Frequently Asked Questions¶
Here you can find answers to commonly asked questions about DebOps.
Yes! All  of the Ansible roles included in DebOps are designed to be self-contained - each role usually manages a specific service or functionality, and doesn't touch anything that it is not supposed to directly. Configuration dependent on other roles (for example, firewall configuration for a network service) is passed along to relevant roles using role dependent variables, on the Ansible playbook level.
If you want, you can use DebOps roles in your own playbooks with completely different dependent roles (for example replacing the debops.ferm role with another firewall management Ansible role).
Some dependent roles like debops.secret and debops.ansible_plugins are "hard dependencies" and without them roles will not work as expected - check the example playbooks provided in the documentation to see how the roles are used.
TL;DR: Install the DebOps monorepo instead of specific roles and configure the
roles_path parameter in
ansible.cfg config file. See DebOps
installation instructions for details.
Long ago, DebOps roles were published in separate git repositories on Ansible Galaxy, and using for example:
ansible-galaxy install debops.nginx
worked as you would expect - installed the debops.nginx role in the specified directory. Around October 2017, DebOps project was consolidated to a single monorepo and separate git repositories were deprecated, but still available via Ansible Galaxy as before.
About a year later, when Ansible Galaxy team implemented experimental support
for multi-role repositories and mazer, all of the old DebOps roles
were removed from Ansible Galaxy and the DebOps monorepo was published instead.
Unfortunately, the old ansible-galaxy tool was not updated, and
using it to install specific DebOps roles resulted in a broken state, where
a bunch of
debops.apt* roles and the DebOps monorepo in a subdirectory were
installed. A solution to that was to install the published monorepo with:
mazer install debops.debops
You would also need to tell Ansible where to look for DebOps roles, by
roles_path parameter in the
configuration file (normally the debops script does that for you).
Another year passed, and in June 2019 Ansible Galaxy team removed support for multi-role repositories and implemented Ansible Collections. But before that, the Mazer team removed support for multi-role repositories from the mazer client, and at some point DebOps monorepo is/was uninstallable via Ansible Galaxy.
The project now has support for Ansible Collections, and hopefully after June
2019 the situation will improve. Right now the easiest method of installation
is using the Python
debops package from PyPI or directly from the GitHub
repository. You can read the DebOps installation instructions
to find out more.
DebOps roles automatically generate randomized passwords for different accounts
and services, using the password lookup plugin. To ensure idempotency,
plaintext passwords are stored on the Ansible Controller host in the
secret/ directory alongside the Ansible inventory.
The ansible-vault command does not support automatic generation of random passwords - you would need to create each one by hand, which gets tedious after the third host you manage. You can still do this if you want, passwords used by DebOps roles are stored in variables which can be redefined in the Ansible inventory.
secret/ directory is used for much more - Certificate Authority
management via debops.pki, passing secure data between hosts, for
example by debops.tinc, among other things. You can read more about it
in the debops.secret role documentation.
DebOps playbooks and roles are supposed to be "read-only" to ensure that future updates can be easily installed. To allow for more extensive modifications (custom files, templates and tasks), a set of Ansible lookup plugins was developed which allows to "inject" custom changes in the roles without modifying the main files. These custom lookup plugins are not part of the official Ansible distribution, and are provided with the DebOps playbooks.
The error about lookup plugins not being present might show up if you use
DebOps roles separately from the main playbook, for example downloaded through
Ansible Galaxy. In this case the easiest solution is to download the custom
lookup plugins and provide them alongside your playbook, in
lookup_plugins/ directory; this should allow Ansible to find them and
The long term plan is to remove the need for the custom lookup plugins - the roles that use them should be updated so that any changes that require custom templates or files can be done through normal Ansible functionality.