The debops run/check commands

DebOps roles can store encrypted secrets (passwords and other confiential data) in a project directory, under ansible/secret/ subdirectory. For normal operation, the secrets need to be unlocked so that Ansible roles and playbooks can access and manipulate them. To make this process easier, DebOps provides the debops run and debops check commands which will automatically unlock and lock the encrypted secrets as needed.

An additional benefit of using these commands is that the user does not have to provide a full path to the playbooks - the script will try to find the correct playbook in a set of different directories or even inside Ansible Collections.

debops run

Execute one or more Ansible Playbooks against the Ansible inventory. Playbooks are included with the DebOps installation by default, they can be provided by Ansible Collections or stored in the ansible/playbooks/ subdirectory in the DebOps project directory. You can also specify full path to an Ansible playbook on disk.

The debops run command will automatically unlock and lock the encrypted ansible/secret/ directory as needed, to give the playbooks and roles access to secrets.

Options

The options below need to be specified before any playbooks to take effect.

-h, --help
Display the help and usage information
--project-dir <project_dir>
Path to the project directory to work on. If it's not specified, the script will use the current directory.
--eval
Do not execute ansible-playbook command; instead print out all the environment variables and the command itself to stdout.
--
Mark the end of the debops run options. Any of the options after this mark will be passed to the ansible-playbook command as-is.
<[<namespace>.<collection>/]playbook>

Specify one or more Ansible Playbooks to execute.

If you specify simple names like site, service/core and similar, the script will look for the corresponding playbooks in the default Ansible Collection (debops.debops). If not found there, the ansible/playbooks/ subdirectory in the current DebOps project directory will be checked next. Finally the name will be assumed to be a normal filesystem path with optional .yml or .yaml extension.

You can also specify the namespace and collection at the start of the path to select a specific collection instead of the default one, for example debops.debops/site or debops.debops/service/core. The playbooks should be stored in the playbooks/ subdirectory of the Ansible Collection, you can use subdirectories to manage a large set of playbooks easier.

[ansible_args]
You can specify all arguments supported by the ansible-playbook command to augment the execution, for example --diff, --check, --limit, and so on. See ansible-playbook --help for more details.

Examples

Execute the site.yml DebOps playbook against all hosts in the Ansible inventory:

debops run site

Display the commands which will run a DebOps playbook for a specific service on specific hosts:

debops run --eval service/mariadb_server -l dbservers

Do the same as above, by specifying the Ansible Collection in which to look for the playbook:

debops run --eval debops.debops/service/mariadb_server -l dbservers

debops check

Execute one or more Ansible Playbooks against the Ansible inventory in check mode. This command behaves the same as the debops run command, but automatically adds the --diff and --check ansible-playbook options to enable the "check mode". In this mode, Ansible will execute the playbook without making any actual changes to the host.