Ansible
Overview
Use Ansible for repeatable, idempotent changes across nodes. Keep playbooks minimal, explicit about hosts, and safe to re-run.
When to use
- You need to apply the same change on multiple hosts.
- The change touches OS packages, services, or system config.
- You are bootstrapping or maintaining k3s, Rancher, or Tailscale on nodes.
Inventory and groups
Inventory lives in ansible/inventory/hosts.ini. Common groups:
kube_masters (k3s masters)kube_workers (k3s workers)k3s_cluster (masters + workers)proxy (nuc)docker_hosts (docker-host)
Quick start
Ping all nodes in the cluster:
ansible -i ansible/inventory/hosts.ini k3s_cluster -m ping -u kalmyk
Run a playbook on all nodes in the cluster:
ansible-playbook -i ansible/inventory/hosts.ini ansible/playbooks/install_nfs_client.yml -u kalmyk -b
Limit to a single host:
ansible-playbook -i ansible/inventory/hosts.ini ansible/playbooks/install_tailscale.yml -u kalmyk -b --limit kube-worker-00
Common playbooks in this repo
install_nfs_client.yml - install NFS client tools on nodesinstall_tailscale.yml - install Tailscale packagesstart_enable_tailscale.yml - enable and start tailscaledstart_enable_tailscale_client.yml - start Tailscale client servicesk3s-ha.yml - configure k3s HA clusterk3s-oidc.yml - configure OIDC for k3srancher2.yml - install Rancherwait_for_rancher.yml - wait until Rancher is readyrancher_bootstrap_logs.yml - capture Rancher bootstrap logsstart_rancher2_container.yml - start Rancher container
Safety and idempotency
- Prefer Ansible modules over shell commands.
- Use
--check and --diff when validating a risky change.
- Use
--limit to scope changes during testing.
- Keep playbooks idempotent so re-runs are safe.
Validation
- Service check:
systemctl status tailscaled
- Logs:
journalctl -u tailscaled --no-pager -n 50
- Cluster check:
kubectl get nodes -o wide
Resources
- Reference:
references/ansible-runbook.md
- Runner:
scripts/run-playbook.sh
- Template:
assets/playbook-template.yml
