areas/devops/infrastructure/skills/ansible-playbooks/SKILL.md
Write idempotent Ansible playbooks and roles for server configuration, K8s node provisioning, and application bootstrap.
Install this skill globally with one command (works with Claude Code, Cursor, and Windsurf):

```sh
npx skillsauth add sawrus/agent-guides ansible-playbooks
```
Expertise: Idempotent roles, inventory patterns, Vault integration, molecule testing, bare-metal K8s node prep.
Use when configuring bare-metal servers, provisioning K8s nodes, managing OS-level config, or rotating OS credentials.
```text
roles/base-server/
├── tasks/
│   ├── main.yml        ← imports sub-task files
│   ├── packages.yml
│   ├── sysctl.yml
│   └── users.yml
├── defaults/
│   └── main.yml        ← all variables with sensible defaults
├── vars/
│   └── main.yml        ← internal constants (not overridable)
├── templates/
│   └── sysctl.conf.j2
├── handlers/
│   └── main.yml        ← restart services on change
└── meta/
    └── main.yml        ← role dependencies
```
```yaml
# ✅ Package install — idempotent
- name: Install required packages
  ansible.builtin.apt:
    name:
      - containerd
      - curl
      - jq
    state: present
    update_cache: true
  when: ansible_os_family == "Debian"

# ✅ File with checksum validation — only copies if changed
- name: Configure containerd
  ansible.builtin.template:
    src: containerd-config.toml.j2
    dest: /etc/containerd/config.toml
    owner: root
    group: root
    mode: "0644"
  notify: Restart containerd  # handler only fires if file changed

# ✅ Service management
- name: Enable and start containerd
  ansible.builtin.systemd:
    name: containerd
    enabled: true
    state: started
    daemon_reload: true
```
```yaml
# handlers/main.yml
- name: Restart containerd
  ansible.builtin.systemd:
    name: containerd
    state: restarted

- name: Reload sysctl
  ansible.builtin.command: sysctl --system
  changed_when: false
```
```ini
# inventory/production/hosts.ini
[control_plane]
cp-01 ansible_host=192.168.10.10
cp-02 ansible_host=192.168.10.11
cp-03 ansible_host=192.168.10.12

[workers]
worker-01 ansible_host=192.168.10.20
worker-02 ansible_host=192.168.10.21

[k8s_cluster:children]
control_plane
workers

[k8s_cluster:vars]
ansible_user=ubuntu
ansible_ssh_private_key_file=~/.ssh/infra-key
ansible_python_interpreter=/usr/bin/python3
```
```sh
# Encrypt a vars file
ansible-vault encrypt group_vars/all/vault.yml

# Inline encrypted variable
ansible-vault encrypt_string 'supersecretpassword' --name 'db_password'
```

Note that the `encrypt_string` form above leaves the plaintext in your shell history; `ansible-vault encrypt_string --stdin-name 'db_password'` reads the secret from standard input instead.

```yaml
# group_vars/all/vault.yml (encrypted)
vault_db_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  ...

# group_vars/all/vars.yml (plain, references vault vars)
db_password: "{{ vault_db_password }}"
```
```yaml
# playbooks/k8s-node-prep.yml
---
- name: Prepare K8s nodes
  hosts: k8s_cluster
  become: true
  roles:
    - role: base-server      # OS hardening, packages
    - role: k8s-prereqs      # swap off, kernel modules, sysctl
    - role: containerd       # install + configure containerd
    - role: kubeadm-install  # install kubeadm, kubelet, kubectl (pinned)
```
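The `k8s-prereqs` role the playbook references (swap off, kernel modules, sysctl) is not shown on this page; the following is an added example of writing those tasks idempotently, not the skill's own code. It assumes the `ansible.posix` and `community.general` collections are installed, and the variable names `k8s_kernel_modules` and `k8s_sysctl` are made up for this example and defined in the role defaults shown first.

```yaml
# roles/k8s-prereqs/defaults/main.yml  (assumed variable names)
k8s_kernel_modules:
  - overlay
  - br_netfilter
k8s_sysctl:
  net.bridge.bridge-nf-call-iptables: 1
  net.bridge.bridge-nf-call-ip6tables: 1
  net.ipv4.ip_forward: 1
---
# roles/k8s-prereqs/tasks/main.yml
# kubelet refuses to start while swap is active: turn it off now and keep it
# off across reboots. The fact guard keeps the command task idempotent.
- name: Disable active swap
  ansible.builtin.command: swapoff -a
  when: ansible_swaptotal_mb | int > 0

- name: Drop swap entries from /etc/fstab
  ansible.builtin.lineinfile:
    path: /etc/fstab
    regexp: '^\S+\s+\S+\s+swap\s+'
    state: absent

# Load modules before touching sysctl: the net.bridge.* keys only exist once
# br_netfilter is loaded, so the reverse order fails on a fresh node.
- name: Load kernel modules needed by containerd and kube-proxy
  community.general.modprobe:
    name: "{{ item }}"
    state: present
  loop: "{{ k8s_kernel_modules }}"

- name: Persist the module list across reboots
  ansible.builtin.copy:
    dest: /etc/modules-load.d/k8s.conf
    content: |
      {{ k8s_kernel_modules | join('\n') }}
    owner: root
    group: root
    mode: "0644"

- name: Apply Kubernetes networking sysctls (persisted in /etc/sysctl.d and reloaded)
  ansible.posix.sysctl:
    name: "{{ item.key }}"
    value: "{{ item.value }}"
    sysctl_file: /etc/sysctl.d/99-kubernetes.conf
    reload: true
    state: present
  loop: "{{ k8s_sysctl | dict2items }}"
```

A second run of this role reports zero changes on an already-prepared node, which is the property `molecule test`'s idempotence step checks.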
```sh
# Dry run (check mode)
ansible-playbook -i inventory/production/hosts.ini \
  playbooks/k8s-node-prep.yml --check --diff

# Run with vault password
ansible-playbook -i inventory/production/hosts.ini \
  playbooks/k8s-node-prep.yml \
  --vault-password-file ~/.ansible-vault-password

# Limit to specific hosts
ansible-playbook -i inventory/production/hosts.ini \
  playbooks/k8s-node-prep.yml \
  --limit "worker-01,worker-02"

# Tags for partial runs
ansible-playbook ... --tags "packages,sysctl" --skip-tags "users"

# Lint (enforce best practices)
ansible-lint playbooks/k8s-node-prep.yml

# Molecule test (spins up a container, runs the playbook, verifies the result)
cd roles/base-server && molecule test
```