This is a playbook to update Debian, CentOS and Archlinux with Ansible without entering an SSH or sudo password on the command line.

Let’s start by creating a directory from which we’ll be working. Make sure all the files are created in there and commands are executed from there as well. E.g.

mkdir ~/ansible

1. SSH Keys

If you haven’t done so already, set up ssh keys for all the hosts involved:

ssh-keygen -t rsa

Copy the public key to each host:

ssh-copy-id user@hosts

2. Inventory

Create an inventory file called hosts where we specify the ssh user for each host and add a reference for the sudo password. Put each host in the right section for the right distribution.

[Archlinux]
192.168.0.1:222 ansible_ssh_user=user ansible_become_pass='{{archlinux_box_sudo_pass}}'

[Debian]
192.168.0.3:222 ansible_ssh_user=user ansible_become_pass='{{debian_box_sudo_pass}}'

[CentOs]
192.168.0.4:222 ansible_ssh_user=user ansible_become_pass='{{centos_box_sudo_pass}}'

Non-standard ssh ports are added after the colon, 222 in this example.

3. Passwords

Next we create an encrypted file with ansible-vault to store the sudo passwords.

ansible-vault create passwd.yml

Enter a password for the vault file, then add the sudo passwords under the variable names referenced in the hosts file:

archlinux_box_sudo_pass: YOUR_PASSWORD
debian_box_sudo_pass: YOUR_PASSWORD
centos_box_sudo_pass: YOUR_PASSWORD

To edit the vault file:

ansible-vault edit passwd.yml

4. The update playbook

Create a playbook.yml file. Add a section for each distribution and reference their specific hosts as defined in the hosts file. Notice the different modules used to call the package managers in Tasks.

---
- name: Update Archlinux boxes
  hosts: Archlinux
  become: yes

  vars_files:
    - ~/ansible/passwd.yml

  tasks:
    - name: full system upgrade
      pacman:
        update_cache: yes
        upgrade: yes

- name: Update Debian boxes
  hosts: Debian
  become: yes
  vars_files:
    - ~/ansible/passwd.yml

  tasks:
    - name: full system upgrade
      apt:
        update_cache: yes
        upgrade: yes

- name: Update CentOS boxes
  hosts: CentOs
  become: yes
  vars_files:
    - ~/ansible/passwd.yml

  tasks:
    - name: full system upgrade
      yum: name=* state=latest

Execute the playbook:

ansible-playbook playbook.yml --ask-vault-pass

Enter the vault password.

If all went well, the result should look like this:

Vault password:

PLAY [Update Archlinux boxes] *****************************************************************************************

TASK [Gathering Facts] ************************************************************************************************
ok: [192.168.0.1]

TASK [full system upgrade] ********************************************************************************************
ok: [192.168.0.1]

PLAY [Update Debian boxes] ********************************************************************************************

TASK [Gathering Facts] ************************************************************************************************
ok: [192.168.0.2]

TASK [full system upgrade] ********************************************************************************************
ok: [192.168.0.2]

PLAY [Update CentOS boxes] ********************************************************************************************

TASK [Gathering Facts] ************************************************************************************************
ok: [192.168.0.3]

TASK [full system upgrade] ********************************************************************************************
changed: [192.168.0.3]

PLAY RECAP ************************************************************************************************************
192.168.0.1              : ok=2    changed=0    unreachable=0    failed=0
192.168.0.2              : ok=2    changed=1    unreachable=0    failed=0
192.168.0.3              : ok=2    changed=0    unreachable=0    failed=0
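
Before running the playbook, it is worth confirming that the sudo passwords really live only in the vault. The following check is an added example, not part of the original post: it verifies that the vault file from step 3 carries the ansible-vault header and that every ansible_become_pass in the inventory from step 2 is a '{{ variable }}' reference rather than a literal password. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the
# inventory and vault file before running ansible-playbook.

# Succeeds only if FILE starts with the ansible-vault header line,
# i.e. it was created or encrypted with ansible-vault.
vault_is_encrypted() {
    [ -f "$1" ] || return 1
    head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;1\.[0-9];AES256'
}

# Prints inventory lines whose ansible_become_pass is a literal value
# instead of a '{{ variable }}' reference. The value itself is redacted
# so the check can run in CI without echoing the secret.
plaintext_become_pass() {
    grep -n 'ansible_become_pass=' "$1" |
        grep -Ev "ansible_become_pass=['\"]?[{][{][^}]+[}][}]['\"]?([[:space:]]|\$)" |
        sed 's/ansible_become_pass=.*/ansible_become_pass=<redacted>/'
}

# preflight INVENTORY VAULTFILE: returns 0 only if both checks pass.
preflight() {
    rc=0
    if ! vault_is_encrypted "$2"; then
        echo "FAIL: $2 is not ansible-vault encrypted" >&2
        rc=1
    fi
    leaks=$(plaintext_become_pass "$1")
    if [ -n "$leaks" ]; then
        echo "FAIL: literal sudo password in $1:" >&2
        echo "$leaks" >&2
        rc=1
    fi
    return "$rc"
}

# Demo on constructed sample files (not real hosts or passwords).
demo_dir=$(mktemp -d)
printf '%s\n' '[Debian]' \
    "192.168.0.3:222 ansible_ssh_user=user ansible_become_pass='{{debian_box_sudo_pass}}'" \
    '[CentOs]' \
    '192.168.0.4:222 ansible_ssh_user=user ansible_become_pass=Example123' > "$demo_dir/hosts"
printf '%s\n' 'centos_box_sudo_pass: Example123' > "$demo_dir/passwd.yml"
if preflight "$demo_dir/hosts" "$demo_dir/passwd.yml"; then
    echo "pre-flight OK"
else
    echo "pre-flight failed, fix the files before running the playbook"
fi
rm -rf "$demo_dir"
```

On the real files, call preflight hosts passwd.yml from ~/ansible; a non-zero exit status means the playbook should not be run or committed yet.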