Saturday, April 5, 2025

Get a Notification on Failed Hosts in an Ansible Play

Hello Guys,

I was working on writing a simple playbook to make sure that the nginx service is up and running. While writing it I realised that just making sure the service is up and running is not enough, so I added one more module which makes sure that firewall port 80 is opened permanently. I have also added handlers to reload the firewall to make sure the changes are permanent.

Then I realised I also need to make sure that if the Linux host is unreachable I still get an alert stating that the server is unreachable.

I know it's a limited use case, but I am using it with EDA (Event-Driven Ansible).

Below is the playbook I have come up with:

---
- name: Restart Nginx if port 80 is down and alert on unreachable hosts
  hosts: all
  gather_facts: false
  force_handlers: true
  # Keep unreachable hosts in the play so the alert tasks below can run for them
  ignore_unreachable: true
  tasks:
    - name: Ping the host
      ansible.builtin.ping:
      register: ping_result

    - name: Ping is not successful
      ansible.builtin.debug:
        msg: "{{ inventory_hostname }} is not reachable from the Ansible controller...!"
      when: ping_result.unreachable is defined

    - name: Add unreachable hosts to a list
      ansible.builtin.set_fact:
        unreachable_hosts: "{{ unreachable_hosts | default([]) + [inventory_hostname] }}"
      when: ping_result.unreachable is defined

    - name: Firewalld | Open port 80 permanently using firewalld
      ansible.posix.firewalld:
        port: 80/tcp
        permanent: true
        state: enabled
      become: true
      # Handler name must match the handler below exactly
      notify: Reload firewalld | To apply changes
      when: ping_result.unreachable is not defined

    - name: Make sure service is up and running | Nginx service
      ansible.builtin.service:
        name: nginx
        state: started
      become: true
      register: nginx_restart
      when: ping_result.unreachable is not defined

    # Rendered on the controller, one file per unreachable host, so that
    # inventory_hostname in the template is the host that actually failed
    - name: Generate email content to send | Server is unreachable
      ansible.builtin.template:
        src: email_alert.html.j2
        dest: "/tmp/alert_email_{{ inventory_hostname }}.html"
      delegate_to: 127.0.0.1
      when: ping_result.unreachable is defined

    - name: Email alert if the server is unreachable
      community.general.mail:
        host: smtp.gmail.com
        port: 587
        secure: starttls
        subtype: html
        to:
          - "nrathi@redhat.com"
        subject: "Alert: Host not reachable on SSH {{ inventory_hostname }}"
        body: "{{ lookup('file', '/tmp/alert_email_' ~ inventory_hostname ~ '.html') }}"
        username: "abc@gmail.com"
        # Keep the real credential in ansible-vault rather than in the playbook
        password: "your_secure_password"
      delegate_to: 127.0.0.1
      changed_when: true
      when: ping_result.unreachable is defined

  handlers:
    - name: Reload firewalld | To apply changes
      ansible.builtin.service:
        name: firewalld
        state: reloaded
      become: true


Below is the HTML template (email_alert.html.j2) I am using:

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Host Down</title>
  <style>
    table {
      width: 100%;
      border-collapse: collapse;
      font-family: Arial, sans-serif;
      background-color: #FF0000;
      margin: 0 auto;
    }
    th, td {
      padding: 12px;
      border: 1px solid #ddd;
      text-align: left;
    }
    th {
      background-color: #17469E;
      color: white;
      text-transform: uppercase;
      font-size: 14px;
    }
    td {
      background-color: #f9f9f9;
      font-size: 14px;
    }
    td.label {
      font-weight: bold;
      background-color: #e0e0e0;
    }
    .title {
      text-align: center;
      font-size: 18px;
      font-weight: bold;
      margin-bottom: 20px;
      color: #333;
    }
    .container {
      width: 80%;
      margin: 0 auto;
    }
  </style>
</head>
<body>
  <p>Dear Team,</p>
  <p>This is an automated alert to inform you:</p>
  <p>Host is not reachable from Ansible over SSH or WinRM.</p>
  <table>
    <tr>
      <th>Host</th>
    </tr>
    <tr>
      <td>{{ inventory_hostname }}</td>
    </tr>
  </table>
  <p>Best regards,<br/>abc@gmail.com</p>
</body>
</html>


# ansible-playbook -i inventory restart_nginx.yml


Tuesday, February 25, 2025

Lock Linux Users if They Do Not Log In for 30 Days

Hello Guys,

A few days back a somewhat strange requirement came to me: they wanted to lock a local user if he/she does not log in to the system for more than 30 days, meaning:

  1. He/She should not be able to log in to the system
  2. Nor SSH into the system
  3. His/Her account should be locked

---
- name: Lock users who have not logged in during the last 30 days (excluding system users)
  hosts: linux_servers
  become: true
  tasks:
    - name: Get list of users whose last login is older than 30 days
      # lastlog -b N prints only records older than N days. Accounts that never
      # logged in show "**Never logged in**" spread over fields 2-4, so the
      # whole line is matched instead of a single field.
      ansible.builtin.shell: "lastlog -b 30 | awk 'NR>1 && !/Never logged in/ {print $1}'"
      register: inactive_users
      changed_when: false

    - name: Get list of system users (UID < 1000)
      ansible.builtin.shell: "awk -F: '$3 < 1000 {print $1}' /etc/passwd"
      register: system_users
      changed_when: false

    - name: Display inactive users
      ansible.builtin.debug:
        var: inactive_users.stdout_lines

    - name: Display system users (excluded)
      ansible.builtin.debug:
        var: system_users.stdout_lines

    - name: Lock inactive users (excluding system users and the allow-list)
      # Same effect as `usermod --lock`, but idempotent. Only the password is
      # locked, so key-based SSH may still succeed depending on sshd/PAM settings.
      ansible.builtin.user:
        name: "{{ item }}"
        password_lock: true
      loop: "{{ inactive_users.stdout_lines }}"
      when:
        - item not in system_users.stdout_lines
        - item not in ["root", "nrathi", "nobody", "other_imp_user"]

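The selection logic of this playbook, reproduced as a standalone POSIX shell script over constructed sample data (added here as an example; it is not part of the original post). It contrasts a field comparison, `$3 != "Never"`, which never matches because the never-logged-in marker lands in field 2 as `**Never`, with a regexp match on the whole line, and then applies the UID < 1000 and allow-list exclusions:

```shell
#!/bin/sh
# Constructed sample of `lastlog -b 30` output (not captured from a real host).
SAMPLE_LASTLOG='Username         Port     From             Latest
root             pts/0    10.0.0.5         Mon Jan  6 09:12:44 +0000 2025
alice            tty1                      Tue Dec 10 08:00:00 +0000 2024
bob                                        **Never logged in**
sshd                                       **Never logged in**'

# Constructed /etc/passwd excerpt: UID < 1000 are system accounts.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/usr/share/empty.sshd:/usr/sbin/nologin
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash'

# Field comparison: $3 is "logged" on never-logged-in rows, so bob and sshd
# pass the filter and would be treated as inactive users.
original_filter() {
    printf '%s\n' "$SAMPLE_LASTLOG" | awk 'NR>1 && $3!="Never" {print $1}'
}

# Regexp on the whole line: drops every row carrying the marker.
fixed_filter() {
    printf '%s\n' "$SAMPLE_LASTLOG" | awk 'NR>1 && !/Never logged in/ {print $1}'
}

# System accounts (UID < 1000) that this job must never lock.
system_users() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '$3 < 1000 {print $1}'
}

# Final lock list: inactive, not a system account, not on the allow-list.
lock_candidates() {
    allow=" root nrathi nobody other_imp_user "
    protected=" $(system_users | tr '\n' ' ')$allow"
    fixed_filter | while read -r u; do
        case "$protected" in
            *" $u "*) ;;        # protected account: leave it alone
            *) echo "$u" ;;     # would be locked by the playbook
        esac
    done
}
```

Run on the sample data, `original_filter` returns four names while `fixed_filter` returns two, and only alice ends up on the lock list.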

Enjoy...guys

Tuesday, February 18, 2025

Enable/Disable USB Storage Support on Windows Machines Using Ansible

Hello Guys,

A couple of months ago I was working on a project where I needed to write an Ansible playbook which can enable or disable the USB storage capability. I mean Windows should not detect USB storage devices if I connect one to a computer, and this should be enforced, so I did a Google search and found the registry key for it. Then I started converting it into a playbook, which looks like this:

---
- name: Disable/Enable USB storage on Windows operating systems
  hosts: all
  gather_facts: true
  tasks:
    - name: Check whether the server is reachable
      ansible.windows.win_ping:
      register: ping_result

    # - ansible.builtin.debug:
    #     msg: "{{ ping_result }}"

    - name: Disable USB storage devices
      # USBSTOR Start=4 means the driver is disabled
      ansible.windows.win_regedit:
        path: HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR
        name: Start
        data: 4
        type: dword
        state: present
      register: usb_dis
      when: usb_disable | default(true) | bool

    - name: Enable USB storage devices
      # USBSTOR Start=3 means the driver is loaded on demand (the default)
      ansible.windows.win_regedit:
        path: HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR
        name: Start
        data: 3
        type: dword
        state: present
      register: usb_en
      when: not (usb_disable | default(true) | bool)

    - name: Reboot system after changing the USB storage setting (if required)
      ansible.windows.win_reboot:
        reboot_timeout: 120
      ignore_errors: true
      # Skipped tasks are never "changed", so this only fires after a real change
      when: usb_en is changed or usb_dis is changed

By default it disables USB storage on the Windows computer.

To disable USB storage:

ansible-playbook -i inventory usb.yml

To enable USB storage:

ansible-playbook -i inventory usb.yml -e usb_disable=false

Tuesday, February 11, 2025

Ansible: Lock User After 3 Unsuccessful Login Attempts

Hello Guys,

How to lock a user after 3 unsuccessful login attempts, with the account reactivated after a cooldown of 10 minutes? Well, there is a well-established Windows command for it, but when you have to do it at large scale, or you need to enforce it so that it never gets overwritten, you need automation for that, and I wrote a playbook which makes sure of that.

---
- name: Account lockout policy on Windows
  hosts: all
  tasks:
    # Each setting is applied once: the command runs only while its marker
    # file is missing, and the marker file is written right after a real run.
    - name: Set user lockout after 3 attempts
      ansible.windows.win_command: net accounts /lockoutthreshold:3
      register: userLockout
      args:
        creates: C:\userLockout.lock

    - name: Create userLockout.lock
      ansible.windows.win_copy:
        dest: C:\userLockout.lock
        content: ""
        force: false
      when: userLockout is changed

    - name: Set lockout duration to 10 min
      ansible.windows.win_command: net accounts /lockoutduration:10
      register: lockduration
      args:
        creates: C:\lockduration.lock

    - name: Create lockduration.lock
      ansible.windows.win_copy:
        dest: C:\lockduration.lock
        content: ""
        force: false
      when: lockduration is changed

    - name: Reset the failed-attempt counter after 10 min
      ansible.windows.win_command: net accounts /lockoutwindow:10
      register: lockoutwindow
      args:
        creates: C:\lockoutwindow.lock

    - name: Create lockoutwindow.lock
      ansible.windows.win_copy:
        dest: C:\lockoutwindow.lock
        content: ""
        force: false
      when: lockoutwindow is changed

Time Sync Windows machine using Ansible

Hello Guys,

I know you have been waiting for an automation which can help sync the time of Windows servers/desktops with a local NTP server using Ansible.

In the previous blog I shared a playbook for setting up an NTP server on a RHEL or CentOS box; in this one I will be using a playbook that connects to the Windows clients and syncs them with the local NTP server.

So here is the playbook:


---
- name: Configure NTP server on Windows and synchronize time
  hosts: all
  force_handlers: true
  gather_facts: false
  tasks:
    # This step is not necessary; it is added for aesthetics so the NTP peer
    # shows as an FQDN instead of an IP address. win_hosts adds one entry and
    # leaves the rest of the hosts file untouched.
    - name: Map the NTP server name in the Windows hosts file
      community.windows.win_hosts:
        ip_address: "{{ ntp_server }}"
        canonical_name: rhel.ntpserver.local
        state: present

    - name: Synchronize time with NTP server
      ansible.windows.win_powershell:
        script: |
          w32tm /config /manualpeerlist:"rhel.ntpserver.local" /syncfromflags:manual /reliable:YES /update
          w32tm /resync
      notify:
        - restart w32time
      ignore_errors: true

  handlers:
    - name: restart w32time
      ansible.windows.win_service:
        name: w32time
        state: restarted


To run the Ansible playbook (no spaces around the = in the -e argument):

ansible-playbook -i inventory_file ntp_client.yml -e ntp_server="<ip address of the ntp server>"


Enjoy and let me know what automation you want to work on...