Simplifying Passbolt Installation with Ansible

Why Ansible?

In today’s fast-paced environment, system administrators and developers need reliable, repeatable, and efficient methods to set up and manage infrastructure. Ansible, an open-source automation tool, provides just that. It is particularly powerful because of its agentless nature and its simple YAML-based playbooks, which makes managing configurations more approachable. By using Ansible, you can automate processes that typically require manual intervention, minimizing human error and ensuring consistency.

With Passbolt, using Ansible to automate the installation ensures that your server setup is repeatable, reliable, and time-saving, while adhering to official configurations. Whether you’re setting up Passbolt for a small team or a larger organization, Ansible helps you configure, scale, and maintain your installation smoothly, as experienced by many in our community.

The Challenges of Manual Setup

Installing and configuring Passbolt manually on for ex. a Debian/Ubuntu system involves multiple steps that can quickly become tedious:

• Following one of our dedicated documentation;
• Installing the necessary dependencies;
• Setting up MySQL or MariaDB databases and users;
• Performing the installation on the web after the server installation;
• Adjusting user permissions and ensuring proper security measures.

Each of these steps requires attention to detail, and any misstep can lead to issues down the line.

Introducing the Ansible Playbook for Passbolt

The Passbolt Ansible Playbook automates the entire process, from installing the necessary packages to configuring SSL and setting up the Passbolt web interface. Whether you're using the Community Edition or the Pro version, this playbook streamlines everything.

This project is part of the Passbolt lab, providing a demonstration of how Ansible can be used for practical, real-world automation. While this tool is designed with flexibility in mind, it's recommended that you use it on a vanilla Debian or Ubuntu server to avoid conflicts with existing configurations.

How Does the Playbook Work?

At its core, the playbook is divided into tasks, each responsible for a specific portion of the setup:

• Prerequisites Installation: Ensures that the server is up-to-date and installs the necessary dependencies for Passbolt.
• Database Configuration: Sets up MySQL/MariaDB with the correct permissions and security settings, including root and user passwords.
• Passbolt Installation: Automates the installation of the Passbolt CE or Pro edition.
• SSL Configuration: Automatically generates and configures a self-signed SSL certificate for secure communication.
• Web Server (NGINX) Configuration: Installs and configures NGINX to serve the Passbolt API, ensuring that everything is properly linked and ready to handle secure connections.
• First Admin Setup: Once everything is set up, the first account creation link is thrown, to start using passbolt right away.

What’s Inside the Playbook?

The playbook relies on several key configuration files and templates:

• group_vars: Contains your environment-specific variables like database credentials and PHP version.
• Tasks folder: Houses all the tasks for installing Passbolt, configuring NGINX, PHP, and setting up the database.
• Templates folder: Contains the NGINX and PHP configuration templates that are dynamically filled based on your environment variables.

Steps to Run the Playbook

Clone the Repository

Start by cloning the Passbolt Ansible Playbook repository to your local machine.

git clone [email protected]:passbolt/lab-passbolt-ansible-install-playbook.git
cd lab-passbolt-ansible-install-playbook

Update Environment Variables

Copy the example group_var file to customize the environment variables accordingly:

cp group_vars/all.example.yaml group_vars/all.yaml

This includes specifying the database host, PHP version, and Passbolt URL. These variables are stored in the group_vars files.

Create an Inventory File

Define the target servers where Passbolt will be installed. You can authenticate via SSH using either a private key or password.

vim inventory

Inside precise the following

[passbolt_server]
YOUR_SERVER_IP ansible_user=YOUR_USER ansible_ssh_private_key_file=PATH_TO_YOUR_KEY

Run the Playbook

Once everything is set up, execute the playbook.

ansible-playbook -i inventory playbook.yaml

Post-Installation Steps

After the playbook finishes running, navigate to the Passbolt URL in your browser to complete the installation via the web interface. For additional peace of mind, connect with ssh to your server and run a health check to verify that the installation was successful.

sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck" www-data #or nginx instead of www-data if RPM machine

Why Use This Playbook?

• Consistency: Ensures that every installation is identical, reducing errors caused by manual steps.
• Time Efficiency: Drastically reduces the time spent on manual configuration.
• Scalability: Allows you to easily replicate the installation on multiple servers with minimal effort.
• Flexibility: The playbook is easily customizable, allowing you to modify settings for your particular use case.

Enhancing Security

The playbook takes several security measures, such as enforcing strict file permissions for SSL certificates and database credentials. However, further steps can be taken based on your organizational needs, such as configuring firewalls or adding monitoring tools.

Conclusion

Hopefully, this guide makes automating Passbolt installations with Ansible easier and more efficient. The community's input is what makes Passbolt truly special, so feel free to give this playbook a try, share any feedback, or even suggest improvements. Every bit helps!

What should the next playbook cover? Drop your ideas on the community forum, we're excited to see what would make your life simpler or your setup smoother.