Template module
Ansible Docs reference: https://docs.ansible.com/ansible/latest/collections/ansible/builtin/template_module.html
The template module is one of the most powerful modules in Ansible. It allows you to create files from templates. The template module is a wrapper around Jinja2, a templating language for Python. The template module is used to create configuration files, or any text files that require variables injected into them. Template files have the extension .j2
.
The template file is also indempotent. If the file already exists, it will only be changed if the template file has changed.
Good examples for using templates are:
- Nginx Config file
- Firewall rule set
- Hosts file
Creating a template
This is an example for a hosts file template. It will be used to create a hosts file on the remote system.
Create hosts file with all webservers
# localhost
127.0.0.1 localhost
{{ ansible_host }} {{ inventory_hostname }}
# webservers
{% for host in groups['webservers'] %}
{{ hostvars[host]['ansible_host'] }} {{ hostvars[host]['inventory_hostname'] }}
{% endfor %}
all:
hosts:
children:
webserver:
hosts:
server1:
server2:
server3:
- name: "DNS setup"
hosts: webserver
tasks:
- name: "Create hosts file "
template:
src: hosts.j2
dest: /etc/hosts
# localhost
127.0.0.1 localhost
10.0.0.1 server1
# webservers
10.0.0.1 server1
10.0.0.2 server2
10.0.0.3 server3
# localhost
127.0.0.1 localhost
10.0.0.1 server2
# webservers
10.0.0.1 server1
10.0.0.2 server2
10.0.0.3 server3
# localhost
127.0.0.1 localhost
10.0.0.1 server3
# webservers
10.0.0.1 server1
10.0.0.2 server2
10.0.0.3 server3
Advanced example
You can expand the template module with a lot of features. This is an example for a nftables firewall template:
nftables-firewall.yml
table ip filter {
set trusted {
typeof ip saddr
elements = {10.22.0.50, 10.22.0.51, 10.22.0.52}
}
chain input {
type filter hook input priority filter; policy drop;
ct state related,established counter accept
#Trusted (icmp and ssh)
ip saddr @trusted tcp dport 22 counter accept
ip saddr @trusted ip protocol icmp counter accept
#DNS Incomming all (all to dns udp port 53)
{% if inventory_hostname in groups['dns'] %}
udp dport 53 counter accept
{% endif %}
#DNS replication (dns to dns-master tcp 53 )
{% if inventory_hostname in groups['dns'][0] %}
{% for h in groups['dns'] %}
{% if inventory_hostname not in hostvars[h]['inventory_hostname'] %}
ip saddr {{hostvars[h]['ansible_host']}} tcp dport 53 counter accept
{% endif %}
{% endfor %}
{% endif %}
#DNS Management (localhost)
iif lo counter accept
#Web Traffic (all to port webport)
{% if inventory_hostname in groups['web'] %}
tcp dport {{ webport }} counter accept
{% endif %}
#Proxy to Web Traffic (ha to web port 8081)
{% if inventory_hostname in groups['web'] %}
{% for h in groups['ha'] %}
ip saddr {{hostvars[h]['ansible_host']}} tcp dport 8081 counter accept
{% endfor %}
{% endif %}
}