{"id":3663,"date":"2025-04-17T11:27:19","date_gmt":"2025-04-17T11:27:19","guid":{"rendered":"https:\/\/www.it-react.com\/?p=3663"},"modified":"2025-04-19T22:49:01","modified_gmt":"2025-04-19T22:49:01","slug":"secure-and-centralized-ubuntu-patching-with-ansible","status":"publish","type":"post","link":"https:\/\/www.it-react.com\/index.php\/2025\/04\/17\/secure-and-centralized-ubuntu-patching-with-ansible\/","title":{"rendered":"Secure and Centralized Ubuntu Patching with Ansible"},"content":{"rendered":"\n

Let\u2019s be honest \u2014 keeping a fleet of Ubuntu servers updated isn\u2019t the most glamorous job, especially when they\u2019re tucked away behind firewalls with no internet access. But what if we could turn this dusty chore into a clean, elegant, and even satisfying little automation adventure?<\/p>\n\n\n\n

That\u2019s exactly what we did.<\/p>\n\n\n\n

This was actually my first real project using <\/strong>Ansible, and it turned out to be a fantastic way to get hands-on experience and discover how powerful (and fun!) Ansible can be. From generating SSH keys to automating patch checks, it became a perfect playground for learning while building something genuinely useful.<\/p>\n\n\n\n

Armed with a central Ubuntu APT mirror and the magic of Ansible, we built a secure and manual-friendly patching system that makes updates feel more like pushing buttons than fighting fires. Whether you\u2019re a sysadmin who loves control or just someone who enjoys a clean playbook, this setup is built for you.<\/p>\n\n\n\n

In this post, I\u2019ll walk you through everything \u2014 from SSH keys to role-based task execution \u2014 and show you how to bring order, transparency, and even a little joy to your patching process.<\/p>\n\n\n\n

\"\"\n\t\t\t\n\t\t\t\t\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n

As shown in the diagram above, we have a central datacenter where our APT mirror and Ansible control node is located. From there, we securely check and manage all Ubuntu servers deployed in our Alpha and Beta datacenters.<\/p>\n\n\n\n

Step One: \ud83d\udd11<\/strong> SSH Key Setup for Ansible Access<\/strong><\/h2>\n\n\n\n

To allow the Ansible control node to connect to each Ubuntu client without password prompts, we first generate an SSH key pair on the node server:<\/p>\n\n\n\n

#ssh-keygen -t ed25519 -C \"ansible-user\"<\/code><\/pre>\n\n\n\n
Then, copy the public key to each target host (if you have more keys, specify which key to use with -i<\/code> if needed). User “ansibleadmin” should be existent on each target server.<\/p>\n\n\n\n
#ssh-copy-id -i ~\/.ssh\/id_ed25519.pub ansibleadmin@<host><\/code><\/pre>\n\n\n\n
This ensures passwordless login using the ansibleadmin<\/strong><\/em> user. We can also test this using command:<\/p>\n\n\n\n
#ssh -i ~\/.ssh\/id_ed25519.pub ansibleadmin@<host><\/code><\/pre>\n\n\n\n
Step Two: \ud83d\udce6 Installing Ansible on the Control Node<\/strong><\/h2>\n\n\n\n
Ansible needs to be installed only on the control machine. On an Ubuntu system, it can be installed using the system package manager:<\/p>\n\n\n\n
#sudo apt update\n#sudo apt install ansible -y<\/code><\/pre>\n\n\n\n
Once installed, you can verify the version with:<\/p>\n\n\n\n
#ansible --version<\/code><\/pre>\n\n\n\n
Now the control node is ready to manage remote systems using Ansible.<\/p>\n\n\n\n
Step Three: \ud83d\udcc1 Ansible Directory, Inventory and Configuration Files<\/strong><\/h2>\n\n\n\n
For our project, we started by creating a dedicated directory named security-patching<\/em><\/strong> under our home user folder. This became our workspace for organizing everything related to Ansible configuration and automation.<\/p>\n\n\n\n
At the heart of this setup are two simple but powerful files: the inventory and the configuration. These define where your servers are, how to connect to them, and how Ansible behaves overall. Here’s what they do:<\/p>\n\n\n\n