If you\u2019ve ever deployed a VM in vSphere and caught yourself thinking, \u201cThere must be a faster way to do this,\u201d you\u2019re definitely not alone. After clicking through the same wizard more times than I\u2019d like to admit, I decided it was time to build something cleaner, smarter, and fully automated.<\/p>\n\n\n\n
In this series, I\u2019ll walk through how I built a multi-OS provisioning and configuration framework using Ansible and VMware\u2014flexible enough to handle Linux servers, Windows Server, and even Windows clients.<\/p>\n\n\n\n
We\u2019ll cover the full workflow:<\/p>\n\n\n\n
\u2013 structuring a clean and scalable Ansible repository
\u2013 provisioning VMs from vSphere templates
\u2013 bootstrapping access with SSH keys or WinRM
\u2013 applying OS-specific configuration logic (Debian, RedHat, Windows)
\u2013 integrating the workflow with manual triggers or CI\/CD pipelines<\/p>\n\n\n\n
The goal is simple: save time, reduce repetitive work, and deploy consistent, ready-to-use systems with a single command.<\/p>\n\n\n\n
So grab your favorite drink, open the terminal, and let\u2019s get started.<\/p>\n\n\n\n
Before diving into templates, roles, and automation magic, it\u2019s important to understand what this project is trying to accomplish. The goal is simple: build a unified automation framework that can provision and configure multiple operating systems on VMware\u2014cleanly, consistently, and without the usual copy-paste chaos.<\/p>\n\n\n\n
At its core, the framework follows three guiding principles:<\/p>\n\n\n\n
1. Separation of concerns<\/strong> 2. OS-agnostic high-level workflow<\/strong> 3. Environment-based inventories<\/strong> From a high-level perspective, the automation workflow looks like this:<\/p>\n\n\n\n The end result is a flexible and scalable provisioning framework that eliminates repetitive tasks, enforces consistency, and makes spinning up new systems feel like a quick, predictable operation rather than an endless sequence of manual steps.<\/p>\n\n\n\n With the overview in place, it\u2019s time to walk through the repository structure and start building the framework piece by piece.<\/p>\n\n\n\n A clean and predictable repository layout is essential for any automation project\u2014especially when dealing with multiple operating systems and several environments. The structure below keeps provisioning, configuration, variables, and OS-specific logic separated in a way that scales well as the framework grows.<\/p>\n\n\n\n Here is the high-level directory layout used in this project:<\/p>\n\n\n\n The sections below explain how each part is created and why it exists.<\/p>\n\n\n\n This will be our root directory for the entire automation framework.<\/p>\n\n\n\n Inside the repository, create all the necessary directories:<\/p>\n\n\n\n Each directory has a specific purpose:<\/p>\n\n\n\n This file ensures that Ansible knows where to find roles, collections, and the default inventory.<\/p>\n\n\n\n Create it at the repository root:<\/p>\n\n\n\n ansible.cfg<\/strong><\/p>\n\n\n\n The automation relies on a few Ansible collections, such as:<\/p>\n\n\n\n Create the requirements file:<\/p>\n\n\n\n collections\/requirements.yml<\/strong><\/p>\n\n\n\n At this stage we are only defining which collections the framework depends on. The actual installation of these collections will be done later, from within a dedicated Python virtual environment, to avoid version conflicts with the system-wide Ansible installation.<\/p>\n\n\n\n We begin with a lab<\/strong> environment and a clean OS-oriented grouping.<\/p>\n\n\n\n Create:<\/p>\n\n\n\n inventories\/lab\/inventory.yml<\/strong><\/p>\n\n\n\n This layout allows us to target:<\/p>\n\n\n\n without duplicating logic.<\/p>\n\n\n\n Each OS type gets its own variables file.<\/p>\n\n\n\n inventories\/lab\/group_vars\/linux_debian.yml<\/strong><\/p>\n\n\n\n inventories\/lab\/group_vars\/linux_redhat.yml<\/strong><\/p>\n\n\n\n inventories\/lab\/group_vars\/win_servers.yml<\/strong><\/p>\n\n\n\n inventories\/lab\/group_vars\/win_clients.yml<\/strong><\/p>\n\n\n\n Note: Why Keep These Files If They\u2019re Empty?<\/strong><\/p>\n\n\n\n Because a mature automation environment evolves. When that moment comes, you will not want to refactor your repository. Keeping group_vars empty-but-ready is the cleanest way to support future expansion.<\/p>\n\n\n\n inventories\/lab\/group_vars\/vcenter.yml<\/strong><\/p>\n\n\n\n A few important notes:<\/p>\n\n\n\n This separation keeps the configuration clean, avoids duplication, and allows each VM to define its own provisioning metadata in a separate location.<\/p>\n\n\n\n We create one role that works for both Debian and RedHat families.<\/p>\n\n\n\n roles\/os_linux_base\/defaults\/main.yml<\/strong><\/p>\n\n\n\n roles\/os_linux_base\/tasks\/main.yml<\/strong><\/p>\n\n\n\n roles\/os_linux_base\/tasks\/debian.yml<\/strong><\/p>\n\n\n\n roles\/os_linux_base\/tasks\/redhat.yml<\/strong><\/p>\n\n\n\n Each operating system family (Debian, RedHat, Windows Server, Windows Client) uses its own golden image stored in vSphere. To avoid hardcoding template names inside the playbooks, the framework stores them in a central variable file.<\/p>\n\n\n\n Create the following file:<\/p>\n\n\n\n vars\/templates.yml<\/strong><\/p>\n\n\n\n Why store template names separately?<\/p>\n\n\n\n During provisioning, the appropriate template is selected by referencing these variables instead of embedding string literals.<\/p>\n\n\n\n On most Linux distributions, Ansible packages are available directly from the system repositories. While this is convenient, it often leads to version mismatches between ansible-core and external collections such as community.vmware. To keep this framework stable and reproducible, all Ansible commands are executed from a dedicated Python virtual environment.<\/p>\n\n\n\n This has a few important advantages:<\/p>\n\n\n\n The setup is straightforward. From the repository root:<\/p>\n\n\n\n Next, upgrade pip and install the required Python packages inside the virtual environment:<\/p>\n\n\n\n With Ansible installed in the virtualenv, you can now install the collections defined earlier in collections\/requirements.yml:<\/p>\n\n\n\n From this point on, every Ansible command related to this project should be executed from the virtual environment:<\/p>\n\n\n\n If you skip the virtual environment and run Ansible from the system packages, you may run into compatibility issues between ansible-core and the community.vmware collection, leading to errors such as missing support modules or StrictVersion import problems.<\/p>\n\n\n\n When you start automating VMware and Windows deployments, there\u2019s one thing you absolutely don\u2019t want floating around in plain text: passwords<\/strong>. That\u2019s where Ansible Vault<\/strong> comes in.<\/p>\n\n\n\n Vault lets you store sensitive variables in encrypted files and keep your repository clean, safe, and shareable. Everything looks like YAML, but the content is encrypted. Ansible decrypts it automatically at runtime when you pass the vault password.<\/p>\n\n\n\n In this project, the Vault holds:<\/p>\n\n\n\n Basically: anything that makes a security auditor raise an eyebrow<\/em>.<\/p>\n\n\n\n All sensitive values live in:<\/p>\n\n\n\n Putting the Vault inside This layout keeps things clean, avoids accidental leaks in inventory files, and makes the entire project easier to reason about \u2014 exactly what you want when working with VMware automation, WinRM bootstrap, and multi-OS provisioning.<\/p>\n\n\n\n We initialize the vault like this:<\/p>\n\n\n\n Ansible asks for a vault password (you\u2019ll use the same one later with Once saved, the file on disk is fully encrypted and unreadable.<\/p>\n\n\n\n If we ever need to edit the values:<\/p>\n\n\n\n If you want to view it (read-only):<\/p>\n\n\n\n We never store plaintext passwords in playbooks or inventory. Ansible decrypts everything on the fly when you run:<\/p>\n\n\n\n In this first part, we focused entirely on building the foundation of our automation framework: a clean repository layout, structured inventories, OS-specific group variables, secure vCenter settings, and a central mapping for all base templates. With these pieces in place, the project is now ready for actual provisioning work.<\/p>\n\n\n\n In the next post, we\u2019ll take the first real step: deploying a Windows 10 virtual machine from a vSphere template using the structure we created here. We\u2019ll define the VM\u2019s metadata, assign a static IP address, set the correct network adapter, and build the full provisioning playbook.<\/p>\n\n\n\n Now that the framework is prepared, we can finally start putting it to use. Stay tuned for Part 2: Provisioning a Windows 10 Client from a vSphere Template<\/em>.<\/p>\n","protected":false},"excerpt":{"rendered":" If you\u2019ve ever deployed a VM in vSphere and caught yourself thinking, \u201cThere must be a faster way to do this,\u201d you\u2019re definitely not alone. After clicking through the same wizard more times than I\u2019d like to admit, I decided it was time to build something cleaner, smarter, and fully automated. In this series, I\u2019ll […]<\/p>\n","protected":false},"author":1,"featured_media":4654,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"_FSMCFIC_featured_image_caption":"","_FSMCFIC_featured_image_nocaption":"","_FSMCFIC_featured_image_hide":"","footnotes":""},"categories":[7,15,8],"tags":[94,25,31,26,36],"class_list":["post-4652","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","category-vmware","category-windows","tag-ansible","tag-vcenter","tag-vm","tag-vmware","tag-vsphere"],"yoast_head":"\n
Provisioning, configuration, OS logic, and environment-specific data each live in their own clearly defined place. This keeps the repository clean and prevents the \u201cspaghetti Ansible\u201d effect we\u2019ve all seen at least once.<\/p>\n\n\n\n
Whether you\u2019re deploying a Debian-based server, a RedHat box, a Windows Server instance, or even a Windows client, the overall flow stays the same. What changes is only the OS-specific logic underneath.<\/p>\n\n\n\n
The structure remains identical across lab, test, and production. Only the data\u2014like hostnames, credentials, templates, or datastores\u2014changes per environment.<\/p>\n\n\n\n\n
A clean, pre-configured golden image (Linux or Windows) is cloned and customized automatically.<\/li>\n\n\n\n
Each VM receives a predefined static IP address, subnet, gateway and DNS configuration based on its host_vars definition. The same data is later used by Ansible to connect to the system for post-provisioning tasks.<\/li>\n\n\n\n\n
Package installation, baseline settings, services, domain join (for Windows), or any custom logic you want to enforce.<\/li>\n\n\n\n
Optional steps such as deploying agents, monitoring exporters, middleware, or full application stacks.<\/li>\n\n\n\n
The entire workflow can run manually or be fully automated through GitLab CI, Jenkins, or any other pipeline.<\/li>\n<\/ol>\n\n\n\nCreating the Base Repository Layout<\/h2>\n\n\n\n
infra-ansible\/\n\u251c\u2500\u2500 ansible.cfg\n\u251c\u2500\u2500 collections\/\n\u2502 \u2514\u2500\u2500 requirements.yml\n\u251c\u2500\u2500 inventories\/\n\u2502 \u251c\u2500\u2500 lab\/\n\u2502 \u2502 \u251c\u2500\u2500 inventory.yml\n\u2502 \u2502 \u2514\u2500\u2500 group_vars\/\n\u2502 \u2502 \u251c\u2500\u2500 all.yml\n\u2502 \u2502 \u251c\u2500\u2500 linux_debian.yml\n\u2502 \u2502 \u251c\u2500\u2500 linux_redhat.yml\n\u2502 \u2502 \u251c\u2500\u2500 win_servers.yml\n\u2502 \u2502 \u2514\u2500\u2500 win_clients.yml\n\u2502 \u251c\u2500\u2500 test\/\n\u2502 \u2514\u2500\u2500 prod\/\n\u251c\u2500\u2500 playbooks\/\n\u2502 \u251c\u2500\u2500 provision\/\n\u2502 \u2502 \u251c\u2500\u2500 vmware_linux_debian.yml\n\u2502 \u2502 \u2514\u2500\u2500 vmware_windows_server.yml\n\u2502 \u251c\u2500\u2500 configure\/\n\u2502 \u2502 \u251c\u2500\u2500 linux_base.yml\n\u2502 \u2502 \u2514\u2500\u2500 windows_base.yml\n\u2502 \u251c\u2500\u2500 patch\/\n\u2502 \u2514\u2500\u2500 stacks\/\n\u251c\u2500\u2500 roles\/\n\u2502 \u251c\u2500\u2500 os_linux_base\/\n\u2502 \u251c\u2500\u2500 os_windows_base\/\n\u2502 \u251c\u2500\u2500 vmware_guest_provision\/\n\u2502 \u2514\u2500\u2500 monitoring\/\n\u251c\u2500\u2500 vars\/\n\u2502 \u251c\u2500\u2500 vm_sizes.yml\n\u2502 \u2514\u2500\u2500 images.yml\n\u2514\u2500\u2500 docs\/\n \u251c\u2500\u2500 architecture.md\n \u2514\u2500\u2500 runbooks.md<\/code><\/pre>\n\n\n\n
\n\n\n\nStep 1: Create the Repository Folder<\/h3>\n\n\n\n
mkdir infra-ansible\ncd infra-ansible<\/code><\/pre>\n\n\n\n
\n\n\n\nStep 2: Create the Core Folder Structure<\/h3>\n\n\n\n
mkdir -p collections\nmkdir -p inventories\/lab\nmkdir -p playbooks\/{provision,configure,patch,stacks}\nmkdir -p roles\nmkdir -p vars\nmkdir -p docs<\/code><\/pre>\n\n\n\n\n
\n\n\n\nStep 3: Create ansible.cfg<\/h3>\n\n\n\n
[defaults]\ninventory = inventories\/lab\/inventory.yml\nroles_path = roles\ncollections_path = collections\nhost_key_checking = False\nretry_files_enabled = False\ndeprecation_warnings = False<\/code><\/pre>\n\n\n\n
\n\n\n\nStep 4: Define Required Collections<\/h3>\n\n\n\n
\n
collections:\n - name: community.vmware\n - name: ansible.windows\n - name: community.windows\n - name: microsoft.ad<\/code><\/pre>\n\n\n\n
\n\n\n\nStep 5: Create the Inventory Structure<\/h3>\n\n\n\n
# Root inventory structure\nall:\n children:\n\n # Debian-based Linux servers (Debian, Ubuntu)\n linux_debian:\n hosts: {}\n\n # RedHat-based Linux servers (RHEL, Rocky, AlmaLinux, CentOS)\n linux_redhat:\n hosts: {}\n\n # Windows Server machines\n win_servers:\n hosts: {}\n\n # Windows Client machines (Windows 10\/11)\n win_clients:\n hosts: {}\n\n # Group containing all Linux systems (Debian + RedHat)\n linux:\n children:\n linux_debian: {}\n linux_redhat: {}\n\n # Group containing all Windows systems (Servers + Clients)\n windows:\n children:\n win_servers: {}\n win_clients: {}\n\n # vCenter endpoint\n vcenter:\n hosts: {}<\/code><\/pre>\n\n\n\n\n
\n\n\n\nStep 6: Create group_vars for Each OS Family<\/h3>\n\n\n\n
Debian Linux<\/h4>\n\n\n\n
# Settings specific to Debian-based Linux systems (Debian, Ubuntu)\nansible_connection: ssh\nansible_user: \"ansible\"\nansible_become: true\nansible_become_method: sudo\n\nlinux_package_manager: \"apt\"\nlinux_common_packages:\n - curl\n - vim\n - htop<\/code><\/pre>\n\n\n\nRedHat Linux<\/h4>\n\n\n\n
# Settings specific to RedHat-based Linux systems (RHEL, Rocky, AlmaLinux, CentOS)\nansible_connection: ssh\nansible_user: \"ansible\"\nansible_become: true\nansible_become_method: sudo\n\nlinux_package_manager: \"dnf\"\nlinux_common_packages:\n - curl\n - vim-enhanced\n - htop<\/code><\/pre>\n\n\n\nWindows Server<\/h4>\n\n\n\n
# Placeholder for future Windows Server group settings\n#\n# This file is intentionally empty for now. \n# When multiple Windows Server hosts are introduced, \n# shared configuration (baseline policies, defaults, \n# package lists, WinRM options, role mappings, etc.)\n# can be added here instead of duplicating them in host_vars.<\/code><\/pre>\n\n\n\nWindows Clients<\/h4>\n\n\n\n
# Placeholder for future Windows Client group settings\n#\n# At this stage, all configuration for Windows 10 is \n# host-specific, so this file remains empty.\n#\n# As the environment expands (multiple workstations, shared \n# hardening rules, security policies, software baselines, \n# or centralized parameters), this file will become the \n# natural location for settings that apply to all Windows \n# client VMs.<\/code><\/pre>\n\n\n\n
Today you may have a single Windows client and no Windows servers \u2014 but later you might add:<\/p>\n\n\n\n\n
The structure will already be in place.<\/p>\n\n\n\nvCenter Connection Configuration<\/h4>\n\n\n\n
# vCenter API connection settings\n\nansible_connection: local\n\nvcenter_hostname: \"vcsa.racklab.local\"\nvcenter_username: \"ansible@vsphere.local\"\nvcenter_password: \"{{ vault_vcenter_password }}\"\nvcenter_validate_certs: false<\/code><\/pre>\n\n\n\n\n
ansible_connection: local<\/code> setting ensures that provisioning tasks run on the Ansible control node instead of a remote host.<\/li>\n<\/ul>\n\n\n\n
\n\n\n\nStep 7: Create the Linux Base Role<\/h3>\n\n\n\n
defaults<\/h4>\n\n\n\n
# Default variables for Linux base configuration\nlinux_base_packages_extra: []<\/code><\/pre>\n\n\n\nmain entry point<\/h4>\n\n\n\n
# Main entry point for os_linux_base role\n\n- name: Include Debian-family tasks\n include_tasks: debian.yml\n when: ansible_os_family == \"Debian\"\n\n- name: Include RedHat-family tasks\n include_tasks: redhat.yml\n when: ansible_os_family == \"RedHat\"<\/code><\/pre>\n\n\n\nDebian logic<\/h4>\n\n\n\n
# Base configuration for Debian-based systems\n\n- name: Update APT cache\n apt:\n update_cache: true\n cache_valid_time: 3600\n\n- name: Install common packages on Debian systems\n apt:\n name: \"{{ linux_common_packages + linux_base_packages_extra }}\"\n state: present<\/code><\/pre>\n\n\n\nRedHat logic<\/h4>\n\n\n\n
# Base configuration for RedHat-based systems\n\n- name: Ensure DNF metadata is up to date\n dnf:\n update_cache: true\n\n- name: Install common packages on RedHat systems\n dnf:\n name: \"{{ linux_common_packages + linux_base_packages_extra }}\"\n state: present<\/code><\/pre>\n\n\n\n
\n\n\n\nStep 8: Create Central Template Mapping<\/h3>\n\n\n\n
# Template names used for OS provisioning\n\nlinux_debian_template: \"ubuntu-22-base\"\nlinux_redhat_template: \"rockylinux-9-base\"\nwin_server_template: \"win2022-golden\"\nwin_client_template: \"win10-template-no-sysprep\"<\/code><\/pre>\n\n\n\n\n
Using a Python virtual environment for Ansible and installing collections<\/h2>\n\n\n\n
\n
cd ~\/infra-ansible\npython3 -m venv .venv\nsource .venv\/bin\/activate<\/code><\/pre>\n\n\n\npip install --upgrade pip\npip install ansible-core pyvmomi requests<\/code><\/pre>\n\n\n\nansible-galaxy collection install -r collections\/requirements.yml<\/code><\/pre>\n\n\n\nsource .venv\/bin\/activate\ncd ~\/infra-ansible\nansible-playbook ...<\/code><\/pre>\n\n\n\nUsing Ansible Vault for Secure Credentials<\/h2>\n\n\n\n
vCenter passwords, Windows local admin passwords, domain join credentials, service accounts\u2026 All perfect candidates for leaking into Git history and ruining your day.<\/p>\n\n\n\nWhat We Store in Vault<\/h3>\n\n\n\n
\n
vault_vcenter_password<\/code><\/li>\n\n\n\nvault_win_admin_password<\/code><\/li>\n<\/ul>\n\n\n\nWhere We Store the Vault and Why<\/h3>\n\n\n\n
inventories\/lab\/group_vars\/all\/vault.yml<\/code><\/pre>\n\n\n\ngroup_vars\/all\/<\/code> has a big advantage:
Ansible loads it automatically for every playbook and every host.<\/strong>
This means:<\/p>\n\n\n\n\n
vars_files:<\/code> everywhere<\/li>\n\n\n\nansible HOST -m win_ping<\/code> also get access to the encrypted values<\/li>\n\n\n\nCreating the Vault File<\/h3>\n\n\n\n
ansible-vault create inventories\/lab\/group_vars\/all\/vault.yml<\/code><\/pre>\n\n\n\n--ask-vault-pass<\/code>).
Inside the file, we add our encrypted variables:<\/p>\n\n\n\nvault_vcenter_password: \"YourVCPasswordHere\"\nvault_win_admin_password: \"YourWindowsPasswordHere\"<\/code><\/pre>\n\n\n\nansible-vault edit inventories\/lab\/group_vars\/all\/vault.yml<\/code><\/pre>\n\n\n\nansible-vault view inventories\/lab\/group_vars\/all\/vault.yml<\/code><\/pre>\n\n\n\nUsing Vault Variables in Playbooks<\/h3>\n\n\n\n
Instead, we reference the encrypted values like any other variable:<\/p>\n\n\n\nvcenter_password: \"{{ vault_vcenter_password }}\"\nansible_password: \"{{ vault_win_admin_password }}\"<\/code><\/pre>\n\n\n\nansible-playbook ... --ask-vault-pass<\/code><\/pre>\n\n\n\nWrap-Up<\/h2>\n\n\n\n