| # ARA and central mgmt node |
| |
While `sysadmins` with ssh/sudo rights on servers can themselves trigger ad-hoc or role tasks remotely through ansible from their own workstation, that is *not* the best practice.
| |
Depending on the environment (and its specific requirements), we usually have one [host](https://github.com/CentOS/ansible-role-ansible-host) that is used to control the whole infra/environment.
| |
On that host, we use [ARA](https://ara.recordsansible.org/) to keep track of playbook executions, while we also have `log_path` set so that runs are additionally written to on-disk log files (rotated).
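As an added example (not configuration taken from the CentOS infra or from the ARA project), the following shell snippet renders an `ansible.cfg` for such a central host that enables the ARA callback plugin and sets `log_path`, and includes a small check that both recording paths are in place. The plugin directories and the log path are assumptions; on a real host the two directories come from the installed `ara` package via `python3 -m ara.setup.callback_plugins` and `python3 -m ara.setup.action_plugins`.

```shell
#!/bin/sh
# Added example, not part of the CentOS infra docs or of ARA itself.
# Renders the ansible.cfg of a central management host so that every
# play run from it is recorded in ARA and appended to an on-disk log.
# All paths used here are assumptions.

# render_central_cfg <callback_plugins_dir> <action_plugins_dir> <log_path>
# Prints an ansible.cfg to stdout.
render_central_cfg() {
  cb_dir="$1"; act_dir="$2"; log_path="$3"
  cat <<EOF
[defaults]
# ARA records each playbook run (tasks, hosts, results) through its callback plugin.
callback_plugins = ${cb_dir}
# ARA's action plugins let a play record extra data (ara_record) when needed.
action_plugins = ${act_dir}
# Plain-text log of every run; rotation is handled separately by logrotate.
log_path = ${log_path}
EOF
}

# check_central_cfg <file>: returns 0 only if both log_path and
# callback_plugins are set to absolute paths, i.e. runs from this host
# are recorded both in ARA and on disk.
check_central_cfg() {
  grep -q '^log_path = /' "$1" && grep -q '^callback_plugins = /' "$1"
}

# Typical use on the central host (assumed target path):
#   render_central_cfg "$(python3 -m ara.setup.callback_plugins)" \
#                      "$(python3 -m ara.setup.action_plugins)" \
#                      /var/log/ansible/ansible.log > /etc/ansible/ansible.cfg
#   check_central_cfg /etc/ansible/ansible.cfg
```

With both settings in place, an ad-hoc role run kicked from this host shows up in the ARA web interface and in the rotated log file, which is what makes the central host, rather than individual workstations, the place from which plays should be launched.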
| |
So the workflow goes like this:
| |
* a sysadmin with RWC rights pushes the needed change[s] to either the `inventory`, `filestore` or `pkistore` git repo
* two cases:
  * it can wait for the next automatic execution: do nothing and ansible will deploy your change (for example a simple TLS cert replacement and reload) when the next (cron) "play all roles on all nodes" task runs
  * it has to be done `now`: you kick the role task from the central ansible host to be run directly
| |
| |