一键导入
ansible-playbooks
Write idempotent Ansible playbooks and roles for server configuration, K8s node provisioning, and application bootstrap.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Write idempotent Ansible playbooks and roles for server configuration, K8s node provisioning, and application bootstrap.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Production-grade GitHub Actions workflows — reusable workflows, OIDC cloud auth, caching, matrix builds, and environment protection rules. Use when the user creates, reviews, or debugs CI/CD pipelines in .github/workflows, or asks about GitHub Actions deployment, OIDC authentication, or workflow optimization.
Systematic diagnosis of Kubernetes pod failures — CrashLoopBackOff, OOMKilled, Pending, ImagePullBackOff, and service connectivity issues. Use when the user encounters pods not starting, container restart loops, scheduling failures, or service unreachability in a K8s cluster.
Implement distributed tracing with OpenTelemetry, Tempo/Jaeger — instrumentation, sampling, and trace-to-log correlation. Use when the user asks about distributed tracing, OpenTelemetry setup, span instrumentation, trace propagation, or connecting traces to logs and metrics.
Design reusable React components with compound patterns, controlled/uncontrolled hybrids, typed prop APIs, async state handling, and ARIA accessibility. Use when the user creates, refactors, or reviews React components, or mentions props, hooks, .tsx files, component APIs, or accessible UI patterns.
Apply STRIDE threat modeling to system designs, identify IDOR and authorization vulnerabilities, and build threat matrices for security reviews. Use when the user designs a new system, reviews an architecture, prepares for a security audit, or asks about common API vulnerabilities like IDOR or broken access control.
Secure CI/CD pipelines with keyless signing, OIDC federation, provenance attestations, policy enforcement, and hardened runners.
| name | ansible-playbooks |
| type | skill |
| description | Write idempotent Ansible playbooks and roles for server configuration, K8s node provisioning, and application bootstrap. |
| related-rules | ["iac-standards.md","secret-hygiene.md"] |
| allowed-tools | Read, Write, Edit, Bash |
Expertise: Idempotent roles, inventory patterns, Vault integration, molecule testing, bare-metal K8s node prep.
When configuring bare-metal servers, provisioning K8s nodes, managing OS-level config, or rotating OS credentials.
roles/base-server/
├── tasks/
│ ├── main.yml ← imports sub-task files
│ ├── packages.yml
│ ├── sysctl.yml
│ └── users.yml
├── defaults/
│ └── main.yml ← all variables with sensible defaults
├── vars/
│ └── main.yml ← internal constants (not overridable)
├── templates/
│ └── sysctl.conf.j2
├── handlers/
│ └── main.yml ← restart services on change
└── meta/
└── main.yml ← role dependencies
# ✅ Package install — idempotent
- name: Install required packages
ansible.builtin.apt:
name:
- containerd
- curl
- jq
state: present
update_cache: true
when: ansible_os_family == "Debian"
# ✅ File with checksum validation — only copies if changed
- name: Configure containerd
ansible.builtin.template:
src: containerd-config.toml.j2
dest: /etc/containerd/config.toml
owner: root
group: root
mode: "0644"
notify: Restart containerd # handler only fires if file changed
# ✅ Service management
- name: Enable and start containerd
ansible.builtin.systemd:
name: containerd
enabled: true
state: started
daemon_reload: true
# handlers/main.yml
- name: Restart containerd
ansible.builtin.systemd:
name: containerd
state: restarted
- name: Reload sysctl
ansible.builtin.command: sysctl --system
changed_when: false
# inventory/production/hosts.ini
[control_plane]
cp-01 ansible_host=192.168.10.10
cp-02 ansible_host=192.168.10.11
cp-03 ansible_host=192.168.10.12
[workers]
worker-01 ansible_host=192.168.10.20
worker-02 ansible_host=192.168.10.21
[k8s_cluster:children]
control_plane
workers
[k8s_cluster:vars]
ansible_user=ubuntu
ansible_ssh_private_key_file=~/.ssh/infra-key
ansible_python_interpreter=/usr/bin/python3
# Encrypt a vars file
ansible-vault encrypt group_vars/all/vault.yml
# Inline encrypted variable
ansible-vault encrypt_string 'supersecretpassword' --name 'db_password'
# group_vars/all/vault.yml (encrypted)
vault_db_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
...
# group_vars/all/vars.yml (plain, references vault vars)
db_password: "{{ vault_db_password }}"
# playbooks/k8s-node-prep.yml
---
- name: Prepare K8s nodes
hosts: k8s_cluster
become: true
roles:
- role: base-server # OS hardening, packages
- role: k8s-prereqs # swap off, kernel modules, sysctl
- role: containerd # install + configure containerd
- role: kubeadm-install # install kubeadm, kubelet, kubectl (pinned)
# Dry run (check mode)
ansible-playbook -i inventory/production/hosts.ini \
playbooks/k8s-node-prep.yml --check --diff
# Run with vault password
ansible-playbook -i inventory/production/hosts.ini \
playbooks/k8s-node-prep.yml \
--vault-password-file ~/.ansible-vault-password
# Limit to specific hosts
ansible-playbook -i inventory/production/hosts.ini \
playbooks/k8s-node-prep.yml \
--limit "worker-01,worker-02"
# Tags for partial runs
ansible-playbook ... --tags "packages,sysctl" --skip-tags "users"
# Lint (enforce best practices)
ansible-lint playbooks/k8s-node-prep.yml
# Molecule test (spins container, runs playbook, verifies)
cd roles/base-server && molecule test