Last tasks

Day-01/playbook.yml

@@ -1,12 +0,0 @@
----
-- hosts: localhost
-  tasks:
-
-  - name: 'Call "id"'
-    command: id
-
-  - name: Copy a file
-    copy: src=test.txt dest=/tmp/test.txt backup=yes
-
-  - name: 'Call "cat /tmp/test.txt"'
-    command: cat /tmp/test.txt

ansible.cfg

@@ -1,5 +1,9 @@
 [defaults]
 inventory = ./inventory/
+gathering = smart
+fact_cachung_timeout = 86400
+fact_caching = yaml
+fact_caching_connection = ../cachdir/
 deprecation_warnings = false
 interpreter_discovery = auto
 remote_user = root

blocks.yml

@@ -0,0 +1,13 @@
+---
+- hosts: localhost
+  tasks:
+    - block:
+        - debug: msg='OK'
+        - shell: /bin/false
+        - debug: msg='Never'
+      rescue:
+        - debug: msg='ERR'
+        - shell: /bin/false
+        - debug: msg='Never again'
+      always:
+        - debug: msg='Always'

dokuwiki_inventory.yml

@@ -0,0 +1,5 @@
+---
+- hosts: all
+  roles:
+    - dokuwiki_inventory
+

dynmaic_groups.yml

@@ -0,0 +1,11 @@
+---
+- hosts: all
+  tasks:
+    - group_by:
+        key: "virt_{{ ansible_distribution }}"
+
+- hosts: virt_Debian
+  gather_facts: no
+  tasks:
+    - name: Testytest
+      shell: 'uname -a'

grep.yml

@@ -0,0 +1,14 @@
+---
+- hosts: localhost
+  tasks:
+    - command: "grep {{ username }} /etc/passwd"
+      register: result
+      ignore_errors: True
+
+    - debug:
+        msg: '{{ username }} exists'
+      when: result is success
+
+    - debug:
+        msg: '{{ username }} does not exist'
+      when: result is failed

group_vars/apt.yml

@@ -1,7 +1,2 @@
-ntp_servers:
-  - 0.debian.pool.ntp.org
-  - 1.debian.pool.ntp.org
-  - 2.debian.pool.ntp.org
-
 ntp_package_name : ntp
 ntp_service_name : ntp

host_vars/tn8-devuan9.yml

@@ -0,0 +1,2 @@
+---
+ssh_service_name: ssh

inventory/hosts

@@ -14,8 +14,8 @@ tn8-suse151 ansible_host=192.168.1.178
 tn8-ubu1604 ansible_host=192.168.1.170
 tn8-ubu1804 ansible_host=192.168.1.135
 tn8-ubu2004 ansible_host=192.168.1.185
-[void]
+#[void]
-tn8-void ansible_host=192.168.1.149
+#tn8-void ansible_host=192.168.1.149
 [apt:children]
 debian
 devuan
@@ -23,7 +23,7 @@ ubuntu
 [nosysd:children]
 alpine
 devuan
-void
+#void
 [sysd:children]
 centos
 debian

loop_include.yml

@@ -0,0 +1,9 @@
+---
+- hosts: localhost
+  tasks:
+    - include: loop_include_sub.yml
+      loop:
+        - A
+        - B
+      loop_control:
+        loop_var: outer

loop_include_sub.yml

@@ -0,0 +1,8 @@
+---
+- debug: "msg='{{ my_idx }} Innen: {{ item }}, Außen: {{ outer }}'"
+  loop:
+    - 1
+    - 2
+  loop_control:
+    index_var: my_idx
+    label: "Testytest"

monitored.yml

@@ -0,0 +1,7 @@
+---
+- hosts: all
+  vars:
+    monitored_by_ssh: True
+    monitored_by_nrpe: True
+  roles:
+    - monitored

ntp.yml

@@ -1,29 +0,0 @@
----
-- hosts: sysd
-
-  tasks:
-
-    - name: Install NTP
-      package:
-        name: "{{ ntp_package_name }}"
-        state: latest
-
-    - name: Template Config
-      template:
-        src: "{{ ntp_package_name }}.conf.j2"
-        dest: "/etc/{{ ntp_package_name  }}.conf"
-        mode: 0644
-        owner: root
-        group: root
-        backup: yes
-
-    - name: Restart Service
-      service:
-        name: "{{ ntp_service_name }}"
-        state: restarted
-
-    - name: Ensure Running
-      service:
-        name: "{{ ntp_service_name }}"
-        state: started
-        enabled: yes

playbook.yml

@@ -0,0 +1,4 @@
+---
+- hosts: sysd
+  roles:
+    - ntp

pre_post_tasks.yml

@@ -0,0 +1,19 @@
+---
+- hosts: localhost
+
+  pre_tasks:
+    - name: Create a FACT
+      set_fact:
+        test_fact: test_fact
+      tags:
+        always
+
+  tasks:
+    - name: Print a msg
+      debug:
+        msg: This far
+
+  post_tasks:
+    - name: Get a FACT
+      setup:
+        filter: test_fact

roles/dokuwiki_inventory/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+doku_path: /var/lib/dokuwiki/data/pages/inventory

roles/dokuwiki_inventory/tasks/main.yml

@@ -0,0 +1,21 @@
+---
+- name: Create Inventory Folder
+  local_action:
+    module: file
+    path: "{{ doku_path }}"
+    state: directory
+    mode: 0755
+  run_once: True
+
+- name: Write Wiki Page
+  local_action:
+    module: template
+    src: host.j2
+    dest: "{{ doku_path }}/{{ inventory_hostname }}.txt"
+
+- name: Write Index Page
+  local_action:
+    module: template
+    src: start.j2
+    dest: "{{ doku_path }}/start.txt"
+  run_once: True

roles/dokuwiki_inventory/templates/host.j2

@@ -0,0 +1,32 @@
+====== {{ inventory_hostname }} ======
+  * FQDN: {{ ansible_fqdn }} -- {{ ansible_default_ipv4.address }}
+  * Product: **{{ ansible_system_vendor|default("N/A") }}** {{ ansible_product_name|default("N/A") }} (S/N: {{ ansible_product_serial }}), {{ ansible_form_factor }}
+  * Virtualization: {{ ansible_virtualization_role }} / {{ ansible_virtualization_type }}
+  * CPUs: {{ ansible_processor_vcpus }} ( {{ ansible_processor_count }} x {{ ansible_processor_cores }} Cores x {{ ansible_processor_threads_per_core }} Threads )
+  * CPU-Type: {{ ansible_processor[2] }}
+  * RAM: {{ ansible_memtotal_mb }} MB
+  * Swap: {{ "%0.2f" % (ansible_swaptotal_mb / 1024) }} GB
+  * OS: {{ ansible_distribution }} {{ ansible_distribution_version }}
+  * Kernel: {{ ansible_kernel }}
+  * Init: {{ ansible_service_mgr }}
+  * IPs:
+    * IPv4: {{ ansible_all_ipv4_addresses|join(', ') }}
+    * IPv6: {{ ansible_all_ipv6_addresses|join(', ') }}
+
+
+Mountpoints:
+| Source | Mountpoint | Filesystem |
+{% for m in ansible_mounts %}
+| ''{{ m.device }}'' | ''{{ m.mount }}'' | ''{{ m.fstype }}'' |
+{% endfor %}
+
+  * AppArmor: {{ ansible_apparmor.status }}
+  * SE-Linux: {{ ansible_selinux.status }}
+  * SSH-Host-Keys:
+    * DSA: ''{{ ansible_ssh_host_key_dsa_public|default("N/A") }}''
+    * RSA: ''{{ ansible_ssh_host_key_rsa_public|default("N/A") }}''
+    * ECDSA: ''{{ ansible_ssh_host_key_ecdsa_public|default("N/A") }}''
+    * Ed25519: ''{{ ansible_ssh_host_key_ed25519_public|default("N/A") }}''
+
+----
+//{{ ansible_managed }}//

roles/dokuwiki_inventory/templates/start.j2

@@ -0,0 +1,4 @@
+{% for h in hostvars|sort %}
+  * [[ {{ h }} ]]
+{% endfor %}
+

roles/epel

@@ -0,0 +1 @@
+Subproject commit c5d6c7fd84999febc117e5b97a78d63158d56912

roles/hosts/tasks/main.yml

@@ -0,0 +1,27 @@
+---
+- name: Detect domain name
+  set_fact:
+    domainname: "{{ ansible_dns.domain|default(False) or ansible_dns.search.0|default(False) or ansible_domain|default(False) or 'invalid'}}"
+
+- name: Add name/IP to hosts file
+  lineinfile:
+    dest: /etc/hosts
+    regexp: '^{{ ansible_default_ipv4.address }}'
+    line: '{{ ansible_default_ipv4.address }} {{ ansible_hostname }}.{{ domainname }} {{ ansible_hostname }}'
+    backup: yes
+
+- name: Clean/remove 127.0.1.1
+  lineinfile:
+    dest: /etc/hosts
+    regexp: '^127.0.1.1'
+    state: absent
+    backup: yes
+
+- name: Ensure 127.0.0.1 localhost
+  lineinfile:
+    dest: /etc/hosts
+    regexp: '127.0.0.1'
+    line: '127.0.0.1 localhost localhost.localdomain'
+    insertbefore: BOF
+    backup: yes
+

roles/monitored

@@ -0,0 +1 @@
+Subproject commit 22b2fd3c3a5f631e4e5c2adb67798af91cedc550

roles/ntp/defaults/main.yml

@@ -0,0 +1,4 @@
+ntp_servers:
+  - 0.debian.pool.ntp.org
+  - 1.debian.pool.ntp.org
+  - 2.debian.pool.ntp.org

roles/ntp/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart NTP
+  service:
+    name: "{{ ntp_service_name }}"
+    state: restarted

roles/ntp/tasks/main.yml

@@ -0,0 +1,26 @@
+---
+- name: Install NTP
+  package:
+    name: "{{ ntp_package_name }}"
+    state: latest
+
+- name: Template Config
+  template:
+    src: "etc/{{ ntp_package_name }}.conf.j2"
+    dest: "/etc/{{ ntp_package_name  }}.conf"
+    mode: 0644
+    owner: root
+    group: root
+    backup: yes
+  notify: Restart NTP
+
+- name: Restart Service
+  service:
+    name: "{{ ntp_service_name }}"
+    state: restarted
+
+- name: Ensure Running
+  service:
+    name: "{{ ntp_service_name }}"
+    state: started
+    enabled: yes

roles/ssh-keyonly/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+ssh_service_name: sshd

roles/ssh-keyonly/tasks/main.yml

@@ -0,0 +1,18 @@
+---
+- name: "Set «PermitRootLogin» to «without-password»"
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: '^#? *PermitRootLogin'
+    line: "PermitRootLogin without-password"
+    backup: yes
+  register: sshconfigchanged
+
+
+- name: Restart sshd
+  service:
+    name: "{{ ssh_service_name }}"
+    state: restarted
+    sleep: 5
+  when: sshconfigchanged is changed
+
+

roles/webcluster/roles/web_base/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+ntp_server:
+  - 0.de.pool.ntp.org
+  - 1.de.pool.ntp.org
+  - 2.de.pool.ntp.org

roles/webcluster/roles/web_base/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - { role: ntp }

roles/webcluster/roles/web_db/defaults/main.yml

@@ -0,0 +1,11 @@
+---
+db_packages:
+  - mariadb-server
+  - python-mysqldb
+
+db_servicename: mysql
+
+db_name: webapp
+db_user: webappuser
+db_password: webapppw
+

roles/webcluster/roles/web_db/tasks/main.yml

@@ -0,0 +1,27 @@
+---
+- name: Install software
+  package:
+    name: "{{ item }}"
+    state: present
+  with_items: "{{ db_packages }}"
+
+- name: MariaDB enable service
+  service:
+    name: "{{ db_servicename }}"
+    state: started
+    enabled: yes
+
+- name: MariaDB create DB
+  mysql_db:
+    name: "{{ db_name }}"
+    state: present
+
+- name: MariaDB create user
+  mysql_user:
+    name: "{{ db_user }}"
+    password: "{{ db_password }}"
+    priv: '{{ db_name }}.*:ALL'
+    host: '%'
+    state: present
+
+

roles/webcluster/roles/web_lb/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+lb_packages:
+  - haproxy
+  - socat
+

roles/webcluster/roles/web_lb/handlers/main.yml

@@ -0,0 +1,12 @@
+---
+- name: Restart HAProxy
+  service:
+    name: haproxy
+    state: restarted
+
+- name: Restart RSyslog
+  service:
+    name: rsyslog
+    state: restarted
+
+

roles/webcluster/roles/web_lb/tasks/main.yml

@@ -0,0 +1,24 @@
+---
+- name: Install software
+  package:
+    name: "{{ item }}"
+    state: latest
+  with_items: "{{ lb_packages }}"
+  notify: Restart RSyslog
+
+- name: HAProxy enable service
+  service:
+    name: haproxy
+    enabled: yes
+    state: started
+
+- name: HAProxy create config
+  template:
+    dest: "/etc/haproxy/haproxy.cfg"
+    src: "haproxy.cfg.j2"
+    mode: 0644
+    backup: yes
+  notify:
+    - Restart HAProxy
+    - Restart RSyslog
+

roles/webcluster/roles/web_lb/templates/haproxy.cfg.j2

@@ -0,0 +1,58 @@
+global
+	log	127.0.0.1 local0
+	log	127.0.0.1 local1 notice
+	chroot /var/lib/haproxy
+	stats socket /run/haproxy/admin.sock mode 660 level admin
+	stats timeout 30s
+	user haproxy
+	group haproxy
+	daemon
+
+	# Default SSL material locations
+	ca-base /etc/ssl/certs
+	crt-base /etc/ssl/private
+
+	# Default ciphers to use on SSL-enabled listening sockets.
+	# For more information, see ciphers(1SSL).
+	ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
+
+defaults
+	log	global
+	mode	http
+	option	httplog
+	option	dontlognull
+	timeout connect 5000
+	timeout client	50000
+	timeout server	50000
+	errorfile 400 /etc/haproxy/errors/400.http
+	errorfile 403 /etc/haproxy/errors/403.http
+	errorfile 408 /etc/haproxy/errors/408.http
+	errorfile 500 /etc/haproxy/errors/500.http
+	errorfile 502 /etc/haproxy/errors/502.http
+	errorfile 503 /etc/haproxy/errors/503.http
+	errorfile 504 /etc/haproxy/errors/504.http
+
+frontend	localnodes
+	bind		*:80
+	mode		http
+	default_backend	nodes
+
+backend		nodes
+	mode		http
+	balance		roundrobin
+	option		forwardfor
+	http-request	set-header X-Forwarded-Port %[dst_port]
+	http-request	add-header X-Forwarded-Proto https if { ssl_fc }
+	option		httpchk HEAD / HTTP/1.1\r\nHost:localhost
+	#server		worker_01 172.22.244.81:80 check
+	{% for host in groups['worker'] %}
+	  server  {{ hostvars[host]['inventory_hostname'] }}  {{ hostvars[host]['ansible_default_ipv4'].address }}:80 check
+	{% endfor %}
+
+listen stats
+	bind *:1936
+	stats enable
+	stats uri /
+	stats hide-version
+	stats auth admin:admin
+

roles/webcluster/roles/web_worker/defaults/main.yml

@@ -0,0 +1,25 @@
+---
+worker_packages:
+  - apache2
+  - php-fpm
+  - php-mysql
+
+worker_a2mods:
+  - mpm_event
+  - proxy
+  - proxy_fcgi
+  - rewrite
+
+worker_a2dissites:
+  - 000-default.conf
+  - default-ssl.conf
+
+worker_a2ensites:
+  - worker.conf
+
+worker_a2docroots:
+  - var/www/worker
+
+worker_phpfpmpools:
+  - etc/php/7.0/fpm/pool.d/worker.conf
+

roles/webcluster/roles/web_worker/files/var/www/worker/index.php

@@ -0,0 +1 @@
+<?php phpinfo(); ?>

roles/webcluster/roles/web_worker/handlers/main.yml

@@ -0,0 +1,11 @@
+---
+- name: Restart Apache2
+  service:
+    name: apache2
+    state: restarted
+
+- name: Restart PHP-FPM
+  service:
+    name: php7.0-fpm
+    state: restarted
+

roles/webcluster/roles/web_worker/tasks/db_update.yml

@@ -0,0 +1,5 @@
+---
+- name: Update DB schema
+  command: {{ worker_dbupdate_command }}
+  run_once: True
+

roles/webcluster/roles/web_worker/tasks/main.yml

@@ -0,0 +1 @@
+main_with_haproxy.yml

roles/webcluster/roles/web_worker/tasks/main_with_haproxy.yml

@@ -0,0 +1,92 @@
+---
+- name: Install software
+  package:
+    name: "{{ item }}"
+    state: latest
+  with_items: "{{ worker_packages }}"
+
+- name: Apache2 enable modules
+  apache2_module:
+    name: "{{ item }}"
+    state: present
+  with_items: "{{ worker_a2mods }}"
+  notify: Restart Apache2
+
+- name: Apache2 disable sites
+  file:
+    path: "/etc/apache2/sites-enabled/{{ item }}"
+    state: absent
+  with_items: "{{ worker_a2dissites }}"
+  notify: Restart Apache2
+
+- name: Apache2 create vhosts
+  template:
+    dest: "/etc/apache2/sites-available/{{ item }}"
+    src: "etc/apache2/sites-available/{{ item }}.j2"
+    mode: 0644
+    backup: yes
+  with_items: "{{ worker_a2ensites }}"
+  notify: Restart Apache2
+
+- name: Apache2 enable sites
+  file:
+    path: "/etc/apache2/sites-enabled/{{ item }}"
+    src: "/etc/apache2/sites-available/{{ item }}"
+    state: link
+    force: yes
+  with_items: "{{ worker_a2ensites }}"
+  notify: Restart Apache2
+
+- name: Apache2 create DocRoots
+  file:
+    path: "/{{ item }}"
+    state: directory
+    mode: 0755
+  with_items: "{{ worker_a2docroots }}"
+  notify: Restart Apache2
+
+- name: PHP Install pools
+  template:
+    dest: "/{{ item }}"
+    src: "{{ item }}.j2"
+    mode: 0644
+    backup: yes
+  with_items: "{{ worker_phpfpmpools }}"
+  notify: Restart PHP-FPM
+
+- name: Disable worker in load balancers
+  haproxy:
+    socket: /run/haproxy/admin.sock
+    backend: nodes
+    host: "{{ inventory_hostname }}"
+    state: disabled
+  delegate_to: "{{ item }}"
+  with_items: "{{ groups.lb }}"
+
+- name: Apache2 copy websites
+  copy:
+    dest: "/{{ item }}/"
+    src: "{{ item }}/"
+    backup: yes
+  with_items: "{{ worker_a2docroots }}"
+
+- name: Apache2 template dummy index.html
+  template:
+    dest: "/{{ item }}/index.html"
+    src: "{{ item }}/index.html.j2"
+    mode: 0644
+    backup: yes
+  with_items: "{{ worker_a2docroots }}"
+
+- name: Sleep 30 seconds...
+  pause: seconds=30
+
+- name: Enable worker in load balancers
+  haproxy:
+    socket: /run/haproxy/admin.sock
+    backend: nodes
+    host: "{{ inventory_hostname }}"
+    state: enabled
+  delegate_to: "{{ item }}"
+  with_items: "{{ groups.lb }}"
+

roles/webcluster/roles/web_worker/tasks/main_with_socat.yml

@@ -0,0 +1,84 @@
+---
+- name: Install software
+  package:
+    name: "{{ item }}"
+    state: latest
+  with_items: "{{ worker_packages }}"
+
+- name: Apache2 enable modules
+  apache2_module:
+    name: "{{ item }}"
+    state: present
+  with_items: "{{ worker_a2mods }}"
+  notify: Restart Apache2
+
+- name: Apache2 disable sites
+  file:
+    path: "/etc/apache2/sites-enabled/{{ item }}"
+    state: absent
+  with_items: "{{ worker_a2dissites }}"
+  notify: Restart Apache2
+
+- name: Apache2 create vhosts
+  template:
+    dest: "/etc/apache2/sites-available/{{ item }}"
+    src: "etc/apache2/sites-available/{{ item }}.j2"
+    mode: 0644
+    backup: yes
+  with_items: "{{ worker_a2ensites }}"
+  notify: Restart Apache2
+
+- name: Apache2 disable sites
+  file:
+    path: "/etc/apache2/sites-enabled/{{ item }}"
+    src: "/etc/apache2/sites-available/{{ item }}"
+    state: link
+    force: yes
+  with_items: "{{ worker_a2ensites }}"
+  notify: Restart Apache2
+
+- name: Apache2 create DocRoots
+  file:
+    path: "/{{ item }}"
+    state: directory
+    mode: 0755
+  with_items: "{{ worker_a2docroots }}"
+  notify: Restart Apache2
+
+- name: PHP Install pools
+  template:
+    dest: "/{{ item }}"
+    src: "{{ item }}.j2"
+    mode: 0644
+    backup: yes
+  with_items: "{{ worker_phpfpmpools }}"
+  notify: Restart PHP-FPM
+
+- name: Disable worker in load balancers
+  shell: "echo disable server nodes/{{ inventory_hostname }} | socat stdio /run/haproxy/admin.sock"
+  delegate_to: "{{ item }}"
+  with_items: "{{ groups.lb }}"
+
+- name: Apache2 copy websites
+  copy:
+    dest: "/{{ item }}/"
+    src: "{{ item }}/"
+    backup: yes
+  with_items: "{{ worker_a2docroots }}"
+
+- name: Apache2 template dummy index.html
+  template:
+    dest: "/{{ item }}/index.html"
+    src: "{{ item }}/index.html.j2"
+    mode: 0644
+    backup: yes
+  with_items: "{{ worker_a2docroots }}"
+
+- name: Sleep 30 seconds...
+  pause: seconds=30
+
+- name: Enable worker in load balancers
+  shell: 'echo "enable server nodes/{{ inventory_hostname }}" | socat stdio /run/haproxy/admin.sock'
+  delegate_to: "{{ item }}"
+  with_items: "{{ groups.lb }}"
+

roles/webcluster/roles/web_worker/templates/etc/apache2/sites-available/worker.conf.j2

@@ -0,0 +1,11 @@
+<VirtualHost *:80>
+	ServerName	{{ inventory_hostname }}
+	DocumentRoot	/var/www/worker
+
+	ProxyPassMatch	^/(.*\.php(/.*)?)$	fcgi://127.0.0.1:4001/var/www/worker/$1
+
+	DirectoryIndex	index.php index.xhtml index.html
+
+	ErrorLog	${APACHE_LOG_DIR}/worker_{{ inventory_hostname }}.error.log
+	CustomLog	${APACHE_LOG_DIR}/worker_{{ inventory_hostname }}.access.log combined
+</VirtualHost>

roles/webcluster/roles/web_worker/templates/etc/php/7.0/fpm/pool.d/worker.conf.j2

@@ -0,0 +1,12 @@
+[worker]
+user = www-data
+group = www-data
+listen = 127.0.0.1:4001
+listen.owner = www-data
+listen.group = www-data
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 3
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+

roles/webcluster/roles/web_worker/templates/var/www/worker/index.html.j2

@@ -0,0 +1 @@
+<h1>{{ inventory_hostname }}</h1>

roles/webcluster/web_db.yml

@@ -0,0 +1,6 @@
+---
+- hosts: db
+  roles:
+    - web_db
+
+

roles/webcluster/web_lb.yml

@@ -0,0 +1,8 @@
+---
+- hosts: worker
+  tasks: []
+
+- hosts: lb
+  roles:
+    - web_lb
+

roles/webcluster/web_site.yml

@@ -0,0 +1,23 @@
+---
+- hosts: all
+  roles:
+    - web_base
+
+- hosts: lb
+  serial: "25%"
+  max_fail_percentage: 40
+  roles:
+    - web_lb
+
+- hosts: db
+  serial: 1
+  max_fail_percentage: 10
+  roles:
+    - web_db
+
+- hosts: worker
+  serial: 2
+  max_fail_percentage: 20
+  roles:
+    - web_worker
+

roles/webcluster/web_worker.yml

@@ -0,0 +1,10 @@
+---
+- hosts: lb
+  tasks: []
+
+- hosts: worker
+  serial: 2
+  max_fail_percentage: 20
+  roles:
+    - web_worker
+