
Semaphore

Semaphore UI is a modern way to run Ansible with an easy-to-use GUI. It's a good alternative to Ansible Tower or AWX. You can store your vault secrets and run playbooks on a schedule. Decyphertek has also set up Ansible with some basic playbooks to help you get started. AWS Marketplace: Semaphore UI

SSH into the Semaphore server:

  • Linux + Mac - add .pem key to ~/.ssh/id_rsa > change permissions > chmod 400 id_rsa
  • If using putty or mobaxterm make sure to convert .pem to .ppk using puttygen.
  • Linux + Mac - ssh semaphore@ip-of-server
  • Windows - utilize putty or mobaxterm

Semaphore login & password:

  • Run from Terminal to find your password - cat passwords.txt
  • Go to your browser - https://ip-of-server
  • Log in to the Semaphore GUI - username: semaphore password: SEMAPHORE_USER_PASS listed in passwords.txt
  • Optional: Change Semaphore Password - Bottom left > Click on semaphore > Edit Accounts > Enter your new password.
  • Log in to MariaDB from the terminal: sudo mysql -u root -p - Password: SEMAPHORE_DB_PASS listed in passwords.txt
  • Change mariadb password : Login to terminal > sudo mysqladmin -u root -p'your_password' password "new_password"
  • Ansible playbooks/roles: cd /home/semaphore/.ansible - you can list the files in this directory - ls

Setup Ansible / OpenTofu in Semaphore:

  • Create a project: Can be accessed on the main page when you first log in.
  • Create an Environment {}: On the left side, select Environment > Select New Environment (can be empty {} or have env variables).
  • Add an ssh key/Password to keystore: On the left side, select Key Store > Select New Key > enter name key & select ssh key or password.
  • Create an Inventory: On the left side, select Inventory > Enter name, select saved credentials, select Static (Hosts).
[test_server]
172.31.95.4 ansible_host=172.31.95.4 ansible_user=admin
  • Create a repository: Left side, Select Repositories > Select New Repository > Enter name, URL or Path = /home/semaphore/.ansible/playbooks/, select key.
  • Create a Task Template : Runs an Ansible playbook
Name: decyphertek
Playbook Filename: /home/semaphore/.ansible/playbooks/ufw/ufw_install.yml
Select established: Inventory, Repository, Environment.
  • Before you run a task playbook, you need to SSH into the target server from Semaphore via the terminal.
  • Log in to the Semaphore terminal > add your private key > SSH into the target server, so its host key gets added to known_hosts.
vim ~/.ssh/id_rsa 
chmod 400 id_rsa 
ssh username@ip-of-server
  • Run a Task/playbook : Left side Task Templates > Select RUN next to the task.
  • Follow similar steps for Terraform / OpenTofu - https://docs.semui.co/user-guide/task-templates/terraform
  • Opentofu Docs - https://opentofu.org/docs/
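The two key-handling steps above (copy the .pem key into ~/.ssh with chmod 400, then SSH to the target once so its host key lands in known_hosts) are easy to get slightly wrong: a key that is group- or world-readable is rejected by ssh, and a missing known_hosts entry leaves Ansible waiting on a host-key prompt. The script below is an added example, not part of the Decyphertek image or the Semaphore project; the paths and function names are assumptions. It installs a key with owner-only permissions, verifies the mode, and pre-seeds known_hosts with ssh-keyscan.

```shell
#!/bin/sh
# Added example for the Semaphore host: install a private key for the
# semaphore user with strict permissions and record the target's host key.
# Function names and default paths are assumptions, not Semaphore's own.

# Copy a downloaded .pem key into ~/.ssh, readable only by the owner (0400).
# Usage: install_private_key /path/to/downloaded.pem [~/.ssh/id_rsa]
install_private_key() {
    src="$1"
    dst="${2:-$HOME/.ssh/id_rsa}"
    [ -r "$src" ] || { echo "cannot read key: $src" >&2; return 1; }
    mkdir -p "$(dirname "$dst")"
    chmod 700 "$(dirname "$dst")"
    # umask 077 so the copy is never group/world readable, even briefly
    (umask 077 && cp "$src" "$dst") || return 1
    chmod 400 "$dst"
}

# Return 0 only if the key file is readable by its owner alone
# (mode r-------- or rw-------), which is what ssh insists on.
key_perms_ok() {
    mode=$(ls -ld "$1" | cut -c2-10)
    [ "$mode" = "r--------" ] || [ "$mode" = "rw-------" ]
}

# Record the target's host key so later ssh/Ansible runs can verify it
# without an interactive prompt. Needs network reach to the host.
# Usage: add_known_host 172.31.95.4 [~/.ssh/known_hosts]
add_known_host() {
    host="$1"
    kh="${2:-$HOME/.ssh/known_hosts}"
    mkdir -p "$(dirname "$kh")"
    ssh-keyscan -H "$host" >> "$kh" 2>/dev/null || return 1
    chmod 600 "$kh"
}

# Check whether a host already has an entry (hashed or plain) in known_hosts.
known_host_present() {
    ssh-keygen -F "$1" -f "${2:-$HOME/.ssh/known_hosts}" >/dev/null 2>&1
}
```

Run the three steps in order on the Semaphore server (install_private_key, add_known_host, then the ssh test from the page); compare the fingerprint ssh-keyscan recorded against the one shown on the target's console before trusting it, since ssh-keyscan trusts whatever answers on the first connection.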

Troubleshooting:

  • AWS Basics - https://decyphertek.readthedocs.io/en/latest/products/aws-basics/
  • Make sure you are accessing https://ip-of-server
  • Your passwords are in /home/semaphore/passwords.txt - cat /home/semaphore/passwords.txt
  • Make sure you set up projects, Environment, SSH key, inventory, repository, and task.
  • Ensure the public SSH key is on the target server & there is a route, so Ansible Semaphore can run properly.
  • Manage semaphore from systemd - sudo systemctl status semaphore
  • Manage nginx from systemd - sudo systemctl status nginx

Additional Security Features:

  • Ossec Hids - https://decyphertek.readthedocs.io/en/latest/technotes/OSSEC/
  • Crowdsec IPS - https://decyphertek.readthedocs.io/en/latest/technotes/Crowdsec/
  • UFW Host Firewall - https://decyphertek.readthedocs.io/en/latest/technotes/UFW/
  • Auditd Logging - https://decyphertek.readthedocs.io/en/latest/technotes/Auditd/
  • Automated Updates - Update script upon first boot and at 3am daily.

References:

  • https://www.semui.co/
  • https://docs.semui.co/