Ansible - Getting a list of ip addresses for a specfic group

I had a very simple problem.  I needed to get a list of IP addresses from a group of slave servers  in inventory to use as part of a firewall ruleset task in a playbook for a master server (so access was only allowed to the master from the slaves).  I knew the ip addresses were accessible via hostvars but as I only run this playbook on the master (I don't use a site.yml type god playbook) I knew I needed to run something on the slaves first to gather the facts that build hostvars  Also I wasn't using a template so that ruled out using for loops in jinja2.

My approach to solving this was:

• Create a playbook the runs on the slave servers but does nothing
• Include this playbook in the master server playbook
• Filter the hostvars data to produce a list consisting only of the ip4 addresses for a specific host group

Note: You need ansible >= 2.1 for this to work for the map extract feature

slave_do_nothing.yml
---
# Does nothing but will gather facts for later use
- hosts: slave
  tasks: [] 

master_server_test.yml
---
- include: slave_do_nothing.yml
- hosts: master
  tasks:
    - name: Do something with the slave ip address now in item
      set_fact:
         n00b: "{{ n00b| default([]) + [item] }}"
      with_items:
        "{{ groups['slave']|map('extract', hostvars,
        ['ansible_eth0', 'ipv4', 'address'])|list }}"

    - debug: msg="{{ n00b }}"

I've included something else I also discovered along the way which was how to create a list and append items to it.  You can see that fact n00b is created and defaults to a empty list and we add each item that is passed from with_items.  We then use debug to print it at the end (a list of ip addresses).  This should be very useful for debugging tasks in the future.

As a further example here is the task I use in a playbook for an icecast master server  to allow inbound connections from the icecast relays.

- name: Allow inbound from icecast relays
  firewalld:
    zone: public
    state: enabled
    permanent: true
    immediate: true
    rich_rule:
      "rule family=ipv4 source address={{ item }}
      port port={{ icecast_port }} protocol=tcp accept"
  with_items:
    "{{ groups['icecast-relay']|map('extract', hostvars,
    ['ansible_eth0', 'ipv4', 'address'])|list }}"

More Xbox One Firewall Rules - Elite Dangerous

Elite Dangerous needs UDP 19364 outbound!

SSH Don't offer a key, use a password

This is a problem i've been having more and more as my collection of keys and ~/.ssh.config grows. Sometimes you just need to log in with a password but ssh will try all of your keys and then the server prevents you from trying a password challenge because you've failed too many logins e.g.

Received disconnect from 10.12.66.18: 2: Too many authentication failures for ...

Just use ssh -o PubkeyAuthentication=no 

Disable Anonymous Binds in IPA v3 (and enable them again)

I was not entirely happy with the documentation for this here: 
While correct, It gives me no idea how to check the current configuration or how to turn anonymous binds back on again, or how to test my changes

Here is my approach:

Check the current config with this ldap query (there may be room for optimising this)
ldapsearch -x -u -h ipa.server -b cn=config "(cn=config)" nsslapd-allow-anonymous-access -W -D "cn=Directory Manager" 

That should yield:
...
nsslapd-allow-anonymous-access: on

or
...
nsslapd-allow-anonymous-access: rootdse

I then created two simple ldifs to enable and disable anonymous binds

disable-anonymous-binds.ldif
# disable-anonymous-binds.ldif
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse

enable-anonymous-binds.ldif
# enable-anonymous-binds.ldif
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: on 

Either of which can be run with
ldapmodify -x -D "cn=Directory Manager" -W -h ipa.server enable|disable-anonymous-binds.ldif