{"id":1082,"date":"2025-05-22T12:09:02","date_gmt":"2025-05-22T10:09:02","guid":{"rendered":"https:\/\/chrisengelhard.nl\/ansible-best-practices-and-security-when-to-use-and-when-not\/"},"modified":"2026-05-04T19:27:32","modified_gmt":"2026-05-04T17:27:32","slug":"ansible-best-practices-and-security-when-to-use-and-when-not","status":"publish","type":"post","link":"https:\/\/chrisengelhard.nl\/en\/ansible-best-practices-and-security-when-to-use-and-when-not\/","title":{"rendered":"Ansible best practices and security: when to use and when not"},"content":{"rendered":"\n<div id=\"inhoudsopgave\"><\/div><section class=\"wp-block-greenshift-blocks-container gspb_container gspb_container-gsbp-d15c2ca\" id=\"gspb_container-id-gsbp-d15c2ca\">\n<p><strong>Table of Contents<\/strong><\/p>\n\n\n\n<div class=\"wp-block-greenshift-blocks-toc gs-toc gspb_toc-id-gsbp-754f43d\" id=\"gspb_toc-id-gsbp-754f43d\" itemscope itemtype=\"https:\/\/schema.org\/ItemList\"><div class=\"gs-autolist\"><div class=\"gs-autolist-item\" itemscope itemprop=\"itemListElement\" itemtype=\"https:\/\/schema.org\/ListItem\"><span class=\"gs-autolist-number\">1<\/span><span class=\"gs-autolist-title\"><meta itemprop=\"name\" content=\"Wat is het idee achter SSH-monitoring met Ansible?\"\/><a class=\"gs-scrollto\" href=\"#wat-is-het-idee-achter-ssh-monitoring-met-ansible\">Wat is het idee achter SSH-monitoring met Ansible?<\/a><\/span><\/div><div class=\"gs-autolist-item\" itemscope itemprop=\"itemListElement\" itemtype=\"https:\/\/schema.org\/ListItem\"><span class=\"gs-autolist-number\">2<\/span><span class=\"gs-autolist-title\"><meta itemprop=\"name\" content=\"Waarom is dit problematisch?\"\/><a class=\"gs-scrollto\" href=\"#waarom-is-dit-problematisch\">Waarom is dit problematisch?<\/a><\/span><\/div><div class=\"gs-autolist-item gs_sub_heading\" itemscope itemprop=\"itemListElement\" itemtype=\"https:\/\/schema.org\/ListItem\"><span class=\"gs-autolist-number\">2.1<\/span><span 
class=\"gs-autolist-title\"><meta itemprop=\"name\" content=\"1. Securityrisico\u2019s\"\/><a class=\"gs-scrollto\" href=\"#1-securityrisicos\">1. Securityrisico\u2019s<\/a><\/span><\/div><div class=\"gs-autolist-item gs_sub_heading\" itemscope itemprop=\"itemListElement\" itemtype=\"https:\/\/schema.org\/ListItem\"><span class=\"gs-autolist-number\">2.2<\/span><span class=\"gs-autolist-title\"><meta itemprop=\"name\" content=\"2. Ineffici\u00ebntie en vertraging\"\/><a class=\"gs-scrollto\" href=\"#2-inefficientie-en-vertraging\">2. Ineffici\u00ebntie en vertraging<\/a><\/span><\/div><div class=\"gs-autolist-item gs_sub_heading\" itemscope itemprop=\"itemListElement\" itemtype=\"https:\/\/schema.org\/ListItem\"><span class=\"gs-autolist-number\">2.3<\/span><span class=\"gs-autolist-title\"><meta itemprop=\"name\" content=\"3. Geen real-time monitoring\"\/><a class=\"gs-scrollto\" href=\"#3-geen-real-time-monitoring\">3. Geen real-time monitoring<\/a><\/span><\/div><div class=\"gs-autolist-item gs_sub_heading\" itemscope itemprop=\"itemListElement\" itemtype=\"https:\/\/schema.org\/ListItem\"><span class=\"gs-autolist-number\">2.4<\/span><span class=\"gs-autolist-title\"><meta itemprop=\"name\" content=\"4. Slechte schaalbaarheid\"\/><a class=\"gs-scrollto\" href=\"#4-slechte-schaalbaarheid\">4. 
Slechte schaalbaarheid<\/a><\/span><\/div><div class=\"gs-autolist-item\" itemscope itemprop=\"itemListElement\" itemtype=\"https:\/\/schema.org\/ListItem\"><span class=\"gs-autolist-number\">3<\/span><span class=\"gs-autolist-title\"><meta itemprop=\"name\" content=\"Waarom promoten influencers dit?\"\/><a class=\"gs-scrollto\" href=\"#waarom-promoten-influencers-dit\">Waarom promoten influencers dit?<\/a><\/span><\/div><div class=\"gs-autolist-item\" itemscope itemprop=\"itemListElement\" itemtype=\"https:\/\/schema.org\/ListItem\"><span class=\"gs-autolist-number\">4<\/span><span class=\"gs-autolist-title\"><meta itemprop=\"name\" content=\"Wanneer Ansible w\u00e9l gebruiken volgens best practices\"\/><a class=\"gs-scrollto\" href=\"#wanneer-ansible-wel-gebruiken-volgens-best-practices\">Wanneer Ansible w\u00e9l gebruiken volgens best practices<\/a><\/span><\/div><div class=\"gs-autolist-item\" itemscope itemprop=\"itemListElement\" itemtype=\"https:\/\/schema.org\/ListItem\"><span class=\"gs-autolist-number\">5<\/span><span class=\"gs-autolist-title\"><meta itemprop=\"name\" content=\"Wat gebruik je dan wel voor monitoring?\"\/><a class=\"gs-scrollto\" href=\"#wat-gebruik-je-dan-wel-voor-monitoring\">Wat gebruik je dan wel voor monitoring?<\/a><\/span><\/div><div class=\"gs-autolist-item gs_sub_heading\" itemscope itemprop=\"itemListElement\" itemtype=\"https:\/\/schema.org\/ListItem\"><span class=\"gs-autolist-number\">5.1<\/span><span class=\"gs-autolist-title\"><meta itemprop=\"name\" content=\"1. Lightweight agents\"\/><a class=\"gs-scrollto\" href=\"#1-lightweight-agents\">1. Lightweight agents<\/a><\/span><\/div><div class=\"gs-autolist-item gs_sub_heading\" itemscope itemprop=\"itemListElement\" itemtype=\"https:\/\/schema.org\/ListItem\"><span class=\"gs-autolist-number\">5.2<\/span><span class=\"gs-autolist-title\"><meta itemprop=\"name\" content=\"2. Monitoring stacks\"\/><a class=\"gs-scrollto\" href=\"#2-monitoring-stacks\">2. 
Monitoring stacks<\/a><\/span><\/div><div class=\"gs-autolist-item gs_sub_heading\" itemscope itemprop=\"itemListElement\" itemtype=\"https:\/\/schema.org\/ListItem\"><span class=\"gs-autolist-number\">5.3<\/span><span class=\"gs-autolist-title\"><meta itemprop=\"name\" content=\"3. Push-based logging\"\/><a class=\"gs-scrollto\" href=\"#3-push-based-logging\">3. Push-based logging<\/a><\/span><\/div><div class=\"gs-autolist-item gs_sub_heading\" itemscope itemprop=\"itemListElement\" itemtype=\"https:\/\/schema.org\/ListItem\"><span class=\"gs-autolist-number\">5.4<\/span><span class=\"gs-autolist-title\"><meta itemprop=\"name\" content=\"4. Beveiliging\"\/><a class=\"gs-scrollto\" href=\"#4-beveiliging\">4. Beveiliging<\/a><\/span><\/div><div class=\"gs-autolist-item\" itemscope itemprop=\"itemListElement\" itemtype=\"https:\/\/schema.org\/ListItem\"><span class=\"gs-autolist-number\">6<\/span><span class=\"gs-autolist-title\"><meta itemprop=\"name\" content=\"Conclusie\"\/><a class=\"gs-scrollto\" href=\"#conclusie\">Conclusie<\/a><\/span><\/div><\/div><\/div>\n<\/section>\n\n<p>Ansible best practices are crucial for anyone who wants to automate infrastructure safely and efficiently. Although Ansible is a powerful tool, it is important to know when it is suitable and when it is not. In this blog we cover those moments and examine a commonly used example: SSH-based monitoring via Ansible. 
This example is often promoted by influencers in their homelabs, but has pitfalls that you should avoid in production.<\/p>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n<p>[<a href=\"#inhoudsopgave\" data-type=\"internal\" data-id=\"#inhoudsopgave\" rel=\"nofollow\">top<\/a>]<\/p>\n\n<h2 class=\"wp-block-heading\" id=\"wat-is-het-idee-achter-ssh-monitoring-met-ansible\">What is the idea behind SSH monitoring with Ansible?<\/h2>\n\n<p>You see it more and more: influencers on YouTube and other social media channels \u2014 often from their homelab \u2014 show how you can periodically log in to remote systems via SSH with Ansible, combined with cronjobs or schedulers. This approach is presented as easy and quick for basic metrics such as memory and disk usage.<\/p>\n\n<p>It works like this:<\/p>\n\n<ul class=\"wp-block-list\">\n<li>A cronjob on a central machine regularly starts an Ansible playbook.<\/li>\n\n\n\n<li>This playbook connects to various servers via SSH.<\/li>\n\n\n\n<li>Via simple shell commands (<code>free -m<\/code>, <code>df -h<\/code>, <code>uptime<\/code>) system statistics are collected.<\/li>\n\n\n\n<li>The results are logged or shared via email or chat tools.<\/li>\n<\/ul>\n\n<p>Although this seems like an accessible method, it is mainly suitable for small homelabs and not for production environments. It does not meet Ansible best practices, especially in terms of security and scalability.<\/p>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n<p>[<a href=\"#inhoudsopgave\" data-type=\"internal\" data-id=\"#inhoudsopgave\" rel=\"nofollow\">top<\/a>]<\/p>\n\n<h2 class=\"wp-block-heading\" id=\"waarom-is-dit-problematisch\">Why is this problematic?<\/h2>\n\n<h3 class=\"wp-block-heading\" id=\"1-securityrisicos\">1. Security risks<\/h3>\n\n<p>This approach often requires you to use SSH keys without a passphrase, and to give the monitoring user sudo access without a password. 
This opens up major vulnerabilities: because the controller holds passphrase-less keys and passwordless sudo for every managed host, a single compromise of the Ansible controller can mean full access to your infrastructure. This goes against the principles of least privilege and secure automation, core points of Ansible best practices.<\/p>\n\n<h3 class=\"wp-block-heading\" id=\"2-inefficientie-en-vertraging\">2. Inefficiency and delay<\/h3>\n\n<p>SSH connections are relatively heavy due to handshakes and authentication. With dozens or hundreds of systems this can lead to high latencies and delays in data acquisition. The polling frequency is therefore limited, meaning you may miss critical peaks and troughs.<\/p>\n\n<h3 class=\"wp-block-heading\" id=\"3-geen-real-time-monitoring\">3. No real-time monitoring<\/h3>\n\n<p>Monitoring should ideally be continuous and event-driven, based on time series. The SSH pull method only gives snapshots, not continuous insight into trends or deviations. This limits your ability to respond quickly to incidents.<\/p>\n\n<h3 class=\"wp-block-heading\" id=\"4-slechte-schaalbaarheid\">4. Poor scalability<\/h3>\n\n<p>For a handful of servers this method still works, but when growing to dozens or hundreds of systems, problems arise with SSH concurrency, cronjob overlap and managing log files.<\/p>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n<p>[<a href=\"#inhoudsopgave\" data-type=\"internal\" data-id=\"#inhoudsopgave\" rel=\"nofollow\">top<\/a>]<\/p>\n\n<h2 class=\"wp-block-heading\" id=\"waarom-promoten-influencers-dit\">Why do influencers promote this?<\/h2>\n\n<p>The popularity of this approach among influencers is mainly because it is easy to build and demonstrate. A short Ansible playbook and visible terminal output are attractive for tutorials and demos. However, they often do not indicate that this is primarily a homelab solution, where security and scalability are less critical. 
For production environments this is not a best practice.<\/p>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n<p>[<a href=\"#inhoudsopgave\" data-type=\"internal\" data-id=\"#inhoudsopgave\" rel=\"nofollow\">top<\/a>]<\/p>\n\n<h2 class=\"wp-block-heading\" id=\"wanneer-ansible-wel-gebruiken-volgens-best-practices\">When to use Ansible according to best practices<\/h2>\n\n<p>Ansible excels in:<\/p>\n\n<ul class=\"wp-block-list\">\n<li>Configuration management (packages, services, configurations).<\/li>\n\n\n\n<li>Provisioning of infrastructure (cloud, containers).<\/li>\n\n\n\n<li>Orchestration of workflows and multi-step deploys.<\/li>\n\n\n\n<li>One-time or periodic tasks such as updates and patches.<\/li>\n<\/ul>\n\n<p>Use Ansible mainly for declarative, repeatable processes and not for continuous monitoring or polling.<\/p>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n<p>[<a href=\"#inhoudsopgave\" data-type=\"internal\" data-id=\"#inhoudsopgave\" rel=\"nofollow\">top<\/a>]<\/p>\n\n<h2 class=\"wp-block-heading\" id=\"wat-gebruik-je-dan-wel-voor-monitoring\">What should you use for monitoring instead?<\/h2>\n\n<h3 class=\"wp-block-heading\" id=\"1-lightweight-agents\">1. Lightweight agents<\/h3>\n\n<p>Install agents such as Netdata, Node Exporter, Zabbix Agent or Telegraf on your servers. These run with minimal rights and send metrics securely to a central server.<\/p>\n\n<h3 class=\"wp-block-heading\" id=\"2-monitoring-stacks\">2. Monitoring stacks<\/h3>\n\n<p>Build a monitoring environment with tools such as Prometheus + Grafana, Zabbix, Elastic Stack or Netdata Cloud.<\/p>\n\n<h3 class=\"wp-block-heading\" id=\"3-push-based-logging\">3. Push-based logging<\/h3>\n\n<p>Let systems actively send logs and metrics via tools such as Rsyslog, Filebeat or Vector.dev, instead of pulling via SSH.<\/p>\n\n<h3 class=\"wp-block-heading\" id=\"4-beveiliging\">4. 
Security<\/h3>\n\n<p>Ensure monitoring accounts have minimal rights, secure data streams with TLS, also monitor your monitoring infrastructure itself, and restrict dashboard access.<\/p>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n<p>[<a href=\"#inhoudsopgave\" data-type=\"internal\" data-id=\"#inhoudsopgave\" rel=\"nofollow\">top<\/a>]<\/p>\n\n<h2 class=\"wp-block-heading\" id=\"conclusie\">Conclusion<\/h2>\n\n<p>Ansible best practices help you keep automation safe, scalable and reliable. SSH-based monitoring via Ansible, as often shown in homelabs, is only suitable for demos and small-scale setups. For serious production environments, choose specialized monitoring tools and minimize risks by using secure, modern architectures.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Discover in this blog the best practices for using Ansible, including security aspects. Learn when you should and should not use Ansible.<\/p>\n","protected":false},"author":1,"featured_media":983,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_gspb_post_css":".gspb_container-id-gsbp-d15c2ca{flex-direction:column;box-sizing:border-box}#gspb_container-id-gsbp-d15c2ca.gspb_container>p:last-of-type{margin-bottom:0}#gspb_container-id-gsbp-d15c2ca.gspb_container{position:relative}.gs-autolist{margin:15px 0 30px;border:1px solid #dddddd7d}.gs-autolist-item{padding:15px 15px 15px 5px;display:flex;align-items:center}.gs-autolist-title,.gs-autolist-title a{font-size:18px;line-height:24px;text-decoration:none}.gs-autolist-item.gs_sub_heading{padding:10px 15px 10px 35px}#gspb_toc-id-gsbp-754f43d .gs-autolist-item{background-color:var(--wp--preset--color--mantle, #181825)}#gspb_toc-id-gsbp-754f43d .gs-autolist-item:nth-child(2n){background-color:var(--wp--preset--color--base, #1e1e2e)}#gspb_toc-id-gsbp-754f43d .gs-autolist-number{border-radius:50%;color:#fff;margin:0 20px 0 
15px;text-align:center;font-weight:700;color:var(--wp--preset--color--secondary, #fab387);height:25px;line-height:25px;width:25px;font-size:16px;min-width:25px}#gspb_toc-id-gsbp-754f43d .gs_sub_heading .gs-autolist-number{font-size:70%}","footnotes":""},"categories":[70,69,1],"tags":[32,37],"class_list":["post-1082","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-automation","category-best-practices","category-new","tag-best-practices","tag-security"],"_links":{"self":[{"href":"https:\/\/chrisengelhard.nl\/en\/wp-json\/wp\/v2\/posts\/1082","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/chrisengelhard.nl\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/chrisengelhard.nl\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/chrisengelhard.nl\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/chrisengelhard.nl\/en\/wp-json\/wp\/v2\/comments?post=1082"}],"version-history":[{"count":11,"href":"https:\/\/chrisengelhard.nl\/en\/wp-json\/wp\/v2\/posts\/1082\/revisions"}],"predecessor-version":[{"id":1473,"href":"https:\/\/chrisengelhard.nl\/en\/wp-json\/wp\/v2\/posts\/1082\/revisions\/1473"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/chrisengelhard.nl\/en\/wp-json\/wp\/v2\/media\/983"}],"wp:attachment":[{"href":"https:\/\/chrisengelhard.nl\/en\/wp-json\/wp\/v2\/media?parent=1082"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/chrisengelhard.nl\/en\/wp-json\/wp\/v2\/categories?post=1082"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/chrisengelhard.nl\/en\/wp-json\/wp\/v2\/tags?post=1082"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}