Ansible is a tool used to automate software provisioning, configuration management, and application deployment. It offers several advantages over similar IT automation tools: it is minimal in nature, and you don't need to install anything on the servers you're deploying to (except Python 2).


To easily manage (deploy new instances of or update) your OpenSRP, Keycloak, OpenMRS, and DHIS2 servers, you would require Ansible to automate the deployment process. The opensrp-playbooks provided here are meant to facilitate that process. All you need to do is clone the opensrp-playbooks repository, define your inventories based on your DevOps clients and development environments (staging, production or preview), and then run the playbooks to install the servers. The repository uses Ansible's recommended alternative directory layout.

For local "dev" deployments, you will need to install VirtualBox. You will also need the vault password used to encrypt sensitive info inside the sample inventory available in the repo, and you will need to create host_vars and group_vars to match your setup.


  1. Create a sudo user (a user with admin rights) called ubuntu and ensure that the user has the NOPASSWD config in `/etc/sudoers` (you can refer to the command used below on Vagrant #3).

  2. On the host, install openssh-server to enable ssh connections and make it possible to ssh using the root account; otherwise you will need an account with administrative privileges to run the playbooks.

    On Ubuntu or any Debian distro you can install it using this command:

    $ sudo apt install openssh-server

  3. Finally, ensure you can access the server through ssh ubuntu@vm-ip-address (you can get the vm-ip-address of the VM by running ifconfig on the host terminal). If it asks for a password, kindly disable it by running:

    $ sudo sed -i 's/prohibit-password/yes/' /etc/ssh/sshd_config
    $ sudo service ssh restart
  • Vagrant: 

    Vagrant is a tool for building and managing virtual machine environments in a single workflow. You can download it from here. Below is a Vagrantfile that can get you up and running.

# -*- mode: ruby -*-
# vi: set ft=ruby :
# All Vagrant configuration is done below. The "2" in Vagrant.configure
# configures the configuration version (we support older styles for
# backwards compatibility). Please don't change it unless you know what
# you're doing.
Vagrant.configure("2") do |config|
  config.vm.box = "hashicorp/bionic64"
  config.vm.network "private_network", ip: "" #replace with any private ip available
  config.vm.provision "shell", inline: <<-SHELL
    apt-get update
    apt-get install -y cloud-init python3 python3-psycopg2
    useradd -s /bin/bash -m -p $(openssl passwd -1 <specify-password-for-ubuntu-user>) ubuntu  #1
    usermod -s /bin/bash -aG sudo ubuntu                             #2
    sudo sed -i -e '$a\\ubuntu  ALL=(ALL) NOPASSWD:ALL' /etc/sudoers #3
  SHELL
end
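
To confirm what the two host changes above actually did, the following added example (not part of the original page or of opensrp-playbooks) reads copies of sshd_config and sudoers and reports the effective PermitRootLogin value and any passwordless sudo rules. The function names and sample files are constructed for illustration; the script also applies the page's sed substitution to the copies, showing that a commented-out line is rewritten without changing the effective setting.

```shell
#!/bin/sh
# Added example: audit copies of sshd_config and sudoers after the host setup.

# Effective global PermitRootLogin: sshd keeps the first value it reads,
# keywords are case-insensitive, comments are ignored, and OpenSSH defaults
# to prohibit-password when the keyword is not set before any Match block.
effective_permit_root_login() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "prohibit-password" }
    ' "$1"
}

# Users or groups that hold a passwordless sudo rule in a sudoers file.
nopasswd_entries() {
    grep -v '^[[:space:]]*#' "$1" | awk '/NOPASSWD:/ { print $1 }'
}

# Constructed sample files (not taken from a real host).
demo_dir=$(mktemp -d)
printf '%s\n' 'Port 22' 'PermitRootLogin prohibit-password' \
    'PasswordAuthentication yes' > "$demo_dir/sshd_active"
printf '%s\n' 'Port 22' '#PermitRootLogin prohibit-password' \
    > "$demo_dir/sshd_commented"
printf '%s\n' '# constructed sudoers' 'root ALL=(ALL:ALL) ALL' \
    '%sudo ALL=(ALL:ALL) ALL' 'ubuntu  ALL=(ALL) NOPASSWD:ALL' \
    > "$demo_dir/sudoers"

# Apply the same substitution as the page's sed command, on the copies only.
for f in sshd_active sshd_commented; do
    sed 's/prohibit-password/yes/' "$demo_dir/$f" > "$demo_dir/$f.new"
    echo "$f: $(effective_permit_root_login "$demo_dir/$f")" \
         "-> $(effective_permit_root_login "$demo_dir/$f.new")"
done
echo "passwordless sudo: $(nopasswd_entries "$demo_dir/sudoers")"
```

On a real host, `sshd -T` run as root prints the effective configuration directly.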


  1. Git clone the opensrp-playbooks from this link: OpenSrp playbooks. Then switch to the opensrp-playbooks directory you just cloned.

    $ git clone --recursive && cd playbooks
  2. Setup a python virtual environment:

    1. Kindly follow the steps here

    2. Create a virtual environment called opensrp.

    3. Switch to opensrp environment by typing:

        $ workon opensrp
      2. Add the following line to the end of ~/.bashrc on your machine ... Ensure you update <python-version> with the version of Python running on your machine.

          export ANSIBLE_STRATEGY_PLUGINS=~/.virtualenvs/opensrp/lib/python<python-version>/site-packages/ansible_mitogen/plugins/strategy #Update <python-version>
      3. Run the following command while on the virtual environment

          $ python --version

          Confirm that your active Python version is 3.

          $ pip install -r requirements/base.pip
          $ ansible-galaxy role install -r requirements/ansible-galaxy.yml -p ~/.ansible/roles/opensrp
          $ ansible-galaxy collection install -r requirements/ansible-galaxy.yml -p ~/.ansible/collections/opensrp

          Opensrp-playbooks requires some modules from ansible-galaxy. The modules are specified in the requirements.yml file. Refer to this link for more information on ansible-galaxy: ansible-galaxy documentation

          You need to run the two commands above before running any playbooks to install the required modules.

  3. If you have not created the inventory yet, kindly execute the commands below in the root of the opensrp-playbooks directory.

      $ ./scripts/ opensrp-app-servers demo staging
      $ ./scripts/ openmrs-app-servers demo staging
      $ ./scripts/ mysql demo staging
      $ ./scripts/ all demo staging
      $ ./scripts/ opensrp-redis-servers demo staging
      $ ./scripts/ opensrp-postgresql-servers demo staging
      $ ./scripts/ keycloak-app-servers demo staging
  4. Add the host_vars directory and hosts file from the following directory: sample-inventories/inventory-a

    1. ansible_host: "<vm-ip-address>"

  6. Finally, add a files directory with a pgp directory containing gpg keys like so:


$ ansible-playbook -i inventories/demo/staging setup-server.yml --vault-password-file=[local path to the file holding the vault password] --skip-tags nginx,certbot
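
Every playbook run on this page reads the vault password from a local file, so it is worth checking that file before the first run. The script below is an added example, not part of opensrp-playbooks; the function name `check_vault_password_file` and the temporary demo layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: preflight check for the file passed to --vault-password-file.
# Prints the first problem found and returns 1; prints "ok" and returns 0
# when the file is fine. Arguments: <password file> <playbooks checkout>.
check_vault_password_file() {
    file=$1
    repo=$2
    [ -f "$file" ] || { echo "not a regular file"; return 1; }
    [ -s "$file" ] || { echo "empty"; return 1; }
    # ls -ld mode string, e.g. -rw-------: character 4 is owner-execute,
    # characters 5-10 are the group and other permission bits.
    mode=$(ls -ld "$file" | cut -c1-10)
    case $mode in
        # Ansible runs an executable vault password file as a script and
        # uses its output, so a plain password file must not be executable.
        ???x*) echo "executable"; return 1 ;;
        ????------) ;;
        *) echo "accessible to group or other"; return 1 ;;
    esac
    # Keep the secret outside the cloned playbooks directory so it cannot be
    # committed or copied along with the repository.
    file_dir=$(cd "$(dirname "$file")" && pwd -P)
    repo_dir=$(cd "$repo" && pwd -P)
    case $file_dir/ in
        "$repo_dir"/*) echo "inside repository"; return 1 ;;
    esac
    echo "ok"
}

# Constructed demo layout: a stand-in checkout and candidate password files.
tmp=$(mktemp -d)
mkdir "$tmp/playbooks" "$tmp/secrets"
for name in good open script; do
    echo 'constructed-secret' > "$tmp/secrets/$name"
done
echo 'constructed-secret' > "$tmp/playbooks/in_repo"
chmod 600 "$tmp/secrets/good" "$tmp/playbooks/in_repo"
chmod 644 "$tmp/secrets/open"
chmod 700 "$tmp/secrets/script"
for f in secrets/good secrets/open secrets/script playbooks/in_repo secrets/missing; do
    echo "$f: $(check_vault_password_file "$tmp/$f" "$tmp/playbooks")"
done
```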


In inventories/demo/staging/group_vars/opensrp-app-servers/vars.yml:

# Update these if you have a domain to use.
# update with the opensrp version tag/branch you need to deploy
opensrp_version: "v2.1"
# for opensrp_version version v2.2 you have to add the below
# keycloak configs

In inventories/demo/staging/group_vars/mysql/vars.yml:

mysql_backup_gpg_dir: "{{ all_gpg_dir }}"

Keycloak (for opensrp server web v2.2.* and above)

Run the following command to start the Keycloak playbook in your local staging environment (ensure keycloak-app-servers is in your hosts file):

$ ansible-playbook -i inventories/demo/staging deploy-keycloak.yml --vault-password-file=[local path to the file holding the vault password] --skip-tags nginx


You will need the following for your local stage setup:

In inventories/demo/staging/group_vars/opensrp-app-servers/vars.yml:

# Update these if you have a domain to use.
certs_from_letsencrypt: false
opensrp_nginx_sites: []
opensrp_nginx_enabled_sites: false

OpenSRP has Spring Maven profiles; kindly enable the ones you need:

The defaults are:

- postgres
- jedis
- basic_auth # this can be replaced with oauth2 to use keycloak or spring authentication server with openmrs

The other available profiles are openmrs-sync, dhis2-sync, rabbitmq, rapidpro, lettuce, dhis2-sync-vaccine-tracker and more

To use OpenMRS one has to use v2.1* tags.

Run the following command to start the OpenSRP playbook in your local staging environment:

$ ansible-playbook -i inventories/demo/staging deploy-opensrp.yml --vault-password-file=[local path to the file holding the vault password] --skip-tags nginx


In inventories/demo/staging/group_vars/opensrp-postgresql-servers/vars.yml:

opensrp_postgres_enable_ssl: false
postgresql_enable_ssl: false
postgresql_backup_enabled: false

Run the following command to start the DHIS OpenSRP playbook in your local staging environment:

$ ansible-playbook -i inventories/demo/staging deploy-opensrp.yml --vault-password-file=[local path to the file holding the vault password] --skip-tags nginx


Run the following command to start the DHIS playbook in your local staging environment (ensure keycloak-app-servers is in your hosts file):

$ ansible-playbook -i inventories/demo/staging deploy-dhis.yml --vault-password-file=[local path to the file holding the vault password] --skip-tags nginx


When running the playbooks with a user other than root (since ssh using the root account is not recommended), you need to add this extra option

