2nd Ansible for Network Automation Project


This project treats the network as code. Every device configuration, IP assignment, VLAN, and monitoring target is defined in a source of truth (NetBox) and enforced by Ansible. Changes go through a Git pull-request pipeline that lints and validates them before deployment, and deployed devices are continuously checked for configuration drift. When drift is detected, the platform remediates it automatically, gated on human approval.

I broke it down into 38 parts, each building on the previous one. This is the second iteration of my first Ansible for Network Automation Project.


Network topology

[topology diagram]


Infrastructure Stack

Each service runs on its own dedicated VM, mirroring enterprise isolation practices. Every service integrates with NetBox for device data and FreeIPA for authentication.

Service | Purpose | Integration
NetBox | Source of truth (IPAM, DCIM) | Dynamic inventory for Ansible, service discovery for monitoring
Gitea | Self-hosted Git with branch protection | PR pipeline, Oxidized config backend, AWX project source
AWX | Automation controller | Job scheduling, RBAC, webhook-triggered deployments
Zabbix | Network monitoring (SNMP) | Auto-discovers devices from NetBox
Prometheus + Grafana | Metrics and dashboards | Node exporter on all VMs, NetBox service discovery
Graylog + OpenSearch | Centralized log management | Syslog over TLS, NetBox enrichment, alerting
Oxidized | Config backup and versioning | Gitea backend, diff-on-change alerts
FreeIPA | Centralized identity and SSO | LDAP backend for TACACS+, SSO for all web UIs
step-ca | Internal PKI | TLS for syslog, HTTPS endpoints, ACME renewal
Batfish | Offline config analysis | Pre-change validation in the CI/CD pipeline
pyATS / Genie | Live network validation | Post-change verification, health snapshots
Ansible EDA | Event-driven automation | Closed-loop remediation triggered by Graylog

Key Capabilities

Intent-based configuration

Device configs are generated from Jinja2 templates driven by NetBox data. Changing an interface description in NetBox and running the playbook updates the device; the network conforms to the source of truth, never the other way round.

Dynamic inventory

There is no static hosts file. The NetBox inventory plugin queries the NetBox API at run time and builds the inventory from device records, platform assignments, and primary IP addresses. Bringing a device under automation means registering it in NetBox.

Structured IPAM

A 10.33.0.0/16 supernet in which the third octet encodes function: 0 for loopbacks, 1 for point-to-point links, and 10 or above for the VLAN ID (so VLAN 20 lives under 10.33.20.x). All addressing is managed in NetBox IPAM, which is populated via Ansible.
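The addressing scheme is simple enough to be checked mechanically, which is what makes it useful: any address in NetBox can be derived from, or audited against, the function it serves. The following is an added example, not code from the project. Only the third-octet scheme comes from the page; the one-/24-per-function split, the /32 loopback rule, and the sample records are assumptions made for the example.

```python
"""Derive and audit addresses under the 10.33.0.0/16 plan.

Added example, not part of the project's playbooks. Only the scheme (third
octet: 0 = loopbacks, 1 = P2P links, 10+ = VLAN ID) comes from the page; the
/24-per-function split, the /32 loopback rule and the sample records are
assumptions made for the example.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

SUPERNET = ipaddress.ip_network("10.33.0.0/16")
LOOPBACK_OCTET = 0
P2P_OCTET = 1
MIN_VLAN = 10
MAX_VLAN = 255  # the third octet is one byte, so VLAN IDs above 255 do not fit the scheme


def plan_prefix(kind: str, vlan_id: Optional[int] = None) -> ipaddress.IPv4Network:
    """Return the /24 the plan reserves for a function (assumed: one /24 per third-octet value)."""
    if kind == "loopback":
        third = LOOPBACK_OCTET
    elif kind == "p2p":
        third = P2P_OCTET
    elif kind == "vlan":
        if vlan_id is None or not MIN_VLAN <= vlan_id <= MAX_VLAN:
            raise ValueError(f"VLAN ID {vlan_id} cannot be encoded in the third octet")
        third = vlan_id
    else:
        raise ValueError(f"unknown kind {kind!r}")
    return ipaddress.ip_network(f"10.33.{third}.0/24")


def classify(address: str) -> Tuple[str, Optional[int]]:
    """Map an address (with or without prefix length) back to its role under the plan."""
    ip = ipaddress.ip_interface(address).ip
    if ip not in SUPERNET:
        raise ValueError(f"{ip} is outside {SUPERNET}")
    third = (int(ip) >> 8) & 0xFF
    if third == LOOPBACK_OCTET:
        return "loopback", None
    if third == P2P_OCTET:
        return "p2p", None
    if third >= MIN_VLAN:
        return "vlan", third
    return "reserved", None  # third octets 2..9 are not assigned by the scheme


def audit(records: List[Dict[str, str]]) -> List[str]:
    """Check NetBox-style IP records ({device, interface, address}) against the plan.

    Returns human-readable findings; an empty list means every record conforms.
    """
    findings = []
    for rec in records:
        iface = ipaddress.ip_interface(rec["address"])
        role, vlan = classify(rec["address"])
        name, where = rec["interface"], f"{rec['device']} {rec['interface']}"
        if name.lower().startswith("loopback"):
            if role != "loopback" or iface.network.prefixlen != 32:
                findings.append(f"{where}: {iface} must be a /32 inside {plan_prefix('loopback')}")
        elif name.lower().startswith("vlan"):
            want = int(name[4:])
            if role != "vlan" or vlan != want:
                findings.append(f"{where}: {iface} does not sit in the VLAN {want} block")
        elif role == "reserved":
            findings.append(f"{where}: {iface} uses a third octet the plan does not assign")
    return findings


# Constructed records in the shape of NetBox ipam.ip_address objects (not real project data).
SAMPLE_RECORDS = [
    {"device": "leaf1", "interface": "Loopback0", "address": "10.33.0.11/32"},
    {"device": "leaf1", "interface": "Vlan20", "address": "10.33.20.1/24"},
    {"device": "leaf2", "interface": "Vlan20", "address": "10.33.30.1/24"},    # VLAN 20 SVI in VLAN 30's block
    {"device": "leaf2", "interface": "Loopback0", "address": "10.33.0.12/24"},  # loopback with a /24 mask
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RECORDS) or ["all records conform to the plan"]:
        print(finding)
```

Run against a real NetBox export, the audit doubles as a reconciliation check: a record that fails it is either a typo in IPAM or a device that was addressed by hand, and either way it should be fixed in NetBox before the playbook runs, not on the device.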

Multi-vault secrets

Three vault IDs separate trust boundaries: network device credentials, infrastructure service credentials, and PKI material. Pre-commit hooks block plaintext secrets and unencrypted vault files from ever reaching Git.
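A hook that only checks for the `$ANSIBLE_VAULT` header misses the more interesting failure: a PKI vault that was accidentally encrypted with the network vault ID, which silently collapses two trust boundaries into one. The check below is an added example and not the project's own hook; the vault ID labels (network, infra, pki), the directory layout, and the sample file contents are assumptions constructed for the example.

```python
"""Pre-commit check for a multi-vault repository.

Added example, not the project's own hook. It enforces two rules on staged files:
a vault file must be encrypted under the vault ID that owns its trust boundary,
and no other YAML file may carry a plaintext secret value. The vault ID labels
(network, infra, pki), the paths and the sample contents are assumptions
constructed for the example.
"""
import re
import sys
from typing import Dict, List

# Assumed layout: one whole-file vault per trust boundary, encrypted with its own vault ID.
VAULT_ID_BY_PATH = {
    "group_vars/network/vault.yml": "network",
    "group_vars/infra/vault.yml": "infra",
    "group_vars/pki/vault.yml": "pki",
}

# Header Ansible writes on encrypted files: format 1.1 has no label, 1.2 carries the vault ID.
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;(?P<ver>1\.[12]);AES256(?:;(?P<label>[^\s;]+))?\s*$")

# YAML keys whose values must be vaulted or templated, never literal (deliberately broad).
SECRET_KEY = re.compile(
    r"^\s*(?P<key>[A-Za-z0-9_]*(?:password|secret|token|private_key)[A-Za-z0-9_]*)\s*:\s*(?P<val>\S.*)$",
    re.IGNORECASE,
)


def check_file(path: str, text: str) -> List[str]:
    """Return findings for one file; an empty list means it may be committed."""
    findings: List[str] = []
    lines = text.splitlines()
    header = VAULT_HEADER.match(lines[0]) if lines else None
    expected = VAULT_ID_BY_PATH.get(path)

    if expected is not None:
        if header is None:
            findings.append(f"{path}: must be an Ansible Vault file, found plaintext")
        elif header.group("label") != expected:
            found = header.group("label") or "(no vault ID)"
            findings.append(f"{path}: encrypted with vault ID {found}, expected {expected}")
        return findings

    if header is not None:
        return findings  # an encrypted file elsewhere is opaque to us and therefore fine

    for lineno, line in enumerate(lines, 1):
        m = SECRET_KEY.match(line)
        if m is None:
            continue
        val = m.group("val").strip().strip("'\"")
        if val.startswith("!vault") or val.startswith("{{"):
            continue  # inline-vaulted value, or a lookup into a vaulted variable
        findings.append(f"{path}:{lineno}: plaintext value for {m.group('key')}")
    return findings


def check_all(files: Dict[str, str]) -> List[str]:
    """Run check_file over a {path: contents} mapping and flatten the findings."""
    return [f for path, text in files.items() for f in check_file(path, text)]


# Constructed staged files; the hex-looking vault bodies are placeholders, not real ciphertext.
SAMPLE_FILES = {
    "group_vars/network/vault.yml": "$ANSIBLE_VAULT;1.2;AES256;network\n39363136363233\n",
    "group_vars/infra/vault.yml": "$ANSIBLE_VAULT;1.2;AES256;network\n62653763383536\n",  # wrong boundary
    "group_vars/pki/vault.yml": "step_ca_password: hunter2\n",                             # never encrypted
    "host_vars/leaf1.yml": (
        "ansible_user: automation\n"
        "ansible_password: '{{ vault_network_password }}'\n"
        "tacacs_secret: s3cr3t\n"
    ),
}

if __name__ == "__main__":
    # pre-commit passes the staged paths as arguments; with none, run on the constructed sample.
    if len(sys.argv) > 1:
        staged = {p: open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:]}
    else:
        staged = SAMPLE_FILES
    problems = check_all(staged)
    print("\n".join(problems) if problems else "no plaintext secrets or mis-keyed vaults")
    sys.exit(1 if problems else 0)
```

Wired in as a `repo: local` hook with `language: system` and a `files: \.ya?ml$` filter, the script receives the staged paths as arguments and its non-zero exit aborts the commit. The key pattern is intentionally broad and will flag harmless keys such as `password_policy`; a false positive costs a moment of review, a false negative costs a credential.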

GitOps change pipeline

Feature branch ➦ PR in Gitea ➦ Ansible lint ➦ Batfish analysis ➦ Peer review ➦ Merge ➦ AWX webhook ➦ Playbook run ➦ pyATS validation ➦ Oxidized backup

Self-healing loop

Drift detected ➦ Graylog alert ➦ EDA rulebook ➦ AWX workflow ➦ Approval gate ➦ Remediation ➦ Backup + verify
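The first link in that loop, and the drift detection listed under Phase 4, both depend on one comparison: the intended configuration rendered from NetBox against what the device is actually running (pulled live, or taken from the latest Oxidized backup). A naive line diff gets this wrong in two ways: it reports timestamps and byte counts as drift, and it cannot tell whether a repeated line such as ` description uplink` moved from one interface to another. The following is an added example, not the project's playbook or EDA rulebook; the IOS-style configs are constructed, and the list of sections treated as security-relevant is an assumption made for the example.

```python
"""Drift detection between intended configuration (rendered from the source of
truth) and running configuration (pulled live or from the latest backup).

Added example, not the project's own playbook or rulebook. The IOS-style configs
are constructed, and the sections treated as security-relevant are an assumption.
"""
import re
from typing import Dict, List, Set, Tuple

# Lines that change on every pull and must never be reported as drift.
VOLATILE = (
    re.compile(r"^Building configuration"),
    re.compile(r"^Current configuration : \d+ bytes"),
    re.compile(r"^! (Last configuration change|No configuration change|NVRAM config last updated)"),
    re.compile(r"^ntp clock-period "),
)

# Top-level sections where any drift is treated as a security event (assumed list).
SECURITY_SECTIONS = ("aaa ", "username ", "ip access-list", "line vty", "snmp-server", "crypto ", "control-plane")

Path = Tuple[str, ...]


def flatten(config: str) -> Set[Path]:
    """Turn an indentation-structured config into a set of (ancestor..., line) paths.

    Keying each line by its parent section keeps ' description x' under one
    interface distinct from the same line under another.
    """
    paths: Set[Path] = set()
    stack: List[Tuple[int, str]] = []  # (indent, text) of the current ancestry
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!" or any(p.match(line) for p in VOLATILE):
            continue
        indent = len(line) - len(line.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, line.strip()))
        paths.add(tuple(text for _, text in stack))
    return paths


def detect_drift(intended: str, running: str) -> Dict[str, object]:
    """Report config only on the device (extra), only in intent (missing), and a severity."""
    want, have = flatten(intended), flatten(running)
    missing = sorted(" / ".join(p) for p in want - have)
    extra = sorted(" / ".join(p) for p in have - want)
    if not missing and not extra:
        severity = "none"
    elif any(p[0].startswith(SECURITY_SECTIONS) for p in want ^ have):
        severity = "security"  # ACL, vty, AAA drift: raise it now, not at the next scheduled run
    else:
        severity = "config"
    return {"missing": missing, "extra": extra, "severity": severity}


# Constructed configs: what NetBox + Jinja2 intend versus what someone changed by hand.
INTENDED = """\
hostname leaf1
!
interface GigabitEthernet1
 description P2P to spine1
 ip address 10.33.1.1 255.255.255.254
!
ip access-list standard MGMT-ACL
 permit 10.33.10.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-ACL in
 transport input ssh
"""

RUNNING = """\
Building configuration...

Current configuration : 1843 bytes
!
! Last configuration change at 02:14:11 UTC Sat Mar 1 2025
!
hostname leaf1
!
interface GigabitEthernet1
 description P2P to spine1 (temp)
 ip address 10.33.1.1 255.255.255.254
!
ip access-list standard MGMT-ACL
 permit 10.33.10.0 0.0.0.255
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-ACL in
 transport input ssh telnet
"""

if __name__ == "__main__":
    report = detect_drift(INTENDED, RUNNING)
    print(f"severity: {report['severity']}")
    for key in ("missing", "extra"):
        for item in report[key]:
            print(f"  {key}: {item}")
```

The severity field is what an EDA rulebook condition would branch on: a `config` drift can wait for the approval gate in the scheduled remediation workflow, while a `security` drift such as the extra ACL entry and the re-enabled telnet above is the kind of finding that justifies paging the approver immediately.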

Security Practices
Ansible Vault with multiple vault IDs per trust boundary
Pre-commit hooks blocking plaintext secrets and unencrypted vault files
Branch protection with required PR approval
Passphrase-protected Ed25519 SSH keys with ssh-agent
TACACS+ with FreeIPA LDAP backend
Internal CA (step-ca) with ACME certificate automation
Signed commits, secrets scanning, SBOM generation
SSH hardening, control plane policing, management ACLs

Screenshots
Grafana: Fabric health

Unified dashboard with device availability, interface utilization, and BGP session states.

Screenshot pending

NetBox: Device inventory

All 8 devices with sites, roles, platforms, and primary IPs populated.

Screenshot pending

AWX: Workflow execution

Multi-step workflow with validation, deployment, and approval gates.

Screenshot pending

Gitea: PR with CI checks

Pull request showing lint, syntax, and pre-change analysis passing.


Build Sequence
Phase 1

Foundation

Control node, Gitea, Ansible Vault, Containerlab with first devices, playbook fundamentals, Jinja2 deep dive, reusable roles.

Parts 01–06
Phase 2

The Network Fabric

NetBox as source of truth, IPAM plan, multi-vendor automation (IOS-XE, NX-OS, PAN-OS), BGP fabric, VM provisioning, monitoring, config backup.

Parts 07–15
Phase 3

Network Services

BGP/OSPF production patterns, FreeIPA, TACACS+, security hardening, internal PKI, DNS/NTP, centralized logging, traffic flow visibility, unified observability.

Parts 16–25
Phase 4

Automation Platform

AWX controller, GitOps pipeline, Batfish pre-change analysis, pyATS live validation, Molecule role testing, CI/CD hardening, drift detection, NetBox reconciliation.

Parts 26–34
Phase 5

Advanced Automation

AWX workflows with approval gates, Event-Driven Ansible, closed-loop self-healing, full-stack rebuild from scratch.

Parts 35–38

Technologies

AUTOMATION

Ansible
Ansible Vault
AWX
Ansible EDA
Jinja2
Molecule

NETWORK PLATFORMS

Cisco IOS-XE
Cisco NX-OS
Palo Alto PAN-OS
BGP
OSPF
TACACS+

INFRASTRUCTURE

NetBox
Containerlab
Proxmox VE
Docker
FreeIPA
step-ca

OBSERVABILITY

Zabbix
Prometheus
Grafana
Graylog
OpenSearch
ntopng
Oxidized

DEVOPS

Git
Gitea
GitOps
CI/CD
Batfish
pyATS
Netdisco

LANGUAGES

Python
YAML
Jinja2
Bash
REST APIs

Last updated on • Ernesto Diaz