AnsiblePilot — Master Ansible Automation

AnsiblePilot is the leading resource for learning Ansible automation, DevOps, and infrastructure as code. Browse over 1,400 tutorials covering Ansible modules, playbooks, roles, collections, and real-world examples. Whether you are a beginner or an experienced engineer, our step-by-step guides help you automate Linux, Windows, cloud, containers, and network infrastructure.

Popular Topics

About Luca Berton

Luca Berton is an Ansible automation expert, author of 8 Ansible books published by Apress and Leanpub including "Ansible for VMware by Examples" and "Ansible for Kubernetes by Example", and creator of the Ansible Pilot YouTube channel. He shares practical automation knowledge through tutorials, books, and video courses to help IT professionals and DevOps engineers master infrastructure automation.

Ansible on ChromeOS Backend Infrastructure Automation Complete Guide

By Luca Berton · Published 2024-01-01 · Category: installation

Automate ChromeOS / Chromebook backend infrastructure with Ansible: Google Admin SDK, kiosk app delivery servers, MDM-adjacent automation, supporting infra.

You don't manage ChromeOS / Chromebooks with Ansible directly — they are sealed, Google-managed devices controlled via the Google Admin Console and Chrome Enterprise policies. But almost every ChromeOS deployment relies on Linux backend infrastructure: web app backends, kiosk content servers, identity providers (SAML/OIDC), VPN gateways, and tooling that calls the Google Admin SDK / Directory API. This is the master Ansible guide for ChromeOS supporting infrastructure.

What "ChromeOS automation" really means

| Layer | Ansible role | |---|---| | ChromeOS device | Not a target — managed via Google Admin Console | | Chrome Enterprise policy | Use Admin SDK API from playbooks | | Web/PWA backend | First-class Ansible target | | Kiosk content/sync server | First-class Ansible target | | VPN/SAML/OIDC supporting infra | First-class Ansible target | | Crostini (Linux-on-ChromeOS) builds | Build the container images via Ansible |

See also: Ansible AWS: Complete Guide to Cloud Automation (2026)

Ansible-core compatibility

Use ansible-core 2.18 LTS with community.general, ansible.builtin.uri, community.docker, kubernetes.core.

Web app backend deployment

- name: Deploy ChromeOS-targeted PWA backend
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Helm release
      kubernetes.core.helm:
        kubeconfig: ~/.kube/config
        name: chromeos-pwa-api
        chart_ref: ./charts/pwa-api
        release_namespace: prod
        create_namespace: true
        values:
          image:
            repository: registry.example.com/pwa-api
            tag: "1.5.0"
          ingress:
            host: pwa.example.com
            tls: true

See also: Ansible Become: Privilege Escalation with sudo, su & runas (Complete Guide)

Kiosk content server (nginx)

- name: Provision kiosk content host
  hosts: kiosk_servers
  become: true
  tasks:
    - name: Install nginx
      ansible.builtin.apt:
        name: nginx
        state: present
        update_cache: true

- name: Push kiosk static bundle
      ansible.builtin.unarchive:
        src: dist/kiosk-bundle.tar.gz
        dest: /var/www/kiosk
        creates: /var/www/kiosk/index.html


- name: Vhost
      ansible.builtin.template:
        src: kiosk.nginx.conf.j2
        dest: /etc/nginx/sites-available/kiosk
      notify: Reload nginx


- name: Enable
      ansible.builtin.file:
        src: /etc/nginx/sites-available/kiosk
        dest: /etc/nginx/sites-enabled/kiosk
        state: link
      notify: Reload nginx


handlers:
    - name: Reload nginx
      ansible.builtin.service:
        name: nginx
        state: reloaded

Push policy via Google Admin SDK

- name: Set Chrome OS device policy via Admin SDK
  hosts: localhost
  gather_facts: false
  vars:
    org_unit: "/Devices/Kiosks"
    google_oauth_token: "{{ vault_google_oauth_token }}"
  tasks:
    - name: Move device to OU
      ansible.builtin.uri:
        url: "https://admin.googleapis.com/admin/directory/v1/customer/my_customer/devices/chromeos/{{ device_id }}/action"
        method: POST
        headers:
          Authorization: "Bearer {{ google_oauth_token }}"
          Content-Type: application/json
        body_format: json
        body:
          action: "deprovision"
        status_code: 200

See also: Ansible check_mode: Dry Run & Test Playbooks Without Making Changes

SAML IdP backend (Keycloak)

- name: Provision Keycloak as SAML IdP for ChromeOS
  hosts: idp_servers
  become: true
  tasks:
    - name: Run Keycloak container
      community.docker.docker_container:
        name: keycloak
        image: quay.io/keycloak/keycloak:26.0
        state: started
        restart_policy: always
        published_ports: ["8443:8443"]
        env:
          KC_HOSTNAME: idp.example.com
          KC_HTTPS_CERTIFICATE_FILE: /etc/keycloak/tls/tls.crt
          KC_HTTPS_CERTIFICATE_KEY_FILE: /etc/keycloak/tls/tls.key
          KEYCLOAK_ADMIN: admin
          KEYCLOAK_ADMIN_PASSWORD: "{{ vault_kc_admin }}"
        command: start --optimized
        volumes:
          - /etc/keycloak/tls:/etc/keycloak/tls:ro

Crostini container image build

- name: Build Crostini-friendly Debian image
  hosts: image_builders
  become: true
  tasks:
    - name: Build dev container with debootstrap
      ansible.builtin.command: >
        debootstrap --arch=amd64 bookworm /opt/crostini/rootfs http://deb.debian.org/debian
      args:
        creates: /opt/crostini/rootfs/etc/os-release

- name: Tar it up for distribution
      ansible.builtin.archive:
        path: /opt/crostini/rootfs
        dest: /opt/crostini/crostini-dev.tar.gz
        format: gz

Best practices

• Manage ChromeOS policy via Admin SDK API from Ansible — version-control the JSON payloads. • Treat kiosk/web backends like any other Linux fleet; standard playbook patterns apply. • Use OAuth service accounts with domain-wide delegation for Admin SDK calls; never user passwords. • For Crostini dev images, build with Ansible + debootstrap, sign, and host on internal HTTPS.

Conclusion

ChromeOS itself is sealed, but the infrastructure around it — PWA backends, kiosk servers, IdP, Admin SDK callers, Crostini images — is fully Ansible-automatable. Use kubernetes.core, community.docker, and ansible.builtin.uri against Google APIs to bring ChromeOS deployments under unified Ansible-driven operations.

Category: installation

Browse all Ansible tutorials · AnsiblePilot Home