Re: [bitfolk] Configuration management systems

Author: Ed Neville
To: Ross Younger
CC: users
Subject: Re: [bitfolk] Configuration management systems
Hello Ross,

On 2021-11-21 22:09+1300, Ross Younger via users wrote:
> I always meant to get my head around Ansible (or Chef, or Puppet) for
> my VPS based on recommendations on this very list. Sadly I have not
> yet got round to it, and I suddenly find I have a need for something
> of this ilk at work.
The short version is, they're like glorified Makefiles, only proceeding
with other bits if the first bit succeeds.

> My use case is a single Linux instance, on-prem. (No fleet, no cloud,
> no VMs or containers planned.) It's to provide internal services for
> an office network: DHCP, DDNS, maybe NAS, maybe print accounting,
> maybe firewall/router/IDS, maybe apt cache or other proxies.
For a single instance, you can use Ansible against the localhost. I do
something like this for that:

$ ansible-playbook -i localhost, -c local -b playbook_file.yaml

> I think what I want is infrastructure-as-code:
>
> * Config files (/etc) under revision control with convenient automated
> backup
Well, git is what most people use, but use what you're happy with. I
tend to put these in a tree in say, /home/ed/git/config/etc, then push
that to the remote places with Ansible, one way or another rather than
put /etc under version control itself.

> * All superuser actions are fully logged and replayable (fire drill:
> complete reimage from scratch)
> * Nobody gets direct sudo access, but I can give out admin access via the
> config management tool.
Promotional warning, 'please' exists too, thoughts welcomed :)

<https://gitlab.com/edneville/please>

> I've had root shells for about 25 years now but I'm new to thinking
> deeply about IaC. I would be grateful for feedback:
>
> - is what I think I want reasonable and achievable? (what are the gotchas?)
I prefer the design of Ansible: things start off in an area of high
privilege and trickle down into areas of doubt and lower security. In
the Puppet model, lower privilege and lower trust areas connect into the
areas of higher trust, the area that keeps all the secrets. I don't like
that much and there have been issues due to this design. It is more
popular, though I will always fight the corner of Ansible, as I prefer the
way that the high trust area initiates communication with the lower trust.

> - am I on the right track by looking at Ansible/Chef/Puppet and do any of
> them particularly suit my use case? Are the paid-for versions worth paying
> for?
Ansible can work in a stand-alone environment without /much/ work.

> - is there a useful noobs guide?
I think I have an idea of what you're trying to do, maybe this helps, in
my search bubble there were usage examples from others, which might
match what you're trying to do:

<https://www.google.com/search?q=ansible-playbook+localhost>

Ed
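As an added illustration of the approach Ed describes (a localhost run with become, pushing files out of a version-controlled tree rather than versioning /etc itself), here is a minimal playbook that is not from the original mail. The tree path, file names and Debian-style service names are assumptions; `backup` keeps a timestamped copy of each replaced file and `validate` checks the new file before it is moved into place, so a broken commit cannot take sshd or dhcpd down.

```yaml
# Added example, not the original poster's playbook; paths and service
# names are assumptions for a Debian-style host.
- name: Push version-controlled /etc files to this host
  hosts: localhost
  connection: local
  become: true
  vars:
    config_tree: /home/ed/git/config/etc   # assumed git checkout

  tasks:
    - name: Refuse to run if the config tree is missing
      ansible.builtin.stat:
        path: "{{ config_tree }}"
      register: tree
      failed_when: not tree.stat.exists

    - name: Install sshd_config, syntax-checked before replacing the live file
      ansible.builtin.copy:
        src: "{{ config_tree }}/ssh/sshd_config"
        dest: /etc/ssh/sshd_config
        owner: root
        group: root
        mode: "0600"
        backup: true              # timestamped copy of the previous file
        validate: /usr/sbin/sshd -t -f %s
      notify: Restart sshd

    - name: Install dhcpd.conf, checked with dhcpd -t before replacing
      ansible.builtin.copy:
        src: "{{ config_tree }}/dhcp/dhcpd.conf"
        dest: /etc/dhcp/dhcpd.conf
        owner: root
        group: root
        mode: "0644"
        backup: true
        validate: /usr/sbin/dhcpd -t -cf %s
      notify: Restart dhcpd

  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: ssh
        state: restarted
    - name: Restart dhcpd
      ansible.builtin.service:
        name: isc-dhcp-server
        state: restarted
```

Run it with `ansible-playbook -i localhost, -c local -b playbook_file.yaml`; the handlers only fire when a file actually changed, so an unchanged tree is a no-op.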