Ansible
When I started this talk I thought this was the worst part
THE MOST BORING
The Problem Statement
- I have a new computer (not a problem) and I want zsh installed (the problem)
sudo apt install zsh
# the thing we forget to do
chsh -s `which zsh` # when typing this I did chsh zsh
Please don't make fun of me. oh-my-zsh does give you a -1 BTW
curl -L https://raw.github.com/robbyrussell/oh-my-zsh/master/tools/install.sh | sh
Add autosuggest to the plugins
plugins=(git zsh-autosuggestions)
git clone https://github.com/zsh-users/zsh-autosuggestions.git ~/.oh-my-zsh/plugins/zsh-autosuggestions
The Problem Statement
I have a new computer (it is the problem)
Installing the things I need
SSH Keys???
So if only there was a solution to all of these problems.
ANSIBLE!!
Isn't that a cloud configuration thing?? Something like Koobernetes?
So let's talk about the anatomy of Ansible
Top Level
- hosts: localhost
  become: true
  pre_tasks: ...
  vars: ...
  tasks: ...
Task
- name: string
  _SOME_ACTION_
  tags:
    - list
    - of
    - tags
Let's create the zsh install but with Ansible
- Install nodejs and npm
- Install n node manager
NOTE!!
...
- name: Update cache
  apt:
    update_cache: true
...
BUT I HAVE SO MANY TASKS!!!
You can reduce the main file by having task files! Let's do that plus add some more programs.
Ohh wait
You can see where this is going.
Every time you do some installation of a new item, put it in ansible. Install it through ansible, add tags, etc etc.
But Prime you told me this was exciting.
SSH?
Let's change gears a bit!
SSH Keys. The worst thing ever. The best thing ever.
Ansible comes with something called ansible-vault. My guess is that this will be the greatest thing you take away from today.
Let's learn by example! Let's encrypt and decrypt shortly.
Decrypting... is always manual?
no.
Here is the exact (well sort of) code that I use to work with vault'd items.
# local.yml
...
  vars:
    source_key: "./.ssh/id_rsa"
    dest_key: "{{ lookup('env', 'HOME') }}/.ssh/id_rsa"
...
# ssh file
- name: Ensure .ssh directory exists.
  become_user: root
  file:
    dest: "{{ dest_key | dirname }}"
    mode: "0700"
    state: directory
  tags:
    - dotfiles
    - ssh
# copy decrypts a vault-encrypted src on the fly (decrypt defaults to true),
# so there is no manual ansible-vault decrypt step
- name: Install ssh key
  become_user: root
  copy:
    src: "{{ source_key }}"
    dest: "{{ dest_key }}"
    mode: "0600"
  tags:
    - dotfiles
    - ssh
- name: Set authorized key took from file
  authorized_key:
    user: "{{ lookup('env', 'USER') }}"
    state: present
    # key must be the public key text, not a path, so read it with the file lookup
    key: "{{ lookup('file', lookup('env', 'HOME') + '/.ssh/id_rsa.pub') }}"
  tags:
    - dotfiles
    - ssh
# clone down the dotfiles and recurse the submodules (which are private)
- name: Cloning .dotfiles
  ansible.builtin.git:
    repo: 'git@github.com:ThePrimeagen/.dotfiles.git'
    dest: "{{ lookup('env', 'HOME') }}/.dotfiles"
    recursive: yes
    update: yes
    # accept_hostkey: yes accepts github.com's host key without verifying it
    accept_hostkey: yes
    version: master
  tags:
    - dotfiles
ansible-playbook -t dotfiles local.yml --ask-become-pass --ask-vault-pass
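Since the private key at source_key lives in the repository, it helps to verify it really is vault ciphertext before every commit. The following is an added example, not code from the talk: the function names and the script name check_vault.sh are hypothetical, and it assumes only the `$ANSIBLE_VAULT;<version>;AES256` header line that ansible-vault writes at the top of an encrypted file.

```shell
#!/bin/sh
# Added example: refuse to commit a key that is not ansible-vault ciphertext.
# Assumption: vaulted files begin with a header line like
#   $ANSIBLE_VAULT;1.1;AES256

# is_vaulted FILE: succeeds only if the first line is a vault header.
is_vaulted() {
    [ -f "$1" ] || return 2
    first_line=
    IFS= read -r first_line < "$1" || [ -n "$first_line" ] || return 1
    case "$first_line" in
        '$ANSIBLE_VAULT;'[0-9]*';AES256'*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_secrets FILE...: report each file, fail if any is missing or unencrypted.
check_secrets() {
    bad=0
    for f in "$@"; do
        if is_vaulted "$f"; then
            echo "ok: $f"
        elif [ ! -f "$f" ]; then
            echo "MISSING: $f"; bad=$((bad + 1))
        elif grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f"; then
            echo "PLAINTEXT PRIVATE KEY: $f"; bad=$((bad + 1))
        else
            echo "NOT VAULTED: $f"; bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# demo: run the check over two constructed sample files (not real keys).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '36386261constructed' > "$d/vaulted"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed' > "$d/plain"
    if check_secrets "$d/vaulted" "$d/plain"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return "$rc"
}

# As a pre-commit hook: sh check_vault.sh .ssh/id_rsa
if [ "$#" -gt 0 ]; then
    check_secrets "$@" || exit 1
fi
```

Calling `demo` prints one ok line and one PLAINTEXT PRIVATE KEY line and returns non-zero, which is the status a pre-commit hook needs to block the commit.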
Bonus Content
So we talked about the vault. What else could we vault other than ssh keys?