Ansible for FreeBSD - use cases?

Victor Sudakov vas at sibptus.ru
Mon Oct 7 04:22:44 UTC 2019


Ruben wrote:
> >> - freebsd-update (crossing . releases, so using the "upgrade" switch)
> > 
> > Do you administer freebsd-update within one release with Ansible too?
> > 
> 
> Yes, that works nicely (since it doesn't require interaction).

Maybe you have been lucky, but for me freebsd-update sometimes drops
into interactive mode to resolve conflicts in /etc.

> >>
> >> Ansible integrates quite nicely with Jinja2, which allows us to
> >> configure/administrate all applications we run on FreeBSD servers.
> > 
> > Please tell if Jinja2 (which port is that?) has to be installed on the
> > Ansible controller only, or on every managed host?
> 
> You would only need it on the ansible host. I think it's even a
> requirement for running ansible, but I'm not sure. The package I have
> currently installed on a FreeBSD ansible controller: py27-Jinja2-2.10.1 .

You are right, in my test setup py36-Jinja2-2.10.1 is already a
requirement for sysutils/ansible.

[dd]

> > Thanks for the positive review! One more question: have you ever had
> > problems and disasters caused by Ansible modules? After all, they are
> > pieces of software written probably by a Linux-minded person modifying
> > your FreeBSD system's vitals. Does it not sound a bit scary?
> 
> I totally agree: it is scary. Especially the packetfilter/firewall and
> user management stuff. As you are probably well aware AWS for instance
> doesn't provide console access to its ec2 instances. If a playbook/role
> screws up, customers miss an often very vital part of their infrastructure.
>
> If you test playbooks/roles on non-production deployments prior to
> running them on live stuff it's suddenly a lot less scary and I have
> never come across disaster scenarios.

I see.

> The user management modules - in
> my experience - are rock-solid. The
> "lineinfile,blockinfile,raw,shell,command" modules as well. What other
> modules were you contemplating on using / what is your use case?

A good question. Let me remember the most tedious tasks.

1. I already distribute some configuration files (like
squid white- and blacklists, hosts.allow, sysutils/vm-bhyve templates
etc) with net/rdist6. I may replace rdist by ansible if it's more
flexible (rdist cannot edit files, only replaces if newer).
The "copy", "lineinfile" and "blockinfile" modules are for that, right?

2. Installation of packages (from the single repo I keep) and keeping
them up-to-date. In jails too.

3. User and group management certainly. In jails too.

4. Creation/destruction/configuration of a) jails and b) VMs in vm-bhyve.

5. The management of Let's Encrypt certs (I use acme.sh currently). Do I
even need ansible for that?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/

More information about the freebsd-questions mailing list