Is anyone using #Ansible to manage Linux firewall rules?

Using a module, I don't know how to get to the desired state, i.e. removing all existing rules and applying only the ones I set.
Is the right solution to generate a complete rule file and apply it?
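One way to do the "generate a complete rule file and apply it" approach the question describes, as an added example (not from the poster): the rendered file begins with `flush ruleset`, so every run replaces whatever rules exist with exactly the templated set, and `nft -f` loads the file as a single transaction. The host group, file path, management CIDR and port list are assumptions.

```yaml
# Added example: enforce a complete nftables ruleset (desired state) with Ansible.
# Assumptions: targets run nftables, the rule file lives at /etc/nftables.conf,
# and the variables below are constructed values overridden per host in inventory.
- name: Enforce firewall desired state
  hosts: firewall_hosts
  become: true
  vars:
    mgmt_cidr: "10.0.0.0/24"        # constructed: where SSH is allowed from
    allowed_tcp_ports: [80, 443]    # constructed: public services
  tasks:
    - name: Render the full ruleset (flush first, so the file IS the whole state)
      ansible.builtin.copy:
        dest: /etc/nftables.conf
        mode: "0600"
        validate: "nft -c -f %s"    # syntax-check the rendered file before replacing the old one
        content: |
          #!/usr/sbin/nft -f
          flush ruleset
          table inet filter {
            chain input {
              type filter hook input priority 0; policy drop;
              iifname "lo" accept
              ct state established,related accept
              ct state invalid drop
              ip saddr {{ mgmt_cidr }} tcp dport 22 accept
              tcp dport { {{ allowed_tcp_ports | join(', ') }} } accept
              icmp type echo-request limit rate 5/second accept
              icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
            }
            chain forward { type filter hook forward priority 0; policy drop; }
            chain output  { type filter hook output priority 0; policy accept; }
          }
      notify: Reload nftables ruleset

    - name: Ensure the same ruleset is restored at boot
      ansible.builtin.systemd:
        name: nftables
        enabled: true

  handlers:
    - name: Reload nftables ruleset
      # flush + load happen in one kernel transaction, so there is no window with no rules
      ansible.builtin.command: nft -f /etc/nftables.conf
```

Because the handler only fires when the rendered file changed, repeated runs are idempotent, and any rule added by hand on the host disappears on the next apply.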

So I decided to modify the @ndlug matrix configuration today and since we use matrix-docker-ansible-deploy (https://github.com/spantaleev/matrix-docker-ansible-deploy), I tried to run:

$ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start -K

Which allows me to use sudo to become root. Well, it normally does, but because the server is running Ubuntu 26.04 it does not work because ansible does not understand sudo-rs:

https://reddit.com/r/ansible/comments/1t6ie61/become_true_not_working_with_ubuntu_2604_lts/

Fortunately, I was able to find a workaround by adding the following to my ansible.cfg:

[privilege_escalation]
become_method = sudo
become_exe = /usr/bin/sudo.ws

This tells ansible to use the original sudo rather than sudo-rs for privilege escalation.

This is a bit annoying... but not a total dealbreaker. I am finding more and more papercuts with Ubuntu though, particularly on the server side, which I was not anticipating. This might further encourage me to continue my transition to Debian :|

#ubuntu #sudo #ansible

#Ansible documentation is so frustrating. Like, I know they're trying to push everyone to purchase support, etc. but at least make the docs useful for those of us who aren't able to purchase support. Even just trying to find the documentation for, for example, the requirements for dynamic inventory scripts is almost impossible. Thanks #RedHat

Finally built my ingress controller; no more manual management of #letsencrypt certs or #nginx with #ansible .

#go #programming #softwaredevelopment #homelab #selfhosted

Version 0.4.5 of the #Uyuni #Ansible Collection just dropped: https://galaxy.ansible.com/ui/repo/published/stdevel/uyuni/

This version adds support for MLM server and proxy 5.1 and additional distributions (Debian 13, Ubuntu 24.04 and EL9). Keep in mind that those aren't officially supported ("as is"). It also fixes several bugs and a lot of Ansible linting.

Happy converging and patching!

#SUSE


The illusion of IaC: why Terraform doesn't know what is happening to your infrastructure

We used Terraform the way you are supposed to. Then we ran a scheduled apply and took production down for the second time in a week. I break down why IaC does not guarantee consistency, where configuration drift comes from, and why "let's introduce processes" won't stop it.

https://habr.com/ru/articles/1046061/

#IaC #дрейф #terraform #ansible #devops #devsecops


ansible_jailexec 2.0.0 is out. It's a security release.

Versions <2.0.0 have a jail-escape bug: put_file followed symlinks placed inside a jail during a root-owned, host-side move, allowing arbitrary root writes on the host. All file transfers now run inside the jail via jexec, confined to its chroot.

Advisory: GHSA-cxgv-hp74-jj7r
Release: https://github.com/chofstede/ansible_jailexec/releases/tag/v2.0.0

#FreeBSD #Ansible #infosec


Photo suggestion: 'Laundry'

Ansible socks

#FotoVorschlag #Ansible

Are your #DevOps tools solving problems — or adding complexity? At #PSConfEU, @[email protected] shows how combining #Terraform + #Ansible enables: ✅ Better #automation ✅ Consistent builds ✅ Scalable workflows Tech matters — but people matter more. 👉 youtu.be/ZFNM0wisenE?si=3kd... #PowerShell #IT

From ConfigMgr to Manager of Configs - Hailey Phillips - PSConfEU 2026

Deploying my first #Ubuntu 26.04 servers, the new #Rust based #sudo was the first thing to bite me when using my regular #Ansible playbooks and roles. The workaround for now is to add "export ANSIBLE_BECOME_EXE=sudo.ws" to the script I use to populate variables before triggering the ansible-playbook command.