AUR with Ansible
https://feddit.uk/post/7425101
=> More informations about this toot | More toots from Cyber@feddit.uk
Sound like you have configured your Ansible to run as root per default. You should remove that from your ansible.cfg. The tasks you do need root for you use the keyword ‘become: true’ to use sudo for that task alone (or use ‘become’ it for a block if several tasks).
=> More informations about this toot | More toots from mumblerfish@lemmy.world
Ah! Ok, I’ll dig into that and have a look.
I thought I was SSHing into the clients as a non-root user, but I guess that’s where I’m going wrong.
Yeah, looking at the /tmp/aur folder it creates, it’s owner is root… hmmm.
Thanks
=> More informations about this toot | More toots from Cyber@feddit.uk
I may be wrong, but if you did ssh as roothen it seems like your ssh configuration leaves a bit to be desired. If you can ssh in as root, you may want disallow that in your ssh configuration… don’t remember the setting now, ‘AllowRoot no’ maybe? Then it also should be that you have your pub key in root’s .ssh/authorized_keys, you may want to remove that. Allowing anyone to ssh in as root is probably not a good idea. For example ‘root’ is a very common username used in bruteforce attacks on exposed ssh ports, so locking down any possibility to get in as root directly is probably a good idea.
=> More informations about this toot | More toots from mumblerfish@lemmy.world
Thanks for the pointer, but no, I’m not SSHing as root. And PermitRootLogin no is configured, so all good there.
Turns out I start the entire sequence as become, so I had to learn about changing users with ansible-become variables
Still have a few bugs to work out, but thanks for getting me on track
=> More informations about this toot | More toots from Cyber@feddit.uk
I did something similar with Puppet a while ago, it also runs as root so hot the same problem.
My solution was to set up my own package repo for the AUR packages I needed and just build them periodically. This way I only have to build them once for all the machines.
=> More informations about this toot | More toots from wiccan2@lemmy.world
I will be looking at setting up a local package cache soon, but hadn’t thought about putting the aur packages in the same one… nice.
So, do you just build those packages anywhere and just copy to your repo?
=> More informations about this toot | More toots from Cyber@feddit.uk
Basically.
I build on my laptop and then add to the repo stored on my NAS.
I’ve also got chaotic-aur set up as they tend to build the bulk of what I need from the AUR so I only have to build the more niche packages I use.
=> More informations about this toot | More toots from wiccan2@lemmy.world
Didn’t know about chaotic-aur, thanks
=> More informations about this toot | More toots from Cyber@feddit.uk
If your non-root user has sudo access, then it should be as easy as making your Ansible playbook log in as the non-root user by default, and then use Ansible’s become for anything that needs to run with sudo.
=> More informations about this toot | More toots from TheRandomNinja@beehaw.org
I literally stumbled upon this a few hours ago, maybe it will help.
github.com/DoTheEvo/ansible-arch
=> More informations about this toot | More toots from deluxeparrot@thelemmy.club
Ooh, not seen that before… thanks
=> More informations about this toot | More toots from Cyber@feddit.uk
Can’t you change to a normal user with become? We do lots of stuff with Ansible as normal user. You should be able to create tasks that get executed as normal user and install yay and run makepkg, and then run yay to install packages.
=> More informations about this toot | More toots from mellejwz@lemmy.world
Yeah, the problem was that some modules don’t support become, so I just ran the whole thing that way.
For git and aur, to drop sudo I found that I have to use ansible-become variables to override just that step.
Live & learn
=> More informations about this toot | More toots from Cyber@feddit.uk This content has been proxied by September (ba2dc).Proxy Information
text/gemini