This repository aims at automating the setup of my Debian workstations using Ansible.
This repo works in combination with my utils (my own small housekeeping programs) and my dotfiles (config files for the programs I use).
This short documentation acts as a personal reminder :)
- Download a
netinstISO image from the official website. - Create a bootable USB drive.
- With
dd:sudo dd if=[path_to_iso] of=[path_to_usb]I usually use
lsblkto know the path to the USB drive. Be careful, as choosing the wrong path might cause serious damage. - Sometimes Rufus can work where
dddoesn’t.
- With
- Install Debian.
Note: the Debian installation itself can be automated using preseeding. My experimental preseed configuration can be found on the
preseedbranch here.A manual install works for me at the moment. Here are a few important choices I usually make:
- I usually set up an encrypted LVM.
- I don’t create a
rootuser, only a normal user, who will automatically be placed in thesudogroup. This is convenient since I don’t have to manually installsudoon the new machine. - I only install the standard system utilities and the SSH server, i.e. no X server nor desktop environment such as GNOME - Ansible will take care of everything. The SSH server is required to connect to the machine from the Ansible controller (usually another machine on my network).
There are 3 ways to execute the Ansible playbook.
The provisioning may be done from a so-called controller, i.e. another machine on my local network.
- Install
sshpassand log into the node once using SSH. This will add the fingerprint to theknown_hostsfile. - Test the connection. For example:
ansible -m ping -i 192.168.1.7, -u alc --ask-pass allWithout
-u, the default user would be the same as the one who’s logged in on the controller.Sometimes I use a QEMU virtual machine for testing purpose, with a SSH port forwarding on port
2222. In this case:ansible -m ping -i localhost, -e "ansible_port=2222" --ask-pass all - Run the playbook. I use the
basic-systemtag to setup, well, a basic system, according to my preferences:ansible-playbook \ -u alc \ -i 192.168.1.7, \ --ask-pass \ --ask-become-pass \ --ask-vault-pass \ --tags "basic-system" playbook.yml--ask-passis necessary for the SSH connection (sshpassis installed on the controller). This could also be done using SSH keys.--ask-become-passis for sudo.--ask-vault-passis for decrypting the vault. I use it to store a Github token allowing to add a public key to my Github repository (see the ssh-key role).The password can be tested beforehand on the encrypted token using:
ansible-vault decryptJust press Enter then C-d after pasting the string.
For QEMU, this is the same, but with
-i localhostand-e "ansible_port=2222.
Alternatively, the playbook can be executed on the current machine
itself (localhost) if all the necessary tools are already installed
(ansible, etc.). This is useful to maintain my current machine in a
desired state defined by Ansible.
ansible-playbook \
-u alc \
-i localhost, \
-e "ansible_connection=local" \
--ask-become-pass \
--ask-vault-pass \
--tags "basic-system"
playbook.ymlFinally, the playbook might also be run locally on a fresh Debian install by running a bootstrapping script:
wget -qO - https://raw.githubusercontent.com/alecigne/ansible-desktop/develop/bootstrap.bash | bashThe bootstrapping script will install Git and Ansible and will clone this repository. It will then execute Ansible twice:
- A first time for switching from Debian stable to Debian testing and
updating the system (
debian-upgradetag).ansible-playbook \ -i localhost, \ -e "ansible_connection=local" \ --ask-become-pass \ playbook.yml \ --tags debian-upgrade - A second time to execute the rest of the playbook using an updated
version of Ansible.
ansible-playbook \ -i localhost, \ -e "ansible_connection=local" \ --ask-become-pass \ --ask-vault-pass \ playbook.yml \ --skip-tags debian-upgrade