On Sat, Jun 22, 2019 at 10:29:22PM +0300, cho...@jtan.com wrote:

> Ansible is not the correct tool for this job; it can only configure and
> maintain an _extant_ system.
>
> None of the recent plethora of configuration management tools have
> considered the scenario *before* an operating system has been
> installed. All of them expect the server to exist and for secured
> communication channels to have been established between it and the
> master control system before they are operable.

That's the interesting thing in my case (at least)... the system *IS* already extant!

It has a nice shiny new Ubuntu/Debian/Fedora/CentOS install that has just been imaged onto it using the hosting provider's default tooling, and SSH is already configured (without blindly saying "yes" to the unexpected-fingerprint prompt).

Normally in this situation one would just use Ansible to harden the default Linux install and configure whatever applications are needed. But in this case I feel like hardening the Linux install even more, by replacing it with OpenBSD :)

Maybe I'm wrong, but it seems like if this problem were well-solved then it would make it easier to use OpenBSD in many more applications and situations.

> FWIW I'm working on-and-off on a tool which specifically automates
> *that* problem (build a new server/vm/chroot with zero human
> interaction so Ansible et al. can subsequently and safely take over)
> but what I've released so far is alpha quality at best.
>
> Conveniently if you're only targeting OpenBSD then it's entirely
> useless because, provided you can use PXE*, the OpenBSD developers have
> already solved it.
>
> Without Ansible.
>
> Matthew
>
> [*] The autoinstall/siteXX.tgz/etc. solution provided by the OpenBSD
> developers is very good but there are some questions I have around
> integrity on a potentially untrusted network. However as I'm trying to
> target more than just OpenBSD, and I don't trust any network, I've
> simply abandoned the idea of using PXE in my own environments so I
> haven't looked into the answers to them. YMMV.

I'd love to see your tool. PXE is mostly not available for this case (in general I am trying to target the most generic possible situation).
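As an added illustration of the "no blind yes to the fingerprint prompt" step mentioned above (example code, not part of this thread or of any tool discussed in it): the provider's control panel or console typically shows the freshly imaged host's key fingerprint, and the automation should pin the key only if the key it was handed matches that out-of-band value. The host address and the key blob below are constructed placeholders.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def host_key_fingerprint(pubkey_b64: str) -> str:
    """Return the OpenSSH-style 'SHA256:<base64 without padding>' fingerprint
    of a base64 public-key blob, the same form `ssh-keygen -lf` prints."""
    blob = base64.b64decode(pubkey_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def host_key_matches(pubkey_b64: str, expected_fp: str) -> bool:
    """True only if the key we were handed has the fingerprint obtained
    out-of-band (provider console, signed notification, etc.)."""
    return host_key_fingerprint(pubkey_b64) == expected_fp


def pin_host_key(host: str, keytype: str, pubkey_b64: str, expected_fp: str) -> str:
    """Return the known_hosts line to install, or raise on mismatch so that
    the first connection never depends on an interactive 'yes'."""
    if not host_key_matches(pubkey_b64, expected_fp):
        raise ValueError(
            f"host key for {host} does not match the out-of-band fingerprint: "
            f"{host_key_fingerprint(pubkey_b64)} != {expected_fp}"
        )
    return f"{host} {keytype} {pubkey_b64}"


# Constructed sample: a synthetic ed25519 host-key blob (type string followed
# by a 32-byte "key"), NOT a real key. Real automation reads this from the
# provider API or from `ssh-keyscan` output.
SAMPLE_HOST = "203.0.113.10"  # documentation address, placeholder
SAMPLE_KEY_B64 = base64.b64encode(
    ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
).decode("ascii")

if __name__ == "__main__":
    fp = host_key_fingerprint(SAMPLE_KEY_B64)
    print("computed fingerprint:", fp)
    print("known_hosts line:", pin_host_key(SAMPLE_HOST, "ssh-ed25519", SAMPLE_KEY_B64, fp))
```

The `expected_fp` value must come from a channel other than the SSH connection itself; otherwise the comparison only checks the key against itself.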
