I have a basic firewall, but did not use App Armor, SELinux, or kernel blacklists. I definitely shut down port 22 just for now. It’s just a laptop daily driver. Should I do more?

Also, I’m now addicted to Arch. I’m using Hyprland with it. This means I’ve got two bleeding edge wares and that gets rough sometimes when things break. I want Arch on my desktop gaming rig though. I tried other distros but I just love Arch. Has anyone tried using Ansible to manage multiple installations? I really can’t maintain two so I was wondering if Ansible would make it easier, especially for updating.

  • eldavi@lemmy.ml (5 upvotes, 8 days ago)

    Ansible is a little bit overkill for 2 systems, but it’s worth learning since it’s a valuable skill in today’s job market

    • ScoffingLizard@lemmy.dbzer0.com (OP) (2 upvotes, 7 days ago)

      So I have a laptop (already configured with Arch), OpenWrt router, a Pi 5 for Jellyfin with DietPi, and a desktop. I want to put Arch with Hyprland on the desktop. It would be cool if I could just use Ansible to perform updates on the Arch nodes at once. I also have trouble remembering configs and it causes me problems. I’d like to use my other Pi 3s with Arch for Immich, Nextcloud (I have a digital book library), Wikipedia, etc. if possible. Honestly the Pi 5 is not up yet so I could use Ansible for all. I wouldn’t have put DietPi on there if I had previously thought about automating Arch with Ansible.

      Hell, I think I just talked myself into it.

      • eldavi@lemmy.ml (1 upvote, 5 days ago)

        I also have trouble remembering configs and it causes me problems.

        Ansible’s strength comes in the form of infrastructure as code and managing armies of systems; it sounds like it’ll at least help with the first part since I rely on IaC to help me learn and remember configs also.

  • SayCyberOnceMore@feddit.uk (3 upvotes, 8 days ago)

    I have a laptop, NAS, Pi and some VMs running Arch - all updated by Ansible, most setup by Ansible.

    It’s fine.

    However, you’ll need to manually do a pacdiff often to check if something’s had an updated config file…

    And if you’re using the AUR, Ansible can use that too, but you just need to keep an eye on those packages in case something else needs tweaking (not to mention getting an AUR helper installed in the first place)

    Re: security - it depends… usually, if you’re not using something you need to shut it down for security… with Arch, just don’t install it in the first place. So if you don’t need an SSH server don’t install it / remove it (I don’t recall if OpenSSH is installed by default TBH)

    You could set up a firewall, but, are you using hostile networks?

    Just ensure root has a good password and you’ve not done the Ubuntu thing of removing the need for a password to use sudo and you’ll be fine in most situations… maybe a password protected screensaver for when you leave your laptop alone at Starbucks…
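An added example (not code from anyone in this thread) of the workflow described above: one playbook that upgrades every host in an assumed `arch` inventory group, then reports `.pacnew` files for manual merging instead of touching them, and fails if sudo has been made passwordless. It assumes the `community.general` collection on the controller and `pacman-contrib` (for `pacdiff`) on the hosts.

```yaml
# Added example, not from the thread. Run as:
#   ansible-playbook -i inventory.yml --ask-become-pass arch-update.yml
# Group name "arch" and the check thresholds are assumptions.
- name: Update Arch hosts and report what still needs a human
  hosts: arch
  become: true            # sudo should still ask for a password, hence --ask-become-pass
  tasks:
    - name: Full system upgrade (equivalent of pacman -Syu)
      community.general.pacman:
        update_cache: true
        upgrade: true

    - name: Make sure pacdiff is present
      community.general.pacman:
        name: pacman-contrib
        state: present

    - name: List .pacnew / .pacsave files without merging them
      ansible.builtin.command: pacdiff --output
      register: pacnew
      changed_when: false
      failed_when: pacnew.rc not in [0, 1]

    - name: Look for passwordless sudo rules (the "Ubuntu thing")
      # ^[^#]*NOPASSWD only matches uncommented rules; grep rc 1 just means "no match"
      ansible.builtin.command: grep -rE '^[^#]*NOPASSWD' /etc/sudoers /etc/sudoers.d
      register: nopasswd
      changed_when: false
      failed_when: nopasswd.rc not in [0, 1]

    - name: Report config files that need a manual merge
      ansible.builtin.debug:
        msg: "{{ inventory_hostname }} has unmerged configs: {{ pacnew.stdout_lines }}"
      when: pacnew.stdout_lines | length > 0

    - name: Fail loudly if sudo does not require a password
      ansible.builtin.assert:
        that: nopasswd.stdout_lines | length == 0
        fail_msg: "NOPASSWD sudo rule found: {{ nopasswd.stdout_lines }}"
```

The `.pacnew` list is only reported, so the merge (and copying the final file back into your Ansible tree) stays a deliberate manual step.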

    • ScoffingLizard@lemmy.dbzer0.com (OP) (1 upvote, 7 days ago)

      Thanks for that. So when you have to do something like run a reflector command to update mirrors, does Ansible work well for that?

      Do the updates have any complexities concerning automation between processor types? Will Ansible keep updates synced across the Pi and laptop simultaneously?

      I have SSH down but bring it up when needed. I just shut it off due to paranoia. I might just run it through some crazy port and then kill root access.

      • Aerion@lemmy.ml (1 upvote, 4 days ago)

        Run SSH over Tailscale. Extremely easy to set up, and it takes away the hassle of creating + distributing keys, port forwarding, etc. All authentication and access restriction is done through easy to understand ACLs.

        I use it, for example to manage a friend’s Snikket server in another country, with his server on his Tailnet shared with mine, and an SSH ACL to allow SSH access for my Tailscale user only.

      • SayCyberOnceMore@feddit.uk (1 upvote, 7 days ago)

        Ok, so a few things to pick apart there…

        If you’re using reflector to find the fastest mirror, personally, I’d do that once and maybe check it… twice a year? As long as you have, say 3~5 mirrors, then if your fastest failed, you’ll still update. And the 2nd / 3rd fastest are not going to be much slower.

        So, really, that could be done manually

        But, that brings me on to `.pacnew` in general. Again, IMHO, that should not be automated.

        Ok, maybe `locale.gen` updates can be ignored, but sometimes a config file really changes a lot. And that new file should be in your Ansible master files to copy to all relevant devices.

        Handling different processor types? Not really a problem. If you have a load of devices then grouping your Ansible hosts by OS type might be a good idea because they’ll probably be doing similar things, but you’re usually installing packages by name, doing an update, etc., not OS-specific things usually…

        You’ll need SSH for a remote Ansible controller to access the devices, but using private key pairs, possibly only enabling on specific IP addresses, etc, would help.
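An added example (not from anyone in this thread) of the inventory layout suggested above: hosts grouped by OS so pacman-only plays never target the DietPi box, and the controller using a dedicated key with an unprivileged login account instead of a password. Hostnames, addresses and the key path are assumptions.

```yaml
# Added example, not from the thread. Save as inventory.yml and pass with -i.
# Every name, address and path below is a constructed placeholder.
all:
  vars:
    ansible_user: ansible                      # unprivileged account; root SSH login stays off
    ansible_ssh_private_key_file: ~/.ssh/ansible_ed25519
    ansible_ssh_common_args: "-o IdentitiesOnly=yes -o StrictHostKeyChecking=yes"
    ansible_become: true                       # privilege via sudo, which still asks for a password
  children:
    arch:                                      # x86_64 and aarch64 alike; same pacman tasks
      hosts:
        laptop:
          ansible_host: 192.168.1.10
        desktop:
          ansible_host: 192.168.1.11
        pi3-immich:
          ansible_host: 192.168.1.20
    debian_like:                               # DietPi: use ansible.builtin.apt in its own play
      hosts:
        pi5-jellyfin:
          ansible_host: 192.168.1.30
```

With `ansible_become: true` and no NOPASSWD rule on the hosts, every run needs `--ask-become-pass`, which keeps the "sudo requires a password" advice from earlier in the thread intact.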