I have a basic firewall, but did not use AppArmor, SELinux, or kernel blacklists. I definitely shut down port 22 just for now. It’s just a laptop daily driver. Should I do more?

Also, I’m now addicted to Arch. I’m using Hyprland with it. This means I’ve got two bleeding edge wares and that gets rough sometimes when things break. I want Arch on my desktop gaming rig though. I tried other distros but I just love Arch. Has anyone tried using Ansible to manage multiple installations? I really can’t maintain two so I was wondering if Ansible would make it easier, especially for updating.

  • ScoffingLizard@lemmy.dbzer0.com (OP)
    8 days ago

    Thanks for that. So when you have to do something like run a reflector command to update mirrors, does Ansible work well for that?

    Do the updates have any complexities concerning automation between processor types? Will Ansible keep updates synced across the Pi and laptop simultaneously?

    I have SSH down but bring it up when needed. I just shut it off due to paranoia. I might just run it through some crazy port and then kill root access.

    • Aerion@lemmy.ml
      5 days ago

      Run SSH over Tailscale. Extremely easy to set up, and it takes away the hassle of creating + distributing keys, port forwarding, etc. All authentication and access restriction is done through easy to understand ACLs.

      I use it, for example, to manage a friend’s Snikket server in another country, with his server on his Tailnet shared with mine, and an SSH ACL to allow SSH access for my Tailscale user only.

    • SayCyberOnceMore@feddit.uk
      7 days ago

      Ok, so a few things to pick apart there…

      If you’re using reflector to find the fastest mirror, personally, I’d do that once and maybe check it… twice a year? As long as you have, say 3~5 mirrors, then if your fastest failed, you’ll still update. And the 2nd / 3rd fastest are not going to be much slower.

      So, really, that could be done manually.

      But, that brings me on to `.pacnew` in general. Again, IMHO, that should not be automated.

      Ok, maybe locale.gen updates can be ignored, but sometimes a config file really changes a lot. And that new file should be in your Ansible master files to copy to all relevant devices.

      Handling different processor types? Not really a problem. If you have a load of devices then grouping your Ansible hosts by OS type might be a good idea because they’ll probably be doing similar things, but you’re usually installing packages by name, doing an update, etc., not OS specific usually…

      You’ll need SSH for a remote Ansible controller to access the devices, but using private key pairs, possibly only enabling on specific IP addresses, etc, would help.
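
The approach discussed in this thread, as an added example that is not part of any comment above: an Ansible playbook that automates the upgrade, only reports `.pacnew` files for manual merging, and restricts SSH to key-based logins from the controller. The `arch` inventory group, the `admin` account, the `192.0.2.10` controller address and the drop-in file name are assumptions, and the drop-in relies on the host's `sshd_config` including `/etc/ssh/sshd_config.d/*.conf`.

```yaml
# Added example; hosts group, account name and IP are placeholders.
- name: Update Arch hosts and report unmerged .pacnew files
  hosts: arch                    # assumed inventory group (e.g. laptop, desktop, Pi)
  become: true
  vars:
    controller_ip: 192.0.2.10    # placeholder from the documentation range
    admin_user: admin            # placeholder; must already have a public key installed
  tasks:
    - name: Full system upgrade (equivalent to pacman -Syu)
      community.general.pacman:
        update_cache: true
        upgrade: true

    - name: Find .pacnew files left behind by the upgrade
      ansible.builtin.find:
        paths: /etc
        patterns: "*.pacnew"
        recurse: true
      register: pacnew

    - name: List them for manual review instead of merging automatically
      ansible.builtin.debug:
        msg: "{{ pacnew.files | map(attribute='path') | list }}"
      when: pacnew.matched > 0

    - name: Key-only SSH, no root login, admin user only from the controller
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/10-hardening.conf   # assumed drop-in name
        mode: "0600"
        content: |
          PermitRootLogin no
          PasswordAuthentication no
          KbdInteractiveAuthentication no
          PubkeyAuthentication yes
          AllowUsers {{ admin_user }}@{{ controller_ip }}
        # Refuse to install a file sshd cannot parse, to avoid a lockout.
        validate: /usr/bin/sshd -t -f %s
      notify: Reload sshd

  handlers:
    - name: Reload sshd
      ansible.builtin.service:
        name: sshd
        state: reloaded
```

Keep an existing SSH session open while applying the `AllowUsers` restriction for the first time, since a wrong address or account name blocks new logins.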