I've been keeping a computer setup page on my website for a while, describing the exact steps needed to make a computer work how I want after a new OS install. I've also had a note there for years saying eventually I should use Ansible for this. This weekend I finally got around to it, and learned a little bit about Ansible while I was at it.

The Ansible scripts

There's nothing private in my Ansible setup (it's just a copy of that page on my website anyway), so I hosted it on GitHub:


The vault

You'll notice that there is a vault, which Ansible can use to store passwords. Mine currently contains a GitHub token (which I didn't end up using), and I don't plan to ever store any non-generated passwords in it. The problem with Ansible vaults is that they're checked into git, so if you ever leak the vault password, changing it doesn't really help: the old version of the vault, encrypted with the leaked password, is still in your history.

I'm not using the vault for anything right now, but I left it in place since it has a cool setup that I plan to use in the future: It uses the LastPass CLI to download the vault password. This lets me effectively synchronize the vault password to all of my computers, without putting it in the vault.

All in one folder

One nice thing about doing all of this myself was learning about the Ansible configuration file and how to set things up. Ansible seems to be designed to store everything in /etc, but I want the repo to contain everything I need. Conveniently, you can use the ansible.cfg to set basically any option you'd want. I've used this to make my hosts file part of the repo, and to set up the vault password mentioned above.
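A sketch of the vault password setup described in the two sections above, added here as an example and not taken from the repo itself. The script name vault-pass.sh, the LastPass entry name ansible-vault, and the VAULT_LPASS_ENTRY and LPASS_BIN variables are assumptions; Ansible runs an executable vault_password_file and reads the password from its stdout.

```shell
#!/bin/sh
# vault-pass.sh (hypothetical name): vault password client backed by the LastPass CLI.
# Wire it up from the ansible.cfg kept in the repo root:
#   [defaults]
#   inventory = hosts
#   vault_password_file = ./vault-pass.sh
# The script must be executable (chmod +x) so Ansible runs it instead of reading it.

# Assumed LastPass entry holding the vault password; override via VAULT_LPASS_ENTRY.
ENTRY="${VAULT_LPASS_ENTRY:-ansible-vault}"
# LastPass CLI binary; override via LPASS_BIN (assumption, useful for testing).
LPASS="${LPASS_BIN:-lpass}"

fetch_vault_password() {
    # All diagnostics go to stderr: anything on stdout is treated as the password.
    command -v "$LPASS" >/dev/null 2>&1 || {
        echo "vault-pass: LastPass CLI not found" >&2; return 2; }
    # 'lpass status --quiet' exits non-zero when there is no active session.
    "$LPASS" status --quiet || {
        echo "vault-pass: not logged in, run 'lpass login' first" >&2; return 3; }
    pw=$("$LPASS" show --password "$ENTRY") || {
        echo "vault-pass: entry '$ENTRY' not found" >&2; return 4; }
    # Refuse an empty result rather than handing Ansible a blank password.
    [ -n "$pw" ] || { echo "vault-pass: entry '$ENTRY' is empty" >&2; return 5; }
    printf '%s\n' "$pw"
}

# Only fetch when invoked under the script's own name (as Ansible does).
case "${0##*/}" in
    vault-pass.sh) fetch_vault_password ;;
esac
```

Nothing secret lands in the repo this way: the password lives only in LastPass and in the memory of the ansible process that asked for it.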

I expected to need more config changes, but if you follow the best practices for folder layout, Ansible can find everything automatically (like roles, variables, etc.). It's interesting that in a lot of cases, you can either use a single file, or break things out into folders. For example, you can put host variables in host_vars/host_name (a file), or host_vars/host_name/vars.yml. The advantage of the second is that you can also add host_vars/host_name/vault.yml. Similarly, a role can be roles/role_name, or can be split into roles/role_name/{tasks,handlers,files}/main.yml.


Ansible can't bundle everything, so it's useful that you can add custom Python scripts to the libraries folder. I did this to install Atom packages with apm and edit gsettings. I tried to find a good XML library for editing my SyncThing configuration, but the ones I tried didn't work very well. At some point I might make my own library to set SyncThing configuration (I want it to set up sync folders and hosts automatically).


One more thing to mention: Homebrew's casks are extremely useful. It turns out I can install every program I use on OSX except for Todoist (App Store only) with Homebrew:

- name: Install Mac specific programs
  homebrew_cask: name={{ item }}
  # Loop over the cask names below; each one is substituted for {{ item }}
  with_items:
    - atom
    - battle-net
    - cyberduck
    - docker
    - firefox
    - gimp
    - gitter
    - google-chrome
    - hyperswitch
    - iterm2
    - java
    - messenger-for-desktop
    - slack
    - spectacle
    - sqlpro-for-mssql
    - steermouse
    - swinsian
    # missing: Todoist
    - tunnelblick
    - virtualbox
    - wireshark
    - yakyak

I'm glad I finally made the time to do this, since I learned a lot about Ansible and made my future computer setup much easier.