Automating Development Environments with Ansible & Chezmoi

Kevin Howell

Red Hat

Agenda

• Background & Framing
• Ansible
• Chezmoi
• Inspiration

First we’re going to talk about how I define a development environment, considerations around automation,

And then I’ll wrap up with some general thoughts.

About Me

• Principal Software Engineer at Red Hat
• console.redhat.com subscriptions Tech Lead
• Raleigh, NC
• @kahowell@mastodon.social
• https://kahowell.net

First up a bit about me. Java, Quarkus, OpenShift, Tekton

Why

System replacement

Multiple machines

Share between Work & Home

When you retire an old machine and replace it, it’s nice to start fresh (restoring from backup works too, but comes with quirks like drivers, etc.)

New hardware for various reasons: * retirement of old assets * hardware failure * better hardware (e.g. LLM stuff)

• More than one machine - show of hands: more than 2: 2 1 0

• maybe the other machine is a phone, or a machine on a cloud provider

• Learn a config or find a package at work/home and want to use in both.

Pets vs. Cattle

Okay, so there’s this analogy that’s been around a long time. (Pets vs. cattle)

The gist: * pets are cared for individually * cattle are cared for as a group

What about pet cows?

It’s a flawed analogy (on the surface), because sometimes we find something in between.

Other Motivations

Learn a new skill

Share

Cool Factor

You have to admit, sometimes we automate things or try tools because of the cool factor

https://xkcd.com/1205/

Framing

Let’s talk framing, how I think about this.

Layers

System customizations: things you need sudo for User customizations: things you don’t need sudo for

As you move from system -> user customizations, it feels less like “cattle” and more like pets.

Base OS Install

Just install and accept defaults.

• … vs Kickstart/unattended install
• … vs Custom Install Image

Or you could automate but: * need to maintain it * need to put credentials in a file somewhere (ew!)

Or you could do a custom install but: * maintenance again!

Ansible - Why

• automate lots of things
• python

Ansible Installation

dnf install -y ansible

for Ubuntu

apt install -y ansible

Basic Ansible Setup

# go to a standard role directory
mkdir -p ~/.ansible/roles; cd ~/.ansible/roles
# create a role
ansible-galaxy role init $USER-environment

Ansible Role Contents

├── defaults
│   └── main.yml
├── files
├── handlers
│   └── main.yml
├── meta
│   └── main.yml
├── README.md
├── tasks
│   └── main.yml
├── templates
├── tests
│   ├── inventory
│   └── test.yml
└── vars
    └── main.yml

Ansible - Basic Workflow

# update it to do some stuff
$EDITOR tasks/main.yml
# run it - lazy shortcut
ansible -K localhost -c local \
  -m include_role -a name=$USER-environment

(and commit/push to a repo for sharing)

There are other ways to run the ansible code against machines, but this works locally (and y’all can lookup how to run Ansible against remote machines - I believe in you!)

Packages

Package types:

• rpm/deb
• flatpak
• snap
• homebrew (linuxbrew)

- name: Install RPMs
  ansible.builtin.dnf:
    name:
      - '@Development Tools'
      - ansible-lint

For each package manager you use maintain a list of what you install.

Get in the habit of updating anytime you install a new package.

Can use commands to get a list (e.g. command history) - maintenance challenges

Package Origin Preferences

• Distro packages
• Flatpak
• Homebrew
• Snap

• distro maintainers ensure it works on your distro
• flatpak/snap: same experience across distros (but I don’t like snap all that much personally)
• homebrew: share with the mac folks

(You might choose a different order, based on your own preferences &needs)

System Config - Files

files/no-passwords.conf

PasswordAuthentication no

Ansible:

- name: Disable ssh password authentication
  become: true
  ansible.builtin.copy:
    src: no-passwords.conf
    dest: /etc/ssh/sshd_config.d/no-passwords.conf
    mode: '0600'

System Config - Templates

templates/sudoers-custom.j2

{{ ansible_user_id }} ALL=(ALL) NOPASSWD: ALL

Ansible:

- name: Land sudoers template
  ansible.builtin.template:
    src: sudoers-custom.j2
    dest: /etc/sudoers.d/sudoers-custom
    validate: /usr/sbin/visudo -cf %s

These are generally set-and-forget things.

Raw files and templates.

There are lots of modules that offer higher level of abstraction, but these go a long way.

Using Ansible Elsewhere

ansible-galaxy role install \
  --force \
  git+https://github.com/$USER/$USER-environment
ansible -K localhost -c local \
  -m include_role -a name=$USER-environment

Note

You can apply remotely as well, see docs.

Ansible - Other Capabilities

• Manage users/groups
• Manage services/jobs (systemd & cron)
• Execute commands/scripts

Chezmoi

Chezmoi - Why

• lighter weight
• better than files in a git repo
• ergonomics

Chezmoi Installation

# also pulls dotfiles if you already use chezmoi
sh -c "$(curl -fsLS get.chezmoi.io)" \
  -- init \
  --apply \
  $GITHUB_USERNAME

User Config

• vim vs. emacs
• vs. vscode
• vs. vscodium

• .bashrc
• .zshrc
• .gitconfig

chezmoi add ~/.bashrc
chezmoi git commit
chezmoi git push

Show of hands, do you prefer…

I’m a bash person, myself, but shoutout to those that like zsh

gitconfig: And sometimes you don’t edit these yourself, but they still matter.

Templates

dot_gitconfig.tmpl

[user]
  name = Kevin Howell
  email = {{ .email }}
[core]
  editor = vim
[diff]
  tool = meld
[init]
  defaultBranch = main

Tools

Useful code that isn’t distro packaged (yet)

GitHub Releases

Python Packages

Node Packages

Managing GitHub Releases

~/.local/share/chezmoi/ .chezmoiexternal.toml.tmpl

{{ $versions := (fromYaml (include "versions.yaml")) -}}
["bin/ollama"]
    type = "file"
    executable = true
    url = "https://github.com/ollama/ollama/releases/download/{{ $versions.ollama }}/ollama-linux-amd64"

Tip

You can use this with renovate to get automated updates.

Managing Python Packages

~/.local/share/chezmoi/ run_after_poetryinstall.sh

#!/bin/bash
cd ~/tools/python  # make sure include this in $PATH
poetry install --no-root --sync

Note

Can follow a similar pattern for npm packages.

Tip

You can use this with renovate/dependabot to get automated updates.

Scripts

1. scripts git repo (can add to $PATH)
2. directly in dotfiles repo

Prefer the git repo if you want to share maintence (e.g. team, oss-project)

Directly in dotfiles repo is fine too.

Using Chezmoi Elsewhere

chezmoi init $username --apply

Inspiration

• Browse Ansible Galaxy for roles (https://galaxy.ansible.com)
• Browse Ansible collections docs (https://docs.ansible.com)
• Search GitHub for topic: chezmoi (https://github.com/topics/chezmoi)
• Search github for dotfiles repos

Ansible Galaxy has community and partner automation for lots of things.

Take a look at the Ansible module docs. No, really, they have lots of good examples!

Chezmoi’s default workflow encourages publishing your dotfiles to github, so there are tons of chezmoi repos out there. A lot of folks tag them with the chezmoi topic.

Non-chezmoi dotfiles repos are useful too.

My Repos

• https://github.com/kahowell/kahowell-environment
• https://github.com/kahowell/dotfiles

Red Hat Developer

• no-cost subscription for individuals
• free sandbox environments
• https://developers.redhat.com

Q&A

Thanks for attending!

• @kahowell@mastodon.social
• https://kahowell.net

red.ht/SCALE2024