I have completed writing an Ansible role to self-host Firefox Sync server. Thanks to Ansible being just YAML, I hope others can be helped even without running the role by simply reading the code, comments, and commit messages.

I have completed writing an Ansible role to self-host Firefox Sync server. Thanks to Ansible being just YAML, I hope others can be helped even without running the role by simply reading the code, comments, and commit messages.
"The new Data Tagging feature expands provenance tracking on variables to nearly every source. This allows for much more descriptive error messaging, as the entire chain of execution can be consulted to include contextual information about what was happening when an error occurred- in many cases including display of the offending source lines with column markers.
As part of or work on #Cellbroadcast we've documented our current test setup: https://codeberg.org/Phosh/gsm-cell-testing using #osmocom for the mobile network parts and #ansible for deploying #ModemManager on the devices, performing the tests and checking the results.
Thanks to @NGIZero for supporting our work on this.
Wer einen ganzen Zoo von Servern, VMs und/oder Kleinstcomputern verwaltet, sehnt sich schnell nach einem Werkzeug, dass einem ein paar Aufgaben abnimmt.
Eines ist #Ansible und mit einem vorgeschalteten #Semaphore lässt es sich auch noch gut automatisieren. Eine Installationsanleitung kann ich jetzt im Blog auch beitragen:
Automatisierte Aktualisierungen mit Semaphore/Ansible
https://www.jcs-net.de/blog/automatisierte-aktualisierungen-mit-semaphore-ansible
Ansible k3s on vms 1.2.0 and delegated_vm_install 2.0.3 released
https://stafwag.github.io/blog/blog/2025/04/06/ansible-k3s-on-vms_and_delegated_vm_install_released/
I prepared a few update releases of some ansible roles related to provisoin virtual machines with libvirt over the last weeks.
Mainly clean up releases and makes sure that everything works on different GNU/Linux distributions out of the box.
What #Ansible Project/Module/Role should I use to provision an #OpenWRT Router?
Hello, hachyderm! we've been working hard on building up our ansible runbooks and improving hachyderm's overall resilience. Recently, we've been focusing on is database resilience.
We're getting close to retiring our original database server (finally!) and preparing to move to a fully ansible-managed set of databases servers, primary and replica on new hardware. We'll send another announcement when we do the cut over. The team has done excellent work to make this highly automated, quick, and painless!
Done:
author ansible roles for managing postgresql, pgbackrest (backups), pgbouncer, and primary/replica failover
decide to continue with pgbouncer and *not* use pgcat
rotate database passwords
order new replica database hardware
order new future primary database hardware
To do soon:
rebuild replica database with ansible scripts
prepare primary database with ansible scripts
start replicating to new database replica
cut over to new database server
We're also planning on open-sourcing our ansible roles in the coming weeks - just a little housekeeping & tidying up before we do!
For years now I’ve had a bit of a bee under my cap: would it be possible to unlock a Vault file with a GnuPG-compatible smart card? And what if the smart card were local and the unlocking had to be triggered remotely?
Forwarding GnuPG agent over SSH
https://jpmens.net/2025/04/04/forwarding-gnupg-agent-over-ssh/
Edit: I have amended the sentence regarding distinct machines. Works fine on two different Linux boxes.
@hannesstein @tewe Hier habe ich ebenfalls #Ansible dafür: Basissystem, Rest per Roles ausgerollt. Funktioniert gut - und ohne weitere Eingriffe.
Allerdings wird das derzeit noch von einem Host aus angestoßen. Der Aufwand da irgendetwas zentrales zu stellen war mir bei drei Geräten bisher zu hoch.
@tewe Ich verwalte unsere Linux-PCs per #Ansible, die Playbooks stelle ich Dir gerne zur Verfügung (muss ich eh mal veröffentlichen). Authentifiziert wird gegen die Schul-Win-AD: https://oer-informatik.de/linux-ad-integration
#Ansible's decision to use Jinja in values only, and not render the YAML itself through Jinja (like Salt does) might make some things a bit more clean, but it also makes a _lot_ of things significantly more difficult.
OK, this seems to be the python that Ansible is using. Being called directly without all the PATH mangling that the .ansible-wrapped script does. Which explains why it does not find the kubernetes module...
(Thanks @darix for the hint)
Running the playbook with -v shows me that it is using a completely different python3 from /nix/store/lhpwdis5hkyljz1d200bj1s6g51ljq9k-python3-3.12.8/bin/python3 which does not have the kubernetes module apparently.
No idea how it picks this up, where it takes that information from and how to fix this...
Hardcoding a nix path, even it is just ~/.nix-profile/bin/python3, is of course not feasible if the code is being used on other machines where this is not guaranteed to exist (as outlined in the answers yesterday).
What am I missing?
Fourth and hopefully last round for the #NixOS #Ansible bubble:
Short recap: Having the kubernetes module in the ansible derivation/package is not enough, it needs to also be in the python3 or python312 derivation/package.
Fun fact:
- `which python3` gives me /home/tux.penguin/.nix-profile/bin/python3
- this links to /nix/store/ipwx571dlhxmdf1n1yd8vgqq5ndjnxba-python3-3.12.8-env/bin/python3
- `which -a python3` only gives me this one python, no other binaries found in the PATH with that name
1. Using /nix/store/ipwx571dlhxmdf1n1yd8vgqq5ndjnxba-python3-3.12.8-env/bin/python3 as ansible_python_interpreter works, the kubernetes module is found
2. Using /home/tux.penguin/.nix-profile/bin/python3 for ansible_python_interpreter works
3. Using "{{ lookup('env','HOME') }}/.nix-profile/bin/python3" for ansible_python_interpreter works
4. Using just python3 DOES NOT work?!?!? What the hell? Even if this is resolved (in the shell at least) to the same python3 binary/link in ~/.nix-profile/bin/python3? What the hell?
Third round for the #NixOS #Ansible bubble:
I think I have a solution! At least I got some thing working.
Having the python312 nixpkg installed is not enough. It is also not enough to have python312, python312Packages.kubernetes and python312Packages.cryptography installed.
I had to install them "in the same package":
```
home.packages = with pkgs; [
ansible
ansible-lint
(pkgs.python3.withPackages (python-pkgs: [
python-pkgs.cryptography
python-pkgs.kubernetes
]))
];
```
Then I could set the ansible_python_interpreter to `python3` and could use the kubernetes python module for using things from the kubernetes.core Ansible collection.
This is in addition to having the modules also available in the ansible derivation, no idea if that is really necessary.
I'll do some more digging and testing, but at least something worked now! I call that a win!
Second round for the #NixOS #Ansible bubble:
With lots of help I now have a Ansible derivation that includes python modules for requirements from e.g. the kubernetes.core Ansible collection.
But things still do not work. Example: Creating something in a Kubernetes cluster using the kubernetes.core collection. No matter whether I target localhost in my playbook or the remote host with a delegate_to for localhost.
Ansible uses the installed python directly, but without all the module-including-voodoo that is done in the .ansible-wrapped file (that is being called when "ansible" is being invoked". And thus the kubernetes module is not found.
I also tried installing python3 and python3Packages.kubernetes in addition to ansible. I see the kubernetes in $HOME/.nix-profile/lib/python3.12/site-packages/, but it is still not found. I tried telling Ansible that localhost has a python interpreter, but no change.
Frustrating...