10
AUR with Ansible (feddit.uk)
submitted 9 months ago by Cyber@feddit.uk to c/archlinux@lemmy.ml

I've started looking at Ansible to manage all the laptops, VMs, SBCs that I have running Arch Got the ol' pacman installs / updates working fine, but I'm having some problems understanding how to setup AUR to install some of those packages.

Main issue is where Ansible is basically doing everything as root, and AUR helpers don't want to run as root, so ok, create a 2nd non-root user first...

But even installing an AUR helper (yay) brings problems:

I can setup a folder in /tmp/aur , I can git clone the yay package, but then I have no idea how to run makepkg or then yay as that non-root user.

Does anyone have this already figured out?

Or... am I going about this the wrong way?

you are viewing a single comment's thread
view the rest of the comments
[-] mumblerfish@lemmy.world 5 points 9 months ago* (last edited 9 months ago)

Sound like you have configured your Ansible to run as root per default. You should remove that from your ansible.cfg. The tasks you do need root for you use the keyword 'become: true' to use sudo for that task alone (or use 'become' for a block if several tasks).

[-] Cyber@feddit.uk 1 points 9 months ago

Ah! Ok, I'll dig into that and have a look.

I thought I was SSHing into the clients as a non-root user, but I guess that's where I'm going wrong.

Yeah, looking at the /tmp/aur folder it creates, it's owner is root... hmmm.

Thanks

[-] mumblerfish@lemmy.world 2 points 9 months ago

I may be wrong, but if you did ssh as roothen it seems like your ssh configuration leaves a bit to be desired. If you can ssh in as root, you may want disallow that in your ssh configuration... don't remember the setting now, 'AllowRoot no' maybe? Then it also should be that you have your pub key in root's .ssh/authorized_keys, you may want to remove that. Allowing anyone to ssh in as root is probably not a good idea. For example 'root' is a very common username used in bruteforce attacks on exposed ssh ports, so locking down any possibility to get in as root directly is probably a good idea.

[-] Cyber@feddit.uk 2 points 9 months ago

Thanks for the pointer, but no, I'm not SSHing as root. And PermitRootLogin no is configured, so all good there.

Turns out I start the entire sequence as become, so I had to learn about changing users with ansible-become variables

Still have a few bugs to work out, but thanks for getting me on track

this post was submitted on 03 Feb 2024
10 points (100.0% liked)

Arch Linux

7175 readers
2 users here now

The beloved lightweight distro

founded 4 years ago
MODERATORS