Welcome to The Homelab Show, episode 107: Ansible Semaphore, a modern UI for Ansible. I thought this was a neat topic that Jay picked. How are you doing, Jay?

I'm doing really good, other than being really hot. So if I start sweating... the heat index tomorrow alone is going to be 104, I don't know about today. That, plus a bunch of homelab equipment in my studio, equals probably three or four showers today. How are you?

Yeah. It was our other friends of the channel, such as our friends radar and some of those guys, because they're in Texas, and a few of them over in Oregon. They've also had a heat wave, so I guess it's our turn here in Michigan. Me and Jay are on this side of the world here; we're relatively close to each other in Michigan. So yeah, we're going to have severe weather potentially for the next five days. They don't know how big yet, but yeah, fun times for sure. But let's jump into the topic here.

I want to mention something before we jump into it, and that's our sponsor for today, Linode. They're back and they're sponsoring us, and things are going well. They are a great place to run... maybe you have some things you want to deploy in the cloud, maybe you want to use Ansible to deploy that in the cloud, and Linode has a cloud offering for you. Head over to the link down below to sign up for Linode and get started with their process. As a matter of fact, I did a recent video using Linode with my UniFi controller stuff. I really like their new interface. I had actually kind of been slacking; Jay told me how good it was, and then I went in there and set some stuff up.
I'm like, okay, this was easy to deploy, simple to set up, their interface is nice. It's a great place to host any of the solutions where you don't want that heat in your homelab; maybe you want it out in their lab. A great place to set things up. We thank them for sponsoring the show. Use our offer code "the homelab show" and get a discount. Get started with Linode. Thank you again for being a sponsor.

And as a side note, for anybody watching the live stream or the video after the fact, we have synchronized cameras. We both have the same model of camera now, because I decided to go to the a6600. So if I look any different... I doubt it, because I set everything the same. But if the pixels look better, there's that. But today it's not about pixels; it's about Semaphore, Ansible Semaphore. Definitely an interesting topic. We've talked about Ansible, but of course... it's funny, because in the olden days, and I feel like this is less of a problem now, the older tech curmudgeons complained about kids these days only wanting to use a web UI. I think a web UI makes some of these complicated tasks a little bit easier, and I believe that's kind of the purpose of this: to give you another dashboard for it.

This is a little bit of a discussion me and Jay had, appliance versus custom-built; that's another episode we did. One of the advantages you get... like, I know I can do a lot with ZFS from the command line, but TrueNAS makes my life a whole lot easier, especially for things like when you want to set up replication. So I think there's a lot of value in making it easier, because unless your core focus is becoming an expert at command-line ZFS, then maybe you should just run TrueNAS, and your focus can then be something else, or it already is something else. So I think the same thing applies to this Ansible tool, which I'm about to learn about. I briefly read through it. I let Jay drive the topic on this one, and it definitely looks interesting.
So let's hear all about it.

The first thing I want to mention is the existence of AWX and Ansible Tower, because there's a lineage... not really a lineage, because this isn't really built the same way, but it serves the same goal. So Ansible Tower is like your Ansible GUI, and I think this is something that Ansible fans are well aware of, but it was very complicated to set up. AWX is the open source version, so it's the same thing. I mean, it's a little bit more complicated than that, but essentially AWX/Tower gives you that GUI layer. But it's always just been a pain to set up. I've done it a few times, and I ran AWX for a while, but I just kind of felt like it's too cumbersome to set up, and I never really did a tutorial on it. But when I was looking at Semaphore, I was thinking that it was going to serve the same purpose, and I was right, more than I thought, because even the sections... it's not exactly the same as AWX, but you can tell that there's carryover. Maybe some of the tabs are titled the same, or some of the sections and features are the same, some of the workflow is the same, but it's just a lot easier to use.

So essentially, what this allows you to do is have Ansible playbooks in a repository; it can download those and then run them against your hosts, but it does that through the web browser. The cool thing about this is, if you're a command-line person at your company or at home... obviously we kind of all are, but if you like the command line, that's fine. But if you have somebody that you're working with that might not be as advanced as you, they can also use the same playbooks, but through the web browser. And if someone doesn't want to do that, they can still use it through the command line: just pull down the playbooks and run them manually. It doesn't stop you from doing that. But I do like the fact that for people that
just want a GUI, or maybe you have friends you're working with or coworkers at work or something, whether you're advanced or you're not, you have a way of interacting with the playbooks. And when it comes to Semaphore, it's just really easy. I sat down to set this up and I figured I was going to be here a while, because it just kind of feels that way when you're setting something up and it takes a while. Not that there's a lot to learn, but it was just easy, like beyond easy. It was just ridiculous how easy it is; it's great.

So I'll talk about the setup process first, and then I'll talk about more of the features. When you go to their website, the first thing you'll see is something like "snap install semaphore" or something; I don't remember the verbiage, but they mention a snap package there, and on their website you won't see anything else. But if you go to the Docs tab and then go to the installation page, you'll find that there are actually a bunch more ways you can run this; you don't have to use the snap package. For example, there's a repository package if you want to run it on Debian, Ubuntu, or equivalent, or CentOS-related distros. So you could dnf install or apt install after adding the repository, or you could just download the binary, run it with ./, and call it a day. I mean, you don't even have to install it if you don't want to. They also provide a systemd service if you want that; they give you a template, and you just change the path to wherever you saved the binary. It'll probably be /usr/bin/semaphore or something like that if it's installed, but I just did the ./ method: just pull down the binary, and you could create your custom systemd unit if you want to run it as a service. But no matter what, when you pull it down or you install it, the first thing to do is run "semaphore setup".
It's going to ask you a bunch of questions, and it's going to use the answers to those questions to generate a config file that'll be in the same directory. You can tell it to put it somewhere else if you want. It'll ask you things like whether you want Telegram notifications, email notifications, Slack notifications, where you want your playbooks to be stored when they're pulled down, a number of questions that'll help differentiate how you want your setup. Then to run it, you run semaphore and point it to the config file that was generated previously, and that causes it to run. One of the questions it'll ask you is which database server you want to use. It'll give you an option for MySQL, Postgres, or BoltDB, which I had never heard of before this, and I still don't know anything about it. So I'm just going to tell you what I think it is based on what I've seen: it's almost like having a SQLite local database file, but it's not SQLite. So if you don't have a database server, that's what I used, because I was just testing it out and I didn't want to set up a database server. So I went with that, and then it runs on, I believe, port 3000. Just go to your IP or your domain at that port, and it's there, and at that point you'll see a bunch of sections and you can start using it. So setup is really, really simple.

Yeah, and I was looking in the installation docs. You've got, like you said, the snap package manager, Docker, or the binary file, and it's well documented as well. I would just run through the documentation. I'm like, oh, this is easy. They've got the Docker Compose file all laid out; you just have to put your variables in and run with it.

Yeah, I'm glad you brought that up.
I totally forgot about the Docker aspect of it.

So when you have this set up, you have several sections that you have to set up. I guess this is the only thing that was a little bit annoying, and consider that what I'm about to complain about is very petty and it doesn't matter. If this is my biggest complaint, then that's pretty darn good. When you go to create a task template, which is essentially when you want to run something... you want a template that you run against your hosts. It's going to ask you for the environment, the repository, the key, but it doesn't give you an option to set any of that up right there, and it doesn't tell you that you have to have those ahead of time. So I found myself going through and filling out the sections, and I'd try to continue: oh, I don't have this. So I have to close out of this, go back, create the thing that it wants, until I have enough to make it happy. But each thing is very, super simple. The one thing I had to look up was that when you create an environment, you have to create JSON. But I just wanted an empty environment; I didn't really care. I just created an environment called production, because you can have different environments. So if you put just an empty pair of curly braces in the JSON field, it takes it and it's fine. You don't have to use JSON, but they do make you put those brackets in there at least. They won't let you continue without something in there, and a space won't work; I tried it, just figured why not. But the documentation is very clear.
They say just put curly braces in there. That's the one thing I had to look up. Other than that, it's pretty self-explanatory, because you can create a key, for example an SSH key, deploy keys for your Git repository, or what have you. You can enter the Vault password if you use encryption. You can enter the sudo password if you want to do that, like if you're setting up a machine for the first time and it's not even really set up; that might be a way to do it. You go through all these sections, and once you have those things filled out, you create an inventory and you add all your computers to that, or servers or whatever it is, and then you can run tasks against the group, or your environments. Basically, you could create an inventory of web servers, or an inventory of this or that, or group them how you want, and then run tasks against those groups, even going down to production or development or something like that if you have a test environment, for example. So you can really control which hosts get which job.

Then to use it, you create an Ansible playbook, and then the feature set becomes pretty much identical to Ansible, because it uses Ansible. The best way to use it is to have some playbooks in a repository, which is what I did. I had one that just goes through and installs all updates on all servers. So simple: it just basically does the equivalent of apt upgrade on everything, and it works pretty well. I mean, it's pretty self-explanatory at that point. The logging is really good, because you can go in and find out: okay, did this job run? Why did this one fail? Because it keeps track of everything that you do.
So if you want to go back... I didn't test this out, but apparently you can replay certain sections of your playbook. So if something isn't working, you could kind of try to replay and get back to where you were. They have some really smart features on this that I think are amazing.

Other features that I wrote down, in no particular order: you can group playbooks into projects, so you could have different projects for different things you want to do. You can run playbooks on a particular schedule; that's pretty cool, so if you want something to run overnight, not a problem. I already mentioned environments, inventories, access keys, and things like that, so you can manage all of those. And you can not only run your playbooks from inside your browser, you can delegate them to be run by another person, so you can actually have different users on here. So, hey, can you run this for me? Then give them access to it, and they can just go ahead and do it for you. It's just me, so I didn't have anyone... I didn't even think to ask you, because I didn't even know about that feature. It's probably too late leading up to the show, but essentially I could delegate access to you. I haven't tried it yet, but that'd be kind of fun.

Another note they have too is you can do LDAP and OpenID configuration as well. So if you have all of their authentication, they do have those other options in here. And it asked me about the LDAP thing when I set it up for the first time. It asked during the process if that's something that you want, which is pretty cool. So you just go through the questions in your terminal when you set it up.

There is a demo on their site. It doesn't work.
It's broken. The good news is it's easy to set up, as Jay said, so you don't have to rely on a demo.

I want to touch back on one thing, though, and maybe we'll do an episode on this at some point. There are so many times that me and Jay have both been tagged on the socials or in comments here about all these authentication methods. It's cool that things like this Ansible tool support LDAP, but I'm still not sure if there's enough demand for us to do a video on it, because it's usually just your homelab tools that end up supporting this. It's not usually your other things that you can do the authentication with on here. I know there's usually a question that comes up immediately mentioning LDAP, like, hey, you should do a video on how you can replace Active Directory with LDAP or OpenID Connect. It usually comes down to compatibility: all the different software not having tie-ins for all those things, which challenges us more. It's not the tool that doesn't work; it's that the integration doesn't exist for enough things, usually. It's a handful of things. But I'm happy to see a tool like this having that level of integration, because if you're a Linux-only shop and you're looking for some automation tools to build into your pipeline, having something where you go, why would I want an AD server in my Linux pipeline?
That might make sense when you have an on-prem LDAP system that controls your authentication for your users and things like that.

At my end, and this is one of the reasons why I don't get into it much, I use Ansible for creating all my user accounts. So I never really had a need for LDAP, because that's something Ansible takes care of: if I want a user account on all of my systems, it's very easy to do that, and LDAP just seemed like overkill.

I think for a lot of people, they might be coming from a standpoint where they're at work and they have to learn it for work, or there might be overlap. So in those situations, even though LDAP is overkill for a homelab, it's often the people that want to learn it that find the value in it: they get a chance to see how this is interacting with other things. But as you said, there are often nuances, especially with Active Directory being LDAP-plus, because you have LDAP-compatible directories, but then you also have additional things they add, and some of the appliances that you use will be hooking into some of those Microsoft-isms, for example. In the absence of those, it kind of confuses it and says, I don't know what to do, because this field isn't there. So it's always a messy type of thing. But I think at some point that's something we can look at, because there's... I forgot, Fedora's version of this, and there are a couple of others that have come out that are trying to make this easy for people.

But for me, I just use Ansible for creating user accounts, because Ansible is doing everything else anyway. So having it do that one more thing, and it's all central in that one location for everything I do. So there could be value in that if you don't have a learning reason for LDAP, in my opinion.

And just quickly on this topic, because it's kind of related, because you could be using Ansible to do this: Ansible for managing users. Do you have it managing your passwords upon deployment?
Yep. No, but I change my passwords regularly, so if I submit the password change, it gets applied to everything, and the same with SSH keys. I could literally just add an SSH key, remove the previous one, and that'll be done.

And make sure it's done in the right order.

Exactly. Well, it doesn't actually matter for mine, because mine doesn't use SSH for the actual configuration. It's using ansible-pull, so all the machines are pulling down Git and running it against themselves. So even if my password is flat out deleted on everything... if it were deleted, it's just going to go and recreate it for me.

And I'm glad you brought that up too, because that reminds me that that is something that, so far, I don't think Semaphore is going to be a good fit for, because if the machines are running it on localhost via ansible-pull, then all the logging and everything happens on those machines, unless you have some sort of callback plugin that's going to forward the logging over to Semaphore. Those types of things do exist, but Semaphore really isn't made for that kind of thing. What I'm going to use it for is a utility server that I'm building, and I'm going to use Semaphore for this. So the idea is maybe the first provision is something that Semaphore can run: one-off things like updating packages if there's a security vulnerability and I want to make sure all of them are updated, and I want to do it now and not wait the couple of minutes or something extra for my Git thing to pull down. I could do it through this as well, for a one-off change. And security vulnerabilities, you could argue, wouldn't be a good thing to add to version control, because these change constantly, so if you're chasing vulnerability fixes in config management, I mean, that's pretty much all you're going to do. But if it needs to be a one-off run against all of your machines, then Semaphore might even be a better choice for that. But I think if
you're running Ansible in its traditional way, then Semaphore is especially going to be a useful utility, I would say.

And someone's asking: is Ansible similar to Puppet for configuration, or is it more like a Terraform deployment? Neither. Terraform... I mean, you could use Terraform for some config management, but Terraform has provisioners where you can tell it to build a server and then pass off... or actually not pass control, but run something from a provisioner, which could be Ansible or Puppet. Puppet is going to be more of an agent/server kind of relationship, which essentially is what you're creating with ansible-pull, because technically Ansible becomes an agent at that point, downloading the Git repository. It's a lot simpler. But Puppet, if I remember correctly, I don't know if that's still the case, I thought it used Ruby as its syntax language. I think so.

Puppet, though, seems to be falling out of popularity. Years ago it was very popular. We actually have a client we manage now, through a merger; that's just what we manage for them, because that's what they have for their infrastructure. But it's one of those where once you've built it all on this, no one's really pushing to say, hey, let's spend the time rebuilding this all as Ansible. But most modern systems and newer companies I have run into or done consulting for, it's always Ansible. I think if you were starting greenfield and you're going, what am I going to use today? Puppet is not bad, but I think there have been some security problems with Puppet because of the client/server model, and it's just older. So people have been finding some problems, whereas Ansible has such a different structure and such a massive... it ramped up fast in terms of community support, and once you have a project that big and it has a lot of people using it, as in very large enterprise players,
you get a lot of security auditing and a lot of eyes really on it. So I think that's why it's been... I think at one point in time it was the most starred, and it might still be one of the most starred GitHub projects out there. So it's definitely a magnitude more in popularity over Puppet right now.

I actually went from Puppet to Chef to Ansible; that was my order. At a company I was working for, they had already decided they wanted to run Puppet when I started. I don't really care; I'll learn it, and I did, and I maintained that for a couple of years. Then the next company wanted to use Chef, so I learned that, and I felt like Chef was heavier than Puppet, which is already kind of bloated in my opinion. But I didn't know there was a better way. Then a friend of mine kept saying, you have to try Ansible, you have to try Ansible. I'm like, no, I don't want to right now. And then after he kind of wore me down for a while, I'm like, oh my god, this Ansible thing is amazing. I told you. And I got really tired, especially with Chef, of explaining to stakeholders why there are CPU spikes regularly because the config tool is checking in. You've got to understand, when it comes to stakeholders at a company, it's often the case where they might say the server's 80 percent busy, what should we do? And I'm like, well, that's awesome, you're getting your money's worth, your server's doing work. Congratulations.
What, but it's at 80 percent? But do you want a server that's underused? Good, your server's used, you're getting work out of it; it's doing work for you. And then they see further spikes above that when the configuration management tool runs, and then you have to start explaining that to them. But with Ansible, everything's even more lightweight. Sure, you're going to have a CPU spike no matter what you do, but it's just more flexible and it's easier to understand, I think. To me, that's why Ansible is really taking off, or has already taken off a long time ago, because it's showing people that you don't have to have this super bloated and heavy utility to manage things. That stuff is complicated to set up, and the syntax can be complicated for somebody who doesn't really care about scripting. But then Ansible shows everyone that it doesn't have to be that complicated; you can have all those things but with a smaller footprint. And I think it was brilliant; it's such a brilliant way to do it.

Yeah, pretty much. I started with Ansible, and I'm by far not great at it, but I never tried the other tools. I found it relatively intuitive and said, oh, okay, this makes sense. This is your fleet.
These are your playbooks, and this is the stuff you... oh, just put these IP addresses here, throw these commands in here. The building blocks, from the basic up to building it into a more complicated system, I found relatively easy.

One of the reasons why I stopped using Puppet, and this was a long time ago, so no hard feelings against them now, because I don't know if this is still the case... I forgot which version of Debian it was. The company I was working for was all in on Debian, so that's what we were using, and we were ready to move on to the next release, because we had already tested it and it worked out just fine. But that new release of Debian stable was not supported by Puppet, and a couple of months in I'm like, what's going on? And, oh, we don't have it ready yet. And I'm thinking, wait a minute, you're not supporting one of the most popular Linux distributions? I mean, Debian was released, and everyone else is supporting it. I think it took six months or something for them to actually come around and make that work, and I'm sitting there like, no, I can't forgive that. If you can't make it work within a reasonable amount of time... I mean, there's literally Debian testing to test it against leading up to the release, and I just felt that was negligent, and I stopped using it. And I was using Puppet at home while I was using Chef at work. That was not confusing at all; two different hats I was wearing there. But then Ansible... I just came to the conclusion that's what I'm going to use going forward. And then tools like Semaphore, I feel like, give someone that ease of use. Not that it's hard to use.
It's not, but if you want a browser equivalent just for one-offs, where I'm going to click a button and make a thing happen, and in a pinch, then Semaphore is great for that, even if you are a command-line person. Either way, I think it's a great way to get started, and it's super easy to set up. It's written in Go. It's a very fast interface. It's supposed to work well on mobile phones; I haven't tried that, but it's super fast in the browser, so I don't see why not.

And something I've noted in the documentation for Semaphore is, in their key store, they don't have support if your SSH key requires a password. What's your workaround for that? Or do you set up a limited SSH key in Semaphore to manage those machines, and that is a way of getting around the password? Limited, but that's more of an... I think that's more of an Ansible thing, because I know you can't... I think it's an Ansible problem.

Yeah, I mean, there are secret managers and things and ways to do this, and I've seen people do it. You have to kind of architect that; it's not going to facilitate it as well built in, but again, people have done it. It's just, if you think about it, Semaphore is on the top layer. Your Ansible scripts or playbooks have to work by themselves before you can put them in there. So that's also one of those things you have to kind of solve beforehand. Semaphore is just receiving an already working or known-working repository with playbooks. So that is one of those things, and there are going to be nuances with Ansible like that, because most of the time it's using SSH, and if you're using Semaphore, you're using SSH. So I would not use your primary key on there.
I would create a secondary one.

Oh yeah, that, plus consider creating a dedicated user, a system user or something, that has permission to the things you want to manage, and then have the SSH connection connect as that user, so that it's limited in what it can do. So if you're just going to do apt install and that's all it does, then you could just give it sudo access to the apt utility or whatever else. If you're configuring all the things, that doesn't scale well, because the minute you have to do a second and then a third, it's already too much. Yeah.

This is one of those tedious things. So once you move up into the larger security models, you really think about... the term is RBAC, role-based access control, and this is the way you practice your principle of least privilege. These are really important: that you assign these users, if you just have an update user, that way if someone ever gets hold of your update mechanism, that doesn't give them the higher levels of privilege they need to get other things done.

One workaround is to use Ansible Vault. I mean, it's not going to... I mean, it encrypts, which is great, but if there's anything you should already be using this for, it's secrets anyway. Nothing should be in clear text. If something has to be in the repository... you shouldn't have it in the repository, but at least encrypt it. And with Ansible Vault, you can encrypt other things that would surprise you, like the inventory file. You can even encrypt the inventory file, so if someone pulls down your repository and they try to figure out what machines you manage, they don't know, because it's all garbled. It's surprising how much of Ansible you can actually encrypt. I think there's pretty much everything you can encrypt. It's crazy.
So you can game that a little bit by first making the repository private and accessible only via deploy key, and then on top of that encrypt everything that's potentially secret, and that could certainly help with that.

You're right. That's one of the things you have to configure and architect, and these are the growing pains of anyone in Ansible: oh, well, how do I do that? I've been using a passphrase for a while; what do I do now? And then you work through those things, and I think that also teaches you deployment etiquette and how to manage servers, because you have to work through real problems that you're going to work through in the real world as well. So I like that fact of it.

Yeah, and like I said, if you plan on doing this outside your homelab, these are all those scaling considerations, because it's obviously easy, and as you mentioned, just being able to deploy or change your password everywhere. But it gets a little different if you're managing a thousand users. You're probably not going to manage a thousand users with Ansible, but for machine deployments at scale and managing those service accounts on the machines where you want to have it, and maybe you have an incident where you go, I've got to roll passwords on this, and you're using ansible-pull, you can just drop your updated one and pull those hashes all across here. So there are a lot of different methodologies to think about there. But you have to start with thinking and architecting it from ground zero, your greenfield, and make sure you have an idea that scales up, and learning all of that fun stuff if you want to do it in the corporate world.

Yeah, and I think that these puzzles are fun to me.
Some people might find this frustrating. I think it's fun, because you feel good after you figure out a way around these types of things. And even users can scale better depending on how you architect it, because if you have one playbook for all your users, you can do that, because you could create variables for the username and the password hash, and then have one file that's just straight down, user, password, or whatever it is, with all the values in one file, and it just reads those values in when it applies the template. But even then, like you said, a thousand users gets a little... at that point you probably do need... I mean, you've probably already needed that by the time you get to 100. I mean, 100 users is not going to be managed here.

I just want to make sure I'm answering some of the questions that are in the chat, kind of about that: well, does this scale? This is called The Homelab Show, so we encourage people who are wanting to sharpen their homelab skills to get into enterprise; that's why we bring this up and talk about it. But generally, from the homelab show perspective and you getting started with it, this is an adequate way to manage your homelab, even if you have a few users in it. These methodologies will scale to... most homes don't have that many people. We'll just throw that out there.

Yeah, that'd be quite a house if you had 100 people in your house. That's different sleeping. It's funny, because it's a question I get on my forums: people are like, I want to set up some type of central management for all the users of my house. I'm like, how many users do you have?
"Oh, three." And I'm like, I mean, it's a fun idea to play with and set that up, but just for the three people you have, it's probably not too hard to just keep your life simple so there's less to manage. I think, I don't know, I doubt, I know this is not always the case, but sometimes I feel like spouse approval drives this, because if you're managing everything and then your significant other has to have a different password on his or her laptop versus desktop, then they're constantly asking you, "Why is my password different? How do I do this? How do I do that?" Which means that they really kind of start to hate the fact that everything is complicated. And I feel like some people ask for roaming profiles and a central password because that way the individuals in their house don't have to constantly have unsynchronized passwords and files, which means the homelab person is probably spending more time explaining things to them than actually doing their hobbies. So I do kind of feel like that plays into this too, but at the same time, this is definitely something I want to explore. I just don't know when, but I do think there's probably at least some audience for this, so we'll see how that goes when I get a chance to do that. Yeah. All right, check out, and we'll sum up: it's awesome, it's easy. Our friend Christian Lempa, from, I'm sorry, I forget the name of his channel again, it's really amazing. Um, yeah, My Digital Life, I think it is. I think it's That Digital Life, but his channel title also says Christian Lempa, and we've linked his video down in the description. He's awesome, he's a really good presenter, and he does a great video on this particular topic.
So we thought we'd link to that. That way you have someone you can watch if we got you excited about it, and people go, "But I want the visual, not the podcast," so we put it in the show notes for you. It's not hard: if you look up Ansible Semaphore, when I typed it in, it came up with his video on top. I believe he's the only one who's done a video on it. So yeah, he has some great content, so watch the video, give it a like, give it a subscribe, and show some support, because he puts a lot of work into that, and I'm not sure if I'm going to cover it myself at any point. I probably will, but right now that's the video to watch. Yep. All right, well, thank you for joining us. We always love hearing from you; feedback@thehomelab.show is how you get a hold of us. We have some feedback episodes coming, so we have a couple of things. Tom was going to rant on one of them. I said, "No, I'm going to save this." It was a security rant. We have stuff to talk about; it's some misunderstandings people have, and I just want to make sure we clear them up, make sure that misinformation does not reign free. We will rein it in; we will explain to you how some of these things work. And until then, just make sure everything's up to date. That's just the most important part: get it all patched. All right, thanks, and see you next week. Thanks.
