Since Silverblue is mostly read-only, what would be the best way to use configuration management with this distro? Think of the following:
- sshd configuration
- PAM customization
- Install software
- Customize the Toolbox (by pre-installing some software when creating a new environment)
- Hardening of configs in general
Would Ansible be okay for this? Or is there a sort of new method developed to provision these kind of distros?
I think ansible is ok.
You just will use other tools like ostree and rpm-ostree for updates/upgrades and install software.
Updates, Upgrades & Rollbacks :: Fedora Docs
In a toolbox you can use dnf as usual.
Toolbox :: Fedora Docs
Even if silverblue is imutable it has writable sections like:
Technical Information :: Fedora Docs
package module will support
rpm-ostree: ansible.builtin.package module – Generic OS package manager — Ansible Documentation
With Toolbox, it’s not possible to have like a Dockerfile or anything to provision it?
Toolbox is a rootless container. The tool you can manage it is Podman.
Podman as Ansible is developed by RH. I’m quiet sure that there will be a way to use it together.
I’m familiar with both tools. I was expecting that toolbox somehow would allow for bootstrapping the container with IDK a yaml file or something like that which is then included with the toolbox create part. This yaml file could also be used for Ansible by including it in a loop for non Silverblue systems.
But I guess I’ll do it the other way around. I’ll create a templated Dockerfile with a package install list based on the package install list I have in Ansible. Then I’ll create a separation, a part will be installed with rpm-ostree and (a part) will be included in that Dockerfile. Then I’ll load that custom image with toolbox rather than a vanilla distro image. It’s not pretty, but it will keep things centrally organized.
I guess rkhunter, postfix, and other software that needs to run as a daemon/cron will be included in the Silverblue installation and the rest will be in the container.