Ansible Pull via SSH instead of HTTPS?

I am watching Jay’s video on Using Ansible to automate your Laptop and Desktop configs!

This is really great so far.

At ~37:40 Jay issues an ansible pull command and uses the HTTPS url from his GitHub repo.

I am following along with the tutorial, however I have deviated slightly - I am not using GitHub. I am using an Ubuntu server in my homelab to hold the bare repository and then cloning to my workstation/laptop as needed to perform the actual work.
So to summarize - I am trying to ansible pull the git repo that is on a local Ubuntu server instead of on GitHub. My workstation has SSH key access to the Ubuntu server. I have removed the -U flag that Jay uses for URL.

I ran sudo ansible-pull ssh://charles@ubuntu-server:/nfs/ubuntu-server/git-repos/ansible/ansible-desktop.git
Ansible rejects this command and provides the man page (I think? It's the help page showing me all the various options & flags) and then has an error message showing:
ERROR! URL for repository not specified, use -h for help

I’m unsure how to use ansible-pull via SSH to local server instead of a URL to GitHub.
Based on the Ansible docs page it looks like I should be able to use SSH as some of the options mention SSH, but I don’t think I need to pass any of those flags?

This is the LLTV Wiki Page for the relevant video.

Could someone point me in the right direction?

Just for testing, can you use “git clone” with that URL and successfully clone the repo? I’m not real sure about how to access remote git repos outside of GitHub/GitLab as we have GitLab set up locally for our repos.

Do you still need that second ‘:’ even if you don’t specify a connection port? Maybe that’s throwing it off?

Thank you for the pointers.
Performing a git clone was my first test as well. It performs ok, see here:

charles@UbuntuWS:~/Git-repos/ansible-desktop$ git clone charles@ubuntu-server:/nfs/ubuntu-server/git-repos/ansible/ansible-desktop.git
Cloning into 'ansible-desktop'...
remote: Enumerating objects: 6, done.
remote: Counting objects: 100% (6/6), done.
remote: Compressing objects: 100% (5/5), done.
remote: Total 6 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (6/6), done.

Yeah I’m not certain on the ansible-pull SSH syntax but I’ve tried a few:
As you suggested above, no : after the remote server’s hostname

charles@UbuntuWS:~/Git-repos/ansible-desktop$ sudo ansible-pull charles@ubuntu-server/nfs/ubuntu-server/git-repos/ansible/ansible-desktop.git

with colon after server’s hostname:

charles@UbuntuWS:~/Git-repos/ansible-desktop$ sudo ansible-pull charles@ubuntu-server:/nfs/ubuntu-server/git-repos/ansible/ansible-desktop.git

With ssh:// prefix, which I read is the proper syntax on a Stack Overflow post; not sure the info is accurate, but I tried anyway. I also added the local domain to the end of the hostname.

charles@UbuntuWS:~/Git-repos/ansible-desktop$ sudo ansible-pull ssh://charles@ubuntu-server.charles.home/nfs/ubuntu-server/git-repos/ansible/ansible-desktop.git

ssh:// prefix combined with your suggestion of no colon after remote server hostname

Each of the above commands results in the same output. It's long so I will only paste once:

charles@UbuntuWS:~/Git-repos/ansible-desktop$ sudo ansible-pull ssh://charles@ubuntu-server/nfs/ubuntu-server/git-repos/ansible/ansible-desktop.git
usage: ansible-pull [-h] [--version] [-v] [-k] [--private-key PRIVATE_KEY_FILE] [-u REMOTE_USER] [-c CONNECTION] [-T TIMEOUT] [--ssh-common-args SSH_COMMON_ARGS] [--sftp-extra-args SFTP_EXTRA_ARGS]
                    [--scp-extra-args SCP_EXTRA_ARGS] [--ssh-extra-args SSH_EXTRA_ARGS] [--vault-id VAULT_IDS] [--ask-vault-password | --vault-password-file VAULT_PASSWORD_FILES] [-e EXTRA_VARS] [-t TAGS]
                    [--skip-tags SKIP_TAGS] [-i INVENTORY] [--list-hosts] [-l SUBSET] [-M MODULE_PATH] [-K] [--purge] [-o] [-s SLEEP] [-f] [-d DEST] [-U URL] [--full] [-C CHECKOUT] [--accept-host-key]
                    [-m MODULE_NAME] [--verify-commit] [--clean] [--track-subs] [--check] [--diff]
                    [playbook.yml ...]

pulls playbooks from a VCS repo and executes them for the local host

positional arguments:
  playbook.yml          Playbook(s)

optional arguments:
  --accept-host-key     adds the hostkey for the repo url if not already added
  --ask-vault-password, --ask-vault-pass
                        ask for vault password
  --check               don't make any changes; instead, try to predict some of the changes that may occur
  --clean               modified files in the working repository will be discarded
  --diff                when changing (small) files and templates, show the differences in those files; works great with --check
  --full                Do a full clone, instead of a shallow one.
  --list-hosts          outputs a list of matching hosts; does not execute anything else
  --purge               purge checkout after playbook run
  --skip-tags SKIP_TAGS
                        only run plays and tasks whose tags do not match these values
  --track-subs          submodules will track the latest changes. This is equivalent to specifying the --remote flag to git submodule update
  --vault-id VAULT_IDS  the vault identity to use
  --vault-password-file VAULT_PASSWORD_FILES, --vault-pass-file VAULT_PASSWORD_FILES
                        vault password file
  --verify-commit       verify GPG signature of checked out commit, if it fails abort running the playbook. This needs the corresponding VCS module to support such an operation
  --version             show program's version number, config file location, configured module search path, module location, executable location and exit
  -C CHECKOUT, --checkout CHECKOUT
                        branch/tag/commit to checkout. Defaults to behavior of repository module.
  -M MODULE_PATH, --module-path MODULE_PATH
                        prepend colon-separated path(s) to module library (default=~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules)
  -U URL, --url URL     URL of the playbook repository
  -d DEST, --directory DEST
                        directory to checkout repository to
  -e EXTRA_VARS, --extra-vars EXTRA_VARS
                        set additional variables as key=value or YAML/JSON, if filename prepend with @
  -f, --force           run the playbook even if the repository could not be updated
  -h, --help            show this help message and exit
  -i INVENTORY, --inventory INVENTORY, --inventory-file INVENTORY
                        specify inventory host path or comma separated host list. --inventory-file is deprecated
  -l SUBSET, --limit SUBSET
                        further limit selected hosts to an additional pattern
  -m MODULE_NAME, --module-name MODULE_NAME
                        Repository module name, which ansible will use to check out the repo. Choices are ('git', 'subversion', 'hg', 'bzr'). Default is git.
  -o, --only-if-changed
                        only run the playbook if the repository has been updated
  -s SLEEP, --sleep SLEEP
                        sleep for random interval (between 0 and n number of seconds) before starting. This is a useful way to disperse git requests
  -t TAGS, --tags TAGS  only run plays and tasks tagged with these values
  -v, --verbose         verbose mode (-vvv for more, -vvvv to enable connection debugging)

Connection Options:
  control as whom and how to connect to hosts

  --private-key PRIVATE_KEY_FILE, --key-file PRIVATE_KEY_FILE
                        use this file to authenticate the connection
  --scp-extra-args SCP_EXTRA_ARGS
                        specify extra arguments to pass to scp only (e.g. -l)
  --sftp-extra-args SFTP_EXTRA_ARGS
                        specify extra arguments to pass to sftp only (e.g. -f, -l)
  --ssh-common-args SSH_COMMON_ARGS
                        specify common arguments to pass to sftp/scp/ssh (e.g. ProxyCommand)
  --ssh-extra-args SSH_EXTRA_ARGS
                        specify extra arguments to pass to ssh only (e.g. -R)
  -T TIMEOUT, --timeout TIMEOUT
                        override the connection timeout in seconds (default=10)
  -c CONNECTION, --connection CONNECTION
                        connection type to use (default=smart)
  -k, --ask-pass        ask for connection password
                        connect as this user (default=None)

Privilege Escalation Options:
  control how and which user you become as on target hosts

  -K, --ask-become-pass
                        ask for privilege escalation password
ERROR! URL for repository not specified, use -h for help

Part of me is thinking of taking the easy way out and cloning my git repo up to github and using GitHub as the primary repo instead of a local server. Maybe I am overcomplicating but I just see zero need to involve GitHub when a local server should be fully sufficient for this use-case.

If that’s the route you are thinking of going, I would consider hosting gitea. It will pretty much give you the same look and feel of GitHub, but completely self hosted. I am not working on anything that I would like to expose to the public, so that’s what I’m using in my lab. It works great. Thank you Tom and Jay for mentioning it on your podcast.

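The help output pasted in the thread lists playbook.yml as the only positional argument and the repository under -U URL, so a repository address given without -U is parsed as a playbook name and the URL stays unset. As an added example (not from the thread or from Jay's video), this dry-run script builds an ansible-pull command for the SSH repository quoted in the posts and refuses to print it until the server's host key is already recorded; the key path, known_hosts path, branch and playbook name are assumptions.

```shell
#!/bin/sh
# Added example: dry-run builder for an ansible-pull invocation over SSH.
# The repository URL is the one quoted in the thread; the key path,
# known_hosts path, branch and playbook name are assumed placeholders.
REPO_URL='ssh://charles@ubuntu-server/nfs/ubuntu-server/git-repos/ansible/ansible-desktop.git'
KEY_FILE='/root/.ssh/ansible_pull_ed25519'   # assumed: dedicated read-only key
KNOWN_HOSTS='/root/.ssh/known_hosts'         # assumed: file used when run as root
BRANCH='main'                                # assumed branch name
PLAYBOOK='local.yml'                         # assumed playbook name

# Extract the host from ssh://user@host[:port]/path or scp-style user@host:path.
repo_host() {
    h=${1#ssh://}      # drop the scheme if present
    h=${h#*@}          # drop user@
    h=${h%%/*}         # drop the path of the URL form
    h=${h%%:*}         # drop :port or the scp-style :path
    printf '%s\n' "$h"
}

# True when the host key is already recorded (also matches hashed entries).
host_pinned() {
    ssh-keygen -F "$1" -f "$2" >/dev/null 2>&1
}

# Print the command instead of running it. The repository goes after -U;
# --verify-commit aborts the run unless the checked-out commit carries a
# GPG signature that verifies on this machine.
pull_cmd() {
    printf 'ansible-pull -U %s --private-key %s -C %s --verify-commit %s\n' \
        "$1" "$2" "$3" "$4"
}

# Only emit the command once the host key has been recorded out of band.
plan() {
    host=$(repo_host "$REPO_URL")
    if host_pinned "$host" "$KNOWN_HOSTS"; then
        pull_cmd "$REPO_URL" "$KEY_FILE" "$BRANCH" "$PLAYBOOK"
    else
        echo "no host key for $host in $KNOWN_HOSTS" >&2
        echo "record and check its fingerprint first; --accept-host-key would add it unchecked" >&2
        return 1
    fi
}

plan || true
```

The printed command is meant to be run as root (for example through sudo), which is why the key and known_hosts paths above point at root's SSH directory.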