I haven't worked with Ansible in pull-mode, but I would like to mention that all Tower features are free for the first ten machines.
The great thing about Ansible is there are VM automation plugins for Digital Ocean, EC2, GCE, VMware, and Proxmox. We won't be limited by the backend we choose (unless we pick Hyper-V, in which case we deserve it).
It shouldn't be too hard to write a playbook to create a VM using whatever provider we decide, and have Ansible SSH into the new VM and pull down the configurations we aren't. We can then set cron to call a playbook every so often to check for configuration changes and the like.
Suggested initially by @Rikairchy, I've been toying with it and think that Ansible in pull-mode might be perfect for our use-case:
We can make sure secrets are stored in a secrets store, or rely on network-level security, and then have a single public repository here responsible for the configuration of our boxes.
Then we can separately manage the docker+sidecar that NG brings, using simpler orchestration software like Nomad or something simplistic.
Note: It does make the job easier for profilers, but it's offset by the wealth of open-source security tooling and testing suites we'd have access to, i.e. CircleCI
I was thinking of using something like this as the cloudinit script: https://www.reddit.com/r/devops/comments/6fajam/ansible_in_pull_mode/
Let me know what you think.
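The following is an added sketch of the pull-mode bootstrap discussed in this thread; it is not code from the issue or from the linked Reddit post. The repository URL (a placeholder), branch, playbook name, paths and 30-minute interval are assumptions, and because the configuration repository is public and its playbooks run as root, the sketch restricts the transport and asks `ansible-pull` to verify commit signatures.

```shell
#!/bin/sh
# Added example: first-boot bootstrap for Ansible pull-mode (cloud-init user-data or baked in).
# Assumed, not from the thread: repo URL (placeholder), branch, playbook name, paths, interval.
# ansible, git and gnupg are assumed to be installed already (image or cloud-init packages).
set -eu

REPO_URL="${REPO_URL:-https://example.invalid/org/infra-config.git}"
BRANCH="${BRANCH:-main}"
PLAYBOOK="${PLAYBOOK:-local.yml}"
WORKDIR="${WORKDIR:-/var/lib/ansible-pull}"
INTERVAL_MIN="${INTERVAL_MIN:-30}"
CRON_FILE="${CRON_FILE:-/etc/cron.d/ansible-pull}"

# The repo is public and its playbooks run as root, so the URL must use a transport that
# authenticates the server, and must be safe to place unquoted in a cron line
# ('%' and shell metacharacters are rejected).
check_repo_url() {
    case "$1" in
        *[!A-Za-z0-9:/._@-]*) echo "unsafe character in repo URL: $1" >&2; return 1 ;;
        https://*|ssh://*)    return 0 ;;
        *) echo "repo URL must be https:// or ssh://: $1" >&2; return 1 ;;
    esac
}

# --only-if-changed: skip the playbook when the checkout did not change.
# --verify-commit:   abort unless the checked-out commit carries a valid GPG signature
#                    (the signers' public keys must already be in root's keyring).
pull_command() {
    printf 'ansible-pull --url %s --checkout %s --directory %s --only-if-changed --verify-commit %s' \
        "$REPO_URL" "$BRANCH" "$WORKDIR" "$PLAYBOOK"
}

# One /etc/cron.d line (with the user field) that re-applies the configuration periodically.
cron_entry() {
    check_repo_url "$REPO_URL" || return 1
    printf '*/%s * * * * root %s >>/var/log/ansible-pull.log 2>&1\n' "$INTERVAL_MIN" "$(pull_command)"
}

# Touch the system only when asked; without --install the file just defines the functions.
if [ "${1:-}" = "--install" ]; then
    entry=$(cron_entry)
    umask 022
    printf '%s\n' "$entry" > "$CRON_FILE"
    sh -c "$(pull_command)"   # first converge now; cron takes over from here
fi
```

Run with `--install` as root on first boot; secrets stay out of the repository and are fetched by the playbooks from whatever secrets store is chosen.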