Articles

A “control node” with a hand-curated venv works. Until it doesn’t. A colleague has different collection versions, CI installs a slightly newer Python library, and a playbook that ran yesterday now fails. Execution Environments turn the control node into a versioned container image. ansible-builder produces it, ansible-navigator runs against it, and the same artifact ships from your laptop into AAP/AWX without modification.

Hand-writing Quadlet files works for one host. For a fleet, the containers.podman collection’s native Quadlet generation lets you describe containers as Ansible state, including secrets, registry logins, and templated configuration. A small Mastodon welcome bot makes a concrete example.

Building a DN42 node from scratch - registering AS4242422539 and fdce:73f7:a2dc::/48 in the registry, configuring a MikroTik border router with three WireGuard peerings and BGP filters, running a FreeBSD bastille jail as authoritative DNS for chofstede.dn42, and reaching the rest of the hobbyist mesh in two hops.

Part 4 of the AS201379 journey: adding a fourth FreeBSD edge router at iFog with FogIXP peering, establishing direct BGP sessions with Hetzner, bringing the home network into the AS via an iBGP-speaking MikroTik, and a little traffic engineering to steer Deutsche Telekom traffic over Vultr.

cdist is refreshingly minimal - the target only needs POSIX sh, and the control machine speaks ssh. But cdist expects one ssh endpoint per host, and FreeBSD jails are not normally their own ssh targets. Two small Python wrappers plug cdist into jexec on the host, so configuration state flows into every jail without running a single daemon, agent, or Python interpreter inside the jail itself.