Hi,
I use Ansible for many things and do like it for its simplicity. However,
there is one feature I miss (that is available even in Puppet). That is
to purge unmanaged resources.
See for example my exim implementation. It is overcomplicated because that
feature is missing in Ansible.
I create the config from multiple templates under /etc/exim4/conf.d/*
(the Debian way):
  - name: Create configuration
    template:
      # \\. rather than \. because the value is a YAML double-quoted scalar
      dest: "{{ exim_config_dir }}/conf.d/{{ item.path | regex_replace('_exim4-', exim_replace_string ~ '-') | regex_replace('\\.j2$') }}"
      src: "{{ item.src }}"
    with_filetree: config
    when:
      - item.state == 'file'
      - item.path is search('\.j2$')
    register: exim_configs_written
Then I set a fact for the installed configs, get a list of the existing
files and remove all that are not in the list:
  - set_fact:
      # d([]) so the task also works when the list was not initialised earlier
      exim_protect_configs: "{{ exim_protect_configs | d([]) + [exim_config_dir ~ '/conf.d/' ~ item.item.path | regex_replace('_exim4-', exim_replace_string ~ '-') | regex_replace('\\.j2$')] }}"
    with_items: "{{ exim_configs_written.results }}"
    when: not item.skipped|d()

  - name: Get list of current files
    find:
      paths: "{{ exim_watched_dirs | map('regex_replace', '^', exim_config_dir ~ '/conf.d/') | list }}"
    register: exim_configs_current

  - name: Delete old files
    file:
      path: "{{ item.path }}"
      state: absent
    with_items: "{{ exim_configs_current.files }}"
    when:
      - item.isreg
      - item.path not in exim_protect_configs
In this example I could also just create one single file, but I want to
keep the freedom to manage other config snippets (for example for
SpamAssassin) in different roles.
So for years now I have been waiting for a purge feature to finally appear
in Ansible, something like:
  - name: Purge unmanaged stuff
    purge:
      path: /etc/exim4/conf.d
      recurse: yes
    notify: Rebuild config somewhere else

  - name: Purge unmanaged root keys
    purge:
      path: /root/.ssh/authorized_keys
that would remove all files that are not managed in any other way (file,
copy, template, assemble, unarchive, lineinfile, blockinfile,
authorized_key, ...).
The only difficult part would be deciding when to execute that action. But even
so, having a cleanup role that includes just that, and perhaps a notify
to recreate a clean config, would be very helpful.
Another thing would be /etc/hosts entries, entries in
/root/.ssh/authorized_keys and some more.
-- Klaus
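The same "render, collect, find, delete" pattern written out as a complete playbook, as an added example that is not part of Klaus's post or of the Ansible project. It differs from the post in one point worth copying: the set of managed paths is taken from the `dest` that the template module reports for every non-skipped item, instead of recomputing the path with a second regex_replace, so the two can never drift apart. Host group, the `snippet_dir` and `purge_dry_run` variables, the `files/conf.d` template tree and the handler name are assumptions for the example.

```yaml
# Added example, not from the original post. Assumes templates live under
# files/conf.d/ next to the playbook (with_filetree looks them up there),
# with the same sub-directory layout that /etc/exim4/conf.d uses.
- hosts: mailhosts
  become: yes
  vars:
    snippet_dir: /etc/exim4/conf.d   # assumed; the directory to keep clean
    purge_dry_run: false             # true: only report what would be removed
  tasks:
    - name: Create snippet subdirectories
      file:
        path: "{{ snippet_dir }}/{{ item.path }}"
        state: directory
        mode: "0755"
      with_filetree: conf.d
      when: item.state == 'directory'

    - name: Render managed snippets
      template:
        src: "{{ item.src }}"
        # \\. because this is a YAML double-quoted scalar
        dest: "{{ snippet_dir }}/{{ item.path | regex_replace('\\.j2$') }}"
        owner: root
        group: root
        mode: "0644"
      with_filetree: conf.d
      when:
        - item.state == 'file'
        - item.path is search('\.j2$')
      register: snippets_written
      notify: Rebuild exim config

    # Use the destination the module actually wrote to; skipped items carry
    # no dest and are dropped. A failure in the task above aborts the host
    # before any purge happens, so a half-rendered run never deletes files.
    - name: Collect the paths this play manages
      set_fact:
        managed_paths: "{{ snippets_written.results
                           | rejectattr('skipped', 'defined')
                           | map(attribute='dest') | list }}"

    - name: List regular files currently in the directory
      find:
        paths: "{{ snippet_dir }}"
        file_type: file
        recurse: yes
      register: snippets_current

    - name: Show what is unmanaged
      debug:
        msg: "unmanaged: {{ snippets_current.files | map(attribute='path')
                            | reject('in', managed_paths) | list }}"

    - name: Purge unmanaged snippets
      file:
        path: "{{ item }}"
        state: absent
      loop: "{{ snippets_current.files | map(attribute='path')
                | reject('in', managed_paths) | list }}"
      when: not purge_dry_run
      notify: Rebuild exim config

  handlers:
    - name: Rebuild exim config
      command: update-exim4.conf
```

Run it once with `-e purge_dry_run=true` (or `--check`) and read the debug output before letting it delete anything; the purge loop is confined to `snippet_dir`, so a mistake in the variable cannot reach outside that tree. For the authorized_keys case mentioned in the post, the `authorized_key` module already has an `exclusive: yes` option that removes every key not listed in the task, so that file does not need a separate purge step.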