@@ -865,6 +1025,13 @@ Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
name: nginx
state: restarted
+
+
+ Plain YAML — tasks run top to bottom against the "webservers" group.
+ become: true = run as root (sudo).
+ Handlers are the neat bit: restart nginx only if the config actually changed.
+
+
@@ -890,6 +1057,13 @@ changed: [finistdevs-web]
PLAY RECAP ********************************************************************
finistdevs-web : ok=4 changed=3 unreachable=0 failed=0 skipped=0
+
+
+ "ok" vs "changed" — ok means already in desired state, changed means it acted. That's idempotence visible in the output.
+ The handler only fired because the config task reported "changed".
+ Run it again and everything would be "ok", changed=0.
+
+
@@ -901,6 +1075,13 @@ finistdevs-web : ok=4 changed=3 unreachable=0 failed=0 skipped=0
Run a compliance audit across your whole fleet
The go-to tool for one-off tasks and recurring operations.
+
+
+ Ansible isn't only "set up a server once" — it shines for ad-hoc operations.
+ Imperative/orchestration angle: patching, rolling upgrades, canary, audits across the fleet.
+ This is where it differs most from Puppet's "always converge" model.
+
+
@@ -911,6 +1092,13 @@ finistdevs-web : ok=4 changed=3 unreachable=0 failed=0 skipped=0
Don't write a playbook to install Docker from scratch — someone already did
Just ansible-galaxy install geerlingguy.docker.
+
+
+ Galaxy = the package registry for reusable roles/collections.
+ Don't reinvent common setups — pull a battle-tested role (geerlingguy is the famous example).
+ Huge productivity multiplier; just vet what you import.
+
+
@@ -922,12 +1110,25 @@ finistdevs-web : ok=4 changed=3 unreachable=0 failed=0 skipped=0
Semaphore — lightweight open-source alternativeCore engine remains Apache 2.0 — truly open-source.
+
+
+ At scale you want a UI/scheduler/RBAC layer on top of the CLI.
+ AWX (free) → Ansible Automation Platform (Red Hat, supported) is the main path; Semaphore is a lighter option.
+ Reassure: the core stays Apache 2.0 — no license rug-pull like Terraform.
+
+
Puppet Your servers are configured. Now keep them that way.
+
+
+ Third layer: enforcement. Configured once isn't enough — drift creeps back.
+ Puppet's job: keep state correct continuously, forever.
+
+
@@ -940,6 +1141,12 @@ finistdevs-web : ok=4 changed=3 unreachable=0 failed=0 skipped=0
Puppet Inc. acquired by Perforce in 2022
Written in Ruby and Clojure
+
+
+ The oldest of the three (2005) — pioneered config management.
+ Now owned by Perforce. We'll touch on what that means for the community later.
+
+
@@ -950,6 +1157,13 @@ finistdevs-web : ok=4 changed=3 unreachable=0 failed=0 skipped=0
Compiles a catalog and enforces it locally
Drift is corrected automatically.
+
+
+ Opposite model to Ansible: pull, not push — agents reach out to the server.
+ Every ~30 min the agent fetches a catalog and converges the node — point at the diagram.
+ This is the key idea: enforcement runs on a loop, not just at deploy.
+
+
@@ -1007,6 +1221,13 @@ class webserver {
}
}
+
+
+ Same nginx example as Ansible — compare the styles side by side.
+ Pure declarative: describe resources (package, file, service) and desired state, not steps.
+ notify chains the dependency: config change → restart service.
+
+
@@ -1027,6 +1248,13 @@ Notice: /Stage[main]/Webserver/Service[nginx]/ensure: started
Notice: Applied catalog in 12.34 seconds
+
+
+ Agent run: fetch catalog → compare to actual → apply only the diffs.
+ This normally runs automatically every 30 min; -t is a manual trigger for demo.
+ Next run with no drift would report no changes.
+
+
@@ -1037,6 +1265,13 @@ Notice: Applied catalog in 12.34 seconds
Continuous compliance — not just at deploy time. Every. 30. Minutes.
No manual remediation
+
+
+ The killer feature: self-healing. Someone hand-edits a file → Puppet reverts it next run.
+ Walk the loop in the diagram: drift detected → agent applies → compliant → repeat.
+ This is what "continuous compliance" means in practice.
+
+
@@ -1079,6 +1314,13 @@ Notice: Applied catalog in 12.34 seconds
Fewer SaaS options than Terraform or Ansible
Puppet Enterprise and Foreman are self-hosted. No managed cloud offering.
+
+
+ Sweet spot: large fleets of long-lived servers where drift control matters.
+ Trade-off vs the others: fewer SaaS options, more setup — it's self-hosted.
+ Honest framing: overkill for a handful of ephemeral cloud VMs.
+
+
@@ -1089,12 +1331,26 @@ Notice: Applied catalog in 12.34 seconds
OpenVox — an emerging open-source fork of the Puppet coreThe community is strong, with or without Puppet Inc.
+
+
+ Addresses the "is Puppet dying?" worry after the Perforce acquisition.
+ Vox Pupuli keeps the modules alive; OpenVox forks the core (echoes the OpenTofu story).
+ Reassurance: the open ecosystem outlives any single vendor.
+
+
They're not competing. They're complementary.
Each solves a different layer of the same problem.
+
+
+ The payoff slide — the "vs" framing was a trap. They stack.
+ Terraform provisions → Ansible configures → Puppet enforces. Three layers.
+ "Which should I use?" → depends which layer of the problem you have.
+
+
@@ -1131,6 +1387,13 @@ Notice: Applied catalog in 12.34 seconds
Ansible configures it and deploys the appPuppet continuously enforces compliance
+
+ Concrete recap of how they fit together end to end.
+ You don't have to use all three — but they layer cleanly when you do.
+ Pick by your actual need: just provisioning? Terraform. Ad-hoc ops? Ansible. Drift control? Puppet.
+
+
@@ -1142,6 +1405,13 @@ Notice: Applied catalog in 12.34 seconds
Slides: ministicraft.pages.git.cloud.arnaud-pc.fr/finistdev-configuration-as-code/
🤖 Made with Claude & GitHub Copilot
+
+
+ Thank the audience, point to the slides URL.
+ Open the floor for questions.
+ Backup topics if quiet: Kubernetes operators, Pulumi, secrets management.
+
+
Terraform