Add ssh port update to bootstrap playbook

Update to use dynamic management settings
Remove check for existing bootstrap directory
Fix re-using ansible password for root user
Ethan Paul 2023-04-19 18:06:35 -04:00
parent 5f602c797f
commit 02b6460cff
Signed by: enpaul
GPG Key ID: 9B6D99E4CFA31867
3 changed files with 105 additions and 52 deletions


@ -1,8 +1,9 @@
---
all:
children:
en1: {}
vars:
skylab_state_dir: /var/lib/skylab
skylab_ansible_venv: "{{ skylab_state_dir }}/ansible-runtime"
skylab_pip_version: 19.3.1
ansible_user: ansible
ansible_ssh_common_args: "-o ControlMaster=auto -o ControlPersist=60s -o ForwardAgent=yes"
@ -14,7 +15,6 @@ workstation:
skylab_hostname: voyager.skylab.enp.one
skylab_targets: [workstation]
en1:
vars:
skylab_location: Newton MA
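Review bot: `all.vars` sets no `ansible_port`, while the bootstrap playbook in this commit moves sshd to `skylab_mgmt.sshport` (4242 in the group vars), so runs after bootstrap will still connect on port 22 unless the port is defined somewhere outside this hunk. `ansible_port: "{{ skylab_mgmt.sshport }}"` under `all.vars` would keep inventory and playbook in sync, with the bootstrap play overriding it back to the default for a fresh host (for example via `-e ansible_port=22`). `ForwardAgent=yes` in `ansible_ssh_common_args` lets anyone with root on a managed host use the controller's SSH agent for the duration of the session; whether that line is new in this commit cannot be told from the rendered hunk, but if nothing in the playbooks relies on agent forwarding it is safer to drop it or limit it to the hosts that need it.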


@ -1,7 +1,15 @@
---
skylab_mgmt_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5TGKururOa1Y+cbv8AWXYI5zhfZCDV0fsBG+33IYUc enpaul@ansible.voyager
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBf7i/8hSJDYnoD95noCJJVtSxxCp9N5EmnshALufiwm enpaul@ansible.opportunity
skylab_state_dir: /var/lib/skylab
skylab_ansible_venv: "{{ skylab_state_dir }}/ansible-runtime"
skylab_ansible_vault_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
61323762623165383963316238343539346336663864366631616339356564346636373561616237
6666363531393234636337656431366365343236346536320a346163353935366636303131313661
32623635363063383039363539303135393838376264356463646465376435616363376163373663
6366633665373939380a373234633365376632376433643034336539346338613566353537663731
34323464633165626133306464363464333539363761343831316565356266373833
skylab_tfstate_backend:
hostname: cluster.lab.enp.one
@ -16,3 +24,12 @@ skylab_tfstate_backend:
3631343463616631380a386661336534663033383637666538316665303962353034376232356235
65323339353563623431666535366465353133343137653232326534326436323661636536373564
3466633762303966366366653531613261336561356531636461
skylab_mgmt:
sshport: 4242
group: skylab
user: ansible
id: 1400
sshkeys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5TGKururOa1Y+cbv8AWXYI5zhfZCDV0fsBG+33IYUc enpaul@ansible.voyager
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBf7i/8hSJDYnoD95noCJJVtSxxCp9N5EmnshALufiwm enpaul@ansible.opportunity
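Review bot: `skylab_mgmt.sshkeys` is consumed by the bootstrap play's `ansible.posix.authorized_key` task with `exclusive: true`, so any key absent from this list is removed from the mgmt user's `authorized_keys` on every run; that deserves a comment above `sshkeys`, e.g. `# Authoritative list: keys not listed here are removed from the mgmt user on each bootstrap run`. The same list previously lived at the top of the file as `skylab_mgmt_keys`; if any other playbook or role still reads the old name it now resolves to undefined rather than to the keys, which is worth a grep before merging. `skylab_ansible_vault_password` is stored here vault-encrypted under the same name the bootstrap play prompts for via `vars_prompt`, and the play pipes it to `mpw` as the master password for generated account passwords; the prompted play var outranks group vars so bootstrap keeps working, but a one-line comment stating that this secret is the password-derivation master and not the Ansible vault password used to decrypt this file would avoid confusion.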


@ -38,16 +38,11 @@
vars:
ansible_host_key_checking: false
vars_prompt:
- name: vault_password
- name: skylab_ansible_vault_password
prompt: Enter Ansible vault password for generating user secrets
private: true
confirm: true
tasks:
- name: Fetch install path
ansible.builtin.stat:
path: /var/lib/skylab
register: _skylab_install_path
- name: Check OS requirements
ansible.builtin.assert:
that:
@ -59,68 +54,75 @@
Unsupported operating system ({{ ansible_distribution }} {{ ansible_distribution_major_version }}),
only RockyLinux 8 and RockyLinux 9 are supported.
- name: Check boostrap state
ansible.builtin.assert:
that:
- not _skylab_install_path.stat.exists
success_msg: >-
Host is ready for boostrapping
fail_msg: >-
Host has already been boostrapped
- name: Check that management keys are defined
ansible.builtin.assert:
that:
- skylab_mgmt_keys is defined
- skylab_mgmt_keys != []
- skylab_mgmt is defined
- skylab_mgmt.sshkeys != []
success_msg: >-
Found {{ skylab_mgmt_keys | length }} SSH keys to install to the Ansible management user
Found {{ skylab_mgmt.sshkeys | length }} SSH keys to install to the Ansible management user
fail_msg: >-
No management keys were found for installation to the Ansible management user. Aborting to avoid
locking out SSH access to the boostrap host. Please define the 'skylab_mgmt_keys' variable with
locking out SSH access to the boostrap host. Please define the 'skylab_mgmt.sshkeys' variable with
a list of SSH public keys to install to the Ansible management user.
- name: Create skylab group
ansible.builtin.group:
name: skylab
- name: Install RockyLinux python bindings
become: true
ansible.builtin.dnf:
state: present
gid: 1400
name:
- libffi-devel
- python3-devel
- python3-libselinux
- python3-policycoreutils
- python3-firewall
- name: Generate ansible user account password
- name: Create mgmt group
become: true
ansible.builtin.group:
name: "{{ skylab_mgmt.group }}"
state: present
gid: "{{ skylab_mgmt.id }}"
- name: Generate mgmt user account password
delegate_to: localhost
no_log: true
changed_when: false
ansible.builtin.shell:
cmd: >
command mpw -qq -F none -t max -u ansible {{ ansible_host }} -p <<<
'{{ vault_password }}' |
command mpw -qq -F none -t max -u {{ skylab_mgmt.user }} {{ ansible_host }} -p <<<
'{{ skylab_ansible_vault_password }}' |
python3 -c 'import crypt; print(crypt.crypt(input(), crypt.mksalt(crypt.METHOD_SHA512)))'
executable: /bin/bash
register: _password_ansible
register: _password_mgmt
- name: Update ansible user account
- name: Update mgmt user account
become: true
ansible.builtin.user:
name: ansible
name: "{{ skylab_mgmt.user }}"
state: present
group: skylab
group: "{{ skylab_mgmt.group }}"
groups:
- skylab
- "{{ skylab_mgmt.group }}"
- wheel
uid: 1400
password: "{{ _password_ansible.stdout }}"
uid: "{{ skylab_mgmt.id }}"
password: "{{ _password_mgmt.stdout }}"
- name: Update ansible user authorized keys
- name: Update mgmt user authorized keys
become: true
ansible.posix.authorized_key:
user: ansible
user: "{{ skylab_mgmt.user }}"
exclusive: true
key: "{{ skylab_mgmt_keys | join('\n') }}"
key: "{{ skylab_mgmt.sshkeys | join('\n') }}"
- name: Remove ansible user group
- name: Remove mgmt user group
become: true
ansible.builtin.group:
name: ansible
name: "{{ skylab_mgmt.user }}"
state: absent
- name: Update root user authorized keys
become: true
ansible.posix.authorized_key:
user: root
exclusive: true
@ -132,22 +134,54 @@
content: "%wheel ALL=(ALL) NOPASSWD: ALL"
dest: /etc/sudoers.d/30-wheel
owner: root
group: skylab
group: "{{ skylab_mgmt.group }}"
mode: 0644
- name: Disable SSHD password auth
become: true
ansible.builtin.replace:
path: /etc/ssh/sshd_config
regexp: '^(#?)PasswordAuthentication .*$'
replace: 'PasswordAuthentication no'
replace: PasswordAuthentication no
- name: Disable SSHD root login
become: true
ansible.builtin.replace:
path: /etc/ssh/sshd_config
regexp: '^(#?)PermitRootLogin .*$'
replace: 'PermitRootLogin no'
replace: PermitRootLogin no
- name: Update SSHD mgmt port
become: true
ansible.builtin.replace:
path: /etc/ssh/sshd_config
regexp: '^(#?)Port .*$'
replace: Port {{ skylab_mgmt.sshport }}
- name: Grant SSHD permissions on the mgmt port
become: true
community.general.seport:
ports: "{{ skylab_mgmt.sshport }}"
proto: tcp
setype: ssh_port_t
state: present
- name: Grant SSHD firewall access to the mgmt port
become: true
ansible.posix.firewalld:
port: "{{ skylab_mgmt.sshport }}/tcp"
state: enabled
permanent: true
- name: Revoke SSHD firewall access to default port
become: true
ansible.posix.firewalld:
service: ssh
permanent: true
state: disabled
- name: Update OS
become: true
ansible.builtin.dnf:
name: "*"
state: latest
@ -159,22 +193,24 @@
changed_when: false
ansible.builtin.shell:
cmd: >
command mpw -qq -F none -t max -u ansible {{ ansible_host }} -p <<<
'{{ vault_password }}' |
command mpw -qq -F none -t max -u root {{ ansible_host }} -p <<<
'{{ skylab_ansible_vault_password }}' |
python3 -c 'import crypt; print(crypt.crypt(input(), crypt.mksalt(crypt.METHOD_SHA512)))'
executable: /bin/bash
register: _password_root
- name: Update root user account
become: true
ansible.builtin.user:
name: root
state: present
password: "{{ _password_root.stdout }}"
- name: Create SkyLab directory
become: true
ansible.builtin.file:
state: directory
path: /var/lib/skylab
owner: ansible
group: skylab
path: "{{ skylab_state_dir }}"
owner: "{{ skylab_mgmt.user }}"
group: "{{ skylab_mgmt.group }}"
mode: 0750
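Review bot: The two firewalld tasks in the `@ -132,22 +134,54 @@` hunk are `permanent: true` only, so the running firewall still blocks `skylab_mgmt.sshport` and still allows port 22 until firewalld is reloaded; whether sshd is restarted by a handler is outside this section, but if it restarts before that reload the host is reachable on neither port. Add `immediate: true` to the "Grant SSHD firewall access to the mgmt port" task so the new port is open in the runtime set before sshd picks up the new `Port`, and keep the "Revoke SSHD firewall access to default port" task permanent-only so the old port closes only at the next reload, after the new one has been verified. On Rocky 9 the stock `sshd_config` begins with an `Include /etc/ssh/sshd_config.d/*.conf` and sshd keeps the first value it reads for a directive, so if a drop-in sets `PermitRootLogin`, `PasswordAuthentication` or `Port` the three `ansible.builtin.replace` edits on the main file are silently overridden; writing this playbook's settings to its own early-sorting drop-in, or asserting the effective value with `sshd -T`, would make the hardening verifiable.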