From 02b6460cffc64ab77f513f76f67928493c95cebc Mon Sep 17 00:00:00 2001 From: Ethan Paul Date: Wed, 19 Apr 2023 18:06:35 -0400 Subject: [PATCH] Add ssh port update to bootstrap playbook Update to use dynamic managment settings Remove check for existing bootstrap directory Fix re-using ansible password for root user --- inventory/en1.yaml | 6 +- inventory/group_vars/all.yaml | 23 ++++- skylab/infra/playbooks/bootstrap.yml | 128 +++++++++++++++++---------- 3 files changed, 105 insertions(+), 52 deletions(-) diff --git a/inventory/en1.yaml b/inventory/en1.yaml index 74181df..c6870a5 100644 --- a/inventory/en1.yaml +++ b/inventory/en1.yaml @@ -1,8 +1,9 @@ --- all: + children: + en1: {} + vars: - skylab_state_dir: /var/lib/skylab - skylab_ansible_venv: "{{ skylab_state_dir }}/ansible-runtime" skylab_pip_version: 19.3.1 ansible_user: ansible ansible_ssh_common_args: "-o ControlMaster=auto -o ControlPersist=60s -o ForwardAgent=yes" @@ -14,7 +15,6 @@ workstation: skylab_hostname: voyager.skylab.enp.one skylab_targets: [workstation] - en1: vars: skylab_location: Newton MA diff --git a/inventory/group_vars/all.yaml b/inventory/group_vars/all.yaml index 61a023d..0ea3d89 100644 --- a/inventory/group_vars/all.yaml +++ b/inventory/group_vars/all.yaml 
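Review bot: Removing the top-level `en1:` key in the second hunk leaves its `vars:` / `skylab_location: Newton MA` lines attached to whichever mapping now encloses them, and because this view has lost indentation I cannot tell whether that is still a group or now a second `vars` key under `all` (the first hunk already declares `all.vars`); Ansible's loader keeps only the last duplicate key with a warning, which would silently drop `ansible_user` and the rest of `all.vars`. Worth confirming with `ansible-inventory -i inventory/en1.yaml --list` that `skylab_location` still resolves for the en1 group and that `ansible_user` survives. If the location is meant to stay on the group, putting it under `children: en1: vars:` in the first hunk in place of the empty `{}` avoids the dangling block altogether.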
@@ -1,7 +1,15 @@ --- -skylab_mgmt_keys: -- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5TGKururOa1Y+cbv8AWXYI5zhfZCDV0fsBG+33IYUc enpaul@ansible.voyager -- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBf7i/8hSJDYnoD95noCJJVtSxxCp9N5EmnshALufiwm enpaul@ansible.opportunity +skylab_state_dir: /var/lib/skylab + +skylab_ansible_venv: "{{ skylab_state_dir }}/ansible-runtime" + +skylab_ansible_vault_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 61323762623165383963316238343539346336663864366631616339356564346636373561616237 + 6666363531393234636337656431366365343236346536320a346163353935366636303131313661 + 32623635363063383039363539303135393838376264356463646465376435616363376163373663 + 6366633665373939380a373234633365376632376433643034336539346338613566353537663731 + 34323464633165626133306464363464333539363761343831316565356266373833 skylab_tfstate_backend: hostname: cluster.lab.enp.one @@ -16,3 +24,12 @@ skylab_tfstate_backend: 3631343463616631380a386661336534663033383637666538316665303962353034376232356235 65323339353563623431666535366465353133343137653232326534326436323661636536373564 3466633762303966366366653531613261336561356531636461 + +skylab_mgmt: + sshport: 4242 + group: skylab + user: ansible + id: 1400 + sshkeys: + - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5TGKururOa1Y+cbv8AWXYI5zhfZCDV0fsBG+33IYUc enpaul@ansible.voyager + - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBf7i/8hSJDYnoD95noCJJVtSxxCp9N5EmnshALufiwm enpaul@ansible.opportunity diff --git a/skylab/infra/playbooks/bootstrap.yml b/skylab/infra/playbooks/bootstrap.yml index 1325e9b..5d69805 100644 --- a/skylab/infra/playbooks/bootstrap.yml +++ b/skylab/infra/playbooks/bootstrap.yml 
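Review bot: `skylab_mgmt` has no comment, yet the bootstrap playbook in this patch installs `sshkeys` with `exclusive: true` on both the mgmt user and root and moves sshd to `sshport`, so an edit to this block is the main lock-out risk for the fleet. I would document that above the key, e.g. `# Edit with care: sshkeys replaces authorized_keys for the mgmt user and root on the next bootstrap run; sshport is the only SSH port the bootstrap playbook leaves open`. Nothing in this patch sets `ansible_port` to match `sshport`; if it is not defined elsewhere in the inventory, every run after bootstrap will connect to port 22, which the playbook closes. `sshport: 4242` is an int while the playbook only ever interpolates it into strings, which works, but quoting it (`sshport: "4242"`) keeps the type stable across templating.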
@@ -38,16 +38,11 @@ vars: ansible_host_key_checking: false vars_prompt: - - name: vault_password + - name: skylab_ansible_vault_password prompt: Enter Ansible vault password for generating user secrets private: true confirm: true tasks: - - name: Fetch install path - ansible.builtin.stat: - path: /var/lib/skylab - register: _skylab_install_path - - name: Check OS requirements ansible.builtin.assert: that: 
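Review bot: The renamed prompt now writes `skylab_ansible_vault_password`, the same name the inventory defines as a vault-encrypted value in group_vars/all.yaml in this patch, and nothing records which one is meant to win. As I read Ansible's precedence rules, a vars_prompt is skipped only when the variable comes from `--extra-vars`, and the prompted value outranks group_vars, so whatever is typed silently overrides the stored value; if the two differ, the mpw-derived mgmt and root passwords will not match those a later run using the stored value would produce. A comment on the prompt would make this explicit, e.g. `# Overrides the vault-encrypted value in group_vars/all.yaml; must match it or derived passwords diverge`. The play header and its `vars:` block start above this hunk.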
@@ -59,68 +54,75 @@ Unsupported operating system ({{ ansible_distribution }} {{ ansible_distribution_major_version }}), only RockyLinux 8 and RockyLinux 9 are supported. - - name: Check boostrap state - ansible.builtin.assert: - that: - - not _skylab_install_path.stat.exists - success_msg: >- - Host is ready for boostrapping - fail_msg: >- - Host has already been boostrapped - - name: Check that management keys are defined ansible.builtin.assert: that: - - skylab_mgmt_keys is defined - - skylab_mgmt_keys != [] + - skylab_mgmt is defined + - skylab_mgmt.sshkeys != [] success_msg: >- - Found {{ skylab_mgmt_keys | length }} SSH keys to install to the Ansible management user + Found {{ skylab_mgmt.sshkeys | length }} SSH keys to install to the Ansible management user fail_msg: >- No management keys were found for installation to the Ansible management user. Aborting to avoid - locking out SSH access to the boostrap host. Please define the 'skylab_mgmt_keys' variable with + locking out SSH access to the boostrap host. Please define the 'skylab_mgmt.sshkeys' variable with a list of SSH public keys to install to the Ansible management user. 
- - name: Create skylab group - ansible.builtin.group: - name: skylab + - name: Install RockyLinux python bindings + become: true + ansible.builtin.dnf: state: present - gid: 1400 + name: + - libffi-devel + - python3-devel + - python3-libselinux + - python3-policycoreutils + - python3-firewall - - name: Generate ansible user account password + - name: Create mgmt group + become: true + ansible.builtin.group: + name: "{{ skylab_mgmt.group }}" + state: present + gid: "{{ skylab_mgmt.id }}" + + - name: Generate mgmt user account password delegate_to: localhost no_log: true changed_when: false ansible.builtin.shell: cmd: > - command mpw -qq -F none -t max -u ansible {{ ansible_host }} -p <<< - '{{ vault_password }}' | + command mpw -qq -F none -t max -u {{ skylab_mgmt.user }} {{ ansible_host }} -p <<< + '{{ skylab_ansible_vault_password }}' | python3 -c 'import crypt; print(crypt.crypt(input(), crypt.mksalt(crypt.METHOD_SHA512)))' executable: /bin/bash - register: _password_ansible + register: _password_mgmt - - name: Update ansible user account + - name: Update mgmt user account + become: true ansible.builtin.user: - name: ansible + name: "{{ skylab_mgmt.user }}" state: present - group: skylab + group: "{{ skylab_mgmt.group }}" groups: - - skylab + - "{{ skylab_mgmt.group }}" - wheel - uid: 1400 - password: "{{ _password_ansible.stdout }}" + uid: "{{ skylab_mgmt.id }}" + password: "{{ _password_mgmt.stdout }}" - - name: Update ansible user authorized keys + - name: Update mgmt user authorized keys + become: true ansible.posix.authorized_key: - user: ansible + user: "{{ skylab_mgmt.user }}" exclusive: true - key: "{{ skylab_mgmt_keys | join('\n') }}" + key: "{{ skylab_mgmt.sshkeys | join('\n') }}" - - name: Remove ansible user group + - name: Remove mgmt user group + become: true ansible.builtin.group: - name: ansible + name: "{{ skylab_mgmt.user }}" state: absent - name: Update root user authorized keys + become: true ansible.posix.authorized_key: user: root 
exclusive: true @@ -132,22 +134,54 @@ content: "%wheel ALL=(ALL) NOPASSWD: ALL" dest: /etc/sudoers.d/30-wheel owner: root - group: skylab + group: "{{ skylab_mgmt.group }}" mode: 0644 - name: Disable SSHD password auth + become: true ansible.builtin.replace: path: /etc/ssh/sshd_config regexp: '^(#?)PasswordAuthentication .*$' - replace: 'PasswordAuthentication no' + replace: PasswordAuthentication no - name: Disable SSHD root login + become: true ansible.builtin.replace: path: /etc/ssh/sshd_config regexp: '^(#?)PermitRootLogin .*$' - replace: 'PermitRootLogin no' + replace: PermitRootLogin no + + - name: Update SSHD mgmt port + become: true + ansible.builtin.replace: + path: /etc/ssh/sshd_config + regexp: '^(#?)Port .*$' + replace: Port {{ skylab_mgmt.sshport }} + + - name: Grant SSHD permissions on the mgmt port + become: true + community.general.seport: + ports: "{{ skylab_mgmt.sshport }}" + proto: tcp + setype: ssh_port_t + state: present + + - name: Grant SSHD firewall access to the mgmt port + become: true + ansible.posix.firewalld: + port: "{{ skylab_mgmt.sshport }}/tcp" + state: enabled + permanent: true + + - name: Revoke SSHD firewall access to default port + become: true + ansible.posix.firewalld: + service: ssh + permanent: true + state: disabled - name: Update OS + become: true ansible.builtin.dnf: name: "*" state: latest 
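Review bot: In the `Check that management keys are defined` task, `skylab_mgmt.sshkeys != []` is evaluated whenever `skylab_mgmt` is defined, so an inventory that defines the mapping without `sshkeys` fails with an undefined-attribute error instead of the fail_msg that tells the operator what to define; add `- skylab_mgmt.sshkeys is defined` between the two existing conditions so the guard degrades to the intended message. The same condition also passes for a null `sshkeys:` key, which only surfaces later at the `join` in the authorized-key task; `- skylab_mgmt.sshkeys | default([]) | length > 0` covers both cases in one line. The fail_msg text already names `skylab_mgmt.sshkeys`, so only the conditions need to change.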
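Review bot: The `Update SSHD mgmt port` task rewrites only an existing `Port`/`#Port` line and nothing checks the result, while the two firewalld tasks that follow permanently open `sshport` and permanently close the `ssh` service; if the regexp matches nothing or sshd rejects the edited file, the next firewall reload or reboot leaves sshd on 22 with 22 closed and the host unreachable. `ansible.builtin.replace` has no `validate`, so I would switch this task to `ansible.builtin.lineinfile`, which appends the directive when no line matches and can run `sshd -t` on the candidate file before it is written (sshd permits repeated `Port` directives, so an appended line should be safe even when a drop-in under an Include already sets one, though that is worth confirming on Rocky 9). No sshd restart or handler is visible in this hunk; if none exists elsewhere, the new port only takes effect at reboot, which is also when the permanent firewall rules activate, so the two are at least consistent. Leaving `immediate: true` off the firewalld tasks is the right choice here, since closing 22 before sshd listens on the new port would drop the session.
```yaml
- name: Update SSHD mgmt port
  become: true
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?Port .*$'
    line: "Port {{ skylab_mgmt.sshport }}"
    validate: /usr/sbin/sshd -t -f %s
# … unchanged: seport and firewalld tasks, Update OS …
```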
@@ -159,22 +193,24 @@ changed_when: false ansible.builtin.shell: cmd: > - command mpw -qq -F none -t max -u ansible {{ ansible_host }} -p <<< - '{{ vault_password }}' | + command mpw -qq -F none -t max -u root {{ ansible_host }} -p <<< + '{{ skylab_ansible_vault_password }}' | python3 -c 'import crypt; print(crypt.crypt(input(), crypt.mksalt(crypt.METHOD_SHA512)))' executable: /bin/bash register: _password_root - name: Update root user account + become: true ansible.builtin.user: name: root state: present password: "{{ _password_root.stdout }}" - name: Create SkyLab directory + become: true ansible.builtin.file: state: directory - path: /var/lib/skylab - owner: ansible - group: skylab + path: "{{ skylab_state_dir }}" + owner: "{{ skylab_mgmt.user }}" + group: "{{ skylab_mgmt.group }}" mode: 0750
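Review bot: The vault password is still passed to mpw as a here-string inside the `cmd` text, and `ansible.builtin.shell` hands that whole text to `bash -c`, so for the lifetime of the pipeline the secret sits in the controller's process arguments where other local users can read it; `no_log`, set above this hunk where the task begins, only hides Ansible's own output. The shell module's `stdin` parameter delivers the value on standard input instead, which the first command of the pipeline inherits exactly as with `<<<`: drop the trailing `<<<` and the `'{{ skylab_ansible_vault_password }}'` line from `cmd` and add `stdin: "{{ skylab_ansible_vault_password }}"` to the task. The mgmt-user password task in the previous hunk has the same shape and deserves the same change. Separately, `mode: 0750` on the directory task is an unquoted octal literal that ansible-lint flags (`risky-octal`); `mode: "0750"` also avoids a YAML 1.2 loader reading it as decimal 750.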