
Add ssh port update to bootstrap playbook

Update to use dynamic management settings
Remove check for existing bootstrap directory
Fix re-using ansible password for root user
This commit is contained in:
Ethan Paul 2023-04-19 18:06:35 -04:00
parent 5f602c797f
commit 02b6460cff
Signed by: enpaul
GPG Key ID: 9B6D99E4CFA31867
3 changed files with 105 additions and 52 deletions


@ -1,8 +1,9 @@
--- ---
all: all:
children:
en1: {}
vars: vars:
skylab_state_dir: /var/lib/skylab
skylab_ansible_venv: "{{ skylab_state_dir }}/ansible-runtime"
skylab_pip_version: 19.3.1 skylab_pip_version: 19.3.1
ansible_user: ansible ansible_user: ansible
ansible_ssh_common_args: "-o ControlMaster=auto -o ControlPersist=60s -o ForwardAgent=yes" ansible_ssh_common_args: "-o ControlMaster=auto -o ControlPersist=60s -o ForwardAgent=yes"
@ -14,7 +15,6 @@ workstation:
skylab_hostname: voyager.skylab.enp.one skylab_hostname: voyager.skylab.enp.one
skylab_targets: [workstation] skylab_targets: [workstation]
en1: en1:
vars: vars:
skylab_location: Newton MA skylab_location: Newton MA
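Review bot: The inventory still sets no `ansible_port`, while the bootstrap playbook in this same commit moves sshd to `skylab_mgmt.sshport` (4242) and revokes the firewalld `ssh` service, so once those changes take effect every later play against these hosts will try port 22 unless the port is set somewhere outside this diff. The `ansible_user: ansible` line is also now a second copy of the new `skylab_mgmt.user` value and will drift if one is changed. I would set `ansible_user: "{{ skylab_mgmt.user }}"` and `ansible_port: "{{ skylab_mgmt.sshport }}"` under `all.vars`, and override with `-e ansible_port=22` (or a bootstrap-only group) for the first run against a fresh host, since that connection still has to use the default port.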


@ -1,7 +1,15 @@
--- ---
skylab_mgmt_keys: skylab_state_dir: /var/lib/skylab
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5TGKururOa1Y+cbv8AWXYI5zhfZCDV0fsBG+33IYUc enpaul@ansible.voyager
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBf7i/8hSJDYnoD95noCJJVtSxxCp9N5EmnshALufiwm enpaul@ansible.opportunity skylab_ansible_venv: "{{ skylab_state_dir }}/ansible-runtime"
skylab_ansible_vault_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
61323762623165383963316238343539346336663864366631616339356564346636373561616237
6666363531393234636337656431366365343236346536320a346163353935366636303131313661
32623635363063383039363539303135393838376264356463646465376435616363376163373663
6366633665373939380a373234633365376632376433643034336539346338613566353537663731
34323464633165626133306464363464333539363761343831316565356266373833
skylab_tfstate_backend: skylab_tfstate_backend:
hostname: cluster.lab.enp.one hostname: cluster.lab.enp.one
@ -16,3 +24,12 @@ skylab_tfstate_backend:
3631343463616631380a386661336534663033383637666538316665303962353034376232356235 3631343463616631380a386661336534663033383637666538316665303962353034376232356235
65323339353563623431666535366465353133343137653232326534326436323661636536373564 65323339353563623431666535366465353133343137653232326534326436323661636536373564
3466633762303966366366653531613261336561356531636461 3466633762303966366366653531613261336561356531636461
skylab_mgmt:
sshport: 4242
group: skylab
user: ansible
id: 1400
sshkeys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5TGKururOa1Y+cbv8AWXYI5zhfZCDV0fsBG+33IYUc enpaul@ansible.voyager
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBf7i/8hSJDYnoD95noCJJVtSxxCp9N5EmnshALufiwm enpaul@ansible.opportunity
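Review bot: `skylab_ansible_vault_password` is now defined here as a vaulted value, but the bootstrap playbook in the same commit also declares it under `vars_prompt`; Ansible only skips a prompt for variables passed with `--extra-vars`, and a prompted play var outranks group_vars, so this encrypted copy is shadowed whenever the bootstrap play runs interactively. Keep one source of truth: drop the prompt and rely on this value, or drop this key and keep the prompt. This value also appears to be the master secret that `mpw` derives the management and root account passwords from, so whoever holds the vault key for this file can regenerate every host password; a comment above the key should say so, e.g. `# Master secret fed to mpw for generated account passwords; rotating it changes every host's passwords.` Whether this file is encrypted with the same password it stores cannot be seen from the diff, but if it is, the vaulted copy is redundant and only the prompt path can ever work.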


@ -38,16 +38,11 @@
vars: vars:
ansible_host_key_checking: false ansible_host_key_checking: false
vars_prompt: vars_prompt:
- name: vault_password - name: skylab_ansible_vault_password
prompt: Enter Ansible vault password for generating user secrets prompt: Enter Ansible vault password for generating user secrets
private: true private: true
confirm: true confirm: true
tasks: tasks:
- name: Fetch install path
ansible.builtin.stat:
path: /var/lib/skylab
register: _skylab_install_path
- name: Check OS requirements - name: Check OS requirements
ansible.builtin.assert: ansible.builtin.assert:
that: that:
@ -59,68 +54,75 @@
Unsupported operating system ({{ ansible_distribution }} {{ ansible_distribution_major_version }}), Unsupported operating system ({{ ansible_distribution }} {{ ansible_distribution_major_version }}),
only RockyLinux 8 and RockyLinux 9 are supported. only RockyLinux 8 and RockyLinux 9 are supported.
- name: Check boostrap state
ansible.builtin.assert:
that:
- not _skylab_install_path.stat.exists
success_msg: >-
Host is ready for boostrapping
fail_msg: >-
Host has already been boostrapped
- name: Check that management keys are defined - name: Check that management keys are defined
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- skylab_mgmt_keys is defined - skylab_mgmt is defined
- skylab_mgmt_keys != [] - skylab_mgmt.sshkeys != []
success_msg: >- success_msg: >-
Found {{ skylab_mgmt_keys | length }} SSH keys to install to the Ansible management user Found {{ skylab_mgmt.sshkeys | length }} SSH keys to install to the Ansible management user
fail_msg: >- fail_msg: >-
No management keys were found for installation to the Ansible management user. Aborting to avoid No management keys were found for installation to the Ansible management user. Aborting to avoid
locking out SSH access to the boostrap host. Please define the 'skylab_mgmt_keys' variable with locking out SSH access to the boostrap host. Please define the 'skylab_mgmt.sshkeys' variable with
a list of SSH public keys to install to the Ansible management user. a list of SSH public keys to install to the Ansible management user.
- name: Create skylab group - name: Install RockyLinux python bindings
ansible.builtin.group: become: true
name: skylab ansible.builtin.dnf:
state: present state: present
gid: 1400 name:
- libffi-devel
- python3-devel
- python3-libselinux
- python3-policycoreutils
- python3-firewall
- name: Generate ansible user account password - name: Create mgmt group
become: true
ansible.builtin.group:
name: "{{ skylab_mgmt.group }}"
state: present
gid: "{{ skylab_mgmt.id }}"
- name: Generate mgmt user account password
delegate_to: localhost delegate_to: localhost
no_log: true no_log: true
changed_when: false changed_when: false
ansible.builtin.shell: ansible.builtin.shell:
cmd: > cmd: >
command mpw -qq -F none -t max -u ansible {{ ansible_host }} -p <<< command mpw -qq -F none -t max -u {{ skylab_mgmt.user }} {{ ansible_host }} -p <<<
'{{ vault_password }}' | '{{ skylab_ansible_vault_password }}' |
python3 -c 'import crypt; print(crypt.crypt(input(), crypt.mksalt(crypt.METHOD_SHA512)))' python3 -c 'import crypt; print(crypt.crypt(input(), crypt.mksalt(crypt.METHOD_SHA512)))'
executable: /bin/bash executable: /bin/bash
register: _password_ansible register: _password_mgmt
- name: Update ansible user account - name: Update mgmt user account
become: true
ansible.builtin.user: ansible.builtin.user:
name: ansible name: "{{ skylab_mgmt.user }}"
state: present state: present
group: skylab group: "{{ skylab_mgmt.group }}"
groups: groups:
- skylab - "{{ skylab_mgmt.group }}"
- wheel - wheel
uid: 1400 uid: "{{ skylab_mgmt.id }}"
password: "{{ _password_ansible.stdout }}" password: "{{ _password_mgmt.stdout }}"
- name: Update ansible user authorized keys - name: Update mgmt user authorized keys
become: true
ansible.posix.authorized_key: ansible.posix.authorized_key:
user: ansible user: "{{ skylab_mgmt.user }}"
exclusive: true exclusive: true
key: "{{ skylab_mgmt_keys | join('\n') }}" key: "{{ skylab_mgmt.sshkeys | join('\n') }}"
- name: Remove ansible user group - name: Remove mgmt user group
become: true
ansible.builtin.group: ansible.builtin.group:
name: ansible name: "{{ skylab_mgmt.user }}"
state: absent state: absent
- name: Update root user authorized keys - name: Update root user authorized keys
become: true
ansible.posix.authorized_key: ansible.posix.authorized_key:
user: root user: root
exclusive: true exclusive: true
@ -132,22 +134,54 @@
content: "%wheel ALL=(ALL) NOPASSWD: ALL" content: "%wheel ALL=(ALL) NOPASSWD: ALL"
dest: /etc/sudoers.d/30-wheel dest: /etc/sudoers.d/30-wheel
owner: root owner: root
group: skylab group: "{{ skylab_mgmt.group }}"
mode: 0644 mode: 0644
- name: Disable SSHD password auth - name: Disable SSHD password auth
become: true
ansible.builtin.replace: ansible.builtin.replace:
path: /etc/ssh/sshd_config path: /etc/ssh/sshd_config
regexp: '^(#?)PasswordAuthentication .*$' regexp: '^(#?)PasswordAuthentication .*$'
replace: 'PasswordAuthentication no' replace: PasswordAuthentication no
- name: Disable SSHD root login - name: Disable SSHD root login
become: true
ansible.builtin.replace: ansible.builtin.replace:
path: /etc/ssh/sshd_config path: /etc/ssh/sshd_config
regexp: '^(#?)PermitRootLogin .*$' regexp: '^(#?)PermitRootLogin .*$'
replace: 'PermitRootLogin no' replace: PermitRootLogin no
- name: Update SSHD mgmt port
become: true
ansible.builtin.replace:
path: /etc/ssh/sshd_config
regexp: '^(#?)Port .*$'
replace: Port {{ skylab_mgmt.sshport }}
- name: Grant SSHD permissions on the mgmt port
become: true
community.general.seport:
ports: "{{ skylab_mgmt.sshport }}"
proto: tcp
setype: ssh_port_t
state: present
- name: Grant SSHD firewall access to the mgmt port
become: true
ansible.posix.firewalld:
port: "{{ skylab_mgmt.sshport }}/tcp"
state: enabled
permanent: true
- name: Revoke SSHD firewall access to default port
become: true
ansible.posix.firewalld:
service: ssh
permanent: true
state: disabled
- name: Update OS - name: Update OS
become: true
ansible.builtin.dnf: ansible.builtin.dnf:
name: "*" name: "*"
state: latest state: latest
@ -159,22 +193,24 @@
changed_when: false changed_when: false
ansible.builtin.shell: ansible.builtin.shell:
cmd: > cmd: >
command mpw -qq -F none -t max -u ansible {{ ansible_host }} -p <<< command mpw -qq -F none -t max -u root {{ ansible_host }} -p <<<
'{{ vault_password }}' | '{{ skylab_ansible_vault_password }}' |
python3 -c 'import crypt; print(crypt.crypt(input(), crypt.mksalt(crypt.METHOD_SHA512)))' python3 -c 'import crypt; print(crypt.crypt(input(), crypt.mksalt(crypt.METHOD_SHA512)))'
executable: /bin/bash executable: /bin/bash
register: _password_root register: _password_root
- name: Update root user account - name: Update root user account
become: true
ansible.builtin.user: ansible.builtin.user:
name: root name: root
state: present state: present
password: "{{ _password_root.stdout }}" password: "{{ _password_root.stdout }}"
- name: Create SkyLab directory - name: Create SkyLab directory
become: true
ansible.builtin.file: ansible.builtin.file:
state: directory state: directory
path: /var/lib/skylab path: "{{ skylab_state_dir }}"
owner: ansible owner: "{{ skylab_mgmt.user }}"
group: skylab group: "{{ skylab_mgmt.group }}"
mode: 0750 mode: 0750
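Review bot: The three `replace` tasks on `/etc/ssh/sshd_config` (PasswordAuthentication, PermitRootLogin, Port) can be silently overridden on Rocky 9, which this play supports: its stock sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf`, sshd takes the first value seen for each keyword, and cloud images commonly ship a drop-in such as `01-permitrootlogin.conf` with `PermitRootLogin yes`, so the hardening would not take effect there. I would write the three directives to a drop-in that sorts before the vendor files (or remove conflicting drop-ins first) and add `validate: /usr/sbin/sshd -t -f %s` to each edit so a bad edit cannot leave an unparseable config waiting for the next sshd restart. None of the visible tasks reload sshd and the firewalld tasks are `permanent: true` without `immediate: true`, so the port move only becomes live at the next reboot or reload; if that is intentional, a comment such as `# Port/firewall changes apply on the next sshd restart; the current session stays on the old port` would save the next reader a scare. The regexp `'^(#?)Port .*$'` also assumes a `Port` line (commented or not) already exists and is a silent no-op otherwise. The play's handlers, if any, are outside this diff.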