Add wip bootstrap playbook

skylab/infra/playbooks/bootstrap.yml

@@ -0,0 +1,128 @@
+---
+- name: Prompt for parameters
+  hosts: localhost
+  gather_facts: false
+  vars_prompt:
+  - name: bootstrap_hostname
+    prompt: Enter hostname (or IP address) of bootstrap target
+    private: false
+  - name: bootstrap_username
+    prompt: Enter username to use for connecting to boostrap target
+    default: root
+    private: false
+  - name: bootstrap_password
+    prompt: Enter password to use for connecting to boostrap target
+    private: true
+    confirm: true
+  - name: bootstrap_port
+    prompt: Enter SSH port to connect to on bootstrap target
+    default: 22
+    private: false
+  tasks:
+  - name: Add boostrap host
+    changed_when: false
+    ansible.builtin.add_host:
+      hostname: bootstrap
+      ansible_host: "{{ bootstrap_hostname }}"
+      ansible_user: "{{ bootstrap_username }}"
+      ansible_ssh_pass: "{{ bootstrap_password }}"
+      ansible_port: "{{ bootstrap_port }}"
+
+- name: Bootstrap remote
+  hosts: bootstrap
+  vars:
+    ansible_host_key_checking: false
+  tasks:
+  - name: Fetch install path
+    ansible.builtin.stat:
+      path: /var/lib/skylab
+    register: _skylab_install_path
+
+  - name: Check OS requirements
+    ansible.builtin.assert:
+      that:
+      - ansible_distribution == 'Rocky'
+      - ansible_distribution_major_version in ['8', '9']
+      success_msg: >-
+        Host is running supported OS {{ ansible_distribution }} {{ ansible_distribution_version }}
+      fail_msg: >-
+        Unsupported operating system ({{ ansible_distribution }} {{ ansible_distribution_major_version }}),
+        only RockyLinux 8 and RockyLinux 9 are supported.
+
+  - name: Check boostrap state
+    ansible.builtin.assert:
+      that:
+      - not _skylab_install_path.stat.exists
+      success_msg: >-
+        Host is ready for boostrapping
+      fail_msg: >-
+        Host has already been boostrapped
+
+  - name: Update ansible user account
+    ansible.builtin.user:
+      name: ansible
+      state: present
+      uid: 1400
+      password: # WIP
+
+  - name: Remove ansible user group
+    ansible.builtin.group:
+      name: ansible
+      state: absent
+
+  - name: Create skylab group
+    ansible.builtin.group:
+      name: skylab
+      state: present
+      gid: 1400
+
+  - name: Update ansible user authorized keys
+    ansible.posix.authorized_keys:
+      user: ansible
+      exclusive: true
+      key: []
+
+  - name: Update root user account
+    ansible.builtin.user:
+      name: ansible
+      state: present
+      password: # WIP
+
+  - name: Update root user authorized keys
+    ansible.posix.authorized_keys:
+      user: root
+      exclusive: true
+      key: []
+
+  - name: Update SSHD port
+    ansible.builtin.replace:
+      path: /etc/ssh/sshd_config
+      regexp: "^(#?)Port [0-9]+$"
+      replace: "Port 4242"
+
+  - name: Disable SSHD password auth
+    ansible.builtin.replace:
+      path: /etc/ssh/sshd_config
+      regexp: '^(#?)PasswordAuthentication .*$'
+      replace: 'PasswordAuthentication no'
+
+  - name: Disable SSHD root login
+    ansible.builtin.replace:
+      path: /etc/ssh/sshd_config
+      regexp: '^(#?)PermitRootLogin .*$'
+      replace: 'PermitRootLogin no'
+
+  - name: Update OS
+    ansible.builtin.dnf:
+      name: "*"
+      state: latest
+      allowerasing: true
+      autoremove: true
+
+  - name: Create SkyLab directory
+    ansible.builtin.file:
+      state: directory
+      path: /var/lib/skylab
+      owner: ansible
+      group: skylab
+      mode: 0750