From 857e83a6fedb3c65f231f25e8d5381b45d22fde1 Mon Sep 17 00:00:00 2001
From: Ethan Paul
Date: Sun, 19 Mar 2023 03:12:54 -0400
Subject: [PATCH] Add wip bootstrap playbook
---
skylab/infra/playbooks/bootstrap.yml | 128 +++++++++++++++++++++++++++
1 file changed, 128 insertions(+)
create mode 100644 skylab/infra/playbooks/bootstrap.yml
diff --git a/skylab/infra/playbooks/bootstrap.yml b/skylab/infra/playbooks/bootstrap.yml
new file mode 100644
index 0000000..6e71237
--- /dev/null
+++ b/skylab/infra/playbooks/bootstrap.yml
@@ -0,0 +1,128 @@
+---
+- name: Prompt for parameters
+ hosts: localhost
+ gather_facts: false
+ vars_prompt:
+ - name: bootstrap_hostname
+ prompt: Enter hostname (or IP address) of bootstrap target
+ private: false
+ - name: bootstrap_username
+ prompt: Enter username to use for connecting to boostrap target
+ default: root
+ private: false
+ - name: bootstrap_password
+ prompt: Enter password to use for connecting to boostrap target
+ private: true
+ confirm: true
+ - name: bootstrap_port
+ prompt: Enter SSH port to connect to on bootstrap target
+ default: 22
+ private: false
+ tasks:
+ - name: Add boostrap host
+ changed_when: false
+ ansible.builtin.add_host:
+ hostname: bootstrap
+ ansible_host: "{{ bootstrap_hostname }}"
+ ansible_user: "{{ bootstrap_username }}"
+ ansible_ssh_pass: "{{ bootstrap_password }}"
+ ansible_port: "{{ bootstrap_port }}"
+
+- name: Bootstrap remote
+ hosts: bootstrap
+ vars:
+ ansible_host_key_checking: false
+ tasks:
+ - name: Fetch install path
+ ansible.builtin.stat:
+ path: /var/lib/skylab
+ register: _skylab_install_path
+
+ - name: Check OS requirements
+ ansible.builtin.assert:
+ that:
+ - ansible_distribution == 'Rocky'
+ - ansible_distribution_major_version in ['8', '9']
+ success_msg: >-
+ Host is running supported OS {{ ansible_distribution }} {{ ansible_distribution_version }}
+ fail_msg: >-
+ Unsupported operating system ({{ ansible_distribution }} {{ ansible_distribution_major_version }}),
+ only RockyLinux 8 and RockyLinux 9 are supported.
+
+ - name: Check boostrap state
+ ansible.builtin.assert:
+ that:
+ - not _skylab_install_path.stat.exists
+ success_msg: >-
+ Host is ready for boostrapping
+ fail_msg: >-
+ Host has already been boostrapped
+
+ - name: Update ansible user account
+ ansible.builtin.user:
+ name: ansible
+ state: present
+ uid: 1400
+ password: # WIP
+
+ - name: Remove ansible user group
+ ansible.builtin.group:
+ name: ansible
+ state: absent
+
+ - name: Create skylab group
+ ansible.builtin.group:
+ name: skylab
+ state: present
+ gid: 1400
+
+ - name: Update ansible user authorized keys
+ ansible.posix.authorized_keys:
+ user: ansible
+ exclusive: true
+ key: []
+
+ - name: Update root user account
+ ansible.builtin.user:
+ name: ansible
+ state: present
+ password: # WIP
+
+ - name: Update root user authorized keys
+ ansible.posix.authorized_keys:
+ user: root
+ exclusive: true
+ key: []
+
+ - name: Update SSHD port
+ ansible.builtin.replace:
+ path: /etc/ssh/sshd_config
+ regexp: "^(#?)Port [0-9]+$"
+ replace: "Port 4242"
+
+ - name: Disable SSHD password auth
+ ansible.builtin.replace:
+ path: /etc/ssh/sshd_config
+ regexp: '^(#?)PasswordAuthentication .*$'
+ replace: 'PasswordAuthentication no'
+
+ - name: Disable SSHD root login
+ ansible.builtin.replace:
+ path: /etc/ssh/sshd_config
+ regexp: '^(#?)PermitRootLogin .*$'
+ replace: 'PermitRootLogin no'
+
+ - name: Update OS
+ ansible.builtin.dnf:
+ name: "*"
+ state: latest
+ allowerasing: true
+ autoremove: true
+
+ - name: Create SkyLab directory
+ ansible.builtin.file:
+ state: directory
+ path: /var/lib/skylab
+ owner: ansible
+ group: skylab
+ mode: 0750
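Review bot: The hunk locks the operator out of the host: `exclusive: true` with `key: []` strips every authorized key from ansible and root, and the sshd_config edits then disable password and root login, so once sshd is restarted (nothing here notifies it, and the three `replace` tasks carry no `validate: /usr/sbin/sshd -t -f %s`) there is no way back in — the ansible user's keys must be populated before the SSH hardening runs, and on Rocky the move to `Port 4242` also needs an SELinux port label and a firewalld rule, neither of which the hunk adds. The task titled "Update root user account" edits `name: ansible` instead of `name: root`, and both key tasks call `ansible.posix.authorized_keys` where the module is, as far as I can tell, `ansible.posix.authorized_key` (singular), so they would fail to resolve. The ansible user is created before its primary group is deleted and before skylab exists, so `groupdel` will presumably refuse to remove a user's primary group and gid 1400 may already be taken by it; creating skylab first and giving the user `group: skylab` avoids both. The add_host task carries `ansible_ssh_pass` in its arguments and should set `no_log: true`, and `ansible_host_key_checking: false` means that password goes to whatever answers at the prompted address — tolerable for first contact only when the fingerprint was checked out of band, which deserves a comment on that line such as `# first contact: operator must verify the host fingerprint out of band`.
```yaml
- name: Add boostrap host
  changed_when: false
  no_log: true  # task args include ansible_ssh_pass
  ansible.builtin.add_host:
    # … unchanged: hostname / ansible_host / ansible_user / ansible_ssh_pass / ansible_port …

# … unchanged: Bootstrap remote play header, install-path, OS and state checks …

- name: Create skylab group
  ansible.builtin.group:
    name: skylab
    state: present
    gid: 1400

- name: Update ansible user account
  ansible.builtin.user:
    name: ansible
    state: present
    uid: 1400
    group: skylab  # no per-user "ansible" group is created, so nothing to delete later
    password: # WIP

- name: Update ansible user authorized keys
  ansible.posix.authorized_key:
    user: ansible
    exclusive: true
    key: "{{ skylab_ansible_authorized_keys }}"  # TODO: operator key(s); must be non-empty before sshd is hardened

- name: Update root user account
  ansible.builtin.user:
    name: root
    state: present
    password: # WIP

# … unchanged: root authorized keys (same module rename), sshd_config edits …

- name: Label the new SSH port for SELinux
  community.general.seport:  # or an equivalent semanage port -a -t ssh_port_t -p tcp 4242
    ports: 4242
    proto: tcp
    setype: ssh_port_t
    state: present

- name: Open the new SSH port in firewalld
  ansible.posix.firewalld:
    port: 4242/tcp
    permanent: true
    immediate: true
    state: enabled

# … unchanged: OS update, SkyLab directory …
```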