Finalize and debug bootstrap playbook

Ethan Paul 2023-04-01 22:01:29 -04:00
parent 740b73cb7d
commit 88247b4011
Signed by: enpaul
GPG Key ID: DAF443CA3A2FA6FA


@ -13,7 +13,7 @@
- name: bootstrap_password
prompt: Enter password to use for connecting to boostrap target
private: true
confirm: true
default: skylab
- name: bootstrap_port
prompt: Enter SSH port to connect to on bootstrap target
default: 22
@ -32,6 +32,11 @@
hosts: bootstrap
vars:
ansible_host_key_checking: false
vars_prompt:
- name: vault_password
prompt: Enter Ansible vault password for generating user secrets
private: true
confirm: true
tasks:
- name: Fetch install path
ansible.builtin.stat:
@ -58,17 +63,17 @@
fail_msg: >-
Host has already been boostrapped
- name: Update ansible user account
ansible.builtin.user:
name: ansible
state: present
uid: 1400
password: # WIP
- name: Remove ansible user group
ansible.builtin.group:
name: ansible
state: absent
- name: Check that management keys are defined
ansible.builtin.assert:
that:
- skylab_mgmt_keys is defined
- skylab_mgmt_keys != []
success_msg: >-
Found {{ skylab_mgmt_keys | length }} SSH keys to install to the Ansible management user
fail_msg: >-
No management keys were found for installation to the Ansible management user. Aborting to avoid
locking out SSH access to the boostrap host. Please define the 'skylab_mgmt_keys' variable with
a list of SSH public keys to install to the Ansible management user.
- name: Create skylab group
ansible.builtin.group:
@ -77,28 +82,53 @@
gid: 1400
- name: Update ansible user authorized keys
ansible.posix.authorized_keys:
ansible.posix.authorized_key:
user: ansible
exclusive: true
key: []
key: "{{ skylab_mgmt_keys | join('\n') }}"
- name: Update root user account
- name: Generate ansible user account password
delegate_to: localhost
no_log: true
changed_when: false
ansible.builtin.shell:
cmd: >
command mpw -qq -F none -t max -u ansible {{ ansible_host }} -p <<<
'{{ vault_password }}' |
python3 -c 'import crypt; print(crypt.crypt(input(), crypt.mksalt(crypt.METHOD_SHA512)))'
executable: /bin/bash
register: _password_ansible
- name: Update ansible user account
ansible.builtin.user:
name: ansible
state: present
password: # WIP
group: skylab
groups:
- skylab
- wheel
uid: 1400
password: "{{ _password_ansible.stdout }}"
- name: Remove ansible user group
ansible.builtin.group:
name: ansible
state: absent
- name: Update root user authorized keys
ansible.posix.authorized_keys:
ansible.posix.authorized_key:
user: root
exclusive: true
key: []
key: ""
- name: Update SSHD port
ansible.builtin.replace:
path: /etc/ssh/sshd_config
regexp: "^(#?)Port [0-9]+$"
replace: "Port 4242"
- name: Disable sudo password for WHEEL group
become: true
ansible.builtin.copy:
content: "%wheel ALL=(ALL) NOPASSWD: ALL"
dest: /etc/sudoers.d/30-wheel
owner: root
group: skylab
mode: 0644
- name: Disable SSHD password auth
ansible.builtin.replace:
@ -117,7 +147,24 @@
name: "*"
state: latest
allowerasing: true
autoremove: true
- name: Generate root user account password
delegate_to: localhost
no_log: true
changed_when: false
ansible.builtin.shell:
cmd: >
command mpw -qq -F none -t max -u ansible {{ ansible_host }} -p <<<
'{{ vault_password }}' |
python3 -c 'import crypt; print(crypt.crypt(input(), crypt.mksalt(crypt.METHOD_SHA512)))'
executable: /bin/bash
register: _password_root
- name: Update root user account
ansible.builtin.user:
name: root
state: present
password: "{{ _password_root.stdout }}"
- name: Create SkyLab directory
ansible.builtin.file: