diff --git a/skylab/infra/playbooks/bootstrap.yml b/skylab/infra/playbooks/bootstrap.yml index 6e71237..099b0b0 100644 --- a/skylab/infra/playbooks/bootstrap.yml +++ b/skylab/infra/playbooks/bootstrap.yml @@ -13,7 +13,7 @@ - name: bootstrap_password prompt: Enter password to use for connecting to boostrap target private: true - confirm: true + default: skylab - name: bootstrap_port prompt: Enter SSH port to connect to on bootstrap target default: 22 @@ -32,6 +32,11 @@ hosts: bootstrap vars: ansible_host_key_checking: false + vars_prompt: + - name: vault_password + prompt: Enter Ansible vault password for generating user secrets + private: true + confirm: true tasks: - name: Fetch install path ansible.builtin.stat: @@ -58,17 +63,17 @@ fail_msg: >- Host has already been boostrapped - - name: Update ansible user account - ansible.builtin.user: - name: ansible - state: present - uid: 1400 - password: # WIP - - - name: Remove ansible user group - ansible.builtin.group: - name: ansible - state: absent + - name: Check that management keys are defined + ansible.builtin.assert: + that: + - skylab_mgmt_keys is defined + - skylab_mgmt_keys != [] + success_msg: >- + Found {{ skylab_mgmt_keys | length }} SSH keys to install to the Ansible management user + fail_msg: >- + No management keys were found for installation to the Ansible management user. Aborting to avoid + locking out SSH access to the boostrap host. Please define the 'skylab_mgmt_keys' variable with + a list of SSH public keys to install to the Ansible management user. - name: Create skylab group ansible.builtin.group: 
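Review bot: `default: skylab` bakes a well-known credential into the playbook for the bootstrap SSH connection, so anyone who can read the repository learns the password the target image presumably ships with, and an operator who just presses Enter keeps using it. Dropping `confirm: true` is reasonable for a one-shot connection password, but the default should not ship in the value: keep `private: true` with no `default`, and if the image password needs documenting, put it in the prompt text, e.g. `prompt: Enter the bootstrap target's current password (leave the image default only for a fresh install)`. The prompt also misspells "boostrap".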
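Review bot: The new `vault_password` prompt is not an Ansible Vault password — the hunks later in this file feed it to `mpw` as the master password from which the `ansible` and `root` account passwords are derived — so both the variable name and the prompt text will mislead the operator about what they are typing and what it protects. Rename it to match its use and say so in the prompt, e.g. `- name: mpw_master_password` and `prompt: Enter the mpw master password used to derive the ansible and root account passwords`, updating the two `{{ vault_password }}` references accordingly. A one-line comment above the prompt noting that this value never leaves the controller (it is only consumed by `delegate_to: localhost` tasks) would also help the next reader.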
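Review bot: The assert only checks that `skylab_mgmt_keys` is defined and not `[]`, but a single key passed as a string (for example via `-e skylab_mgmt_keys=ssh-ed25519...`) passes both conditions and is later fed to `join('\n')`, which iterates over the characters, so the `authorized_key` task with `exclusive: true` would either be rejected by the module or wipe the existing keys and replace them with garbage — the lockout this assert exists to prevent. Add `- skylab_mgmt_keys is not string` to the `that:` list, and consider a mapping check too (`- skylab_mgmt_keys is not mapping`) so only a real list gets through. The `fail_msg` also misspells "boostrap".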
@@ -77,28 +82,53 @@ gid: 1400 - name: Update ansible user authorized keys - ansible.posix.authorized_keys: + ansible.posix.authorized_key: user: ansible exclusive: true - key: [] + key: "{{ skylab_mgmt_keys | join('\n') }}" - - name: Update root user account + - name: Generate ansible user account password + delegate_to: localhost + no_log: true + changed_when: false + ansible.builtin.shell: + cmd: > + command mpw -qq -F none -t max -u ansible {{ ansible_host }} -p <<< + '{{ vault_password }}' | + python3 -c 'import crypt; print(crypt.crypt(input(), crypt.mksalt(crypt.METHOD_SHA512)))' + executable: /bin/bash + register: _password_ansible + + - name: Update ansible user account ansible.builtin.user: name: ansible state: present - password: # WIP + group: skylab + groups: + - skylab + - wheel + uid: 1400 + password: "{{ _password_ansible.stdout }}" + + - name: Remove ansible user group + ansible.builtin.group: + name: ansible + state: absent - name: Update root user authorized keys - ansible.posix.authorized_keys: + ansible.posix.authorized_key: user: root exclusive: true - key: [] + key: "" - - name: Update SSHD port - ansible.builtin.replace: - path: /etc/ssh/sshd_config - regexp: "^(#?)Port [0-9]+$" - replace: "Port 4242" + - name: Disable sudo password for WHEEL group + become: true + ansible.builtin.copy: + content: "%wheel ALL=(ALL) NOPASSWD: ALL" + dest: /etc/sudoers.d/30-wheel + owner: root + group: skylab + mode: 0644 - name: Disable SSHD password auth ansible.builtin.replace: 
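Review bot: `Generate ansible user account password` passes the master password into the shell through a Jinja-expanded here-string, so the secret becomes part of the `bash -c` argument string (visible to other local users via `ps`/`/proc` for the life of the process, regardless of `no_log`), a master password containing `'` breaks the quoting, and an unquoted `{{ ansible_host }}` is shell-injectable if the inventory is ever untrusted. The `python3 -c 'import crypt …'` half is also fragile: the `crypt` module was deprecated in Python 3.11 and removed in 3.13, and `mksalt()` picks a fresh salt on every run, so `Update ansible user account` will report changed each run even though the password is unchanged. Feed the secret over `stdin:` with `argv:` and hash with Ansible's `password_hash` filter (with `update_password: on_create`, or a fixed salt, if you want idempotence) as sketched below; the same applies to the root variant in the next hunk. Separately, the `/etc/sudoers.d/30-wheel` task should add `validate: /usr/sbin/visudo -cf %s` with `owner: root`, `group: root`, `mode: "0440"`, because a malformed drop-in disables sudo for everyone and the unquoted `0644` is an octal literal that ansible-lint/yamllint flag.
```yaml
      - name: Generate ansible user account password
        delegate_to: localhost
        no_log: true
        changed_when: false
        ansible.builtin.command:
          # argv avoids shell quoting; stdin keeps the master password out of argv/ps
          argv: ["mpw", "-qq", "-F", "none", "-t", "max", "-u", "ansible", "{{ ansible_host }}", "-p"]
          stdin: "{{ vault_password }}"
        register: _password_ansible

      - name: Update ansible user account
        ansible.builtin.user:
          # … unchanged: name / state / group / groups / uid …
          # hash in Ansible rather than the deprecated Python crypt module;
          # on_create stops the random salt from reporting 'changed' on every run
          password: "{{ _password_ansible.stdout | password_hash('sha512') }}"
          update_password: on_create
```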
@@ -117,7 +147,24 @@ name: "*" state: latest allowerasing: true - autoremove: true + + - name: Generate root user account password + delegate_to: localhost + no_log: true + changed_when: false + ansible.builtin.shell: + cmd: > + command mpw -qq -F none -t max -u ansible {{ ansible_host }} -p <<< + '{{ vault_password }}' | + python3 -c 'import crypt; print(crypt.crypt(input(), crypt.mksalt(crypt.METHOD_SHA512)))' + executable: /bin/bash + register: _password_root + + - name: Update root user account + ansible.builtin.user: + name: root + state: present + password: "{{ _password_root.stdout }}" - name: Create SkyLab directory ansible.builtin.file:
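Review bot: `Generate root user account password` still runs `mpw … -u ansible {{ ansible_host }}`, i.e. the same user name, site and master password as the ansible account task, so `mpw` derives an identical password and root and ansible end up sharing one credential — change it to `-u root`. The task also inherits the issues raised on the ansible variant (secret on the `bash -c` command line, deprecated `crypt` module, a fresh salt each run making `Update root user account` report changed on every run), so whatever fix lands there should land here too. Since the two generation tasks are otherwise identical, consider a single task with `loop: [ansible, root]` and `-u {{ item }}` so the user name cannot drift between the copies again.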