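---
# Play 1 of 2: collect the connection parameters for a freshly installed
# target and register it as the ad-hoc inventory host "bootstrap", which the
# second play then hardens. The values prompted here are used only for this
# first, password-based connection; the second play rotates the passwords,
# installs key material and disables SSH password logins on the target.
- name: Prompt for parameters
  hosts: localhost
  gather_facts: false

  vars_prompt:
    - name: bootstrap_hostname
      prompt: Enter hostname (or IP address) of bootstrap target
      private: false

    - name: bootstrap_username
      prompt: Enter username to use for connecting to bootstrap target
      default: root
      private: false

    - name: bootstrap_password
      prompt: Enter password to use for connecting to bootstrap target
      private: true
      # A fixed, well-known default; presumably the password baked into the
      # install image (confirm). It is only usable until the second play
      # rotates the root password and turns SSH password authentication off.
      default: skylab

    - name: bootstrap_port
      prompt: Enter SSH port to connect to on bootstrap target
      # Quoted so the YAML parser does not type the default as an int; the
      # value is templated into ansible_port as a string either way.
      default: "22"
      private: false

  tasks:
    - name: Add bootstrap host
      changed_when: false
      ansible.builtin.add_host:
        hostname: bootstrap
        ansible_host: "{{ bootstrap_hostname }}"
        ansible_user: "{{ bootstrap_username }}"
        ansible_ssh_pass: "{{ bootstrap_password }}"
        ansible_port: "{{ bootstrap_port }}"
        # Ansible refuses sshpass (password) logins to a host whose key is
        # not yet in known_hosts while host-key checking is on, so the first
        # connection below would fail for a freshly installed host. Setting
        # it on the host entry makes both plays behave the same. Trade-off:
        # the key presented by whatever answers at bootstrap_hostname is
        # accepted unverified, so run this over a trusted network path.
        ansible_host_key_checking: false

    # Fail fast, before any prompts of the second play, if the supplied
    # address/credentials do not work.
    - name: Test connection
      delegate_to: bootstrap
      delegate_facts: true
      ansible.builtin.ping: {}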
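# Play 2 of 2: harden the freshly installed host. Task order matters for
# lockout safety: the management user, its authorized keys and passwordless
# sudo are in place before root's keys are wiped, password authentication is
# turned off and the SSH port is moved. sshd and firewalld changes are
# applied once, by the handlers at the end of the play, so the connection
# used by this run is not disturbed while tasks are still executing.
- name: Bootstrap remote
  hosts: bootstrap
  vars:
    # Accept the host key presented by the target (see the first play).
    ansible_host_key_checking: false

  vars_prompt:
    - name: skylab_ansible_vault_password
      prompt: Enter Ansible vault password for generating user secrets
      private: true
      confirm: true

  tasks:
    - name: Check OS requirements
      ansible.builtin.assert:
        that:
          - ansible_distribution == 'Rocky'
          - ansible_distribution_major_version in ['8', '9']
        success_msg: >-
          Host is running supported OS {{ ansible_distribution }} {{ ansible_distribution_version }}
        fail_msg: >-
          Unsupported operating system ({{ ansible_distribution }} {{ ansible_distribution_major_version }}),
          only RockyLinux 8 and RockyLinux 9 are supported.

    # Lockout guard: later tasks replace root's keys with an empty list and
    # disable password logins, so there must be at least one key to install.
    - name: Check that management keys are defined
      ansible.builtin.assert:
        that:
          - skylab_mgmt is defined
          # Checked on its own so a missing key produces fail_msg instead of
          # an undefined-variable error on the comparison below.
          - skylab_mgmt.sshkeys is defined
          - skylab_mgmt.sshkeys != []
        success_msg: >-
          Found {{ skylab_mgmt.sshkeys | length }} SSH keys to install to the Ansible management user
        fail_msg: >-
          No management keys were found for installation to the Ansible management user. Aborting to avoid
          locking out SSH access to the bootstrap host. Please define the 'skylab_mgmt.sshkeys' variable with
          a list of SSH public keys to install to the Ansible management user.

    # Python bindings needed by the SELinux (seport) and firewalld tasks below.
    - name: Install RockyLinux python bindings
      become: true
      ansible.builtin.dnf:
        state: present
        name:
          - libffi-devel
          - python3-devel
          - python3-libselinux
          - python3-policycoreutils
          - python3-firewall

    - name: Create mgmt group
      become: true
      ansible.builtin.group:
        name: "{{ skylab_mgmt.group }}"
        state: present
        gid: "{{ skylab_mgmt.id }}"

    # Derives the account password on the controller: mpw reads the vault
    # password on stdin and derives a per-host password, which is then hashed
    # for /etc/shadow. The secret is passed through the module's stdin option
    # rather than a shell here-string so a vault password containing a quote
    # cannot break (or escape) the command line.
    # NOTE(review): Python 3.13 removed the crypt module; on a newer
    # controller hash with Ansible's password_hash filter instead.
    - name: Generate mgmt user account password
      delegate_to: localhost
      no_log: true
      changed_when: false
      ansible.builtin.shell:
        cmd: >-
          command mpw -qq -F none -t max -u {{ skylab_mgmt.user }} {{ ansible_host }} -p |
          python3 -c 'import crypt; print(crypt.crypt(input(), crypt.mksalt(crypt.METHOD_SHA512)))'
        stdin: "{{ skylab_ansible_vault_password }}"
        executable: /bin/bash
      register: _password_mgmt

    - name: Update mgmt user account
      become: true
      ansible.builtin.user:
        name: "{{ skylab_mgmt.user }}"
        state: present
        group: "{{ skylab_mgmt.group }}"
        groups:
          - "{{ skylab_mgmt.group }}"
          - wheel
        uid: "{{ skylab_mgmt.id }}"
        password: "{{ _password_mgmt.stdout }}"

    # exclusive: true replaces whatever is currently in the user's
    # authorized_keys with exactly the configured key list.
    - name: Update mgmt user authorized keys
      become: true
      ansible.posix.authorized_key:
        user: "{{ skylab_mgmt.user }}"
        exclusive: true
        key: "{{ skylab_mgmt.sshkeys | join('\n') }}"

    # The user's primary group is the shared mgmt group, so a leftover
    # per-user private group is not wanted.
    - name: Remove mgmt user group
      become: true
      ansible.builtin.group:
        name: "{{ skylab_mgmt.user }}"
        state: absent

    # An empty key list with exclusive: true removes every key currently in
    # root's authorized_keys; root access is via the mgmt user from here on.
    - name: Update root user authorized keys
      become: true
      ansible.posix.authorized_key:
        user: root
        exclusive: true
        key: ""

    - name: Disable sudo password for WHEEL group
      become: true
      ansible.builtin.copy:
        # Trailing newline: some sudo versions report a syntax error for a
        # fragment whose last line is unterminated. sudo expects sudoers
        # fragments to be root-owned with mode 0440 and complains about (or
        # refuses) others. validate keeps a bad fragment from ever being
        # installed, which would break sudo for the mgmt user after root
        # login has been disabled.
        content: "%wheel ALL=(ALL) NOPASSWD: ALL\n"
        dest: /etc/sudoers.d/30-wheel
        owner: root
        group: root
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s

    # The three sshd_config edits below are validated before being written
    # and only take effect when the "Restart sshd" handler runs at the end of
    # the play.
    - name: Disable SSHD password auth
      become: true
      ansible.builtin.replace:
        path: /etc/ssh/sshd_config
        regexp: '^(#?)PasswordAuthentication .*$'
        replace: PasswordAuthentication no
        validate: /usr/sbin/sshd -t -f %s
      notify: Restart sshd

    - name: Disable SSHD root login
      become: true
      ansible.builtin.replace:
        path: /etc/ssh/sshd_config
        regexp: '^(#?)PermitRootLogin .*$'
        replace: PermitRootLogin no
        validate: /usr/sbin/sshd -t -f %s
      notify: Restart sshd

    # Rocky 9's sshd_config starts with an Include of sshd_config.d/*.conf
    # and sshd keeps the first value it sees, so a drop-in written by the
    # installer when root SSH login was allowed (PermitRootLogin yes) would
    # silently override the edit above. Rocky 8's OpenSSH has no Include
    # support, hence the version guard.
    - name: Remove installer sshd drop-in that re-enables root login
      become: true
      ansible.builtin.file:
        path: /etc/ssh/sshd_config.d/01-permitrootlogin.conf
        state: absent
      when: ansible_distribution_major_version == '9'
      notify: Restart sshd

    - name: Update SSHD mgmt port
      become: true
      ansible.builtin.replace:
        path: /etc/ssh/sshd_config
        regexp: '^(#?)Port .*$'
        replace: "Port {{ skylab_mgmt.sshport }}"
        validate: /usr/sbin/sshd -t -f %s
      notify: Restart sshd

    # SELinux must allow sshd to bind the new port before sshd is restarted.
    - name: Grant SSHD permissions on the mgmt port
      become: true
      community.general.seport:
        ports: "{{ skylab_mgmt.sshport }}"
        proto: tcp
        setype: ssh_port_t
        state: present

    # Permanent-only changes; the "Reload firewalld" handler applies them to
    # the runtime configuration after sshd listens on the new port.
    - name: Grant SSHD firewall access to the mgmt port
      become: true
      ansible.posix.firewalld:
        port: "{{ skylab_mgmt.sshport }}/tcp"
        state: enabled
        permanent: true
      notify: Reload firewalld

    - name: Revoke SSHD firewall access to default port
      become: true
      ansible.posix.firewalld:
        service: ssh
        permanent: true
        state: disabled
      # If the management port is 22 itself, closing the ssh service would
      # lock out every new connection.
      when: skylab_mgmt.sshport | int != 22
      notify: Reload firewalld

    - name: Update OS
      become: true
      ansible.builtin.dnf:
        name: "*"
        state: latest
        allowerasing: true

    # Same derivation as for the mgmt user, keyed on the root account name.
    - name: Generate root user account password
      delegate_to: localhost
      no_log: true
      changed_when: false
      ansible.builtin.shell:
        cmd: >-
          command mpw -qq -F none -t max -u root {{ ansible_host }} -p |
          python3 -c 'import crypt; print(crypt.crypt(input(), crypt.mksalt(crypt.METHOD_SHA512)))'
        stdin: "{{ skylab_ansible_vault_password }}"
        executable: /bin/bash
      register: _password_root

    # Replaces the well-known install-image password used by the first play.
    - name: Update root user account
      become: true
      ansible.builtin.user:
        name: root
        state: present
        password: "{{ _password_root.stdout }}"

    - name: Create SkyLab directory
      become: true
      ansible.builtin.file:
        state: directory
        path: "{{ skylab_state_dir }}"
        owner: "{{ skylab_mgmt.user }}"
        group: "{{ skylab_mgmt.group }}"
        # Quoted: an unquoted 0750 is parsed as an octal int by YAML.
        mode: "0750"

  # Handlers run in the order listed here, at the end of the play: sshd must
  # already be listening on the new port before the firewall stops admitting
  # the old one. Existing sessions (including this run's) survive the
  # restart; later runs must connect on skylab_mgmt.sshport.
  handlers:
    - name: Restart sshd
      become: true
      ansible.builtin.service:
        name: sshd
        state: restarted

    - name: Reload firewalld
      become: true
      ansible.builtin.service:
        name: firewalld
        state: reloaded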