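---
# Bootstrap a freshly installed host into the SkyLab management model.
#
# This first play collects the one-off connection details for the target
# interactively and registers it as the in-memory host "bootstrap", so no
# inventory entry (and no stored password) is needed for the first contact.
- name: Prompt for parameters
  hosts: localhost
  gather_facts: false
  vars_prompt:
    - name: bootstrap_hostname
      prompt: Enter hostname (or IP address) of bootstrap target
      private: false
    - name: bootstrap_username
      prompt: Enter username to use for connecting to bootstrap target
      default: root
      private: false
    # NOTE(review): "skylab" is presumably the password baked into the
    # install image; it is only used for this first login — confirm.
    - name: bootstrap_password
      prompt: Enter password to use for connecting to bootstrap target
      private: true
      default: skylab
    - name: bootstrap_port
      prompt: Enter SSH port to connect to on bootstrap target
      default: 22
      private: false
  tasks:
    # The host exists only for this run; nothing is written to inventory.
    - name: Add bootstrap host
      changed_when: false
      ansible.builtin.add_host:
        hostname: bootstrap
        ansible_host: "{{ bootstrap_hostname }}"
        ansible_user: "{{ bootstrap_username }}"
        ansible_ssh_pass: "{{ bootstrap_password }}"
        ansible_port: "{{ bootstrap_port }}"

    # Host key checking is off because a fresh install has no known key yet.
    # The password entered above travels over this unverified first hop, so
    # run the bootstrap from a network path you trust.
    - name: Test connection
      delegate_to: bootstrap
      delegate_facts: true
      vars:
        ansible_host_key_checking: false
      ansible.builtin.ping: {}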
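# Convert the host registered as "bootstrap" into a managed node: dedicated
# management user and group, key-only SSH on the management port, wheel
# sudo, SELinux and firewall openings for the new port, and mpw-derived
# passwords for the mgmt and root accounts.
#
# Expects these variables to be defined for the host: skylab_mgmt.user,
# skylab_mgmt.group, skylab_mgmt.id, skylab_mgmt.sshkeys,
# skylab_mgmt.sshport and skylab_state_dir. The mpw CLI and python3 must be
# available on the controller.
- name: Bootstrap remote
  hosts: bootstrap
  vars:
    # A fresh install has no known host key yet.
    ansible_host_key_checking: false
  vars_prompt:
    - name: skylab_ansible_vault_password
      prompt: Enter Ansible vault password for generating user secrets
      private: true
      confirm: true
  tasks:
    - name: Check OS requirements
      ansible.builtin.assert:
        that:
          - ansible_distribution == 'Rocky'
          - ansible_distribution_major_version in ['8', '9']
        success_msg: >-
          Host is running supported OS {{ ansible_distribution }} {{ ansible_distribution_version }}
        fail_msg: >-
          Unsupported operating system ({{ ansible_distribution }} {{ ansible_distribution_major_version }}),
          only RockyLinux 8 and RockyLinux 9 are supported.

    # Password authentication is switched off further down, so without at
    # least one public key to install the host would become unreachable.
    - name: Check that management keys are defined
      ansible.builtin.assert:
        that:
          - skylab_mgmt is defined
          - skylab_mgmt.sshkeys != []
        success_msg: >-
          Found {{ skylab_mgmt.sshkeys | length }} SSH keys to install to the Ansible management user
        fail_msg: >-
          No management keys were found for installation to the Ansible management user. Aborting to avoid
          locking out SSH access to the bootstrap host. Please define the 'skylab_mgmt.sshkeys' variable with
          a list of SSH public keys to install to the Ansible management user.

    # Bindings needed by the selinux, seport and firewalld modules used below.
    - name: Install RockyLinux python bindings
      become: true
      ansible.builtin.dnf:
        state: present
        name:
          - libffi-devel
          - python3-devel
          - python3-libselinux
          - python3-policycoreutils
          - python3-firewall

    - name: Create mgmt group
      become: true
      ansible.builtin.group:
        name: "{{ skylab_mgmt.group }}"
        state: present
        gid: "{{ skylab_mgmt.id }}"

    # The password is derived from (user, host address, vault password)
    # with mpw and hashed as SHA-512 crypt on the controller; the task only
    # computes a value, hence changed_when: false. The vault password is
    # fed on stdin rather than interpolated into the shell command, so it
    # never appears in the bash argv on the controller and needs no shell
    # quoting; user and host are shell-quoted as they come from variables.
    # NOTE(review): the python 'crypt' module was removed in Python 3.13 —
    # a controller on a newer interpreter needs another hashing route
    # (e.g. the password_hash filter).
    - name: Generate mgmt user account password
      delegate_to: localhost
      no_log: true
      changed_when: false
      ansible.builtin.shell:
        cmd: >-
          command mpw -qq -F none -t max -u {{ skylab_mgmt.user | quote }} {{ ansible_host | quote }} -p |
          python3 -c 'import crypt; print(crypt.crypt(input(), crypt.mksalt(crypt.METHOD_SHA512)))'
        stdin: "{{ skylab_ansible_vault_password }}"
        executable: /bin/bash
      register: _password_mgmt

    # Primary group is the mgmt group; wheel membership is what grants sudo
    # (see the sudoers fragment below).
    - name: Update mgmt user account
      become: true
      ansible.builtin.user:
        name: "{{ skylab_mgmt.user }}"
        state: present
        group: "{{ skylab_mgmt.group }}"
        groups:
          - "{{ skylab_mgmt.group }}"
          - wheel
        uid: "{{ skylab_mgmt.id }}"
        password: "{{ _password_mgmt.stdout }}"

    # exclusive: true replaces whatever keys the account already had.
    - name: Update mgmt user authorized keys
      become: true
      ansible.posix.authorized_key:
        user: "{{ skylab_mgmt.user }}"
        exclusive: true
        key: "{{ skylab_mgmt.sshkeys | join('\n') }}"

    # Drop a group named after the user (presumably the user-private group
    # left over from an earlier account creation); absent is a no-op if it
    # never existed.
    - name: Remove mgmt user group
      become: true
      ansible.builtin.group:
        name: "{{ skylab_mgmt.user }}"
        state: absent

    # Clear every key from root: exclusive with an empty key list.
    - name: Update root user authorized keys
      become: true
      ansible.posix.authorized_key:
        user: root
        exclusive: true
        key: ""

    # Members of wheel get passwordless sudo, so privilege on this host
    # rests entirely on the SSH keys installed above. visudo validates the
    # fragment before it is put in place.
    # NOTE(review): sudo's documented default sudoers_mode is 0440 — confirm
    # sudo accepts this 0644, group-owned fragment, or tighten it.
    - name: Disable sudo password for WHEEL group
      become: true
      ansible.builtin.copy:
        content: "%wheel ALL=(ALL) NOPASSWD: ALL"
        dest: /etc/sudoers.d/30-wheel
        owner: root
        group: "{{ skylab_mgmt.group }}"
        mode: "0644"
        validate: /usr/sbin/visudo -cf %s

    # The three sshd_config edits below are not applied by this play (no
    # sshd restart or handler here); they take effect on the next sshd
    # restart or reboot — presumably the caller reboots after bootstrap.
    # The regexps also match a commented default line, so the stock config
    # is rewritten in place rather than appended to.
    - name: Disable SSHD password auth
      become: true
      ansible.builtin.replace:
        path: /etc/ssh/sshd_config
        regexp: '^(#?)PasswordAuthentication .*$'
        replace: PasswordAuthentication no

    - name: Disable SSHD root login
      become: true
      ansible.builtin.replace:
        path: /etc/ssh/sshd_config
        regexp: '^(#?)PermitRootLogin .*$'
        replace: PermitRootLogin no

    - name: Update SSHD mgmt port
      become: true
      ansible.builtin.replace:
        path: /etc/ssh/sshd_config
        regexp: '^(#?)Port .*$'
        replace: "Port {{ skylab_mgmt.sshport }}"

    # SELinux must label the new port as ssh_port_t or sshd cannot bind it.
    - name: Grant SSHD permissions on the mgmt port
      become: true
      community.general.seport:
        ports: "{{ skylab_mgmt.sshport }}"
        proto: tcp
        setype: ssh_port_t
        state: present

    - name: Install Firewalld
      become: true
      ansible.builtin.dnf:
        name: firewalld
        state: present

    # Enabled at boot only; the service is not started here.
    - name: Enable Firewalld
      become: true
      ansible.builtin.service:
        name: firewalld
        enabled: true

    # Both firewall changes are permanent-only (no immediate: true), so the
    # runtime rule set is untouched until firewalld reloads or the host
    # reboots; the default port stays reachable until then.
    - name: Grant SSHD firewall access to the mgmt port
      become: true
      ansible.posix.firewalld:
        port: "{{ skylab_mgmt.sshport }}/tcp"
        state: enabled
        permanent: true

    - name: Revoke SSHD firewall access to default port
      become: true
      ansible.posix.firewalld:
        service: ssh
        permanent: true
        state: disabled

    - name: Update OS
      become: true
      ansible.builtin.dnf:
        name: "*"
        state: latest
        allowerasing: true

    # Same derivation as for the mgmt user, with root as the mpw user name.
    # With root SSH login disabled above this password presumably only
    # serves console/recovery access.
    - name: Generate root user account password
      delegate_to: localhost
      no_log: true
      changed_when: false
      ansible.builtin.shell:
        cmd: >-
          command mpw -qq -F none -t max -u root {{ ansible_host | quote }} -p |
          python3 -c 'import crypt; print(crypt.crypt(input(), crypt.mksalt(crypt.METHOD_SHA512)))'
        stdin: "{{ skylab_ansible_vault_password }}"
        executable: /bin/bash
      register: _password_root

    - name: Update root user account
      become: true
      ansible.builtin.user:
        name: root
        state: present
        password: "{{ _password_root.stdout }}"

    # State directory owned by the mgmt user; group-readable, not world-readable.
    - name: Create SkyLab directory
      become: true
      ansible.builtin.file:
        state: directory
        path: "{{ skylab_state_dir }}"
        owner: "{{ skylab_mgmt.user }}"
        group: "{{ skylab_mgmt.group }}"
        mode: "0750"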