Last change
on this file since 14530 was
14325,
checked in by uli, 8 years ago
|
Make bootstrap.yml really work.
This version of bootstrap.yml was played on a real, freshly
initialized Hetzner server. And worked.
It does not create a sudo-less deploy user any more, but different
admin users with password.
The main task of the play is still: securing and restarting SSH before
creating some non-root access.
|
File size:
1.4 KB
|
Rev | Line | |
---|
[13839] | 1 | --- |
---|
| 2 | # This ansible-playbook prepares fresh-from-hetzner |
---|
| 3 | # servers for work with ansible. |
---|
| 4 | # |
---|
[14325] | 5 | # It should be played as first thing after getting your hands over new |
---|
| 6 | # hardware |
---|
[13839] | 7 | # |
---|
[14325] | 8 | # The documentation for this playbook is in `README.rst`. Please read |
---|
| 9 | # it! Do not run this playbook without having read the README. |
---|
[13839] | 10 | # |
---|
| 11 | - hosts: yet-untouched |
---|
[14325] | 12 | become: yes |
---|
[13842] | 13 | vars: |
---|
[14325] | 14 | # Enable root access via SSH? Set to false not before user |
---|
| 15 | # accounts are active. |
---|
| 16 | permit_ssh_root: true |
---|
| 17 | # create hashed passwords like this: |
---|
| 18 | # $ diceware -d '-' -n 6 --no-caps | tee mypw | mkpasswd -s --method=sha-512 >> mypw |
---|
| 19 | admin_users: |
---|
| 20 | uli: |
---|
| 21 | hashed_pw: "$6$W3DjhWuk/dDzw2F$ozaXblaUYnEX6NiS9jg.NYFelyPIV8ySxDJGNwbPpTd.oAnmA.754pntuGT1XP.cAcpkCI5b9zWSgOQ09f5HG1" |
---|
[13849] | 22 | |
---|
[14325] | 23 | roles: |
---|
| 24 | - openssh |
---|
| 25 | |
---|
| 26 | handlers: |
---|
| 27 | - name: "Restart sshd" |
---|
| 28 | service: |
---|
| 29 | name="ssh" |
---|
| 30 | enabled=yes |
---|
| 31 | state=restarted |
---|
| 32 | |
---|
[13839] | 33 | tasks: |
---|
[14325] | 34 | - name: Create admin users |
---|
| 35 | user: |
---|
| 36 | name: "{{ item.key }}" |
---|
| 37 | shell: /bin/bash |
---|
| 38 | groups: sudo |
---|
| 39 | password: "{{ item.value.hashed_pw }}" |
---|
| 40 | update_password: on_create |
---|
| 41 | state: present |
---|
| 42 | with_dict: "{{ admin_users }}" |
---|
[13842] | 43 | |
---|
[14325] | 44 | - name: Disable SSH root access |
---|
| 45 | # make sure this is not run before you can log in otherwise! |
---|
| 46 | lineinfile: |
---|
| 47 | dest=/etc/ssh/sshd_config |
---|
| 48 | backrefs=yes |
---|
| 49 | line='PermitRootLogin no' |
---|
| 50 | regexp='^PermitRootLogin yes' |
---|
| 51 | state=present |
---|
| 52 | notify: "restart sshd" |
---|
| 53 | when: not permit_ssh_root |
---|
Note: See
TracBrowser for help on using the repository browser.