source: main/waeup-ansible/bootstrap.yml @ 15133

Last change on this file since 15133 was 14325, checked in by uli, 8 years ago

Make bootstrap.yml really work.

This version of bootstrap.yml was played on a real, freshly
initialized Hetzner server. And worked.

It does not create a sudo-less deploy user any more, but different
admin users with password.

The main task of the play is still: securing and restarting SSH before
creating some non-root access.

File size: 1.4 KB
RevLine 
[13839]1---
2# This ansible-playbook prepares fresh-from-hetzner
3# servers for work with ansible.
4#
[14325]5# It should be played as first thing after getting your hands over new
6# hardware
[13839]7#
[14325]8# The documentation for this playbook is in `README.rst`.  Please read
9# it! Do not run this playbook without having read the README.
[13839]10#
11- hosts: yet-untouched
[14325]12  become: yes
[13842]13  vars:
[14325]14    # Enable root access via SSH? Set to false not before user
15    # accounts are active.
16    permit_ssh_root: true
17    # create hashed passwords like this:
18    #      $ diceware -d '-' -n 6 --no-caps | tee mypw | mkpasswd -s --method=sha-512 >> mypw
19    admin_users:
20      uli:
21        hashed_pw: "$6$W3DjhWuk/dDzw2F$ozaXblaUYnEX6NiS9jg.NYFelyPIV8ySxDJGNwbPpTd.oAnmA.754pntuGT1XP.cAcpkCI5b9zWSgOQ09f5HG1"
[13849]22
[14325]23  roles:
24  - openssh
25
26  handlers:
27  - name: "Restart sshd"
28    service:
29      name="ssh"
30      enabled=yes
31      state=restarted
32
[13839]33  tasks:
[14325]34  - name: Create admin users
35    user:
36      name: "{{ item.key }}"
37      shell: /bin/bash
38      groups: sudo
39      password: "{{ item.value.hashed_pw }}"
40      update_password: on_create
41      state: present
42    with_dict: "{{ admin_users }}"
[13842]43
[14325]44  - name: Disable SSH root access
45    # make sure this is not run before you can log in otherwise!
46    lineinfile:
47      dest=/etc/ssh/sshd_config
48      backrefs=yes
49      line='PermitRootLogin no'
50      regexp='^PermitRootLogin yes'
51      state=present
52    notify: "restart sshd"
53    when: not permit_ssh_root
Note: See TracBrowser for help on using the repository browser.