
Last change on this file since 16889 was 15915, checked in by uli, 5 years ago

Rename group [yet-untouched] -> [yet_untouched]

as Ansible does not like dashes in group names.

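---
# This ansible-playbook prepares fresh-from-hetzner
# servers for work with ansible.
#
# It should be played as first thing after getting your hands over new
# hardware
#
# The documentation for this playbook is in `README.rst`.  Please read
# it! Do not run this playbook without having read the README.
#
- hosts: yet_untouched
  become: true
  vars:
    # Enable root access via SSH? Set to false not before user
    # accounts are active.
    permit_ssh_root: false
    # Allow admin users below to become root w/o entering password?
    # (Not consumed by any task in this file; presumably read by the
    # `openssh` role or a later playbook -- verify before relying on it.)
    permit_become_root_no_password: true
    # create hashed passwords like this:
    #      $ diceware -d '-' -n 6 --no-caps | tee mypw | mkpasswd -s --method=sha-512 >> mypw
    #
    # NOTE(review): a crypt(3) hash committed to VCS can be cracked offline
    # by anyone with repository access. Prefer keeping `admin_users` in an
    # ansible-vault encrypted vars file, or at least rotate the password
    # once the bootstrap is done.
    admin_users:
      uli:
        hashed_pw: "$6$iuoXy2wO3elWM6d2$NR/ayKF58q0Bm0BdsR.g.Nt5xYzD0s0t17ZjrYaRpY7nkRekjgHTnqw849pK9FdynmNZAioW6oQBQx3BB5kcd0"

  roles:
    - openssh

  handlers:
    # The name must match the `notify:` string of the task below exactly;
    # Ansible compares handler names literally, case included.
    - name: Restart sshd
      service:
        name: ssh
        enabled: true
        state: restarted

  tasks:
    - name: Create admin users
      user:
        name: "{{ item.key }}"
        shell: /bin/bash
        groups: sudo
        # Keep any supplementary groups an existing account already has;
        # without `append` a re-run would leave the account in `sudo` only.
        append: true
        password: "{{ item.value.hashed_pw }}"
        # Only set the password when the account is created, so later
        # runs do not reset a password the user has since changed.
        update_password: on_create
        state: present
      with_dict: "{{ admin_users }}"

    - name: Disable SSH root access
      # make sure this is not run before you can log in otherwise!
      lineinfile:
        path: /etc/ssh/sshd_config
        # Match any active PermitRootLogin directive, whatever its value
        # ("yes", "prohibit-password", "without-password", ...). The old
        # pattern only matched "PermitRootLogin yes" and, together with
        # backrefs, silently did nothing on any other default -- leaving
        # key-based root login enabled. Without backrefs the line is
        # appended when no directive exists at all.
        # Caveat: sshd honours the first occurrence of a directive, and an
        # appended line lands after any trailing `Match` block; if the
        # file has several active PermitRootLogin lines or a Match block
        # at the end, check the result by hand.
        regexp: '^\s*PermitRootLogin\b'
        line: 'PermitRootLogin no'
        state: present
        # Refuse to write a config sshd cannot parse; a broken file plus
        # the restart handler would lock everyone out of the box.
        validate: '/usr/sbin/sshd -t -f %s'
      notify: Restart sshd
      when: not permit_ssh_root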