source: main/waeup-ansible/bootstrap.yml @ 16835

Last change on this file since 16835 was 15915, checked in by uli, 5 years ago

Rename group [yet-untouched] -> [yet_untouched]

as ansible does not like dashes in groupnames.

File size: 1.5 KB
Line 
1---
2# This ansible-playbook prepares fresh-from-hetzner
3# servers for work with ansible.
4#
5# It should be played as first thing after getting your hands over new
6# hardware
7#
8# The documentation for this playbook is in `README.rst`.  Please read
9# it! Do not run this playbook without having read the README.
10#
11- hosts: yet_untouched
12  become: yes
13  vars:
14    # Enable root access via SSH? Set to false not before user
15    # accounts are active.
16    permit_ssh_root: false
17    # Allow admin users below to become root w/o entering password?
18    permit_become_root_no_password: true
19    # create hashed passwords like this:
20    #      $ diceware -d '-' -n 6 --no-caps | tee mypw | mkpasswd -s --method=sha-512 >> mypw
21    admin_users:
22        uli:
23            hashed_pw: "$6$iuoXy2wO3elWM6d2$NR/ayKF58q0Bm0BdsR.g.Nt5xYzD0s0t17ZjrYaRpY7nkRekjgHTnqw849pK9FdynmNZAioW6oQBQx3BB5kcd0"
24
25  roles:
26  - openssh
27
28  handlers:
29  - name: "Restart sshd"
30    service:
31      name="ssh"
32      enabled=yes
33      state=restarted
34
35  tasks:
36  - name: Create admin users
37    user:
38      name: "{{ item.key }}"
39      shell: /bin/bash
40      groups: sudo
41      password: "{{ item.value.hashed_pw }}"
42      update_password: on_create
43      state: present
44    with_dict: "{{ admin_users }}"
45
46  - name: Disable SSH root access
47    # make sure this is not run before you can log in otherwise!
48    lineinfile:
49      dest=/etc/ssh/sshd_config
50      backrefs=yes
51      line='PermitRootLogin no'
52      regexp='^PermitRootLogin yes'
53      state=present
54    notify: "restart sshd"
55    when: not permit_ssh_root
Note: See TracBrowser for help on using the repository browser.