|
Last change
on this file since 14395 was
14325,
checked in by uli, 8 years ago
|
|
Make bootstrap.yml really work.
This version of bootstrap.yml was played on a real, freshly
initialized Hetzner server. And worked.
It does not create a sudo-less deploy user any more, but different
admin users with password.
The main task of the play is still: securing and restarting SSH before
creating some non-root access.
|
|
File size:
1.4 KB
|
| Line | |
|---|
| 1 | --- |
|---|
| 2 | # This ansible-playbook prepares fresh-from-hetzner |
|---|
| 3 | # servers for work with ansible. |
|---|
| 4 | # |
|---|
| 5 | # It should be played as first thing after getting your hands over new |
|---|
| 6 | # hardware |
|---|
| 7 | # |
|---|
| 8 | # The documentation for this playbook is in `README.rst`. Please read |
|---|
| 9 | # it! Do not run this playbook without having read the README. |
|---|
| 10 | # |
|---|
| 11 | - hosts: yet-untouched |
|---|
| 12 | become: yes |
|---|
| 13 | vars: |
|---|
| 14 | # Enable root access via SSH? Set to false not before user |
|---|
| 15 | # accounts are active. |
|---|
| 16 | permit_ssh_root: true |
|---|
| 17 | # create hashed passwords like this: |
|---|
| 18 | # $ diceware -d '-' -n 6 --no-caps | tee mypw | mkpasswd -s --method=sha-512 >> mypw |
|---|
| 19 | admin_users: |
|---|
| 20 | uli: |
|---|
| 21 | hashed_pw: "$6$W3DjhWuk/dDzw2F$ozaXblaUYnEX6NiS9jg.NYFelyPIV8ySxDJGNwbPpTd.oAnmA.754pntuGT1XP.cAcpkCI5b9zWSgOQ09f5HG1" |
|---|
| 22 | |
|---|
| 23 | roles: |
|---|
| 24 | - openssh |
|---|
| 25 | |
|---|
| 26 | handlers: |
|---|
| 27 | - name: "Restart sshd" |
|---|
| 28 | service: |
|---|
| 29 | name="ssh" |
|---|
| 30 | enabled=yes |
|---|
| 31 | state=restarted |
|---|
| 32 | |
|---|
| 33 | tasks: |
|---|
| 34 | - name: Create admin users |
|---|
| 35 | user: |
|---|
| 36 | name: "{{ item.key }}" |
|---|
| 37 | shell: /bin/bash |
|---|
| 38 | groups: sudo |
|---|
| 39 | password: "{{ item.value.hashed_pw }}" |
|---|
| 40 | update_password: on_create |
|---|
| 41 | state: present |
|---|
| 42 | with_dict: "{{ admin_users }}" |
|---|
| 43 | |
|---|
| 44 | - name: Disable SSH root access |
|---|
| 45 | # make sure this is not run before you can log in otherwise! |
|---|
| 46 | lineinfile: |
|---|
| 47 | dest=/etc/ssh/sshd_config |
|---|
| 48 | backrefs=yes |
|---|
| 49 | line='PermitRootLogin no' |
|---|
| 50 | regexp='^PermitRootLogin yes' |
|---|
| 51 | state=present |
|---|
| 52 | notify: "restart sshd" |
|---|
| 53 | when: not permit_ssh_root |
|---|
Note: See
TracBrowser for help on using the repository browser.
