Last change
on this file since 14672 was
14325,
checked in by uli, 8 years ago
|
Make bootstrap.yml really work.
This version of bootstrap.yml was played on a real, freshly
initialized Hetzner server. And worked.
It does not create a sudo-less deploy user any more, but different
admin users with password.
The main task of the play is still: securing and restarting SSH before
creating some non-root access.
|
File size:
1.4 KB
|
Line | |
---|
1 | --- |
---|
2 | # This ansible-playbook prepares fresh-from-hetzner |
---|
3 | # servers for work with ansible. |
---|
4 | # |
---|
5 | # It should be played as first thing after getting your hands over new |
---|
6 | # hardware |
---|
7 | # |
---|
8 | # The documentation for this playbook is in `README.rst`. Please read |
---|
9 | # it! Do not run this playbook without having read the README. |
---|
10 | # |
---|
11 | - hosts: yet-untouched |
---|
12 | become: yes |
---|
13 | vars: |
---|
14 | # Enable root access via SSH? Set to false not before user |
---|
15 | # accounts are active. |
---|
16 | permit_ssh_root: true |
---|
17 | # create hashed passwords like this: |
---|
18 | # $ diceware -d '-' -n 6 --no-caps | tee mypw | mkpasswd -s --method=sha-512 >> mypw |
---|
19 | admin_users: |
---|
20 | uli: |
---|
21 | hashed_pw: "$6$W3DjhWuk/dDzw2F$ozaXblaUYnEX6NiS9jg.NYFelyPIV8ySxDJGNwbPpTd.oAnmA.754pntuGT1XP.cAcpkCI5b9zWSgOQ09f5HG1" |
---|
22 | |
---|
23 | roles: |
---|
24 | - openssh |
---|
25 | |
---|
26 | handlers: |
---|
27 | - name: "Restart sshd" |
---|
28 | service: |
---|
29 | name="ssh" |
---|
30 | enabled=yes |
---|
31 | state=restarted |
---|
32 | |
---|
33 | tasks: |
---|
34 | - name: Create admin users |
---|
35 | user: |
---|
36 | name: "{{ item.key }}" |
---|
37 | shell: /bin/bash |
---|
38 | groups: sudo |
---|
39 | password: "{{ item.value.hashed_pw }}" |
---|
40 | update_password: on_create |
---|
41 | state: present |
---|
42 | with_dict: "{{ admin_users }}" |
---|
43 | |
---|
44 | - name: Disable SSH root access |
---|
45 | # make sure this is not run before you can log in otherwise! |
---|
46 | lineinfile: |
---|
47 | dest=/etc/ssh/sshd_config |
---|
48 | backrefs=yes |
---|
49 | line='PermitRootLogin no' |
---|
50 | regexp='^PermitRootLogin yes' |
---|
51 | state=present |
---|
52 | notify: "restart sshd" |
---|
53 | when: not permit_ssh_root |
---|
Note: See
TracBrowser for help on using the repository browser.