Changeset 14323


Ignore:
Timestamp:
8 Dec 2016, 02:59:36 (8 years ago)
Author:
uli
Message:

Update README.

Reflect changes to bootstrap.yml.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • main/waeup-ansible/README.rst

    r14192 r14323  
    1010
    1111is a really nice hands-on intro to `ansible`. Please read it!
     12
     13If you want to devel/test scripts in here, try to work with virtual machines
     14first. The ``Vagrant`` section below explains the details.
     15
     16Server Lifecircle
     17=================
     18
     19When we get a server freshly installed from Hetzner, we want to make sure, at
     20least some common security holes are closed.
     21
     22
     23Right after first install: `bootstrap.yml`
     24------------------------------------------
     25
     26For starters we "bootstrap" a server install with the ``bootstrap.yml``
     27playbook. This playbook does three things:
     28
     29- It secures the ``SSHD`` config according to infos from
     30  https://bettercrypto.org
     31- It adds accounts for admin users (including sudo rights)
     32- It disables root login via SSH.
     33
     34Before the playbook can be run, you have to fix some things.
     35
     361) Make sure you can ssh into the systems as ``root``.
     37
     382) Make sure, Python2.x is installed on the target systems. This is not the
     39   case anymore for instance for minimal Ubuntu images starting with 16.04 LTS.
     40
     41   If Python2.x is not installed, do::
     42
     43     # apt-get update
     44     # apt-get install python python-simplejson
     45
     46   as `root` on each targeted system.
     47
     48
     493) For each server to handle, make an entry in the ``[yet-untouched]`` section
     50   of the ``hosts`` file like this::
     51
     52     # hosts
     53     [yet-untouched]
     54     h23.waeup.org ansible_user=root ansible_ssh_pass=so-secret ansible_sudo_pass="{{ ansible_ssh_pass }}"
     55     h24.waeup.org ansible_user=root ansible_ssh_pass=123456789 ansible_sudo_pass="{{ ansible_ssh_pass }}"
     56
     57   The ``ansible_sudo_pass`` is not neccessary for now, but will be needed if
     58   you want to run everything as a normal user. And it is just a blank copy of
     59   ``ansible_ssh_pass``.
     60
     61   Yes, this is a very dangerous part and you should not check this
     62   modifications in. Instead you should remove the entries after you are done.
     63
     644) Update the ``vars`` in ``bootstrap.yml``. Tell, whether SSH root access
     65   should stay enabled and say ``no`` or ``false``.
     66
     67   Then, you have to create a dict of admin users. For each user we need a name
     68   (key) and a hashed password. This can be done like this::
     69
     70     $ diceware -d '-' -n 6 --no-caps | tee mypw | mkpasswd -s --method=sha-512 >> mypw
     71
     72   which will create a random password and its SHA512-hashed variant in a file
     73   called ``mypw``. If you do not have `diceware` installed, you can use
     74   `pwgen` (or any other password maker)::
     75
     76     $ pwgen -s 33 | tee mypw | mkpasswd -s --method=sha-512 >> mypw
     77
     78   The hashed variant then has to be entered as ``hashed_pw`` in the `vars` of
     79   ``bootstrap.yml``.
     80
     81   In the end, there should be something like::
     82
     83     # bootstrap.yml
     84     # ...
     85     vars:
     86       permit_ssh_root: false
     87       admin_users:
     88         user1:
     89           hashed_pw: "$6$Wsdfhwelkl32lslk32lkdslk43...."
     90         user2:
     91           hashed_pw: "$6$FDwlkjewlkWs2434SVRDE65DFF...."
     92     ...
     93
     94   Please note, that all users listed in this dict will have the same passwords
     95   on all servers handled when running the script.
     96
     975) Finally, run the play::
     98
     99     $ ansible-playbook -i hosts -C bootstrap.yml
     100
     101   to see, whether setup is fine (dry run) and::
     102
     103     $ ansible-playbooj -i hosts bootstrap.yml
     104
     105   to actually perform the changes.
     106
    12107
    13108Vagrant
Note: See TracChangeset for help on using the changeset viewer.