- Timestamp:
- 8 Dec 2016, 02:59:36 (8 years ago)
- File:
-
- 1 edited
Legend:
- Unmodified
- Added
- Removed
-
main/waeup-ansible/README.rst
r14192 r14323 10 10 11 11 is a really nice hands-on intro to `ansible`. Please read it! 12 13 If you want to devel/test scripts in here, try to work with virtual machines 14 first. The ``Vagrant`` section below explains the details. 15 16 Server Lifecircle 17 ================= 18 19 When we get a server freshly installed from Hetzner, we want to make sure, at 20 least some common security holes are closed. 21 22 23 Right after first install: `bootstrap.yml` 24 ------------------------------------------ 25 26 For starters we "bootstrap" a server install with the ``bootstrap.yml`` 27 playbook. This playbook does three things: 28 29 - It secures the ``SSHD`` config according to infos from 30 https://bettercrypto.org 31 - It adds accounts for admin users (including sudo rights) 32 - It disables root login via SSH. 33 34 Before the playbook can be run, you have to fix some things. 35 36 1) Make sure you can ssh into the systems as ``root``. 37 38 2) Make sure, Python2.x is installed on the target systems. This is not the 39 case anymore for instance for minimal Ubuntu images starting with 16.04 LTS. 40 41 If Python2.x is not installed, do:: 42 43 # apt-get update 44 # apt-get install python python-simplejson 45 46 as `root` on each targeted system. 47 48 49 3) For each server to handle, make an entry in the ``[yet-untouched]`` section 50 of the ``hosts`` file like this:: 51 52 # hosts 53 [yet-untouched] 54 h23.waeup.org ansible_user=root ansible_ssh_pass=so-secret ansible_sudo_pass="{{ ansible_ssh_pass }}" 55 h24.waeup.org ansible_user=root ansible_ssh_pass=123456789 ansible_sudo_pass="{{ ansible_ssh_pass }}" 56 57 The ``ansible_sudo_pass`` is not neccessary for now, but will be needed if 58 you want to run everything as a normal user. And it is just a blank copy of 59 ``ansible_ssh_pass``. 60 61 Yes, this is a very dangerous part and you should not check this 62 modifications in. Instead you should remove the entries after you are done. 63 64 4) Update the ``vars`` in ``bootstrap.yml``. Tell, whether SSH root access 65 should stay enabled and say ``no`` or ``false``. 66 67 Then, you have to create a dict of admin users. For each user we need a name 68 (key) and a hashed password. This can be done like this:: 69 70 $ diceware -d '-' -n 6 --no-caps | tee mypw | mkpasswd -s --method=sha-512 >> mypw 71 72 which will create a random password and its SHA512-hashed variant in a file 73 called ``mypw``. If you do not have `diceware` installed, you can use 74 `pwgen` (or any other password maker):: 75 76 $ pwgen -s 33 | tee mypw | mkpasswd -s --method=sha-512 >> mypw 77 78 The hashed variant then has to be entered as ``hashed_pw`` in the `vars` of 79 ``bootstrap.yml``. 80 81 In the end, there should be something like:: 82 83 # bootstrap.yml 84 # ... 85 vars: 86 permit_ssh_root: false 87 admin_users: 88 user1: 89 hashed_pw: "$6$Wsdfhwelkl32lslk32lkdslk43...." 90 user2: 91 hashed_pw: "$6$FDwlkjewlkWs2434SVRDE65DFF...." 92 ... 93 94 Please note, that all users listed in this dict will have the same passwords 95 on all servers handled when running the script. 96 97 5) Finally, run the play:: 98 99 $ ansible-playbook -i hosts -C bootstrap.yml 100 101 to see, whether setup is fine (dry run) and:: 102 103 $ ansible-playbooj -i hosts bootstrap.yml 104 105 to actually perform the changes. 106 12 107 13 108 Vagrant
Note: See TracChangeset for help on using the changeset viewer.