Changeset 14323 for main/waeup-ansible

Timestamp:

8 Dec 2016, 02:59:36 (8 years ago)

Author:

uli

Message:

Update README.

Reflect changes to bootstrap.yml.

File:

• main/waeup-ansible/README.rst (modified) (1 diff)

main/waeup-ansible/README.rst

@@ -10 +10 @@
 
 is a really nice hands-on intro to `ansible`. Please read it!
+
+If you want to devel/test scripts in here, try to work with virtual machines
+first. The ``Vagrant`` section below explains the details.
+
+Server Lifecircle
+=================
+
+When we get a server freshly installed from Hetzner, we want to make sure, at
+least some common security holes are closed.
+
+
+Right after first install: `bootstrap.yml`
+------------------------------------------
+
+For starters we "bootstrap" a server install with the ``bootstrap.yml``
+playbook. This playbook does three things:
+
+- It secures the ``SSHD`` config according to infos from
+  https://bettercrypto.org
+- It adds accounts for admin users (including sudo rights)
+- It disables root login via SSH.
+
+Before the playbook can be run, you have to fix some things.
+
+1) Make sure you can ssh into the systems as ``root``.
+
+2) Make sure, Python2.x is installed on the target systems. This is not the
+   case anymore for instance for minimal Ubuntu images starting with 16.04 LTS.
+
+   If Python2.x is not installed, do::
+
+     # apt-get update
+     # apt-get install python python-simplejson
+
+   as `root` on each targeted system.
+
+
+3) For each server to handle, make an entry in the ``[yet-untouched]`` section
+   of the ``hosts`` file like this::
+
+     # hosts
+     [yet-untouched]
+     h23.waeup.org ansible_user=root ansible_ssh_pass=so-secret ansible_sudo_pass="{{ ansible_ssh_pass }}"
+     h24.waeup.org ansible_user=root ansible_ssh_pass=123456789 ansible_sudo_pass="{{ ansible_ssh_pass }}"
+
+   The ``ansible_sudo_pass`` is not neccessary for now, but will be needed if
+   you want to run everything as a normal user. And it is just a blank copy of
+   ``ansible_ssh_pass``.
+
+   Yes, this is a very dangerous part and you should not check this
+   modifications in. Instead you should remove the entries after you are done.
+
+4) Update the ``vars`` in ``bootstrap.yml``. Tell, whether SSH root access
+   should stay enabled and say ``no`` or ``false``.
+
+   Then, you have to create a dict of admin users. For each user we need a name
+   (key) and a hashed password. This can be done like this::
+
+     $ diceware -d '-' -n 6 --no-caps | tee mypw | mkpasswd -s --method=sha-512 >> mypw
+
+   which will create a random password and its SHA512-hashed variant in a file
+   called ``mypw``. If you do not have `diceware` installed, you can use
+   `pwgen` (or any other password maker)::
+
+     $ pwgen -s 33 | tee mypw | mkpasswd -s --method=sha-512 >> mypw
+
+   The hashed variant then has to be entered as ``hashed_pw`` in the `vars` of
+   ``bootstrap.yml``.
+
+   In the end, there should be something like::
+
+     # bootstrap.yml
+     # ...
+     vars:
+       permit_ssh_root: false
+       admin_users:
+         user1:
+           hashed_pw: "$6$Wsdfhwelkl32lslk32lkdslk43...."
+         user2:
+           hashed_pw: "$6$FDwlkjewlkWs2434SVRDE65DFF...."
+     ...
+
+   Please note, that all users listed in this dict will have the same passwords
+   on all servers handled when running the script.
+
+5) Finally, run the play::
+
+     $ ansible-playbook -i hosts -C bootstrap.yml
+
+   to see, whether setup is fine (dry run) and::
+
+     $ ansible-playbooj -i hosts bootstrap.yml
+
+   to actually perform the changes.
+
 
 Vagrant