Changeset 14325


Timestamp:
8 Dec 2016, 03:10:08 (8 years ago)
Author:
uli
Message:

Make bootstrap.yml really work.

This version of bootstrap.yml was played on a real, freshly
initialized Hetzner server. And worked.

It no longer creates a sudo-less deploy user, but instead different
admin users with passwords.

The main task of the play is still: securing and restarting SSH before
creating some non-root access.

File:
1 edited

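--- a/main/waeup-ansible/bootstrap.yml
+++ b/main/waeup-ansible/bootstrap.yml
@@ -3,33 +3,51 @@
 # servers for work with ansible.
 #
-# What it does:
-#   secures sshd (according to bettercrypto.org)
-#   adds accounts uli/henrik/deploy
-#   disables root access
+# It should be played as first thing after getting your hands over new
+# hardware
 #
-# This playbook should be executed as first thing
-# after getting your hands over new hardware
-#
-# It will normally be run with ``ask-pass``
+# The documentation for this playbook is in `README.rst`.  Please read
+# it! Do not run this playbook without having read the README.
 #
 - hosts: yet-untouched
+  become: yes
   vars:
-    deploy_user: 'deploy'
-    deploy_public_key: "{{ lookup('file', 'files/id-deploy.pub') }}"
+    # Enable root access via SSH? Set to false not before user
+    # accounts are active.
+    permit_ssh_root: true
+    # create hashed passwords like this:
+    #      $ diceware -d '-' -n 6 --no-caps | tee mypw | mkpasswd -s --method=sha-512 >> mypw
+    admin_users:
+      uli:
+        hashed_pw: "$6$W3DjhWuk/dDzw2F$ozaXblaUYnEX6NiS9jg.NYFelyPIV8ySxDJGNwbPpTd.oAnmA.754pntuGT1XP.cAcpkCI5b9zWSgOQ09f5HG1"
+
+  roles:
+  - openssh
+
+  handlers:
+  - name: "Restart sshd"
+    service:
+      name="ssh"
+      enabled=yes
+      state=restarted
 
   tasks:
-    - name: "bootstrap | update authorized key of 'deploy'"
-      authorized_key:
-        user="{{ deploy_user }}"
-        key="{{ deploy_public_key }}"
+  - name: Create admin users
+    user:
+      name: "{{ item.key }}"
+      shell: /bin/bash
+      groups: sudo
+      password: "{{ item.value.hashed_pw }}"
+      update_password: on_create
+      state: present
+    with_dict: "{{ admin_users }}"
 
-    - name: "bootstrap | grant sudoers perms to 'deploy'"
-      lineinfile:
-        dest=/etc/sudoers
-        insertafter="^root"
-        line="{{ deploy_user }}  ALL=(ALL) NOPASSWD{{ ':' }} ALL"
-        state=present
-
-  roles:
-    - openssh
-    - core
+  - name: Disable SSH root access
+    # make sure this is not run before you can log in otherwise!
+    lineinfile:
+      dest=/etc/ssh/sshd_config
+      backrefs=yes
+      line='PermitRootLogin no'
+      regexp='^PermitRootLogin yes'
+      state=present
+    notify: "restart sshd"
+    when: not permit_ssh_root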
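Review bot: The notify target on the last added line, `notify: "restart sshd"`, does not match the handler declared as `- name: "Restart sshd"`; Ansible compares handler names as exact strings, so as far as I can tell the sshd restart never fires after `PermitRootLogin` is rewritten (or the play aborts on the unknown handler, depending on the Ansible version) and the old configuration stays live until something else restarts the daemon. The fix is one line, `notify: "Restart sshd"`. Separately, `backrefs=yes` together with `regexp='^PermitRootLogin yes'` only rewrites a line that already exists, so on a host whose sshd_config carries a commented-out or different default (for example `prohibit-password`) the task reports ok without actually disabling root login unless the openssh role has written that exact line first; dropping `backrefs` and matching on `regexp='^PermitRootLogin'` makes the task add the directive when it is missing. The SHA-512 crypt hash under `admin_users` is committed to the repository, which exposes the admin password to offline guessing; keeping it in an ansible-vault file or an untracked vars file would avoid that. The play may continue past the end of the hunk.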