Compare commits
No commits in common. "66eff65bae6d7ba0dbd3cef225557c90426cd2b7" and "7dea9091003923bec455a6fcf64eaf0a9cdc11f4" have entirely different histories.
66eff65bae
...
7dea909100
2
.gitignore
2
.gitignore
@ -1,2 +0,0 @@
|
|||||||
vault
|
|
||||||
.vault_pass
|
|
19
Makefile
19
Makefile
@ -1,20 +1,15 @@
|
|||||||
init:
|
|
||||||
ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "inventory/hosts.yml" "init.yml"
|
|
||||||
|
|
||||||
install:
|
install:
|
||||||
ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "inventory/hosts.yml" "bootstrap.yml" --extra-vars "enable_setup=true enable_wireguard=true enable_k3s=true"
|
ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "inventory/hosts.yml" "init.yml" --extra-vars "enable_setup=true enable_wireguard=true enable_k3s=true"
|
||||||
|
|
||||||
|
setup:
|
||||||
|
ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "inventory/hosts.yml" "init.yml" --extra-vars "enable_setup=true enable_wireguard=false enable_k3s=false"
|
||||||
|
|
||||||
wg:
|
wg:
|
||||||
ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "inventory/hosts.yml" "bootstrap.yml" --extra-vars "enable_wireguard=true enable_k3s=false"
|
ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "inventory/hosts.yml" "init.yml" --extra-vars "enable_setup=false enable_wireguard=true enable_k3s=false"
|
||||||
|
|
||||||
k3s:
|
k3s:
|
||||||
ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "inventory/hosts.yml" "bootstrap.yml" --extra-vars "enable_wireguard=false enable_k3s=true"
|
ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "inventory/hosts.yml" "init.yml" --extra-vars "enable_setup=false enable_wireguard=false enable_k3s=true"
|
||||||
|
|
||||||
uninstall:
|
uninstall:
|
||||||
ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "inventory/hosts.yml" "k3s-ansible/reset.yml"
|
ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "inventory/hosts.yml" "k3s-ansible/reset.yml"
|
||||||
|
|
||||||
ping:
|
|
||||||
ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible all -i inventory/hosts.yml --extra-vars "@inventory/vars/main.yaml" -m ping
|
|
||||||
|
|
||||||
ping-unprovisioned:
|
|
||||||
ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible all -i inventory/unprovisioned.yml -m ping
|
|
||||||
|
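Review bot: Every target keeps `ANSIBLE_HOST_KEY_CHECKING=False`, which disables SSH host-key verification on routine runs (`wg`, `k3s`, `uninstall`) where the hosts' keys are already known, not only on first contact; with one inventory host reachable on a public address, scope it to the first-provisioning target and let the other targets rely on a populated `known_hosts`. The `wg` target passes `enable_wireguard=true` to `init.yml`, whose new version uses that flag to run the headscale role while the wireguard import is commented out, so the target name no longer matches what it does — rename it or introduce a separate flag. The `ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass` prefix is dropped from all targets while the `.vault_pass` entry is also removed from `.gitignore`, so the become password now has to live in plaintext inventory; keeping the vault path (or `--ask-become-pass`) for `ansible_become_password` would avoid that.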
68
README.md
68
README.md
@ -1,64 +1,44 @@
|
|||||||
# Ansible
|
# Ansible
|
||||||
|
|
||||||
Catalogue of Ansible playbooks and helper scripts for server management
|
Catalogue of Ansible playbooks and helper scripts for server management
|
||||||
atmen: slave, servant
|
|
||||||
|
|
||||||
## Configuration options
|
## TODO
|
||||||
### SSH Ports
|
- Split user provisioning to get rid of `creator` and use `atmen` as fast as possible | This should be done using two differnt playbooks, and switch user between the two
|
||||||
The ssh port can be configured in 2 steps:
|
- Add configuration for `creator` to lock the account after initial provisioning, only allowing short connection with returned message
|
||||||
1. Change the `ansible_ssh_port` variable in `inventory/group_vars/all.yml`
|
|
||||||
2. Change the `sshd_port` variable in `inventory/vars/unprovisioned.yaml`
|
### Disable creator
|
||||||
|
Change `~/.profile` to only contain a print message and `exit 0`
|
||||||
|
Add `.hushlogin` to remove ssh login message
|
||||||
|
|
||||||
## Node configuration process
|
## Node configuration process
|
||||||
### Provisioning
|
### Setup user configuration
|
||||||
- Add atmen user for provisioning
|
- Create provisioning user without password and sudo
|
||||||
- Configure SSH key for atmen user
|
- Create tanguy user with password
|
||||||
- Add maintainer user
|
|
||||||
- Configure SSH key for maintainer user
|
|
||||||
- Disable root login (passwd --lock root)
|
- Disable root login (passwd --lock root)
|
||||||
- Disable SSH login for creator user
|
|
||||||
- Disable SSH password login
|
|
||||||
- Change SSH port
|
|
||||||
|
|
||||||
### SSH Setup
|
### SSH Setup
|
||||||
- Install fail2ban
|
- Install fail2ban
|
||||||
|
- Disable SSH password login
|
||||||
|
- Change SSH port
|
||||||
|
|
||||||
### Miscellaneous
|
### Miscellaneous
|
||||||
- Disable unattended-upgrade is installed
|
- Test if unattended-upgrade is installed
|
||||||
|
- Disable if true
|
||||||
- Disable IPv6
|
- Disable IPv6
|
||||||
- Setup hostname
|
- Setup hostname
|
||||||
- Install open-iscsi, nfs-common, nfs-utils
|
|
||||||
|
|
||||||
### OMV configuration
|
### Softwares
|
||||||
- Install OMV through OMV-extras
|
- Install k3s with token
|
||||||
- (lab) Add Vagrant user to SSH group
|
- Install OMV for NAS node*(s)
|
||||||
- Add atmen user to sudoers
|
|
||||||
- Install openmediavault-zfs, openmediavault-s3, openmediavault-filebrowser
|
|
||||||
|
|
||||||
# OMV manual configuration
|
## Update system
|
||||||
|
- General package manager update
|
||||||
|
|
||||||
|
# Additional configuration
|
||||||
|
- Add label to output node on k3s to enable load balancer
|
||||||
|
|
||||||
|
# OMV configuration
|
||||||
## NFS configuration
|
## NFS configuration
|
||||||
- Create FS
|
- Create FS
|
||||||
- Enable NFS
|
- Enable NFS
|
||||||
- `subtree_check,insecure,no_root_squash,anonuid=1000,anongid=100` in NFS share extra options
|
- `subtree_check,insecure,no_root_squash,anonuid=1000,anongid=100` in NFS share extra options
|
||||||
|
|
||||||
# Vault
|
|
||||||
Sensitive data is stored under two files in the `vault` directory:
|
|
||||||
- `user_provisioning.yml` contains the vault password
|
|
||||||
- `vault.yml` contains the sensitive data
|
|
||||||
|
|
||||||
## user_provisioning.yml
|
|
||||||
Configure users for provisioning and manual maintenance
|
|
||||||
```yaml
|
|
||||||
vault_atmen_password: <atmen_password>
|
|
||||||
vault_maintainer_user: <your_user>
|
|
||||||
vault_maintainer_password: <maintainer_password>
|
|
||||||
```
|
|
||||||
|
|
||||||
## vault.yml
|
|
||||||
Configure k3s secrets
|
|
||||||
```yaml
|
|
||||||
ansible_become_password: <atmen_password>
|
|
||||||
token: <k3s_token>
|
|
||||||
```
|
|
||||||
|
|
||||||
To avoid pasting your vault password everytime, you can create a `.vault_pass` file in the root directory with the vault password.
|
|
||||||
|
@ -1,29 +0,0 @@
|
|||||||
---
|
|
||||||
- hosts: all
|
|
||||||
gather_facts: no
|
|
||||||
tasks:
|
|
||||||
- name: Include vault vars
|
|
||||||
include_vars:
|
|
||||||
file: "{{ playbook_dir ~ '/vault/secrets' }}"
|
|
||||||
- name: Include vars
|
|
||||||
include_vars:
|
|
||||||
file: inventory/vars/main.yaml
|
|
||||||
- name: Wait for hosts
|
|
||||||
ansible.builtin.wait_for_connection:
|
|
||||||
timeout: 60
|
|
||||||
- name: Gathering facts
|
|
||||||
setup:
|
|
||||||
- name: Start basic node configuration
|
|
||||||
include_role:
|
|
||||||
name: node-configuration
|
|
||||||
when: enable_setup | bool
|
|
||||||
- name: Configure headscale
|
|
||||||
include_role:
|
|
||||||
name: headscale
|
|
||||||
when: enable_headscale|bool
|
|
||||||
- name: Configure wireguard
|
|
||||||
ansible.builtin.import_playbook: wireguard/wireguard.yml
|
|
||||||
when: enable_wireguard|bool
|
|
||||||
- name: Configure k3s
|
|
||||||
ansible.builtin.import_playbook: k3s-ansible/site.yml
|
|
||||||
when: enable_k3s | bool
|
|
24
init.yml
24
init.yml
@ -1,15 +1,17 @@
|
|||||||
---
|
---
|
||||||
- hosts: all
|
- hosts: all
|
||||||
gather_facts: no
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: Add unprovisioned vars
|
- name: Start basic node configuration
|
||||||
include_vars:
|
|
||||||
file: inventory/vars/unprovisioned.yaml
|
|
||||||
- name: Wait for hosts
|
|
||||||
ansible.builtin.wait_for_connection:
|
|
||||||
timeout: 60
|
|
||||||
- name: Gathering facts
|
|
||||||
setup:
|
|
||||||
- name: Provision users
|
|
||||||
include_role:
|
include_role:
|
||||||
name: user-provision
|
name: node-configuration
|
||||||
|
when: enable_setup | bool
|
||||||
|
- name: Configure headscale
|
||||||
|
include_role:
|
||||||
|
name: headscale
|
||||||
|
when: enable_wireguard | bool
|
||||||
|
# - name: Configure wireguard
|
||||||
|
# ansible.builtin.import_playbook: wireguard/wireguard.yml
|
||||||
|
# when: enable_wireguard|bool == true
|
||||||
|
- name: Configure k3s
|
||||||
|
ansible.builtin.import_playbook: k3s-ansible/site.yml
|
||||||
|
when: enable_k3s | bool
|
||||||
|
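Review bot: `when: enable_wireguard | bool` on the `Configure headscale` task gates a headscale role on the WireGuard flag while the wireguard import just below it is commented out, so `enable_wireguard=true` from the Makefile now installs headscale; the deleted playbook at `-1,29 +0,0` used a dedicated `when: enable_headscale|bool`, and restoring that flag keeps the two features separately switchable. `ansible.builtin.import_playbook` is a play-level keyword, not a task module, so if `Configure k3s` sits inside `tasks:` as the listing order suggests, the playbook fails to parse; it belongs as a top-level entry after the `hosts: all` play, e.g. `- name: Configure k3s` / `ansible.builtin.import_playbook: k3s-ansible/site.yml` / `when: enable_k3s | bool` at column 0. Dropping `gather_facts: no` together with the `Wait for hosts` task means facts are gathered on first contact with no retry window, so a host that is still booting fails the play instead of being waited for.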
@ -1,11 +1,6 @@
|
|||||||
---
|
---
|
||||||
k3s_version: "v1.29.2+k3s1"
|
k3s_version: "v1.29.2+k3s1"
|
||||||
systemd_dir: "/etc/systemd/system"
|
systemd_dir: "/etc/systemd/system"
|
||||||
api_endpoint: "{{ hostvars[groups['server'][0]]['wireguard_ip'] | default(groups['server'][0]) }}"
|
master_ip: "{{ hostvars[groups['master'][0]]['wireguard_ip'] | default(groups['master'][0]) }}"
|
||||||
extra_server_args: "--disable traefik --advertise-address {{hostvars[inventory_hostname]['wireguard_ip']}} --flannel-iface wg0 --tls-san {{ ansible_host }} --disable servicelb {{ ['--node-label']|product(hostvars[inventory_hostname]['k3s_label'])|map('join', ' ')|join(' ') }}"
|
extra_server_args: "--disable traefik --advertise-address {{hostvars[inventory_hostname]['wireguard_ip']}} --flannel-iface wg0 --tls-san {{ ansible_host }} --disable servicelb {{ ['--node-label']|product(hostvars[inventory_hostname]['k3s_label'])|map('join', ' ')|join(' ') }}"
|
||||||
extra_agent_args: "--flannel-iface wg0 --node-external-ip {{hostvars[inventory_hostname]['wireguard_ip']}} {{ ['--node-label']|product(hostvars[inventory_hostname]['k3s_label'])|map('join', ' ')|join(' ') }}"
|
extra_agent_args: "--flannel-iface wg0 --node-external-ip {{hostvars[inventory_hostname]['wireguard_ip']}} {{ ['--node-label']|product(hostvars[inventory_hostname]['k3s_label'])|map('join', ' ')|join(' ') }}"
|
||||||
ansible_python_interpreter: /usr/bin/python3
|
|
||||||
ansible_ssh_port: 22
|
|
||||||
ufw_enabled: false
|
|
||||||
wireguard_port: 51820
|
|
||||||
wireguard_mask_bits: 8
|
|
||||||
|
@ -1,36 +0,0 @@
|
|||||||
all:
|
|
||||||
hosts:
|
|
||||||
cp:
|
|
||||||
ansible_host: 192.168.56.101
|
|
||||||
is_nas: false
|
|
||||||
hostname: cp
|
|
||||||
wireguard_ip: 10.20.0.1
|
|
||||||
k3s_label:
|
|
||||||
- type=worker
|
|
||||||
- size=wide
|
|
||||||
vps:
|
|
||||||
ansible_host: 192.168.56.102
|
|
||||||
is_nas: false
|
|
||||||
hostname: vps
|
|
||||||
wireguard_ip: 10.20.0.2
|
|
||||||
k3s_label:
|
|
||||||
- type=outbound
|
|
||||||
children:
|
|
||||||
server:
|
|
||||||
hosts:
|
|
||||||
cp:
|
|
||||||
agent:
|
|
||||||
hosts:
|
|
||||||
vps:
|
|
||||||
k3s_cluster:
|
|
||||||
children:
|
|
||||||
server:
|
|
||||||
agent:
|
|
||||||
vars:
|
|
||||||
k3s_version: v1.28.5+k3s1
|
|
||||||
api_endpoint: "{{ hostvars[groups['server'][0]]['wireguard_ip'] | default(groups['server'][0]) }}"
|
|
||||||
extra_server_args: "--disable traefik --advertise-address {{hostvars[inventory_hostname]['wireguard_ip']}} --flannel-iface wg0 --tls-san {{hostvars[inventory_hostname]['wireguard_ip']}} --disable servicelb {{ ['--node-label']|product(hostvars[inventory_hostname]['k3s_label'])|map('join', ' ')|join(' ') }}"
|
|
||||||
extra_agent_args: "--flannel-iface wg0 --node-external-ip {{hostvars[inventory_hostname]['wireguard_ip']}} {{ ['--node-label']|product(hostvars[inventory_hostname]['k3s_label'])|map('join', ' ')|join(' ') }}"
|
|
||||||
ufw_enabled: false
|
|
||||||
wireguard_port: 51820
|
|
||||||
wireguard_mask_bits: 8
|
|
@ -1,28 +1,45 @@
|
|||||||
all:
|
all:
|
||||||
hosts:
|
hosts:
|
||||||
cp:
|
|
||||||
ansible_host: 192.168.56.101
|
|
||||||
is_nas: false
|
|
||||||
hostname: cp
|
|
||||||
wireguard_ip: 10.20.0.1
|
|
||||||
k3s_label:
|
|
||||||
- type=worker
|
|
||||||
- size=wide
|
|
||||||
vps:
|
|
||||||
ansible_host: 192.168.56.102
|
|
||||||
is_nas: false
|
|
||||||
hostname: vps
|
|
||||||
wireguard_ip: 10.20.0.2
|
|
||||||
k3s_label:
|
|
||||||
- type=outbound
|
|
||||||
children:
|
|
||||||
server:
|
|
||||||
hosts:
|
|
||||||
cp:
|
cp:
|
||||||
agent:
|
ansible_host: 10.10.0.64
|
||||||
hosts:
|
is_nas: false
|
||||||
vps:
|
hostname: cp
|
||||||
k3s_cluster:
|
wireguard_ip: 10.20.0.2
|
||||||
children:
|
outsider:
|
||||||
server:
|
ansible_host: 51.15.60.240
|
||||||
agent:
|
is_nas: false
|
||||||
|
hostname: outsider
|
||||||
|
wireguard_ip: 10.20.0.1
|
||||||
|
children:
|
||||||
|
master:
|
||||||
|
hosts:
|
||||||
|
cp:
|
||||||
|
node:
|
||||||
|
hosts:
|
||||||
|
outsider:
|
||||||
|
etcd_cluster:
|
||||||
|
hosts:
|
||||||
|
cp:
|
||||||
|
outsider:
|
||||||
|
master:
|
||||||
|
hosts:
|
||||||
|
cp:
|
||||||
|
replica:
|
||||||
|
hosts:
|
||||||
|
outsider:
|
||||||
|
postgres_cluster:
|
||||||
|
children:
|
||||||
|
master:
|
||||||
|
replica:
|
||||||
|
k3s_cluster:
|
||||||
|
children:
|
||||||
|
master:
|
||||||
|
node:
|
||||||
|
vars:
|
||||||
|
ansible_ssh_private_key_file: ~/.ssh/creator
|
||||||
|
ansible_user: creator
|
||||||
|
ansible_become_password: aberation
|
||||||
|
ansible_ssh_port: 22
|
||||||
|
ufw_enabled: false
|
||||||
|
wireguard_port: 51820
|
||||||
|
wireguard_mask_bits: 8
|
||||||
|
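Review bot: `ansible_become_password: aberation` is a plaintext sudo password committed in the inventory next to the `creator` user, its key path and a public address; since the same compare drops `vault` and `.vault_pass` from `.gitignore` and the vault include from `init.yml`, nothing keeps this out of the repository history. Store it as an ansible-vault encrypted value (`ansible-vault encrypt_string` yields an inline `!vault |` block) or pass `--ask-become-pass` from the Makefile, and rotate the password on every host already provisioned with it. The `children:` block also lists `master:` twice (once before `node:` and again before `replica:`); if both are direct children as the flat listing suggests, YAML loaders either reject the duplicate key or keep only the last definition, so give the postgres groups distinct names and reference those from `postgres_cluster`.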
@ -1,2 +0,0 @@
|
|||||||
ansible_ssh_private_key_file: ~/.ssh/atmen
|
|
||||||
ansible_user: atmen
|
|
@ -1,5 +0,0 @@
|
|||||||
ansible_ssh_private_key_file: ~/.ssh/creator
|
|
||||||
ansible_user: creator
|
|
||||||
ansible_become_password: aberation
|
|
||||||
ansible_ssh_port: 22
|
|
||||||
sshd_port: 22
|
|
@ -1 +0,0 @@
|
|||||||
vagrant: true
|
|
@ -1 +1 @@
|
|||||||
Subproject commit 9c8ba5c1555944f02f7ffadc3b0839530b2782f7
|
Subproject commit fe3df5c836fa93e0a7de3a588a07095112833bbb
|
4
misc/defaults/main.yml
4
misc/defaults/main.yml
@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
# defaults file for misc
|
||||||
|
ansible_default_user: autositos
|
||||||
|
ssh_key_filename: id_autositos_rsa
|
2
misc/handlers/main.yml
2
misc/handlers/main.yml
@ -0,0 +1,2 @@
|
|||||||
|
---
|
||||||
|
# handlers file for misc
|
@ -21,6 +21,24 @@ galaxy_info:
|
|||||||
# If this a Container Enabled role, provide the minimum Ansible Container version.
|
# If this a Container Enabled role, provide the minimum Ansible Container version.
|
||||||
# min_ansible_container_version:
|
# min_ansible_container_version:
|
||||||
|
|
||||||
|
#
|
||||||
|
# Provide a list of supported platforms, and for each platform a list of versions.
|
||||||
|
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
|
||||||
|
# To view available platforms and versions (or releases), visit:
|
||||||
|
# https://galaxy.ansible.com/api/v1/platforms/
|
||||||
|
#
|
||||||
|
# platforms:
|
||||||
|
# - name: Fedora
|
||||||
|
# versions:
|
||||||
|
# - all
|
||||||
|
# - 25
|
||||||
|
# - name: SomePlatform
|
||||||
|
# versions:
|
||||||
|
# - all
|
||||||
|
# - 1.0
|
||||||
|
# - 7
|
||||||
|
# - 99.99
|
||||||
|
|
||||||
galaxy_tags: []
|
galaxy_tags: []
|
||||||
# List tags for your role here, one per line. A tag is a keyword that describes
|
# List tags for your role here, one per line. A tag is a keyword that describes
|
||||||
# and categorizes the role. Users find roles by searching for tags. Be sure to
|
# and categorizes the role. Users find roles by searching for tags. Be sure to
|
2
misc/tasks/main.yml
2
misc/tasks/main.yml
@ -0,0 +1,2 @@
|
|||||||
|
---
|
||||||
|
# tasks file for misc
|
32
misc/tasks/user.yml
32
misc/tasks/user.yml
@ -0,0 +1,32 @@
|
|||||||
|
---
|
||||||
|
- name: Create provisioning user
|
||||||
|
hosts: all
|
||||||
|
become: true
|
||||||
|
gather_facts: false
|
||||||
|
tasks:
|
||||||
|
- name: Create user
|
||||||
|
ansible.builtin.user:
|
||||||
|
name: "{{ ansible_default_user }}"
|
||||||
|
comment: Automation user for ansible
|
||||||
|
state: present
|
||||||
|
append: yes
|
||||||
|
system: True
|
||||||
|
create_home: True
|
||||||
|
|
||||||
|
- name: Generate master SSH key
|
||||||
|
community.crypto.openssh_keypair:
|
||||||
|
path: "/home/{{ ansible_default_user }}/.ssh/{{ ssh_key_filename }}"
|
||||||
|
type: rsa
|
||||||
|
size: 4096
|
||||||
|
state: present
|
||||||
|
force: no
|
||||||
|
tags:
|
||||||
|
- init
|
||||||
|
|
||||||
|
- name: Deploy SSH public key
|
||||||
|
ansible.posix.authorized_key:
|
||||||
|
user: "{{ ansible_default_user }}"
|
||||||
|
state: present
|
||||||
|
key: "{{ lookup('file', '/home/{{ ansible_default_user }}/.ssh/{{ ssh_key_filename }}.pub') }}"
|
||||||
|
when: "'init' not in ansible_run_tags"
|
||||||
|
|
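Review bot: `key: "{{ lookup('file', '/home/{{ ansible_default_user }}/.ssh/{{ ssh_key_filename }}.pub') }}"` nests moustaches inside a Jinja expression (the inner `{{ }}` is not expanded) and `lookup('file', …)` reads from the controller, whereas `community.crypto.openssh_keypair` wrote the key on the managed host; register the keypair task (`register: autositos_key`) and use its return value, `key: "{{ autositos_key.public_key }}"`. The play runs with `become: true` and `openssh_keypair` is given no `owner`/`group`, so the private key under the new user's home is presumably left root-owned, and nothing here creates `~/.ssh` before the key is written; add an `ansible.builtin.file` task creating `/home/{{ ansible_default_user }}/.ssh` (`state: directory`, `mode: '0700'`, owned by that user) and set `owner`, `group` and `mode: '0600'` on the keypair. As written the private key stays on each managed host and only authorizes that host's own account, so unless it is fetched elsewhere the controller cannot use `autositos` for later runs — confirm that is intended. This file is also a full play (`hosts: all`) inside the role's `tasks/` directory, which `import_tasks`/`include_tasks` cannot load, and the empty `tasks/main.yml` never references it.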
2
misc/tests/inventory
2
misc/tests/inventory
@ -0,0 +1,2 @@
|
|||||||
|
localhost
|
||||||
|
|
5
misc/tests/test.yml
5
misc/tests/test.yml
@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
- hosts: localhost
|
||||||
|
remote_user: root
|
||||||
|
roles:
|
||||||
|
- misc
|
2
misc/vars/main.yml
2
misc/vars/main.yml
@ -0,0 +1,2 @@
|
|||||||
|
---
|
||||||
|
# vars file for misc
|
2
node-configuration/defaults/main.yml
2
node-configuration/defaults/main.yml
@ -0,0 +1,2 @@
|
|||||||
|
---
|
||||||
|
# defaults file for node-configuration
|
@ -1,4 +1,9 @@
|
|||||||
---
|
---
|
||||||
|
# tasks file for node-configuration
|
||||||
|
- name: Setup user configuration
|
||||||
|
import_tasks: ./users.yml
|
||||||
|
become: yes
|
||||||
|
|
||||||
- name: Configure and harden SSH
|
- name: Configure and harden SSH
|
||||||
import_tasks: ./ssh.yml
|
import_tasks: ./ssh.yml
|
||||||
become: yes
|
become: yes
|
||||||
|
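Review bot: `import_tasks: ./users.yml` is added, but no `node-configuration/tasks/users.yml` appears in this compare, and the `vars/users.yml` that is added is not loaded automatically — a role only auto-loads `vars/main.yml` and `defaults/main.yml` — so `maintainer_user`/`maintainer_password` stay undefined unless the tasks file pulls them in with `include_vars: users.yml`. If `tasks/users.yml` already exists outside this compare the import is fine; otherwise the role fails at parse time. The tasks file continues outside the hunk.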
@ -16,13 +16,12 @@
|
|||||||
- name: Install OMV-extras
|
- name: Install OMV-extras
|
||||||
ansible.builtin.shell: /tmp/omv-extras.install -n -f >> /tmp/omv-extras.log
|
ansible.builtin.shell: /tmp/omv-extras.install -n -f >> /tmp/omv-extras.log
|
||||||
|
|
||||||
# Check for vagrant variable, indicating we are running in a lab environment
|
# TODO: Only enable this within Homelab configuration
|
||||||
- name: Add Vagrant user to ssh group
|
- name: Add Vagrant user to ssh group
|
||||||
ansible.builtin.user:
|
ansible.builtin.user:
|
||||||
name: vagrant
|
name: vagrant
|
||||||
groups: ssh
|
groups: ssh
|
||||||
append: yes
|
append: yes
|
||||||
when: vagrant | default(false)
|
|
||||||
|
|
||||||
- name: Add Ansible user to ssh group
|
- name: Add Ansible user to ssh group
|
||||||
ansible.builtin.user:
|
ansible.builtin.user:
|
||||||
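Review bot: Removing `when: vagrant | default(false)` from `Add Vagrant user to ssh group` makes the task unconditional, and `ansible.builtin.user` with `name: vagrant` creates the account when it is absent, so every inventory host — including the one on a public address — ends up with a `vagrant` user in the `ssh` group. The replacement comment `# TODO: Only enable this within Homelab configuration` describes exactly the guard that was just deleted; keep the task gated, `when: vagrant | default(false)`, until the homelab split exists. The task list continues outside the hunk.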
|
@ -19,3 +19,18 @@
|
|||||||
ansible.builtin.package:
|
ansible.builtin.package:
|
||||||
name: fail2ban
|
name: fail2ban
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
|
- name: Disable password login
|
||||||
|
lineinfile:
|
||||||
|
dest: "/etc/ssh/sshd_config"
|
||||||
|
regexp: '^(#\s*)?PasswordAuthentication '
|
||||||
|
line: "PasswordAuthentication no"
|
||||||
|
notify: restart sshd
|
||||||
|
|
||||||
|
- name: Change SSH port
|
||||||
|
lineinfile:
|
||||||
|
dest: "/etc/ssh/sshd_config"
|
||||||
|
regexp: "^Port "
|
||||||
|
line: "Port {{ sshd_port }}"
|
||||||
|
notify: restart sshd
|
||||||
|
when: 0 > 1
|
||||||
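Review bot: `when: 0 > 1` on `Change SSH port` is a dead guard that reads like a typo; if the port change is meant to stay off until `sshd_port` is defined again (it was removed from the unprovisioned vars in this compare), say so explicitly with `when: sshd_port is defined`, which also prevents an undefined-variable failure in `line: "Port {{ sshd_port }}"` once the guard is lifted. Both new tasks `notify: restart sshd`, but the only handler on this page that listens for `restart sshd` is in the file deleted at `-1,8 +0,0`; unless node-configuration has its own handler outside this compare, the play errors with a not-found handler on the first change. Disabling `PasswordAuthentication` before key-based login for the provisioning user has been verified can lock the controller out, so order this task after a successful key login check, and note that on distributions shipping `/etc/ssh/sshd_config.d/*.conf` an include there can override the edited line. The surrounding task list continues outside the hunk.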
|
2
node-configuration/tests/inventory
2
node-configuration/tests/inventory
@ -0,0 +1,2 @@
|
|||||||
|
localhost
|
||||||
|
|
5
node-configuration/tests/test.yml
5
node-configuration/tests/test.yml
@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
- hosts: localhost
|
||||||
|
remote_user: root
|
||||||
|
roles:
|
||||||
|
- node-configuration
|
2
node-configuration/vars/main.yml
2
node-configuration/vars/main.yml
@ -0,0 +1,2 @@
|
|||||||
|
---
|
||||||
|
# vars file for node-configuration
|
3
node-configuration/vars/users.yml
3
node-configuration/vars/users.yml
@ -0,0 +1,3 @@
|
|||||||
|
---
|
||||||
|
maintainer_user: joe
|
||||||
|
maintainer_password: testing # To be stored in vault
|
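Review bot: `maintainer_password: testing # To be stored in vault` commits a plaintext credential in role vars; the comment acknowledges it, but the same compare removes the vault include and the `.gitignore` entries for `vault`/`.vault_pass`, so there is no longer a path for it to be stored encrypted. Move the value into an ansible-vault encrypted file (`ansible-vault encrypt_string` produces an inline `!vault |` value) and keep only the reference here, `maintainer_password: "{{ vault_maintainer_password }}"`, and rotate `testing` on any host already provisioned with it.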
@ -1,8 +0,0 @@
|
|||||||
---
|
|
||||||
- name: Restart sshd service
|
|
||||||
ansible.builtin.service:
|
|
||||||
name: sshd
|
|
||||||
state: restarted
|
|
||||||
listen: "restart sshd"
|
|
||||||
ignore_errors: yes
|
|
||||||
become: yes
|
|
@ -1,60 +0,0 @@
|
|||||||
- block:
|
|
||||||
- include_vars: "{{ playbook_dir ~ '/vault/user_provisioning' }}"
|
|
||||||
# Atmen : slave, servant
|
|
||||||
- name: Add provisioning user "atmen" for ansible
|
|
||||||
ansible.builtin.user:
|
|
||||||
name: atmen
|
|
||||||
comment: Ansible provisioner
|
|
||||||
groups: sudo
|
|
||||||
append: yes
|
|
||||||
shell: /bin/bash
|
|
||||||
password: "{{ vault_atmen_password | password_hash('sha512') }}"
|
|
||||||
|
|
||||||
- name: Set authorized key for atmen
|
|
||||||
ansible.posix.authorized_key:
|
|
||||||
user: atmen
|
|
||||||
state: present
|
|
||||||
key: "{{ lookup('file', atmen_ssh_key_host_path) }}"
|
|
||||||
|
|
||||||
- name: Add maintainer user
|
|
||||||
ansible.builtin.user:
|
|
||||||
name: "{{ vault_maintainer_user }}"
|
|
||||||
comment: Maintainer user
|
|
||||||
groups: sudo
|
|
||||||
append: yes
|
|
||||||
shell: /bin/bash
|
|
||||||
password: "{{ vault_maintainer_password | password_hash('sha512') }}"
|
|
||||||
|
|
||||||
- name: Set authorized key for maintainer user
|
|
||||||
ansible.posix.authorized_key:
|
|
||||||
user: "{{ vault_maintainer_user }}"
|
|
||||||
state: present
|
|
||||||
key: "{{ lookup('file', maintainer_ssh_key_host_path) }}"
|
|
||||||
|
|
||||||
- name: Disable root login
|
|
||||||
ansible.builtin.user:
|
|
||||||
name: root
|
|
||||||
password: '*'
|
|
||||||
|
|
||||||
- name: Disable SSH login for creator
|
|
||||||
ansible.builtin.lineinfile:
|
|
||||||
path: /etc/ssh/sshd_config
|
|
||||||
line: DenyUsers creator
|
|
||||||
state: present
|
|
||||||
|
|
||||||
- name: Disable password login
|
|
||||||
lineinfile:
|
|
||||||
dest: "/etc/ssh/sshd_config"
|
|
||||||
regexp: '^(#\s*)?PasswordAuthentication '
|
|
||||||
line: "PasswordAuthentication no"
|
|
||||||
notify: restart sshd
|
|
||||||
|
|
||||||
- name: Change SSH port
|
|
||||||
lineinfile:
|
|
||||||
dest: "/etc/ssh/sshd_config"
|
|
||||||
regexp: "^Port "
|
|
||||||
line: "Port {{ sshd_port }}"
|
|
||||||
notify: restart sshd
|
|
||||||
changed_when: true
|
|
||||||
|
|
||||||
become: yes
|
|
@ -1,3 +0,0 @@
|
|||||||
---
|
|
||||||
atmen_ssh_key_host_path: ~/.ssh/atmen.pub
|
|
||||||
maintainer_ssh_key_host_path: ~/.ssh/maintainer.pub
|
|