Ansible
Detailed documentation: https://genjin.frama.io/ansible_documentation/
Inspired by https://serversforhackers.com/c/an-ansible-tutorial
Installation
See https://docs.ansible.com/ansible/intro_installation.html ; on a Mac:
sudo easy_install pip
sudo pip install ansible
sudo pip install passlib
Configuration
sudo mkdir /etc/ansible
sudo vi /etc/ansible/hosts
File contents (an inventory group named "hosts" with one machine):
[hosts]
adminweb.colibris-lemouvement.org
Test the configuration (connects as root and runs the ping module on every host of the group):
ansible hosts -m ping -u root
Host installation playbook
We will create the admin user and install the base tools needed to set up the virtual hosts.
mkdir playbooks
vi playbooks/install_host.yml
Contents (the original key=value shorthand has been rewritten in YAML dictionary form; the admin user task now uses ADMIN_USER instead of a hard-coded name, sshd_config is installed with mode 0644 instead of the group-writable 664, the sudoers and sshd_config edits are validated before being written, and the host key fingerprint is displayed so it can be checked on the first client connection):
---
- hosts: hosts
  vars:
    ROOT_PASSWORD: '<un mot de passe vraiment long et dur>'
    ADMIN_USER: admin
    ADMIN_PASSWORD: '<un mot de passe vraiment long et dur>'
    SSH_KEYS:
      - ~/.ssh/id_ed25519.pub
    REQUIRED_PACKAGES:
      - sudo
      - fail2ban
      - unattended-upgrades
    OPTIONAL_PACKAGES:
      - vim
    SSH_PORT: 22001

  tasks:
    - name: Change root password
      user:
        name: root
        password: "{{ ROOT_PASSWORD | password_hash('sha512') }}"

    - name: Update APT package cache
      apt:
        update_cache: yes
        cache_valid_time: 3600

    - name: Upgrade APT to the latest packages
      apt:
        upgrade: safe

    - name: Install required packages
      apt:
        name: "{{ item }}"
        state: present
      with_items: "{{ REQUIRED_PACKAGES }}"

    - name: Install optional packages
      apt:
        name: "{{ item }}"
        state: present
      with_items: "{{ OPTIONAL_PACKAGES }}"

    - name: Creating user {{ ADMIN_USER }} with admin access
      user:
        name: "{{ ADMIN_USER }}"
        password: "{{ ADMIN_PASSWORD | password_hash('sha512') }}"
        groups: sudo
        append: yes
        shell: /bin/bash

    - name: Add {{ ADMIN_USER }} user to sudoers
      lineinfile:
        dest: /etc/sudoers
        regexp: "^{{ ADMIN_USER }} ALL"
        line: "{{ ADMIN_USER }} ALL=(ALL) ALL"
        state: present
        # visudo checks the syntax before the file is replaced, so a typo cannot break sudo
        validate: '/usr/sbin/visudo -cf %s'

    - name: Create group ssh-user
      group:
        name: ssh-user
        state: present

    - name: Add {{ ADMIN_USER }} user to ssh-user
      user:
        name: "{{ ADMIN_USER }}"
        groups: ssh-user
        append: yes

    # All host keys are removed and a fresh ed25519 key is generated on every run:
    # clients will have to update their known_hosts entry after each run.
    - name: Clean old ssh host keys
      file:
        path: "{{ item }}"
        state: absent
      with_items:
        - /etc/ssh/ssh_host_dsa_key
        - /etc/ssh/ssh_host_dsa_key.pub
        - /etc/ssh/ssh_host_ecdsa_key
        - /etc/ssh/ssh_host_ecdsa_key.pub
        - /etc/ssh/ssh_host_ed25519_key
        - /etc/ssh/ssh_host_ed25519_key.pub
        - /etc/ssh/ssh_host_rsa_key
        - /etc/ssh/ssh_host_rsa_key.pub

    - name: Create new ssh host key
      command: ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""

    - name: Create fingerprint of ssh host key
      command: ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub
      register: host_key_fingerprint
      changed_when: false

    - name: Show the fingerprint so it can be compared on the first client connection
      debug:
        var: host_key_fingerprint.stdout

    - name: Add authorized keys for user {{ ADMIN_USER }}
      authorized_key:
        user: "{{ ADMIN_USER }}"
        key: "{{ lookup('file', item) }}"
      with_items: "{{ SSH_KEYS }}"

    - name: Change ssh config file
      template:
        src: ../files/sshd_config
        dest: /etc/ssh/sshd_config
        owner: root
        group: root
        mode: '0644'
        # sshd -t rejects a broken config before it replaces the live one and the handler restarts sshd
        validate: '/usr/sbin/sshd -t -f %s'
      notify: Restart ssh

  handlers:
    - name: Restart ssh
      service:
        name: ssh
        state: restarted
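The playbook renders files/sshd_config with the template module, but the page does not show that file. The template below is an added example, not the original author's file; it assumes the variables and the ssh-user group defined in the playbook above and is written for a Debian/Ubuntu sshd. It moves sshd to SSH_PORT, keeps only the ed25519 host key the playbook generates, restricts logins to the ssh-user group and to public-key authentication, and closes root login, which is why the second playbook run must go through the admin user.

```jinja
# files/sshd_config -- added example, rendered by the "Change ssh config file" task.
# {{ SSH_PORT }} comes from the playbook's vars block (22001 in the page's example).
Port {{ SSH_PORT }}
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::

# Only the key the playbook generates; dsa/ecdsa/rsa keys were deleted.
HostKey /etc/ssh/ssh_host_ed25519_key

# Only members of ssh-user may log in; the playbook adds ADMIN_USER to that group.
AllowGroups ssh-user

# Root is used for the first playbook run only; afterwards every login goes through the admin user.
PermitRootLogin no

# Key-based authentication only; the playbook installs SSH_KEYS for ADMIN_USER.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
UsePAM yes

# Limit brute-force surface (fail2ban installed by the playbook covers the rest).
MaxAuthTries 3
LoginGraceTime 30
X11Forwarding no
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
```

Because the template task is validated with `sshd -t -f %s`, a mistake in this file is rejected before the handler restarts sshd, which avoids locking yourself out of a remote host. Before trusting the new host key from your workstation, compare the fingerprint printed by the playbook's debug task with what `ssh` shows on the first connection to port 22001.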
For the first run, go through root:
ansible-playbook playbooks/install_host.yml -u root
Afterwards, go through the admin user, because root access is blocked and sshd now listens on port 22001 (`-b` asks Ansible to become root with sudo, `-K` prompts for the sudo password; drop `-o UseRoaming=no` on OpenSSH 7.3 or newer, where that client option no longer exists):
ansible-playbook playbooks/install_host.yml -u admin -b -K --ssh-extra-args='-p 22001 -o UseRoaming=no -o IdentitiesOnly=yes -i ~/.ssh/id_ed25519'
Going further
- Take inspiration from the playbooks published on https://galaxy.ansible.com to see how to do even better!
- See the very well done https://debops.org (in particular the preseeds).
- And some nice examples at https://github.com/geerlingguy/ansible-vagrant-examples (there is also code there for a Raspberry Pi cluster managed by Ansible).