Ansible
Detailed documentation: https://genjin.frama.io/ansible_documentation/
(work in progress)
Inspired by https://serversforhackers.com/c/an-ansible-tutorial
Installation
See https://docs.ansible.com/ansible/intro_installation.html; on a Mac:
```bash
sudo easy_install pip
sudo pip install ansible
sudo pip install passlib   # needed by the password_hash filter used in the playbook below
```
Configuration
```bash
sudo mkdir /etc/ansible
sudo vi /etc/ansible/hosts
```
Contents of the file:
```ini
[hosts]
adminweb.colibris-lemouvement.org
```
Test the configuration:
```bash
ansible hosts -m ping -u root
```
Host install playbook
We will create the admin user and install the basic tools needed to set up the virtual hosts.
```bash
mkdir playbooks
vi playbooks/install_host.yml
```
Contents:
```yaml
---
- hosts: hosts
  vars:
    ROOT_PASSWORD: '<un mot de passe vraiment long et dur>'
    ADMIN_USER: admin
    ADMIN_PASSWORD: '<un mot de passe vraiment long et dur>'
    SSH_KEYS:
      - ~/.ssh/id_ed25519.pub
    REQUIRED_PACKAGES:
      - sudo
      - fail2ban
      - unattended-upgrades
    OPTIONAL_PACKAGES:
      - vim
    # Not used directly by the tasks: referenced by the files/sshd_config template
    SSH_PORT: 22001
  tasks:
    - name: Change root password
      user: name=root password="{{ ROOT_PASSWORD | password_hash('sha512') }}"
    - name: Update APT package cache
      apt: update_cache=yes cache_valid_time=3600
    - name: Upgrade APT to the latest packages
      apt: upgrade=safe
    - name: Install required packages
      apt: state=present pkg={{ item }}
      with_items: "{{ REQUIRED_PACKAGES }}"
    - name: Install optional packages
      apt: state=present pkg={{ item }}
      with_items: "{{ OPTIONAL_PACKAGES }}"
    - name: Creating user {{ ADMIN_USER }} with admin access
      user: name={{ ADMIN_USER }} password="{{ ADMIN_PASSWORD | password_hash('sha512') }}" groups=sudo append=yes shell=/bin/bash
    - name: Add {{ ADMIN_USER }} user to sudoers
      lineinfile:
        dest: /etc/sudoers
        regexp: "{{ ADMIN_USER }} ALL"
        line: "{{ ADMIN_USER }} ALL=(ALL) ALL"
        state: present
        # Refuse the edit if the result is not valid sudoers syntax (avoids locking yourself out)
        validate: '/usr/sbin/visudo -cf %s'
    - name: Create group ssh-user
      group:
        name: ssh-user
        state: present
    - name: Add {{ ADMIN_USER }} user to ssh-user
      user: name={{ ADMIN_USER }} groups=ssh-user append=yes
    # The next two tasks delete and regenerate the host key on every run,
    # so clients will see a changed host key after each playbook run
    - name: Clean old ssh host keys
      file: path={{ item }} state=absent
      with_items:
        - /etc/ssh/ssh_host_dsa_key
        - /etc/ssh/ssh_host_dsa_key.pub
        - /etc/ssh/ssh_host_ecdsa_key
        - /etc/ssh/ssh_host_ecdsa_key.pub
        - /etc/ssh/ssh_host_ed25519_key
        - /etc/ssh/ssh_host_ed25519_key.pub
        - /etc/ssh/ssh_host_rsa_key
        - /etc/ssh/ssh_host_rsa_key.pub
    - name: Create new ssh host key
      command: ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
    - name: Create fingerprint of ssh host key
      command: ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub
      register: host_key_fingerprint
    - name: Show the fingerprint so it can be compared on the next connection
      debug: var=host_key_fingerprint.stdout
    - name: Add authorized keys for user {{ ADMIN_USER }}
      authorized_key: user={{ ADMIN_USER }} key="{{ lookup('file', item) }}"
      with_items: "{{ SSH_KEYS }}"
    - name: Change ssh config file
      # mode needs a leading 0 to be read as octal and must not be group-writable;
      # sshd -t rejects a broken file before it replaces the live one
      template: src=../files/sshd_config dest=/etc/ssh/sshd_config owner=root group=root mode=0644 validate='/usr/sbin/sshd -t -f %s'
      notify: Restart ssh
  handlers:
    - name: Restart ssh
      service: name=ssh state=restarted
```
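The playbook copies `files/sshd_config` but the page never shows that file. The template below is an added example (not the page's own file) of what it would contain to match the playbook: `Port` from `SSH_PORT`, `AllowGroups` with the `ssh-user` group, the ed25519 host key only, and root and password logins disabled, which is why later runs use the admin user with a key. Everything beyond those values taken from the playbook is an assumption.

```jinja
# {{ ansible_managed }}
# files/sshd_config (assumed content, rendered by the "Change ssh config file" task)

# Listen on the non-default port defined in the playbook vars
Port {{ SSH_PORT }}

# Only offer the ed25519 host key the playbook (re)generates
HostKey /etc/ssh/ssh_host_ed25519_key

# Authentication: public keys only, no root, no passwords
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
UsePAM yes

# Only members of the ssh-user group created by the playbook may log in
AllowGroups ssh-user

# Limits that blunt password and key guessing (fail2ban handles repeat offenders)
MaxAuthTries 3
LoginGraceTime 30
ClientAliveInterval 300
ClientAliveCountMax 2

X11Forwarding no
Subsystem sftp /usr/lib/openssh/sftp-server
```

Because this file shuts out root and password logins as soon as the handler restarts sshd, it must only be deployed after the authorized_key task has succeeded, which is the order the playbook uses.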
For the first run, connect as root:
```bash
ansible-playbook playbooks/install_host.yml -u root
```
Afterwards run it as the admin user, since root access is blocked:
```bash
ansible-playbook playbooks/install_host.yml -u admin --become --ssh-extra-args='-p 22001 -o UseRoaming=no -o IdentitiesOnly=yes -i ~/.ssh/id_ed25519' -K
```
`--become` replaces the deprecated `-s` flag and `-K` prompts for the admin (sudo) password. `UseRoaming=no` only exists in OpenSSH clients older than 7.3 (newer clients reject the unknown option), so drop it on a current client.
Going further
- Take inspiration from the playbooks published on https://galaxy.ansible.com to see how to do even better!
- See the very well made https://debops.org (especially the preseeds)
- And some nice examples at https://github.com/geerlingguy/ansible-vagrant-examples (there is also code for a Raspberry Pi cluster managed with Ansible)