Ansible


Detailed documentation: https://genjin.frama.io/ansible_documentation/

work in progress

inspired by https://serversforhackers.com/c/an-ansible-tutorial

Installation

see https://docs.ansible.com/ansible/intro_installation.html

for Mac:
sudo easy_install pip
sudo pip install ansible
sudo pip install passlib


Configuration

sudo mkdir /etc/ansible
sudo vi /etc/ansible/hosts

File contents:
[hosts]
adminweb.colibris-lemouvement.org
for now I'm only putting one in, but eventually all the hosts will be listed there

Testing the config:
ansible hosts -m ping -u root
since we don't have any other users yet, this first command runs as the root user

Host installation playbook

we are going to create the admin user and install the basic tools needed to set up the virtual hosts.
mkdir playbooks
vi playbooks/install_host.yml

contents:
---
- hosts: hosts
  vars:
    ROOT_PASSWORD: '<a really long and hard password>'
    ADMIN_USER: admin
    ADMIN_PASSWORD: '<a really long and hard password>'
    SSH_KEYS:
      - ~/.ssh/id_ed25519.pub

    REQUIRED_PACKAGES:
      - sudo
      - fail2ban
      - unattended-upgrades

    OPTIONAL_PACKAGES:
      - vim

    SSH_PORT: 22001

  tasks:
    # password_hash needs passlib on the control machine (installed above)
    - name: Change root password
      user:
        name: root
        password: "{{ ROOT_PASSWORD | password_hash('sha512') }}"

    - name: Update APT package cache
      apt:
        update_cache: yes
        cache_valid_time: 3600

    - name: Upgrade APT to the latest packages
      apt:
        upgrade: safe

    - name: Install required packages
      apt:
        name: "{{ item }}"
        state: present
      with_items: "{{ REQUIRED_PACKAGES }}"

    - name: Install optional packages
      apt:
        name: "{{ item }}"
        state: present
      with_items: "{{ OPTIONAL_PACKAGES }}"

    - name: Creating user {{ ADMIN_USER }} with admin access
      user:
        name: "{{ ADMIN_USER }}"
        password: "{{ ADMIN_PASSWORD | password_hash('sha512') }}"
        groups: sudo
        append: yes
        shell: /bin/bash

    # validate runs visudo on the temporary copy, so a syntax error
    # never reaches the live sudoers file (which would lock sudo out)
    - name: Add {{ ADMIN_USER }} user to sudoers
      lineinfile:
        path: /etc/sudoers
        regexp: "^{{ ADMIN_USER }} ALL"
        line: "{{ ADMIN_USER }} ALL=(ALL) ALL"
        state: present
        validate: 'visudo -cf %s'

    - name: Create group ssh-user
      group:
        name: ssh-user
        state: present

    - name: Add {{ ADMIN_USER }} user to ssh-user
      user:
        name: "{{ ADMIN_USER }}"
        groups: ssh-user
        append: yes

    # the host keys shipped with the image are removed and replaced by a fresh
    # ed25519 key; note that these two tasks run on every play run, so the host
    # key (and the clients' known_hosts entry) changes each time
    - name: Clean old ssh host keys
      file:
        path: "{{ item }}"
        state: absent
      with_items:
        - /etc/ssh/ssh_host_dsa_key
        - /etc/ssh/ssh_host_dsa_key.pub
        - /etc/ssh/ssh_host_ecdsa_key
        - /etc/ssh/ssh_host_ecdsa_key.pub
        - /etc/ssh/ssh_host_ed25519_key
        - /etc/ssh/ssh_host_ed25519_key.pub
        - /etc/ssh/ssh_host_rsa_key
        - /etc/ssh/ssh_host_rsa_key.pub

    - name: Create new ssh host key
      command: ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""

    # the fingerprint is registered and displayed so it can be compared with
    # the known_hosts prompt on the next connection
    - name: Create fingerprint of ssh host key
      command: ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub
      register: host_key_fingerprint

    - name: Show fingerprint of ssh host key
      debug:
        var: host_key_fingerprint.stdout

    - name: Add authorized keys for user {{ ADMIN_USER }}
      authorized_key:
        user: "{{ ADMIN_USER }}"
        key: "{{ lookup('file', item) }}"
      with_items: "{{ SSH_KEYS }}"

    # mode 0644 rather than 664: sshd_config must not be group-writable;
    # validate checks the rendered file with sshd before it replaces the live one
    - name: Change ssh config file
      template:
        src: ../files/sshd_config
        dest: /etc/ssh/sshd_config
        owner: root
        group: root
        mode: '0644'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: Restart ssh

  handlers:
    - name: Restart ssh
      service:
        name: ssh
        state: restarted


For the first run, we go through root:
ansible-playbook playbooks/install_host.yml -u root

Afterwards, as the admin user, since root access is blocked:
ansible-playbook playbooks/install_host.yml -u admin -b --ssh-extra-args='-p 22001 -o UseRoaming=no -o IdentitiesOnly=yes -i ~/.ssh/id_ed25519' -K
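The files/sshd_config template pushed by the "Change ssh config file" task is not shown on this page; the following is an added example of what it could contain, not the author's file. It assumes the SSH_PORT variable, the ssh-user group and the ed25519 host key from the playbook above; the timeout and retry values and the sftp path are choices made here.

```jinja
{# files/sshd_config, rendered by the template task of install_host.yml #}
# {{ ansible_managed }}

# SSH_PORT comes from the play vars (22001 above)
Port {{ SSH_PORT }}
Protocol 2

# only the ed25519 host key generated by the playbook; the dsa/ecdsa/rsa
# keys were deleted, so they must not be referenced here
HostKey /etc/ssh/ssh_host_ed25519_key

# keys only: no passwords, no interactive auth, no root
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
UsePAM yes

# only members of the ssh-user group created by the playbook may log in;
# the admin user was added to it, root was not
AllowGroups ssh-user

# limits chosen for this example (fail2ban still watches the auth log)
LoginGraceTime 30
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
X11Forwarding no

AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
```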


Going further