From 61ddc6eab5666b8619bfbe1b8241e033b011bb17 2015-05-05 01:18:18 From: Branko Majic Date: 2015-05-05 01:18:18 Subject: [PATCH] MAR-13: Updated documentation for the preseed role (added missing parameter description for ansible_key). Remove the ansible key from list of authorised keys for root user at end of bootstrap process. Updated testsite documentation to be more explicit for bootstrap process. --- diff --git a/docs/rolereference.rst b/docs/rolereference.rst index c4af2d60f6a99b927aebdce5a01750027a1353cb..1125c7d74a673d49213e2bec7a456b2c34b3251d 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -15,6 +15,11 @@ partition. A number of common parameters can be provided. Parameters ~~~~~~~~~~ +**ansible_key** (string, mandatory) + SSH public key that should be deployed to authorized_keys truststore for + operating system user ``root``. This is necessary for the bootstrap process + to work since Debian Jessie does not allow password-based logins for root. + **preseed_directory** (mandatory) Destination directory where the preseed files should be stored. @@ -146,6 +151,9 @@ The role implements the following: SSH access). * Configures sudo to allow operating system user ``ansible`` to run sudo commands without password authentication. +* Removes the Ansible user's key from the list of authorized keys for user root + at the end of bootstrap process. This key was necessary only for the bootstrap + process. Parameters diff --git a/docs/testsite.rst b/docs/testsite.rst index c5769fb660682c4bfce6a9867bc261f2d6b11ce8..a9ddf29718e7345d91688a1534cfb52845f70132 100644 --- a/docs/testsite.rst +++ b/docs/testsite.rst 
@@ -70,14 +70,22 @@ In order to deploy the test site, the following steps would normally be taken: 5. Install all servers using the generated preseed files. -6. Invoke the ``bootstrap.yml`` playbook in order to set-up some basic +6. Add the SSH host fingerprints to your ``known_hosts`` file (don't forget to + remove old entries if you are redoing the process). You can easily obtain all + the necessary fingerprints with command: + + .. code-block:: shell + + ssh-keyscan mail.example.com ldap.example.com xmpp.example.com + +7. Invoke the ``bootstrap.yml`` playbook in order to set-up some basic environment for Ansible runs on all servers: .. code-block:: shell ansible-playbook playbooks/bootstrap.yml -7. Finally, apply configuration on all servers: +8. Finally, apply configuration on all servers: .. code-block:: shell diff --git a/roles/bootstrap/tasks/main.yml b/roles/bootstrap/tasks/main.yml index d225e9f7ccd3772d16e1e59367478b1067b8d958..029c6cb743a3e23061df249f8b0bb8af379f0464 100644 --- a/roles/bootstrap/tasks/main.yml +++ b/roles/bootstrap/tasks/main.yml @@ -13,4 +13,7 @@ authorized_key: user=ansible key="{{ ansible_key }}" - name: Set-up password-less sudo for the ansible user - copy: src=ansible_sudo dest=/etc/sudoers.d/ansible mode=640 owner=root group=root \ No newline at end of file + copy: src=ansible_sudo dest=/etc/sudoers.d/ansible mode=640 owner=root group=root + +- name: Revoke rights for Ansible user to log-in as root to server via ssh + authorized_key: user=root key="{{ ansible_key }}" state=absent \ No newline at end of file
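Review bot: in the first rolereference.rst hunk the new ``**ansible_key** (string, mandatory)`` entry uses a type annotation that the neighbouring ``**preseed_directory** (mandatory)`` entry does not; pick one convention for the parameter list. The description should also say what the key is for and how long it stays: it is placed in root's ``authorized_keys`` purely so the bootstrap role can get in, and the bootstrap role in this same patch removes it from root again once the ``ansible`` user is set up, so note here that the same value must be passed to the bootstrap role and that root access via this key is temporary. "authorized_keys truststore" is non-standard wording; "the ``~root/.ssh/authorized_keys`` file" is clearer.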
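Review bot: the second rolereference.rst hunk documents the revocation but not its consequence for re-runs. If, as the commit message implies, ``bootstrap.yml`` reaches the host as root with this key, then after the first successful run the key is gone and a second run against the same host fails at connection time unless it connects as ``ansible``. State that explicitly (e.g. "The bootstrap role is therefore one-shot; re-running it requires re-installing from the preseed or re-adding the key to root"), and make clear that only the Ansible key is removed: any other keys in root's ``authorized_keys`` and root logins on the console are unaffected.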
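Review bot: the new step 6 in testsite.rst lists the host keys but never stores them; ``ssh-keyscan`` only prints to stdout, so the reader needs something like ``ssh-keyscan mail.example.com ldap.example.com xmpp.example.com >> ~/.ssh/known_hosts``. More importantly, ``ssh-keyscan`` accepts whatever key the network hands back, which is exactly the man-in-the-middle case ``known_hosts`` exists to prevent; the step should tell the reader to compare the scanned keys (``ssh-keygen -lf`` on the saved output) against the fingerprints of ``/etc/ssh/ssh_host_*_key.pub`` shown on the freshly installed server's console before appending them. Minor: ``known_hosts`` holds host public keys rather than fingerprints, and ``ssh-keygen -R <host>`` is the tool for the "remove old entries" aside.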
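Review bot: in the roles/bootstrap/tasks/main.yml hunk the new ``state=absent`` task removes root's key without anything first confirming that the ``ansible`` key and the sudo drop-in actually work; if either is wrong the play still completes and, once the session ends, there is no SSH path back to the host. Add a verification step before the revoke (at minimum ``validate='visudo -cf %s'`` on the ``copy`` of ``/etc/sudoers.d/ansible``, ideally a command executed as the ``ansible`` user), keep the revoke as the last task of the role, and rename it to reflect what it does ("Remove Ansible bootstrap key from root's authorized_keys"), since it does not disable root SSH login as such. Also, sudoers(5) and Debian's ``/etc/sudoers.d/README`` expect drop-ins to be mode 0440 rather than the 640 kept on the context line, and the file still ends without a trailing newline on both sides of the hunk.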