Changeset - 0aff90546ac4
[Not reviewed]
Branko Majic (branko) - 2014-11-09 00:49:15
branko@majic.rs
MAR-2: Updated docs formatting a bit. Added documentation for the bootstrap role. Updated bootstrap role a bit to have better authorized key referencing.
2 files changed with 58 insertions and 8 deletions:
0 comments (0 inline, 0 general)
docs/rolereference.rst
 
@@ -38,40 +38,40 @@ Parameters
 
  **keymap** (string, mandatory)
 
    Keymap.
 

	
 
  **network_interface** (string, mandatory)
 
    Name of network interface (for example *eth0*) that should be
 
    configured.
 

	
 
  **network_auto** (boolean, mandatory)
 
    Specifies whether the network configuration should be automatic (using
 
    DHCP) or manual. If manual configuration is selected a number of
 
    additional options needs to be specified.
 

	
 
  **network_ip** (string, mandatory if **network_auto** if *False*)
 
  **network_ip** (string, mandatory if **network_auto** is set to ``no``)
 
    IP address for the server network interface.
 

	
 
  **network_netmask** (string, mandatory if **network_auto** if *False*)
 
  **network_netmask** (string, mandatory if **network_auto** is set to ``no``)
 
    Netmask for the server network interface.
 

	
 
  **network_gateway** (string, mandatory if **network_auto** if *False*)
 
  **network_gateway** (string, mandatory if **network_auto** is set to ``no``)
 
    Default gateway for the server.
 

	
 
  **network_dns** (string, mandatory if **network_auto** if *False*)
 
  **network_dns** (string, mandatory if **network_auto** is set to ``no``)
 
    Comma-separated list of DNS servers.
 

	
 
  **network_hostname** (string, mandatory if **network_auto** if *False*)
 
  **network_hostname** (string, mandatory if **network_auto** is set to ``no``)
 
    Server hostname.
 

	
 
  **network_domain** (string, mandatory if **network_auto** if *False*)
 
  **network_domain** (string, mandatory if **network_auto** is set to ``no``)
 
    Server domain.
 

	
 
  **mirror_hostname** (string, mandatory)
 
    Resolvable hostname of FQDN where the Debian apt repositories can be
 
    found. Only HTTP mirrors are supported.
 

	
 
  **mirror_directory** (string, mandatory)
 
    Directory under which the Debian apt repositories can be found on the
 
    specified mirror.
 

	
 
  **mirror_proxy** (string, optional, default is *None*)
 
    An HTTP proxy that should be used for accessing the Debian apt
 
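Review bot: the new wording "mandatory if **network_auto** is set to ``no``" fixes the doubled "if ... if" and names the literal value a user actually writes, but two wording defects in the unchanged context of this hunk deserve the same pass: under **network_auto**, "a number of additional options needs to be specified" should read "need to be specified", and under **mirror_hostname**, "Resolvable hostname of FQDN" should read "Resolvable hostname or FQDN".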
@@ -122,24 +122,74 @@ automatic and one with manual network configuration:
 
      network_netmask: 255.255.255.0
 
      network_gateway: 10.0.0.1
 
      network_dns: 10.0.0.2,10.0.0.3
 
      network_hostname: test1
 
      network_domain: example.com
 
      mirror_hostname: ftp.se.debian.org
 
      mirror_proxy: http://proxy.example.com/
 
      mirror_directory: /debian
 
      root_password: testserver
 
      timezone: Europe/Stockholm
 

	
 

	
 
Bootstrap
 
---------
 

	
 
The ``bootstrap`` role can be used for bootstraping a new server with
 
Ansible. In order to apply this role to a server, all that is necessary is root
 
access to the server (either via SSH or locally).
 

	
 
The role implements the following:
 

	
 
* Installs sudo package.
 
* Creates operating system user and group for Ansible (``ansible``).
 
* Sets-up an authorized_key for operating system user ``ansible`` (for remote
 
  SSH access).
 
* Configures sudo to allow operating system user ``ansible`` to run sudo
 
  commands without password authentication.
 

	
 

	
 
Parameters
 
~~~~~~~~~~
 

	
 
**ansible_key** (string, mandatory)
 
  SSH public key that should be deployed to authorized_keys truststore for
 
  operating system user ``ansible``.
 

	
 

	
 
Examples
 
~~~~~~~~
 

	
 
Since the role is meant to be used just after the server has been installed, and
 
using the ``root`` account, it is probably going to be invoked from a separate
 
playbook.
 

	
 
For example, a playbook (``bootstrap.yml``) could look something similar to:
 

	
 
.. code-block:: yaml
 

	
 
  ---
 

	
 
  - hosts: "{{ server }}"
 
    remote_user: root
 
    roles:
 
      - bootstrap
 
    vars:
 
      ansible_key: "{{ lookup('file', 'authorized_keys/ansible.pub') }}"
 

	
 
With such a playbook in place, it would be invoked with:
 

	
 
  ansible-playbook --ask-pass -e server=test1.example.com bootstrap.yml
 

	
 

	
 
Common
 
------
 

	
 
The ``common`` role can be used for applying a common configuration and
 
hardening across all servers, no matter what services they provide.
 

	
 
The role implements the following:
 

	
 
* Sets-up umask for all logins to ``0027``.
 
* Installs sudo.
 
* Installs additional base packages, as configured.
 
* Creates additional operating system groups, as configured.
 
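Review bot: the invocation line ``ansible-playbook --ask-pass -e server=test1.example.com bootstrap.yml`` is only indented under "it would be invoked with:", so reStructuredText renders it as a block quote rather than a literal block; end the sentence with ``::`` or wrap the line in a ``.. code-block:: shell`` directive, as the playbook example above already does for YAML. Spelling in the new text: "bootstraping" should be "bootstrapping" and "Sets-up" in the list items should be "Sets up". Since the example depends on ``remote_user: root`` together with ``--ask-pass``, the prose should also state the prerequisite that the freshly installed server still permits password-based root SSH login at that moment, which is exactly why the role is meant to be applied once, right after installation, before the ``common`` hardening takes over.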
@@ -157,25 +207,25 @@ Parameters
 

	
 
  **name** (string, mandatory)
 
    Name of the operating system user that should be created. User's default
 
    group will have the same name as the user.
 

	
 
  **uid** (number, mandatory)
 
    UID for the operating system user. User's default group will have a GID
 
    identical to the user's UID.
 

	
 
  **additional_groups** (string, mandatory)
 
    Comma-separated list of additional groups that a user should belong to. If
 
    no additional groups should be appended to user's list of groups, set it to
 
    empty string.
 
    empty string (``""``).
 

	
 
  **authorized_keys** (list, mandatory)
 
    List of SSH public keys that should be deployed to user's authorized_keys
 
    truststore. If no authorized keys should be deployed, set it to empty list
 
    (``[]``).
 

	
 
  **password** (string, mandatory)
 
    Encrypted password that should be set for the user.
 

	
 
**os_groups** (list, optional)
 
  A list of operating system groups that should be set-up on a server. Each item
 
  is a dictionary with the following options describing the group parameters:
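Review bot: the **password** entry in the unchanged context of this hunk ("Encrypted password that should be set for the user.") should say that the value must already be a hashed password in the form the Ansible ``user`` module accepts, not a plaintext password that the role hashes; as written, a reader could supply the plaintext and end up with an unusable account. The added ``""`` literal itself is fine and matches the ``[]`` literal already shown for **authorized_keys**.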
roles/bootstrap/tasks/main.yml
 
---
 

	
 
- name: Install sudo
 
  apt: name=sudo state=installed
 

	
 
- name: Set-up the Ansible group
 
  group: name=ansible system=yes
 

	
 
- name: Set-up the Ansible user
 
  user: name=ansible system=yes group=ansible shell=/bin/bash
 

	
 
- name: Set-up authorized key for the Ansible user
 
  authorized_key: user=ansible key="{{ lookup('file', ansible_key) }}"
 
  authorized_key: user=ansible key="{{ ansible_key }}"
 

	
 
- name: Set-up password-less sudo for the ansible user
 
  copy: src=ansible_sudo dest=/etc/sudoers.d/ansible mode=640 owner=root group=root
 
\ No newline at end of file
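Review bot: the last task installs ``/etc/sudoers.d/ansible`` with ``mode=640``, but sudoers(5) requires fragments under ``sudoers.d`` to be owned by root and mode 0440; sudo flags a fragment with a looser mode ("is mode 0640, should be 0440") and, depending on version, ignores it, so the password-less sudo this role promises can fail to take effect without the play reporting an error. Use ``mode=0440`` and add ``validate='visudo -cf %s'`` to the ``copy`` task so a malformed fragment fails the task instead of being written into place. The change from ``lookup('file', ansible_key)`` to ``{{ ansible_key }}`` is consistent with the updated docs, which now have the playbook perform the file lookup and pass the key text in the variable.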