majic-ansible-roles Changeset

Changeset - 61ddc6eab566

Parent rev.

Child rev.

[Not reviewed]

0 3 0

Branko Majic (branko) - 11 years ago 2015-05-05 01:18:18
branko@majic.rs

MAR-13: Updated documentation for the preseed role (added missin parameter description for ansible_key). Remove the ansible key from list of authorised keys for root user at end of bootstrap process. Updated testsite documentation to be more explicit for bootstrap process.

3 files changed with 21 insertions and 2 deletions:

docs/rolereference.rst

docs/testsite.rst

roles/bootstrap/tasks/main.yml

0 comments (0 inline, 0 general)

docs/rolereference.rst

➞

Show inline comments

@@ @@ -6,24 +6,29 @@ Preseed @@
 -------
 The ``preseed`` role can be used for generating simple preseed files for Debian
 Wheezy installations.
 The generated preseed files allow simplified installation, with a single root
 partition. A number of common parameters can be provided.
 Parameters
 ~~~~~~~~~~
 **ansible_key** (string, mandatory)
   SSH public key that should be deployed to authorized_keys truststore for
   operating system user ``root``. This is necessary for the bootstrap process
   to work since Debian Jessie does not allow password-based logins for root.
 **preseed_directory** (mandatory)
     Destination directory where the preseed files should be stored.
 **preseed_servers** (mandatory)
   List of servers for which a preseed file should be created. Each item in
   this list defines options for a single server. The options are as follows:
   **name** (string, mandatory)
     Name associated with the server. This name is used in the preseed
     configuration filename.
   **language** (string, mandatory)
@@ @@ -137,24 +142,27 @@ Bootstrap @@
 The ``bootstrap`` role can be used for bootstraping a new server with
 Ansible. In order to apply this role to a server, all that is necessary is root
 access to the server (either via SSH or locally).
 The role implements the following:
 * Installs sudo package.
 * Creates operating system user and group for Ansible (``ansible``).
 * Sets-up an authorized_key for operating system user ``ansible`` (for remote
   SSH access).
 * Configures sudo to allow operating system user ``ansible`` to run sudo
   commands without password authentication.
 * Removes the Ansible user's key from the list of authorized keys for user root
   at the end of bootstrap process. This key was necessary only for the bootstrap
   process.
 Parameters
 ~~~~~~~~~~
 **ansible_key** (string, mandatory)
   SSH public key that should be deployed to authorized_keys truststore for
   operating system user ``ansible``.
 Examples
 ~~~~~~~~

docs/testsite.rst

➞

Show inline comments

    CA chain for the issued end entity certificates from previous step at
    location ``testsite/tls/example_ca_chain.pem``. It is very important to
    include the CA chain used for LDAP server.
 . Generate the preseed files:
   .. code-block:: shell
     ansible-playbook playbooks/preseed.yml
 . Install all servers using the generated preseed files.
 . Invoke the ``bootstrap.yml`` playbook in order to set-up some basic
 . Add the SSH host fingerprints to your ``known_hosts`` file (don't forget to
    remove old entries if you are redoing the process). You can easily obtain all
    the necessary fingerprints with command:
    .. code-block:: shell
       ssh-keyscan mail.example.com ldap.example.com xmpp.example.com
 . Invoke the ``bootstrap.yml`` playbook in order to set-up some basic
    environment for Ansible runs on all servers:
   .. code-block:: shell
     ansible-playbook playbooks/bootstrap.yml
-. Finally, apply configuration on all servers:
+. Finally, apply configuration on all servers:
   .. code-block:: shell
     ansible-playbook playbooks/site.yml
 The playbooks and configurations for test site make a couple of assumptions:
 * Each server will be set-up with an operating system user ``admin``, capable of
   running the sudo commands.
 * The password for operating system user ``admin`` is hard-coded to ``admin``.
 * An SSH ``authorized_keys`` file is set-up for the operating system user
   ``admin``. The SSH key stored in it will be read from location

roles/bootstrap/tasks/main.yml

➞

Show inline comments

@@ @@ -5,12 +5,15 @@ @@
 - name: Set-up the Ansible group
   group: name=ansible system=yes
 - name: Set-up the Ansible user
   user: name=ansible system=yes group=ansible shell=/bin/bash
 - name: Set-up authorized key for the Ansible user
   authorized_key: user=ansible key="{{ ansible_key }}"
 - name: Set-up password-less sudo for the ansible user
   copy: src=ansible_sudo dest=/etc/sudoers.d/ansible mode=640 owner=root group=root
 - name: Revoke rights for Ansible user to log-in as root to server via ssh
   authorized_key: user=root key="{{ ansible_key }}" state=absent
@@ \ No newline at end of file @@

0 comments (0 inline, 0 general)