Init ansible playbook for DFly VPS bootstrap

12 files changed, 200 insertions, 0 deletions

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..68fe279
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,7 @@
+*~
+*.swp
+*.bak
+*.old
+*.retry
+
+/ssh/
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..30e8049
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2018 Aaron LI
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..448573a
--- /dev/null
+++ b/README.md
@@ -0,0 +1,10 @@
+DragonFly BSD Configuration Ansible Playbook
+============================================
+
+Aaron LI
+2017-12-28
+
+References
+----------
+* Securing a Server with Ansible
+  https://ryaneschinger.com/blog/securing-a-server-with-ansible/
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..5ad3e6e
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,20 @@
+#
+# Ansible local config file
+# See `/etc/ansible/ansible.cfg' for the global config file.
+#
+# Aaron LI
+# 2018-02-12
+#
+
+[defaults]
+inventory = ./hosts.yml
+
+# uncomment this to disable SSH key host checking
+#host_key_checking = False
+
+[ssh_connection]
+pipelining = True
+
+# SSH arguments to use
+# Add 'IdentitiesOnly=yes'
+ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s -o IdentitiesOnly=yes
diff --git a/bootstrap.sh b/bootstrap.sh
new file mode 100755
index 0000000..cc0a6a3
--- /dev/null
+++ b/bootstrap.sh
@@ -0,0 +1,35 @@
+#!/bin/sh
+#
+# Copyright (c) 2018 Aaron LI
+# MIT License
+#
+# 2018-01-25
+#
+
+ROOTDIR="${0%/*}"
+PLAYBOOK="${ROOTDIR}/bootstrap.yml"
+echo "Playbook directory: ${ROOTDIR}"
+echo "Playbook: ${PLAYBOOK}"
+
+SSHDIR="${ROOTDIR}/ssh"
+SSHKEY="${SSHDIR}/ansible.key"
+if [ -f "${SSHKEY}" ]; then
+    echo "ERROR: SSH key already exists: ${SSHKEY}"
+    echo "Target machine already been bootstrapped?"
+else
+    [ ! -d "${SSHDIR}" ] && mkdir -v "${SSHDIR}"
+    echo "Generating SSH key ..."
+    ssh-keygen -t ed25519 -C "ansible" -f "${SSHKEY}"
+    echo "Generated SSH key: ${SSHKEY}"
+    echo "Bootstrap target by installing Python2.7 ..."
+    ansible vultr -u root \
+        -m raw -a "pkg install -y python27"
+    ansible-playbook \
+        --verbose --diff \
+        --ask-pass --ask-become-pass \
+        "${PLAYBOOK}"
+    echo "Bootstrapped the target machine!"
+    ansible vultr -u ansible -m ping
+    ansible vultr -u ansible -m command -a whoami
+    ansible vultr -u ansible -m command -a whoami -b
+fi
diff --git a/bootstrap.yml b/bootstrap.yml
new file mode 100644
index 0000000..d01d38e
--- /dev/null
+++ b/bootstrap.yml
@@ -0,0 +1,16 @@
+---
+# To override the bootstrapping host:
+#   $ ansible-playbook bootstrap.yml --extra-vars "host=<host>"
+#
+- name: Bootstrap hosts for Ansible deployment :-)
+  hosts: "{{ host | default('all') }}"
+  user: root
+  gather_facts: false
+
+  vars:
+    deploy_user: ansible
+
+  roles:
+    - bootstrap
+
+# vim: set ft=yaml sw=2: #
diff --git a/group_vars/all b/group_vars/all
new file mode 100644
index 0000000..9c078f2
--- /dev/null
+++ b/group_vars/all
@@ -0,0 +1,5 @@
+---
+deploy_user: ansible
+ansible_ssh_private_key_file: ./ssh/ansible.key
+
+# vim: set ft=yaml sw=2: #
diff --git a/host_vars/vultr b/host_vars/vultr
new file mode 100644
index 0000000..324b8c1
--- /dev/null
+++ b/host_vars/vultr
@@ -0,0 +1,6 @@
+---
+ansible_ssh_host: vultr.liwt.net
+ansible_ssh_port: 8864
+ansible_python_interpreter: /usr/local/bin/python2.7
+
+# vim: set ft=yaml sw=2: #
diff --git a/hosts.yml b/hosts.yml
new file mode 100644
index 0000000..b973ee1
--- /dev/null
+++ b/hosts.yml
@@ -0,0 +1,16 @@
+---
+#
+# Ansible inventory
+#
+# Aaron LI
+# 2018-02-12
+#
+
+# Use the YAML format
+# https://docs.ansible.com/ansible/latest/intro_inventory.html
+
+all:
+  hosts:
+    vultr:
+
+# vim: set ft=yaml sw=2: #
diff --git a/roles/bootstrap/handlers/main.yml b/roles/bootstrap/handlers/main.yml
new file mode 100644
index 0000000..6ecf94f
--- /dev/null
+++ b/roles/bootstrap/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart-sshd
+  command: service sshd restart
diff --git a/roles/bootstrap/tasks/main.yml b/roles/bootstrap/tasks/main.yml
new file mode 100644
index 0000000..52eae5d
--- /dev/null
+++ b/roles/bootstrap/tasks/main.yml
@@ -0,0 +1,59 @@
+---
+- debug: var=ansible_play_hosts
+- debug: var=deploy_user
+- debug: var=ansible_ssh_host
+- debug: var=ansible_ssh_port
+- debug: var=ansible_ssh_private_key_file
+
+- name: User - create deployment user account (group)
+  command: pw groupadd "{{ deploy_user }}" -g 999
+  ignore_errors: true
+
+- name: User - create deployment user account (user)
+  command: >
+    pw useradd "{{ deploy_user }}"
+    -u 999 -g "{{ deploy_user }}"
+    -m -d "/var/{{ deploy_user }}"
+    -C "Ansible Deployment"
+  ignore_errors: true
+
+- name: SSH - authorized_keys for the deployment user
+  authorized_key:
+    user: "{{ deploy_user }}"
+    state: present
+    key: "{{ lookup('file', item+'.pub') }}"
+  with_items:
+    - "{{ ansible_ssh_private_key_file }}"
+
+- name: sudo - no password for the deployment user
+  template:
+    src: sudoers.d_ansible.j2
+    dest: /usr/local/etc/sudoers.d/ansible
+    mode: 0440
+    validate: "visudo -cf %s"
+
+- name: SSH - disable password auth for the deployment user
+  blockinfile:
+    path: /etc/ssh/sshd_config
+    block: |
+      Match User {{ deploy_user }}
+          PasswordAuthentication no
+    backup: true
+    validate: "sshd -t -f %s"
+  notify: restart-sshd
+
+- name: SSH - disable empty password login
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^#?PermitEmptyPasswords"
+    line: "PermitEmptyPasswords no"
+    validate: "sshd -t -f %s"
+  notify: restart-sshd
+
+- name: SSH - disable root login
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^#?PermitRootLogin"
+    line: "PermitRootLogin no"
+    validate: "sshd -t -f %s"
+  notify: restart-sshd
diff --git a/roles/bootstrap/templates/sudoers.d_ansible.j2 b/roles/bootstrap/templates/sudoers.d_ansible.j2
new file mode 100644
index 0000000..6bd73ec
--- /dev/null
+++ b/roles/bootstrap/templates/sudoers.d_ansible.j2
@@ -0,0 +1,2 @@
+# Allow user `{{ deploy_user }}` do deployment without password
+{{ deploy_user }}  ALL=(ALL)  NOPASSWD: ALL