From 7a63ffd9493b0a8b636de26b8f0954cf08a2b9d9 Mon Sep 17 00:00:00 2001 From: Aaron LI Date: Wed, 14 Feb 2018 00:18:24 +0800 Subject: Init ansible playbook for DFly VPS bootstrap --- .gitignore | 7 +++ LICENSE | 21 +++++++++ README.md | 10 +++++ ansible.cfg | 20 +++++++++ bootstrap.sh | 35 +++++++++++++++ bootstrap.yml | 16 +++++++ group_vars/all | 5 +++ host_vars/vultr | 6 +++ hosts.yml | 16 +++++++ roles/bootstrap/handlers/main.yml | 3 ++ roles/bootstrap/tasks/main.yml | 59 ++++++++++++++++++++++++++ roles/bootstrap/templates/sudoers.d_ansible.j2 | 2 + 12 files changed, 200 insertions(+) create mode 100644 .gitignore create mode 100644 LICENSE create mode 100644 README.md create mode 100644 ansible.cfg create mode 100755 bootstrap.sh create mode 100644 bootstrap.yml create mode 100644 group_vars/all create mode 100644 host_vars/vultr create mode 100644 hosts.yml create mode 100644 roles/bootstrap/handlers/main.yml create mode 100644 roles/bootstrap/tasks/main.yml create mode 100644 roles/bootstrap/templates/sudoers.d_ansible.j2 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..68fe279 --- /dev/null +++ b/.gitignore @@ -0,0 +1,7 @@ +*~ +*.swp +*.bak +*.old +*.retry + +/ssh/ diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..30e8049 --- /dev/null +++ b/LICENSE @@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2018 Aaron LI + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/README.md b/README.md new file mode 100644 index 0000000..448573a --- /dev/null +++ b/README.md @@ -0,0 +1,10 @@ +DragonFly BSD Configuration Ansible Playbook +============================================ + +Aaron LI +2017-12-28 + +References +---------- +* Securing a Server with Ansible + https://ryaneschinger.com/blog/securing-a-server-with-ansible/ diff --git a/ansible.cfg b/ansible.cfg new file mode 100644 index 0000000..5ad3e6e --- /dev/null +++ b/ansible.cfg @@ -0,0 +1,20 @@ +# +# Ansible local config file +# See `/etc/ansible/ansible.cfg' for the global config file. +# +# Aaron LI +# 2018-02-12 +# + +[defaults] +inventory = ./hosts.yml + +# uncomment this to disable SSH key host checking +#host_key_checking = False + +[ssh_connection] +pipelining = True + +# SSH arguments to use +# Add 'IdentitiesOnly=yes' +ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s -o IdentitiesOnly=yes diff --git a/bootstrap.sh b/bootstrap.sh new file mode 100755 index 0000000..cc0a6a3 --- /dev/null +++ b/bootstrap.sh @@ -0,0 +1,35 @@ +#!/bin/sh +# +# Copyright (c) 2018 Aaron LI +# MIT License +# +# 2018-01-25 +# + +ROOTDIR="${0%/*}" +PLAYBOOK="${ROOTDIR}/bootstrap.yml" +echo "Playbook directory: ${ROOTDIR}" +echo "Playbook: ${PLAYBOOK}" + +SSHDIR="${ROOTDIR}/ssh" +SSHKEY="${SSHDIR}/ansible.key" +if [ -f "${SSHKEY}" ]; then + echo "ERROR: SSH key already exists: ${SSHKEY}" + echo "Target machine already been bootstrapped?" +else + [ ! -d "${SSHDIR}" ] && mkdir -v "${SSHDIR}" + echo "Generating SSH key ..." + ssh-keygen -t ed25519 -C "ansible" -f "${SSHKEY}" + echo "Generated SSH key: ${SSHKEY}" + echo "Bootstrap target by installing Python2.7 ..." + ansible vultr -u root \ + -m raw -a "pkg install -y python27" + ansible-playbook \ + --verbose --diff \ + --ask-pass --ask-become-pass \ + "${PLAYBOOK}" + echo "Bootstrapped the target machine!" + ansible vultr -u ansible -m ping + ansible vultr -u ansible -m command -a whoami + ansible vultr -u ansible -m command -a whoami -b +fi diff --git a/bootstrap.yml b/bootstrap.yml new file mode 100644 index 0000000..d01d38e --- /dev/null +++ b/bootstrap.yml @@ -0,0 +1,16 @@ +--- +# To override the bootstrapping host: +# $ ansible-playbook bootstrap.yml --extra-vars "host=" +# +- name: Bootstrap hosts for Ansible deployment :-) + hosts: "{{ host | default('all') }}" + user: root + gather_facts: false + + vars: + deploy_user: ansible + + roles: + - bootstrap + +# vim: set ft=yaml sw=2: # diff --git a/group_vars/all b/group_vars/all new file mode 100644 index 0000000..9c078f2 --- /dev/null +++ b/group_vars/all @@ -0,0 +1,5 @@ +--- +deploy_user: ansible +ansible_ssh_private_key_file: ./ssh/ansible.key + +# vim: set ft=yaml sw=2: # diff --git a/host_vars/vultr b/host_vars/vultr new file mode 100644 index 0000000..324b8c1 --- /dev/null +++ b/host_vars/vultr @@ -0,0 +1,6 @@ +--- +ansible_ssh_host: vultr.liwt.net +ansible_ssh_port: 8864 +ansible_python_interpreter: /usr/local/bin/python2.7 + +# vim: set ft=yaml sw=2: # diff --git a/hosts.yml b/hosts.yml new file mode 100644 index 0000000..b973ee1 --- /dev/null +++ b/hosts.yml @@ -0,0 +1,16 @@ +--- +# +# Ansible inventory +# +# Aaron LI +# 2018-02-12 +# + +# Use the YAML format +# https://docs.ansible.com/ansible/latest/intro_inventory.html + +all: + hosts: + vultr: + +# vim: set ft=yaml sw=2: # diff --git a/roles/bootstrap/handlers/main.yml b/roles/bootstrap/handlers/main.yml new file mode 100644 index 0000000..6ecf94f --- /dev/null +++ b/roles/bootstrap/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: restart-sshd + command: service sshd restart diff --git a/roles/bootstrap/tasks/main.yml b/roles/bootstrap/tasks/main.yml new file mode 100644 index 0000000..52eae5d --- /dev/null +++ b/roles/bootstrap/tasks/main.yml @@ -0,0 +1,59 @@ +--- +- debug: var=ansible_play_hosts +- debug: var=deploy_user +- debug: var=ansible_ssh_host +- debug: var=ansible_ssh_port +- debug: var=ansible_ssh_private_key_file + +- name: User - create deployment user account (group) + command: pw groupadd "{{ deploy_user }}" -g 999 + ignore_errors: true + +- name: User - create deployment user account (user) + command: > + pw useradd "{{ deploy_user }}" + -u 999 -g "{{ deploy_user }}" + -m -d "/var/{{ deploy_user }}" + -C "Ansible Deployment" + ignore_errors: true + +- name: SSH - authorized_keys for the deployment user + authorized_key: + user: "{{ deploy_user }}" + state: present + key: "{{ lookup('file', item+'.pub') }}" + with_items: + - "{{ ansible_ssh_private_key_file }}" + +- name: sudo - no password for the deployment user + template: + src: sudoers.d_ansible.j2 + dest: /usr/local/etc/sudoers.d/ansible + mode: 0440 + validate: "visudo -cf %s" + +- name: SSH - disable password auth for the deployment user + blockinfile: + path: /etc/ssh/sshd_config + block: | + Match User {{ deploy_user }} + PasswordAuthentication no + backup: true + validate: "sshd -t -f %s" + notify: restart-sshd + +- name: SSH - disable empty password login + lineinfile: + path: /etc/ssh/sshd_config + regexp: "^#?PermitEmptyPasswords" + line: "PermitEmptyPasswords no" + validate: "sshd -t -f %s" + notify: restart-sshd + +- name: SSH - disable root login + lineinfile: + path: /etc/ssh/sshd_config + regexp: "^#?PermitRootLogin" + line: "PermitRootLogin no" + validate: "sshd -t -f %s" + notify: restart-sshd diff --git a/roles/bootstrap/templates/sudoers.d_ansible.j2 b/roles/bootstrap/templates/sudoers.d_ansible.j2 new file mode 100644 index 0000000..6bd73ec --- /dev/null +++ b/roles/bootstrap/templates/sudoers.d_ansible.j2 @@ -0,0 +1,2 @@ +# Allow user `{{ deploy_user }}` do deployment without password +{{ deploy_user }} ALL=(ALL) NOPASSWD: ALL -- cgit v1.2.2