askadm
/
ansible.infra.services
1
0
Bifurcation 0
Code Tickets 0 Demandes d'ajout 0 Versions 0 Wiki Activité
Repos with recipes to deploy some infrastructure services
Vous ne pouvez pas sélectionner plus de 25 sujets Les noms de sujets doivent commencer par une lettre ou un nombre, peuvent contenir des tirets ('-') et peuvent comporter jusqu'à 35 caractères.
7 Révisions
1 Branche
145 KiB
 
 
Aborescence: bc1aa07b43
Branches Tags
${ item.name }
Créer la branche ${ searchTerm }
de 'bc1aa07b43'
${ noResults }
ansible.infra.services/playbook_jumpbox.yml

97 lignes
2.5 KiB
Brut Annotations Historique 

  1. ---

  2. - import_playbook: playbook_ssh_known_host.yml

  3. - name: Configure jumpbox

  4.   hosts:

  5.     - all

  6.   gather_facts: yes

  7.   vars_files:

  8.     - vars/jumpbox.yml

  9.   tasks:

  10.     - name: Install useful packages

  11.       package:

  12.         name: "{{ packages }}"

  13.         state: present

  14.       become: true

  15.       become_method: sudo

  16. 

  17.     - name: Install pip useful packages

  18.       pip:

  19.         name: "{{ pip_packages }}"

  20.         executable: "{{ pip_exe | default(omit, true) }}"

  21.         state: present

  22.         extra_args: "{{ pip_args }}"

  23. 

  24.     - name: Update ssh config

  25.       block:

  26.         - name: Modify sshd config

  27.           lineinfile: 

  28.             path: /etc/ssh/sshd_config

  29.             regexp: '^MaxStartups.*'

  30.             line: MaxStartups 100:30:100

  31. 

  32.         - name: Modify ssh config

  33.           lineinfile: 

  34.             path: /etc/ssh/ssh_config

  35.             regexp: '^ServerAliveInterval.*'

  36.             line: ServerAliveInterval 60

  37. 

  38.         - name: Restart service ssh

  39.           service:

  40.             name: sshd

  41.             state: restarted

  42.       become: true

  43.       become_method: sudo

  44. 

  45.     - name: Determine existing users

  46.       shell: 'cut -d: -f1 /etc/passwd | grep d*-local'

  47.       register: existing_users

  48.       failed_when: false

  49.     

  50.     - name: Create username list

  51.       set_fact:

  52.         new_usernames: "{{ new_usernames | default([]) }} + ['{{item.username}}']"

  53.       loop: "{{ users }}"

  54. 

  55.     - name: Update users

  56.       block:

  57.         - name: Delete removed users

  58.           user:

  59.             name: "{{ item }}"

  60.             remove: true

  61.             force: true

  62.             state: absent

  63.           loop: "{{ existing_users.stdout_lines | default([]) }}"

  64.           when: item not in new_usernames

  65. 

  66.         - name: Create local user accounts

  67.           user:

  68.             name: "{{ item.username }}"

  69.             password: "{{ item.passwd | password_hash('sha512') }}"

  70.           loop: "{{ users }}"

  71.           

  72.         - name: Add authorized keys

  73.           authorized_key:

  74.             user: "{{ item.username }}"

  75.             key: "{{ item.pubkey }}"

  76.           loop: "{{ users }}"

  77. 

  78.         - name: Ensure sudoers.d exist

  79.           file:

  80.             path: "/etc/sudoers.d/"

  81.             state: directory

  82.             owner: root

  83.             group: root

  84. 

  85.         - name: Create user sudoers files

  86.           template:

  87.             src: sudoers.j2

  88.             dest: "/etc/sudoers.d/99-users"

  89.             owner: root

  90.             group: root

  91.             mode: '0640'

  92. 

  93.       become: true

  94.       become_method: sudo

  95.       no_log: True

  96. ...