The Problem:
You have a throw away server that you only need for the next couple of hours to try something out. You need the server configured so that you can login and get to work without messing with yum updates or adding your user and public ssh keys to access it.
The solution:
This Ansible playbook that is simple and to the point. It updates yum or apt, applies a sane sshd config, adds users and groups and then gets your public ssh key onto the throwaway box so you can login without a password.
GitHub - e30chris/ServerDelivery
Backstory:
After pitching Ansible as a great solution to infrastructure automation I wanted a simple playbook to demo that would show off the simplest side of Ansible. I also need the short lived servers I spin up on Digital Ocean to be secured and easy to login to without any manual steps. This playbook takes care of both requirements.
ToDo:
- Add a role to this playbook to kick off the droplet creation and then register the names and IP's for the new servers before handing off to this current playbook config.
Pre-Requisites
- Servers booted and running
- SSH access
- SSH public keys for each user in files/
- Server OS is in the Debian family or the RedHat family.
Create the new droplets
Using the excellent Digital Ocean cli tool - TugBoat - GitHub
sandor@theargo$ tugboat create bloggindroplet -s 66 -i 10322623 -r 3 -k 915832
That equals: -s size (66 = 512 mb) -i image (Centos 7 x64) -r region (San Francisco) -k ssh public key (mine)
Add new droplet to SSH config
sandor@theargo$ cat ~/.ssh/config
#SSH Stuff
Host bloggindroplet
Hostname 45.55.7.178
User root
Host *
ServerAliveInterval 60
ServerAliveCountMax 30
ControlMaster auto
ControlPath ~/.ssh/connections/ssh-%r@%h:%p
ControlPersist 4h
StrictHostKeyChecking no
IdentityFile ~/.ssh/id_rsa
Add new droplet to Ansible hosts file
sandor@theargo$ › cat ~/.ansible/hosts
# All Servers
docks
cent7
fed22
# App servers
[app]
# DB servers
[db]
# Group 'multi' with all servers
[multi:children]
# Variables applied to all servers
[multi:vars]
Test ssh login
sandor@theargo$ ssh bloggindroplet
Last login: Thu Jul 9 00:34:41 2015 from 67.135.32.227
[root@bloggindroplet ~]#
Test Ansible
sandor@theargo$ ansible bloggindroplet -m ping
servfed | success >> {
"changed": false,
"ping": "pong"
}
sandor@theargo$
git clone the playbook
Download:
sandor@theargo$ git clone git@github.com:e30chris/Ansible-ServerDelivery.git ~/Codestuff/Ansible/.
Create the user accounts
via the variables in group_vars/main.yml
delivered_users: this is the user accounts you want created on the new server, each with sudo access.
---
# vars file for ServerDelivery
delivered_users:
- chrisl
- dpr
- weev
Give each users ssh key a password
and encrypt it with Ansible Vault
via group_vars/passes.yml
this file will need to be created with ansible-vault
sandor@theargo$ ansible-vault create group_vars/passes.yml
---
# vars file for ServerDelivery encrypted via ansible-vault
users_ssh_key_pass: stallman was right
Run the playbook
This will run with ‘hosts: all’ which will put every server in your Ansible hosts file in this state. This should be ok since all this playbook does is ensure sane security, adds users and updates packages. Because Ansible is idempotent if these setting have not changed then nothing will be done. If you do not want to run on all your hosts then specify that with either a group in the Ansible hosts file or with a cli switch.
sandor@theargo$ ansible-playbook site.yml -vv --ask-vault-pass
which returns lots of cows:
2.2.3 in ServerDelivery/ on dev
› ansible-playbook -i "docks,cent7,fed22," site.yml --ask-vault-pass
Vault password:
____________
< PLAY [all] >
------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
_________________
< GATHERING FACTS >
-----------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
ok: [fed22]
ok: [cent7]
ok: [docks]
docks: importing group_vars/Ubuntu.yml
cent7: importing group_vars/CentOS.yml
fed22: importing group_vars/Fedora.yml
_____________________________________
< TASK: update all packages on CentOS >
-------------------------------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
skipping: [docks]
skipping: [fed22]
skipping: [cent7]
_______________________________
< TASK: install EPEL for CentOS >
-------------------------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
skipping: [cent7]
skipping: [fed22]
skipping: [docks]
________________________________________
< TASK: add the must have apps on CentOS >
----------------------------------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
skipping: [cent7]
skipping: [docks]
skipping: [fed22]
____________________________________________
< TASK: update all packages on Ubuntu family >
--------------------------------------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
skipping: [cent7]
skipping: [fed22]
ok: [docks]
________________________________________
< TASK: add the must have apps on Ubuntu >
----------------------------------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
skipping: [cent7]
skipping: [fed22]
ok: [docks] => (item=sudo,vim,htop,tmux,unzip,fail2ban)
_____________________________________
< TASK: update all packages on Fedora >
-------------------------------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
skipping: [docks]
skipping: [cent7]
ok: [fed22]
________________________________________
< TASK: add the must have apps on Fedora >
----------------------------------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
skipping: [docks]
skipping: [cent7]
ok: [fed22] => (item=sudo,vim,htop,tmux,unzip,fail2ban)
_______________________________
< TASK: adding users to servers >
-------------------------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
ok: [docks] => (item=chrisl)
ok: [fed22] => (item=chrisl)
ok: [cent7] => (item=chrisl)
ok: [docks] => (item=dpr)
ok: [fed22] => (item=dpr)
ok: [cent7] => (item=dpr)
ok: [cent7] => (item=weev)
ok: [fed22] => (item=weev)
ok: [docks] => (item=weev)
_________________________________
< TASK: add users ssh public keys >
---------------------------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
ok: [fed22] => (item=chrisl)
ok: [cent7] => (item=chrisl)
ok: [docks] => (item=chrisl)
ok: [fed22] => (item=dpr)
ok: [docks] => (item=dpr)
ok: [cent7] => (item=dpr)
ok: [fed22] => (item=weev)
ok: [docks] => (item=weev)
ok: [cent7] => (item=weev)
_______________________
< TASK: add admin group >
-----------------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
ok: [docks]
ok: [fed22]
ok: [cent7]
________________________________
< TASK: add users to admin group >
--------------------------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
ok: [cent7] => (item=chrisl)
ok: [fed22] => (item=chrisl)
ok: [docks] => (item=chrisl)
ok: [cent7] => (item=dpr)
ok: [fed22] => (item=dpr)
ok: [docks] => (item=dpr)
ok: [cent7] => (item=weev)
ok: [fed22] => (item=weev)
ok: [docks] => (item=weev)
______________________________
< TASK: add users sudoers file >
------------------------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
ok: [cent7] => (item=chrisl)
ok: [fed22] => (item=chrisl)
ok: [docks] => (item=chrisl)
ok: [cent7] => (item=dpr)
ok: [fed22] => (item=dpr)
ok: [docks] => (item=dpr)
ok: [cent7] => (item=weev)
ok: [fed22] => (item=weev)
ok: [docks] => (item=weev)
__________________________________________
< TASK: secure SSH with a sane sshd_config >
------------------------------------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
ok: [docks]
ok: [cent7]
ok: [fed22]
_______________________
< TASK: restarting sshd >
-----------------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
changed: [cent7]
changed: [fed22]
changed: [docks]
____________
< PLAY RECAP >
------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
cent7 : ok=8 changed=1 unreachable=0 failed=0
docks : ok=10 changed=1 unreachable=0 failed=0
fed22 : ok=10 changed=1 unreachable=0 failed=0