This role allows for bootstrapping machines that haven't been provisioned by ansible yet, so can't have ansible run against them in the usual way due to missing user accounts and ssh keys.
This role initially connects to a machine with temporary bootstrap credentials which can either be supplied via variable or interactively, this bootstrap user is used to create a special ansible provision user with a unique name and UID to avoid collision with any user accounts that your ansible playbook wants to add.
The original bootstrap user can then be optionally deleted (to free up the UID) and any ansible tasks can then be run under the autogenerated provision user to setup proper user accounts and ssh keys.
The provision user can be used by assigning the following variables generated by this role to the corresponding ansible variables:
vars:
ansible_host: "{{ provision_host }}"
ansible_user: "{{ provision_username }}"
ansible_become_pass: "{{ provision_password }}"
ansible_ssh_private_key_file: "{{ provision_ssh_private_key }}"
Once this is done the ansible playbook can be run as normal as your regular account.
To use this role, the python package passlib must be installed on the host running ansible.
ENTRY POINT: main - Bootstrap and provision a new machine with ansible
This role allows for bootstrapping machines that haven't been
provisioned by ansible yet, so can't have ansible run against
them in the usual way due to missing user accounts and ssh
keys. This role initially connects to a machine with
temporary bootstrap credentials which can either be supplied
via variable or interactively, this bootstrap user is used to
create a special ansible provision user with a unique name and
UID to avoid collision with any user accounts that your
ansible playbook wants to add. The original bootstrap user
can then be optionally deleted (to free up the UID) and any
ansible tasks can then be run under the autogenerated
provision user to setup proper user accounts and ssh keys.
Once this is done the ansible playbook can be run as normal as
your regular account.
OPTIONS (= is mandatory):
- bootstrap_ansible_playbook_dir
Path to ansible playbook directory
default: '{{ ansible_config_file | dirname }}'
type: str
- bootstrap_apt_upgrade
If true, run full apt upgrade on initial connection to the
machine
default: true
type: bool
- bootstrap_become_method
Method to use to escalate from the bootstrap user to root
(e.g. sudo or su), or empty string to prompt the user to
provide this interactively
default: ''
type: str
- bootstrap_host_override_prompt
If true, prompt user if they want to override the hostname or
IP address of the machine they are provisioning.
default: true
type: bool
- bootstrap_packages
List of packages to install on initial connection to the
machine
default: [sudo]
elements: str
type: list
- bootstrap_password
Password for the bootstrap user to use for the initial
connection to the machine, or empty string to prompt the user
to provide this interactively
default: ''
type: str
- bootstrap_root_password
Password for the root user if the become method is su, or
empty string to prompt the user to provide this interactively
default: ''
type: str
- bootstrap_ssh_password_authentication
If true, use ssh password authentication for the initial
connection to the machine, or empty string to prompt the user
to provide this interactively
default: ''
type: bool
- bootstrap_user_remove
If true, remove the bootstrap user account after the provision
user account has been created, or empty string to prompt the
user to provide this interactively
default: ''
type: bool
- bootstrap_username
Username for the bootstrap user to use for the initial
connection to the machine, or empty string to prompt the user
to provide this interactively
default: ''
type: str
- provision_groups
List of groups the provision user account should be part of
default: [sudo]
elements: str
type: list
- provision_shell
Shell for the provision user account to be created
default: /bin/bash
type: str
- provision_ssh_key_has_passphrase
If true, create a random passphrease for the provision user's
ssh key and automatically add this ssh key to the ssh-agent of
the user running the ansible playbook
default: true
type: bool
- provision_ssh_key_type
Type of ssh key that should be created for the provision user
account
default: ed25519
type: str
- provision_uid
UID for the provision user account to be created
default: 50000
type: int
- provision_username
Username for the provision user account to be created
default: ansible-provision
type: str
This role can either be installed manually with the ansible-galaxy CLI tool:
ansible-galaxy install git+https://github.com/wandansible/bootstrap,main,wandansible.bootstrap
Or, by adding the following to requirements.yml:
- name: wandansible.bootstrap
src: https://github.com/wandansible/bootstrap
Roles listed in requirements.yml can be installed with the following ansible-galaxy command:
ansible-galaxy install -r requirements.yml
- name: Run bootstrap pre tasks
hosts: all
tasks:
- ansible.builtin.import_role:
name: wandansible.bootstrap
tasks_from: pre
gather_facts: false
- name: Create user accounts and groups as provision user
vars:
ansible_host: "{{ provision_host }}"
ansible_user: "{{ provision_username }}"
ansible_become_pass: "{{ provision_password }}"
ansible_ssh_private_key_file: "{{ provision_ssh_private_key }}"
ansible.builtin.import_playbook: users.yml
- name: Run bootstrap post tasks
hosts: all
vars:
ansible_host: "{{ provision_host }}"
tasks:
- ansible.builtin.import_role:
name: wandansible.bootstrap
tasks_from: post
gather_facts: false
- name: Run main playbook
vars:
ansible_host: "{{ provision_host }}"
ansible.builtin.import_playbook: site.yml