Ansible role: bootstrap

This role bootstraps machines that have not yet been provisioned by ansible and so cannot have ansible run against them in the usual way, because the expected user accounts and ssh keys are missing.

This role first connects to the machine with temporary bootstrap credentials, supplied either via variables or interactively. That bootstrap user is used to create a dedicated ansible provision user with a unique name and UID, chosen so that it does not collide with any of the user accounts your ansible playbook will add.

The original bootstrap user can then optionally be deleted (to free up its UID), and the remaining ansible tasks run under the autogenerated provision user to set up the proper user accounts and ssh keys.
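The collision rule above (the provision user's name and UID must be unused both on the target and in the accounts your playbook will create) is easy to check before running anything. The following pre-flight check is an added example and not code from the wandansible.bootstrap role; it parses a copy of the target's /etc/passwd and compares it, together with the list of users your users.yml playbook intends to create, against the role defaults for provision_username and provision_uid. The passwd content and planned user list are constructed for the example; the playbook entry shape (dicts with name and optional uid) is an assumption.

```python
"""Pre-flight collision check for the provision account (added example, not
part of the wandansible.bootstrap role)."""

from dataclasses import dataclass

PROVISION_USERNAME = "ansible-provision"  # role default for provision_username
PROVISION_UID = 50000                     # role default for provision_uid


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> list[PasswdEntry]:
    """Parse /etc/passwd content (name:pw:uid:gid:gecos:home:shell per line)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"/etc/passwd line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), home, shell))
    return entries


def check_provision_account(passwd_text, planned_users,
                            username=PROVISION_USERNAME, uid=PROVISION_UID):
    """Return a list of conflict messages; an empty list means safe to proceed.

    An existing entry with the same name *and* UID is not a conflict: that is
    what a re-run of the role against an already bootstrapped host looks like.
    """
    conflicts = []
    for e in parse_passwd(passwd_text):
        if e.name == username and e.uid != uid:
            conflicts.append(f"target already has user {username!r} with uid {e.uid}, not {uid}")
        elif e.uid == uid and e.name != username:
            conflicts.append(f"target uid {uid} is already taken by {e.name!r}")
    # planned_users: the accounts your playbook (e.g. users.yml) will create,
    # assumed here to be dicts with "name" and an optional "uid"
    for u in planned_users:
        if u["name"] == username:
            conflicts.append(f"playbook also wants to create {username!r}")
        if u.get("uid") == uid:
            conflicts.append(f"playbook wants uid {uid} for {u['name']!r}")
    return conflicts


# Constructed sample input: a fresh install with only a temporary bootstrap user.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
installer:x:1000:1000:Bootstrap user:/home/installer:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

# Constructed sample: accounts the playbook will add; "deploy" reuses UID 50000.
PLANNED_USERS = [
    {"name": "alice", "uid": 1001, "groups": ["sudo"]},
    {"name": "deploy", "uid": 50000},
]

if __name__ == "__main__":
    for problem in check_provision_account(SAMPLE_PASSWD, PLANNED_USERS) or ["no conflicts"]:
        print(problem)
```

Run it with the real `/etc/passwd` fetched from the target (for example via `ansible.builtin.slurp`) and the user list from your playbook's variables; if it reports anything, change provision_uid or provision_username rather than letting the role and your playbook fight over the same UID.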

The provision user can be used by assigning the following variables, which this role generates, to the corresponding ansible connection variables:

vars:
    ansible_host: "{{ provision_host }}"
    ansible_user: "{{ provision_username }}"
    ansible_become_pass: "{{ provision_password }}"
    ansible_ssh_private_key_file: "{{ provision_ssh_private_key }}"

Once this is done, the ansible playbook can be run as normal under your regular account.

Requirements

To use this role, the python package passlib must be installed on the host running ansible.

Role Variables

ENTRY POINT: main - Bootstrap and provision a new machine with ansible

        This role bootstraps machines that have not yet been
        provisioned by ansible and so cannot have ansible run against
        them in the usual way, because the expected user accounts and
        ssh keys are missing.  This role first connects to the machine
        with temporary bootstrap credentials, supplied either via
        variables or interactively.  That bootstrap user is used to
        create a dedicated ansible provision user with a unique name
        and UID, chosen so that it does not collide with any of the
        user accounts your ansible playbook will add.  The original
        bootstrap user can then optionally be deleted (to free up its
        UID), and the remaining ansible tasks run under the
        autogenerated provision user to set up the proper user
        accounts and ssh keys.  Once this is done, the ansible playbook
        can be run as normal under your regular account.

OPTIONS (= is mandatory):

- bootstrap_ansible_playbook_dir
        Path to ansible playbook directory
        default: '{{ ansible_config_file | dirname }}'
        type: str

- bootstrap_apt_upgrade
        If true, run full apt upgrade on initial connection to the
        machine
        default: true
        type: bool

- bootstrap_become_method
        Method to use to escalate from the bootstrap user to root
        (e.g. sudo or su), or empty string to prompt the user to
        provide this interactively
        default: ''
        type: str

- bootstrap_host_override_prompt
        If true, prompt user if they want to override the hostname or
        IP address of the machine they are provisioning.
        default: true
        type: bool

- bootstrap_packages
        List of packages to install on initial connection to the
        machine
        default: [sudo]
        elements: str
        type: list

- bootstrap_password
        Password for the bootstrap user to use for the initial
        connection to the machine, or empty string to prompt the user
        to provide this interactively
        default: ''
        type: str

- bootstrap_root_password
        Password for the root user if the become method is su, or
        empty string to prompt the user to provide this interactively
        default: ''
        type: str

- bootstrap_ssh_password_authentication
        If true, use ssh password authentication for the initial
        connection to the machine, or empty string to prompt the user
        to provide this interactively
        default: ''
        type: bool

- bootstrap_user_remove
        If true, remove the bootstrap user account after the provision
        user account has been created, or empty string to prompt the
        user to provide this interactively
        default: ''
        type: bool

- bootstrap_username
        Username for the bootstrap user to use for the initial
        connection to the machine, or empty string to prompt the user
        to provide this interactively
        default: ''
        type: str

- provision_groups
        List of groups the provision user account should be part of
        default: [sudo]
        elements: str
        type: list

- provision_shell
        Shell for the provision user account to be created
        default: /bin/bash
        type: str

- provision_ssh_key_has_passphrase
        If true, create a random passphrase for the provision user's
        ssh key and automatically add this ssh key to the ssh-agent of
        the user running the ansible playbook
        default: true
        type: bool

- provision_ssh_key_type
        Type of ssh key that should be created for the provision user
        account
        default: ed25519
        type: str

- provision_uid
        UID for the provision user account to be created
        default: 50000
        type: int

- provision_username
        Username for the provision user account to be created
        default: ansible-provision
        type: str
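With provision_ssh_key_has_passphrase left at its default of true, the provision user's private key should never sit on the controller in the clear. The following check is an added example, not code from the wandansible.bootstrap role: it reads the unencrypted header of the "openssh-key-v1" container that ssh-keygen uses for ed25519 keys (cipher name, KDF name and KDF options come before any encrypted data), so whether a key needs a passphrase can be determined without knowing it. A cipher name of "none" means the key material is stored in plaintext. The two sample keys are constructed inline with zeroed placeholder key material; only their headers are meaningful.

```python
"""Check whether an OpenSSH private key file is passphrase-protected
(added example, not part of the wandansible.bootstrap role)."""

import base64
import struct

PEM_HEAD = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_TAIL = "-----END OPENSSH PRIVATE KEY-----"
MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_uint32(buf: bytes, off: int) -> tuple[int, int]:
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    return struct.unpack(">I", buf[off:off + 4])[0], off + 4


def _read_string(buf: bytes, off: int) -> tuple[bytes, int]:
    length, off = _read_uint32(buf, off)
    if off + length > len(buf):
        raise ValueError("truncated key blob")
    return buf[off:off + length], off + length


def inspect_openssh_key(pem: str) -> dict:
    """Parse the unencrypted header of an openssh-key-v1 private key."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if len(lines) < 3 or lines[0] != PEM_HEAD or lines[-1] != PEM_TAIL:
        raise ValueError("not an OpenSSH private key (bad PEM armor)")
    blob = base64.b64decode("".join(lines[1:-1]), validate=True)
    if not blob.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 blob (bad magic)")
    off = len(MAGIC)
    cipher, off = _read_string(blob, off)        # "none" means unencrypted
    kdf, off = _read_string(blob, off)           # "none" or "bcrypt"
    kdf_options, off = _read_string(blob, off)
    nkeys, off = _read_uint32(blob, off)
    public_blob, off = _read_string(blob, off)   # public key is always in the clear
    key_type, _ = _read_string(public_blob, 0)
    info = {
        "key_type": key_type.decode(),
        "cipher": cipher.decode(),
        "kdf": kdf.decode(),
        "keys": nkeys,
        "encrypted": cipher != b"none",
    }
    if kdf == b"bcrypt":
        # bcrypt KDF options are: string salt, uint32 rounds
        salt, opt_off = _read_string(kdf_options, 0)
        rounds, _ = _read_uint32(kdf_options, opt_off)
        info["kdf_rounds"] = rounds
        info["salt_len"] = len(salt)
    return info


def key_is_encrypted(pem: str) -> bool:
    return inspect_openssh_key(pem)["encrypted"]


def _build_sample(cipher: bytes, kdf: bytes, kdf_options: bytes) -> str:
    """Constructed sample: a syntactically valid header with zeroed key material."""
    public_blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))
    body = (MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdf_options)
            + struct.pack(">I", 1) + _ssh_string(public_blob) + _ssh_string(bytes(64)))
    b64 = base64.b64encode(body).decode()
    return "\n".join([PEM_HEAD] + [b64[i:i + 70] for i in range(0, len(b64), 70)] + [PEM_TAIL]) + "\n"


UNENCRYPTED_KEY = _build_sample(b"none", b"none", b"")
ENCRYPTED_KEY = _build_sample(b"aes256-ctr", b"bcrypt", _ssh_string(bytes(16)) + struct.pack(">I", 16))

if __name__ == "__main__":
    for label, pem in (("unencrypted", UNENCRYPTED_KEY), ("encrypted", ENCRYPTED_KEY)):
        print(label, inspect_openssh_key(pem))
```

Point `inspect_openssh_key` at the file named by provision_ssh_private_key after the role has run; a result with cipher "none" means the passphrase option did not take effect and the key should be regenerated or re-encrypted with `ssh-keygen -p` before it is kept.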

Installation

This role can either be installed manually with the ansible-galaxy CLI tool:

ansible-galaxy install git+https://github.com/wandansible/bootstrap,main,wandansible.bootstrap

Or, by adding the following to requirements.yml:

- name: wandansible.bootstrap
  src: https://github.com/wandansible/bootstrap

Roles listed in requirements.yml can be installed with the following ansible-galaxy command:

ansible-galaxy install -r requirements.yml

Example Playbook

- name: Run bootstrap pre tasks
  hosts: all
  tasks:
    - ansible.builtin.import_role:
        name: wandansible.bootstrap
        tasks_from: pre
  gather_facts: false

- name: Create user accounts and groups as provision user
  vars:
    ansible_host: "{{ provision_host }}"
    ansible_user: "{{ provision_username }}"
    ansible_become_pass: "{{ provision_password }}"
    ansible_ssh_private_key_file: "{{ provision_ssh_private_key }}"
  ansible.builtin.import_playbook: users.yml

- name: Run bootstrap post tasks
  hosts: all
  vars:
    ansible_host: "{{ provision_host }}"
  tasks:
    - ansible.builtin.import_role:
        name: wandansible.bootstrap
        tasks_from: post
  gather_facts: false

- name: Run main playbook
  vars:
    ansible_host: "{{ provision_host }}"
  ansible.builtin.import_playbook: site.yml