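---
# Ansible playbook for the initial setup of the Ansible environment on the
# admin workstation (hosts: localhost): copies and adapts ansible.cfg into the
# admin user's home, creates the directory layout, installs the `pass`
# password manager and stores the vault password in it, then writes a
# vault-encrypted become password and a privilege-escalation fragment into
# the production inventory.
#
# Run from the working directory via:
#   ansible-playbook playbooks/ansible_grundconfig_v2.yml -K
- name: ansible_grundconfig_v2.yml
  hosts: localhost
  gather_facts: true  # ansible_date_time.date is used in generated file headers
  become: true
  vars:
    ansible_working_dir: ansible
    ansible_config: /etc/ansible/ansible.cfg
    # User invoking the playbook on the controller; every generated file is
    # placed in this user's home directory and owned by them.
    admin_user: "{{ lookup('env', 'USER') }}"
    admin_mail: django@nausch.org
  vars_prompt:
    # vars_prompt hides typed input by default; each secret is asked twice
    # and the two inputs are compared in the first two tasks.
    - name: pass_secret
      prompt: "Enter password for password-store?"
    - name: pass_secret_2nd
      prompt: "Retype password for password-store?"
    - name: become_secret
      prompt: "Enter become-password for sudo?"
    - name: become_secret_2nd
      prompt: "Retype become-password for sudo?"

  tasks:
    - name: "Playbooklauf abbrechen sofern die beiden eigegebenen Passwörter nicht übereinstimmen!"
      ansible.builtin.fail:
        msg: "Error: the entered password-store passwords do not match."
      when: pass_secret != pass_secret_2nd

    - name: "Playbooklauf abbrechen sofern die beiden eigegebenen become-Passwörter nicht übereinstimmen!"
      ansible.builtin.fail:
        msg: "Error: the entered become-passwords for sudo do not match."
      when: become_secret != become_secret_2nd

    - name: "Ansible Konfigurationsdatei {{ ansible_config }} vorhanden?"
      ansible.builtin.stat:
        path: "{{ ansible_config }}"
      register: check_ansible_config

    - name: "Fehlerhinweis im Fehlerfall ausgeben"
      ansible.builtin.fail:
        msg: "Ansible Konfigurationsdatei {{ ansible_config }} NICHT gefunden!"
      # stat.exists is a boolean; test it as one instead of comparing with 1.
      when: not check_ansible_config.stat.exists

    - name: "Ansible Konfigurationsverzeichnis in das User/Admin-Verzeichnis kopieren"
      ansible.builtin.copy:
        src: "{{ ansible_config }}"
        dest: "/home/{{ admin_user }}/.ansible.cfg"
        owner: "{{ admin_user }}"
        group: "{{ admin_user }}"
        mode: "0640"

    # Replace the commented-out defaults in the copied ansible.cfg with the
    # values for this layout. `line` may contain several lines joined by \n.
    - name: "Ansible Konfiguration anpassen"
      ansible.builtin.lineinfile:
        path: "/home/{{ admin_user }}/.ansible.cfg"
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        state: present
      loop:
        - regexp: '^\[defaults\]'
          line: "[defaults]\n# Generated by Ansible on {{ ansible_date_time.date }}, do not edit manually!\n# default:\ninterpreter_python = auto_silent"
        - regexp: '^\#inventory      = /etc/ansible/hosts'
          line: "# Generated by Ansible on {{ ansible_date_time.date }}, do not edit manually!\n# default: #inventory = /etc/ansible/hosts\ninventory = /home/{{ admin_user }}/ansible/inventories/production"
        - regexp: '^\#roles_path    = /etc/ansible/roles'
          line: "# Generated by Ansible on {{ ansible_date_time.date }}, do not edit manually!\n# default: #roles_path = /etc/ansible/roles\nroles_path = ~/ansible/roles"
        - regexp: '^\#vault_password_file = /path/to/vault_password_file'
          line: "# Generated by Ansible on {{ ansible_date_time.date }}, do not edit manually!\n# default: #vault_password_file = /path/to/vault_password_file\nvault_password_file = ~/bin/ansible_vault_password"

    - name: "Ansible Directory Layout anlegen"
      ansible.builtin.file:
        path: "/home/{{ admin_user }}/{{ ansible_working_dir }}/{{ item }}"
        state: directory
        owner: "{{ admin_user }}"
        group: "{{ admin_user }}"
        mode: "0755"
      loop:
        - filter_plugins/
        - library/
        - module_utils/
        - playbooks/
        - inventories/production/group_vars/
        # group_vars/all/ must exist before the vault and ansible_environment
        # files are copied into it below; copy does not create parent dirs.
        - inventories/production/group_vars/all/
        - inventories/production/host_vars/
        - inventories/staging/group_vars/
        - inventories/staging/group_vars/all/
        - inventories/staging/host_vars/
        - roles/common/defaults/
        - roles/common/files/
        - roles/common/handlers/
        - roles/common/library/
        - roles/common/lookup_plugins/
        - roles/common/meta/
        - roles/common/module_utils/
        - roles/common/tasks/
        - roles/common/templates/
        - roles/common/vars/

    - name: "Ansible Directory Layout mit dummy-files main.yml befüllen"
      ansible.builtin.file:
        path: "/home/{{ admin_user }}/{{ ansible_working_dir }}/{{ item }}"
        state: touch
        owner: "{{ admin_user }}"
        group: "{{ admin_user }}"
        mode: "0640"
        # Keep timestamps of already existing files so re-runs stay idempotent.
        access_time: preserve
        modification_time: preserve
      loop:
        - filter_plugins/main.yml
        - library/main.yml
        - module_utils/main.yml
        - inventories/production/hosts
        - inventories/production/group_vars/main.yml
        - inventories/production/host_vars/main.yml
        - inventories/staging/hosts
        - inventories/staging/group_vars/main.yml
        - inventories/staging/host_vars/main.yml
        - roles/common/defaults/main.yml
        - roles/common/files/main.yml
        - roles/common/handlers/main.yml
        - roles/common/library/main.yml
        - roles/common/lookup_plugins/main.yml
        - roles/common/meta/main.yml
        - roles/common/module_utils/main.yml
        - roles/common/tasks/main.yml
        - roles/common/templates/main.yml
        - roles/common/vars/main.yml

    - name: "Passwort-Manager pass installieren"
      ansible.builtin.package:
        name: pass
        update_cache: true
        # `present` is idempotent; `latest` would upgrade the package on every run.
        state: present

    - name: "Verzeichnis ~/bin anlegen"
      ansible.builtin.file:
        path: "/home/{{ admin_user }}/bin"
        state: directory
        owner: "{{ admin_user }}"
        group: "{{ admin_user }}"
        mode: "0750"

    # Wrapper referenced as vault_password_file in ~/.ansible.cfg; it reads
    # the vault password from the pass store instead of a plain-text file.
    - name: "vault-Wrapperscript anlegen"
      ansible.builtin.copy:
        dest: "/home/{{ admin_user }}/bin/ansible_vault_password"
        content: |
          #!/bin/bash
          # Ansible generated, do not edit manually!
          pass show ansible-vault-password
        owner: "{{ admin_user }}"
        group: "{{ admin_user }}"
        mode: "0750"

    - name: "Sicherstellen dass das pass Store-Verzeichnis nicht existiert"
      ansible.builtin.file:
        path: "/home/{{ admin_user }}/.password-store"
        state: absent

    # pass and gpg operate on the admin user's own keyring and HOME, so these
    # steps run as admin_user rather than root.
    - name: "Pass-Store initialisieren"
      become: true
      become_user: "{{ admin_user }}"
      ansible.builtin.command:
        argv:
          - pass
          - init
          - "{{ admin_mail }}"
      changed_when: false

    - name: "Pass-Store Passwort ablegen"
      become: true
      become_user: "{{ admin_user }}"
      ansible.builtin.command:
        argv:
          - pass
          - insert
          - -ef
          - ansible-vault-password
        # The secret is handed over on stdin instead of via echo on the
        # command line, so it never shows up in the process list.
        stdin: "{{ pass_secret }}"
      no_log: true  # keep the secret out of logs and verbose output
      changed_when: false

    - name: "Sicherstellen dass das File für das verschlüsselte become-password noch nicht existiert"
      ansible.builtin.file:
        path: "/home/{{ admin_user }}/{{ ansible_working_dir }}/inventories/production/group_vars/all/vault"
        state: absent

    # The file is written in clear text (mode 0640) and encrypted by the next
    # task; no_log keeps its content out of logs and --diff output.
    - name: "Ansible Become Password für sudo Rechteerweiterung anlegen"
      ansible.builtin.copy:
        dest: "/home/{{ admin_user }}/{{ ansible_working_dir }}/inventories/production/group_vars/all/vault"
        # to_json yields a valid YAML double-quoted scalar, so a password
        # containing quotes, `#` or `: ` does not break the generated file.
        content: |
          # Generated by Ansible on {{ ansible_date_time.date }}, do not edit manually!
          ansible_become_pass: {{ become_secret | to_json }}
        owner: "{{ admin_user }}"
        group: "{{ admin_user }}"
        mode: "0640"
      no_log: true

    # Uses vault_password_file from ~/.ansible.cfg, hence run as admin_user.
    - name: "Ansible Become Password mit ansible-vault verschlüsseln"
      become: true
      become_user: "{{ admin_user }}"
      ansible.builtin.command:
        argv:
          - ansible-vault
          - encrypt
          - "/home/{{ admin_user }}/{{ ansible_working_dir }}/inventories/production/group_vars/all/vault"
      changed_when: false

    - name: "Sicherstellen dass das File mit der Ansible-Konfiguration nicht existiert"
      ansible.builtin.file:
        path: "/home/{{ admin_user }}/{{ ansible_working_dir }}/inventories/production/group_vars/all/ansible_environment"
        state: absent

    - name: "Ansible Konfigurationsdatei mit den Definitionen zu privilege_escalation anlegen"
      ansible.builtin.copy:
        dest: "/home/{{ admin_user }}/{{ ansible_working_dir }}/inventories/production/group_vars/all/ansible_environment"
        content: |
          # Generated by Ansible on {{ ansible_date_time.date }}, do not edit manually!
          ansible_become: True
          ansible_become_method: sudo
          ansible_become_user: root
          ansible_become_ask_pass: False
        owner: "{{ admin_user }}"
        group: "{{ admin_user }}"
        mode: "0644"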