From 91b5a69fbad59634e5035f14bab14a0bd2689139 Mon Sep 17 00:00:00 2001
From: Fulvio Galeazzi <fulvio.galeazzi@garr.it>
Date: Sun, 22 Mar 2020 23:22:48 +0000
Subject: [PATCH] 2020-03-23: FG: Initial commit, bootstrap role.
---
 README.md | 76 +++++++++++++++++++++-
 ansible.cfg | 3 +
 playbooks/bootstrapconfig.yml | 8 +++
 roles/bootstrap/defaults/main.yml | 2 +
 roles/bootstrap/handlers/main.yml | 2 +
 roles/bootstrap/tasks/addUsersSudo.yml | 26 ++++++++
 roles/bootstrap/tasks/configUserPrompt.yml | 16 +++++
 roles/bootstrap/tasks/main.yml | 43 ++++++++++++
 roles/bootstrap/tests/inventory | 1 +
 roles/bootstrap/tests/test.yml | 5 ++
 roles/bootstrap/vars/main.yml | 5 ++
 11 files changed, 186 insertions(+), 1 deletion(-)
 create mode 100644 ansible.cfg
 create mode 100644 playbooks/bootstrapconfig.yml
 create mode 100644 roles/bootstrap/defaults/main.yml
 create mode 100644 roles/bootstrap/handlers/main.yml
 create mode 100644 roles/bootstrap/tasks/addUsersSudo.yml
 create mode 100644 roles/bootstrap/tasks/configUserPrompt.yml
 create mode 100644 roles/bootstrap/tasks/main.yml
 create mode 100644 roles/bootstrap/tests/inventory
 create mode 100644 roles/bootstrap/tests/test.yml
 create mode 100644 roles/bootstrap/vars/main.yml
diff --git a/README.md b/README.md
index 4ac4b8b..9d05891 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,76 @@
-# SetupOpenVPN
+SetupOpenVPN
+============
+
+This package sets up:
+ * an OpenVPN server, called `openvpn` in the following
+ * a machine acting as CA authority, based on EasyRSA, called `authca` in the following
+
+Pre-requisite
+-------------
+
+Ensure `ansible` is installed on both `openvpn` and `authca`, by executing::
+ ```
+ apt install ansible
+ ```
+
+These instructions assume that `openvpn` and `authca` were both installed with no
+direct `root` access but rather with a generic user (`ubuntu`, in this tutorial) with
+`sudoer` capability: login to these servers is only allowed by using a SSH key (same
+one, on both servers).
+
+Note that `authca` should only be accessed from `openvpn`: obviously, it should not be
+configured with a public IP address.
+
+To avoid storing the installation SSH key to `openvpn`, we will use `ssh-agent` to
+enable safer login to `authca`.
+From your client machine, execute the following::
+ ```
+ eval "$(ssh-agent)"
+ ssh-add <the_private_key_used_for_installation>
+ # input passphrase, if needed
+ ssh -A ubuntu@openvpn # you should not be prompted for password/passphrase
+ ```
+
+Now, on `openvpn`, verify your agent has the required identity loaded::
+ ssh-add -L
+
+You should now be able to log into `authca` with::
+ ssh ubuntu@authca
+
+Bootstrap Ansible configuration
+-------------------------------
+
+This step will::
+ * create a generic `ansible` user
+ * for such user, create `~/.ssh/authorized_keys` from keys stored by SSH-Agent on localhost (`ssh-add -L`)
+ * grant "sudo" privileges
+
+
+Execute the command (note that we override `ansible_user` with the `-e` switch,
+so it matches the generic user created during server installation)::
+ ansible-playbook -e "ansible_user=ubuntu" -v -i inventory.yml playbooks/bootstrapconfig.yml
+
+Installation
+------------
+
+
+
+
+
+
+License
+-------
+
+This work is protected by CC-BY 4.0
+[](https://creativecommons.org/licenses/by/4.0/)
+
+[](https://creativecommons.org/licenses/by/4.0/)
+
+
+Author Information
+------------------
+
+Originator: Fulvio Galeazzi, Consortium GARR, CSD Department
+
+Developers: `<add your name here>`
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..679b83a
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,3 @@
+[defaults]
+
+roles_path = ./roles
diff --git a/playbooks/bootstrapconfig.yml b/playbooks/bootstrapconfig.yml
new file mode 100644
index 0000000..a431e02
--- /dev/null
+++ b/playbooks/bootstrapconfig.yml
@@ -0,0 +1,8 @@
+---
+# Very first operations to be possibly done right after installation
+
+- hosts: all
+ become: True
+ roles:
+ - bootstrap
+
diff --git a/roles/bootstrap/defaults/main.yml b/roles/bootstrap/defaults/main.yml
new file mode 100644
index 0000000..c41faf3
--- /dev/null
+++ b/roles/bootstrap/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+# defaults file for bootstrap
diff --git a/roles/bootstrap/handlers/main.yml b/roles/bootstrap/handlers/main.yml
new file mode 100644
index 0000000..1ee063e
--- /dev/null
+++ b/roles/bootstrap/handlers/main.yml
@@ -0,0 +1,2 @@
+---
+# handlers file for bootstrap
diff --git a/roles/bootstrap/tasks/addUsersSudo.yml b/roles/bootstrap/tasks/addUsersSudo.yml
new file mode 100644
index 0000000..0d30573
--- /dev/null
+++ b/roles/bootstrap/tasks/addUsersSudo.yml
@@ -0,0 +1,26 @@
+---
+# tasks file for addUsersSudo
+
+- name: Add users to sudoers
+ blockinfile:
+ dest: "{{ rootDir }}etc/sudoers.d/{{ item }}"
+ create: yes
+ state: present
+ group: root
+ owner: root
+ mode: 0640
+ marker: "# {mark} ANSIBLE MANAGED BLOCK"
+ block: |
+ Defaults:{{ item }} !requiretty
+ {{ item }} ALL = (root) NOPASSWD:ALL
+ with_items:
+ - "{{ sudousers }}"
+- name: Add newline to sudoers (needed until blockinfile is fixed)
+ lineinfile:
+ dest: "{{ rootDir }}etc/sudoers.d/{{ item }}"
+ state: present
+ backrefs: yes
+ line: '\1 BLOCK\n'
+ regexp: '^(.*) BLOCK$'
+ with_items:
+ - "{{ sudousers }}"
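Review bot: `become: True` in playbooks/bootstrapconfig.yml uses a capitalized boolean; write it as `become: true` so the token means the same thing on YAML 1.1 and 1.2 parsers and passes yamllint's truthy check. The play also targets `hosts: all`, and with this role that means passwordless sudo and the operator's agent keys are installed on every inventory host; either restrict the play to a group or add a comment stating that the inventory used with this playbook is expected to contain only `openvpn` and `authca`, so the blast radius is explicit.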
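Review bot: The blockinfile task writing `{{ rootDir }}etc/sudoers.d/{{ item }}` has no `validate`, so a malformed fragment (a typo in the block, or an unexpected value in `sudousers`) is installed as-is and sudo then refuses every command on the host until the file is fixed by hand; add `validate: '/usr/sbin/visudo -cf %s'` to that task so the fragment is syntax-checked before it is put in place. The fragment deliberately grants `NOPASSWD:ALL`, so a one-line comment above the task stating that this is the bootstrap account's intended privilege would help the next reader. `mode: 0640` is an unquoted octal that a YAML 1.1 parser reads as the integer 416; Ansible still derives the right permission bits from the integer, but quoting it as `mode: '0640'` (or `'0440'`, the mode sudoers itself uses) removes the dependence on the parser, and `create: yes` / `backrefs: yes` should be `true` for the same reason.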
diff --git a/roles/bootstrap/tasks/configUserPrompt.yml b/roles/bootstrap/tasks/configUserPrompt.yml
new file mode 100644
index 0000000..56b77da
--- /dev/null
+++ b/roles/bootstrap/tasks/configUserPrompt.yml
@@ -0,0 +1,16 @@
+---
+# configure prompt for user
+
+- name: Configure prompt for user {{ username }}
+ blockinfile:
+ dest: "{{ basedir }}/{{ username }}/.bashrc"
+ create: yes
+ state: present
+ owner: "{{ username }}"
+ mode: 0640
+ marker: "# {mark} ANSIBLE MANAGED BLOCK"
+ block: |
+ if [ "$PS1" ]; then
+ domain=`hostname | cut -d \. -f 1,2`
+ PS1="[\u@\h.${domain} \W]\\$ "
+ fi
diff --git a/roles/bootstrap/tasks/main.yml b/roles/bootstrap/tasks/main.yml
new file mode 100644
index 0000000..ff8bff4
--- /dev/null
+++ b/roles/bootstrap/tasks/main.yml
@@ -0,0 +1,43 @@
+---
+# tasks file for bootstrap
+
+##### Users
+
+- name: Create users
+ user:
+ name: "{{ item }}"
+ comment: "{{ item }} User"
+ createhome: yes
+ home: "/home/{{ item }}"
+ shell: /bin/bash
+ uid: 20100
+ with_items:
+ - "{{ sudousers }}"
+
+- name: Gather pub keys from SSH-Agent on localhost
+ shell: ssh-add -L
+ changed_when: false
+ become: false
+ register: ssh_keys
+ delegate_to: 127.0.0.1
+
+- name: Prepare authorized_keys
+ authorized_key:
+ key: "{{ item[1] }}"
+ manage_dir: yes
+ state: present
+ user: "{{ item[0] }}"
+ with_nested:
+ - "{{ sudousers }}"
+ - "{{ ssh_keys.stdout }}"
+
+- include: addUsersSudo.yml rootDir=/
+
+##### Setup user prompt and keys
+
+- include: configUserPrompt.yml username=root basedir=
+ tags: configUserPrompt
+- include: configUserPrompt.yml username={{ item }} basedir=/home
+ with_items:
+ - "{{ sudousers }}"
+ tags: configUserPrompt
diff --git a/roles/bootstrap/tests/inventory b/roles/bootstrap/tests/inventory
new file mode 100644
index 0000000..d18580b
--- /dev/null
+++ b/roles/bootstrap/tests/inventory
@@ -0,0 +1 @@
+localhost
\ No newline at end of file
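Review bot: The prompt in the block scalar sets `domain` to the first two labels of `hostname` and then prints `\h.${domain}`, but bash's `\h` is already the first label, so a host named host.example.org would show `host.host.example`; if a user@fqdn prompt is what is wanted, `\H` alone (or `cut -d . -f 2,3` for the domain part) avoids the duplicated label — worth confirming with the author, since the intent is not stated. The file is created with `owner: "{{ username }}"` but no `group`, so a freshly created `.bashrc` presumably ends up with the group of the process that created it (root, under become) rather than the user's primary group; add `group: "{{ username }}"` next to `owner`. As in addUsersSudo.yml, `mode: 0640` and `create: yes` should be written as the quoted string `'0640'` and `true`.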
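Review bot: `uid: 20100` in the Create users task is a fixed value inside a loop over `sudousers`, so the first time that list holds more than one name the second account fails to be created, because useradd rejects a uid already in use and the module's `non_unique` option is not set; drop `uid:` and let the system allocate it, or make `sudousers` a list of name/uid mappings so each item carries its own. The Prepare authorized_keys task installs every identity currently loaded in the operator's local agent (the whole `ssh-add -L` output), not just the deployment key, so any unrelated key that happens to be in the agent becomes passwordless-sudo access on every host; a dedicated variable holding the intended public key(s), with the agent output used only when it is unset, would bound that, and the task name or a comment should say where the keys come from. The bare `include:` form used for the three task includes has been deprecated since Ansible 2.4; `import_tasks:` with a `vars:` mapping for `rootDir`, `username` and `basedir` is the supported spelling for the first two, and the looped one needs `include_tasks:` since `import_tasks` does not accept `with_items`.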
diff --git a/roles/bootstrap/tests/test.yml b/roles/bootstrap/tests/test.yml
new file mode 100644
index 0000000..c6da57d
--- /dev/null
+++ b/roles/bootstrap/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+ remote_user: root
+ roles:
+ - bootstrap
\ No newline at end of file
diff --git a/roles/bootstrap/vars/main.yml b/roles/bootstrap/vars/main.yml
new file mode 100644
index 0000000..88ad736
--- /dev/null
+++ b/roles/bootstrap/vars/main.yml
@@ -0,0 +1,5 @@
+---
+# vars file for bootstrap
+
+sudousers:
+ - ansible
-- 
GitLab
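Review bot: `sudousers` is defined in roles/bootstrap/vars/main.yml, which takes precedence over inventory and playbook variables, so an operator cannot change which accounts receive passwordless sudo and the agent's SSH keys without editing the role; roles/bootstrap/defaults/main.yml, which this commit leaves as an empty stub, is where a value meant to be tunable belongs. Move the two lines there, keep vars/main.yml for true constants, and put a comment such as `# Accounts created with passwordless sudo and the local agent's SSH keys; override per inventory` above the list so the security implication of adding a name is visible where it is edited.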