From f0b33a8b579bbf2a161fe873525fd1aea07f6ad3 Mon Sep 17 00:00:00 2001
From: Maxim Vershinin
Date: Sun, 5 Jul 2026 15:43:23 +0000
Subject: [PATCH] FEATURE: Simple playbook for configuring Ansible user implement. One host, simple vault, script to run it. Task creates user, grants sudo
---
 data/secrets template.yaml | 7 ++++
 data/secrets.yaml | 21 ++++++++++
 inventory/deploy/hosts.yaml | 7 ++++
 inventory/maintain/hosts.yaml | 2 +
 playbooks/deploy.yaml | 17 ++++++++
 .../prepare_ansible_user.yaml | 41 +++++++++++++++++++
 roles/0_basic_postinstall/tasks/main.yaml | 3 ++
 run_playbook.sh | 2 +
 8 files changed, 100 insertions(+)
 create mode 100644 data/secrets template.yaml
 create mode 100644 data/secrets.yaml
 create mode 100644 inventory/deploy/hosts.yaml
 create mode 100644 inventory/maintain/hosts.yaml
 create mode 100644 playbooks/deploy.yaml
 create mode 100644 roles/0_basic_postinstall/prepare_ansible_user.yaml
 create mode 100644 roles/0_basic_postinstall/tasks/main.yaml
 create mode 100644 run_playbook.sh
diff --git a/data/secrets template.yaml b/data/secrets template.yaml
new file mode 100644
index 0000000..dad995a
--- /dev/null
+++ b/data/secrets template.yaml
@@ -0,0 +1,7 @@
+---
+# Password for Ansible user
+ansible_become_password: p@a$$word
+# SSH key for Ansible user
+ansible_ssh_key: $$h_key
+# Password for the default unprivileged user
+user_password: p@a$$word
\ No newline at end of file
diff --git a/data/secrets.yaml b/data/secrets.yaml
new file mode 100644
index 0000000..087823e
--- /dev/null
+++ b/data/secrets.yaml
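Review bot: `ansible_ssh_key` is consumed by the `ansible.posix.authorized_key` task in this commit as the public key to authorize, but the comment `# SSH key for Ansible user` does not say which half of the key pair is meant, and someone filling in the template could paste a private key into a file that then gets vault-encrypted and committed; change it to `# SSH public key (contents of the .pub file) to authorize for the ansible user`. The sample values `p@a$$word` and `$$h_key` read like real credentials; obviously fake, quoted placeholders such as `ansible_become_password: "CHANGE_ME"` make the template's purpose unambiguous and keep the scalars strings whatever the user fills in. The file name `secrets template.yaml` contains a space, which is awkward for the shell-driven workflow this commit introduces; `secrets.example.yaml` would avoid the quoting problem.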
@@ -0,0 +1,21 @@
+$ANSIBLE_VAULT;1.1;AES256
+66633664323430633839313237323961383861313238613533373836343632623630373236363931
+3938336530333965623137333061383430306630333936340a393334613631346536666435303536
+63623437393938303032333431386433383532313663303164633639383966666331666639316161
+3934336133623933660a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
diff --git a/inventory/deploy/hosts.yaml b/inventory/deploy/hosts.yaml
new file mode 100644
index 0000000..6c99f80
--- /dev/null
+++ b/inventory/deploy/hosts.yaml
@@ -0,0 +1,7 @@
+---
+physical:
+ vars_files:
+ ../../data/secrets.yaml
+ hosts:
+ 192.168.0.5:
+ ansible_become_password: "{{ ansible_become_password }}"
\ No newline at end of file
diff --git a/inventory/maintain/hosts.yaml b/inventory/maintain/hosts.yaml
new file mode 100644
index 0000000..cd21505
--- /dev/null
+++ b/inventory/maintain/hosts.yaml
@@ -0,0 +1,2 @@
+---
+
diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml
new file mode 100644
index 0000000..ce69927
--- /dev/null
+++ b/playbooks/deploy.yaml
@@ -0,0 +1,17 @@
+---
+- name: Basic Proxmox guest deployment
+ hosts: all
+ remote_user: root
+ roles:
+ - ../roles/0_basic_postinstall
+ vars_files:
+ ../data/secrets.yaml
+ vars:
+ ansible_user_passwd_hash: "{{ ansible_become_password | password_hash('sha512', 's3edscrj45e6r') }}"
+ user_passwd_hash: "{{ user_password | password_hash('sha512', 's3ed6123jhgcr') }}"
+
+ handlers:
+ - name: restart sshd
+ service:
+ name: sshd
+ state: restarted
\ No newline at end of file
diff --git a/roles/0_basic_postinstall/prepare_ansible_user.yaml b/roles/0_basic_postinstall/prepare_ansible_user.yaml
new file mode 100644
index 0000000..b6421a1
--- /dev/null
+++ b/roles/0_basic_postinstall/prepare_ansible_user.yaml
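Review bot: `vars_files` is not an inventory keyword — the YAML inventory plugin only recognises `hosts`, `vars` and `children` under a group, so the `vars_files:` entry under `physical` is skipped (with a warning) rather than loading `../../data/secrets.yaml`; the secrets file is already loaded by `vars_files` in `playbooks/deploy.yaml`, so these two lines can be dropped. The host var `ansible_become_password: "{{ ansible_become_password }}"` defines the variable in terms of itself; with the play-level value in scope it is at best redundant, and if that value were ever missing it would presumably fail with a recursive template error, so remove it too and let the play's `vars_files` supply the become password. If a per-host override is really wanted, put the literal in a vault-encrypted `host_vars/192.168.0.5.yaml` rather than a self-reference.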
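Review bot: `password_hash('sha512', 's3edscrj45e6r')` and `password_hash('sha512', 's3ed6123jhgcr')` use fixed salts committed in clear text, so every host provisioned from this playbook gets the identical hash for the same password and a leaked hash from one host is directly comparable with every other; the fixed salt is presumably there to keep the `user` task idempotent, which the documented Ansible idiom gives per host: `ansible_user_passwd_hash: "{{ ansible_become_password | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"` (and the same for `user_passwd_hash`). `vars_files:` is given a bare scalar `../data/secrets.yaml`; the keyword takes a list, so write `vars_files:` / `  - ../data/secrets.yaml` to match the documented form even if the loader tolerates a string. The `restart sshd` handler is not notified by any task in this commit and nothing here changes `sshd_config`, although the task file's comment says password authentication will be disabled; either add that task with `notify: restart sshd` or drop the handler until it exists.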
@@ -0,0 +1,41 @@
+---
+## Installing packages
+- name: Install sudo on apt systems
+ when: (ansible_facts['distribution'] == "Debian") or
+ (ansible_facts['distribution'] == "Ubuntu")
+ apt:
+ name:
+ - sudo
+ update-cache: yes
+
+- name: Update Alpine packages
+ when: (ansible_facts['distribution'] == "Alpine")
+ command: /sbin/apk update
+
+- name: Install sudo package on Alpine
+ when: (ansible_facts['distribution'] == "Alpine")
+ command: /sbin/apk add sudo
+
+
+## Creating and setting up the ansible user
+## First, create sshusers group to grant ssh access
+- name: Ensure group "sshusers" exists
+ ansible.builtin.group:
+ name: sshusers
+ state: present
+
+## Add the user to its own group, sshusers (for ssh access) and sudo (gain root access)
+- name: Create a new user with a password for Ansible
+ user:
+ name: ansible
+ password: "{{ ansible_user_passwd_hash }}"
+
+ groups: ansible,sshusers,sudo
+ append: yes
+
+## Since password authentication in SSH will be disabled, we need to add an authorized key
+- name: Set authorized key taken from file
+ ansible.posix.authorized_key:
+ user: ansible
+ state: present
+ key: "{{ ansible_ssh_key }}"
\ No newline at end of file
diff --git a/roles/0_basic_postinstall/tasks/main.yaml b/roles/0_basic_postinstall/tasks/main.yaml
new file mode 100644
index 0000000..ed3da0c
--- /dev/null
+++ b/roles/0_basic_postinstall/tasks/main.yaml
@@ -0,0 +1,3 @@
+---
+- name: Create and set up Ansible user and environment
+ ansible.builtin.include_tasks: prepare_ansible_user.yaml
\ No newline at end of file
diff --git a/run_playbook.sh b/run_playbook.sh
new file mode 100644
index 0000000..1526cd6
--- /dev/null
+++ b/run_playbook.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+ansible-playbook -i inventory/deploy/hosts.yaml playbooks/deploy.yaml --private-key ~/.ssh/ansible_key
\ No newline at end of file
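Review bot: `groups: ansible,sshusers,sudo` puts the `ansible` user into a group named `sudo`, which exists on Debian/Ubuntu but not by default on Alpine (whose admin group is `wheel`), so on the Alpine path the `user` task is likely to fail because the group is missing, and even if it existed nothing in this commit grants that group sudo rights there; either create the group and its sudoers entry explicitly before this task or pick the group name per distribution. The Alpine steps use raw `command: /sbin/apk update` / `/sbin/apk add sudo`, which report changed on every run; `community.general.apk` with `name: sudo`, `state: present` and `update_cache: true` would be idempotent and mirror the `apt` task. `update-cache: yes` and `append: yes` should be `update_cache: true` and `append: true` (canonical parameter name, lowercase booleans). The comment `## Since password authentication in SSH will be disabled` describes a task that does not exist in this commit; reword it to `## An authorized key is required so the user can still log in once SSH password authentication is disabled`, or add the task it refers to.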
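Review bot: `ansible.builtin.include_tasks: prepare_ansible_user.yaml` names a file that this commit places in the role root (`roles/0_basic_postinstall/prepare_ansible_user.yaml`) rather than under `roles/0_basic_postinstall/tasks/`; role-relative task includes are resolved against the role's `tasks/` directory first, and whether the role-root fallback is found is not something this hunk guarantees, so move the file into `tasks/` where the role layout expects it and where other readers will look for it.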
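Review bot: The command runs a playbook whose `vars_files` entry is `data/secrets.yaml`, which this commit adds vault-encrypted, yet it passes no vault credential, so unless `ANSIBLE_VAULT_PASSWORD_FILE` or an `ansible.cfg` `vault_password_file` is configured outside the repository the run fails when the vault is decrypted; add `--ask-vault-pass` (or a `--vault-id` option) to the `ansible-playbook` line. The inventory and playbook paths are relative, so the script only works from the repository root; `cd "$(dirname "$0")" || exit 1` as the first line after the shebang, plus `"$@"` at the end of the command so extra options such as `--check` can be forwarded, would make it robust to where it is invoked from.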