---
# sudo must be preinstalled if you are using become
- name: Bootstrap python
  hosts: workshop_instances
  # Fact gathering is itself a Python module, so it is skipped until the
  # interpreter has been put in place by the task below.
  gather_facts: false
  pre_tasks:
    - name: Bootstrap Python3 for Ansible
      # raw needs no Python on the target; the folded scalar is one shell line.
      raw: >-
        bash -c "test -e /usr/bin/python3
        || (apt -qqy update && apt install -qqy python3)"
      register: output
      # The `test -e` branch prints nothing, so any stdout means apt ran.
      changed_when: output.stdout != ""
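- name: Configure workshop VMs
  hosts: workshop_instances
  tasks:
    # TODO: this is not generic enough for users named anything other than Ubuntu
    # NOTE(review): the private half of id_rsa lands on every training machine
    # and its public half is authorized on every machine (below), so each VM can
    # ssh into all the others. Acceptable for a throwaway workshop fleet; rotate
    # the key when the fleet is torn down.
    - name: Copy ssh key to training machines
      copy:
        src: id_rsa
        dest: /home/ubuntu/.ssh/id_rsa
        owner: ubuntu
        group: ubuntu
        mode: '0600'

    - name: Fix hostname
      hostname:
        name: "{{ inventory_hostname }}"

    - name: "Add Region Key {{ ansible_ssh_private_key_file }}.pub to authorized keys"
      authorized_key:
        user: ubuntu
        state: present
        key: "{{ lookup('file', ansible_ssh_private_key_file + '.pub') }}"

    - name: "Add remote id_rsa to authorized_keys (allows ssh to localhost)"
      authorized_key:
        user: ubuntu
        state: present
        key: "{{ lookup('file', 'id_rsa.pub') }}"

    # Fleet-wide admin key: whoever holds its private half reaches every VM.
    - name: "Add one key to rule them all to authorized keys"
      authorized_key:
        user: ubuntu
        state: present
        key: "{{ lookup('file', 'gat-one-key-to-rule-them-all.pub') }}"

    - name: Disable cgroupv2
      copy:
        content: |
          GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT systemd.unified_cgroup_hierarchy=0 systemd.legacy_systemd_cgroup_controller=1"
        dest: /etc/default/grub.d/99-cgroupv1.cfg
        mode: '0644'
      # Handlers fire in the order they are defined under `handlers:`, so
      # update-grub runs before the reboot whatever the order of this list.
      notify:
        - update-grub
        - reboot

    - name: Switch to kiwi update servers
      copy:
        content: |
          deb http://nz.archive.ubuntu.com/ubuntu/ focal main restricted universe multiverse
          deb http://nz.archive.ubuntu.com/ubuntu/ focal-updates main restricted universe multiverse
          deb http://nz.archive.ubuntu.com/ubuntu/ focal-backports main restricted universe multiverse
          deb http://nz.archive.ubuntu.com/ubuntu/ focal-security main restricted universe multiverse
        dest: /etc/apt/sources.list.d/au_archive_ubuntu_com_ubuntu.list
        mode: '0644'
      when: "'workshop_oz' in group_names"
      tags:
        - upgrades

    - name: Update repos
      apt:
        update_cache: true
        cache_valid_time: 900
      tags:
        - upgrades

    - name: Upgrade packages
      apt:
        # 'yes' is an apt-module choice (dist/full/no/safe/yes), not a boolean;
        # quoted so the YAML parser does not turn it into `true`.
        upgrade: 'yes'
        autoremove: true
      notify:
        - reboot
      tags:
        - upgrades

    # Password logins are enabled so attendees can use the generated password
    # (see "Manage passwords" below). While this is on, keep the hosts reachable
    # only from the attendee network (firewall / security group) and tear them
    # down when the workshop ends.
    - name: Ensure sshd allows password auth
      replace:
        path: "/etc/ssh/sshd_config"
        # The old pattern required whitespace after "no" (\s+ then .*), so the
        # usual form "PasswordAuthentication no" with nothing after it was
        # silently left untouched. \b matches the end of "no" with or without
        # trailing whitespace or a comment.
        regexp: '^PasswordAuthentication\s+no\b.*$'
        replace: 'PasswordAuthentication yes # set by Ansible'
        # Refuse to write a config sshd cannot load, so the restart below can
        # never lock us out of the host.
        validate: '/usr/sbin/sshd -t -f %s'
      register: __ssh_config_change
      # NOTE(review): if the image's sshd_config includes /etc/ssh/sshd_config.d/*.conf,
      # a drop-in there can still override this line - confirm on the image.

    - name: Restart sshd for config changes
      service:
        name: ssh
        state: restarted
      when: __ssh_config_change is changed

    - name: Install other packages
      package:
        name:
          - acl
          - bc
          - sudo
          - make
          - build-essential
          - git
          - nano
          - vim-nox
          - vim-pathogen
          - emacs-nox
          - virtualenv
          - python3-pip
          - jq
          - htop
          - zlib1g-dev
          - libbz2-dev  # planemo -> samtools
          - liblzma-dev  # planemo -> samtools
          - tree
          - byobu
          - screen
          - cockpit  # web console
          - moreutils  # for gat-cli
          - silversearcher-ag  # For @hexylena
        state: latest
      tags:
        - packages

    # fail2ban is removed while password auth is on, so there is no on-host
    # throttling of login attempts; the network perimeter has to provide it.
    - name: Ensure unnecessary stuff is purged
      package:
        name:
          - python
          - fail2ban
          - snapd
          - emacs-lucid
          - emacs-gtk
        state: absent

    - name: Create the cockpit.socket drop-in directory
      file:
        path: "/etc/systemd/system/cockpit.socket.d"
        state: directory
        mode: '0755'

    # This drop-in is written exactly once. Writing it a second time with a
    # different mode (as the play used to do at its end, 0644 then 0755) left
    # the file alternating between modes on every run and restarted the socket
    # before the final write. A unit file needs no execute bit. Cockpit
    # authenticates with the system accounts, so the same network restriction
    # as for sshd applies to port 8080.
    - name: Have cockpit listen on port 8080
      copy:
        content: |
          [Socket]
          ListenStream=
          ListenStream=8080
        dest: "/etc/systemd/system/cockpit.socket.d/override.conf"
        owner: root
        group: root
        mode: '0644'
      notify:
        - restart cockpit.socket

    #- name: Enable pathogen for all users
    #  command: vim-addons -w install pathogen
    - name: Add pathogen infect to global vimrc
      copy:
        content: |
          execute pathogen#infect()
          set paste
        dest: "/etc/vim/vimrc.local"
        mode: '0644'

    - name: Install pearofducks/ansible-vim for all users
      git:
        repo: "https://github.com/pearofducks/ansible-vim"
        dest: /etc/vim/bundle/ansible-vim

    - name: Correct editor selected
      alternatives:
        name: editor
        path: /bin/nano

    - name: Install pip packages
      pip:
        name:
          - ansible
          - planemo
        executable: pip3
        state: latest

    # The Let's Encrypt *staging* roots go into the system trust store so
    # certbot can be exercised against staging without certificate errors on
    # the VM. This is a trust decision: anything the staging CA signs is then
    # accepted by every tool on these hosts that uses the system bundle.
    - name: Download the "Fake LE Root X1" certificate
      get_url:
        url: https://letsencrypt.org/certs/staging/letsencrypt-stg-root-x1.pem
        dest: /usr/local/share/ca-certificates/fakeleroot-x1.crt
      register: __fake_le_root
      tags:
        - certbot

    - name: Download the "Fake LE Root X2" certificate
      get_url:
        url: https://letsencrypt.org/certs/staging/letsencrypt-stg-root-x2.pem
        dest: /usr/local/share/ca-certificates/fakeleroot-x2.crt
      register: __fake_le_root2
      tags:
        - certbot

    - name: Update CA certificates
      command: update-ca-certificates
      when: __fake_le_root is changed or __fake_le_root2 is changed
      tags:
        - certbot

    # Replaces any existing .bash_aliases for the ubuntu user.
    - name: Ensure CA is used instead of certifi for requests bundle
      copy:
        content: |
          export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
        dest: /home/ubuntu/.bash_aliases
        owner: ubuntu
        group: ubuntu
        mode: '0750'
      tags:
        - certbot

    - name: Enable byobu for users (forcing them into a Screen/TMUX session on login via ssh)
      command: byobu-launcher-install
      become: true
      become_user: ubuntu

    - name: Add gat-cli command for users
      copy:
        src: gat-cli
        dest: /usr/bin/gat
        owner: root
        group: root
        mode: '0755'
      tags:
        - gat-cli

    - name: Add galaxy-create-user command for testing
      copy:
        src: galaxy-create-user.py
        dest: /usr/bin/galaxy-create-user
        owner: root
        group: root
        mode: '0755'
      tags:
        - gat-cli

    - name: Manage passwords
      block:
        - name: Install pwgen as needed
          package:
            name:
              - pwgen

        # For some instances, they don't come pre-configured with a password, so we do that now.
        # pwgen -H seeds from the named file, so the password is a deterministic
        # function of /etc/hostname: same hostname, same password, every run.
        - name: Generate a host-specific password
          command: |
            /usr/bin/pwgen -H /etc/hostname 10 1
          register: actual_pw
          # Pure read; reporting "changed" on every run only adds noise.
          changed_when: false
          # Keep the cleartext out of the play output and log files.
          no_log: true

        - name: Set a password if requested
          user:
            name: ubuntu
            # The salt is derived per host from the inventory name: stable
            # across runs (so the task stays idempotent) but not shared between
            # hosts, unlike the single fixed salt used before, which gave every
            # host with the same password the same hash.
            password: "{{ actual_pw.stdout | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"
          no_log: true
        #- name: "Output password for admins"
        #  debug:
        #    msg: "password: {{ inventory_hostname }} {{ actual_pw.stdout }}"
      # Defaults to not touching passwords when the variable is not set at all
      # (the bare `set_password|bool` failed on an undefined variable).
      when: set_password | default(false) | bool
      tags:
        - password

  handlers:
    - name: update-grub
      command: /usr/sbin/update-grub

    - name: restart cockpit.socket
      ansible.builtin.systemd:
        name: cockpit.socket
        daemon_reload: true
        state: restarted

    # Defined last so update-grub (and the socket restart) run before the
    # machine goes down.
    - name: reboot
      reboot: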