From 7456afed0f3ea10ca9f070c716f6c5f69601c2ee Mon Sep 17 00:00:00 2001
From: Michael Pellegrino
Date: Tue, 28 Jun 2022 18:06:59 -0400
Subject: [PATCH] -changes to ssh key deployment -simplified instructions -attempt to prevent connman from installing - causes multiple ip's -cleanup some unused tasks -move openvpn to separate role
---
 README.md | 3 +-
 main.yaml | 25 ++++--------
 playbook.yaml | 61 ++++++----------------------
 roles/common/tasks/main.yaml | 33 +++++----------
 roles/common/vars/os_Debian_10.yml | 1 -
 roles/common/vars/os_Raspbian_10.yml | 1 -
 roles/common/vars/os_Raspbian_11.yml | 1 -
 roles/common/vars/os_Raspbian_9.yml | 1 -
 roles/common/vars/os_Ubuntu_18.yml | 1 -
 roles/common/vars/os_Ubuntu_20.yml | 1 -
 roles/common/vars/os_Ubuntu_22.yml | 1 -
 roles/openvpn/taks/main.yaml | 30 ++++++++++++++
 12 files changed, 61 insertions(+), 98 deletions(-)
 create mode 100644 roles/openvpn/taks/main.yaml
diff --git a/README.md b/README.md
index b09d14b..357f3ad 100644
--- a/README.md
+++ b/README.md
@@ -91,8 +91,7 @@ The Goal is to evenually be able to be a turnkey solution to spin up a "real" ne
 * execute _**ansible-galaxy collection install -r requirements.yml**_
 * execute _**nano ../hosts**_ and follow the instructions in that file to add all of your Pi devices
 * execute _**ssh-keygen -t rsa**_ you will need to press enter three times to accept the defaults
- * execute _**PUBKEY="'$(<~/.ssh/id_rsa.pub)'" && ansible-playbook -i ../hosts deploy_authorized_keys.yml --ask-pass --extra-vars="pubkey=$PUBKEY"**_ it will prompt for the password which is still 'raspberry
- * execute _**ansible-playbook -i ../hosts main.yaml --ask-become-pass**_ it will ask for the password which is still 'raspberry'
+ * execute _**ansible-playbook -i ../hosts main.yaml -k -K**_ it will ask for the password which is still 'raspberry then you can enter a different username/password if needed'
 * after it completes without errors
 * execute _**ansible-playbook -i ../hosts reboot.yaml**_ and wait for it to complete
 * execute _**sudo reboot**_
diff --git a/main.yaml b/main.yaml
index 276d5a9..ece8024 100644
--- a/main.yaml
+++ b/main.yaml
@@ -18,24 +18,13 @@
 - set_fact: def_password={{ def_pass }}
 no_log:
- - name: make direcotry
- file:
- path: "/home/{{ def_username }}/.ssh"
- owner: "{{ def_username }}"
- group: "{{ def_username }}"
- mode: '0700'
- state: directory
- - name: create empty file
- file:
- path: "/home/{{ def_username }}/.ssh/authorized_keys"
- owner: "{{ def_username }}"
- group: "{{ def_username }}"
- mode: '0644'
- state: touch
- - name: put pubkey
- lineinfile:
- path: "/home/{{ def_username }}/.ssh/authorized_keys"
- line: "{{ pubkey }}"
+ - name:
+ ansible.posix.authorized_key:
+ user: "{{ def_username }}"
+ state: present
+ key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
+
+
 - hosts: update
 roles:
 - update
diff --git a/playbook.yaml b/playbook.yaml
index fd276e9..efb634f 100644
--- a/playbook.yaml
+++ b/playbook.yaml
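Review bot: The new `ansible.posix.authorized_key` task in main.yaml has an empty `name:`, which parses as null, and it hard-codes the controller-side key path `~/.ssh/id_rsa.pub`; `- name: deploy controller public key to authorized_keys` and `key: "{{ lookup('file', pubkey_path | default('~/.ssh/id_rsa.pub')) }}"` keep the simplification while letting a caller point at a different key (the README still tells users to run `ssh-keygen -t rsa`, so the default preserves that flow). The `lookup('file', ...)` runs on the controller, so a missing key file now fails the play at this task instead of at the old `--extra-vars` step, which is reasonable but deserves a line in the README. The bare `no_log:` on the context line just above appears to parse as null rather than `true`, so it may not actually keep `def_pass` out of the `set_fact` output — presumably not what was intended; worth confirming.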
@@ -1,52 +1,17 @@
 ---
 - hosts: all
 tasks:
- - name: Upgrade all packages o the latest version
- become: true
- apt:
- upgrade: yes
- update_cache: yes
- tags: apt_upgrade
-- hosts: pi
- tasks:
- - name: Install snmpd Package
- become: yes
- apt:
- name: ['snmpd']
- state: present
- update_cache: true
- tags: install_snmpd
- - lineinfile:
- path: /etc/snmp/snmpd.conf
- state: present
- regexp: "{{ item.regexp }}"
- line: "{{ item.line }}"
- with_items:
- - { regexp: ' rocommunity public', line: ' rocommunity public' }
- - { regexp: 'agentAddress udp:127.0.0.1:161', line: 'agentAddress udp:161' }
- tags: configure_snmpd
- become: true
- - name: enable snmpd service and ensure it is not masked
- systemd:
- name: snmpd
- enabled: yes
- masked: no
- state: restarted
- tags: enablestart_snmpd
- become: true
- - name: set timezone
- become: true
- timezone:
- name: America/New_York
- tags: set_timezone
+ - name: Upgrade all packages o the latest version
+ become: true
+ apt:
+ upgrade: yes
+ update_cache: yes
+ tags: apt_upgrade
+
+ - name: remove connman
+ become: yes
+ ansible.builtin.apt:
+ name: connman
+ state: absent
+ purge: yes
-- hosts: smbclient
- tasks:
- - name: enable cron job for smb traffic
- cron:
- name: "smbtraff"
- minute: "*/20"
- hour: "7-18"
- weekday: "1-5"
- job: "/usr/bin/perl -e 'sleep int rand 1199' && /home/{{ def_username }}/scripts/smb-session.sh"
- tags: smbtraff_cron
diff --git a/roles/common/tasks/main.yaml b/roles/common/tasks/main.yaml
index 9ed34f5..64a0c90 100644
--- a/roles/common/tasks/main.yaml
+++ b/roles/common/tasks/main.yaml
@@ -20,6 +20,16 @@
 content: "{{ lookup('template', '{{ role_path }}/templates/hosts.j2') }}"
 state: present
 tags: update_hosts
+- name: update package cache
+ become: true
+ ansible.builtin.apt:
+ update_cache: yes
+- name: hold connman - using netplan
+ become: true
+ dpkg_selections:
+ name: connman
+ selection: hold
+
 - name: install required packages
 become: true
 package:
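Review bot: The `remove connman` task in playbook.yaml purges connman on `hosts: all` with no check on what currently manages the host's network; on a host where connman owns the interface carrying the SSH session, the purge is likely to drop the connection mid-play, so a `when:` guard on `ansible_distribution` (or on a variable recording that the host uses netplan) would make the intended scope explicit — this is inferred, since the commit message only says connman "causes multiple ip's". In the same hunk `become: yes` sits next to `become: true`, and `upgrade: yes` / `update_cache: yes` / `purge: yes` rely on YAML 1.1 truthy values; `true` throughout keeps the file consistent and satisfies yamllint's `truthy` rule. The task name `Upgrade all packages o the latest version` still carries the typo `o` for `to`.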
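Review bot: The `hold connman - using netplan` task in roles/common/tasks/main.yaml sets the dpkg hold unconditionally, yet this role's vars in the same commit cover Raspbian 9–11 as well as Debian/Ubuntu, and Raspbian as far as I know does not use netplan, so the justification in the task name does not apply to every target; a `when:` on `ansible_distribution` or a role variable would document where the hold is meant to apply. If anything in `dependency_packages` depends on connman, the hold turns the following `install required packages` task into a hard failure rather than quietly pulling connman in — probably the intended behaviour, but worth a comment such as `# hold also blocks connman as a dependency; the install task fails loudly instead of pulling it in`. Neither new task carries `tags:`, unlike the surrounding `update_hosts` / `set_hostname` tasks, so they cannot be selected or skipped with `--tags`; `tags: hold_connman` on both would match the file's convention. The `update package cache` task refreshes on every run; `cache_valid_time: 3600` is the usual way to avoid the repeated fetch.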
@@ -30,29 +40,6 @@
 hostname:
 name: '{{ inventory_hostname }}'
 tags: set_hostname
-- name: enable openvpn
- become: true
- service:
- name: openvpn
- enabled: yes
- tags: enable_openvpn
- register: openvpn_enabled
-- name: enable openvpn config
- become: true
- lineinfile:
- path: /etc/default/openvpn
- state: present
- regexp: '^#AUTOSTART="all"'
- line: 'AUTOSTART="all"'
- tags: enable_openvpn
-- name: start openvpn
- become: true
- systemd:
- daemon_reload: yes
- name: openvpn
- state: restarted
- tags: enable_openvpn
- when: openvpn_enabled
 - name: allow pi to sudo without pw
 lineinfile:
 path: /etc/sudoers
diff --git a/roles/common/vars/os_Debian_10.yml b/roles/common/vars/os_Debian_10.yml
index 3214ac2..e13cfb9 100644
--- a/roles/common/vars/os_Debian_10.yml
+++ b/roles/common/vars/os_Debian_10.yml
@@ -7,4 +7,3 @@ dependency_packages:
 - screen
 - cockpit-storaged
 - cockpit
- - openvpn
diff --git a/roles/common/vars/os_Raspbian_10.yml b/roles/common/vars/os_Raspbian_10.yml
index 7be703a..9254d00 100644
--- a/roles/common/vars/os_Raspbian_10.yml
+++ b/roles/common/vars/os_Raspbian_10.yml
@@ -16,7 +16,6 @@ dependency_packages:
 - smbclient
 - ncurses-dev
 - build-essential
- - openvpn
 - lightdm
 - lxde
 - realvnc-vnc-server
diff --git a/roles/common/vars/os_Raspbian_11.yml b/roles/common/vars/os_Raspbian_11.yml
index 7be703a..9254d00 100644
--- a/roles/common/vars/os_Raspbian_11.yml
+++ b/roles/common/vars/os_Raspbian_11.yml
@@ -16,7 +16,6 @@ dependency_packages:
 - smbclient
 - ncurses-dev
 - build-essential
- - openvpn
 - lightdm
 - lxde
 - realvnc-vnc-server
diff --git a/roles/common/vars/os_Raspbian_9.yml b/roles/common/vars/os_Raspbian_9.yml
index 7be703a..9254d00 100644
--- a/roles/common/vars/os_Raspbian_9.yml
+++ b/roles/common/vars/os_Raspbian_9.yml
@@ -16,7 +16,6 @@ dependency_packages:
 - smbclient
 - ncurses-dev
 - build-essential
- - openvpn
 - lightdm
 - lxde
 - realvnc-vnc-server
diff --git a/roles/common/vars/os_Ubuntu_18.yml b/roles/common/vars/os_Ubuntu_18.yml
index 37ed7b7..f000fcb 100644
--- a/roles/common/vars/os_Ubuntu_18.yml
+++ b/roles/common/vars/os_Ubuntu_18.yml
@@ -3,7 +3,6 @@ dependency_packages:
 - vim
 - mc
 - build-essential
- - openvpn
 - aptitude
 - mtr
 - screen
diff --git a/roles/common/vars/os_Ubuntu_20.yml b/roles/common/vars/os_Ubuntu_20.yml
index ee8bd30..389138c 100644
--- a/roles/common/vars/os_Ubuntu_20.yml
+++ b/roles/common/vars/os_Ubuntu_20.yml
@@ -3,7 +3,6 @@ dependency_packages:
 - vim
 - mc
 - build-essential
- - openvpn
 - aptitude
 - mtr
 - screen
diff --git a/roles/common/vars/os_Ubuntu_22.yml b/roles/common/vars/os_Ubuntu_22.yml
index c6cb1a9..a45521e 100644
--- a/roles/common/vars/os_Ubuntu_22.yml
+++ b/roles/common/vars/os_Ubuntu_22.yml
@@ -3,7 +3,6 @@ dependency_packages:
 - vim
 - mc
 - build-essential
- - openvpn
 - aptitude
 - mtr
 - screen
diff --git a/roles/openvpn/taks/main.yaml b/roles/openvpn/taks/main.yaml
new file mode 100644
index 0000000..0b9f260
--- /dev/null
+++ b/roles/openvpn/taks/main.yaml
@@ -0,0 +1,30 @@
+---
+- name: install openvpn
+ ansible.builtin.apt:
+ name: openvpn
+ state: present
+ update_cache: yes
+
+- name: enable openvpn
+ become: true
+ service:
+ name: openvpn
+ enabled: yes
+ tags: enable_openvpn
+ register: openvpn_enabled
+- name: enable openvpn config
+ become: true
+ lineinfile:
+ path: /etc/default/openvpn
+ state: present
+ regexp: '^#AUTOSTART="all"'
+ line: 'AUTOSTART="all"'
+ tags: enable_openvpn
+- name: start openvpn
+ become: true
+ systemd:
+ daemon_reload: yes
+ name: openvpn
+ state: restarted
+ tags: enable_openvpn
+ when: openvpn_enabled
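Review bot: The new role's task file is created at `roles/openvpn/taks/main.yaml` (the diffstat and the `create mode` line agree on that spelling), but Ansible only loads a role's tasks from `roles/<role>/tasks/main.yaml`, so as committed the openvpn role runs nothing and the `openvpn` package dropped from every `dependency_packages` list in this commit is simply no longer installed; the directory needs to be renamed to `tasks`. The `install openvpn` task is the only one in the file without `become: true`, so `ansible.builtin.apt` will fail on permissions unless the calling play sets become at play level, which is not visible here. `when: openvpn_enabled` tests the registered result dictionary, which is always truthy, so the `state: restarted` task runs on every play; `when: openvpn_enabled is changed` restarts only when the service's enabled state actually changed and removes the non-idempotent restart. `AUTOSTART="all"` also brings up every config present under `/etc/openvpn` at boot, which is a deliberate choice for this lab but deserves a one-line comment on the `enable openvpn config` task so nobody later drops an unrelated `.conf` there expecting it to stay inert.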