-changes to ssh key deployment

-simplified instructions -attempt to prevent connman from installing - causes multiple ip's -cleanup some unused tasks -move openvpn to separate role
2022-06-28 18:06:59 -04:00
parent a4e5168c87
commit 7456afed0f
12 changed files with 61 additions and 98 deletions
--- a/README.md
+++ b/README.md
@@ -91,8 +91,7 @@ The Goal is to evenually be able to be a turnkey solution to spin up a "real" ne
  * execute _**ansible-galaxy collection install -r requirements.yml**_
  * execute _**nano ../hosts**_ and follow the instructions in that file to add all of your Pi devices
  * execute _**ssh-keygen -t rsa**_ you will need to press enter three times to accept the defaults
-  * execute _**PUBKEY="'$(<~/.ssh/id_rsa.pub)'" && ansible-playbook -i ../hosts deploy_authorized_keys.yml --ask-pass --extra-vars="pubkey=$PUBKEY"**_ it will prompt for the password which is still 'raspberry
+  * execute _**ansible-playbook -i ../hosts main.yaml -k -K**_ it will ask for the password which is still 'raspberry then you can enter a different username/password if needed'
  * execute _**ansible-playbook -i ../hosts main.yaml --ask-become-pass**_ it will ask for the password which is still 'raspberry'
  * after it completes without errors
    * execute _**ansible-playbook -i ../hosts reboot.yaml**_ and wait for it to complete
    * execute _**sudo reboot**_
--- a/main.yaml
+++ b/main.yaml
@@ -18,24 +18,13 @@
  - set_fact: def_password={{ def_pass }}
    no_log:
-  - name: make direcotry
+  - name:
-    file:
+    ansible.posix.authorized_key:
-      path: "/home/{{ def_username }}/.ssh"
+      user: "{{ def_username }}"
-      owner: "{{ def_username }}"
+      state: present
-      group: "{{ def_username }}"
+      key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
-      mode: '0700'
+
-      state: directory
+
  - name: create empty file
    file:
      path: "/home/{{ def_username }}/.ssh/authorized_keys"
      owner: "{{ def_username }}"
      group: "{{ def_username }}"
      mode: '0644'
      state: touch
  - name: put pubkey
    lineinfile:
      path: "/home/{{ def_username }}/.ssh/authorized_keys"
      line: "{{ pubkey }}"
 - hosts: update
  roles:
          - update
--- a/playbook.yaml
+++ b/playbook.yaml
@@ -1,52 +1,17 @@
 ---
 - hosts: all
  tasks:
-          - name: Upgrade all packages o the latest version
+  - name: Upgrade all packages o the latest version
-            become: true
+    become: true
-            apt:
+    apt:
-                    upgrade: yes
+      upgrade: yes
-                    update_cache: yes
+      update_cache: yes
-            tags: apt_upgrade
+    tags: apt_upgrade
- hosts: pi
+
-  tasks:
+  - name: remove connman
-    - name: Install snmpd Package
+    become: yes
-      become: yes
+    ansible.builtin.apt:
-      apt:
+      name: connman
-        name: ['snmpd']
+      state: absent
-        state: present
+      purge: yes
        update_cache: true
      tags: install_snmpd
    - lineinfile:
        path: /etc/snmp/snmpd.conf
        state: present
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
      with_items:
        - { regexp: ' rocommunity public', line: ' rocommunity public' }
        - { regexp: 'agentAddress  udp:127.0.0.1:161', line: 'agentAddress udp:161' }
      tags: configure_snmpd
      become: true
    - name: enable snmpd service and ensure it is not masked
      systemd:
        name: snmpd
        enabled: yes
        masked: no
        state: restarted
      tags: enablestart_snmpd
      become: true
    - name: set timezone
      become: true
      timezone:
        name: America/New_York
      tags: set_timezone
 - hosts: smbclient
  tasks:
          - name: enable cron job for smb traffic
            cron:
                    name: "smbtraff"
                    minute: "*/20"
                    hour: "7-18"
                    weekday: "1-5"
                    job: "/usr/bin/perl -e 'sleep int rand 1199' && /home/{{ def_username }}/scripts/smb-session.sh"
            tags: smbtraff_cron
--- a/roles/common/tasks/main.yaml
+++ b/roles/common/tasks/main.yaml
@@ -20,6 +20,16 @@
          content: "{{ lookup('template', '{{ role_path }}/templates/hosts.j2') }}"
          state: present
  tags: update_hosts
 - name: update package cache
  become: true
  ansible.builtin.apt:
    update_cache: yes
 - name: hold connman - using netplan
  become: true
  dpkg_selections:
    name: connman
    selection: hold
 - name: install required packages
  become: true
  package:
@@ -30,29 +40,6 @@
  hostname:
    name: '{{ inventory_hostname }}'
  tags: set_hostname
 - name: enable openvpn
  become: true
  service:
          name: openvpn
          enabled: yes
  tags: enable_openvpn
  register: openvpn_enabled
 - name: enable openvpn config
  become: true
  lineinfile:
          path: /etc/default/openvpn
          state: present
          regexp: '^#AUTOSTART="all"'
          line: 'AUTOSTART="all"'
  tags: enable_openvpn
 - name: start openvpn
  become: true
  systemd:
          daemon_reload: yes
          name: openvpn
          state: restarted
  tags: enable_openvpn
  when: openvpn_enabled
 - name: allow pi to sudo without pw
  lineinfile:
    path: /etc/sudoers
--- a/roles/common/vars/os_Debian_10.yml
+++ b/roles/common/vars/os_Debian_10.yml
@@ -7,4 +7,3 @@ dependency_packages:
  - screen
  - cockpit-storaged
  - cockpit
  - openvpn
--- a/roles/common/vars/os_Raspbian_10.yml
+++ b/roles/common/vars/os_Raspbian_10.yml
@@ -16,7 +16,6 @@ dependency_packages:
  - smbclient
  - ncurses-dev
  - build-essential
  - openvpn
  - lightdm
  - lxde
  - realvnc-vnc-server
--- a/roles/common/vars/os_Raspbian_11.yml
+++ b/roles/common/vars/os_Raspbian_11.yml
@@ -16,7 +16,6 @@ dependency_packages:
  - smbclient
  - ncurses-dev
  - build-essential
  - openvpn
  - lightdm
  - lxde
  - realvnc-vnc-server
--- a/roles/common/vars/os_Raspbian_9.yml
+++ b/roles/common/vars/os_Raspbian_9.yml
@@ -16,7 +16,6 @@ dependency_packages:
  - smbclient
  - ncurses-dev
  - build-essential
  - openvpn
  - lightdm
  - lxde
  - realvnc-vnc-server
--- a/roles/common/vars/os_Ubuntu_18.yml
+++ b/roles/common/vars/os_Ubuntu_18.yml
@@ -3,7 +3,6 @@ dependency_packages:
  - vim
  - mc
  - build-essential
  - openvpn
  - aptitude
  - mtr
  - screen
--- a/roles/common/vars/os_Ubuntu_20.yml
+++ b/roles/common/vars/os_Ubuntu_20.yml
@@ -3,7 +3,6 @@ dependency_packages:
  - vim
  - mc
  - build-essential
  - openvpn
  - aptitude
  - mtr
  - screen
--- a/roles/common/vars/os_Ubuntu_22.yml
+++ b/roles/common/vars/os_Ubuntu_22.yml
@@ -3,7 +3,6 @@ dependency_packages:
  - vim
  - mc
  - build-essential
  - openvpn
  - aptitude
  - mtr
  - screen
--- a/roles/openvpn/taks/main.yaml
+++ b/roles/openvpn/taks/main.yaml
@@ -0,0 +1,30 @@
 ---
 - name: install openvpn
  ansible.builtin.apt:
    name: openvpn
    state: present
    update_cache: yes
 - name: enable openvpn
  become: true
  service:
          name: openvpn
          enabled: yes
  tags: enable_openvpn
  register: openvpn_enabled
 - name: enable openvpn config
  become: true
  lineinfile:
          path: /etc/default/openvpn
          state: present
          regexp: '^#AUTOSTART="all"'
          line: 'AUTOSTART="all"'
  tags: enable_openvpn
 - name: start openvpn
  become: true
  systemd:
          daemon_reload: yes
          name: openvpn
          state: restarted
  tags: enable_openvpn
  when: openvpn_enabled