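---
# One-shot host bootstrap: patch the system, install tooling, create an
# administrative user with key-only login, and drop Git/OpenStack settings
# into that user's home. Indentation below is the canonical 2-space form.
- name: One Shot System Configuration
  hosts: all
  become: true
  vars_files:
    # Holds vault_private_key / vault_public_key; expected to be an
    # ansible-vault encrypted file — confirm before committing it.
    - secrets.yml
  vars:
    # Default variables; can be overridden at runtime
    new_username: "sysadmin"
    git_user_name: "Admin User"
    git_user_email: "admin@example.org"
    # Variables expected to be passed via CLI or Vault:
    # public_key_file: ""
    # openstack_rc_file: ""
    # vault_private_key: ""
    # vault_public_key: ""
  tasks:
    - name: Update apt cache and upgrade packages
      ansible.builtin.apt:
        update_cache: true
        upgrade: dist
        cache_valid_time: 3600

    - name: Verify system reboot requirement
      ansible.builtin.stat:
        path: /var/run/reboot-required
      register: reboot_required_file

    - name: Execute system reboot if required
      ansible.builtin.reboot:
      when: reboot_required_file.stat.exists

    - name: Install system dependencies and utilities
      ansible.builtin.apt:
        name:
          - acl  # Required for unprivileged become_user operations
          - git
          - build-essential
          - rclone
          - python3-openstackclient
          - curl
        state: present

    # Supply-chain note: this fetches a remote installer and runs it as root
    # without pinning a release or verifying a checksum/signature, so the
    # host trusts whatever astral.sh serves at run time. Prefer a pinned
    # release artifact with a verified checksum once one is chosen.
    # `creates` keeps the task idempotent after the first install.
    - name: Install uv Python package manager
      ansible.builtin.shell: |
        curl -LsSf https://astral.sh/uv/install.sh | env UV_INSTALL_DIR="/usr/local/bin" bash
      args:
        creates: /usr/local/bin/uv
        executable: /bin/bash

    - name: Provision new user account
      ansible.builtin.user:
        name: "{{ new_username }}"
        shell: /bin/bash
        create_home: true

    # Play-level `become: true` already applies to every task, so the
    # per-task repetitions from the original are dropped.
    # NOTE(review): the account's password is locked below, so interactive
    # sudo would need a NOPASSWD rule that this play does not configure —
    # confirm that is intended.
    - name: Add user to sudo group
      ansible.builtin.user:
        name: "{{ new_username }}"
        groups: sudo
        append: true

    # `passwd -S` prints "<name> <status> ..." where status is P (usable
    # password), NP (no password) or L (locked). failed_when is disabled so
    # the result can be inspected; rc is checked before parsing.
    - name: Check if user has existing password
      ansible.builtin.command: passwd -S "{{ new_username }}"
      register: passwd_status
      changed_when: false
      failed_when: false

    # The previous condition "'P' not in stdout" was a substring test: NP
    # contains "P", so an account with no password was never locked, while an
    # already-locked (L) account was re-locked and reported changed on every
    # run. Inspect the status field instead and lock only the NP case;
    # L needs no action.
    - name: Lock password field (no password set)
      ansible.builtin.command: passwd -l "{{ new_username }}"
      when: "passwd_status.rc == 0 and passwd_status.stdout.split()[1] == 'NP'"
      changed_when: true

    - name: Initialize SSH directory structure
      ansible.builtin.file:
        path: "/home/{{ new_username }}/.ssh"
        state: directory
        owner: "{{ new_username }}"
        group: "{{ new_username }}"
        mode: '0700'

    # no_log keeps the key material out of task output, --diff and logs.
    - name: Provision private SSH key from Vault
      ansible.builtin.copy:
        content: "{{ vault_private_key }}"
        dest: "/home/{{ new_username }}/.ssh/id_rsa"
        owner: "{{ new_username }}"
        group: "{{ new_username }}"
        mode: '0600'
      no_log: true
      when: vault_private_key is defined

    - name: Provision public SSH key from Vault
      ansible.builtin.copy:
        content: "{{ vault_public_key }}"
        dest: "/home/{{ new_username }}/.ssh/id_rsa.pub"
        owner: "{{ new_username }}"
        group: "{{ new_username }}"
        mode: '0644'
      when: vault_public_key is defined

    # Public key read from the controller; this is the only login path once
    # the password is locked.
    - name: Authorize external SSH key for initial login
      ansible.posix.authorized_key:
        user: "{{ new_username }}"
        state: present
        key: "{{ lookup('file', public_key_file) }}"
      when: public_key_file is defined

    # become_user switching to an unprivileged account needs the acl package
    # installed above.
    - name: Define global Git user name
      community.general.git_config:
        name: user.name
        scope: global
        value: "{{ git_user_name }}"
      become_user: "{{ new_username }}"

    - name: Define global Git user email
      community.general.git_config:
        name: user.email
        scope: global
        value: "{{ git_user_email }}"
      become_user: "{{ new_username }}"

    # The openrc file carries cloud credentials; no_log keeps its contents
    # out of --diff output and logs.
    - name: Deploy OpenStack credentials file
      ansible.builtin.copy:
        src: "{{ openstack_rc_file }}"
        dest: "/home/{{ new_username }}/.openrc"
        owner: "{{ new_username }}"
        group: "{{ new_username }}"
        mode: '0600'
      no_log: true
      when: openstack_rc_file is defined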