- Ansible installed:
sudo apt install python3 python3 -m ensurepip --upgrade pip3 install ansible- Requirements.yaml installed (this role uses pimvh.ssh_keygen):
ansible-galaxy install -r requirements.yamlReview the variables as shown in defaults.
cloud_init_machine_name: "" cloud_init_ansible_user_passwd_hash: "" # the hash of the password for the ansible user cloud_init_github_token: "" cloud_init_userdata: hostname: hostname fqdn: hostname.example.com groups: [] users: - name: my user gecos: My user description shell: /bin/bash sudo: ALL=(ALL) NOPASSWD:ALL # passwordless sudo groups: sudo # member of sudo lock_passwd: false # unlock password passwd: "{{ password_here | password_hash('sha512') }}" ssh_authorized_keys: [] # optional authorized key runcmd: [] # additional command to run in cloudinit writefiles: [] # additional files to write packages: [] # additional packages to install cloud_init_networkdata: # define IPs and use the `default routes` and `nameservers` below ipv4: << ipv4 >> ipv6: << ipv6 >> # --- OR --- # dump an entire netplan # like the following netplan: network: version: 2 ethernets: enp1s0: dhcp4: false addresses: - << addr >> gateway4: << addr >> gateway6: << addr >> nameservers: addresses: - << dns_server ip >> cloud_init_netplan_routes: - to: default via: 1.0.0.1 - to: default via: 2001:db8::11 cloud_init_netplan_nameservers: addresses: - 1.1.1.1 - 1.0.0.1 cloud_init_add_to_known_hosts: true cloud_init_reboot_on_finish: true cloud_init_enable_ssh_ca: true # My recommendation is to use lookup plugins like this: # cloud_init_ssh_host_ca_publickey: "{{ lookup('ansible.builtin.file', 'your_ca') }}" # or vars lookups like this: # "{{ lookup('ansible.builtin.vars', 'your_ca') }}" cloud_init_ssh_host_ca_privatekey: "" cloud_init_ssh_host_ca_privatekey_pass: "" cloud_init_ssh_host_ca_publickey: "" cloud_init_ssh_user_ca_publickeys: [] cloud_init_enable_ansible_pull: false cloud_init_ansible_pull_repo_owner: "" cloud_init_ansible_pull_repo_name: "" cloud_init_ansible_pull_playbook_name: "" cloud_init_ansible_pull_deploy_key_name: "Ansible-pull deploy key" cloud_init_validity_period: 520w cloud_init_ssh_ca_runcmd: # configure ca usage on the server - echo "@cert-authority * $(cat /etc/ssh/host_ca.pub)" >> /etc/ssh/ssh_known_hosts # just remove the host CAs public key - rm -f /etc/ssh/host_ca.pub # configure new trustedUserCAkey key by appending the create cloud-init ssh config - echo "TrustedUserCAKeys /etc/ssh/ssh_trusted_user_ca_keys" >> /etc/ssh/sshd_config.d/50-cloud-init.conf # restart sshd to make changes have effect - systemctl restart sshdhosts: - foo roles: - pimvh.cloud_init - Assert required variables are defined
- Create directory to start cloud-init files
- Fetch Github hostkeys (when requested)
- Generate SSH key pair for Ansible pull (when requested)
- Configure SSH Host CAs and User CAs (when requested)
- Sign certificate keys on the controller
- Configure Ansible-pull by putting requirements.yaml of the repo_url in the cloud-int config (when requested)
- Template cloud_init
- Template signed certificates to cloud-init configuration
- Template required cloud-init userdata
- Template cloud-init networkdata
- Template Ansible pull requirements.yaml
- Add Github deploy key to requested Ansiblepull repository (when requested)
- Run Ansible-pull as the ansible user on the system (when requested)
- Add SSH CA to known hosts (when requested)
- Find a better way to get shortlived access to Github using different auth method.
Part of the SSH CA logic is based on the following blog