/ansible-bootstrap

A (slightly stripped down) production example of an Ansible bootstrapping role & playbook

ansible-bootstrap

This is a (slightly stripped down) production example of an Ansible bootstrapping role & playbook.

The role assumes the following in ansible.cfg:

[defaults]
roles_path = roles
remote_user = ansible

[privilege_escalation]
become=True
become_user=root

It is designed to support SSH pipelining:

[ssh_connection]
pipelining = True

This requires a dance of using paramiko for the first task to get rid of requiretty from the sudo configuration.

It also supports Mitogen.

You will need two public keys in roles/bootstrap/files/ named ansible.rsa.key.pub and ansible.ed25519.key.pub. It sets them both up to facilitate using RSA now (in support of older systems) but preparing for a move to ed25519. If you don't want both, you can remove the reference to one in the role tasks. Configure the private key in ansible.cfg:

[defaults]
private_key_file = /YOUR/PATH/TO/ansible.rsa.key

Usage

If the system already has a user named ansible with sudo access and a known password:

  ansible-playbook bootstrap.yaml \
    -e target=EXAMPLE.DOMAIN --ask-pass --ask-become-pass

If you wish to use a different user, specify it with -u:

  ansible-playbook bootstrap.yaml -u USERNAME \
    -e target=EXAMPLE.DOMAIN --ask-pass --ask-become-pass

If you wish to use a different user and have SSH key-based access, omit --ask-pass:

  ansible-playbook bootstrap.yaml -u USERNAME \
    -e target=EXAMPLE.DOMAIN --ask-become-pass

If the system does not have sudo installed (e.g. Debian 10 out of the box), but you have a user which can use SSH and have a root password, specify a become_method of su and, when prompted, specify the root password as the become password (which may be different from the SSH user's password):

  ANSIBLE_BECOME_METHOD=su ansible-playbook bootstrap.yaml \
    -u USERNAME -e target=EXAMPLE.DOMAIN --ask-pass --ask-become-pass