Introduction to Ansible Transcripts
Chapter: Configuring Servers
Lecture: Initial Configuration Playbook
0:00 We're a few videos into this chapter.
0:01 So how are we doing against our checklist
0:03 of what we want to accomplish?
0:05 Well, the first thing was to get a couple
0:07 of blank provisioned servers. Got that.
0:09 And the next thing we want to do is create
0:10 a non-root group and user.
0:12 That way we're not logging in as the root user
0:14 to our servers.
0:15 Let's take care of that now.
0:17 There are a few ways to go about this
0:18 so I'll show you one way that involves a simple
0:20 separate playbook to specify an initial configuration.
0:24 Create a file named init_config.yml.
0:36 And what this one is going to do is just a one-time setup.
0:40 When we get a blank server, we have a root user.
0:42 We just want to create a non-root group and user.
0:45 And then we're never going to have to worry about
0:47 doing that again for those servers.
0:49 We'll specify the root user.
0:51 So this will be the only action taken
0:53 under the root user and then as soon as we have
0:56 our non-root user, every other action
0:58 will be taken with that user instead.
1:00 And we'll create a role init_config.
1:05 Go under roles, create a directory
1:08 for init_config, create a directory for tasks
1:12 within init_config.
1:16 And then under tasks, create a main.yml file.
1:31 We need to create a non-root group first
1:33 that way when we create our non-root user
1:35 we can associate the group immediately.
1:38 We'll use the group module for this task
1:40 and the name, the name of the group, will look familiar.
1:43 We're going to use a variable here called deploy_group
1:46 just as we did in our first playbook.
1:48 And the state should be present.
1:51 So that will ensure a non-root group is created.
1:54 Next, create that non-root user.
2:07 And we can associate this non-root user
2:09 with the group that we just created.
2:14 And I always like to use the Bash shell
2:16 so I just say bin Bash for the shell
2:19 and we want it to be present.
2:22 Now, how is our non-root user going to log in?
2:24 We want this to only be via private key access.
2:28 No passwords allowed.
2:30 So we need to add an authorized key
2:33 that is our public key to that account.
2:40 This uses the authorized key module.
2:42 You specify the user.
2:47 We want this key to be present.
2:54 And we want the contents of the file
2:56 which are stored in a variable.
2:58 This should look familiar from the first playbook.
3:05 Take note of two new variables here
3:07 ssh_dir and ssh_key_name.
3:09 We're going to have to specify that in our variables file.
3:13 Right now our non-root user does not have
3:15 sudo privileges, which are going to be necessary
3:18 for most of our deployment, so let's modify
3:20 the sudoers file to include our new non-root user.
3:32 The lineinfile module is going to change
3:35 a file that already exists.
3:59 All right, almost done.
4:01 We want to disable the ability to log in directly
4:04 as the root user.
4:06 This is a recommended security practice
4:08 so that automated scripts that are going to scan
4:10 and find that you have a server up and running
4:12 don't know the name of one user,
4:14 which is the root user, that's on your system.
4:33 In the SSH server configuration, we'll look
4:35 for PermitRootLogin and we'll replace that
4:40 with PermitRootLogin no.
4:44 The configuration should already be set
4:46 so that there are no password-based logins.
4:49 We're going to have a task here just in case.
4:52 So we'll have roughly the same as we just did
4:54 to disable root SSH logins but instead
5:02 of PermitRootLogin we're going to search
5:06 for PasswordAuthentication.
5:09 One final step, let's make sure that the SSH
5:11 server restarts.
5:19 This way we know that it's definitely taking
5:21 our configuration.
5:22 Before we exit out, just glancing through
5:24 it does look like there may be one issue
5:26 with our two replace commands.
5:28 We don't want the caret under the replace line.
5:30 We want the caret in the regular expression
5:32 but not in the replace line.
5:33 So let's remove those carets because carets
5:35 should not literally be placed in the configuration file.
5:38 Let's give it a try.
5:42 Head back up to the base directory.
5:43 And actually we do need to have our group variables.
5:47 Go ahead and create a file named all.
5:49 deploy_user, call this deployer; deploy_group,
5:54 deployers, plural.
5:59 Now replace ssh_dir with the name
6:02 of your user wherever you have the public key
6:05 that we just created at the beginning of this chapter.
6:13 Save that. Now we can give this a try.