Introduction to Ansible Transcripts
Chapter: Configuring Servers
Lecture: Initial Configuration Playbook

0:00 We're a few videos into this chapter. So how are we doing against our checklist of what we want to accomplish?
0:06 Well, the first thing was to get a couple of blank provisioned servers. Got that. And the next thing we want to do is create a non-root group and user.
0:13 That way we're not logging into the root user into our servers. Let's take care of that now. There are a few ways to go about this,
0:19 so I'll show you one way that involves a simple separate playbook to specify an initial configuration. Create a file named init_config.yml.
0:37 And what this one is going to do is just a one-time setup. When we get a blank server, we have a root user.
0:43 We just want to create a non-root group and user. And then we're never going to have to worry about doing that again for those servers.
0:50 We'll specify the root user. So this will be the only action taken under the root user and then as soon as we have
0:57 our non-root user, every other action will be taken with that user instead. And we'll create a role init_config. Go under roles, create a directory
1:09 for init_config, create a directory for tasks within init_config. And then under tasks, create a main.yml file.
1:32 We need to create a non-root group first. That way, when we create our non-root user, we can associate the group immediately.
1:39 We'll use the group module for this task and the name, the name of the group, will look familiar.
1:44 We're going to use a variable here called deploy_group just as we did in our first playbook. And the state should be present.
1:52 So that will ensure a non-root group is created. Next, create that non-root user. And we can associate this non-root user
2:10 with the group that we just created. And I always like to use the Bash shell, so I just say /bin/bash for the shell, and we want it to be present.
2:23 Now, how is our non-root user going to log in? We want this to only be via private key access. No passwords allowed.
2:31 So we need to add an authorized key that is our public key to that account. This uses the authorized_key module. You specify the user.
2:48 We want this key to be present. And we want the contents of the file which are stored in a variable. This should look familiar from the first playbook.
3:06 Take note of two new variables here ssh_dir and ssh_key_name. We're going to have to specify that in our variables file.
3:14 Right now our non-root user does not have sudo privileges, which are going to be necessary for most of our deployment, so let's modify
3:21 the sudoers file to include our new non-root user. The lineinfile module is going to change a file that already exists.
4:00 All right, almost done. We want to disable the ability to log in directly as the root user. This is a recommended security practice
4:09 so that automated scripts that are going to scan and find that you have a server up and running don't know the name of one user,
4:15 the root user, that's on your system.
4:34 In the SSH server configuration, we'll look for PermitRootLogin and we'll replace that with PermitRootLogin no. The configuration should already be set
4:47 so that there are no password-based logins. We're going to have a task here just in case. So we'll have roughly the same as we just did
4:55 to disable root SSH logins but instead of PermitRootLogin we're going to search for PasswordAuthentication.
5:10 One final step, let's make sure that the SSH server restarts. This way we know that it's definitely taking our configuration.
5:23 Before we exit out, just glancing through it does look like there may be one issue with our two replace commands.
5:29 We don't want the caret under the replace line. We want the caret in the regular expression but not in the replace line.
5:34 So let's remove those carets because carets should not literally be placed in the configuration file. Let's give it a try.
5:43 Head back up to the base directory. And actually we do need to have our group variables. Go ahead and create a file named all.
5:50 deploy_user, call this deployer; deploy_group, deployers, plural. Now replace ssh_dir with the name of your user wherever you have the public key
6:06 that we just created at the beginning of this chapter. Save that. Now we can give this a try.
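The play and role described in this lecture, written out as an added example (not the course's own files): it assumes an inventory group named `webservers`, an Ubuntu host where the SSH service is called `ssh`, passwordless sudo for the deploy user, and that `ssh_key_name` holds the public key's filename.

```yaml
# --- init_config.yml: one-time play, the only one that runs as root ---
- hosts: webservers              # assumed inventory group name
  remote_user: root
  roles:
    - init_config

# --- group_vars/all (assumed values) ---
# deploy_user: deployer
# deploy_group: deployers
# ssh_dir: /home/yourname/.ssh
# ssh_key_name: id_rsa.pub

# --- roles/init_config/tasks/main.yml ---
- name: create the non-root group
  group:
    name: "{{ deploy_group }}"
    state: present

- name: create the non-root user in that group
  user:
    name: "{{ deploy_user }}"
    group: "{{ deploy_group }}"
    shell: /bin/bash
    state: present

- name: install our public key so login is key-only
  authorized_key:
    user: "{{ deploy_user }}"
    state: present
    key: "{{ lookup('file', ssh_dir + '/' + ssh_key_name) }}"

- name: grant sudo to the deploy user (visudo check stops a typo from locking you out)
  lineinfile:
    path: /etc/sudoers
    regexp: "^{{ deploy_user }} "
    line: "{{ deploy_user }} ALL=(ALL) NOPASSWD:ALL"   # NOPASSWD is an assumption
    validate: "/usr/sbin/visudo -cf %s"

- name: disable direct root SSH login
  replace:
    path: /etc/ssh/sshd_config
    regexp: "^PermitRootLogin .*"       # caret anchors the regex only
    replace: "PermitRootLogin no"       # no caret here: it would be written literally

- name: disable password logins
  replace:
    path: /etc/ssh/sshd_config
    regexp: "^PasswordAuthentication .*"
    replace: "PasswordAuthentication no"

- name: restart SSH so the new configuration takes effect
  service:
    name: ssh                           # "sshd" on RHEL-family hosts
    state: restarted
```

Run it once with `ansible-playbook -i hosts init_config.yml`; afterwards every other play should use `remote_user: {{ deploy_user }}`. Note that `replace` matches nothing if the directive is commented out in the stock sshd_config (`#PermitRootLogin ...`), so check the result with `ssh root@host` being refused, or use `lineinfile` with `regexp: '^#?PermitRootLogin'` for the robust form.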