# pimvh.cloud_init
## Requirements

- Install Ansible:

  ```shell
  sudo apt install python3
  python3 -m ensurepip --upgrade
  pip3 install ansible
  ```

- Install `requirements.yaml` (this role uses pimvh.ssh_keygen):

  ```shell
  ansible-galaxy install -r requirements.yaml
  ```
## Required variables

Check the variables listed in defaults:

```yaml
cloud_init_machine_name: ""                 # Name of the machine
cloud_init_ansible_user_passwd_hash: ""     # Password hash for the Ansible user
cloud_init_github_token: ""                 # GitHub token
cloud_init_userdata:
  hostname: hostname                        # Machine hostname
  fqdn: hostname.example.com                # Fully qualified domain name
  groups: []                                # User groups
  users:                                    # User configuration
    - name: my user                         # Username
      gecos: My user description            # User description
      shell: /bin/bash                      # User shell
      sudo: ALL=(ALL) NOPASSWD:ALL          # Passwordless sudo
      groups: sudo                          # Sudo group membership
      lock_passwd: false                    # User password is not locked
      passwd: "{{ password_here | password_hash('sha512') }}"  # User password
      ssh_authorized_keys: []               # Optional SSH keys
  runcmd: []                                # Commands to run during initialization
  writefiles: []                            # Files to write
  packages: []                              # Packages to install
cloud_init_networkdata:
  # Define IP addresses and use the `default routes` and `nameservers` below
  ipv4: << ipv4 >>
  ipv6: << ipv6 >>
  # OR dump a complete netplan
  netplan:
    network:
      version: 2
      ethernets:
        enp1s0:
          dhcp4: false
          addresses:
            - << addr >>
          gateway4: << addr >>
          gateway6: << addr >>
          nameservers:
            addresses:
              - << dns_server ip >>
cloud_init_netplan_routes:
  - to: default
    via: 1.0.0.1
  - to: default
    via: 2001:db8::11
cloud_init_netplan_nameservers:
  addresses:
    - 1.1.1.1
    - 1.0.0.1
cloud_init_add_to_known_hosts: true
cloud_init_reboot_on_finish: true
cloud_init_enable_ssh_ca: true
# Recommendation: use lookup plugins, e.g.
#   cloud_init_ssh_host_ca_publickey: "{{ lookup('ansible.builtin.file', 'your_ca') }}"
# or variable lookups like
#   "{{ lookup('ansible.builtin.vars', 'your_ca') }}"
cloud_init_ssh_host_ca_privatekey: ""       # Private key for SSH host CA
cloud_init_ssh_host_ca_privatekey_pass: ""  # Password for the private key
cloud_init_ssh_host_ca_publickey: ""        # Public key for SSH host CA
cloud_init_ssh_user_ca_publickeys: []       # List of user CA public keys
cloud_init_enable_ansible_pull: false       # Enable Ansible pull
cloud_init_ansible_pull_repo_owner: ""      # Owner of the repo
cloud_init_ansible_pull_repo_name: ""       # Name of the repo
cloud_init_ansible_pull_playbook_name: ""   # Name of the playbook
cloud_init_ansible_pull_deploy_key_name: "Ansible-pull deploy key"  # Deploy key name
cloud_init_validity_period: 520w            # Validity period for certificates
cloud_init_ssh_ca_runcmd:
  # Configure SSH CA usage on the server
  - echo "@cert-authority * $(cat /etc/ssh/host_ca.pub)" >> /etc/ssh/ssh_known_hosts
  # Remove public key for host CA
  - rm -f /etc/ssh/host_ca.pub
  # Configure trusted user CA key
  - echo "TrustedUserCAKeys /etc/ssh/ssh_trusted_user_ca_keys" >> /etc/ssh/sshd_config.d/50-cloud-init.conf
  # Restart SSH service
  - systemctl restart sshd
```
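Because these variables end up as a root-level cloud-init configuration, it is worth checking the security-relevant ones on the controller before rendering. The script below is an added example and is not part of the pimvh.cloud_init role. It checks that each user's `passwd` is a SHA-512 crypt hash (the shape `password_hash('sha512')` produces), that a password is not set and locked at the same time, that every `ssh_authorized_keys` entry and the host CA public key are well-formed OpenSSH keys (the type string inside the base64 blob must match the declared type), parses a `cloud_init_validity_period` such as `520w` (assuming, as the defaults suggest, that it is passed to `ssh-keygen -V`, which accepts these relative-time suffixes), and builds the `@cert-authority` and `TrustedUserCAKeys` lines that `cloud_init_ssh_ca_runcmd` writes on the target. The ed25519 key is constructed (an all-zero public point) and the user entry is made up for the demonstration.

```python
"""Pre-flight checks for the variables this role renders into cloud-init.
Added example, not part of the pimvh.cloud_init role; the key and the user
entry used below are constructed for the demonstration only."""
import base64
import re
import struct

# crypt(3) SHA-512 hashes look like $6$[rounds=N$]salt$hash; this is the shape
# password_hash('sha512') produces for the passwd field in the defaults.
SHA512_CRYPT_RE = re.compile(
    r"^\$6\$(rounds=\d+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{86}$")
# Suffixes accepted by ssh-keygen -V for relative validity periods (e.g. 520w).
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def validity_seconds(period: str) -> int:
    """Convert a validity period such as '520w' or '1d12h' into seconds.
    Raises ValueError unless the string is a run of <number><unit> pairs."""
    total, pos = 0, 0
    for m in re.finditer(r"(\d+)([smhdw])", period):
        if m.start() != pos:
            raise ValueError(f"malformed validity period: {period!r}")
        total += int(m.group(1)) * UNIT_SECONDS[m.group(2)]
        pos = m.end()
    if pos != len(period) or total == 0:
        raise ValueError(f"malformed validity period: {period!r}")
    return total


def parse_openssh_pubkey(line: str) -> tuple:
    """Parse '<type> <base64> [comment]' and check that the length-prefixed
    type string inside the blob matches the declared type (sshd rejects a
    mismatch). Returns (key_type, base64_blob)."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = parts[0], parts[1]
    raw = base64.b64decode(blob, validate=True)
    if len(raw) < 4:
        raise ValueError("key blob too short")
    (type_len,) = struct.unpack(">I", raw[:4])
    embedded = raw[4:4 + type_len].decode("ascii", errors="replace")
    if embedded != key_type:
        raise ValueError(f"declared type {key_type!r} != embedded {embedded!r}")
    return key_type, blob


def ssh_ca_config_lines(host_ca_pubkey: str,
                        user_ca_path: str = "/etc/ssh/ssh_trusted_user_ca_keys") -> list:
    """Build the two lines cloud_init_ssh_ca_runcmd appends on the target:
    the ssh_known_hosts @cert-authority entry and the sshd directive."""
    key_type, blob = parse_openssh_pubkey(host_ca_pubkey)
    return [f"@cert-authority * {key_type} {blob}",
            f"TrustedUserCAKeys {user_ca_path}"]


def check_userdata(userdata: dict) -> list:
    """Return findings for the users in cloud_init_userdata ([] if clean)."""
    findings = []
    for user in userdata.get("users", []):
        name = user.get("name", "<unnamed>")
        passwd = user.get("passwd")
        keys = user.get("ssh_authorized_keys") or []
        if passwd and not SHA512_CRYPT_RE.match(passwd):
            findings.append(f"{name}: passwd is not a SHA-512 crypt hash")
        # cloud-init locks the password unless lock_passwd is false.
        if passwd and user.get("lock_passwd", True):
            findings.append(f"{name}: passwd set but lock_passwd is true")
        if not passwd and not keys:
            findings.append(f"{name}: no password hash and no authorized keys")
        if "NOPASSWD" in str(user.get("sudo", "")):
            findings.append(f"{name}: passwordless sudo granted")
        for key in keys:
            try:
                parse_openssh_pubkey(key)
            except ValueError as exc:
                findings.append(f"{name}: bad authorized key: {exc}")
    return findings


def constructed_ed25519_pubkey(comment: str = "host_ca") -> str:
    """Constructed, syntactically valid ssh-ed25519 line with an all-zero
    point; only for exercising the parser, never a usable key."""
    key_type = b"ssh-ed25519"
    raw = (struct.pack(">I", len(key_type)) + key_type
           + struct.pack(">I", 32) + bytes(32))
    return f"ssh-ed25519 {base64.b64encode(raw).decode()} {comment}"


if __name__ == "__main__":
    ca = constructed_ed25519_pubkey()
    print("\n".join(ssh_ca_config_lines(ca)))
    print("520w =", validity_seconds("520w") // 86400, "days")
    sample = {"users": [{"name": "ansible", "passwd": "hunter2",
                         "lock_passwd": False, "sudo": "ALL=(ALL) NOPASSWD:ALL",
                         "ssh_authorized_keys": ["ssh-rsa " + ca.split()[1]]}]}
    for finding in check_userdata(sample):
        print("finding:", finding)
```

Running the module prints the two SSH CA lines for the constructed key, the length of a 520w validity period in days, and three findings for the made-up user (plaintext password, passwordless sudo, and a key whose declared type does not match its blob). Wire the `check_userdata` call into a pre-task or a local `assert` before the role runs so a misconfigured user never reaches the image.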
## Example playbook

```yaml
- hosts:
    - foo
  roles:
    - pimvh.cloud_init
```
## TLDR - What happens when you run this

- Ensure required variables are set
- Create directory for cloud-init files
- Retrieve GitHub host keys (if requested)
- Generate SSH key pair for Ansible pull (if requested)
- Set up SSH host and user CAs (if requested)
- Sign certificate keys on the controller
- Configure Ansible pull with `requirements.yaml` from the repo URL (if requested)
- Prepare cloud-init configuration
- Add signed certificates to the cloud-init configuration
- Provide necessary user data
- Provide network data for cloud-init
- Prepare Ansible pull `requirements.yaml`
- Add GitHub deploy key to Ansible pull repository (if requested)
- Run Ansible pull as the Ansible user (if requested)
- Add SSH CA to known hosts (if requested)
## Future improvements

- Find a better method for short-term access to GitHub using different authentication methods.
## Sources

Part of the SSH CA logic is based on this blog post.
## About the project

Role to configure cloud-init.

### Install

```shell
ansible-galaxy install pimvh.cloud_init
```

License: gpl-3.0

Downloads: 1.5k