example catches
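---
# Task list: work out which SSH port/user a host currently answers on, bootstrap
# it, then move it to the hardened sshd configuration and the new port.
#
# Be sure to set the following variables for all hosts:
# vars:
#   oldsshport: 22
#   sshport: 555
# Might fail without setting remote_tmp = /tmp/ansible/$USER in your ansible.cfg. Also fix for directly below.
# Once host is setup most of the checks are skipped and works very quickly.
# Also, be sure to set non-standard shells in a different playbook later. Stick with /bin/bash until you can run apt install.
# Assumes root user has sshkey setup already. Not sure how to utilize the --ask-pass option. For now, use ssh-copy-id prior to running playbook on new host for root user (if needed).
#
# Compatibility notes:
# - `<result>|success` / `<result>|changed` are the pre-2.5 filter spellings;
#   Ansible >= 2.5 spells them `<result> is succeeded` / `<result> is changed`
#   and the filter form was removed in 2.9.
# - `sudo: yes` has been `become: true` since Ansible 1.9; `include:` is
#   deprecated in favour of `include_tasks:` since 2.4.

# Test new ssh port. nc -z exits non-zero when the port is closed, so
# ignore_errors keeps that from aborting the play and the `|success`
# check (rc == 0) in the next task is what decides. The hostname and port
# are passed to `command` as discrete arguments, so an odd inventory value
# is never interpreted by a shell.
- name: ssh test nc {{ sshport }}
  command: nc -z -w5 {{ inventory_hostname }} {{ sshport }}
  delegate_to: localhost
  register: nc_ssh_port
  failed_when: nc_ssh_port.stdout.find('failed') != -1
  changed_when: nc_ssh_port.stdout == ""
  ignore_errors: true

# Set port to new port if connection success
- name: set ansible_ssh_port
  set_fact:
    ansible_ssh_port: "{{ sshport }}"
  when: nc_ssh_port|success

# Fall back to old port if new ssh port fails
- name: ssh test nc port {{ oldsshport }}
  command: nc -z -w5 {{ inventory_hostname }} {{ oldsshport }}
  delegate_to: localhost
  register: nc_ssh_default
  changed_when: nc_ssh_default.stdout == ""
  ignore_errors: true
  when: nc_ssh_port|changed

# Set ansible to old port since new failed
- name: set ansible_ssh_port to {{ oldsshport }}
  set_fact:
    ansible_ssh_port: "{{ oldsshport }}"
  when: nc_ssh_default|success and nc_ssh_port|changed

# Check if root user can ssh.
# StrictHostKeyChecking=no accepts whatever host key is presented, so a host
# that is not the one you expect would not be detected here; BatchMode=yes
# only prevents an interactive password prompt. When the inventory is not
# fully under your control, pre-seed known_hosts or use
# StrictHostKeyChecking=accept-new (OpenSSH >= 7.6) instead.
# "changed" here means the login was not refused with "Permission denied".
- name: find user
  command: >-
    ssh -o StrictHostKeyChecking=no -o BatchMode=yes -o ConnectTimeout=5
    -p {{ ansible_ssh_port }} root@{{ inventory_hostname }} exit
  delegate_to: localhost
  register: ssh_as_root
  failed_when: ssh_as_root.stdout.find('failed') != -1
  changed_when: ssh_as_root.stderr.find('Permission denied') == -1

# If root login worked, remember the configured login user so it can be
# restored after users.yml has created it.
- name: first user
  set_fact:
    first_user: "{{ ansible_ssh_user }}"
  when: ssh_as_root|changed

# Set ssh user to root
- name: root user
  set_fact:
    ansible_ssh_user: root
  when: ssh_as_root|changed

# ANSIBLE FIX: /tmp/ansible isn't world-writable for setting remote_tmp = /tmp/ansible/$USER in ansible.cfg.
# The sticky bit (1777, as on /tmp itself) stops one user from removing or
# renaming another user's per-user subdirectory inside the shared parent.
- name: /tmp/ansible/ directory exists with 1777 permission
  file:
    path: /tmp/ansible/
    owner: root
    group: root
    mode: "1777"
    recurse: false
    state: directory
  changed_when: false
  become: true

# Setup user accounts
- include: users.yml

# Set ssh user back to default user (that was setup in users.yml)
- name: ansible_ssh_user back to default
  set_fact:
    ansible_ssh_user: "{{ first_user }}"
  when: ssh_as_root|changed

# Reconfigure ssh with new port (also disables non-ssh key logins and disable root logins).
# `validate` runs sshd's config check on the rendered file before it is
# installed, so a bad template cannot lock you out at the restart below.
- name: sshd.conf
  template:
    src: sshd_config.j2
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: "0644"
    validate: /usr/sbin/sshd -t -f %s
  register: sshd_config
  become: true

# Force changes immediately to ssh
- name: restart ssh
  service:
    name: ssh
    state: restarted
  when: sshd_config|changed
  become: true

# Use updated ssh port
- name: set ansible_ssh_port
  set_fact:
    ansible_ssh_port: "{{ sshport }}"
  when: nc_ssh_port|changed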