* bootstrap is the main script to run * bootstrap.yml is the playbook that does the actual job (This is still work in progress, see bootstrap.yml for comments)
Mikhail Sobolev
committed
Nov 22, 2014
1 parent
45b676c
commit e81f47d
Showing
4 changed files
with
91 additions
and
1 deletion.
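--- /dev/null
+++ b/bootstrap
@@ -0,0 +1,18 @@
+#! /bin/sh
+#
+# This script invokes bootstrap.yml while settings special parameters
+#
+# Usage: ./bootstrap [-i <inventory>] -k <ansible-playbook-options>
+#
+# -i <inventory> is needed when you deploy on hosts other than listed in 'dev-hosts'
+#
+# Note: `-k` option would require a sshpass program. For some reason, this
+# approach hangs on Dustin and Mikhail. As a workaround, the `ControlPersist`
+# parameter below is set to 10m, so ssh would keep the connection after the
+# first authentication.
+#
+
+export ANSIBLE_HOST_KEY_CHECKING=False
+export ANSIBLE_SSH_ARGS="-o PreferredAuthentications=password,keyboard-interactive -o ControlPersist=10m"
+
+exec ansible-playbook bootstrap.yml $*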
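Review bot: `export ANSIBLE_HOST_KEY_CHECKING=False` on the first export line disables SSH host-key verification for every host in the run, while the `ANSIBLE_SSH_ARGS` line right below it forces password authentication as root, so a mis-addressed or impersonated host would be handed the root password with no warning. Because the target hosts are a known list (`dev-hosts`), their keys can be recorded in known_hosts once (reviewed out of band) and the export dropped, or at minimum the line needs a comment stating that verification is off only for the first contact and why. `exec ansible-playbook bootstrap.yml $*` also splits any argument containing spaces before passing it on; use `exec ansible-playbook bootstrap.yml "$@"`. Minor: the header comment reads 'while settings special parameters' and should say 'while setting special parameters'.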
@@ -0,0 +1,63 @@ | ||
# Playbook to bootstrap new service hosts | ||
# | ||
# Prerequisites: | ||
# * basic system is installed (FreeBSD 10.0+) on the target machines | ||
# * there's only root account that allows to connect to those machines | ||
# * root passwords are known for all target machines so we can connect as root | ||
# * ssh access for 'root' is enabled (`PermitRootLogin yes`) | ||
# | ||
# Outcome: | ||
# * machine has basic infrastructure so it can be managed by Ansible: | ||
# * user "{{ service_account }}" is created | ||
# * this user is granted passwordless sudo right (added to wheel group) | ||
# * a crontab entry for running ansible-pull is added | ||
--- | ||
- name: perform initial bootstrap of service hosts | ||
hosts: servicehosts | ||
gather_facts: no | ||
# we do not have admin users on the target hosts yet, hence using root | ||
# directly | ||
remote_user: root | ||
|
||
tasks: | ||
# This is the only task that requires 'raw' module | ||
- name: install ansible | ||
raw: "env ASSUME_ALWAYS_YES=YES pkg install ansible" | ||
|
||
- name: install mandatory packages | ||
pkgng: | ||
name: "{{item}}" | ||
state: present | ||
with_items: mandatory_packages | ||
|
||
- name: add service account | ||
user: | ||
name: "{{ service_account }}" | ||
comment: Buildbot Service Account | ||
state: present | ||
groups: wheel | ||
|
||
- name: enable sudo modular configuration | ||
lineinfile: | ||
dest: "/usr/local/etc/sudoers" | ||
line: "#includedir /usr/local/etc/sudoers.d" | ||
state: present | ||
validate: "visudo -cf %s" | ||
|
||
- name: enable passwordless sudo for members of the wheel group | ||
copy: | ||
src: "files/sudoers-wheel" | ||
dest: "/usr/local/etc/sudoers.d/sudoers-wheel" | ||
|
||
# As Sean suggested, this could be an item for periodic(8) | ||
# Things to decide/understand: | ||
# * how to run the things under correct user | ||
# * how to make sure the environment is correct (e.g. PATH) | ||
# * whether to send a mail or keep things in a log or both | ||
# * how often this needs to be run (Misha: daily sounds reasonable with an | ||
# option to force deployment when neccessary) | ||
- name: add crontab entry to run ansible-pull | ||
debug: | ||
msg: "We will!" | ||
|
||
# vim:ft=yaml:nosi:noai:ts=2:sw=2 |
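Review bot: The `copy` task that installs `files/sudoers-wheel` into `/usr/local/etc/sudoers.d/` sets no `owner`, `mode` or `validate`, unlike the `lineinfile` task immediately above it; sudo refuses includedir files that are not owned by root or are group/world-writable, and a syntax error in the copied file would break sudo on a host whose only other access is the root password. Add `owner: root`, `mode: "0440"` and `validate: "visudo -cf %s"` to the `copy` task so the file is checked before it lands in place. `with_items: mandatory_packages` is a bare variable name; presumably the Ansible version in use templates it implicitly, but `with_items: "{{ mandatory_packages }}"` is the explicit form and matches the `"{{item}}"` usage in the same task. `gather_facts: no` is a YAML 1.1 truthy value and is clearer as `gather_facts: false`.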
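--- /dev/null
+++ b/files/sudoers-wheel
@@ -0,0 +1 @@
+%wheel ALL=(ALL) NOPASSWD: ALL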