Feature/security

[nathanielks]

No description provided.

[nathanielks]

Alrighty, have a few things to work out. In the latest commit, c73a4a5, I had to allow root access in /etc/ssh/sshd_config in order for ansible to continue to be able to provision the server. Do we want to create another user that has sudo access and restrict root ssh login? deploy perhaps? Or continue to allow root ssh login?

[swalkinshaw]

root ssh access should definitely be disabled in production. I'm not sure the "general" user should be deploy (it should still exist but just for deploys). We could go with the common ubuntu that services like AWS use or something generic like web. Not really sure if there's a more standard user name for this purpose.

[austinpray]

something generic like web

This sounds good

We could go with the common ubuntu

Ehh not great for folks that like to use Debian

[nathanielks]

hrm... my only problem with web is that does it really describe the user's purpose. How about admin? It'll be a user with sudo privileges, so that makes a little more sense to me.

[swalkinshaw]

👍 to admin

[nathanielks]

Done and done.

[austinpray]

brilliant

[nathanielks]

I'm starting to write the documentation for the README and am realizing it's getting pretty huge. Should I continue writing the documentation in the README file, or write it in a separate readme, like SECURE-ROOT.md or perhaps a wiki?

[nathanielks]

After second thought, maybe not. The other roles I'd be writing documentation for already have readme's in their role directories. How do we want to let the user know they exist?

[austinpray]

You can link them up with relative links. 

I have never seen a well maintained wiki on GH, it seems they always fall behind. 
—
Sent from my iPhone

On Tue, Sep 23, 2014 at 8:17 PM, Nathaniel notifications@github.com
wrote:

After second thought, maybe not. The other roles I'd be writing documentation for already have readme's in their role directories. How do we want to let the user know they exist?

Reply to this email directly or view it on GitHub:
#58 (comment)

[mAAdhaTTah]

Would it be possible to set the general user via a variable (like with the MySQL root pw) or does it have to be hard-coded somewhere?

[nathanielks]

@swalkinshaw The admin users are set up using 2 different variables: sudoers and sudoer_passwords. More in the documentation

[swalkinshaw]

@nathanielks this is looking great. Finally got a chance to look over the READMEs. Just going to try and do some basic testing of this before merging it in since it's big.

[nathanielks]

NP @swalkinshaw!

[mAAdhaTTah]

Is this PR good to go? Does it need more testing? I'm going to be provisioning some things tonight so wondering if I can help w/ this.

[swalkinshaw]

More testing mainly so any help with that would be great.

@nathanielks could we get a rebase on this?

[nathanielks]

I sure hope so @mAAdhaTTah! I'll need to squash everything before we merge, but afaik it should be ok.

[nathanielks]

yup, I'll get that done now.

[nathanielks]

Okie doke. Rebasing is all done. Once I get the 👍 I'll squash! I did a quick provision on a vanilla server and everything seems to be checking out. Test away @mAAdhaTTah!

[mAAdhaTTah]

Don't know if this is a huge deal, but in the hosts/production file, ansible_ssh_user=admin needs to be removed when running the initial secure-root.yml playbook.

[nathanielks]

@mAAdhaTTah aye, you're right. Looking into that.

[mAAdhaTTah]

I think I have a solution. Gimme a few to test.

[nathanielks]

The one I'm pursuing is defining the user in the playbooks as opposed to the inventory files. Vagrant disregards the remote user, so in this case I think we'd be good to go.

Was that what you were thinking?

[mAAdhaTTah]

Yup! Got it working for me too.

[mAAdhaTTah]

FWIW, I had to add remote_user: admin to both plays in the site.yml playbook.

[mAAdhaTTah]

This looks like the changes I made. I'll pull down and do one more test, but otherwise, 👍

[nathanielks]

sweet!

[mAAdhaTTah]

👍

[nathanielks]

Squashed and ready to go.

[mAAdhaTTah]

WOO!

[austinpray]

yall are ballers