| 1. Raspberry Pi - Install OS | 2. Roles And Playbooks | 3. Rework |
⚠️ The files described here are located in the sub-folder ansible in this repo. ⚠️
Roles And Playbooks
Files and Folders
- ansible.cfg = general Ansible configuration file
- inventory.ini = global variable definition for all tasks
- playbooks = all tasks which are included in the main playbook nextcloud-server.yml
- vars = files for the user management
  - users-to-create.yml = user creation
  - users-to-delete.yml = user deletion
  - ssh-key-list.yml = SSH key distribution
Install Ansible
Make sure Ansible is installed on your client, or on whichever machine you want to run it from.
On Debian based distributions you can install Ansible directly from the repository:
sudo apt install ansible
On macOS you can use Homebrew to install Ansible:
brew install ansible
Variables inventory.ini
Before the Ansible playbook can be executed, the variables in inventory.ini need to be adjusted to your specific requirements.
inventory.ini - First Section
In the first section of the file, the variables required for the installation of the OS and Nextcloud are defined.
inventory.ini - Second Section
In the second section of the file, the paths to the playbooks are defined. Normally it is not necessary to alter these lines.
User Management Of The Operating System
This playbook provides an easy to use and maintainable user management for the OS.
⚠️ This is not the user management of the Nextcloud instance. ⚠️
User management matters: users should only get access to the system and its services when they actually need it (least privilege).
Ansible helps to automatically:
- create new users 👥
- deploy SSH keys 🔑
- and delete ❗ existing users from the system
The specific files are located in the vars folder.
Raspberry Pi OS is no longer shipped with a default user. The former user pi was removed for security reasons (a well-known account name is an easy target for password guessing).
Make sure you enter the correct user in inventory.ini so that Ansible can reach the new machine.
During the first run of the playbooks, the task /playbooks/task_user_management adds that user to the sshadmin group!
SSH Setup And sshd_config
The Ansible playbook setup is designed so that the server can be reached via SSH ONLY with a hardware token, such as a YubiKey.
Manuals can be found on my blog.
The SSH connection (key on the token, public key on the server) must be set up before the playbook runs, so that afterwards only a privileged user with a key is able to connect.
The playbook makes major changes to the SSH login behaviour, so make sure you fully understand the configuration before you run it!
Any change to sshd_config can prevent a login via SSH. It is still possible to get access to the system, but you have to connect an external monitor and keyboard, log in locally, and revert the changes to sshd_config.
The SSH daemon configuration file is located at /etc/ssh/sshd_config on your new server.
This file gets replaced by a new file which is located in /playbooks/task_ssh/files.
- The most significant change: PASSWORD LOGIN is NOT allowed.
- Only members of the group sshadmin are allowed to connect via SSH.
- SSH keys must be available for each user.
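The lockout described above is much easier to catch before sshd is reloaded than after. The following POSIX shell script is an added example and not part of this repository: it checks that the sshd_config the playbook is about to install really enforces the three points listed (no password login, only sshadmin, keys required) and that the account you intend to keep using will still get in. The group name sshadmin and the location of the file under playbooks/task_ssh/files come from this README; the script path, the function names and the sample data are assumptions. The checks take sshd's actual parsing rule into account: for each keyword sshd uses the FIRST uncommented value it finds, so a later "PasswordAuthentication no" does not override an earlier "yes".

```shell
#!/bin/sh
# Pre-flight check before the playbook replaces sshd_config (added example,
# not the repository's code). Run on the target as root after copying the
# new config there, e.g.:
#   sh preflight.sh /tmp/sshd_config alice
# Paths, function names and sample data are assumptions of this script.

# sshd_first_value FILE KEYWORD
# Print the value sshd will use for KEYWORD: the FIRST uncommented occurrence
# wins (sshd_config(5)). Keywords are case-insensitive. Match blocks are not
# interpreted, so review those by hand.
sshd_first_value() {
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# lower STRING -> lower-cased STRING (yes/no values are compared case-insensitively)
lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# sshd_config_hardened FILE
# Return 0 when FILE enforces what the playbook promises; print the first
# violation and return 1 otherwise.
sshd_config_hardened() {
    f="$1"
    pw=$(lower "$(sshd_first_value "$f" PasswordAuthentication)")
    [ "$pw" = "no" ] || { echo "PasswordAuthentication is '${pw:-unset}', expected 'no'"; return 1; }

    # PasswordAuthentication=no alone is not enough: with keyboard-interactive
    # enabled, PAM can still ask for the same password over SSH.
    for kw in KbdInteractiveAuthentication ChallengeResponseAuthentication; do
        v=$(lower "$(sshd_first_value "$f" "$kw")")
        [ "$v" != "yes" ] || { echo "$kw is 'yes'; PAM could still accept a password"; return 1; }
    done

    # PubkeyAuthentication defaults to yes, so an unset value is acceptable.
    pk=$(lower "$(sshd_first_value "$f" PubkeyAuthentication)")
    [ "${pk:-yes}" = "yes" ] || { echo "PubkeyAuthentication is '$pk', expected 'yes'"; return 1; }

    grp=$(sshd_first_value "$f" AllowGroups)
    case " $grp " in
        *" sshadmin "*) ;;
        *) echo "AllowGroups does not list sshadmin (got '${grp:-unset}')"; return 1 ;;
    esac

    # Drop-in files pulled in by Include are read at that point, so with an
    # Include near the top they take precedence over everything below it.
    if awk '$1 !~ /^#/ && tolower($1) == "include" { found = 1; exit } END { exit !found }' "$f"; then
        echo "warning: Include directive present; apply the same checks to the included files" >&2
    fi
    return 0
}

# account_ready GROUPS AUTHORIZED_KEYS_FILE
# GROUPS is the space-separated group list of the account (output of
# `id -nG USER`), AUTHORIZED_KEYS_FILE its ~/.ssh/authorized_keys. Both are
# passed in so the check can also be run against constructed data.
account_ready() {
    case " $1 " in
        *" sshadmin "*) ;;
        *) echo "account is not in sshadmin; it will be refused once the new config is active"; return 1 ;;
    esac
    # Need at least one real key line (YubiKey keys are the sk-* types); comments do not count.
    if ! grep -v '^[[:space:]]*#' "$2" 2>/dev/null \
        | grep -q -E '(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp[0-9]+|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) '; then
        echo "no usable key in $2; with passwords off there is no way in"
        return 1
    fi
    return 0
}

# preflight SSHD_CONFIG USER: run both checks against the live system, then let
# sshd itself parse the file (a syntax error would keep sshd from restarting).
preflight() {
    cfg="$1"; user="$2"
    home=$(getent passwd "$user" | cut -d: -f6)
    sshd_config_hardened "$cfg" || return 1
    account_ready "$(id -nG "$user")" "$home/.ssh/authorized_keys" || return 1
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$cfg" || return 1
    fi
    echo "ok: $user stays able to log in once $cfg is installed"
}

if [ "$#" -ge 2 ]; then
    preflight "$1" "$2"
fi
```

Run it on the Pi as root with the config copied over (`sshd -t` needs to read the host keys), and keep the current SSH session open until a second session with the new configuration has succeeded; the old session survives a reload and is your way back to revert the file.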
Run Playbooks
⚠️ Before you run the playbook, make sure to verify / change the credentials in your *-inventory.ini file (user name, passwords, paths, md5, etc.).
cd into-playbook-directory
# Dry Run
ansible-playbook -i inventory.ini nextcloud-server.yml -u pi --ask-become-pass --check
# Run playbook:
ansible-playbook -i inventory.ini nextcloud-server.yml -u pi --ask-become-pass -v
Replace pi with the user you created during the OS installation and entered in inventory.ini; current Raspberry Pi OS images no longer have a pi user.
If more detail is required, add up to three v (-vvv, verbose) to the command.
Wait
The next step is really simple: wait.
Depending on the Raspberry Pi model the run can take up to 20 minutes, so be patient. 😄
If you don't know which Pi model you have in use, run:
cat /sys/firmware/devicetree/base/model
Troubleshooting
Limit SSH connection
TASK [Limit SSH connection] ********************************************************************************************
fatal: [new-server1]: FAILED! => {"changed": false, "msg": "Failed to find required executable \"ufw\" in paths: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"}
This error occurred during the dry run because ufw is not installed yet. In check mode (--check) the apt task only reports that it would install ufw without actually doing so, so the later task that calls the ufw binary fails. During the real run ufw is installed first and the task succeeds.