
| 1. Raspberry Pi - Install OS | 2. Roles And Playbooks | 3. Rework |


⚠️ The files described here are located in the sub-folder ansible of this repo. ⚠️


Roles And Playbooks

Files and Folders

  • ansible.cfg = general Ansible configuration file
  • inventory.ini = global variable definition for all tasks
  • playbooks = all tasks which are included in the main playbook nextcloud-server.yml
  • vars = files for the user management
    • users-to-create.yml = user creation
    • users-to-delete.yml = user deletion
    • ssh-key-list.yml = ssh key distribution

Install Ansible

Make sure Ansible is installed on the machine from which you will run the playbooks (the control node). It is not needed on the Raspberry Pi itself.

On Debian-based distributions you can install Ansible directly from the repository:

sudo apt install ansible

On macOS you can use Homebrew to install Ansible:

brew install ansible

Variables inventory.ini

Before the Ansible playbook can be executed, the variables in inventory.ini need to be adjusted to your specific requirements.

  1. inventory.ini - First Section

In the first section of the file the variables are defined that are required for the installation of the OS and of Nextcloud (host, user name, passwords, paths).

  2. inventory.ini - Second Section

In the second section of the file the paths to the playbooks are defined. Normally it is not necessary to alter these lines.

User Management Of The Operating System

These playbooks implement an easy to use and easy to maintain user management for the OS.

⚠️ It is not the user management of the Nextcloud instance. ⚠️

User management is very important: users should only get access to the system and its services as far as they need it (least privilege).

Ansible helps to automatically:

  • create new users 👥
  • deploy SSH keys 🔑
  • delete existing users from the system

The specific files are located in vars folder.

Raspberry Pi OS no longer ships with a default user. The former default user pi was removed for security reasons: a well-known user name makes brute-force attacks against SSH much easier.

Make sure you enter the correct user in inventory.ini so that Ansible can access the new machine.

During the first run of the playbooks Ansible adds this user to the sshadmin group (task /playbooks/task_user_management). Without that membership the SSH hardening below would lock the user out.
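The create / deploy keys / delete cycle described above, as an added, self-contained example. This is not the repo's task_user_management; the variable names users_to_create, users_to_delete, ssh_keys and admin_user and the shape of their entries are assumptions made here (the real files in vars/ may use different keys), and the public keys are constructed placeholders that must be replaced with real ones.

```yaml
# Added example, not the repo's own task_user_management.
# ASSUMPTION: the variable names and their structure are invented here to
# stand in for vars/users-to-create.yml, vars/users-to-delete.yml and
# vars/ssh-key-list.yml; adapt them to the real files.
- name: OS user management (example)
  hosts: all
  become: true
  vars:
    admin_user: alice                   # the account Ansible logs in as (from inventory.ini in the repo)
    users_to_create:                    # stands in for vars/users-to-create.yml
      - name: alice
        groups: [sshadmin, sudo]
      - name: bob
        groups: [sshadmin]
    users_to_delete:                    # stands in for vars/users-to-delete.yml
      - name: pi                        # legacy default account, must not survive
    ssh_keys:                           # stands in for vars/ssh-key-list.yml (constructed placeholder keys)
      - user: alice
        pubkeys:
          - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERalice alice@yubikey"
      - user: bob
        pubkeys:
          - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tPLACEHOLDER bob@fido"
  tasks:
    - name: Refuse to delete the account Ansible is connected as
      ansible.builtin.assert:
        that: admin_user not in (users_to_delete | map(attribute='name') | list)
        fail_msg: "{{ admin_user }} is listed in users_to_delete; that would lock Ansible out"

    - name: Ensure the sshadmin group exists (AllowGroups in sshd_config refers to it)
      ansible.builtin.group:
        name: sshadmin
        state: present

    - name: Create users; no password is set, so only key login is possible
      ansible.builtin.user:
        name: "{{ item.name }}"
        groups: "{{ item.groups }}"
        append: true                    # add to the listed groups, keep existing memberships
        shell: /bin/bash
        state: present
      loop: "{{ users_to_create }}"

    - name: Make sure the connecting user is in sshadmin (what the first run must do)
      ansible.builtin.user:
        name: "{{ admin_user }}"
        groups: sshadmin
        append: true

    - name: Install exactly the listed keys; exclusive removes any key not in the list
      ansible.posix.authorized_key:
        user: "{{ item.user }}"
        key: '{{ item.pubkeys | join("\n") }}'
        exclusive: true
        state: present
      loop: "{{ ssh_keys }}"

    - name: Remove retired users together with their home directories
      ansible.builtin.user:
        name: "{{ item.name }}"
        state: absent
        remove: true
      loop: "{{ users_to_delete }}"
```

Two design points: the assert at the top makes the delete list unable to remove the account the playbook itself uses, and exclusive: true on authorized_key turns ssh-key-list.yml into the single source of truth, so a key that is removed from the list is also removed from the server on the next run.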

SSH Setup And sshd_config

The Ansible playbook setup is designed so that SSH access to the server works with a hardware token, like a YubiKey, ONLY.

Setup guides can be found on my blog.

The SSH connection (key on the hardware token, user created on the server) must be set up before the playbook runs, because afterwards only that privileged user is allowed to connect.

The playbook makes major changes to the SSH login behaviour, so make sure you fully understand the configuration! A mistake in the sshd configuration can prevent any login via SSH. The system is still reachable, but you have to connect a monitor and keyboard, log in locally and revert the changes.

The SSH daemon configuration file is /etc/ssh/sshd_config on your new server (drop-in files live in /etc/ssh/sshd_config.d/).

This file gets replaced by a new file which is located in /playbooks/task_ssh/files.

  • The most significant change: PASSWORD LOGIN is NOT allowed (PasswordAuthentication no).
  • Only members of the group sshadmin are allowed to connect via SSH (AllowGroups sshadmin).
  • An SSH public key must be deployed for each user before the change, otherwise that user cannot log in anymore.
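The three changes above, applied with the guards a practitioner wants against locking themselves out, as an added example. This is not the repo's task_ssh: admin_user is an assumed variable (in the repo the user comes from inventory.ini), and the inline config stands in for the file under /playbooks/task_ssh/files.

```yaml
# Added example, not the repo's task_ssh.
# ASSUMPTION: admin_user is invented here; the inline sshd_config content
# stands in for playbooks/task_ssh/files and is written from the three
# requirements in the text (no passwords, sshadmin only, keys required).
- name: SSH hardening (example)
  hosts: all
  become: true
  vars:
    admin_user: alice
  tasks:
    - name: Read the group memberships of the connecting user
      ansible.builtin.command: id -nG {{ admin_user }}
      register: admin_groups
      changed_when: false

    - name: Stop before AllowGroups could lock the connecting user out
      ansible.builtin.assert:
        that: "'sshadmin' in admin_groups.stdout.split()"
        fail_msg: "{{ admin_user }} is not in sshadmin; add the user to the group first"

    - name: Check that the connecting user already has a key (password login is about to go)
      ansible.builtin.stat:
        path: "/home/{{ admin_user }}/.ssh/authorized_keys"
      register: admin_keys

    - name: Stop if no authorized_keys file exists yet
      ansible.builtin.assert:
        that: admin_keys.stat.exists and admin_keys.stat.size > 0
        fail_msg: "no authorized_keys for {{ admin_user }}; deploy the key first"

    - name: Replace /etc/ssh/sshd_config, but only if sshd -t accepts the new file
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config
        owner: root
        group: root
        mode: "0644"
        backup: true                          # keeps a timestamped copy of the old file
        validate: "/usr/sbin/sshd -t -f %s"   # syntax check before the file is moved into place
        content: |
          Port 22
          PermitRootLogin no
          PasswordAuthentication no
          KbdInteractiveAuthentication no
          PubkeyAuthentication yes
          AuthenticationMethods publickey
          AllowGroups sshadmin
          MaxAuthTries 3
          LoginGraceTime 30
          X11Forwarding no
          UsePAM yes
          Subsystem sftp /usr/lib/openssh/sftp-server
          # sshd keeps the first value it sees for each option, so drop-ins
          # included last cannot weaken anything set above
          Include /etc/ssh/sshd_config.d/*.conf
      notify: Restart sshd

  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: ssh
        state: restarted
```

The validate parameter is the important safety net: Ansible writes the new file to a temporary path, runs sshd -t against it, and only moves it into place when the syntax check passes, so a typo cannot leave you with a daemon that refuses to start. It does not catch a logically wrong config (wrong group name, missing key), which is what the two asserts are for. After the run, keep your current session open and test a fresh login from a second terminal before you close it.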

Run Playbooks

⚠️ Before you run the playbook, make sure to verify / change the credentials in your inventory.ini file (user name, passwords, paths, md5, etc.).

cd into-playbook-directory

# Dry run (check mode): reports what would change, changes nothing
ansible-playbook -i inventory.ini nextcloud-server.yml -u <admin-user> --ask-become-pass --check

# Run playbook:
ansible-playbook -i inventory.ini nextcloud-server.yml -u <admin-user> --ask-become-pass -v

Replace <admin-user> with the user you created on the Raspberry Pi (the same user entered in inventory.ini); the old default user pi no longer exists. If more detail is required, add more v's to the command, up to -vvv.

Wait

The next step is really simple, wait.

Depending on the Raspberry Pi model the run can take up to 20 mins so be patient. 😄

If you don't know which Pi model you have in use, run:

cat /sys/firmware/devicetree/base/model

Troubleshooting

Limit SSH connection

TASK [Limit SSH connection] ********************************************************************************************
fatal: [new-server1]: FAILED! => {"changed": false, "msg": "Failed to find required executable \"ufw\" in paths: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"}

This error occurred during the dry run because ufw is not installed yet. Ansible's --check mode reports what a package installation would do but does not install anything, so a later task that needs the ufw binary fails on a fresh system. The error is expected in a dry run; it does not occur in a real run, where ufw gets installed first, or after installing ufw by hand.
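One way to make the "Limit SSH connection" step survive a --check run on a host that does not have ufw yet, as an added example (not the repo's task; the play and task names are assumptions):

```yaml
# Added example, not the repo's firewall task.
# ASSUMPTION: rule set written from the text (limit SSH); everything else is
# a common default-deny baseline, not something the repo specifies.
- name: Firewall (example)
  hosts: all
  become: true
  tasks:
    - name: Install ufw (in check mode this only reports, it installs nothing)
      ansible.builtin.apt:
        name: ufw
        state: present
        update_cache: true

    - name: Find out whether the ufw binary is actually present on the host
      ansible.builtin.stat:
        path: /usr/sbin/ufw
      register: ufw_bin

    - name: Limit SSH connection (ufw denies a source after 6 attempts within 30 s)
      community.general.ufw:
        rule: limit
        port: "22"
        proto: tcp
      # skip only in a dry run on a host where ufw is still missing; a real
      # run always executes it because apt installed ufw in the task above
      when: ufw_bin.stat.exists or not ansible_check_mode

    - name: Deny everything else inbound and enable the firewall
      community.general.ufw:
        state: enabled
        policy: deny
        direction: incoming
      when: ufw_bin.stat.exists or not ansible_check_mode
```

The stat task runs in check mode too, so the condition is exact: on a host where ufw is installed the dry run still exercises the ufw tasks, and on a fresh host it skips them instead of failing. The order matters as well: the limit rule for port 22 is added before the firewall is enabled with a deny policy, so an existing SSH session is never cut off.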