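#vim: set ft=ansible:
---
# tasks file for bastion
#
# Prepares the bastion for post-deployment administration: /root/.ssh with the
# environment's private key and a generated ssh config, python-requests, and
# mosh together with the firewall opening it needs. Tasks tagged "packer" are
# skipped when the controller sets hostvars.localhost.skip_packer_tasks
# (presumably an image-build run where they are handled elsewhere — confirm).

######################### Setting up environment for post deployment administration
- name: create /root/.ssh
  file:
    dest: /root/.ssh
    # Quoted so the YAML loader does not turn the octal mode into an integer.
    mode: "0700"
    state: directory
  when: not hostvars.localhost.skip_packer_tasks | d(false)
  tags: packer

- name: copy the environment .pem key
  become: true
  copy:
    src: "{{ ANSIBLE_REPO_PATH }}/workdir/{{ env_authorized_key }}"
    dest: "/root/.ssh/{{ env_authorized_key }}.pem"
    owner: root
    group: root
    mode: "0400"
  when: use_own_key | bool

- name: copy the user's SSH private key
  become: true
  copy:
    src: "~/.ssh/{{ key_name }}.pem"
    dest: "/root/.ssh/{{ key_name }}.pem"
    owner: root
    group: root
    mode: "0400"
  when: not use_own_key | bool
  tags:
    - copy_env_private_key

- name: Generate host .ssh/config Template
  become: false
  # Runs on the controller (formerly local_action with key=value args); the
  # rendered file is picked up by the next task.
  delegate_to: localhost
  template:
    src: "{{ role_path }}/files/bastion_ssh_config.j2"
    dest: "{{ ANSIBLE_REPO_PATH }}/workdir/ssh-config-{{ env_type }}-{{ guid }}"
  tags:
    - gen_sshconfig_file

- name: copy over host .ssh/config Template
  become: true
  copy:
    src: "{{ ANSIBLE_REPO_PATH }}/workdir/ssh-config-{{ env_type }}-{{ guid }}"
    dest: /root/.ssh/config
    owner: root
    group: root
    mode: "0400"
  tags:
    - copy_sshconfig_file

- name: Install python-requests
  # NOTE(review): a failed install is silently masked; confirm the package is
  # genuinely optional on this host.
  ignore_errors: true
  become: true
  yum:
    name:
      - python-requests
  when: not hostvars.localhost.skip_packer_tasks | d(false)
  tags: packer

# - name: Ensure that iptables service is installed
#   yum:
#     name: iptables-services
#     state: latest

# - name: Ensure that iptables service is enabled and started
#   service:
#     name: iptables
#     enabled: true
#     state: started

- name: Install mosh
  become: true
  yum:
    # NOTE(review): the RPM is fetched over plain http; whether yum verifies a
    # GPG signature on a direct-URL package depends on its localpkg_gpgcheck
    # setting — confirm, and prefer an https URL or a checked-in, verified RPM.
    name: http://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/m/mosh-1.3.0-1.el7.x86_64.rpm
  ignore_errors: true
  when: not hostvars.localhost.skip_packer_tasks | d(false)
  tags: packer

- name: Open UDP Ports 60001 - 61000 for Mosh
  # Runtime rule only; the lineinfile task below persists it across reboots.
  # No `source:` is given, so the range is opened to every address.
  # NOTE(review): unlike the tasks above this one sets no `become`; it relies on
  # the play already running privileged — confirm.
  iptables:
    action: insert
    protocol: udp
    destination_port: "60001:61000"
    state: present
    chain: INPUT
    jump: ACCEPT

- name: Stat /etc/sysconfig/iptables
  stat:
    path: /etc/sysconfig/iptables
  register: statiptables

- when: statiptables.stat.exists
  block:
    - name: Ensure SSH rule is present
      # The persisted mosh rule is anchored before the SSH ACCEPT line, so the
      # edit below only runs when that line exists (rc == 0).
      command: >
        grep "^-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT"
        /etc/sysconfig/iptables
      changed_when: false
      failed_when: false
      register: ensuresshpresent

    - name: Open iptables Mosh firewall ports for future sessions
      lineinfile:
        insertbefore: "-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT"
        state: present
        path: /etc/sysconfig/iptables
        line: "-A INPUT -p udp -m multiport --dports 60001:61000 -j ACCEPT"
      when: ensuresshpresent.rc == 0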