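# vim: set ft=ansible:
---
# tasks file for bastion
#
# Prepares the bastion host for post-deployment administration: creates
# /root/.ssh, places the environment or the user's SSH private key there,
# generates and installs an ssh client config, installs python-requests and
# mosh, and opens the Mosh UDP port range in iptables (live rule plus the
# persisted rule in /etc/sysconfig/iptables).
#
# NOTE(review): the tasks that write under /root or change iptables without
# an explicit `become: true` (create /root/.ssh, the iptables, stat and
# lineinfile tasks) only work if the play already runs as root or with
# play-level become — confirm with the calling play.

######################### Setting up environment for post deployment administration

- name: create /root/.ssh
  file:
    path: /root/.ssh
    # Quoted: a plain 0700 is read as an octal integer by YAML 1.1 parsers,
    # which Ansible tolerates, but the string form is unambiguous.
    mode: "0700"
    state: directory
  when: not hostvars.localhost.skip_packer_tasks | d(false)
  tags: packer

- name: copy the environment .pem key
  become: true
  copy:
    src: "{{ ANSIBLE_REPO_PATH }}/workdir/{{ env_authorized_key }}"
    dest: "/root/.ssh/{{ env_authorized_key }}.pem"
    owner: root
    group: root
    # Private key material: readable by root only.
    mode: "0400"
  when: use_own_key | bool

- name: copy the user's SSH private key
  become: true
  copy:
    # Copies the controller's own private key onto the bastion. It lands with
    # root-only permissions, but it is still a long-lived key on a remote host.
    src: "~/.ssh/{{ key_name }}.pem"
    dest: "/root/.ssh/{{ key_name }}.pem"
    owner: root
    group: root
    mode: "0400"
  when: not use_own_key | bool
  tags:
    - copy_env_private_key

- name: Generate host .ssh/config Template
  # Runs on the controller and writes into the repo workdir, so no privilege
  # escalation is needed. Native module arguments replace the former
  # `local_action: template src=... dest=...` string, which would break on
  # paths containing spaces.
  become: false
  delegate_to: localhost
  template:
    src: "{{ role_path }}/files/bastion_ssh_config.j2"
    dest: "{{ ANSIBLE_REPO_PATH }}/workdir/ssh-config-{{ env_type }}-{{ guid }}"
  tags:
    - gen_sshconfig_file

- name: copy over host .ssh/config Template
  become: true
  copy:
    src: "{{ ANSIBLE_REPO_PATH }}/workdir/ssh-config-{{ env_type }}-{{ guid }}"
    dest: /root/.ssh/config
    owner: root
    group: root
    mode: "0400"
  tags:
    - copy_sshconfig_file

- name: Install python-requests
  # Best effort, as in the original: a failed install must not abort the play.
  ignore_errors: true
  become: true
  yum:
    name:
      - python-requests
  when: not hostvars.localhost.skip_packer_tasks | d(false)
  tags: packer

# - name: Ensure that iptables service is installed
#   yum:
#     name: iptables-services
#     state: latest
#
# - name: Ensure that iptables service is enabled and started
#   service:
#     name: iptables
#     enabled: yes
#     state: started

- name: Install mosh
  become: true
  yum:
    # Pinned out-of-repo RPM, now fetched over TLS instead of plain http.
    # GPG checking is not disabled here, so yum is expected to verify the
    # package signature against the imported keys — confirm on the target.
    name: https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/m/mosh-1.3.0-1.el7.x86_64.rpm
  ignore_errors: true
  when: not hostvars.localhost.skip_packer_tasks | d(false)
  tags: packer

- name: Open UDP Ports 60001 - 61000 for Mosh
  # Live rule for the running system; the persisted copy is written below.
  iptables:
    action: insert
    protocol: udp
    destination_port: "60001:61000"
    state: present
    chain: INPUT
    jump: ACCEPT

- name: Stat /etc/sysconfig/iptables
  stat:
    path: /etc/sysconfig/iptables
  register: statiptables

- when: statiptables.stat.exists
  block:
    - name: Ensure SSH rule is present
      # Only the return code is used below; a miss is neither a change nor
      # a failure.
      command: >
        grep "^-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT"
        /etc/sysconfig/iptables
      changed_when: false
      failed_when: false
      register: ensuresshpresent

    - name: Open iptables Mosh firewall ports for future sessions
      lineinfile:
        # Anchored on the SSH accept rule so the Mosh rule is inserted ahead
        # of it; only runs when the grep above found that rule.
        insertbefore: "-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT"
        state: present
        path: /etc/sysconfig/iptables
        line: "-A INPUT -p udp -m multiport --dports 60001:61000 -j ACCEPT"
      when: ensuresshpresent.rc == 0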