2018-12-23 12:20:19 +01:00
|
|
|
# Playbook et rôles Ansible d'Aurore
|
|
|
|
|
2018-12-23 12:25:52 +01:00
|
|
|
Pour cloner ce projet :
|
|
|
|
|
|
|
|
```
|
|
|
|
git clone --recursive git@gitlab.federez.net:erdnaxe/ansible-role-ldap-client.git
|
|
|
|
```
|
|
|
|
|
2018-12-23 12:20:19 +01:00
|
|
|
## Exécution d'un playbook
|
|
|
|
|
2018-12-24 10:50:22 +01:00
|
|
|
Pour tester :
|
|
|
|
```bash
|
2018-12-27 10:27:20 +01:00
|
|
|
ansible-playbook --ask-vault-pass -bK -i hosts base.yml --check --diff
|
2018-12-24 10:50:22 +01:00
|
|
|
```
|
|
|
|
|
|
|
|
Pour appliquer :
|
2018-12-23 12:20:19 +01:00
|
|
|
```bash
|
2018-12-27 10:27:20 +01:00
|
|
|
ansible-playbook --ask-vault-pass -bK -i hosts base.yml
|
2018-12-23 12:20:19 +01:00
|
|
|
```
|
|
|
|
|
|
|
|
## FAQ
|
|
|
|
|
2018-12-23 16:09:12 +01:00
|
|
|
### Mettre sa clé SSH sur une machine
|
|
|
|
|
|
|
|
```
|
|
|
|
ssh-copy-id -i ~/.ssh/id_rsa_aurore.pub virtu.fede-aurore.net
|
|
|
|
```
|
|
|
|
|
2018-12-23 12:20:19 +01:00
|
|
|
### Automatiquement ajouter fingerprint ECDSA (dangereux !)
|
|
|
|
|
|
|
|
Il faut changer la variable d'environnement suivante :
|
|
|
|
`ANSIBLE_HOST_KEY_CHECKING=0`.
|
|
|
|
|
|
|
|
### Configurer la connexion au bastion
|
|
|
|
|
2018-12-28 11:30:18 +01:00
|
|
|
Envoyer son agent SSH peut être dangereux ([source](https://heipei.io/2015/02/26/SSH-Agent-Forwarding-considered-harmful/)).
|
|
|
|
|
|
|
|
On va utiliser plutôt ProxyCommand.
|
2018-12-23 12:20:19 +01:00
|
|
|
Dans la configuration SSH :
|
|
|
|
|
|
|
|
```
|
|
|
|
# Keep session alive only for bastion
|
|
|
|
Host proxy.auro.re
|
|
|
|
ControlMaster auto
|
|
|
|
ControlPath ~/.ssh/%r@%h:%p
|
|
|
|
|
2018-12-28 12:04:19 +01:00
|
|
|
# Use a bastion and a key to log on all Aurore servers
|
2019-01-02 18:08:27 +01:00
|
|
|
Host 10.128.*
|
2018-12-28 12:04:19 +01:00
|
|
|
ProxyJump proxy.auro.re
|
2018-12-23 12:20:19 +01:00
|
|
|
IdentityFile ~/.ssh/id_rsa_aurore
|
|
|
|
```
|
2018-12-28 11:30:18 +01:00
|
|
|
|