How to configure declarative ssh with ansible

In this tutorial I will show you how to declaratively configure ssh with ansible. I will show you two ways to do this: the secure way, and the in-a-rush, not-so-secure way (with that one you will have to be wary of who has read permissions on those files). The first way consists of initializing the ansible files with the ssh keys in plain text; the second way is an add-on to your existing work, utilizing ansible vault.

The way I will show you now is not the most secure way to run ansible (if you choose to do this only in plaintext). If you do wish to make automated playbooks with credentials, you should use permission-protected files, with encryption if you are really serious about your security (which you should be!).

So first install ansible. There are many, many posts on how to install ansible; in this case I installed it on my raspberry pi.

Here are the types of variables you would need:

ansible_host: <- this takes the IP of your server

ansible_user: <- the user ansible will use to run commands

ansible_password: <- the password for the user, used for the initial log in over ssh

ansible_ssh_private_key_file: <- the location of the private key file needed for the ssh connection

ansible_become_password: <- the password ansible will use to escalate its privileges, used whenever running a command that needs sudo.

Full inventory.yml

all:
  hosts:
    your_server:
      ansible_host: <host>
      ansible_user: <ansible user>
      ansible_password: <ansible password>
      ansible_ssh_private_key_file: <ansible private key for ssh>
      ansible_become_password: <ansible escalation password>

Now that you have your inventory.yml set up, let's see what you would need to, let's say, install docker. I made an install_docker.yml, but before that I will show you what command you need to run whenever running a playbook: ansible-playbook -i inventory.yml install_docker.yml <- replace install_docker.yml with whatever playbook you wish to run.

Now here is how you encrypt your existing inventory.yml so it's secure. First off, install ansible-vault; this is ansible's way of securing playbooks which might contain credentials. Once you have installed ansible-vault, run this command:

ansible-vault encrypt inventory.yml

Now you get prompted to enter a password; this is obviously the password it will use to encrypt the playbook. If you want to decrypt it, to run it normally (which you shouldn't), run the same command but replace encrypt with decrypt. If you wish to use a password file (which you should never upload to any public repo or leave with read permissions for anyone but the one user, I suggest the root user), you need to first create that password file. There are many different ways of generating your password, e.g. via a random method, or you could run these commands to put a password you already have into a file:

echo "your-vault-password" > vault-password.txt
chmod 600 vault-password.txt

Now you have a vault-password file! There are many cases where you might want to use one of these, especially if you're in a tty or without a GUI and have a long password, which is a common situation for me. Now here is how to encrypt the inventory with your newly created password file,

run this command:

ansible-vault encrypt --vault-password-file vault-password.txt inventory.yml

If you have a different name for your vault-password file be sure to use that. All this does is take the content of the file and use it to encrypt inventory.yml. Now here is how to run an encrypted playbook, or a playbook with an encrypted inventory, with a password file and with an interactive password respectively:

ansible-playbook -i inventory.yml install_docker.yml --vault-password-file vault-password.txt
ansible-playbook -i inventory.yml install_docker.yml --ask-vault-pass
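Because the whole point of the vault step is that nobody else can read the credentials, here is an added pre-flight check (my example, not part of the original post) that refuses to run the playbook when the inventory is still plaintext or the password file is readable by group/others. The helper names vault_preflight, is_vault_encrypted and is_private are my own, and the demo files it creates are constructed stand-ins, not real credentials.

```shell
#!/bin/sh
# Added example: sanity checks before running ansible-playbook with a vault.

# Returns 0 if the file starts with the ansible-vault header, i.e. it was
# actually encrypted by `ansible-vault encrypt` rather than left in plaintext.
is_vault_encrypted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;'
}

# Returns 0 if the file is readable by its owner only (mode 600 or 400).
# Tries GNU stat first, then BSD/macOS stat.
is_private() {
    file_mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    case "$file_mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# vault_preflight <inventory.yml> <vault-password-file>
# Returns non-zero (and explains why) if either check fails.
vault_preflight() {
    pf_inv=$1; pf_pw=$2; pf_rc=0
    if ! is_vault_encrypted "$pf_inv"; then
        echo "refusing: $pf_inv is not vault-encrypted (plaintext credentials)" >&2
        pf_rc=1
    fi
    if ! is_private "$pf_pw"; then
        echo "refusing: $pf_pw is readable by group/others; run chmod 600 $pf_pw" >&2
        pf_rc=1
    fi
    return $pf_rc
}

# Constructed demo files so this runs stand-alone without ansible installed.
umask 077                                   # new files are born mode 600
demo=$(mktemp -d)
printf 'vault-demo-password\n' > "$demo/vault-password.txt"
# Header line as written by ansible-vault, followed by a fake ciphertext line.
printf '$ANSIBLE_VAULT;1.1;AES256\n6162636465\n' > "$demo/inventory.yml"

if vault_preflight "$demo/inventory.yml" "$demo/vault-password.txt"; then
    echo "checks passed; safe to run:"
    echo "ansible-playbook -i inventory.yml install_docker.yml --vault-password-file vault-password.txt"
fi
```

Drop the demo section and call vault_preflight on your real inventory.yml and vault-password.txt right before the ansible-playbook line.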

Again I am using my install_docker.yml as an example. In both of these cases it should run successfully unless there is some other factor, and docker should be installed on your remote system! Yay! If you wish to use another playbook you can do so and it will have no effect; if you wish to try it out with my install_docker.yml I left it linked here:

Here is my install_docker.yml:

---
- name: Install Docker on Remote Server
  hosts: all
  become: yes
  tasks:
    - name: Install required packages
      apt:
        name:
          - apt-transport-https
          - ca-certificates
          - curl
          - software-properties-common
        state: present
        update_cache: yes

    - name: Add Docker GPG key
      apt_key:
        url: https://download.docker.com/linux/ubuntu/gpg
        state: present

    - name: Add Docker repository
      apt_repository:
        repo: deb https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable
        state: present

    - name: Install Docker
      apt:
        name: docker-ce
        state: present
        update_cache: yes

    - name: Start and enable Docker
      systemd:
        name: docker
        enabled: yes
        state: started