>On Sunday, June 1, 2014 8:21:09 PM UTC-4, Matt Gushee wrote:
> My OS of choice is FreeBSD 10; as far as I can tell, my provider (Greenqloud)

Hi Matt.. Before I go on to comment on your ansible+FreeBSD questions.. just a quick comment on Greenqloud.. Be a little wary of them.. at the moment. They have lost 2 FreeBSD VMs.. and I mean completely, totally lost.. I am currently using Rackspace, but just started testing https://www.vultr.com
Vultr has some very competitive prices.

> does not give me the ability to replicate a fully-configured VPS

.. and no ETA when they will have it either..

> , so I want to use Ansible to configure the system and install the necessary software

The way I do it with providers that don't provide cloning/imaging is to have a prep script where I set up the minimum needed to make the machine an ansible target. It varies from provider to provider what you get pre-installed, so I end up slightly changing the script. If you like I can send you my script.. Just let me know and I will send it to you outside the list.. since it has little to do with Ansible per se..

> Now, FreeBSD doesn't have Python installed by default

But many providers have it installed by the time you get the VM.

> 1. Create a normal user account, and set its password.

I let Ansible do all of the user management.

> 2. Disallow root logins.

I do this:

    #Allow ansible master as root
    Match Address #.#.#.#
        PermitRootLogin yes

> 3. Change the SSHD port.

I have not done it yet, but I am thinking I will let ansible manage the /etc/ssh/sshd file.

> 4. Upload an authorized_keys file for the normal user.

Currently I upload the key for the root user, so between the IP requirement and the key requirement only the ansible machine can log in to the machine as root.

> 5. Disallow password authentication (actually it's PAM challenge-response ... but anyway, I want to allow only public key authentication).

Agree..

> 6. Install python, py-simplejson, and sudo.

In my particular case I let ansible do that too.

> So, a couple of questions about this: I understand that if I did step 6 first, I could probably do everything else with standard modules. But I feel it is important to tighten up SSH access first

Do both at the same time..

> Or do you think I'm being too paranoid?

Not at all. I think it makes perfect sense.. no root login, ssh key logins only and change port..

> do you agree with my approach in principle?

Yes.

> The other thing I'm wondering is how to set the password for the new user

I let ansible manage all my users.

> The documentation for the 'pw' utility states that it is possible to read a password from stdin

The user module for ansible can create a user and give it a password.

I consider myself an ansible newbie myself, but I would be more than happy to share with you my freebsd-base role. Once I have more knowledge... and more time.. I am thinking of starting to contribute to galaxy, the ansible repository, for FreeBSD oriented modules.. or help with existing ones to make them FreeBSD aware.

By the way.. are you having any issues installing from ports with ansible? Just filed a bug report.. I am able to install using the pkg module, but not ports. At least the two that I tried so far both failed.. I don't go exploring for the sake of exploring.. I use ansible to manage infrastructure for clients and have a smaller set of clients using FreeBSD.. so have not tried other ports.. Would be curious to know if the issue I am having is something others are having too... Was just on my way to post about that.. when I saw your post..
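The steps discussed in this thread (install Python, create the user, upload the key, key-only logins, root only from the Ansible host) as a single bootstrap play. This is an added example, not part of the original message or of anyone's actual role. The group name, user name, key path, control-host address, package names and interpreter path are all assumptions.

```yaml
# Added example; not from the original thread. Assumed names: group "freebsd_new",
# user "deploy", key file files/deploy.pub, control host 192.0.2.10 (documentation
# address), packages python3 and sudo, interpreter /usr/local/bin/python3.
- name: Bootstrap a fresh FreeBSD host and tighten SSH in the same run
  hosts: freebsd_new
  remote_user: root
  gather_facts: false   # fact gathering needs Python, which may not be there yet
  vars:
    admin_user: deploy
    ansible_master_ip: 192.0.2.10
    ansible_python_interpreter: /usr/local/bin/python3
  tasks:
    - name: Install Python and sudo (raw runs over plain SSH, no Python needed)
      ansible.builtin.raw: env ASSUME_ALWAYS_YES=yes pkg install -y python3 sudo
    - name: Create the normal user
      ansible.builtin.user:
        name: "{{ admin_user }}"
        groups: wheel
        append: true
    - name: Upload the authorized_keys entry for the normal user
      ansible.posix.authorized_key:
        user: "{{ admin_user }}"
        key: "{{ lookup('file', 'files/deploy.pub') }}"
    - name: Global defaults are key-only logins and no root login
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?{{ item.key }}\s'      # unindented only, so Match bodies are untouched
        line: "{{ item.key }} {{ item.value }}"
        insertbefore: '^Match '            # global options must precede any Match block
        firstmatch: true
        validate: /usr/sbin/sshd -t -f %s  # refuse to write a config sshd rejects
      loop:
        - { key: PermitRootLogin, value: "no" }
        - { key: PasswordAuthentication, value: "no" }
        - { key: ChallengeResponseAuthentication, value: "no" }
      notify: Reload sshd
    - name: Allow root only from the Ansible control host
      ansible.builtin.blockinfile:
        path: /etc/ssh/sshd_config         # appended at EOF, after the global options
        block: |
          Match Address {{ ansible_master_ip }}
              PermitRootLogin yes
        validate: /usr/sbin/sshd -t -f %s
      notify: Reload sshd
  handlers:
    - name: Reload sshd                    # runs once, after both edits are in place
      ansible.builtin.service:
        name: sshd
        state: reloaded
```

Because the handler fires only at the end of the play, sshd never reloads a configuration that has the global `PermitRootLogin no` without the `Match Address` exception, so the control host is not locked out partway through.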
