authorSam Thursfield <sam.thursfield@codethink.co.uk>2015-01-09 16:14:40 +0000
committerSam Thursfield <sam.thursfield@codethink.co.uk>2015-01-09 16:14:40 +0000
commit4d3803775ec596be86fe9be30d04b6bb26176231 (patch)
tree12d0178d7ce0e246a8811e57676dd0b64c9d7478
parente3b5746f8064819bae40e900763bc2c2df77d376 (diff)
parentb31cdd0d8d5a954399a81addf3c63a33920b1f62 (diff)
Merge branch 'sam/ansible'
-rw-r--r--README.mdwn24
-rw-r--r--admin/sshd_config.yaml7
-rw-r--r--ansible.cfg5
-rw-r--r--hosts38
4 files changed, 74 insertions, 0 deletions
diff --git a/README.mdwn b/README.mdwn
index cc32a371..a978114a 100644
--- a/README.mdwn
+++ b/README.mdwn
@@ -170,3 +170,27 @@ The the Packer tool requires a floating IP to be available at the time a system
is being deployed to OpenStack. Currently 85.199.252.152 should be used for
this. If you specify a floating IP that is in use by an existing instance, you
will steal it for your own instance and probably break one of our web services.
+
+
+General notes
+-------------
+
+Ensure SSH password login is disabled in all systems you deploy! See:
+<https://testbit.eu/is-ssh-insecure/> for why. The Ansible playbook
+admin/sshd_config.yaml can ensure that all systems have password login
+disabled.
+
+
+Administration
+--------------
+
+You can use Ansible to automate tasks on the baserock.org systems.
+
+To run a playbook:
+
+ ansible-playbook -i hosts $PLAYBOOK.yaml
+
+To run an ad-hoc command (upgrading, for example):
+
+ ansible-playbook -i hosts fedora -m command -a 'sudo yum update'
+ ansible-playbook -i hosts ubuntu -m command -a 'sudo apt-get update'
diff --git a/admin/sshd_config.yaml b/admin/sshd_config.yaml
new file mode 100644
index 00000000..dda981b2
--- /dev/null
+++ b/admin/sshd_config.yaml
@@ -0,0 +1,7 @@
+---
+- hosts: all
+ tasks:
+ - name: ensure SSH login with password is disabled
+ lineinfile:
+ dest=/etc/ssh/sshd_config
+ line='PasswordAuthentication no'
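Review bot: Without a `regexp=` the `lineinfile` task at the end of the hunk only appends `PasswordAuthentication no` when that exact line is absent and leaves any existing `PasswordAuthentication yes` untouched, and sshd uses the first value it reads for a keyword, so the appended line can be silently ignored. The play also runs as the inventory login user (`ubuntu`/`fedora` for two of the three groups in `hosts`), which cannot write `/etc/ssh/sshd_config`, and nothing reloads sshd, so even a successful edit does not take effect until the next restart. I would match the existing directive with `regexp='^#?PasswordAuthentication '`, escalate with `sudo: yes`, validate the result with `sshd -t` so a bad edit cannot lock every host out at once, and notify a restart handler (the service is `sshd` on Fedora and `ssh` on Ubuntu, so the handler likely needs a per-group variable). Whether password auth also remains reachable via `ChallengeResponseAuthentication`/PAM depends on each distro's default config, which this hunk does not show; worth checking before relying on this play as the only control.
```yaml
- hosts: all
  sudo: yes
  tasks:
    - name: ensure SSH login with password is disabled
      lineinfile:
        dest=/etc/ssh/sshd_config
        regexp='^#?PasswordAuthentication '
        line='PasswordAuthentication no'
        validate='/usr/sbin/sshd -t -f %s'
      notify: restart sshd
  handlers:
    - name: restart sshd
      service: name=sshd state=restarted
```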
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 00000000..b81f6a5d
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,5 @@
+# Proxy SSH connection through the frontend-haproxy machine to access
+# the instances that don't have public IPs.
+[ssh_connection]
+ssh_args = -o ProxyCommand="ssh -q -A fedora@185.43.218.170 'nc %h %p'"
+
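Review bot: The `-A` in the ProxyCommand on the `ssh_args` line forwards the administrator's SSH agent to the frontend-haproxy bastion, and nothing in this tunnel needs it: `nc %h %p` only relays bytes, so the inner ssh to each instance authenticates end-to-end with the keys held locally. Agent forwarding lets anyone who is root on 185.43.218.170, a public-facing proxy, use the forwarded agent to authenticate as that administrator to every host the agent's keys unlock for as long as the session is open. Drop it, and since `nc` then need not be installed on the bastion, prefer OpenSSH's built-in forwarding: `ssh_args = -o ProxyCommand="ssh -q -W %h:%p fedora@185.43.218.170"`. Note also that Ansible's documented default for `ssh_args` is `-o ControlMaster=auto -o ControlPersist=60s` and setting the key replaces rather than extends it, so each task will presumably reopen both hops unless those options are added back.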
diff --git a/hosts b/hosts
new file mode 100644
index 00000000..13b8d9f4
--- /dev/null
+++ b/hosts
@@ -0,0 +1,38 @@
+# Ansible hosts file for Baserock infrastructure.
+# See: <http://docs.ansible.com/intro_inventory.html>.
+
+# We don't have DNS working for instances in the OpenStack cloud we use, which
+# makes this file a lot more fiddly than it would be otherwise. Access to these
+# machines works because the `ansible.cfg` file in the same directory redirects
+# all SSH access through the frontend machine.
+
+[baserock]
+baserock-mason-x86-64 ansible_ssh_host=192.168.222.48
+cache.baserock.org ansible_ssh_host=192.168.222.14
+#devel-system-64b ansible_ssh_host=192.168.222.41 (off)
+firehose ansible_ssh_host=192.168.222.45
+git.baserock.org ansible_ssh_host=192.168.222.58
+mason-armv7lhf.baserock.org ansible_ssh_host=192.168.222.15
+mason-x86-64.baserock.org ansible_ssh_host=192.168.222.13
+
+[fedora]
+frontend-haproxy ansible_ssh_host=185.43.218.170
+database-mariadb ansible_ssh_host=192.168.222.30
+openid.baserock.org ansible_ssh_host=192.168.222.39
+storyboard.baserock.org ansible_ssh_host=192.168.222.40
+
+[ubuntu]
+paste.baserock.org ansible_ssh_host=192.168.222.6
+testgerrit.baserock.org ansible_ssh_host=192.168.222.46
+testirclogs.baserock.org ansible_ssh_host=192.168.222.11
+#gerrit.baserock.org-test ansible_ssh_host=192.168.222.44 # (off)
+
+
+[baserock:vars]
+ansible_ssh_user=root
+
+[ubuntu:vars]
+ansible_ssh_user=ubuntu
+
+[fedora:vars]
+ansible_ssh_user=fedora
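Review bot: The `[baserock:vars]` block's `ansible_ssh_user=root` makes every administrator log in directly as root on the seven `[baserock]` hosts, including git.baserock.org and the cache, while the `[fedora]` and `[ubuntu]` groups use an unprivileged account; shared root logins leave sshd unable to attribute actions to a person, and they presumably require `PermitRootLogin` to stay enabled on exactly the hosts that hold the most sensitive data. If those images ship only a root account (the file does not say), record that above the vars block so the next reader does not "fix" it, e.g. `# Baserock-built systems have no unprivileged login user, so Ansible must connect as root.`; otherwise prefer a named admin user plus sudo as the other two groups do. Separately, the header comment says all SSH access is redirected through the frontend machine, yet `frontend-haproxy` itself is listed with its public address 185.43.218.170, so the global ProxyCommand in `ansible.cfg` will presumably hop through that host to reach itself — harmless, but a one-line comment on the `frontend-haproxy` entry would save the next reader the puzzle.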