Added role bootstrap

README.md

@@ -10,4 +10,5 @@ Following roles have been defined to make creating a server configuration easy:
 - **acme** defines roles for handling the automatic handling of certificates with *acme.sh*
   - **application** installs main application
   - **certificate** issues a given certificate
+- **bootstrap** defines a way to connect to a server which has not been configured yet
 - **common** defines the installation of common packages and common configurations like firewall

roles/bootstrap/README.md

@@ -0,0 +1,21 @@
+# Ansible Bootstrap Role
+
+This role will manage to use another user to connect to the server,
+if your server hoster configures another root / sudo user as you want to use.
+This allows you to build one simple playbook and execute it
+no matter if your server is already configured or not.
+
+## Example
+
+My server hoster allows me to define a password for root while configuring the server,
+then I can connect via SSH using this password to this new server,
+however I prefer to use another account with sudo privileges.
+
+Now you can use this role to etablish this workflow to Ansible.
+Configure Ansible's `remote_user` to be the user you want to give sudo privileges to.
+Define this role to be the first executed and set the variable `bootstrap_sudo_user`
+to the user your hoster configures for you.
+Ansible will try to log in as `remote_user` at first,
+if this fails, then it will try to log in as `bootstrap_sudo_user`.
+As long as one of both connection attempts succeeds,
+the execution of the playbook will continue using the privileges of the first succeeded login.

roles/bootstrap/defaults/main.yml

@@ -0,0 +1,4 @@
+bootstrap_used: false
+
+bootstrap_user: root
+bootstrap_become_pass: ""

roles/bootstrap/tasks/deprivilege.yml

@@ -0,0 +1,9 @@
+---
+
+- user:
+    name: "{{ bootstrap_user }}"
+    state: absent
+  become: yes
+  when:
+    - bootstrap_user != "root"
+    - bootstrap_user != bootstrap_expected_user

roles/bootstrap/tasks/main.yml

@@ -0,0 +1,19 @@
+---
+
+- name: Store facts given by configuration
+  set_fact:
+    bootstrap_expected_user: "{{ ansible_user }}"
+    bootstrap_expected_become_pass: "{{ ansible_become_pass }}"
+
+- name: Bootstrap shift if required
+  include_tasks: try_else_shift.yml
+
+- name: Privilege expected user
+  include_tasks: privilege.yml
+
+- name: Bootstrap shift back if was shifted
+  include_tasks: shift_back.yml
+  when: bootstrap_used
+
+- name: Deprivilege bootstrap user
+  include_tasks: deprivilege.yml

roles/bootstrap/tasks/privilege.yml

@@ -0,0 +1,37 @@
+---
+
+- name: Create new user {{ bootstrap_expected_user }}
+  user:
+    state: present
+    name: "{{ bootstrap_expected_user }}"
+    groups:
+      - sudo
+    append: yes
+    password: "{{ bootstrap_expected_become_pass | password_hash('sha512', LOCAL_SALT) }}"
+    update_password: on_create
+  register: bootstrap_expected_user_data
+
+- name: Copy SSH Keys if bootstraped now
+  when: bootstrap_used
+  block:
+    - name: Retrieve data from user {{ bootstrap_user }}
+      user:
+        name: "{{ bootstrap_user }}"
+        state: present
+      register: bootstrap_user_data
+    - name: Create .ssh directory for user {{ bootstrap_expected_user }}
+      file:
+        path: "{{ bootstrap_expected_user_data.home }}/.ssh"
+        state: directory
+        owner: "{{ bootstrap_expected_user }}"
+        group: "{{ bootstrap_expected_user }}"
+      become: yes
+    - name: Transfer SSH keys to new user
+      copy:
+        remote_src: yes
+        src: "{{ bootstrap_user_data.home }}/.ssh/authorized_keys"
+        dest: "{{ bootstrap_expected_user_data.home }}/.ssh/authorized_keys"
+        owner: "{{ bootstrap_expected_user }}"
+        group: "{{ bootstrap_expected_user }}"
+        mode: u=rw,g=r
+      become: yes

roles/bootstrap/tasks/shift_back.yml

@@ -0,0 +1,8 @@
+---
+
+- set_fact:
+    bootstrap_used: no
+    ansible_user: '{{ bootstrap_expected_user }}'
+    ansible_become_pass: '{{ bootstrap_expected_become_pass }}'
+
+- meta: reset_connection

roles/bootstrap/tasks/try_else_shift.yml

@@ -0,0 +1,12 @@
+---
+
+- action: ping
+  ignore_unreachable: true
+  ignore_errors: yes
+  register: pingtest
+- meta: clear_host_errors
+- set_fact:
+    bootstrap_used: yes
+    ansible_user: '{{ bootstrap_user }}'
+    ansible_become_pass: '{{ bootstrap_become_pass }}'
+  when: pingtest.failed | d(pingtest.unreachable) | d(false)