Raspberry Pi Ansible
Glenn K. Lockwood, October 2018
Introduction
This is an Ansible configuration that configures a fresh Raspbian installation on Raspberry Pi. It is intended to be run in local (pull) mode, where Ansible runs on the same Raspberry Pi that is being configured.
Bootstrapping on Raspbian
You will need Ansible installed on the Raspberry Pi being configured. This playbook relies on Ansible 2.8 or newer, which means you can no longer use `sudo apt-get install ansible`. Instead, you must install it with pip inside a virtual environment:
```
$ python3 -m venv --system-site-packages ansible_env
$ source ./ansible_env/bin/activate

# Make sure that pip will install into our virtualenv
(ansible_env) $ which pip
/home/pi/src/git/rpi-ansible/ansible_env/bin/pip

# Install ansible and any other requirements
(ansible_env) $ pip install -r requirements.txt
```
Note that the Python 3.5 that ships with Debian 9.13 doesn't install pip when `-m venv` is used as above. It may be easier to simply use
```
$ pip3 install --user ansible
```
which pollutes your login Python environment, but is better than nothing.
Configuration
The `macaddrs` structure in `roles/common/vars/main.yml` maps the MAC address of a Raspberry Pi to its intended configuration state. Add your Raspberry Pi's MAC address (specifically for `eth0` if your RPi has multiple NICs) to that structure and set its configuration accordingly.
To add local users, create and edit `roles/common/vars/users.yml`. Follow the structure in `roles/common/vars/users.yml.example`. You can/should `ansible-vault` this file.
Running the playbook
Then run the playbook:
```
(ansible_env) $ ansible-playbook --ask-vault-pass --become --become-user root --ask-become-pass ./local.yml
```
The playbook will self-discover its settings, then idempotently configure the Raspberry Pi.
After running the playbook
This playbook purposely leaves a few manual steps for after it has run, to ensure that it does not lock you out of your Raspberry Pi.
- While logged in as pi, `sudo passwd glock` (or whatever username you created) to set a password for that user. This is not required to log in as that user, but it is required to `sudo` as that user. You may also choose to set a password for the pi and/or root users.
- `usermod --lock pi` to ensure that the default user is completely disabled.
Optional configurations
SSH host keys
This playbook can install SSH host keys. To do so,
- Drop the appropriate `ssh_host_*_key` files into `roles/common/files/etc/ssh/`
- Rename each file from `ssh_host_*_key` to `ssh_host_*_key.hostname` where `hostname` matches the `hostname` in `roles/common/vars/main.yml` to which the host key should be deployed
- `ansible-vault encrypt roles/common/files/etc/ssh/ssh_host_*_key.*`
- Add these files to `roles/common/vars/main.yml`
The format expected in `roles/common/vars/main.yml` is something like
```yaml
---
macaddrs:
  dc:a6:32:8c:8a:53:
    hostname: "cloverdale"
    # ...
    ssh_host_key_files:
      - etc/ssh/ssh_host_rsa_key.cloverdale
      - etc/ssh/ssh_host_dsa_key.cloverdale
      - etc/ssh/ssh_host_ecdsa_key.cloverdale
      - etc/ssh/ssh_host_ed25519_key.cloverdale
```
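
A pre-commit check for the host key steps above, as an added example that is not part of this repository: it confirms that every file in the key directory has been renamed to `ssh_host_*_key.hostname` and begins with the ansible-vault header, so an unencrypted private host key is caught before it is committed. The function name `audit_host_keys` and the sample directory built in `demo()` are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

VAULT_MAGIC = b"$ANSIBLE_VAULT;"  # every ansible-vault file starts with this
KEY_NAME = re.compile(r"^ssh_host_\w+_key\.(?P<host>[^.]+)$")


def audit_host_keys(key_dir, listed, hostnames):
    """Return sorted (file name, problem) findings; an empty list means clean.

    key_dir: roles/common/files/etc/ssh/; listed: the ssh_host_key_files
    entries; hostnames: hostnames defined in roles/common/vars/main.yml.
    """
    findings = []
    on_disk = {p.name: p for p in Path(key_dir).iterdir() if p.is_file()}
    for name, path in on_disk.items():
        match = KEY_NAME.match(name)
        if not match:
            findings.append((name, "not renamed to ssh_host_*_key.hostname"))
        elif match.group("host") not in hostnames:
            findings.append((name, "hostname suffix not in main.yml"))
        with path.open("rb") as fh:
            if fh.read(len(VAULT_MAGIC)) != VAULT_MAGIC:
                findings.append((name, "plaintext: not vault-encrypted"))
    for rel in listed:
        if Path(rel).name not in on_disk:
            findings.append((Path(rel).name, "listed but missing on disk"))
    return sorted(findings)


def demo():
    """Audit a constructed directory (placeholder contents, not real keys)."""
    vaulted = b"$ANSIBLE_VAULT;1.1;AES256\n0000\n"  # constructed payload
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "ssh_host_ed25519_key.cloverdale").write_bytes(vaulted)
        (d / "ssh_host_ecdsa_key").write_bytes(vaulted)  # never renamed
        (d / "ssh_host_rsa_key.cloverdale").write_bytes(
            b"-----BEGIN OPENSSH PRIVATE KEY-----\nplaceholder\n")
        listed = ["etc/ssh/ssh_host_rsa_key.cloverdale",
                  "etc/ssh/ssh_host_dsa_key.cloverdale",
                  "etc/ssh/ssh_host_ed25519_key.cloverdale"]
        return audit_host_keys(d, listed, {"cloverdale"})


if __name__ == "__main__":
    for name, problem in demo():
        print(f"{name}: {problem}")
```

Run against the real `roles/common/files/etc/ssh/` directory, an empty result means every staged key is renamed, encrypted and present.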
Acknowledgment
I stole a lot of knowledge from https://github.com/giuaig/ansible-raspi-config/.