Enhanced quick start pr devel 2.x

install.sh

@@ -138,7 +138,7 @@ fi
   git ca-certificates git-lfs \
   openssh-client nfs-common stunnel4 \
   python3-venv python3-debian \
-  zip unzip gzip tar dnsutils net-tools
+  acl zip unzip gzip tar dnsutils net-tools
 /usr/bin/echo "-------------------------------------------------"
 
 # Install Ansible in a Python virtual environment.

plays/aws_ec2_standalone/mysql_client.yml

@@ -22,7 +22,7 @@
         profile: "{{ _aws_profile }}"
         db_instance_identifier: "{{ _aws_resource_name }}"
       become: true
-      become_user: "{{ user_provision.username }}"
+      become_user: "{{ _ce_provision_username }}"
       delegate_to: localhost # needs to run on controller
       register: _database_info
     # Install MySQL client

plays/launcher/README.md

@@ -0,0 +1,24 @@
+# Base playbook to configure a new target server
+This playbook configures a new target server, and should just work if you have followed the installation and configuration instructions [in our GitHub wiki](https://github.com/codeenigma/ce-provision/wiki/Installation). It will add the server to `hosts` in your config repository and install Ansible dependencies and the controller user on the target host. Once this is done you can orchestrate its future configuration with ce-provision.
+
+## Prerequisites
+* You have followed the official installation instructions for your controller
+* Your new target server has the controller's SSH public key assigned to a Linux user
+* Your new target server has port 22 open to the controller
+* Your Ansible `hosts` inventory file has `ansible_connection=local` set for your controller at `localhost`
+
+## Usage
+On your controller server:
+
+```shell
+sudo su -l controller
+cd /home/controller/ce-provision && \
+  ./scripts/provision.sh \
+  --workspace /home/controller/ce-provision \
+  --repo none --branch none \
+  --playbook plays/launcher/configure.yml \
+  --ansible-extra-vars "_provision_host=1.2.3.4 _target_username=admin" \
+  --force
+```
+
+Change the value of `1.2.3.4` on the last line to match your IP address or hostname. Change the value of `admin` to whatever the Linux username is installed by default with your SSH public key attached. This may vary, see your provider's documentation for details.

plays/launcher/configure.yml

@@ -6,34 +6,44 @@
 #     ./scripts/provision.sh --workspace /home/controller/ce-provision \
 #     --repo none --branch none \
 #     --playbook /home/controller/ce-provision/plays/launcher/configure.yml \
-#     --ansible-extra-vars "_provision_host=X.X.X.X"
+#     --ansible-extra-vars "_provision_host=X.X.X.X _target_username=admin" \
+#     --force
 #
 # Replace X.X.X.X with your hostname or IP address.
+# Replace admin with the username that has your SSH public key, see provider docs for details.
 - hosts: localhost
   vars:
     _ce_provision_username: controller
-    _add_host: true # set to false if you do not want to add the new server to hosts.yml
+    _add_host: true # set to false if you do not want to add the new server to hosts file
     _ce_provision_config_branch: 2.x # change this if you didn't use our example config and have a different main branch name
   tasks:
     - name: Add the server to Ansible hosts in memory.
       ansible.builtin.add_host:
         hostname: "{{ _provision_host }}"
 
-    - name: Add the server to hosts.yml.
-      when: _add_host
+    - name: Check if the hosts INI file exists.
+      ansible.builtin.stat:
+        path: "/home/{{ _ce_provision_username }}/ce-provision/config/hosts/hosts"
+      register: _hosts_ini_file
+
+    - name: Add the server to hosts if INI file exists.
+      when:
+        - _add_host
+        - _hosts_ini_file.stat.exists
       block:
-      - name: Edit hosts.yml file.
+      - name: Edit hosts file.
         ansible.builtin.lineinfile:
-          path: "/home/{{ _ce_provision_username }}/ce-provision/config/hosts/hosts.yml"
-          line: "{{ _provision_host }}:"
-          create: true
+          path: "/home/{{ _ce_provision_username }}/ce-provision/config/hosts/hosts"
+          line: "{{ _provision_host }}"
+          insertafter: "### ce-provision launcher hosts - do not remove"
+          state: present
 
-      - name: Add hosts.yml changes.
+      - name: Add hosts changes.
         ansible.builtin.command: git add .
         args:
           chdir: "/home/{{ _ce_provision_username }}/ce-provision/config"
 
-      - name: Commit hosts.yml changes.
+      - name: Commit hosts changes.
         ansible.builtin.shell: "git diff --staged --quiet || git commit -m 'Ansible autogenerated - host {{ _provision_host }} added.'"
         args:
           chdir: "/home/{{ _ce_provision_username }}/ce-provision/config"
@@ -45,7 +55,7 @@
 
 - hosts: "{{ _provision_host }}"
   vars:
-    ansible_user: admin
+    ansible_user: "{{ _target_username }}"
     _ce_provision_build_id: 0
   become: true
   tasks:

roles/_exit/tasks/allowed_vars.yml

@@ -22,6 +22,8 @@
   ansible.builtin.command: "git status -s"
   args:
     chdir: "{{ _ce_provision_build_tmp_dir }}/extra"
+  become: true
+  become_user: "{{ _ce_provision_username }}"
   delegate_to: localhost
   register: _ce_provision_extra_vars_git_changed
 
@@ -30,7 +32,7 @@
   args:
     chdir: "{{ _ce_provision_build_tmp_dir }}/extra"
   become: true
-  become_user: "{{ ce_provision.username }}"
+  become_user: "{{ _ce_provision_username }}"
   delegate_to: localhost
   when:
     - ce_provision_extra_vars_computed is defined
@@ -41,7 +43,7 @@
   args:
     chdir: "{{ _ce_provision_build_tmp_dir }}/extra"
   become: true
-  become_user: "{{ ce_provision.username }}"
+  become_user: "{{ _ce_provision_username }}"
   delegate_to: localhost
   when:
     - ce_provision_extra_vars_computed is defined
@@ -52,7 +54,7 @@
   args:
     chdir: "{{ _ce_provision_build_tmp_dir }}/extra"
   become: true
-  become_user: "{{ ce_provision.username }}"
+  become_user: "{{ _ce_provision_username }}"
   delegate_to: localhost
   when:
     - ce_provision_extra_vars_computed is defined

roles/_init/tasks/allowed_vars.yml

@@ -5,14 +5,14 @@
     version: "{{ _init.ce_provision_extra_repository_branch }}"
   delegate_to: localhost
   become: true
-  become_user: "{{ ce_provision.username }}"
+  become_user: "{{ _ce_provision_username }}"
 
 - name: Check if file exists.
   ansible.builtin.stat:
     path: "{{ _ce_provision_build_tmp_dir }}/extra/{{ _init.ce_provision_extra_repository_vars_file }}"
   delegate_to: localhost
   become: true
-  become_user: "{{ ce_provision.username }}"
+  become_user: "{{ _ce_provision_username }}"
   register: _extra_repository_vars_file
 
 - name: Include custom variables.
@@ -21,7 +21,7 @@
     name: _ce_provision_extra_vars
   delegate_to: localhost
   become: true
-  become_user: "{{ ce_provision.username }}"
+  become_user: "{{ _ce_provision_username }}"
   when:
     - _extra_repository_vars_file.stat.exists
 

roles/debian/aws_efs_client/tasks/fstab.yml

@@ -5,8 +5,8 @@
     region: "{{ aws_efs_client.region }}"
     name: "{{ mount.src }}"
   become: true
-  become_user: "{{ user_provision.username }}"
-  delegate_to: "localhost"
+  become_user: "{{ _ce_provision_username }}"
+  delegate_to: localhost
   register: aws_efs_client_efs_volume
 
 - name: Make sure mount point exists.

roles/debian/gitlab/tasks/main.yml

@@ -1,33 +1,32 @@
 ---
-- name: Add a DNS record for GitLab
-  amazon.aws.route53:
-    state: "{{ gitlab.gitlab_route_53.state }}"
-    profile: "{{ gitlab.gitlab_route_53.aws_profile }}"
-    zone: "{{ gitlab.gitlab_route_53.zone }}"
-    record: "{{ gitlab.server_name }}"
-    type: "{{ gitlab.gitlab_route_53.type }}"
-    value: "{{ gitlab.gitlab_route_53.value }}"
-    overwrite: true
-  delegate_to: localhost
-  become: false
+- name: Add DNS records.
   when:
     - gitlab.gitlab_route_53.zone is defined
     - gitlab.gitlab_route_53.zone | length > 0
-
-- name: Add a DNS record for Mattermost
-  amazon.aws.route53:
-    state: "{{ gitlab.mattermost_route_53.state }}"
-    profile: "{{ gitlab.mattermost_route_53.aws_profile }}"
-    zone: "{{ gitlab.mattermost_route_53.zone }}"
-    record: "{{ gitlab.mattermost_url }}"
-    type: CNAME
-    value: "{{ gitlab.server_name }}"
-    overwrite: true
-  delegate_to: localhost
-  become: false
-  when:
-    - gitlab.mattermost_route_53.zone is defined
-    - gitlab.mattermost_route_53.zone | length > 0
+  block:
+    - name: Add a DNS record for GitLab.
+      amazon.aws.route53:
+        state: "{{ gitlab.gitlab_route_53.state }}"
+        profile: "{{ gitlab.gitlab_route_53.aws_profile }}"
+        zone: "{{ gitlab.gitlab_route_53.zone }}"
+        record: "{{ gitlab.server_name }}"
+        type: "{{ gitlab.gitlab_route_53.type }}"
+        value: "{{ gitlab.gitlab_route_53.value }}"
+        overwrite: true
+      delegate_to: localhost
+      become: false
+
+    - name: Add a DNS record for Mattermost.
+      amazon.aws.route53:
+        state: "{{ gitlab.mattermost_route_53.state }}"
+        profile: "{{ gitlab.mattermost_route_53.aws_profile }}"
+        zone: "{{ gitlab.mattermost_route_53.zone }}"
+        record: "{{ gitlab.mattermost_url }}"
+        type: CNAME
+        value: "{{ gitlab.server_name }}"
+        overwrite: true
+      delegate_to: localhost
+      become: false
 
 - name: Add GitLab repository and key.
   ansible.builtin.include_role:
@@ -50,19 +49,18 @@
       enabled: true
       key_refresh_timer_OnCalendar: "Mon *-*-* 00:20:00"
 
-- name: Add GitLab repository to unattended-upgrades origins list.
-  ansible.builtin.set_fact:
-    _apt_unattended_upgrades_default_origins: "{{ _apt_unattended_upgrades_default_origins + [gitlab.apt_origin] }}"
-  when:
-    - apt_unattended_upgrades.enable is defined
-    - apt_unattended_upgrades.enable
-
-- name: Install the unattended-upgrades config.
-  ansible.builtin.include_role:
-    name: debian/apt_unattended_upgrades
+- name: Set up unattended-upgrades.
   when:
     - apt_unattended_upgrades.enable is defined
     - apt_unattended_upgrades.enable
+  block:
+    - name: Add GitLab repository to unattended-upgrades origins list.
+      ansible.builtin.set_fact:
+        _apt_unattended_upgrades_default_origins: "{{ _apt_unattended_upgrades_default_origins + [gitlab.apt_origin] }}"
+
+    - name: Install the unattended-upgrades config.
+      ansible.builtin.include_role:
+        name: debian/apt_unattended_upgrades
 
 - name: Ensure Gitlab is installed.
   ansible.builtin.apt:

roles/debian/gitlab_runner/tasks/main.yml

@@ -20,19 +20,18 @@
       enabled: true
       key_refresh_timer_OnCalendar: "Mon *-*-* 00:30:00"
 
-- name: Add GitLab Runner repository to unattended-upgrades origins list.
-  ansible.builtin.set_fact:
-    _apt_unattended_upgrades_default_origins: "{{ _apt_unattended_upgrades_default_origins + [gitlab_runner.apt_origin] }}"
+- name: Set up unattended-upgrades.
   when:
     - apt_unattended_upgrades.enable is defined
     - apt_unattended_upgrades.enable
+  block:
+    - name: Add GitLab Runner repository to unattended-upgrades origins list.
+      ansible.builtin.set_fact:
+        _apt_unattended_upgrades_default_origins: "{{ _apt_unattended_upgrades_default_origins + [gitlab_runner.apt_origin] }}"
 
-- name: Install the unattended-upgrades config.
-  ansible.builtin.include_role:
-    name: debian/apt_unattended_upgrades
-  when:
-    - apt_unattended_upgrades.enable is defined
-    - apt_unattended_upgrades.enable
+    - name: Install the unattended-upgrades config.
+      ansible.builtin.include_role:
+        name: debian/apt_unattended_upgrades
 
 - name: Ensure Gitlab Runner is installed.
   ansible.builtin.apt:

roles/debian/gpg_key/tasks/gpg.yml

@@ -38,7 +38,7 @@
     - gpg_user.publish
     - not user_ansible_gpg_key_exists.stdout
 
-- name: Publish GPG key to openpgp.org.
+- name: Publish GPG key to key servers.
   ansible.builtin.command:
     cmd: "gpg --keyserver {{ server }} --send-keys {{ user_ansible_gpg_key.stdout_lines[1] }}"
   become: true

roles/debian/ldap_server/tasks/main.yml

@@ -67,6 +67,8 @@
   ansible.builtin.stat:
     path: "{{ ldap_server.config.path }}"
   register: _ldap_server_ldifs
+  become_user: "{{ _ce_provision_username }}"
+  become: true
   delegate_to: localhost
 
 - name: Copy LDAP schemas from config repo.

roles/debian/wazuh/tasks/main.yml

@@ -10,6 +10,8 @@
 - name: Generate certificates.
   ansible.builtin.import_role:
     name: "contrib/{{ wazuh.path }}/roles/wazuh/wazuh-indexer"
+  become_user: "{{ _ce_provision_username }}"
+  become: true
   delegate_to: localhost
   vars:
     indexer_node_master: "{{ wazuh.indexer.indexer_node_master }}"