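#!/usr/bin/env bash
# Initial provisioning of a client for Ansible management.
# Run as root, once per client (e.g. via a MeshCentral shell).
# Idempotent — repeated runs change nothing.
#
# Steps:
#   1. create the service user
#   2. install a visudo-validated sudoers drop-in (NOPASSWD, this user only)
#   3. install the controller's public key into authorized_keys
#   4. install the minimal package set (openssh-server, python3, rsync, curl)
#   5. make sure sshd is enabled and running
#   6. open port 22/tcp in UFW if the firewall is active
set -euo pipefail

readonly ANSIBLE_USER="ansible"
# Public key of the Ansible controller; only this key is authorized for the service user.
readonly PUBKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOzJuCu5KZAEjsoiWE8nl9U9BKZ0OwK46Kpt4Y4huPoz ansible@docker-ansible"
readonly SUDOERS_FILE="/etc/sudoers.d/90-ansible"

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Abort unless running as root; every step below writes root-owned paths.
#######################################
require_root() {
  if [[ $EUID -ne 0 ]]; then
    die "ERR: muss als root laufen"
  fi
}

#######################################
# 1. Create the service user if it does not exist yet.
# Globals: ANSIBLE_USER (read)
#######################################
ensure_user() {
  if ! id -u "${ANSIBLE_USER}" >/dev/null 2>&1; then
    useradd -m -s /bin/bash -c "Ansible Automation" "${ANSIBLE_USER}"
    echo "User '${ANSIBLE_USER}' angelegt."
  else
    echo "User '${ANSIBLE_USER}' existiert bereits."
  fi
}

#######################################
# 2. sudoers drop-in (NOPASSWD, scoped to this user only).
# The rule is written to a private temp file and validated with visudo
# BEFORE it is installed: a syntactically broken file under /etc/sudoers.d
# breaks sudo for every user on the host, so it must never be left in place.
# Globals: ANSIBLE_USER, SUDOERS_FILE (read)
#######################################
ensure_sudoers() {
  local tmp
  command -v visudo >/dev/null 2>&1 || die "ERR: visudo fehlt (Paket sudo nicht installiert)"
  tmp=$(mktemp) || die "ERR: mktemp fehlgeschlagen"
  printf '%s ALL=(ALL) NOPASSWD:ALL\n' "${ANSIBLE_USER}" > "${tmp}"
  if ! visudo -cf "${tmp}" >/dev/null; then
    rm -f -- "${tmp}"
    die "ERR: sudoers-Eintrag ungueltig, nicht installiert"
  fi
  # install(1) applies owner and mode 0440 as part of the copy, so the
  # drop-in never exists with a looser mode than intended.
  install -m 0440 -o root -g root -- "${tmp}" "${SUDOERS_FILE}"
  rm -f -- "${tmp}"
  echo "sudoers-Eintrag gesetzt: ${SUDOERS_FILE}"
}

#######################################
# 3. Authorized key for the service user.
# Home directory and primary group are looked up from the account database
# instead of assuming /home/<user> and a group named like the user, so a
# pre-existing account with different settings still works.
# Globals: ANSIBLE_USER, PUBKEY (read)
#######################################
ensure_authorized_key() {
  local home group ssh_dir auth_keys
  home=$(getent passwd "${ANSIBLE_USER}" | cut -d: -f6)
  [[ -n "${home}" ]] || die "ERR: Home-Verzeichnis von '${ANSIBLE_USER}' nicht gefunden"
  group=$(id -gn "${ANSIBLE_USER}")
  ssh_dir="${home}/.ssh"
  auth_keys="${ssh_dir}/authorized_keys"

  install -d -m 0700 -o "${ANSIBLE_USER}" -g "${group}" "${ssh_dir}"
  touch "${auth_keys}"
  chmod 600 "${auth_keys}"
  chown "${ANSIBLE_USER}:${group}" "${auth_keys}"

  # -x: whole-line match, -F: literal (the key contains no regex metachars,
  # but the comment field could); -- protects against a leading '-'.
  if ! grep -qxF -- "${PUBKEY}" "${auth_keys}"; then
    printf '%s\n' "${PUBKEY}" >> "${auth_keys}"
    echo "Public-Key installiert."
  else
    echo "Public-Key bereits vorhanden."
  fi
}

#######################################
# 4. Minimal package set for Ansible management.
# openssh-server (missing on Zorin desktop), python3, rsync (skeleton sync), curl.
# Only missing packages are installed, so apt is not touched on a converged host.
#######################################
ensure_packages() {
  local -a needed=()
  export DEBIAN_FRONTEND=noninteractive
  command -v python3 >/dev/null 2>&1 || needed+=("python3")
  command -v rsync >/dev/null 2>&1 || needed+=("rsync")
  command -v curl >/dev/null 2>&1 || needed+=("curl")
  # dpkg -s also succeeds for a removed-but-not-purged package (state
  # "config-files"), so check the explicit install status instead.
  dpkg-query -W -f='${Status}' openssh-server 2>/dev/null | grep -q 'install ok installed' \
    || needed+=("openssh-server")
  if (( ${#needed[@]} )); then
    apt-get update -qq
    apt-get install -y "${needed[@]}"
    echo "Installiert: ${needed[*]}"
  else
    echo "openssh-server + python3 + rsync + curl bereits vorhanden."
  fi
}

#######################################
# 5. Make sure sshd is enabled and running.
# Debian/Ubuntu name the unit "ssh", other distributions "sshd"; both are
# tried, and the active check also accepts either name so a host using
# "sshd" is not reported as inactive.
#######################################
ensure_sshd() {
  local unit
  for unit in ssh sshd; do
    if systemctl enable --now "${unit}" >/dev/null 2>&1; then
      break
    fi
  done
  if systemctl is-active --quiet ssh || systemctl is-active --quiet sshd; then
    echo "sshd laeuft."
  else
    echo "WARN: sshd nicht aktiv." >&2
  fi
}

#######################################
# 6. UFW rule, only if the firewall is already active (an inactive ufw is
# left alone so this script never enables a firewall as a side effect).
# A failed rule is reported on stderr rather than silently ignored, since
# the client would otherwise be unreachable for Ansible.
#######################################
ensure_firewall_rule() {
  if command -v ufw >/dev/null 2>&1 && ufw status | grep -q "Status: active"; then
    if ufw allow 22/tcp >/dev/null; then
      echo "UFW: Port 22 freigegeben."
    else
      echo "WARN: UFW-Regel fuer Port 22 konnte nicht gesetzt werden." >&2
    fi
  fi
}

main() {
  require_root
  ensure_user
  ensure_sudoers
  ensure_authorized_key
  ensure_packages
  ensure_sshd
  ensure_firewall_rule
  echo "--- Bootstrap abgeschlossen auf $(hostname) ---"
}

main "$@"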