From d1831d704404381db87046af2093faee542aa17f Mon Sep 17 00:00:00 2001 From: Ambrose Chua Date: Sun, 16 Feb 2020 00:28:36 +0800 Subject: [PATCH] Major work complete - Added some documentation for setup process - Added productivity tools to configuration - Refactored artwork location - Improved Ansible privilege escalation - Default to 720p profile --- README.md | 99 +++++++++++++++++++ ansible/event | 9 +- ansible/event-fetch-generate.sh | 7 ++ ansible/event-generate.go | 59 +++++++++++ ansible/group_vars/recorders | 7 +- ansible/play | 4 +- ansible/productivity.yml | 4 + ansible/recorders-stop.yml | 7 ++ ansible/roles/productivity/tasks/chrome.yml | 30 ++++++ ansible/roles/productivity/tasks/main.yml | 8 ++ ansible/roles/productivity/tasks/packages.yml | 10 ++ ansible/roles/productivity/tasks/vscode.yml | 30 ++++++ ansible/roles/recorder/tasks/artwork.yml | 12 +-- ansible/roles/recorder/tasks/hostname.yml | 2 + ansible/roles/recorder/tasks/main.yml | 2 +- ansible/roles/recorder/tasks/obs.yml | 16 +-- ansible/roles/recorder/tasks/packages.yml | 2 + ansible/roles/recorder/tasks/user.yml | 5 +- .../recorder/{files => templates}/gdm.conf | 2 + .../basic/profiles/1080p/basic.ini.j2 | 5 +- .../basic/profiles/720p/basic.ini.j2 | 5 +- .../obs-studio/basic/scenes/event_id.json.j2 | 10 +- .../templates/obs-studio/global.ini.j2 | 4 +- ansible/ssh-key.yml | 25 +++++ 24 files changed, 329 insertions(+), 35 deletions(-) create mode 100755 ansible/event-fetch-generate.sh create mode 100644 ansible/event-generate.go create mode 100644 ansible/productivity.yml create mode 100644 ansible/recorders-stop.yml create mode 100644 ansible/roles/productivity/tasks/chrome.yml create mode 100644 ansible/roles/productivity/tasks/main.yml create mode 100644 ansible/roles/productivity/tasks/packages.yml create mode 100644 ansible/roles/productivity/tasks/vscode.yml rename ansible/roles/recorder/{files => templates}/gdm.conf (94%) create mode 100644 ansible/ssh-key.yml 
diff --git a/README.md b/README.md
index 4d5e628..963ac98 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,101 @@ + # fossasia-video + The FOSSASIA video recording setup + +## Overview + +## Installing Debian + +For the recording machines, get a fresh copy of Debian, and install it with the following settings: + +- Username: opentech +- Hostname: model-increment + - Example: x220-01 +- Add GNOME Desktop +- Add OpenSSH Server + +If a GNOME Desktop and SSH daemon is already installed, a reinstall is not required but recommended. + +## WireGuard + +To set up the overlay WireGuard network to manage machines everywhere, a server needs to be set up. [`wireguard-negotiator`](https://github.com/serverwentdown/wireguard-negotiator) is a tool written to automate some of the key exchange, that must be run on a publicly accessible server as root: + +``` +# Create WireGuard interface +ip link add dev wg1 type wireguard +ip addr add fd11:f055:a514:0000::1/64 dev wg1 +# Configure the interface once. Assumes the configuration file exists +# See WireGuard docs on how to write this configuraion file +wg setconf wg1 /etc/wireguard/wg1.conf +# Bring up the interface +ip link set wg1 up +wireguard-negotiator server -i wg1 -e [hostname] -l :8080 -I -B +``` + +On every recording machine, the client can be easily configured like so: + +``` +# For now, we have to manually install WireGuard +echo "deb http://deb.debian.org/debian/ unstable main" | sudo tee /etc/apt/sources.list.d/unstable.list +printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' | sudo tee /etc/apt/preferences.d/limit-unstable +sudo apt update +sudo apt install wireguard +# TODO: validate this section +sudo systemctl enable --now systemd-networkd +wget -O wgn http://[hostname]:8080 +chmod +x wgn +sudo ./wgn request -s http://[hostname]:8080 +``` + +## Configuring Rooms + +To specify the room for a specific host, do the following: + +``` +echo the_room_id > ~opentech/room_id +echo teh_room_type > ~opentech/room_type +``` + +This step is optional. 
This and the following steps should be done for every change in room or setup of the laptop. + +## Exporting Hosts + +Export all hosts on the overlay network from WireGuard configuration: + +``` +wireguard-negotiator dump > wireguard.list +``` + +This list of IPs can be exported into our Ansible hosts format as such: + +``` +go run event-generate.go opentech < wireguard.list > event +``` + +The script `event-fetch-generate.sh` does the exporting and generating of the `event` inventory. + +## Running Playbooks + +Before running any Playbooks, switch to SSH authentication: + +``` +ansible-playbook -Kf 8 -kc paramiko -i event ssh-key.yml +ansible -Kf 8 -kc paramiko -b -i event all -a reboot +``` + +Now, plays can be run like so: + +``` +./play [inventory] [playbook] +# Which executes the following command +ansible-playbook -Kf 4 -i [inventory] [playbook] +# Example: +./play event recorders.yml +``` + +## Install Wireless Drivers + +``` +ansible -Kf 8 -b -i event all -a 'apt install firmware-iwlwifi' +``` diff --git a/ansible/event b/ansible/event index 4f1aa34..def0531 100644 --- a/ansible/event +++ b/ansible/event @@ -1,6 +1,3 @@ -[recorders:children] -testgroup - -[testgroup] -#user@10.10.2.5 room_id=test -ambrose@10.10.0.90 room_id=test +[recorders] +x220-01 ansible_host=fd11:f055:a514::2 ansible_user=opentech room_id= room_type= +x230-01 ansible_host=fd11:f055:a514::3 ansible_user=opentech room_id=testroom1 room_type=special diff --git a/ansible/event-fetch-generate.sh b/ansible/event-fetch-generate.sh new file mode 100755 index 0000000..1ea5929 --- /dev/null +++ b/ansible/event-fetch-generate.sh @@ -0,0 +1,7 @@ +#!/bin/sh + +set -e + +echo "Fetching event inventory" + +ssh saguaro /usr/local/bin/wireguard-negotiator dump -i wg1 | go run event-generate.go opentech > event diff --git a/ansible/event-generate.go b/ansible/event-generate.go new file mode 100644 index 0000000..5ef5c70 --- /dev/null +++ b/ansible/event-generate.go 
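Review bot: `set -e` does not cover the left-hand side of the pipeline, so when `ssh saguaro … dump` fails the script still runs `go run event-generate.go opentech` on empty input and the `> event` redirection replaces the existing inventory with a bare `[recorders]` header. Fetch first and only then generate, e.g. `list=$(ssh saguaro /usr/local/bin/wireguard-negotiator dump -i wg1)` followed by `printf '%s\n' "$list" | go run event-generate.go opentech > event.tmp && mv event.tmp event`, so a failed fetch aborts under `set -e` and a partial run never clobbers `event`. `set -o pipefail` would be the shorter fix but is not available in every `/bin/sh`.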
@@ -0,0 +1,59 @@
+package main
+
+import (
+ "bufio"
+ "bytes"
+ "fmt"
+ "os"
+ "os/exec"
+ "strings"
+)
+
+func main() {
+ s := bufio.NewScanner(os.Stdin)
+ if len(os.Args) != 1+1 {
+ fmt.Fprintf(os.Stderr, "not enough arguments\nusage: %s [ssh user]\n", os.Args[0])
+ return
+ }
+ user := os.Args[1]
+
+ fmt.Printf("[recorders]\n")
+
+ for s.Scan() {
+ host := s.Text()
+ if strings.HasPrefix(host, "#") {
+ // Is a comment
+ continue
+ }
+ if strings.HasSuffix(host, ":0") {
+ // Is a "system" host
+ continue
+ }
+ hostname, roomId, roomType, err := discover(host, user)
+ if err != nil {
+ fmt.Fprintf(os.Stderr, "host %s discovery failed: %v\n", host, err)
+ }
+ fmt.Printf("%s ansible_host=%s ansible_user=%s room_id=%s room_type=%s\n", hostname, host, user, roomId, roomType)
+ }
+}
+
+func discover(host, user string) (hostname, roomId, roomType string, err error) {
+ cmd := exec.Command("/usr/bin/ssh", "-l", user, host, "sh", "-c", "hostname; cat room_id; cat room_type; exit 0")
+ fmt.Fprintf(os.Stderr, "command: %s\n", cmd)
+ var out bytes.Buffer
+ cmd.Stdout = &out
+ err = cmd.Run()
+ if err != nil {
+ return
+ }
+ hostname, err = out.ReadString('\n')
+ if err != nil {
+ return
+ }
+ hostname = strings.TrimSpace(hostname)
+ roomId, _ = out.ReadString('\n')
+ roomId = strings.TrimSpace(roomId)
+ roomType, _ = out.ReadString('\n')
+ roomType = strings.TrimSpace(roomType)
+ return
+}
diff --git a/ansible/group_vars/recorders b/ansible/group_vars/recorders
index b52bdeb..ad2c0d9 100644
--- a/ansible/group_vars/recorders
+++ b/ansible/group_vars/recorders
@@ -3,6 +3,11 @@ room_id: unknown # Overwrite in inventory if cannot cope
-record_profile: 1080p
+record_profile: 720p
 # Overwrite in inventory if want to use more storage to use less CPU
 record_fast: false
+
+record_user: mixer
+record_home: /home/mixer
+
+autostart: true
diff --git a/ansible/play b/ansible/play
index 58b45ff..87bf06a 100755
--- a/ansible/play
+++ b/ansible/play
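Review bot: When `discover` fails, `main` logs the error but still falls through to the `fmt.Printf` on the next line, so the inventory gets an entry with an empty hostname (` ansible_host=… ansible_user=opentech room_id= room_type=`); add `continue` after that `Fprintf`. Empty `roomId`/`roomType` are likewise printed as `room_id= room_type=` (visible in the regenerated `ansible/event` hunk), which overrides the `room_id: unknown` default in `group_vars/recorders` with an empty string, so omit those two keys when the value is empty. The hostname and room values come straight from the remote machine and are written verbatim into the inventory line, where whitespace or `=` would be read by Ansible as further hosts or variables; restrict them to a safe character set (letters, digits, `.`, `_`, `-`) before printing and skip the host otherwise. The scan loop also never checks `s.Err()`, and the usage branch returns from `main` with exit status 0 where `os.Exit(1)` is expected; passing `-o BatchMode=yes` to `ssh` would keep an unreachable or unknown host from blocking the whole run on a prompt.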
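Review bot: `record_user: mixer` and `record_home: /home/mixer` are introduced here but nothing else in the patch reads them: the artwork and obs tasks hardcode `become_user: mixer` and use the registered `mixer_user.home`, and the gdm template hardcodes `AutomaticLogin = mixer`. Either reference these variables from those places (`become_user: "{{ record_user }}"`) or drop them, so the mixer account has a single source of truth; `record_home` in particular duplicates what `mixer_user.home` already provides from the `user` task.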
@@ -1,3 +1,5 @@
 #!/bin/sh
-ansible-playbook -Kbf 1 -i "$1" "$2"
+set -e
+
+ansible-playbook -Kf 4 -i "$1" "$2"
diff --git a/ansible/productivity.yml b/ansible/productivity.yml
new file mode 100644
index 0000000..1041870
--- /dev/null
+++ b/ansible/productivity.yml
@@ -0,0 +1,4 @@
+---
+- hosts: recorders
+ roles:
+ - productivity
diff --git a/ansible/recorders-stop.yml b/ansible/recorders-stop.yml
new file mode 100644
index 0000000..fe47034
--- /dev/null
+++ b/ansible/recorders-stop.yml
@@ -0,0 +1,7 @@
+---
+- hosts: recorders
+ roles:
+ - role: recorder
+ - role: monitoring-client
+ vars:
+ autostart: false
diff --git a/ansible/roles/productivity/tasks/chrome.yml b/ansible/roles/productivity/tasks/chrome.yml
new file mode 100644
index 0000000..334e329
--- /dev/null
+++ b/ansible/roles/productivity/tasks/chrome.yml
@@ -0,0 +1,30 @@
+---
+
+# Credits: Michael Heap
+
+- name: Does the Google apt file exist?
+ become: yes
+ command: test -f {{ apt_file }}
+ register: google_apt_exists
+ ignore_errors: True
+
+- name: Add Google Chrome key
+ become: yes
+ shell: wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | apt-key add -
+ when: google_apt_exists.rc == 1
+
+- name: Add Google Chrome repo
+ become: yes
+ copy: content="deb http://dl.google.com/linux/chrome/deb/ stable main" dest={{ apt_file }} owner=root group=root mode=644
+ when: google_apt_exists.rc == 1
+
+- name: Update apt cache
+ become: yes
+ apt: update_cache=yes
+ when: google_apt_exists.rc == 1
+
+- name: Install Google Chrome
+ become: yes
+ apt:
+ state: latest
+ pkg: google-chrome-stable
diff --git a/ansible/roles/productivity/tasks/main.yml b/ansible/roles/productivity/tasks/main.yml
new file mode 100644
index 0000000..cb989c6
--- /dev/null
+++ b/ansible/roles/productivity/tasks/main.yml
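Review bot: The indentation of `vars:` in `recorders-stop.yml` cannot be read from this rendering; if it is nested under the `- role: monitoring-client` entry rather than at play level (sibling of `roles:`), the recorder role, which is the one rendering `autostart` into `gdm.conf`, never sees `autostart: false` and autologin stays enabled. Attach the override to the role that consumes it, `- role: recorder` followed by `vars:` / `autostart: false`, or move it to play level. No handler restarting gdm is visible in the `user.yml` hunk, so the template change also needs a reboot or a gdm restart to take effect; a comment in this play saying so would spare the next operator some confusion.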
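Review bot: `shell: wget … | apt-key add -` imports the Google key into the system-wide apt keyring, where it is trusted for every configured repository rather than only this one, and `apt-key` itself is deprecated. Store the key as a file and scope it to the repository with `signed-by`, as in the fence below; the existing `test -f` / `ignore_errors` / `rc == 1` guard can stay, although the `stat` module with `when: not …stat.exists` expresses the same thing without a failed task in the log. `ansible/roles/productivity/tasks/vscode.yml` repeats the same pattern and should get the same treatment.
```yaml
# … unchanged: "Does the Google apt file exist?" task …

- name: Download Google Chrome signing key
  become: yes
  get_url:
    url: https://dl-ssl.google.com/linux/linux_signing_key.pub
    dest: /usr/share/keyrings/google-chrome.asc   # constructed name; must match signed-by below
    mode: "0644"
  when: google_apt_exists.rc == 1

- name: Add Google Chrome repo
  become: yes
  copy:
    content: "deb [signed-by=/usr/share/keyrings/google-chrome.asc] http://dl.google.com/linux/chrome/deb/ stable main"
    dest: "{{ apt_file }}"
    owner: root
    group: root
    mode: "0644"
  when: google_apt_exists.rc == 1

# … unchanged: "Update apt cache" and "Install Google Chrome" tasks …
```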
@@ -0,0 +1,8 @@
+---
+- include: chrome.yml
+ vars:
+ - apt_file: /etc/apt/sources.list.d/google-chrome.list
+- include: vscode.yml
+ vars:
+ - apt_file: /etc/apt/sources.list.d/vscode.list
+- include: packages.yml
diff --git a/ansible/roles/productivity/tasks/packages.yml b/ansible/roles/productivity/tasks/packages.yml
new file mode 100644
index 0000000..082b025
--- /dev/null
+++ b/ansible/roles/productivity/tasks/packages.yml
@@ -0,0 +1,10 @@
+---
+
+- name: install editors
+ become: yes
+ apt:
+ state: latest
+ name:
+ - neovim
+ - emacs
+
diff --git a/ansible/roles/productivity/tasks/vscode.yml b/ansible/roles/productivity/tasks/vscode.yml
new file mode 100644
index 0000000..9e52bd8
--- /dev/null
+++ b/ansible/roles/productivity/tasks/vscode.yml
@@ -0,0 +1,30 @@
+---
+
+# Credits: Michael Heap
+
+- name: Does the vscode apt file exist?
+ become: yes
+ command: test -f {{ apt_file }}
+ register: vscode_apt_exists
+ ignore_errors: True
+
+- name: Add Microsoft key
+ become: yes
+ shell: wget -q -O - https://packages.microsoft.com/keys/microsoft.asc | apt-key add -
+ when: vscode_apt_exists.rc == 1
+
+- name: Add vscode repo
+ become: yes
+ copy: content="deb https://packages.microsoft.com/repos/vscode stable main" dest={{ apt_file }} owner=root group=root mode=644
+ when: vscode_apt_exists.rc == 1
+
+- name: Update apt cache
+ become: yes
+ apt: update_cache=yes
+ when: vscode_apt_exists.rc == 1
+
+- name: Install vscode
+ become: yes
+ apt:
+ state: latest
+ pkg: code
diff --git a/ansible/roles/recorder/tasks/artwork.yml b/ansible/roles/recorder/tasks/artwork.yml
index c0dd4e2..9fc059d 100644
--- a/ansible/roles/recorder/tasks/artwork.yml
+++ b/ansible/roles/recorder/tasks/artwork.yml
@@ -2,19 +2,17 @@ - name: create artwork directory file: - dest: "/opt/artwork/{{ event.id }}" + dest: "{{ mixer_user.home }}/artwork/{{ event.id }}" state: directory recurse: yes - owner: root - group: root mode: u=rwx,g=rx,o=rx + become: yes + become_user: mixer - name: copy backgrounds copy: src: "../../../artwork/{{ event.id }}/{{ item }}.png" - dest: "/opt/artwork/{{ event.id }}" - owner: root - group: root + dest: "{{ mixer_user.home }}/artwork/{{ event.id }}" mode: u=rw,g=r,o=r with_items: - side-by-side @@ -22,3 +20,5 @@ - side-by-side-43 - side-by-side-43-reverse - blank + become: yes + become_user: mixer diff --git a/ansible/roles/recorder/tasks/hostname.yml b/ansible/roles/recorder/tasks/hostname.yml index b2db0a7..a7a5034 100644 --- a/ansible/roles/recorder/tasks/hostname.yml +++ b/ansible/roles/recorder/tasks/hostname.yml @@ -1,10 +1,12 @@ --- - name: generate hosts file + become: yes template: src: etc-hosts.j2 dest: /etc/hosts - name: set hostname to room_id + become: yes hostname: name: "room-{{ room_id }}" diff --git a/ansible/roles/recorder/tasks/main.yml b/ansible/roles/recorder/tasks/main.yml index 6122515..eea10dc 100644 --- a/ansible/roles/recorder/tasks/main.yml +++ b/ansible/roles/recorder/tasks/main.yml @@ -1,6 +1,6 @@ --- - include: user.yml -- include: hostname.yml +#- include: hostname.yml - include: packages.yml - include: artwork.yml - include: obs.yml diff --git a/ansible/roles/recorder/tasks/obs.yml b/ansible/roles/recorder/tasks/obs.yml index fce52f4..b976103 100644 --- a/ansible/roles/recorder/tasks/obs.yml +++ b/ansible/roles/recorder/tasks/obs.yml 
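Review bot: Every task in `artwork.yml` now runs with `become: yes` plus `become_user: mixer` from the unprivileged `opentech` connection user, and Ansible can only hand its temporary module files from one unprivileged user to another when `setfacl` is available on the target; without the `acl` package the task fails with a temp-file permissions error (or has to fall back to world-readable tmpfiles). Add `acl` to the general package list in `roles/recorder/tasks/packages.yml`, which `main.yml` runs before `artwork.yml`, or keep plain `become: yes` with `owner: mixer` / `group: mixer` as the removed lines did. The same pattern appears in all four tasks of the `obs.yml` hunk. The second hunk of this file (`@@ -22,3 +20,5 @@`) is the tail of the `copy backgrounds` task, whose start is in the first hunk.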
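Review bot: `#- include: hostname.yml` in `roles/recorder/tasks/main.yml` disables the hostname tasks without saying why, while the same commit still edits `hostname.yml` (adding `become: yes`) as if it were live. Presumably the hostname is now set at install time and read back by `event-generate.go`, as the README describes; record that in place, e.g. `# hostname.yml disabled: hostnames are set at install time and discovered by event-generate.go`, or delete the include and the task file together.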
@@ -5,39 +5,39 @@ dest: "{{ mixer_user.home }}/.config/obs-studio/{{ item }}" state: directory recurse: yes - owner: mixer - group: mixer mode: u=rwx,g=rx,o=rx with_items: - basic/profiles/1080p - basic/profiles/720p - basic/scenes + become: yes + become_user: mixer - name: create videos directory file: dest: "{{ mixer_user.home }}/Videos/{{ event.id }}/{{ room_id }}" state: directory recurse: yes - owner: mixer - group: mixer mode: u=rwx,g=rx,o=rx + become: yes + become_user: mixer - name: generate base obs configuration files template: src: "obs-studio/{{ item }}.j2" dest: "{{ mixer_user.home }}/.config/obs-studio/{{ item }}" - owner: mixer - group: mixer mode: u=rw,g=r,o=r with_items: - global.ini - basic/profiles/1080p/basic.ini - basic/profiles/720p/basic.ini + become: yes + become_user: mixer - name: generate event obs configuration files template: src: "obs-studio/basic/scenes/event_id.json.j2" dest: "{{ mixer_user.home }}/.config/obs-studio/basic/scenes/{{ event.id }}.json" - owner: mixer - group: mixer mode: u=rw,g=r,o=r + become: yes + become_user: mixer diff --git a/ansible/roles/recorder/tasks/packages.yml b/ansible/roles/recorder/tasks/packages.yml index fddef1e..78b0a4b 100644 --- a/ansible/roles/recorder/tasks/packages.yml +++ b/ansible/roles/recorder/tasks/packages.yml @@ -1,12 +1,14 @@ --- - name: install general packages + become: yes apt: state: latest name: - git - name: install packages required to be a recorder + become: yes apt: state: latest name: diff --git a/ansible/roles/recorder/tasks/user.yml b/ansible/roles/recorder/tasks/user.yml index 50d4658..d22ab53 100644 --- a/ansible/roles/recorder/tasks/user.yml +++ b/ansible/roles/recorder/tasks/user.yml @@ -1,10 +1,12 @@ --- - name: create mixer group + become: yes group: name: mixer - name: create mixer user with password mixer + become: yes user: name: mixer group: mixer 
@@ -14,7 +16,8 @@ register: mixer_user - name: enable gdm autologin to mixer user - copy: + become: yes + template: src: gdm.conf dest: /etc/gdm3/daemon.conf owner: root diff --git a/ansible/roles/recorder/files/gdm.conf b/ansible/roles/recorder/templates/gdm.conf similarity index 94% rename from ansible/roles/recorder/files/gdm.conf rename to ansible/roles/recorder/templates/gdm.conf index 4ff3506..0199deb 100644 --- a/ansible/roles/recorder/files/gdm.conf +++ b/ansible/roles/recorder/templates/gdm.conf @@ -8,9 +8,11 @@ # Uncomment the line below to force the login screen to use Xorg #WaylandEnable=false +{% if autostart %} # Enabling automatic login AutomaticLoginEnable = true AutomaticLogin = mixer +{% endif %} # Enabling timed login # TimedLoginEnable = true diff --git a/ansible/roles/recorder/templates/obs-studio/basic/profiles/1080p/basic.ini.j2 b/ansible/roles/recorder/templates/obs-studio/basic/profiles/1080p/basic.ini.j2 index b4087cd..f03c989 100644 --- a/ansible/roles/recorder/templates/obs-studio/basic/profiles/1080p/basic.ini.j2 +++ b/ansible/roles/recorder/templates/obs-studio/basic/profiles/1080p/basic.ini.j2 @@ -11,7 +11,7 @@ OutputCY=1080 Mode=Simple [Audio] -SampleRate=48000 +SampleRate=44100 [Hotkeys] OBSBasic.StartRecording={\n "bindings": [\n {\n "control": true,\n "key": "OBS_KEY_RETURN"\n }\n ]\n} @@ -20,7 +20,8 @@ OBSBasic.Transition={\n "bindings": [\n {\n "key": "OBS_KEY [SimpleOutput] RecFormat=mkv -RecQuality=Small +RecQuality=Stream +VBitrate=3000 {% if record_fast %} RecEncoder=x264_lowcpu {% else %} diff --git a/ansible/roles/recorder/templates/obs-studio/basic/profiles/720p/basic.ini.j2 b/ansible/roles/recorder/templates/obs-studio/basic/profiles/720p/basic.ini.j2 index e213f0b..fb615f0 100644 --- a/ansible/roles/recorder/templates/obs-studio/basic/profiles/720p/basic.ini.j2 +++ b/ansible/roles/recorder/templates/obs-studio/basic/profiles/720p/basic.ini.j2 
@@ -11,7 +11,7 @@ OutputCY=720 Mode=Simple [Audio] -SampleRate=48000 +SampleRate=44100 [Hotkeys] OBSBasic.StartRecording={\n "bindings": [\n {\n "control": true,\n "key": "OBS_KEY_RETURN"\n }\n ]\n} @@ -20,7 +20,8 @@ OBSBasic.Transition={\n "bindings": [\n {\n "key": "OBS_KEY [SimpleOutput] RecFormat=mkv -RecQuality=Small +RecQuality=Stream +VBitrate=3000 {% if record_fast %} RecEncoder=x264_lowcpu {% else %} diff --git a/ansible/roles/recorder/templates/obs-studio/basic/scenes/event_id.json.j2 b/ansible/roles/recorder/templates/obs-studio/basic/scenes/event_id.json.j2 index 37d4dab..4457530 100644 --- a/ansible/roles/recorder/templates/obs-studio/basic/scenes/event_id.json.j2 +++ b/ansible/roles/recorder/templates/obs-studio/basic/scenes/event_id.json.j2 @@ -159,7 +159,7 @@ "push-to-talk": false, "push-to-talk-delay": 0, "settings": { - "file": "/opt/artwork/{{ event.id }}/blank.png", + "file": "{{ mixer_user.home }}/artwork/{{ event.id }}/blank.png", "unload": true }, "sync": 0, @@ -446,7 +446,7 @@ "push-to-talk": false, "push-to-talk-delay": 0, "settings": { - "file": "/opt/artwork/{{ event.id }}/side-by-side-43-reverse.png", + "file": "{{ mixer_user.home }}/artwork/{{ event.id }}/side-by-side-43-reverse.png", "unload": true }, "sync": 0, @@ -609,7 +609,7 @@ "push-to-talk": false, "push-to-talk-delay": 0, "settings": { - "file": "/opt/artwork/{{ event.id }}/side-by-side-43.png", + "file": "{{ mixer_user.home }}/artwork/{{ event.id }}/side-by-side-43.png", "unload": true }, "sync": 0, @@ -913,7 +913,7 @@ "push-to-talk": false, "push-to-talk-delay": 0, "settings": { - "file": "/opt/artwork/{{ event.id }}/side-by-side.png", + "file": "{{ mixer_user.home }}/artwork/{{ event.id }}/side-by-side.png", "unload": false }, "sync": 0, 
@@ -1103,7 +1103,7 @@ "push-to-talk": false, "push-to-talk-delay": 0, "settings": { - "file": "/opt/artwork/{{ event.id }}/side-by-side-reverse.png", + "file": "{{ mixer_user.home }}/artwork/{{ event.id }}/side-by-side-reverse.png", "unload": false }, "sync": 0, diff --git a/ansible/roles/recorder/templates/obs-studio/global.ini.j2 b/ansible/roles/recorder/templates/obs-studio/global.ini.j2 index 5d0192e..8575b37 100644 --- a/ansible/roles/recorder/templates/obs-studio/global.ini.j2 +++ b/ansible/roles/recorder/templates/obs-studio/global.ini.j2 @@ -9,8 +9,8 @@ cx=720 cy=580 [BasicWindow] -geometry=AdnQywACAAAAAABDAAAAGwAAA/8AAAL/AAAAWAAAAEYAAAOuAAACwgAAAAACAAAABAA= -DockState=AAAA/wAAAAD9AAAAAQAAAAMAAAO9AAAA+/wBAAAABfsAAAAUAHMAYwBlAG4AZQBzAEQAbwBjAGsBAAAAAAAAANsAAACoAP////sAAAAWAHMAbwB1AHIAYwBlAHMARABvAGMAawEAAADhAAAA3AAAAKgA////+wAAABIAbQBpAHgAZQByAEQAbwBjAGsBAAABwwAAASoAAADkAP////sAAAAeAHQAcgBhAG4AcwBpAHQAaQBvAG4AcwBEAG8AYwBrAAAAAlgAAAC/AAAAggD////7AAAAGABjAG8AbgB0AHIAbwBsAHMARABvAGMAawEAAALzAAAAygAAAJsA////AAADvQAAAZkAAAAEAAAABAAAAAgAAAAI/AAAAAA= +geometry=AdnQywACAAAAAAAAAAAAGwAABVUAAAL/AAAAAAAAAEAAAAQ2AAAC/wAAAAACAAAABVY= +DockState=AAAA/wAAAAD9AAAAAQAAAAMAAAVWAAABF/wBAAAABfsAAAAUAHMAYwBlAG4AZQBzAEQAbwBjAGsBAAAAAAAAAToAAACoAP////sAAAAWAHMAbwB1AHIAYwBlAHMARABvAGMAawEAAAFAAAABPAAAAKgA////+wAAABIAbQBpAHgAZQByAEQAbwBjAGsBAAACggAAAawAAADkAP////sAAAAeAHQAcgBhAG4AcwBpAHQAaQBvAG4AcwBEAG8AYwBrAAAAAlgAAAC/AAAAggD////7AAAAGABjAG8AbgB0AHIAbwBsAHMARABvAGMAawEAAAQ0AAABIgAAAJoA////AAAFVgAAAXIAAAAEAAAABAAAAAgAAAAI/AAAAAA= PreviewEnabled=true AlwaysOnTop=false SceneDuplicationMode=true diff --git a/ansible/ssh-key.yml b/ansible/ssh-key.yml new file mode 100644 index 0000000..7b94406 --- /dev/null +++ b/ansible/ssh-key.yml 
@@ -0,0 +1,25 @@
+---
+- hosts: recorders
+ tasks:
+ - name: set permissions for .ssh directory
+ file:
+ path: "{{ ansible_env.HOME }}/.ssh"
+ state: directory
+ mode: u=rwx,g=-rwx,o=-rwx
+ - name: create authorized_keys file
+ file:
+ path: "{{ ansible_env.HOME }}/.ssh/authorized_keys"
+ state: touch
+ mode: u=rwx,g=r-wx,o=r-wx
+ - name: insert ambrose's public ssh key
+ blockinfile:
+ dest: "{{ ansible_env.HOME }}/.ssh/authorized_keys"
+ block: |
+ ssh-rsa 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 ambrose-yubikey
+ - name: prevent password login
+ become: yes
+ blockinfile:
+ dest: /etc/ssh/sshd_config
+ block: |
+ PasswordAuthentication no
+
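Review bot: `mode: u=rwx,g=r-wx,o=r-wx` on `authorized_keys` sets the execute bit on a key file and leaves it group- and world-readable; use `mode: "0600"` there and `mode: "0700"` for the `.ssh` directory (the `g=-rwx` symbolic form is also non-standard and worth confirming the module accepts). The `PasswordAuthentication no` block is appended to the end of `sshd_config`, where sshd ignores it if an earlier line already sets the keyword (first value wins) and where it lands inside any trailing `Match` block, and nothing validates or reloads sshd afterwards, so the setting may never take effect or may break the daemon on its next restart; add `insertbefore: BOF` and `validate: /usr/sbin/sshd -t -f %s` to that task and a handler that reloads the `ssh` service. `state: touch` rewrites the file's timestamps on every run, so the play never reports unchanged; `modification_time: preserve` and `access_time: preserve` make it idempotent.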