Line 22: |
| Runs the non-vital services that used to run on [[Boole]]. Might get used for other stuff as well. Same hardware as [[Boole]] | | Runs the non-vital services that used to run on [[Boole]]. Might get used for other stuff as well. Same hardware as [[Boole]] |
| Runs the spacefed node for the space (via a freeradius server) and has an LDAP server. the LDAP db is replicated from [[Turing]]. | | Runs the local LDAP server. The LDAP db is replicated from [[Turing]]. |
| Runs zone minder, see below. | | Runs zone minder, see below. |
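Review bot: the revised cell drops the "spacefed node (via a freeradius server)" mention without saying whether that service was retired or moved; if RADIUS now runs elsewhere, add it to that machine's row (or note that it is gone) so the systems table still records where it lives.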
Line 59: |
| Has only a single mechanical harddrive so vulnerable to data loss. | | Has only a single mechanical harddrive so vulnerable to data loss. |
== Ansible procedures ==

=== Using Ansible with a Raspberry Pi ===

<nowiki>
dd raspbian image (use the 02-09 one to avoid usb issues)
boot pi
watch dhcp logs on boole
ssh pi@ip
passwd: raspberry

sudo raspi-config
update it
expand filesystem
change password
boot to console
advanced options -> hostname

cd /etc/network
edit interfaces to get a static ip
reboot

on boole:

add hostname to fwd and rev. dns, don't forget to commit your changes.

log into denning with ssh keys forwarded

add hostname to /etc/ansible/hosts in both the [lhshosts] and [rpis]
sections, and [doorbot] if it's a doorbot, make the syslocation="something sensible"

then:

if it's a replacement for an old machine then:

ssh-keygen -R hostname
ssh-keygen -R hostname.lan.london.hackspace.org.uk
ssh-keygen -R ipv4 address (?)
ssh-keygen -R ipv6 address (?)

then:

cd /etc/ansible

install python-apt which ansible needs:

ansible -vvv -u pi -k -s -m command -a "apt-get -y install python-apt" "hostname"

Then run it

ansible-playbook -u pi -s -k -l "hostname" lhs/site.yml

The 2nd one will add our users, ssh keys, packages, etc etc.

notes:

not sure how resolv.conf gets setup, I thought having:

iface eth0 inet static
[...]
dns-nameservers 172.31.24.2
dns-search lan.london.hackspace.org.uk

Would sort it, but maybe that doesn't and we got lucky from dhcp?

The dns stuff in /etc/network/interfaces appears to be bogus and resolv.conf needs to be
done manually, add to ansible.
</nowiki>

=== Bootstrapping a new machine to a static ip ===

<nowiki>
Login to the new install and find its ip, make sure you know the root password, or have an ssh key for the root account.

Choose a hostname for your new machine.

Log in to boole, and as root cd /etc/bind, and edit lan.london.hackspace.org.uk. and 24.31.172.in-addr.arpa. to add your new host, remember the new static ip you chose.

There are only a few static ips left, you may end up needing to shrink the dhcp range and change the dhcpserver config on boole as well.

Run zkt-signer -v -r to sign and push out your changes.

Check that the hostname works in fwd and reverse dns.

and git commit your changes and log out of boole.

on denning edit /etc/ansible/hosts, add:

<ip> syslocation="something" lhs_host=<hostname>

to at least [lhshosts], you probably want [ldap-clients] as well, and maybe some other sections, depending on what you want.

then edit /etc/ansible/lhs/vars/defaults.yml, adding your host and the last octet of the new static ip to the hosts: section

now ssh to the host to check that ssh works:

ssh root@<ip>

You may need to fix old cached pub keys, and/or allow root to ssh to your new machine with a password (PermitRootLogin yes in /etc/ssh/sshd_config on the machine you are setting up).

Now you can run ansible. This example assumes you are using a password for root

cd /etc/ansible
ansible-playbook -l "<ip>" -k -u root lhs/site.yml

and hopefully ansible should run ok and set everything up!

Note that ansible will change the root password, hopefully you've got a way to get back in (either you are an admin in ansible, or in the Admins group in ldap, in either case you can login as yourself and then sudo).

Now reboot the new machine, it should come back with the static ip. Double check that it's right.

Now edit /etc/ansible/hosts on denning again and in the entries you added earlier change <ip> to the machine's new full hostname.

Now run ansible again (needed to fix the snmp config), if it's an ldap client you'll have to use your ldap password (you could always add your ssh key to your account on the new machine).

git commit your changes on denning.

and you are done!
</nowiki>

=== Removing an admin ===

edit <code>/etc/ansible/lhs/vars/defaults.yml</code>, remove them from users, add them to disable_users, then re-run ansible.

== Ansible Troubleshooting ==

; problem, ansible dies in the snmp config because it can't find a default ipv4 address.
: fix: make sure the machine has an ipv4 default route
; problem, the sshfp stuff just has hostname. rather than hostname.lan.london.hackspace.org.uk.
: fix: edit /etc/hosts on the affected machine so that both the long and short versions of the hostname are in there.
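A pre-flight checker for the two new-host procedures above (static ip outside the dhcp range, fwd/rev dns agreeing, stale host keys cleared, the inventory line for denning) and for the sshfp item in the troubleshooting list; this is an added example, not part of the wiki page or the hackspace's ansible tree. It assumes dig is installed, uses DHCP_LOW/DHCP_HIGH as placeholder values for the real dhcp range on boole, and "newhost" at 172.31.24.50 is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the hackspace wiki). DOMAIN and the 172.31.24.0/24
# reverse zone come from the page; DHCP_LOW/DHCP_HIGH are assumed placeholders,
# read the real range from the dhcp server config on boole.
DOMAIN=lan.london.hackspace.org.uk
DHCP_LOW=100    # assumption: first dynamically assigned last octet
DHCP_HIGH=200   # assumption: last dynamically assigned last octet

# dns lookups go through dig so a test can stub them with a shell function
fwd_lookup() { dig +short "$1.$DOMAIN" A; }
rev_lookup() { dig +short -x "$1" PTR; }

# 1. the chosen static ip must sit outside the dhcp range ("you may end up
#    needing to shrink the dhcp range"); $1 = dotted ipv4 address
ip_is_static() {
  octet=${1##*.}
  [ "$octet" -lt "$DHCP_LOW" ] || [ "$octet" -gt "$DHCP_HIGH" ]
}

# 2. forward and reverse dns must agree ("Check that the hostname works in fwd
#    and reverse dns"); $1 = short hostname, $2 = ip
dns_consistent() {
  [ "$(fwd_lookup "$1")" = "$2" ] || return 1
  [ "$(rev_lookup "$2")" = "$1.$DOMAIN." ]
}

# 3. every name a stale host key may be cached under when a machine is replaced
#    (the ssh-keygen -R list above, including the ipv4/ipv6 entries marked "(?)")
#    $1 = short hostname, $2 = ipv4, $3 = optional ipv6
known_hosts_names() {
  printf '%s\n' "$1" "$1.$DOMAIN" "$2" ${3:+"$3"}
}
forget_old_keys() {
  known_hosts_names "$@" | while read -r n; do ssh-keygen -R "$n" >/dev/null 2>&1; done
}

# 4. /etc/hosts must carry both the long and the short name, otherwise the sshfp
#    records come out as "hostname." (Troubleshooting); $2 = hosts file to check
hosts_has_both_names() {
  awk -v h="$1" -v d="$DOMAIN" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) {
      if ($i == h) s = 1; if ($i == h "." d) l = 1 } }
    END { exit !(s && l) }' "${2:-/etc/hosts}"
}

# 5. the line to add under [lhshosts] in /etc/ansible/hosts on denning
inventory_line() { printf '%s syslocation="%s" lhs_host=%s\n' "$2" "$3" "$1"; }

# usage, e.g.: ip_is_static 172.31.24.50 && dns_consistent newhost 172.31.24.50 \
#   && hosts_has_both_names newhost && inventory_line newhost 172.31.24.50 "rack 1"
```

Source the file and call the functions one by one; forget_old_keys is the only one that changes anything (it edits ~/.ssh/known_hosts), so run it last and only for a replacement machine.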