homelab/bootstrap
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
bootstrap/README.md
Sebastian Rust 702b7d2fe1
Some checks failed
Build Bootstrap Bundle / build (push) Failing after 54s
Details
feat(bundle): initial commit
2026-02-05 18:19:37 +01:00

78 lines
2.2 KiB
Markdown
Raw Permalink Blame History

# Host Bootstrap Bundle
Ansible playbook for bootstrapping new servers with a secure user and hardened SSH configuration. Designed to be built with [ansible-bundler](https://pypi.org/project/ansible-bundler/) and distributed via CI/CD.
## Features
- Creates a user with SSH key authentication
- Configures passwordless sudo (optional)
- Hardens SSH with secure defaults (no root login, no password auth)
- Works with Debian, Ubuntu, RHEL/CentOS, Arch Linux
## Usage
### Direct with Ansible
```bash
ansible-playbook bootstrap.yml -i "host," -e user_name=operator \
-e 'user_pubkey="ssh-ed25519 AAAA..."'
```
### With Bundled Version
```bash
# Download and verify
curl -sL https://your-server/bootstrap.run -o /tmp/bootstrap.run
curl -sL https://your-server/bootstrap.run.sha256 -o /tmp/bootstrap.run.sha256
cd /tmp && sha256sum -c bootstrap.run.sha256
# Run
chmod +x /tmp/bootstrap.run
./bootstrap.run -e user_name=operator \
-e 'user_pubkey="ssh-ed25519 AAAA..."' \
-e user_password=changeme
```
## Variables
### Required
| Variable | Description |
|----------|-------------|
| `user_name` | Username to create |
| `user_pubkey` | SSH public key (or use `user_pubkey_file` / `user_pubkey_url`) |
### Optional
| Variable | Default | Description |
|----------|---------|-------------|
| `user_password` | - | Password for the user |
| `user_shell` | `/bin/bash` | User's login shell |
| `user_home` | `/home/{user}` | Home directory |
| `user_sudo_enabled` | `true` | Enable sudo access |
| `user_sudo_nopasswd` | `true` | Passwordless sudo |
| `user_pubkey_exclusive` | `true` | Replace existing authorized_keys |
| `ssh_server_ports` | `["22"]` | SSH port(s) |
| `ssh_permit_root_login` | `"no"` | Allow root SSH login |
| `ssh_allow_users` | - | Restrict SSH to specific users |
See `bootstrap.example.yml` for all options.
## Building
```bash
pip install ansible ansible-bundler
ansible-bundler bootstrap.yml -o bootstrap.run
sha256sum bootstrap.run > bootstrap.run.sha256
```
## CI/CD
The included Gitea Actions workflow (`.gitea/workflows/build.yml`) automatically builds and publishes the bundle on push to main.
Required secret: `DEPLOY_TOKEN` - Gitea token with `write:package` scope.
## License
MIT
Reference in New Issue View Git Blame Copy Permalink