# Initial Debian 12 setup with Ansible

> Context:
>
> - We have just installed a bare Debian 12.5.
> - We want to automate the creation of user accounts.

My hosts on the LAN are:

- debian-111: 192.168.1.18
- debian-112: 192.168.1.85
- debian-113: 192.168.1.109

## Steps

- Create `inventory.ini` with the hosts.
- Create a playbook that will
  - install sudo
  - create users with sudo rights

## NOTE on using macOS as the _control node_

See `ansible-macos-control-node/README.md`. We will use a Debian VM as the control node.

## Set up the control node, Debian 12.5

### Install Ansible

My control node is `192.168.1.181`.

- `su -` (`sudo` is not installed yet)
- `apt install gnupg curl`
- the commands given in the [official doc for installing on Debian](https://docs.ansible.com/ansible/latest/installation_guide/installation_distros.html#installing-ansible-on-debian) do **not work**
- `curl -o ansible.gpg "https://keyserver.ubuntu.com/pks/lookup?fingerprint=on&op=get&search=0x6125E2A8C77F2818FB7BD15B93C4A3FD7BB9C367"`
- `gpg --dearmour -o /usr/share/keyrings/ansible-archive-keyring.gpg ansible.gpg` (still as `root`)
- `echo "deb [signed-by=/usr/share/keyrings/ansible-archive-keyring.gpg] http://ppa.launchpad.net/ansible/ansible/ubuntu $UBUNTU_CODENAME main" | tee /etc/apt/sources.list.d/ansible.list`
- `apt update`
- `apt install -y ansible`

BETTER to do everything with `sudo`, I suppose. We will also install `etckeeper`.

### Install Git and clone the repo...

... where I keep my `ansible.cfg` and my `inventory.ini`.
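The steps above name a playbook that installs `sudo` and creates users with sudo rights, but the notes never show it. Below is an added example of what such a `playbook-initial-setup.yml` can look like; it is not the notes' own playbook. It assumes `inventory.ini` has a `[debian]` group, that `creds.yml` is the vault file holding `root_password` as described later in these notes, and that the `admin_users` list is a constructed sample to adapt. Because `sudo` does not exist yet on a bare install, the play escalates with `su` and the vaulted root password, then installs `sudo` and puts the accounts in the `sudo` group; the sudoers drop-in keeps the password requirement (no `NOPASSWD`) and is validated with `visudo` before it is written, so a typo cannot lock you out of escalation.

```yaml
# Added example, not the page's own playbook: playbook-initial-setup.yml
# Assumes: inventory.ini has a [debian] group; creds.yml (ansible-vault) defines root_password.
- name: Initial setup of bare Debian 12 hosts (sudo not installed yet)
  hosts: debian
  vars_files:
    - creds.yml            # vaulted; run with --ask-vault-pass
  # No sudo on the target yet, so escalate with su using the vaulted root password.
  become: true
  become_method: su
  become_user: root
  vars:
    ansible_become_password: "{{ root_password }}"
    # Constructed sample list of accounts to manage; adapt to your own users.
    admin_users:
      - name: debian
      - name: ops
  tasks:
    - name: Install sudo
      ansible.builtin.apt:
        name: sudo
        state: present
        update_cache: true

    - name: Ensure admin accounts exist and are members of the sudo group
      ansible.builtin.user:
        name: "{{ item.name }}"
        groups: sudo
        append: true          # add to sudo without dropping existing groups
        shell: /bin/bash
      loop: "{{ admin_users }}"

    - name: Grant the sudo group full escalation, password still required (no NOPASSWD)
      ansible.builtin.copy:
        dest: /etc/sudoers.d/90-admins
        content: "%sudo ALL=(ALL:ALL) ALL\n"
        owner: root
        group: root
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s   # refuse to install a broken sudoers file
```

Run it exactly as the notes do further down: `ansible-playbook -i inventory.ini playbook-initial-setup.yml --ask-vault-pass -u debian -k`. The `-k` password is for the SSH login as `debian`; the root password used by `su` comes only from the vault, so it is never typed on the command line or stored in clear text in the repo.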
## Ad-hoc commands first, to test

### Ping

```
$ ansible -i ./inventory.ini all -m ping -u debian -k
SSH password:
192.168.1.18 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3"
    },
    "changed": false,
    "ping": "pong"
}
192.168.1.85 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3"
    },
    "changed": false,
    "ping": "pong"
}
192.168.1.109 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3"
    },
    "changed": false,
    "ping": "pong"
}
```

### `setup`

```
ansible -i ./inventory.ini all -m setup -k
```

Produces a _huge_ output.

## Initial setup

`sudo` is not installed on the managed nodes. We will try to configure everything using a vault for the root password.

```
$ ansible-vault create creds.yml
```

store in it:

```
root_password: ******
```

Playbook `playbook-initial-setup.yml`. Run it:

```
ansible-playbook -i inventory.ini playbook-initial-setup.yml --ask-vault-pass -u debian -k
```

- `-k` asks for the password of the regular user `debian`
- `--ask-vault-pass` asks for the vault password

### revert this step

* `apt remove sudo`

## Add `debian` to the sudoers

```
ansible-playbook -i inventory.ini playbook-add-debian-sudoers.yml --ask-vault-pass -u debian -k
```

> **→ it's not that simple**... but then again, without `sudo` you do what you can.

Maybe a `-K` to just ask for the root password without putting it in a vault...

## Monday 19/02 afternoon

### prep

- split the inventory into 2 parts (debian and alpine)

### alpine

#### 1st attempt

```
$ ansible -i ./inventory.ini alpine -m ping -u alpine -k
SSH password:
[WARNING]: No python interpreters found for host 192.168.1.48 (tried ['python3.11', 'python3.10', 'python3.9', 'python3.8', 'python3.7', 'python3.6', 'python3.5', '/usr/bin/python3', '/usr/libexec/platform-python', 'python2.7', '/usr/bin/python', 'python'])
192.168.1.48 | FAILED! => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "module_stderr": "Shared connection to 192.168.1.48 closed.\r\n",
    "module_stdout": "/bin/sh: /usr/bin/python: not found\r\n",
    "msg": "The module failed to execute correctly, you probably need to set the interpreter.\nSee stdout/stderr for the exact error",
    "rc": 127
}
[WARNING]: No python interpreters found for host 192.168.1.72 (tried ['python3.11', 'python3.10', 'python3.9', 'python3.8', 'python3.7', 'python3.6', 'python3.5', '/usr/bin/python3', '/usr/libexec/platform-python', 'python2.7', '/usr/bin/python', 'python'])
192.168.1.72 | FAILED! => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "module_stderr": "Shared connection to 192.168.1.72 closed.\r\n",
    "module_stdout": "/bin/sh: /usr/bin/python: not found\r\n",
    "msg": "The module failed to execute correctly, you probably need to set the interpreter.\nSee stdout/stderr for the exact error",
    "rc": 127
}
```

#### get python3 installed

Careful: target the `alpine` hosts

```yaml
- hosts: alpine
  gather_facts: no
  tasks:
    - name: Install Python3
      raw: apk update && apk add python3
```

Running it will ask for

- the ssh password
- the become password

```
ansible-playbook -i inventory.ini playbook-install-python-alpine.yml -u alpine -bkK
```

#### 2nd ping attempt

```
$ ansible -i ./inventory.ini alpine -m ping -u alpine -k
SSH password:
[WARNING]: Platform linux on host 192.168.1.72 is using the discovered Python interpreter at /usr/bin/python3.11, but future installation of another Python interpreter could change the meaning of that path. See https://docs.ansible.com/ansible-core/2.15/reference_appendices/interpreter_discovery.html for more information.
192.168.1.72 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3.11"
    },
    "changed": false,
    "ping": "pong"
}
[WARNING]: Platform linux on host 192.168.1.48 is using the discovered Python interpreter at /usr/bin/python3.11, but future installation of another Python interpreter could change the meaning of that path. See https://docs.ansible.com/ansible-core/2.15/reference_appendices/interpreter_discovery.html for more information.
192.168.1.48 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3.11"
    },
    "changed": false,
    "ping": "pong"
}
```

## Fedora

- Download Fedora Server 39 + checksum from
  - wget https://download.fedoraproject.org/pub/fedora/linux/releases/39/Server/x86_64/images/Fedora-Server-KVM-39-1.5.x86_64.qcow2
  - wget https://download.fedoraproject.org/pub/fedora/linux/releases/39/Server/x86_64/images/Fedora-Server-39-1.5-x86_64-CHECKSUM
- Verify the checksum
  - curl -O https://fedoraproject.org/fedora.gpg
  - gpgv --keyring ./fedora.gpg Fedora-Server-39-1.5-x86_64-CHECKSUM
  - sha256sum -c Fedora-Server-39-1.5-x86_64-CHECKSUM
- Create the VM **without media** and with an empty 8 GB disk
- in the terminal, from `/var/lib/vz/template/qcow`: `qm importdisk 131 Fedora-Server-KVM-39-1.5.x86_64.qcow2 local-lvm` (`local` as the last argument does not work)

**BIG hack to get the HDD working**

```
60 qm importdisk
61 cd qcow/
62 qm importdisk 131 Fedora-Server-KVM-39-1.5.x86_64.qcow2
63 qm importdisk 131 Fedora-Server-KVM-39-1.5.x86_64.qcow2 local
64 qm importdisk 131 Fedora-Server-KVM-39-1.5.x86_64.qcow2 local-lvm
65 history
66 pwd
67 qm config 131
# --------- Detach the previous ide0 ---------
68 qm set 131 -ide0 none
69 lvremove /dev/local-lvm/vm-131-disk-0
70 lvremove /dev/local/vm-131-disk-0
71 lvmdump
72 cd
73 tar tvzf lvmdump-pve-20240219163630.tgz
# --------- Attach the disk imported via qm importdisk on ide0 and set it as the boot disk ---------
74 qm set 131 -ide0 local-lvm:vm-131-disk-1
75 qm set 131 -boot order=ide0
76 history
```

### post-install

```
hostnamectl hostname fedora-131
```
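The Alpine section above bootstraps Python with a bare `raw` task and then gets a discovery `[WARNING]` on every run because Ansible is guessing the interpreter path. The playbook below is an added example (not the notes' own `playbook-install-python-alpine.yml`) that does the same bootstrap in an idempotent way and then pins the interpreter so the warning goes away and a later Python upgrade cannot silently change which binary runs the modules. It assumes `inventory.ini` has an `[alpine]` group and that `become` works for the SSH user, as it does in the notes' `-bkK` run; the `apk info -e` check and the `/usr/bin/python3` path are assumptions about the Alpine image.

```yaml
# Added example, not the page's own playbook: playbook-install-python-alpine.yml
# Assumes: inventory.ini has an [alpine] group and become (-b, -K) works for the SSH user.
- name: Bootstrap Python on Alpine hosts so regular modules can run
  hosts: alpine
  gather_facts: false        # fact gathering needs Python, which is exactly what is missing
  become: true
  tasks:
    - name: Check whether python3 is already installed (apk info -e exits 0 if so)
      ansible.builtin.raw: apk info -e python3
      register: py_check
      changed_when: false
      failed_when: false     # a non-zero rc just means "not installed"

    - name: Install python3 with raw, which needs no Python on the target
      ansible.builtin.raw: apk update && apk add python3
      when: py_check.rc != 0

    - name: Pin the interpreter path for the rest of this play (clears the discovery WARNING)
      ansible.builtin.set_fact:
        ansible_python_interpreter: /usr/bin/python3

    - name: Now that Python exists, gather facts through the pinned interpreter
      ansible.builtin.setup:

    - name: Confirm a normal module round-trips through the new interpreter
      ansible.builtin.ping:
```

Run it with the same flags as in the notes: `ansible-playbook -i inventory.ini playbook-install-python-alpine.yml -u alpine -bkK`. The `set_fact` pin only lasts for this play; to make it permanent for ad-hoc `ping` and later playbooks, put `ansible_python_interpreter=/usr/bin/python3` under an `[alpine:vars]` section of `inventory.ini` (or in `group_vars/alpine.yml`), which is what the interpreter-discovery link in the warning recommends.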