Quick start

Attention

Always test the playbooks with the parameters --check and --diff first. Only remove --check when you’re happy with the changes.

General information

What follows are the three most important tasks for administrators.

Deploy Users and SSH Keys

To deploy all users along with their SSH keys to all target systems and phonehome, run:

ansible-playbook playbook_update_user_keys.yml --diff --check

To deploy SSH keys to a limited number of systems, run:

ansible-playbook playbook_update_user_keys.yml --diff --limit SYSTEM|GROUP --check

Deploy Host Keys to Phonehome

The playbook update_phonehome_host_keys will install SSH keys of hosts using phonehome in the authorized_keys file for pfremote:

ansible-playbook playbook_phonehome_update_remote_keys.yml --diff --check

Create and Deploy Email Signatures

The source and single point of truth of mail signatures is the Ansible repository.

Have a look at possible vars and at <https://ema.perfact.de/WebApp/PerFactEMA/InfoBoard/Guidelines/docs/Internal_IT/241_mail_signature.html>

Add a host to BackupPC

It is strongly recommended that only qualified personnel who know how to add a host to BackupPC work on this sophisticated task. If necessary, contact the responsible person and get permission to do this.

Documentation on BackupPC:

https://backuppc.github.io/backuppc/

http://backuppc.sourceforge.net/faq/BackupPC.html

Add host with “vars” (parameters) to ./data/hosts/[DEPARTMENT]/[SSH-HOSTNAME]. Possible vars can be found in Possible Vars. You need at least quadrant_backup:.

Hint

If the hostname cannot be resolved by pf-backup, you need to add the host to the file ./roles/quadrant_backup_pc_host_config/tasks/main.yml in the section ‘add clients that cannot be resolved to /etc/hosts’.

Then let Ansible make the necessary changes to the client configuration:

ansible-playbook playbook_quadrant_backuppc_client_config.yml --diff --check

Then let Ansible make the necessary changes to the server configuration:

ansible-playbook playbook_quadrant_backuppc_server_config.yml --diff --check

Confirm the changes and run the command again without --check.

Now you need to connect manually once and accept the hostkey of the client:

su - backuppc
ssh NAME_OF_CLIENT

Handling missing host key fingerprints

The SSH prompt that asks you to confirm the fingerprint (the host key verification) cannot be answered during Ansible calls, because the keyboard is not available. Ansible hangs in those cases.

The authenticity of host '[127.0.0.1]:<Port> ([127.0.0.1]:<Port>)' can't be established.
ECDSA key fingerprint is SHA256:LvTLiGmsVgZJizy34T3chPHdrRtR4SWmUehGbb1soeE.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

To fix this, cancel Ansible, and then SSH to the host in question directly. You can then answer the fingerprint prompt with “yes” and go back to Ansible.
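The fingerprint shown in the prompt can be compared with the client's real host key by recomputing it from the public key line read on the client itself (for example /etc/ssh/ssh_host_ecdsa_key.pub). The following is an added example, not part of the original documentation; the sample key is constructed and the function names are illustrative.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used inside SSH public key blobs."""
    return struct.pack(">I", len(data)) + data


# Constructed sample key (not a real host): an ssh-ed25519 blob with a dummy
# 32-byte public key, formatted like a line in /etc/ssh/ssh_host_*_key.pub.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_PUBKEY_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " root@client"


def sha256_fingerprint(pubkey_line: str) -> str:
    """Return the fingerprint in the form the SSH prompt prints (SHA256:...)."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob starts with its own key type; a mismatch means a damaged line.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("key type in blob does not match the line prefix")
    # The fingerprint is SHA-256 over the raw blob, printed as unpadded base64.
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def prompt_matches(prompt_fingerprint: str, trusted_pubkey_line: str) -> bool:
    """True only if the prompt's fingerprint belongs to the trusted key."""
    return prompt_fingerprint.strip() == sha256_fingerprint(trusted_pubkey_line)


if __name__ == "__main__":
    shown = "SHA256:LvTLiGmsVgZJizy34T3chPHdrRtR4SWmUehGbb1soeE"  # from the prompt above
    print(sha256_fingerprint(SAMPLE_PUBKEY_LINE))
    print("answer yes" if prompt_matches(shown, SAMPLE_PUBKEY_LINE) else "do not accept")
```

Replace SAMPLE_PUBKEY_LINE with the line copied from the client and pass the fingerprint exactly as the prompt prints it.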