{"id":24484518,"url":"https://github.com/dariodip/ansible-pi","last_synced_at":"2026-05-06T08:31:11.693Z","repository":{"id":118776664,"uuid":"242547586","full_name":"dariodip/ansible-pi","owner":"dariodip","description":"Simple Ansible playbooks, roles, tasks and scripts to lock down and perform initial setup for a new Raspberry Pi.","archived":false,"fork":false,"pushed_at":"2022-04-19T07:33:01.000Z","size":21,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-07-18T04:30:21.410Z","etag":null,"topics":["ansible","configuration","raspberry-pi"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dariodip.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-02-23T16:05:38.000Z","updated_at":"2022-11-16T10:43:38.000Z","dependencies_parsed_at":null,"dependency_job_id":"32b9b6c2-483d-4133-9350-37683cca56cc","html_url":"https://github.com/dariodip/ansible-pi","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/dariodip/ansible-pi","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dariodip%2Fansible-pi","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dariodip%2Fansible-pi/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dariodip%2Fansible-pi/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dariodip%2Fansible-pi/manifests","ow
ner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dariodip","download_url":"https://codeload.github.com/dariodip/ansible-pi/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dariodip%2Fansible-pi/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32684585,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-06T02:33:58.958Z","status":"ssl_error","status_checked_at":"2026-05-06T02:33:39.611Z","response_time":117,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","configuration","raspberry-pi"],"created_at":"2025-01-21T13:15:00.534Z","updated_at":"2026-05-06T08:31:11.676Z","avatar_url":"https://github.com/dariodip.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Ansible Playbooks and Scripts for Initial Raspberry Pi Lockdown\n\n\u003e Simple Ansible playbooks, roles, tasks and scripts to lock down and perform initial setup for a new Raspberry Pi.\n\n## Assumptions and Dependencies\n\nThese playbooks assume a freshly minted Raspberry Pi running the current version of either Raspbian or Raspbian Lite.\n\nThese playbooks also assume that you have [Ansible installed](https://docs.ansible.com/ansible/latest/intro_installation.html) and ready on your control machine.\n\n## Scripts\n### 
Raspbian install\n\nThe script `scripts/install.sh` fetches the latest *Raspbian* image and tries to clone it on the SD card.\n\nTo execute the script, run:\n```bash\n./scripts/install.sh /dev/diskN\n```\n\nwhere `diskN` is the SD card disk. To discover this value, you have to run\n\n```bash\ndiskutil list\n```\n\nThe script uses `wget` to download the latest image, `unzip` to unzip it, `dd` to copy the image on the SD card and finally `diskutil` to eject the SD card.\n\n#### Variables\n\nThe following variables may be configured to customize the script:\n- `RPI_OS_IMAGE_URL`: URL for downloading the OS for the Raspberry (default is `https://downloads.raspberrypi.org/raspbian_lite_latest`);\n- `UNZIP_CMD`: command to run to unzip the downloaded OS (default is `unzip`)\n\n### Setup Wi-Fi and SSH on the SD card\n\nTo set up the WLAN supplicant (to connect to the Wi-Fi) and SSH, you may use the scripts:\n- `scripts/network.sh`: this script creates the file `wpa_supplicant.conf` in the mounted SD card and creates an empty SSH file to enable SSH. You must set the environment variables `SSID` and `PSK`;\n- `scripts/ssh-key.sh`: this script takes a list of users (space separated) and generates an SSH key for each one. It then copies the SSH key to the Raspberry and tests if everything works. You must set the environment variable `RASPBERRY_HOST` as the host of your Raspberry.\n\n## Ansible Playbooks\n\n### Inventory\n\nWhen a Pi first boots it usually receives a DHCP assigned IP address, which the `bootstrap` playbook changes to a static IP.\n\nTo save having to create an inventory file and then immediately update it, these playbooks use a _feature_ of the `--inventory` command line argument for `ansible-playbook` where you can supply an IP address followed _**immediately**_ by a comma so that Ansible knows the inventory is a list of hosts (even though there's a single host being targeted).\n\nLike this ... 
`--inventory 192.168.10.20,`\n\n### `pi_password` Playbook\n\nChanges the password for the default `pi` account.\n\nWhy the separate playbook? As this playbook changes the password that Ansible is using to authenticate, Ansible will have to reload its inventory and host variables, which will fail as the password provided at the start of the playbook is no longer valid.\n\nSee [this discussion](https://github.com/ansible/ansible/issues/15227) for more background.\n\n### Usage\n\n```bash\n$ ansible-playbook --user pi --ask-pass --inventory 'IP-ADDRESS,' pi_password.yml\n```\n\nRunning this playbook on a Raspberry Pi with an initial DHCP assigned IP address of `192.168.1.237` will look something like this.\n\n```bash\n$ ansible-playbook --user pi --ask-pass -i \u003cpath to hosts\u003e pi-password.yml\nSSH password:\nNew pi account password:\nconfirm New pi account password:\n\nPLAY [Default pi account password reset playbook] ******************************\n\nTASK [Gathering Facts] *********************************************************\nok: [192.168.1.237]\n\nTASK [pi-password : Set a new password for the default \"pi\" account] ***********\nchanged: [192.168.1.237]\n\nPLAY RECAP *********************************************************************\n192.168.1.237              : ok=2    changed=1    unreachable=0    failed=0   \n```\n\n## Lockdown Playbook\n\nPerforms some initial setup and lockdown on your new Pi.\n\n* Creates a new user and deploys an SSH public key for the user\n* Expands the root filesystem to fill any remaining space on the Pi's SD card\n* Disables password authentication and enforces SSH key authentication\n* Installs Docker on the RaspberryPi\n* Creates and configures a UFW firewall for the RaspberryPi, opening only port `22`\n* Sets a static IP address, router and DNS servers\n* Sets the hostname for the RaspberryPi (local)\n* Sets `wpa_supplicant` for connecting via WiFi (wifi)\n\n### Usage\n\n```bash\n$ ansible-playbook --user pi --ask-pass -i 
\u003cpath to hosts\u003e --tags \"bootstrap,wifi,local\" bootstrap.yml\n```\n\nThe `bootstrap.yml` playbook has four tags:\n- **bootstrap**: defines the abovementioned operations without setting WiFi and local hostname;\n- **docker**: installs and sets up Docker;\n- **wifi**: sets wpa_supplicant for Raspberry;\n- **local**: sets Raspberry host as desired for local machine.\n\nRunning this playbook on the same Raspberry Pi described above, with a static IP of `192.168.1.90` looks something like this (remember to use the new password for the `pi` account!)\n\n```bash\n$ ansible-playbook --user pi --ask-pass -i \u003cpath to hosts\u003e --tags \"bootstrap\" lockdown.yml\nSSH password:\nUser name: dario \nPassword:\nconfirm Password:\nUsername description: Super Account\nPath to public SSH key [keys/id_rsa.pub]: ./keys/id_rsa.pub\nEthernet interface [wlan0]:\nStatic IPv4 address: 192.168.1.90\nRouters (comma separated): 192.168.1.1\nDNS servers (comma separated) [192.168.1.1]:\n\n...\n```\n\nThe latter command will set up your Raspberry with the provided variables and will install Docker on it.\n\nTo avoid the variable prompts, you can provide a variables file via `--extra-vars '@path-to-vars.{yml,json}'`.\n\n## Contribution\n\nWhen contributing to this repository, please first discuss the change you wish to make via issue,\nemail, or any other method with the owners of this repository before making a change. \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdariodip%2Fansible-pi","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdariodip%2Fansible-pi","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdariodip%2Fansible-pi/lists"}