{"id":20748015,"url":"https://github.com/vicchi/ansible-pi-lockdown","last_synced_at":"2025-04-28T12:04:11.571Z","repository":{"id":142466153,"uuid":"104350261","full_name":"vicchi/ansible-pi-lockdown","owner":"vicchi","description":"Simple Ansible playbooks, roles and tasks to lock down and perform initial setup for a new Raspberry Pi.","archived":false,"fork":false,"pushed_at":"2017-09-22T08:47:34.000Z","size":8,"stargazers_count":21,"open_issues_count":0,"forks_count":10,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-04-28T12:04:07.303Z","etag":null,"topics":["ansible","deployment","raspberry-pi","yaml"],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/vicchi.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-09-21T13:15:33.000Z","updated_at":"2024-05-19T23:50:00.000Z","dependencies_parsed_at":null,"dependency_job_id":"3e4d69c5-6beb-4093-a50d-a596f79cf1c3","html_url":"https://github.com/vicchi/ansible-pi-lockdown","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vicchi%2Fansible-pi-lockdown","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vicchi%2Fansible-pi-lockdown/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vicchi%2Fansible-pi-lockdown/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vicchi%2Fansible-pi-lockdown/manifests","ow
ner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/vicchi","download_url":"https://codeload.github.com/vicchi/ansible-pi-lockdown/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251311332,"owners_count":21569009,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","deployment","raspberry-pi","yaml"],"created_at":"2024-11-17T08:15:05.245Z","updated_at":"2025-04-28T12:04:11.563Z","avatar_url":"https://github.com/vicchi.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Ansible Playbooks for Initial Raspberry Pi Lockdown\n\nSimple Ansible playbooks, roles and tasks to lock down and perform initial setup for a new Raspberry Pi.\n\n## Assumptions and Dependencies\n\nThese playbooks assume a freshly minted Raspberry Pi running the current version of either Raspbian or Raspbian Lite. 
Other Raspberry Pi distros exist and [YMMV](https://www.urbandictionary.com/define.php?term=ymmv).\n\nThese playbooks also assume that you have [Ansible installed](https://docs.ansible.com/ansible/latest/intro_installation.html) and ready on your control machine.\n\n## Inventory\n\nWhen a Pi first boots it (usually) receives a DHCP assigned IP address, which the Lockdown playbook changes to a static IP.\n\nTo save having to create an inventory file and then immediately update it, these playbooks use a _feature_ of the `--inventory` command line argument for `ansible-playbook` where you can supply an IP address followed _**immediately**_ by a comma so that Ansible knows the inventory is a list of hosts (even though there's a single host being targeted).\n\nLike this ... `--inventory 192.168.10.20,`\n\n## Password Playbook\n\nChanges the password for the default `pi` account.\n\nWhy the separate playbook? As this playbook changes the password that Ansible is using to authenticate, Ansible will have to reload its inventory and host variables, which will fail as the password provided at the start of the playbook is no longer valid.\n\nSee [this discussion](https://github.com/ansible/ansible/issues/15227) for more background.\n\n### Usage\n\n```bash\n$ ansible-playbook --user pi --ask-pass --inventory 'IP-ADDRESS,' password.yml\n```\n\nRunning this playbook on a Raspberry Pi with an initial DHCP assigned IP address of `192.168.1.237` will look something like this.\n\n```bash\n$ cd plays\n$ ansible-playbook --user pi --ask-pass --inventory '192.168.1.237,' password.yml\nSSH password:\nNew pi account password:\nconfirm New pi account password:\n\nPLAY [Default \"pi\" account password reset playbook] ****************************\n\nTASK [Gathering Facts] *********************************************************\nok: [192.168.1.237]\n\nTASK [pi-password : Set a new password for the default \"pi\" account] ***********\nchanged: [192.168.1.237]\n\nPLAY RECAP 
*********************************************************************\n192.168.1.237              : ok=2    changed=1    unreachable=0    failed=0   \n```\n\n\n## Lockdown Playbook\n\nPerforms some initial setup and lockdown on your new Pi.\n\n* Sets the hostname for the Pi\n* Creates a new user and deploys an SSH public key for the user\n* Disables password authentication and enforces SSH key authentication\n* Sets a static IP address, router and DNS servers\n* Expands the root filesystem to fill any remaining space on the Pi's SD card\n\n### Usage\n\n```bash\n$ cd plays\n$ ansible-playbook --user pi --ask-pass --inventory 'IP-ADDRESS,' lockdown.yml\n```\n\nRunning this playbook on the same Raspberry Pi described above, with a static IP of `192.168.1.2` looks something like this (remember to use the new password for the `pi` account!)\n\n```bash\n$ ansible-playbook --user pi --ask-pass --inventory '192.168.1.237,' lockdown.yml\nSSH password:\nHostname: dns.vicchi.local\nUser name: guest\nPassword:\nconfirm Password:\nUsername description: Guest Account\nPath to public SSH key: /tmp/id_rsa.pub\nEthernet interface [eth0]:\nStatic IPv4 address: 192.168.1.2\nRouters (comma separated): 192.168.1.1\nDNS servers (comma separated) [8.8.8.8,8.8.4.4]:\n\nPLAY [Application server specific playbook] ************************************\n\nTASK [Gathering Facts] *********************************************************\nok: [192.168.1.237]\n\nTASK [set-hostname : Set the hostname] *****************************************\nchanged: [192.168.1.237]\n\nTASK [set-hostname : Update /etc/hosts with new hostname] **********************\nchanged: [192.168.1.237]\n\nTASK [create-user : Create a (non default) user account] ***********************\nchanged: [192.168.1.237]\n\nTASK [create-user : Deploy user's SSH key] *************************************\nchanged: [192.168.1.237]\n\nTASK [disable-passwords : Disable SSH password authentication] *****************\nchanged: 
[192.168.1.237]\n\nTASK [static-ip : Configure static IP in  /etc/dhcpcd.conf] ********************\nchanged: [192.168.1.237] =\u003e (item={u'regexp': u'^interface eth[0-9]$', u'line': u'interface eth0'})\nchanged: [192.168.1.237] =\u003e (item={u'regexp': u'^static ip_address', u'line': u'static ip_address=192.168.1.2'})\nchanged: [192.168.1.237] =\u003e (item={u'regexp': u'^static routers', u'line': u'static routers=192.168.1.1'})\nchanged: [192.168.1.237] =\u003e (item={u'regexp': u'^static domain_name_servers', u'line': u'static domain_name_servers=8.8.8.8,8.8.4.4'})\n\nTASK [expand-filesystem : Expand filesystem to fill disk] **********************\nchanged: [192.168.1.237]\n\nRUNNING HANDLER [static-ip : reboot] *******************************************\nchanged: [192.168.1.237]\n\nPLAY RECAP *********************************************************************\n192.168.1.237              : ok=9    changed=8    unreachable=0    failed=0  \n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvicchi%2Fansible-pi-lockdown","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvicchi%2Fansible-pi-lockdown","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvicchi%2Fansible-pi-lockdown/lists"}