When booting up a new server, if root is the primary account created, what is the best practice to handle running as root the first time a playbook runs vs running it as ansible after my script sets up its own service account?
Create the ansible service account and install the ssh public key at install time.
I have this scripted in my kickstart scripts:
%post --erroronfail
# Set up ansible user
useradd -rm ansible
echo "ansible ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/ansible
chmod 440 /etc/sudoers.d/ansible
mkdir -m 700 /home/ansible/.ssh
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsW/fNKMjMQjkYcQOqwD14UItgMBGIX7HHpP2YTvQkI ansible" > /home/ansible/.ssh/authorized_keys
chmod 600 /home/ansible/.ssh/authorized_keys
chown -R ansible:ansible /home/ansible/.ssh
%end
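For hosts that were not provisioned with a kickstart like the one above, the same account setup can be done by Ansible itself in a one-time play that connects as root, after which every later play connects as the unprivileged service account and escalates with sudo. The playbook below is an added example, not code from the original thread; it assumes an inventory group named `new_servers`, a placeholder public key in `bootstrap_pubkey`, and a target with `/etc/sudoers.d` and `visudo` available (RHEL and Debian derivatives both qualify).

```yaml
# Added example (not from the original post): bootstrap the "ansible" service
# account once as root, then run everything else as that account with sudo.
# Assumptions: inventory group "new_servers", placeholder public key below,
# /etc/sudoers.d and /usr/sbin/visudo present on the target.

- name: Bootstrap the ansible service account (run once, as root)
  hosts: new_servers
  remote_user: root
  gather_facts: false
  vars:
    # Placeholder: replace with the controller's real ed25519 public key.
    bootstrap_pubkey: "ssh-ed25519 AAAA...PLACEHOLDER ansible"
  tasks:
    - name: Create a system account with a home directory (equivalent of useradd -rm)
      ansible.builtin.user:
        name: ansible
        system: true
        create_home: true
        shell: /bin/bash

    - name: Grant passwordless sudo, validating the drop-in before it is installed
      ansible.builtin.copy:
        dest: /etc/sudoers.d/ansible
        content: "ansible ALL=(ALL) NOPASSWD:ALL\n"
        owner: root
        group: root
        mode: "0440"
        # A syntax error here would lock sudo for everyone; visudo -cf rejects it first.
        validate: /usr/sbin/visudo -cf %s

    - name: Create ~/.ssh with owner-only permissions
      ansible.builtin.file:
        path: /home/ansible/.ssh
        state: directory
        owner: ansible
        group: ansible
        mode: "0700"

    - name: Install the controller's public key as the only authorized key
      ansible.builtin.copy:
        dest: /home/ansible/.ssh/authorized_keys
        content: "{{ bootstrap_pubkey }}\n"
        owner: ansible
        group: ansible
        mode: "0600"

- name: Everything after bootstrap runs as the service account, escalating with sudo
  hosts: new_servers
  remote_user: ansible
  become: true
  tasks:
    - name: Confirm the SSH login is the service account, not root
      ansible.builtin.command: id -un
      become: false
      register: login_user
      changed_when: false
      failed_when: login_user.stdout != 'ansible'
```

Run it with `ansible-playbook -i inventory bootstrap.yml` while root SSH login is still available; once the second play passes, the first play is no longer needed and root login over SSH can be disabled, so the service account and its single authorized key become the only remote path onto the host. The `validate:` line on the sudoers task is the check worth keeping: a malformed drop-in is rejected before it is written, instead of breaking sudo on the box.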
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.