Best practices bootstrapping new Ansible servers with the root account

Justin asked:

When booting up a new server, if root is the primary account created, what is the best practice to handle running as root the first time a playbook runs vs running it as ansible after my script sets up its service own account?

My answer:

Create the ansible service account and install the ssh public key at install time.

I have this scripted in my kickstart scripts:

%post --erroronfail
# Set up ansible user
useradd -rm ansible
echo "ansible ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/ansible
chmod 440 /etc/sudoers.d/ansible
mkdir -m 700 /home/ansible/.ssh
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsW/fNKMjMQjkYcQOqwD14UItgMBGIX7HHpP2YTvQkI ansible" > /home/ansible/.ssh/authorized_keys
chmod 600 /home/ansible/.ssh/authorized_keys
chown -R ansible.ansible /home/ansible/.ssh

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.