Fix bin/setup to use stored values. Simplify Makefile.

ksylvan · ksylvan · commit 453a1d457a03 · 2017-08-21T23:38:07.000-07:00
diff --git a/.gitignore b/.gitignore
@@ -3,3 +3,4 @@ group_vars/
 .vault_pass.txt
 *.retry
 .tmp*
+.bootstrap_done
diff --git a/Makefile b/Makefile
@@ -1,7 +1,7 @@
 # Makefile for mail server setup
 #
-.PHONY: all bootstrap mailserver rebootstrap reset clean \
-  edit edit_secrets redo save help
+.PHONY: all bootstrap mailserver reset clean \
+	edit edit_secrets save help setup rebootstrap
 
 USER_VAR = deploy_user_name
 VAR_FILE = group_vars/all/vars.yml
@@ -17,43 +17,41 @@ endif
 
 EDITOR ?= vi
 
-all:
-	@if [ ! -r $(VAR_FILE) ]; then \
-		./bin/setup; \
-		if [ $$? -ne 0 ]; then exit $$?; fi; \
-		make bootstrap; \
-	fi; \
-	make mailserver
+all: setup bootstrap mailserver
+
+setup:
+	@./bin/setup
 
 help:
 	@echo "all (default) - bootstrap if needed, then deploy mailserver."
 	@echo "bootstrap - run the bootstrap playbook as user root"
+	@echo "rebootstrap - run the bootstrap playbook as deploy user"
 	@echo "mailserver - deploy mail server stack (as deploy user)"
-	@echo "rebootstrap - run the bootstrap playbook as deploy user."
 	@echo "reset - delete inventory and variables for a fresh start."
 	@echo "clean - remove any *.retry files."
 	@echo "edit - run EDITOR (default vi) on variables file."
 	@echo "edit_secrets - decrypt, run EDITOR on secrets file, then encrypt."
-	@echo "redo - re-run bootstrap and mailserver playbooks (as deploy user)"
 	@echo "save - save variables and inventory in backup/domain-YYYYMMDD-hhmm.tgz"
 	@echo "help - print this message."
 
 mailserver:
 	@echo "Running playbooks using $(DEPLOY_USER) user"
 	ansible-playbook -u $(DEPLOY_USER) mailserver.yml
 
-# bootstrap sets up a secure debian server (the first time)
+# bootstrap sets up a secure debian server
 bootstrap:
-	ansible-playbook -u root -k bootstrap.yml
+	@if [ -r .bootstrap_done ]; then \
+	  ansible-playbook -u $(DEPLOY_USER) bootstrap.yml; \
+	else \
+	  ansible-playbook -u root -k bootstrap.yml; \
+	fi
 
-# since root ssh logins are disabled, need to run this when boostrapping again
+# bootstrap explicitly as deploy user
 rebootstrap:
 	ansible-playbook -u $(DEPLOY_USER) bootstrap.yml
 
-redo: rebootstrap all
-
 # GENERATED FILES
-GEN = inventory group_vars .vault_pass.txt
+GEN = inventory group_vars .vault_pass.txt .bootstrap_done
 
 # clean up and start over
 reset:
diff --git a/README.md b/README.md
@@ -120,6 +120,9 @@ to be backed up.
 On your control host, the first time you run this, it will run `./bin/setup`
 and set your `./inventory` files and variable files in `./group_vars/all/`.
 
+Subsequent runs of `./bin/setup` will read the stored values and present
+them as defaults.
+
 Use `make reset` to remove these files and start over.
 
 You can also `make redo` if you make changes to your
diff --git a/bin/setup b/bin/setup
@@ -4,48 +4,85 @@
 
 cd $(dirname $0)/..
 
-mkdir -p group_vars/all
-
 VARS=group_vars/all/vars.yml
 VAULT_VARS=group_vars/all/secret.yml
 VAULT_PASS=".vault_pass.txt"
 
-cp bin/all.yml group_vars/all/vars.yml
+if [ ! -d group_vars/all ]; then
+  mkdir -p group_vars/all
+fi
+
+tmp_vars=/tmp/tmpvars$$
+cp bin/all.yml $tmp_vars
+
+cleanup()
+{
+  rm -f $tmp_vars
+  if [ -r $VAULT_PASS ]; then
+    ansible-vault encrypt $VAULT_VARS
+  fi
+}
+
+trap cleanup EXIT
+
+if [ -r $VAULT_VARS -a -r $VAULT_PASS ]; then
+  ansible-vault decrypt $VAULT_VARS
+fi
+
+get_stored_default()
+{
+  case $1 in
+    vault_*)
+      __r=$(grep "$1" $VAULT_VARS 2>/dev/null| awk '{print $2}' )
+      ;;
+    *)
+      __r=$(grep "$1" $VARS 2>/dev/null| awk '{print $2}')
+      ;;
+  esac
+  __r=$(echo $__r | sed "s/^\([\"']\)\(.*\)\1\$/\2/g")
+  if [ -z "$__r" ]; then echo "$2"; else echo "$__r"; fi
+}
 
 prompt_with_default()
 {
-  __prompt="$(eval echo \"$1 [\$$2\]: \")"
+  __get="$3" # set to grab the stored values
+  __def="$(eval echo \$$2)"
+  if [ -n "$__get" ]; then __def="$(get_stored_default $2 $__def)"; fi
+  __prompt="$(eval echo \"$1 [\$__def\]: \")"
   read -p "$__prompt" ans
-  eval "$2=\${ans:-\$$2}"
+  eval "$2=\${ans:-\$__def}"
 }
 
 domain_name=domain.com
-prompt_with_default "Top level domain name" domain_name
+prompt_with_default "Top level domain name" domain_name -stored
 
-echo ${domain_name} > inventory
+inventory_hostname=$domain_name
+if [ -r inventory ]; then inventory_hostname=$(cat inventory); fi
+prompt_with_default "Hostname (for Ansible inventory)" inventory_hostname
+echo ${inventory_hostname} > inventory
 
 timezone='America/Los_Angeles'
-prompt_with_default "Server timezone" timezone
+prompt_with_default "Server timezone" timezone -stored
 
 vault_root_password=MyR00tPa33w0rd
-prompt_with_default "root password" vault_root_password
+prompt_with_default "root password" vault_root_password -stored
 
 deploy_user_name=deploy
-prompt_with_default "deploy user name" deploy_user_name
+prompt_with_default "deploy user name" deploy_user_name -stored
 vault_deploy_password=MyD3pl0yPas3w0rd
-prompt_with_default "deploy user password" vault_deploy_password
+prompt_with_default "deploy user password" vault_deploy_password -stored
 
 admin_email=postmaster@${domain_name}
-prompt_with_default "Admin reports email (for logwatch, etc.)" admin_email
+prompt_with_default "Admin reports email (for logwatch, etc.)" admin_email -stored
 
 vault_db_password=myDBpa88w0rd
-prompt_with_default "MariaDB root user password" vault_db_password
+prompt_with_default "MariaDB root user password" vault_db_password -stored
 
 vault_user_password=postf1x001a9
-prompt_with_default "MariaDB postfix user password" vault_user_password
+prompt_with_default "MariaDB postfix user password" vault_user_password -stored
 
 self_signed_certs=false
-prompt_with_default "Use self-signed certs (use for testing)" self_signed_certs
+prompt_with_default "Use self-signed certs (use for testing)" self_signed_certs -stored
 
 echo ""
 echo "NOTE: When DB is initialized, database passwords are set."
@@ -54,7 +91,7 @@ echo ""
 
 for i in domain_name deploy_user_name admin_email timezone self_signed_certs
 do
-  echo "$i: $(eval echo \$$i)" >> $VARS
+  echo "$i: $(eval echo \$$i)" >> $tmp_vars
 done
 
 vault_root_encrypted_password=$(./bin/mkpasswd "$vault_root_password")
@@ -74,5 +111,6 @@ done
 
 vault_pass='This is my c00l vault password'
 prompt_with_default "Your vault password" vault_pass
+
 echo "$vault_pass" > $VAULT_PASS
-ansible-vault encrypt $VAULT_VARS
+cp $tmp_vars $VARS
diff --git a/roles/secure-server/tasks/main.yml b/roles/secure-server/tasks/main.yml
@@ -90,3 +90,7 @@
   timezone: name={{ timezone }}
   notify:
   - Restart cron
+
+- name: Create .bootstrap_done marker
+  local_action: file path=.bootstrap_done state=touch
+  become: false
