Ansible scripts for bootstrapping, securing and managing an ubuntu server.

• Requirements
• Preparations
  • First Run
• Usage
  • Playbook setup.yml
    • Tag bootstrap
    • Tag acme-sh
    • Tag nginx
    • Tag nginxconf
    • Tag docker
  • Playbook issue-cert.yml
  • Playbook user.yml
  • Playbook reboot.yml
• Development
• License

• ansible
  Install via pip: sudo easy_install pip && sudo pip install ansible

• passlib for creating hashes with ansible
  Install via pip: sudo pip install passlib

• vagrant and VirtualBox
  (if you want to run playbooks against a local vm for development)

We're assuming, you have just set up a server with Ubuntu 18.04 LTS minimum installation and you have root access using ssh (password or keyfile)

Edit the project files according to your needs:

• Edit ./hosts to match your server ip and port.

• Create vault_password_file containing the password for ansible vault:

  echo -n "secret-password" > vault_password_file

• Edit settings in ./group_vars/all if necessary

Run first-run.yml to install minimum requirements and create the admin user for ansible. This is the only playbook that uses the root user. Specify keyfile or password if necessary:

ansible-playbook --user root [--ask-pass] [--key-file path/to/id] first-run.yml

ansible-playbook <PLAYBOOK> [-t <TAG>]

See ./group_vars/ for common task settings.

Read through playbooks and tasks. They are self-explaining.

Runs all tags by order:

ansible-playbook setup.yml

ansible-playbook setup.yml -t bootstrap

Changes:

• set the hostname
• update apt package cache; upgrade apt to the latest packages; install unattended-upgrades package; adjust apt update intervals; only installs from security channel
• create sftponly group
• setup iptables (see ./roles/bootstrap/templates/iptables/iptables.sh)
• setup fail2ban
• disallow password authentication for all users; disallow ssh access for root; delete root password
• set locale and timezone
• setup ntp
• install optional packages

ansible-playbook setup.yml -t acme-sh

• setup acme.sh for letsencrypt certificate creation and renewal
• set letsencrypt account email for notifications

ansible-playbook setup.yml -t nginx

Changes:

• install nginx
• copy nginx.conf, common configs and sites configs (see ./roles/nginx/templates/)
• remove unmanaged configs
• ensure nginx cache and public html directory properties
• remove default nginx site configuration

ansible-playbook setup.yml -t nginxconf

Changes:

• copy nginx.conf, common configs and sites configs (see ./roles/nginx/templates/)
• remove unmanaged configs

ansible-playbook setup.yml -t docker

Changes:

• iXnstall docker and docker-compose with required dependencies and apt sources

ansible-playbook issue-cert.yml

Issue a certificate using acme.sh for prompted domain (also cares for renewal).

ansible-playbook user.yml

Create a system user from prompted options.

ansible-playbook reboot.yml

Reboot the system and wait for it to come back.

You can use vargrant to create a virtual server for testing and development.

vagrant up
ln -s .vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory vagranthosts
ansible-playbook -i vagranthosts <PLAYBOOK> [-t <TAG>]

Calling vagrant up will automatically use first-run-yml for provisioning.

The MIT License (MIT)
Copyright © 2016 Simon Lepel [email protected]