Ansible playbook: Initial provision of an Ubuntu Server
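---
#
# Ansible playbook: Initial provision of an Ubuntu Server v201608051020
# Louis T. Getterman IV (@LTGIV)
# https://www.opensour.cc/network/ansible/examples/ubuntu-initial-setup
#
# Install Requirements (all three roles used below):
#   ansible-galaxy install resmo.ntp resmo.sshd jnv.unattended-upgrades
#
# Set Ansible inventory host:
#   read -p "Ansible Inventory Host: " ansibleInvHost
#
# Run playbook against desired host:
#   ansible-playbook ubuntu-initial.yml --extra-vars "target=$ansibleInvHost"
#
# Run playbook against desired host, with additional options for bastion host
# and interface SSH should answer on:
#   ansible-playbook ubuntu-initial.yml --extra-vars "target=$ansibleInvHost interface=eth1 bastion=1.2.3.4"
#
# Ansible always runs pre_tasks -> roles -> tasks regardless of the order the
# keys appear in the file; the sections below are written in that order so the
# file reads the way it executes.
#
- hosts: "{{ target }}"
  become: true
  become_user: root
  # Facts are gathered explicitly in pre_tasks, after the Python runtime that
  # the setup module needs has been installed through the raw module.
  gather_facts: false

  ##############################################################################
  pre_tasks:
  ##############################################################################
    - name: 'Install Aptitude, Python 2, and Python Simple JSON for Ansible'
      # raw runs over plain SSH without a Python interpreter on the target and
      # is the only module usable before one exists.  The play-level become
      # already runs this as root, so no sudo prefix is needed.  The package
      # cache is refreshed first because a freshly provisioned image often has
      # an empty or stale one, which makes the install fail.
      raw: apt-get -qq update && apt-get -y install aptitude python python-simplejson

    - name: Gathering facts
      setup:

    - name: 'Update repository cache (OS Family: Debian)'
      apt:
        update_cache: true
        cache_valid_time: 3600

    ############################################################################
    # UFW.  Ordering matters: the default-deny policy and the SSH allow rule
    # are written while the firewall is still disabled (a reset disables it),
    # and only then is the firewall enabled.  Enabling first with an allow-all
    # policy and tightening afterwards would leave every port open for the
    # duration of the intervening tasks.
    ############################################################################
    - name: 'UFW: Install'
      apt:
        name: ufw
        state: present

    - name: 'UFW: Start service, if not running'
      service:
        name: ufw
        state: started

    - name: 'UFW: Reset state'
      # Drops all existing rules and disables the firewall.
      ufw:
        state: reset

    - name: 'UFW: deny everything incoming'
      ufw:
        policy: deny
        direction: incoming

    - name: 'UFW: allow everything outgoing'
      ufw:
        policy: allow
        direction: outgoing

    - name: 'UFW: DNS - Allow'
      # Redundant while the outgoing policy is allow; kept so name resolution
      # keeps working if the outgoing policy is ever tightened.
      ufw:
        rule: allow
        port: '53'
        proto: udp
        direction: out

    - name: 'UFW: SSH'
      # Restricted to one interface and, when a bastion address is supplied,
      # to that single source.  Must exist before the firewall is enabled so
      # the controlling session is not locked out.
      ufw:
        rule: allow
        port: ssh
        proto: tcp
        direction: in
        interface: "{{ interface | default('eth0') }}"
        from_ip: "{{ bastion | default('any') }}"

    # Disabled, Ansible causes UFW to have a conflict: "ERROR: Invalid token 'on'"
    # SSH brute-force protection is provided by fail2ban, installed below.
    # - name: 'UFW: SSH - Connection limiting'
    #   ufw:
    #     rule: limit
    #     port: ssh
    #     proto: tcp
    #     interface: "{{ interface | default('eth0') }}"

    - name: 'UFW: enable state, turn on logging'
      # "on" must be quoted: unquoted, YAML 1.1 parses it as boolean true,
      # which is not a valid value for the ufw module's logging option.
      ufw:
        state: enabled
        logging: 'on'

    ############################################################################
    - name: Install list of packages
      # fail2ban (SSH brute-force banning) and unattended-upgrades (automatic
      # patching) are the security-relevant entries; the rest are operator
      # conveniences.  update-notifier-common provides the apt-check binary
      # used by the next task.
      apt:
        name:
          - curl
          - dnsutils
          - fail2ban
          - git
          - htop
          - iftop
          - nano
          - reptyr
          - screen
          - tree
          - unattended-upgrades
          - update-notifier-common
          - wget
        state: present

    - name: Check if there are packages available to be installed/upgraded
      # apt-check writes the package list to stderr, hence the stderr checks
      # in the two tasks that follow.
      command: /usr/lib/update-notifier/apt-check --package-names
      register: upgrade_packages
      changed_when: false

    - name: Packages available for upgrade
      debug:
        var: upgrade_packages.stderr
      when: upgrade_packages.stderr != ""

    - name: Upgrade system
      apt:
        upgrade: safe
      when: upgrade_packages.stderr != ""

    - name: Check if a reboot is required
      stat:
        path: /var/run/reboot-required
        get_checksum: false
      register: reboot_file

    - name: Restart machine
      # Fire-and-forget (async 1 / poll 0) so the dropped SSH connection does
      # not fail the task.  The reboot module (Ansible >= 2.7) is the modern
      # replacement for this task and the wait that follows.
      shell: sleep 2 && shutdown -r now "* Ansible updates triggered *"
      async: 1
      poll: 0
      ignore_errors: true
      when: reboot_file.stat.exists

    - name: Waiting for machine to return
      # Polls the SSH port from the controller.  Honours ansible_host (or the
      # pre-2.0 ansible_ssh_host) and ansible_port from inventory so hosts that
      # are not reachable under their inventory name, or not on port 22, are
      # handled too.
      local_action:
        module: wait_for
        host: "{{ ansible_host | default(ansible_ssh_host) | default(inventory_hostname) }}"
        port: "{{ ansible_port | default(22) }}"
        state: started
        delay: 30
        timeout: 60
      become: false
      when: reboot_file.stat.exists

    ############################################################################
    - name: Set timezone to UTC
      command: timedatectl set-timezone UTC
      when: ansible_date_time.tz != 'UTC'

  ##############################################################################
  roles:
  ##############################################################################
    - role: jnv.unattended-upgrades
      become: true
      unattended_remove_unused_dependencies: true
      # Automatic reboot applies kernel and libc updates without operator
      # action; set to false on hosts that must never restart unattended.
      unattended_automatic_reboot: true
      # Only pockets that are safe to apply automatically.  The original list
      # also named "${distro_codename}-proposed-updates", which is not an
      # Ubuntu pocket (the pre-release pocket is "-proposed", and pre-release
      # packages must not be auto-applied to production hosts); it is dropped.
      unattended_origins_patterns:
        - 'origin=Ubuntu,archive=${distro_codename}-security'
        - 'o=Ubuntu,a=${distro_codename}'
        - 'o=Ubuntu,a=${distro_codename}-updates'

    - role: resmo.ntp
      become: true

    - role: resmo.sshd
      become: true
      # Key-only root login.  "without-password" is the legacy spelling of
      # "prohibit-password" (OpenSSH >= 7.0 accepts both).  Once a non-root
      # admin user exists this should be tightened to 'no'.
      sshd_permit_root_login: without-password
      # Quoted: a bare no is YAML boolean false, not the sshd_config token.
      sshd_password_authentication: 'no'

  ##############################################################################
  tasks:
  ##############################################################################
    - name: Set hostname
      hostname:
        name: "{{ inventory_hostname }}"

    - name: Local hostname entry
      # Dots are escaped so the regexps match the literal loopback addresses.
      lineinfile:
        dest: /etc/hosts
        regexp: '^127\.0\.1\.1'
        line: '127.0.1.1 {{ inventory_hostname }}'
        state: present
        insertbefore: '^127\.0\.0\.1'
  ##############################################################################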