Skip to content

Instantly share code, notes, and snippets.

@Stakecraft

Stakecraft/new-server-setup-ubuntu-22.yaml

Last active November 18, 2023 21:01
Show Gist options
  • Save Stakecraft/c91fff3d0e371cb342e819c1e588745a to your computer and use it in GitHub Desktop.
Save Stakecraft/c91fff3d0e371cb342e819c1e588745a to your computer and use it in GitHub Desktop.
Download ZIP
ansible-playbook -i new-server.ini new-server-setup-ubuntu-22.yaml
Raw
new-server-setup-ubuntu-22.yaml
---
- hosts: all
become: yes
vars:
ansible_ssh_user: '{{ default_ssh_user }}'
ansible_ssh_port: '{{ default_ssh_port }}'
sudo_user:
# password must be generated through "mkpasswd" command from 'whois' package
- login: '{{ ansible_user }}'
group: '{{ ansible_user }}'
tasks:
### AGX1000 scripts ###
- name: Download hwdata.sh
get_url:
url: https://gist.githubusercontent.com/AGx10k/bebd6297c7d8a8bd856a55ad2f2393a5/raw/b42b5d9d3edc2c9be1fe36d1518f4a68eb46f2ad/hwdata.sh
dest: /root/hwdata.sh
mode: 'u+rwx'
- name: Download netdata.sh
get_url:
url: https://gist.githubusercontent.com/AGx10k/bebd6297c7d8a8bd856a55ad2f2393a5/raw/c72fe59642c34622b8014a4888bcf9734197815c/netdata.sh
dest: /root/hwdata.sh
mode: 'u+rwx'
- name: Adding the scripts in the profile file
lineinfile:
dest: '~/.profile'
line: '~/hwdata.sh && ~/netdata.sh'
insertafter: 'EOF'
state: present
- name: export env vars
shell: "export DEBIAN_FRONTEND=noninteractive"
### install packages ###
- name: Install required system packages
apt:
name: ['cpufrequtils', 'moreutils', 'ntp', 'iptables-persistent', 'software-properties-common', 'aptitude', 'git', 'curl', 'lm-sensors','moreutils', 'cpufrequtils', 'liblz4-tool', 'zip', 'unzip', 'jq', 'wget', 'nano', 'htop', 'smartmontools', 'tmux', 'net-tools', 'bash-completion', 'pciutils', 'ethtool', 'ufw', 'mc', 'python3', 'python3-dev', 'python3-virtualenv', 'python3-venv', 'python3-dev', 'libffi-dev', 'apt-transport-https', 'tzdata', 'ca-certificates', 'build-essential', 'libboost-all-dev', 'automake', 'autoconf', 'pkg-config', 'libcurl4-openssl-dev', 'libjansson-dev', 'libssl-dev', 'libgmp-dev', 'make', 'autotools-dev', 'libtool', 'psmisc', 'bsdmainutils', 'libminiupnpc-dev', 'libevent-dev', 'cmake', 'screen', 'atop', 'ncdu', 'fail2ban', 'ntp']
state: latest
update_cache: yes
###ssh configuration manipulation ###
- name: sshd config file update
blockinfile:
path: /etc/ssh/sshd_config
insertbefore: BOF # Beginning of the file
marker: "# {mark} ANSIBLE MANAGED BLOCK BY LINUX-ADMIN"
block: |
Port {{ sshd_config_port }}
UsePAM yes
PermitRootLogin no
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no
ChallengeResponseAuthentication no
backup: yes
validate: /usr/sbin/sshd -T -f %s
### tweak limits ###
- name: change security limits
shell: |
cp /etc/security/limits.conf /etc/security/limits.bak
echo '* hard nproc 1550000' | sudo tee -a /etc/security/limits.conf
echo '* soft nproc 1550000' | sudo tee -a /etc/security/limits.conf
echo '* hard nofile 1550000' | sudo tee -a /etc/security/limits.conf
echo '* soft nofile 1550000' | sudo tee -a /etc/security/limits.conf
echo 'root hard nproc 1550000' | sudo tee -a /etc/security/limits.conf
echo 'root soft nproc 1550000' | sudo tee -a /etc/security/limits.conf
echo 'root hard nofile 1550000' | sudo tee -a /etc/security/limits.conf
echo 'root soft nofile 1550000' | sudo tee -a /etc/security/limits.conf
- name: change systemd params
shell: |
echo 'DefaultLimitNOFILE=1000000' | sudo tee -a /etc/systemd/system.conf
echo 'DefaultLimitNOFILE=1000000' | sudo tee -a /etc/systemd/user.conf
- name: change systemd params
shell: |
cp /etc/sysctl.conf /etc/sysctl.bak
echo 'fs.file-max = 1550000' | sudo tee -a /etc/sysctl.conf
echo 'vm.max_map_count=1550000' | sudo tee -a /etc/sysctl.conf
echo always > /sys/kernel/mm/transparent_hugepage/enabled
echo 'vm.nr_hugepages=128' | sudo tee -a /etc/sysctl.conf
sysctl -p
bash -c "cat >/etc/sysctl.d/20-solana-udp-buffers.conf <<EOF
net.core.rmem_default = 134217728
net.core.rmem_max = 134217728
net.core.wmem_default = 134217728
net.core.wmem_max = 134217728
EOF"
sysctl -p /etc/sysctl.d/20-solana-udp-buffers.conf
- name: change fail2ban params
shell: |
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sed -i 's/bantime = 10m/bantime = 60m/' /etc/fail2ban/jail.local
sed -i 's/#mode = normal/enabled = true \nmode = normal/' /etc/fail2ban/jail.local
- name: change auto-upgrades params
shell: |
sed -i 's/Unattended-Upgrade "1"/Unattended-Upgrade "0"/' /etc/apt/apt.conf.d/20auto-upgrades
echo 'SystemMaxUse=300M' | tee -a /etc/systemd/journald.conf
echo 'SystemMaxFileSize=100M' | tee -a /etc/systemd/journald.conf
- name: clean apt cache and install updates
shell: |
apt-get clean
purge-old-kernels -qy
apt update
apt autoremove -y; apt autoclean -y
- name: Checking if blacklist-hetzner.conf file exists
stat:
path: /etc/modprobe.d/blacklist-hetzner.conf
register: hetzner_file
- name: change hetzner blacklist
shell: |
sed -i 's/blacklist mei/#blacklist mei/' /etc/modprobe.d/blacklist-hetzner.conf
sed -i 's/blacklist mei-me/#blacklist mei-me/' /etc/modprobe.d/blacklist-hetzner.conf
when: hetzner_file.stat.exists
- name: tweak cpu params
shell: |
echo -e 'ENABLE="true"\nGOVERNOR="performance"' > /etc/default/cpufrequtils
### setup iptables ###
- name: setup iptables rules, block bogon nets etcetera
shell: |
iptables -A OUTPUT -p tcp -s 0/0 -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -p tcp -s 0/0 -d 100.64.0.0/10 -j DROP
iptables -A OUTPUT -p tcp -s 0/0 -d 169.254.0.0/16 -j DROP
iptables -A OUTPUT -p tcp -s 0/0 -d 192.0.0.0/24 -j DROP
iptables -A OUTPUT -p tcp -s 0/0 -d 192.0.2.0/24 -j DROP
iptables -A OUTPUT -p tcp -s 0/0 -d 192.88.99.0/24 -j DROP
iptables -A OUTPUT -p tcp -s 0/0 -d 198.18.0.0/15 -j DROP
iptables -A OUTPUT -p tcp -s 0/0 -d 198.51.100.0/24 -j DROP
iptables -A OUTPUT -p tcp -s 0/0 -d 203.0.113.0/24 -j DROP
iptables -A OUTPUT -p tcp -s 0/0 -d 224.0.0.0/4 -j DROP
iptables -A OUTPUT -p tcp -s 0/0 -d 240.0.0.0/4 -j DROP
iptables -A OUTPUT -p udp -s 0/0 -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -p udp -s 0/0 -d 100.64.0.0/10 -j DROP
iptables -A OUTPUT -p udp -s 0/0 -d 169.254.0.0/16 -j DROP
iptables -A OUTPUT -p udp -s 0/0 -d 192.0.0.0/24 -j DROP
iptables -A OUTPUT -p udp -s 0/0 -d 192.0.2.0/24 -j DROP
iptables -A OUTPUT -p udp -s 0/0 -d 192.88.99.0/24 -j DROP
iptables -A OUTPUT -p udp -s 0/0 -d 198.18.0.0/15 -j DROP
iptables -A OUTPUT -p udp -s 0/0 -d 198.51.100.0/24 -j DROP
iptables -A OUTPUT -p udp -s 0/0 -d 203.0.113.0/24 -j DROP
iptables -A OUTPUT -p udp -s 0/0 -d 224.0.0.0/4 -j DROP
iptables -A OUTPUT -p udp -s 0/0 -d 240.0.0.0/4 -j DROP
netfilter-persistent save
iptables -A OUTPUT -p tcp -s 0/0 -d 192.168.0.0/16 -j DROP
iptables -A OUTPUT -p udp -s 0/0 -d 192.168.0.0/16 -j DROP
### setup ufw ###
- name: ufw rule for custom ssh port
ufw:
rule: allow
port: '{{ sshd_config_port }}'
proto: tcp
comment: allow sshd port
- name: ufw rule for prometheus_node_exporter
ufw:
rule: allow
src: '{{ prometheus_source_ip }}'
port: '{{ prometheus_port }}'
proto: tcp
comment: allow from prometheus host
- name: Enable UFW
ufw:
state: enabled
policy: deny
### setup time on the server ###
- name: configure time sync
shell: |
timedatectl set-ntp false
ntpq -p
### node_exporter ###
- name: Install node_exporter systemd unit file
template:
src: node_exporter.service.j2
dest: "{{ systemd_path }}/node_exporter.service"
mode: '0600'
- name: Download node_exporter binary to local folder and unpack
ansible.builtin.unarchive:
src: "https://github.com/prometheus/node_exporter/releases/download/v{{ node_exporter_version }}/node_exporter-{{ node_exporter_version }}.linux-{{ go_arch }}.tar.gz"
dest: /tmp
remote_src: yes
- name: Propagate node_exporter binaries
copy:
src: "/tmp/node_exporter-{{ node_exporter_version }}.linux-{{ go_arch }}/node_exporter"
dest: "{{ _node_exporter_binary_install_dir }}/node_exporter"
remote_src: yes
mode: 0755
owner: root
group: root
### create sudo group ###
- name: Make sure we have a 'sudo' group
group:
name: sudo
state: present
- name: Change group sudo to passwordless
lineinfile:
path: /etc/sudoers
state: present
regexp: '^%sudo'
line: '%sudo ALL=(ALL) NOPASSWD: ALL'
validate: 'visudo -cf %s'
### systemd manipulations ###
- name: restart cpufrequtils service
systemd:
name: cpufrequtils
state: restarted
- name: enable netfilter service
systemd:
name: netfilter-persistent
enabled: yes
- name: start node_exporter service
systemd:
name: node_exporter
state: started
enabled: yes
- name: restart fail2ban service
systemd:
name: fail2ban
state: restarted
- name: restart sshd service
systemd:
name: sshd
state: restarted
# - name: Creating a file hosts.allow file
# copy:
# dest: "/etc/hosts.allow"
# content: |
# sshd : localhost : allow
# sshd : YOUR-IP1 : allow
# sshd : YOUR-IP1 : allow
# sshd : ALL : deny
Raw
new-server.ini
[servers]
YOUR-IP
[all:vars]
ansible_ssh_common_args='-o StrictHostKeyChecking=no'
ansible_python_interpreter='/usr/bin/python3'
prometheus_source_ip='PROMETHEUS-IP'
systemd_path='/etc/systemd/system'
default_ssh_user='ubuntu'
default_ssh_port='22'
sshd_config_port='12345'
prometheus_port='9100'
node_exporter_version='1.4.0'
go_arch='amd64'
_node_exporter_binary_install_dir='/usr/local/bin'
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment