Last active
February 7, 2021 10:04
-
-
Save dhet/59cc8c8c3f0ef7f5604bdf2af7f0b960 to your computer and use it in GitHub Desktop.
An Ansible playbook for setting up a host which can run Docker Compose (including an unprivileged service account for deployments)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| docker_username: dhetbot | |
| docker_password: !vault | | |
| $ANSIBLE_VAULT;1.1;AES256 | |
| 33383361346365316566663434303530346663636261653934316366323162616137343464656438 | |
| 3032616265386530393237663533323834393064343531390a626233353961363632643661376164 | |
| 65336635366130663266623861613834646232393766396462316365346665613065646638333534 | |
| 6364373831346235610a366639393163666234643631396464643036623536396335666336343133 | |
| 6561 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| - hosts: all | |
| remote_user: root | |
| gather_facts: false | |
| vars: | |
| users: | |
| - name: david | |
| groups: docker,appadmin | |
| key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDGJXMAnZGc8+qZYm1Vb2ZyPsyKoweoqFQ0PBzkd1ZiioBWIK185zgV4VvVHruTc+xozFZPXacM0WAxBQ7CE2fyD9ssyDPA/bB+JQ4C572GV9MDA0mIsRUF3DxXbUB0ROmvQ6VDxqT+mUn1tDyLmxVqZAxSLEobgaWV7c5K8IPdF47RU7/elOWjTHssfsyghztbhr7LYlO5JJRGuK/kv40mVrQWGWrcHqNEgnJLuCC2I8OaZqzGNynL6gymTdYs/JtZahO/0E0SNct+dk+/eiVzkl9RzbBmAZXTKGOxG/qCF0G2SEQU7joDTwO6Ohc2hvdBe+g+uUWh/Mcpiq0+0EMIB5fiRSEJo1AAzphbp/zjUemAWzGcjo6Vt+6NgQm0BhU1L2mgptom44hVxtNbQebKnPk+6uB0addJf09LMQ+6qKJluGFefwTmpk5+yrXNhgfl5UP+i32X4XI6ofcF+lCsjK/MAml00LCWRFpfnw7NuWtKfmkd+blK5rgzWBL/zVyx2voBVRAOWu3ydid22j2AYzwSiG6KGdcZGweftm5meCsaZtbnwCTYCDhwvp2rie2SjfkGiimhGOT+vkXYa3XDO0I3L2kr110lqiVahjtjzArZK25qRcf2RmVtg4xxuekAfjDGPm5XWMiGDlVuP8uuknAuU6gP+/8Ig2UGpEBwZQ== david | |
| sudo: true | |
| - name: automation | |
| groups: docker,appadmin | |
| key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCXdd1mM0+xynLjXJ5TcaU1J1EKNYBMc0TzG2hWaHRufklMwLo4ZdaDyXjeEovWi84ZQGV0ldjni+D6doN2EvhSgeEumC2wW0nX98j/317m++jNfZpjIr3ut/P3+zfGPDJBa7xqzrLpEleU47iebo+Hm/sTuf50SqSt7sr5k33E15B4xil9TKuR/SF753OO1VnQqJh/a84QrC9IGJrOSrsxLCe1Qs1Rs98lMmuToGQ7C5ZRmrw7KGHVFecDcSvknZ9uOUwRqWDXebnTbCebVbyY2CJ6ZeIco4bYkioWZGU45xOAh4iLT5CHXmGWCYS5rU16JH1Jmajz4Zz8vdMBmCrehh3eN1sMgecu2r+VTVtlL2fQzPnSdl2994y6P4zhUJCTpzvChM0QkTE/4DR5+Wi+n+fUWUh0Ek2mjXduOGoie/yMBHH8yOzAM3GtzNnLTr/Z6IZEsvHz684wwTV3bEQ9YEYq/tIHLPszOpery6scDgppLhKCoGjYh8mb7FvFPY2dMqWIqvTgaC4hx55EBKrKvVkk4rpri5I2Hxrjlbr7K2+8KWI+Nw88gSZiPQthNeEVVsdy/krFWrdpYNr828Zqv9p8dXcTiF7aP9cSfmhZuRW2G0lxhUaTz3+B/SaCtjRjSw1GYZf2yd++KJvDV6+0jl/KvMS9D/1+A1vpfSQt7Q== automation | |
| sudo: true | |
| vars_files: | |
| - secrets.yaml | |
| handlers: | |
| - name: Restart ssh | |
| service: | |
| name: ssh | |
| state: restarted | |
| tasks: | |
| - name: Install packages | |
| apt: | |
| name: | |
| - ufw | |
| - fail2ban | |
| - vim | |
| - htop | |
| - jq | |
| - unattended-upgrades | |
| - docker | |
| - docker.io | |
| - docker-compose | |
| state: present | |
| update_cache: yes | |
| cache_valid_time: 3600 | |
| - name: Upgrade packages | |
| apt: | |
| upgrade: safe | |
| - name: Adjust update intervals | |
| copy: | |
| dest: /etc/apt/apt.conf.d/10periodic | |
| content: | | |
| APT::Periodic::Update-Package-Lists "1"; | |
| APT::Periodic::Download-Upgradeable-Packages "1"; | |
| APT::Periodic::AutocleanInterval "7"; | |
| APT::Periodic::Unattended-Upgrade "1"; | |
| - name: Setup firewall | |
| ufw: | |
| state: enabled | |
| policy: deny | |
| - name: Open ports | |
| ufw: | |
| rule: allow | |
| port: "{{ item }}" | |
| loop: [ "22", "80", "443"] | |
| - name: Disallow password authentication | |
| lineinfile: | |
| dest: /etc/ssh/sshd_config | |
| regexp: "^PasswordAuthentication" | |
| line: "PasswordAuthentication no" | |
| state: present | |
| notify: Restart ssh | |
| - name: Create appadmin group | |
| group: | |
| name: appadmin | |
| state: present | |
| - name: Add users | |
| user: | |
| name: "{{ item.name }}" | |
| groups: "{{ item.groups }}" | |
| shell: /bin/bash | |
| loop: "{{ users }}" | |
| - name: Configure SSH access | |
| authorized_key: | |
| user: "{{ item.name}}" | |
| key: "{{ item.key }}" | |
| loop: "{{ users }}" | |
| - name: Configure sudoers | |
| lineinfile: | |
| dest: /etc/sudoers | |
| regexp: "{{ item.name }} ALL" | |
| line: "{{ item.name }} ALL=(ALL) NOPASSWD:ALL" | |
| state: present | |
| when: item.sudo | |
| loop: "{{ users }}" | |
| - name: Log users into Dockerhub | |
| docker_login: | |
| username: "{{ docker_username }}" | |
| password: "{{ docker_password }}" | |
| become_user: "{{ item.name }}" | |
| loop: "{{ users }}" | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment