opensour.cc developers' network - quick start guides to bootstrap examples

(Perfect for people with a short attention span, needing to get work done!)

In this example, our aim is to provision a freshly deployed Ubuntu Server:

  1. Install the packages Ansible requires on the remote host to work properly:
    • Aptitude
    • Python 2
    • Python Simple JSON
  2. After setting up the base for Ansible, gather facts about the host.
  3. Update repository cache if it's older than 1 hour.
  4. Install, start, and configure Ubuntu's Uncomplicated Firewall (UFW) service in a series of steps:
    1. Reset state
    2. Enable firewall state
    3. Temporarily allow all connections in both directions
    4. Turn on logging
    5. Allow outbound DNS
    6. Allow inbound SSH
      1. The interface is configurable with the Ansible extra variable "interface"
      2. The bastion host is configurable with the Ansible extra variable "bastion"
    7. SSH connection limiting (e.g. someone is trying to brute-force a login)
      • Disabled: Ansible causes UFW to report a conflict ("ERROR: Invalid token 'on'"), and without specifying an interface, this would open up SSH on other interfaces (e.g. VPN connections)
    8. Deny everything else that's incoming, on all protocols
    9. Allow all outbound connections
    10. Reload the firewall
  5. Install some base packages
  6. Check for packages to upgrade, reboot if necessary
  7. Adjust auto-upgrade settings
    • Update package lists
    • Download upgradeable packages
    • Auto-clean unnecessary packages
    • Upgrade without intervention
  8. Set timezone to UTC
  9. Set host name to Ansible inventory's entry
  10. Synchronize time via the Network Time Protocol, and set time to auto-update to avoid drift.
  11. Configure SSH Server
    • Allow root logins with authentication keys
    • Disable password authentication, and restrict system to authentication keys
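
The firewall sequence in step 4, written out as Ansible tasks. This is an added example, not the original ubuntu-initial.yml; it assumes the stock ufw module, SSH on port 22, DNS over UDP and TCP, and the hypothetical helper variables ssh_interface and ssh_source.

```yaml
# Added example, not the original ubuntu-initial.yml.
# ssh_interface / ssh_source are hypothetical names wrapping the page's
# "interface" and "bastion" extra variables.
- hosts: "{{ target }}"
  become: true
  vars:
    ssh_interface: "{{ interface | default('eth0') }}"
    ssh_source: "{{ bastion | default('any') }}"   # 'any' when no bastion is given
  tasks:
    - name: 4.1 Reset state
      ufw: { state: reset }

    - name: 4.2 Enable firewall state
      ufw: { state: enabled }

    - name: 4.3 Temporarily allow all connections in both directions
      ufw: { policy: allow, direction: "{{ item }}" }
      with_items: [incoming, outgoing]

    - name: 4.4 Turn on logging
      ufw:
        logging: 'on'   # quoted, otherwise YAML parses it as a boolean

    - name: 4.5 Allow outbound DNS (port 53, UDP and TCP assumed)
      ufw:
        rule: allow
        direction: out
        port: '53'
        proto: "{{ item }}"
      with_items: [udp, tcp]

    - name: 4.6 Allow inbound SSH on one interface, from the bastion if set
      ufw:
        rule: allow
        direction: in
        interface: "{{ ssh_interface }}"
        from_ip: "{{ ssh_source }}"
        port: '22'      # assumed default SSH port
        proto: tcp

    - name: 4.8 Deny everything else that's incoming
      ufw: { policy: deny, direction: incoming }

    - name: 4.9 Allow all outbound connections
      ufw: { policy: allow, direction: outgoing }

    - name: 4.10 Reload the firewall
      ufw: { state: reloaded }
```

Binding the SSH rule to an interface and a source address is what keeps the later default-deny from leaving SSH reachable on other interfaces such as a VPN.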

Commands:

  • Install required Ansible Roles:
    • ansible-galaxy install \
          jnv.unattended-upgrades \
          resmo.ntp \
          resmo.sshd \
          ;
  • Execute Playbook
    1. read -p "Ansible Inventory Host: " ansibleInvHost
    2. ansible-playbook ubuntu-initial.yml --extra-vars "target=$ansibleInvHost"
      • If you use a different interface than eth0 and/or a bastion host, you can add extra-variables:
        ansible-playbook ubuntu-initial.yml --extra-vars "target=$ansibleInvHost interface=eth1 bastion=1.2.3.4"

Works with:

  • Ubuntu Server 14 LTS
  • Ubuntu Server 16 LTS

Where to go after here?:

ubuntu-initial.yml:
