{"id":20716385,"url":"https://github.com/mvladislav/ansible-env-setup","last_synced_at":"2025-07-16T09:39:22.839Z","repository":{"id":48868808,"uuid":"383649551","full_name":"MVladislav/ansible-env-setup","owner":"MVladislav","description":"ansible playbooks with roles to setup client or server. with security related parts","archived":false,"fork":false,"pushed_at":"2025-05-11T13:04:47.000Z","size":686,"stargazers_count":2,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-06-03T23:21:10.499Z","etag":null,"topics":["aide","ansible","ansible-playbook","cis","docker","linux","lynis","postfix","security","ssh","submodules","ubuntu","ufw"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/MVladislav.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-07-07T02:18:42.000Z","updated_at":"2025-05-11T13:04:50.000Z","dependencies_parsed_at":"2023-02-18T13:30:29.230Z","dependency_job_id":"825c5f7d-c008-45aa-a440-a89a51078e9c","html_url":"https://github.com/MVladislav/ansible-env-setup","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/MVladislav/ansible-env-setup","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MVladislav%2Fansible-env-setup","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MVladislav%2Fansible-env-setup/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/
MVladislav%2Fansible-env-setup/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MVladislav%2Fansible-env-setup/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/MVladislav","download_url":"https://codeload.github.com/MVladislav/ansible-env-setup/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MVladislav%2Fansible-env-setup/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265500532,"owners_count":23777503,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aide","ansible","ansible-playbook","cis","docker","linux","lynis","postfix","security","ssh","submodules","ubuntu","ufw"],"created_at":"2024-11-17T03:05:38.860Z","updated_at":"2025-07-16T09:39:22.828Z","avatar_url":"https://github.com/MVladislav.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Ansible Env Setup\n\n[![Ansible Lint](https://github.com/MVladislav/ansible-env-setup/actions/workflows/ansible-lint.yml/badge.svg)](https://github.com/MVladislav/ansible-env-setup/actions/workflows/ansible-lint.yml)\n\n- [Ansible Env Setup](#ansible-env-setup)\n  - [Clone project](#clone-project)\n  - [Install dependencies on host \\\u0026 setup](#install-dependencies-on-host--setup)\n    - [\\[Optional\\] Molecule install for tests](#optional-molecule-install-for-tests)\n  - [Setup host](#setup-host)\n  - [Setup targets](#setup-targets)\n    - [Flow for Security Playbook](#flow-for-security-playbook)\n  - [Playbooks 
overview](#playbooks-overview)\n    - [ansible-install-server](#ansible-install-server)\n    - [ansible-install-client](#ansible-install-client)\n\n---\n\n## Clone project\n\nClone this repo recursively; the roles are included as submodules:\n\n```sh\n$git clone --recursive https://github.com/MVladislav/ansible-env-setup.git\n\n# load\n$git submodule update --init --recursive\n# update\n$git submodule update --recursive --remote\n```\n\n## Install dependencies on host \u0026 setup\n\nInstall Ansible on the host to run the playbook:\n\n```sh\n$sudo apt install python3 python3-pip python3-venv libssl-dev sshpass\n$python3 -m venv .venv \u0026\u0026 source .venv/bin/activate\n$python3 -m pip install ansible-core ansible-lint yamllint\n$ansible-galaxy collection install --upgrade -r requirements.yml\n```\n\n### [Optional] Molecule install for tests\n\n```sh\n$python3 -m pip install molecule molecule-plugins[docker]\n```\n\n## Setup host\n\nCopy the inventory template `inventory/inventory-example.yml` as `inventory/inventory.yml`:\n\n```sh\n$cp inventory/inventory-example.yml inventory/inventory.yml\n```\n\nCopy the **default vars** file `playbooks/vars/default-example.yml` as `playbooks/vars/default.yml`,\nwhich holds the **ssh-keys** set up by `pre-tasks.yml` for the clients defined in `inventory.yml`:\n\n\u003e clients are identified in `playbooks/vars/default.yml` by the **key** `\"{{ ansible_user }}-{{ ansible_host }}\"`\n\u003e inside `inventory.yml` you can set the related **ssh-key** via **`ansible_ssh_private_key_file`**\n\n```sh\n$cp playbooks/vars/default-example.yml playbooks/vars/default.yml\n```\n\nUpdate `inventory/inventory.yml` with your own configuration as you need.\nBy default multiple playbooks are predefined. 
Use and update them as you need.\n\nThe following are the main playbooks for installing clients or servers:\n\n- base\n  - playbook-sec-short.yml\n- clients\n  - playbook-client.yml\n  - playbook-client-vm.yml\n  - playbook-client-dev.yml\n  - playbook-client-pentest.yml\n- servers\n  - playbook-server-minimal.yml\n  - playbook-server-dev.yml\n  - playbook-server-cluster.yml\n\n## Setup targets\n\n\u003e `-k` =\u003e uses **ssh with a password**, as a fresh setup has no **ssh-key** installed\n\u003e if an **ssh-key** is already installed on the target you do not need to include `-k`\n\nExample to run `playbook-sec-short`:\n\n```sh\n$ansible-playbook playbooks/playbook-sec-short.yml -i inventory/inventory-example-server.yml --ask-become-pass -k\n\n# or with less output information\n$ansible-playbook playbooks/playbook-sec-short.yml -i inventory/inventory-example-server.yml --ask-become-pass -k | grep -v \"started TASK\\|included: \"\n```\n\n### Flow for Security Playbook\n\n![Playbook Sec Short](\u003cdocs/Playbook Sec Short.png\u003e)\n\n## Playbooks overview\n\nIn general the following playbooks/roles/tasks are run by each client playbook with its specific configuration:\n\n- playbook-s-cis\n  \u003e Harden the client by CIS rules\n  - ansible-cis-ubuntu-2204\n  - cis aide env extender\n- playbook-s-pre-install\n  \u003e some pre-installs and configs\n  - pre-tasks\n  - ansible-updater\n  - community.general.ufw\n  - ansible-ssh\n  - ansible-netplan\n  - playbook-s-pre-mailing\n    - ansible-postfix\n    - nullmailer\n- playbook-s-hardening\n  \u003e some more general client hardening\n  - ansible-security\n- [ansible-install-server](#ansible-install-server)\n  \u003e install tools/services for server usage, which are also useful for clients\n- [ansible-install-client](#ansible-install-client)\n  \u003e install tools/services for client usage\n- playbook-s-container\n  - ansible-docker\n    \u003e install Docker with CIS hardening\n  - ansible-kubernetes\n\n### ansible-install-server\n\n- 
servers:\n  - s1: default (TODO)\n  - s2: minimal\n  - s3: dev\n  - s4: cluster\n- clients:\n  - c1: default\n  - c2: vm\n  - c3: dev\n  - c4: pentest\n\n| apps                    | s1  | s2  | s3  | s4  | c1  | c2  | c3  | c4  |\n| :---------------------- | :-: | :-: | :-: | :-: | :-: | :-: | :-: | :-: |\n| apt_base                |     |  x  |  x  |  x  |  x  |  x  |  x  |  x  |\n| apt_exa                 |     |     |     |     |     |     |     |     |\n| apt_eza                 |     |  x  |  x  |  x  |  x  |  x  |  x  |  x  |\n| apt_bat                 |     |  x  |  x  |  x  |  x  |  x  |  x  |  x  |\n| apt_ncdu                |     |     |     |     |     |     |     |     |\n| apt_auth_priv           |     |     |  x  |     |  x  |  x  |  x  |  x  |\n| apt_cert                |     |  x  |  x  |  x  |  x  |  x  |  x  |  x  |\n| apt_archive             |     |     |  x  |     |     |  x  |  x  |  x  |\n| apt_dev                 |     |     |  x  |     |     |  x  |  x  |  x  |\n| apt_build               |     |     |  x  |     |     |     |     |  x  |\n| apt_libs                |     |     |  x  |     |     |     |     |  x  |\n| apt_php                 |     |     |     |     |     |     |     |     |\n| apt_lua                 |     |     |     |     |     |     |     |     |\n| apt_java_jre_headless   |     |     |  x  |     |     |     |     |     |\n| apt_java_jdk            |     |     |     |     |     |     |     |     |\n| apt_java_ant            |     |     |     |     |     |     |     |     |\n| apt_java_maven          |     |     |     |     |     |     |     |     |\n| apt_java_gradle         |     |     |     |     |     |     |     |     |\n| apt_snap                |     |     |  x  |     |  x  |  x  |  x  |  x  |\n| apt_qemu_guest_agent    |     |  x  |  x  |  x  |     |  x  |     |  x  |\n| apt_rasp_pi_pkg         |     |     |     |     |     |     |     |     |\n| apt_vpn_resolvconf      |     |     |     |     |     |     |     |     
|\n| apt_vpn_wireguard       |     |     |     |     |     |     |     |     |\n| apt_vpn_openvpn         |     |     |     |     |     |     |     |     |\n| apt_vpn_openconnect     |     |     |     |     |     |     |     |     |\n| apt_latex               |     |     |     |     |     |  x  |  x  |  x  |\n| apt_pandoc              |     |     |     |     |     |  x  |  x  |  x  |\n| apt_apt_john_the_ripper |     |     |     |     |     |     |     |  x  |\n| apt_nmap                |     |     |     |     |     |  x  |  x  |  x  |\n| snap_john_the_ripper    |     |     |     |     |     |     |     |     |\n| snap_nmap               |     |     |  x  |     |     |     |     |     |\n| snap_juju               |     |     |     |     |     |     |     |     |\n| snap_maas               |     |     |     |     |     |     |     |     |\n| snap_microk8s           |     |     |     |     |     |     |     |     |\n| snap_kubectl            |     |     |     |     |     |     |     |     |\n| snap_helm               |     |     |     |     |     |     |     |     |\n| snap_multipass          |     |     |     |     |     |     |     |     |\n| snap_btop               |     |     |  x  |     |  x  |  x  |  x  |  x  |\n| snap_glow               |     |     |  x  |     |     |     |     |  x  |\n| snap_go                 |     |     |     |     |     |     |     |     |\n| snap_httpie             |     |     |     |     |     |     |  x  |     |\n| snap_node               |     |     |     |     |     |     |  x  |     |\n| snap_ruby               |     |     |     |     |     |     |     |     |\n| snap_rust               |     |     |     |     |     |     |     |     |\n| snap_openjdk            |     |     |     |     |     |     |     |     |\n| snap_openjfx            |     |     |     |     |     |     |     |     |\n| inst_git_conf           |     |  x  |  x  |  x  |  x  |  x  |  x  |  x  |\n| inst_fonts              |     |  x  |  x  |  x  |     |  x  |  x  |  
x  |\n| inst_zsh_conf           |     |  x  |  x  |  x  |     |  x  |  x  |  x  |\n| inst_tmux_conf          |     |  x  |  x  |     |     |  x  |  x  |  x  |\n| inst_nvim_conf          |     |  x  |  x  |     |     |  x  |  x  |  x  |\n| apt_python              |     |  x  |  x  |     |     |  x  |  x  |  x  |\n| apt_python_pip          |     |  x  |  x  |     |     |  x  |  x  |  x  |\n| apt_python_venv         |     |  x  |  x  |     |     |  x  |  x  |  x  |\n| apt_python_dev          |     |     |  x  |     |     |  x  |  x  |  x  |\n| pip_s_tui               |     |  x  |  x  |     |     |  x  |  x  |  x  |\n| pip_virtualenv          |     |     |     |     |     |     |     |     |\n| pip_autopep8            |     |     |  x  |     |     |  x  |  x  |  x  |\n| pip_black               |     |     |  x  |     |     |  x  |  x  |  x  |\n| pip_mypy                |     |     |  x  |     |     |  x  |  x  |  x  |\n| pip_pre_commit          |     |     |  x  |     |     |  x  |  x  |  x  |\n| pip_openconnect_sso     |     |     |     |     |     |     |     |     |\n| pip_ansible             |     |     |  x  |     |     |  x  |  x  |     |\n| go_kompose              |     |     |     |     |     |     |     |     |\n| go_act                  |     |     |     |     |     |     |     |     |\n\n### ansible-install-client\n\n| services/tools           | default | dev | pentest | vm  |\n| :----------------------- | :-----: | :-: | :-----: | :-: |\n| dev                      |    x    |  x  |    x    |  x  |\n| fonts                    |    x    |  x  |    x    |  x  |\n| gnome additional's       |    x    |  x  |    x    |  x  |\n| gnome dep.               |         |     |         |     |\n| gnome ext.               |    x    |  x  |    x    |  x  |\n| gnome ext. ubuntu tiling |         |     |         |     |\n| gnome ext. caffeine      |         |     |         |     |\n| gnome ext. sound         |         |     |         |     |\n| gnome ext. 
blur shell    |    x    |  x  |    x    |  x  |\n| gnome ext. burn window   |         |     |         |     |\n| gnome ext. dash to panel |    x    |  x  |    x    |  x  |\n| gnome ext. ui tune       |         |     |         |     |\n| gnome keybinding         |         |     |         |     |\n| gnome overlay            |    x    |  x  |    x    |  x  |\n| gnome terminal overlay   |    x    |  x  |    x    |  x  |\n\n| apps                     | default | vm  | dev | pentest |\n| :----------------------- | :-----: | :-: | :-: | :-----: |\n| base                     |    x    |  x  |  x  |    x    |\n| auth_priv                |    x    |  x  |  x  |    x    |\n| ubuntu                   |    x    |  x  |  x  |    x    |\n| archive                  |         |  x  |  x  |    x    |\n| codec                    |         |     |     |         |\n| gnome                    |         |     |     |         |\n| snap                     |    x    |  x  |  x  |    x    |\n| flatpak                  |    x    |  x  |  x  |    x    |\n| texmaker                 |         |     |     |         |\n| logitech_unifying_solaar |         |     |     |         |\n| mpv                      |         |     |     |         |\n| vpn_resolvconf           |         |     |     |         |\n| vpn_l2tp                 |         |     |     |         |\n| vpn_openvpn              |         |     |     |         |\n| vpn_openconnect          |         |     |     |         |\n| vpn_wireguard            |         |     |     |         |\n| gnome_boxes              |         |     |     |         |\n| virt_viewer              |         |     |  x  |         |\n| veracrypt                |    x    |  x  |  x  |    x    |\n| veracrypt_cli            |         |     |     |         |\n| virtualbox               |         |     |     |         |\n| 1password_cli            |         |     |     |         |\n| portmaster               |         |     |     |         |\n| parsec                   
|         |     |     |         |\n| brim                     |         |     |     |    x    |\n| logseq                   |         |  x  |  x  |    x    |\n| ultimaker                |         |     |  x  |         |\n|                          |         |     |     |         |\n| 1password                |         |     |     |         |\n| keepassxc                |         |     |     |         |\n| yubioath                 |         |     |     |         |\n| chromium                 |         |  x  |  x  |    x    |\n| denaro                   |         |     |     |         |\n| firefox                  |    x    |  x  |  x  |    x    |\n| flameshot                |         |     |     |         |\n| foliate                  |         |     |     |         |\n| libreoffice              |         |     |     |         |\n| newsflash                |         |     |     |         |\n| okular                   |         |     |     |         |\n| onlyoffice               |    x    |  x  |  x  |    x    |\n| thunderbird              |    x    |     |  x  |         |\n| xournalpp                |         |     |     |         |\n| zoom                     |         |     |     |         |\n| discord                  |         |     |     |         |\n| jdownloader              |         |     |     |         |\n| signal                   |    x    |     |  x  |         |\n| telegram                 |    x    |     |  x  |         |\n| blender                  |         |     |     |         |\n| darktable                |         |     |  x  |         |\n| drawio                   |    x    |     |  x  |    x    |\n| gimp                     |    x    |     |  x  |         |\n| inkscape                 |    x    |     |  x  |    x    |\n| krita                    |         |     |     |         |\n| lunacy                   |         |     |  x  |         |\n| upscayl                  |         |     |  x  |    x    |\n| amberol                  |         |     
|     |         |\n| haruna                   |    x    |  x  |  x  |    x    |\n| obs                      |         |     |     |         |\n| parabolic                |         |     |     |         |\n| video_trimmer            |         |     |     |         |\n| vlc                      |         |     |     |         |\n| moosync                  |         |     |     |         |\n| spotify                  |    x    |     |  x  |         |\n| steam                    |         |     |     |         |\n| android_studio           |         |     |     |    x    |\n| beekeeper_studio         |         |     |     |    x    |\n| code                     |         |  x  |  x  |    x    |\n| dbeaver                  |         |     |     |    x    |\n| insomnia                 |         |     |     |    x    |\n| postman                  |         |     |     |         |\n| remmina                  |         |  x  |  x  |    x    |\n| rpi_imager               |         |     |     |         |\n| ghidra                   |         |     |     |    x    |\n| zaproxy                  |         |     |     |    x    |\n|                          |         |     |     |         |\n| mqtt_explorer            |         |     |     |    x    |\n| UBports                  |         |     |     |         |\n| fbreader                 |         |     |     |         |\n| pixelfx                  |         |     |     |         |\n|                          |         |     |     |         |\n| cryptomator              |         |     |     |    x    |\n| flatseal                 |    x    |  x  |  x  |    x    |\n| pika_backup              |         |     |     |         |\n| ausweisapp2              |         |     |     |         |\n| easy_effects             |         |     |  x  |         |\n| extension_manager        |         |     |     |         |\n| filezilla                |         |     |     |         |\n| missioncenter            |         |     |     |         
|\n| planify                  |         |     |     |         |\n| warp                     |         |     |     |    x    |\n| threemaqt                |         |     |     |         |\n| conjure                  |         |     |     |         |\n| peek                     |         |     |     |         |\n| girens                   |         |     |     |         |\n| lutris                   |         |     |     |         |\n| arduinoide               |         |     |     |         |\n| betaflightconfigurator   |         |     |     |         |\n| fritzing                 |         |     |     |         |\n| mongodb_compass          |         |     |     |         |\n| sublimetext              |         |     |     |         |\n| wireshark                |         |     |     |         |\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmvladislav%2Fansible-env-setup","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmvladislav%2Fansible-env-setup","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmvladislav%2Fansible-env-setup/lists"}