{"id":16779803,"url":"https://github.com/petermosmans/ansible-role-bootstrap","last_synced_at":"2025-04-10T20:52:56.577Z","repository":{"id":41241351,"uuid":"46694444","full_name":"PeterMosmans/ansible-role-bootstrap","owner":"PeterMosmans","description":"Ansible role for bootstrapping a server installation","archived":false,"fork":false,"pushed_at":"2022-04-12T09:35:54.000Z","size":94,"stargazers_count":9,"open_issues_count":1,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-24T18:21:41.737Z","etag":null,"topics":["ansible","ansible-role","baseline","bootstrap","configuration","hardening","installation"],"latest_commit_sha":null,"homepage":null,"language":"Jinja","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/PeterMosmans.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-11-23T03:27:47.000Z","updated_at":"2023-07-25T02:24:43.000Z","dependencies_parsed_at":"2022-09-16T09:02:10.545Z","dependency_job_id":null,"html_url":"https://github.com/PeterMosmans/ansible-role-bootstrap","commit_stats":null,"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PeterMosmans%2Fansible-role-bootstrap","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PeterMosmans%2Fansible-role-bootstrap/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PeterMosmans%2Fansible-role-bootstrap/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PeterMosmans%2Fansible-role-bootstrap/manifests","owner_url":"https://repo
s.ecosyste.ms/api/v1/hosts/GitHub/owners/PeterMosmans","download_url":"https://codeload.github.com/PeterMosmans/ansible-role-bootstrap/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248297011,"owners_count":21080309,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","ansible-role","baseline","bootstrap","configuration","hardening","installation"],"created_at":"2024-10-13T07:32:26.875Z","updated_at":"2025-04-10T20:52:56.547Z","avatar_url":"https://github.com/PeterMosmans.png","language":"Jinja","funding_links":[],"categories":[],"sub_categories":[],"readme":"Ansible Role: Bootstrap\n=======================\n\nBuild status for this role: [![Build Status](https://travis-ci.org/PeterMosmans/ansible-role-bootstrap.svg)](https://travis-ci.org/PeterMosmans/ansible-role-bootstrap)\n\n\nThis role bootstraps a (new) server into existence. It installs and tightens a\nfirewall, hardens SSH and modifies GRUB. The main focus is on **hardening a\nfresh server installation**.\n\n\nRequirements\n------------\n\nNone.\n\nRole Variables\n--------------\n\nAvailable variables are listed below alphabetically, along with default values.\n\n**bootstrap_alternatives**: A list with alternatives, to manage symbolic links\nusing the ``update-alternatives`` tool. Example:\n```\nbootstrap_alternatives:\n  - link: /usr/bin/pip\n    name: pip\n    path: /usr/bin/pip3\n```\n\n**bootstrap_commands**: A list with commands that will be executed on the host\nas last step of the bootstrap role. 
Example:\n```\nbootstrap_commands:\n- \"sudo /usr/bin/compact_box.sh\"\n```\n\n\n**bootstrap_directories**: A list with directories and files that will be\ncreated along with permissions, owner and groups. Example:\n```\nbootstrap_directories:\n - path: /var/git\n   mode: \"2660\"\n   owner: root\n   group: git\n - path: /tmp/empty\n   mode: \"0777\"\n   owner: root\n   group: root\n   state: touch\n```\n\n\n**bootstrap_files**: A list with files that will be copied to the target\nmachine. Example:\n```\nbootstrap_files:\n- src: my-file.py\n  dest: /tmp/my-file.py\n  mode: \"0755\"\n```\nThis will be provisioned when the `files` tag is used.\n\n**bootstrap_git_repositories**: A list with common git repositories that will be\ncloned. Example:\n```\nbootstrap_git_repositories:\n - repo: https://github.com/PeterMosmans/security-scripts\n   dest: /var/git/security-scripts\n   version: master\n```\n\nNote that when this variable is set, the git package needs to be installed, or\npart of the **bootstrap_packages** list.\n\n**bootstrap_groups**: A list with user groups that will be added by default.\nOptionally the system parameter can be set, to denote whether it's a system\ngroup or not. The defaults can be found in `defaults/main.yml`:\n```\nbootstrap_groups:\n  - name: sudo\n    system: yes\n```\n\n\n**bootstrap_groups_remove**: A list with groups that will be removed by default.\nThe defaults can be found in `defaults/main.yml`:\n```\nbootstrap_groups_remove:\n  - bluetooth\n```\n\n\n**bootstrap_locale**: The locale to use (e.g. en_US.UTF-8). If not set, it will\ndefault to en_US.UTF-8. Example:\n```\nbootstrap_locale: \"en_US.UTF-8\"\n```\nNote that this needs the locale package to properly function. If the package isn't\navailable, the role will still continue.\n\n**bootstrap_mounts**: A list of mounts that will be added to the mount file\n(`/etc/fstab`). 
Example:\n```\nbootstrap_mounts:\n  - path: /home/peter/demos\n    src: demos\n    fstype: vboxsf\n    opts: auto,rw,uid=1000,gid=1000\n    state: present\n```\nThis will be provisioned when the `mounts` tag is used.\n\n**bootstrap_reboot_allowed**: Whether Ansible is allowed to perform a reboot, if\nthe kernel version has changed, or when the network has become 'unresponsive'\n(for instance after a hostname change). The default is false.\n\n\n**bootstrap_users**: A nested list of users to add, with their SSH key, and\noptional: encrypted password, git repos to install (e.g. dotfiles), and installers to run (e.g.\nsetting up symlinks). Example:\n```\nbootstrap_users:\n - name: apenut\n   comment: \"Ape Nut\"\n   groups:\n     - git\n     - sudo\n   password: \"$6$Qpc015eEs$4Eav1QM.omXm8bD7DFOTNQx6L3SG47vDT8JuMfW15e5gNbgq/C6D/7ZRdH4qoGLi0AW/HBWjJ/pm1thSQPK.e0\"\n   shell: \"/bin/bash\"\n   ssh_key: https://github.com/your-github-username.keys\n   repos:\n     - src: https://github.com/your-github-username/dotfiles\n       dest: /home/apenut/.dotfiles\n       version: master\n   installers:\n     - command: /home/apenut/.dotfiles/installer.sh\n```\nIf you don't want to add any password, repositories or installer scripts, you can also\nrefrain from adding the `password` value, and leave the `repos` and `installers`\nvariables empty. The rest of the variables are required per user though.\n```\nbootstrap_users:\n - name: apenut\n   comment: \"Ape Nut\"\n   groups:\n     - git\n     - sudo\n   shell: \"/bin/bash\"\n   ssh_key: https://github.com/your-github-username.keys\n   repos: []\n   installers: []\n```\n\n\n**bootstrap_packages**: A list with packages that will be installed by default.\nThe defaults can be found in `defaults/main.yml`:\n```\nbootstrap_packages:\n  - git\n  - python3-pip\n  - sudo\n  - ufw\n```\n\n**bootstrap_packages_remove**: A list with packages that will be removed by\ndefault. 
The defaults can be found in `defaults/main.yml`:\n```\nbootstrap_packages_remove:\n  # packages not needed on bare metal\n  - acpid\n  - bluez\n  - crda\n  - discover\n  - discover-data\n  - eject\n  - iw\n  - laptop-detect\n  - powertop\n  - task-laptop\n  - wireless-regdb\n  - wireless-tools\n  - wpasupplicant\n  # several superfluous packages\n  - console-setup\n  - cups\n  - dictionaries-common\n  - installation-report\n  - iso-codes\n  - ispell\n  - krb5-locales\n  - man-db\n  - manpages\n  - nano\n  - shared-mime-info\n  - task-english\n  - util-linux-locales\n  - wamerican\n  - xkb-data\n  - xz-utils\n```\n\n\n**bootstrap_pip_packages**: A list with pip packages that will be installed globally by default. Example:\n```\nbootstrap_pip_packages:\n  - ansible\n```\n\nNote that **pip** (e.g. `python3-pip`) needs to be installed for this, so don't\nforget to add that to the **bootstrap_packages** list.\n\n**bootstrap_pip_version**: The version of pip to be used. This defaults to pip3\nwhen not specified but can be overridden.\n\n\n**bootstrap_ufw_tcp_allow**: A list of TCP ports that will be opened up in the firewall. It defaults to port 22 only. Example:\n```\nbootstrap_ufw_tcp_allow:\n  - \"22\"\n  - \"80\"\n  - \"443\"\n```\n\nNote that when this variable is set, the ufw package needs to be installed, or\npart of the **bootstrap_packages** list.\n\n\n**bootstrap_url_packages**: A list of URLs that will be installed as packages.\nExample:\n```\nbootstrap_url_packages:\n- https://github.com/sharkdp/bat/releases/download/v0.12.1/bat_0.12.1_amd64.deb\n```\n\n**grub_settings**: A list of name / value pairs that will be applied to the GRUB config file. The defaults can be found in `defaults/main.yml`:\n```\ngrub_settings:\n  - name: \"GRUB_TIMEOUT\"\n    value: \"0\"\n  - name: \"GRUB_RECORDFAIL_TIMEOUT\"\n    value: \"0\"\n```\n\n\n**sshd_moduli_remove**: A list of moduli values that will be removed from the /etc/ssh/moduli list. 
The defaults can be found in `defaults/main.yml`:\n```\nsshd_moduli_remove:\n  - 1023\n  - 1535\n```\n\n\n**timezone**: The timezone for the machine. The default can be found in `defaults/main.yml`:\n```\ntimezone: Etc/UTC\n```\n\n## Templates\n\n**bootstrap_templates**: A list with templates that will be applied and deployed.  The defaults can be found in `defaults/main.yml`:\n```\nbootstrap_templates:\n  - src: hosts.j2\n    dest: /etc/hosts\n    mode: \"0644\"\n  - src: issue.ssh.j2\n    dest: /etc/issue.ssh\n    mode: \"0644\"\n  - src: locale.j2\n    dest: /etc/default/locale\n    mode: \"0644\"\n  - src: sshd_config.j2\n    dest: /etc/ssh/sshd_config\n    mode: \"0644\"\n```\n\n\nThe following templates will be applied and deployed by default:\n\n#### hosts\nThe template `templates/hosts.j2` will be copied to the host. The list of IP - name pairs in the variable `bootstrap_hostsfile` will be deployed. Example:\n```\nbootstrap_hostsfile:\n  - ip: 127.0.0.1\n    name: mywebsite\n```\n\n\n#### issue.ssh\nThe template `templates/issue.ssh.j2` will be copied to the host, and applied as SSH banner using the **company** variable. Change the text to something that applies to you(r company). The default can be found in `defaults/main.yml`:\n```\ncompany: \"Go Forward\"\n```\n\n\n#### locale\nThe template `templates/locale.j2` will be copied to the host, and contain the correct bootstrap_locale string(s).\n\n\n#### sshd_config\nThe following (Jinja) variables will be applied to the SSH daemon template file in `templates/sshd_config.j2`. 
The defaults can be found in `defaults/main.yml`:\n```\nsshd_acceptenv: LANG LC_*\nsshd_banner: /etc/issue.ssh\nsshd_ciphers: \"chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\"\nsshd_gssapiauthentication: \"no\"\nsshd_hostkeyalgorithms: \"ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa\"\nsshd_kexalgorithms: \"curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\"\nsshd_macs: \"hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com\"\nsshd_maxauthtries: 2\nsshd_passwordauthentication: \"no\"\nsshd_permitemptypasswords: \"no\"\nsshd_permitrootlogin: \"no\"\nsshd_pubkeyauthentication: \"yes\"\nsshd_usedns: \"no\"\nsshd_usepam: \"yes\"\nsshd_x11forwarding: \"no\"\n```\n\n\nDependencies\n------------\n\nNone.\n\n\n\nExample Playbook\n----------------\n```\n- hosts: all\n  become: yes\n  become_method: sudo\n  roles:\n  - role: PeterMosmans.bootstrap\n  vars:\n    hostname: \"myhostname\"\n```\nThis example will harden SSH, configure GRUB, and name the host \"myhostname\".\n\n\n\nLicense\n-------\n\nGPLv3\n\n\nAuthor Information\n------------------\n\nCreated by Peter Mosmans.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpetermosmans%2Fansible-role-bootstrap","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpetermosmans%2Fansible-role-bootstrap","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpetermosmans%2Fansible-role-bootstrap/lists"}