https://github.com/simbo/srvkist
Ansible scripts for bootstrapping, securing and managing an ubuntu server.
https://github.com/simbo/srvkist
Last synced: over 1 year ago
JSON representation
Ansible scripts for bootstrapping, securing and managing an ubuntu server.
- Host: GitHub
- URL: https://github.com/simbo/srvkist
- Owner: simbo
- License: mit
- Created: 2017-09-12T01:35:28.000Z (almost 9 years ago)
- Default Branch: master
- Last Pushed: 2018-07-25T00:12:08.000Z (almost 8 years ago)
- Last Synced: 2025-01-21T09:09:17.468Z (over 1 year ago)
- Language: Shell
- Size: 32.2 KB
- Stars: 1
- Watchers: 2
- Forks: 1
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
srvkist
=======
> Ansible scripts for bootstrapping, securing and managing an ubuntu server.
---
- [Requirements](#requirements)
- [Preparations](#preparations)
- [First Run](#first-run)
- [Usage](#usage)
- [Playbook `setup.yml`](#playbook-setupyml)
- [Tag `bootstrap`](#tag-bootstrap)
- [Tag `acme-sh`](#tag-acme-sh)
- [Tag `nginx`](#tag-nginx)
- [Tag `nginxconf`](#tag-nginxconf)
- [Tag `docker`](#tag-docker)
- [Playbook `issue-cert.yml`](#playbook-issue-certyml)
- [Playbook `user.yml`](#playbook-useryml)
- [Playbook `reboot.yml`](#playbook-rebootyml)
- [Development](#development)
- [License](#license)
---
## Requirements
- [ansible](http://docs.ansible.com/ansible/latest/intro_installation.html)
Install via pip: `sudo easy_install pip && sudo pip install ansible`
- `passlib` for creating hashes with ansible
Install via pip: `sudo pip install passlib`
- [vagrant](https://www.vagrantup.com/downloads.html) and
[VirtualBox](https://www.virtualbox.org/wiki/Downloads)
(if you want to run playbooks against a local vm for development)
## Preparations
We're assuming, you have just set up a server with **Ubuntu 18.04 LTS** minimum
installation and you have root access using ssh (password or keyfile)
Edit the project files according to your needs:
- Edit `./hosts` to match your server ip and port.
- Create `vault_password_file` containing the password for ansible vault:
``` sh
echo -n "secret-password" > vault_password_file
```
- Edit settings in `./group_vars/all` if necessary
### First Run
Run `first-run.yml` to install minimum requirements and create the admin user
for ansible. This is the only playbook that uses the root user. Specify keyfile
or password if necessary:
``` sh
ansible-playbook --user root [--ask-pass] [--key-file path/to/id] first-run.yml
```
## Usage
``` sh
ansible-playbook [-t ]
```
See `./group_vars/` for common task settings.
Read through playbooks and tasks. They are self-explaining.
### Playbook `setup.yml`
Runs all tags by order:
``` sh
ansible-playbook setup.yml
```
#### Tag `bootstrap`
``` sh
ansible-playbook setup.yml -t bootstrap
```
Changes:
- set the hostname
- update apt package cache; upgrade apt to the latest packages; install
unattended-upgrades package; adjust apt update intervals; only installs from
security channel
- create `sftponly` group
- setup iptables (see `./roles/bootstrap/templates/iptables/iptables.sh`)
- setup fail2ban
- disallow password authentication for all users; disallow ssh access for
root; delete root password
- set locale and timezone
- setup ntp
- install optional packages
#### Tag `acme-sh`
``` sh
ansible-playbook setup.yml -t acme-sh
```
- setup acme.sh for letsencrypt certificate creation and renewal
- set letsencrypt account email for notifications
#### Tag `nginx`
``` sh
ansible-playbook setup.yml -t nginx
```
Changes:
- install nginx
- copy nginx.conf, common configs and sites configs (see `./roles/nginx/templates/`)
- remove unmanaged configs
- ensure nginx cache and public html directory properties
- remove default nginx site configuration
#### Tag `nginxconf`
``` sh
ansible-playbook setup.yml -t nginxconf
```
Changes:
- copy nginx.conf, common configs and sites configs (see `./roles/nginx/templates/`)
- remove unmanaged configs
#### Tag `docker`
``` sh
ansible-playbook setup.yml -t docker
```
Changes:
- iXnstall docker and docker-compose with required dependencies and apt sources
### Playbook `issue-cert.yml`
``` sh
ansible-playbook issue-cert.yml
```
Issue a certificate using acme.sh for prompted domain (also cares for renewal).
### Playbook `user.yml`
``` sh
ansible-playbook user.yml
```
Create a system user from prompted options.
### Playbook `reboot.yml`
``` sh
ansible-playbook reboot.yml
```
Reboot the system and wait for it to come back.
## Development
You can use vargrant to create a virtual server for testing and development.
``` sh
vagrant up
ln -s .vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory vagranthosts
ansible-playbook -i vagranthosts [-t ]
```
Calling `vagrant up` will automatically use `first-run-yml` for provisioning.
## License
The MIT License (MIT)
Copyright © 2016 Simon Lepel