Development Server

I have a personal server that I use for various things, such as personal side projects and trying out new things like running a VPN service, a Jitsi service, etc.

I often rebuild the server to try a different OS and set of software. To do that, I generally start by configuring the server with a specific user and installed software. I have used Ansible to automate these manual tasks.

Ansible

Ansible is an open-source software provisioning, configuration management, and application-deployment tool enabling infrastructure as code.

https://en.wikipedia.org/wiki/Ansible_(software)

https://www.ansible.com/overview/how-ansible-works

Playbook

I have the following steps for the initial configuration of my server:

  • Create a user group
  • Allow passwordless sudo access to the above user group
  • Create a new user in the above user group
  • Add ssh key for the above new user
  • Disable root login in the server
  • Install some packages
  • Configure UFW to allow only ssh

The above steps can be written as an Ansible Playbook using YAML as follows:

Create a user group (name=wheel); any other name can be used

- name: Make sure we have a 'wheel' group
  group:
    name: wheel
    state: present

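Allow the wheel group to have passwordless sudo access. The validate option runs visudo against the edited copy before it replaces /etc/sudoers, so a syntax error cannot break sudo.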

- name: Allow 'wheel' group to have passwordless sudo
  lineinfile:
    path: /etc/sudoers
    state: present
    regexp: '^%wheel'
    line: '%wheel ALL=(ALL) NOPASSWD: ALL'
    validate: '/usr/sbin/visudo -cf %s'

Create a user in the wheel group

- name: Create a new regular user with sudo privileges
  user:
    name: "{{ create_user }}"
    state: present
    groups: wheel
    append: true
    create_home: true
    shell: /bin/bash

Configure ssh key for the new user

- name: Set authorized key for remote user
  authorized_key:
    user: "{{ create_user }}"
    state: present
    key: "{{ copy_local_key }}"

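Disable password login for the root user. With prohibit-password, root can still log in with an SSH key. The change takes effect only after sshd is reloaded, which the tasks shown here do not do.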

- name: Disable password authentication for root
  lineinfile:
    path: /etc/ssh/sshd_config
    state: present
    regexp: '^#?PermitRootLogin'
    line: 'PermitRootLogin prohibit-password'

Install some packages

- name: Update apt
  apt:
    update_cache: yes

- name: Install required system packages
  apt:
    name: "{{ sys_packages }}"
    state: latest

Configure UFW

- name: UFW - Allow SSH connections
  ufw:
    rule: allow
    name: OpenSSH

- name: UFW - Deny all other incoming traffic by default
  ufw:
    state: enabled
    policy: deny
    direction: incoming
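
The PermitRootLogin task above has an edge case worth checking: lineinfile replaces only the last line matching regexp, while sshd uses the first active value it finds for a keyword. The following is an added example, not part of the original playbook; it models both behaviours on a constructed sshd_config, and the function names are hypothetical.

```python
import re

REGEXP = r"^#?PermitRootLogin"              # regexp from the playbook task
LINE = "PermitRootLogin prohibit-password"  # line from the playbook task

# Constructed sample: an image with an active "yes" above the stock comment.
SAMPLE = """\
Port 22
PermitRootLogin yes
#PermitRootLogin prohibit-password
PasswordAuthentication yes
"""

def lineinfile(text, regexp, line):
    """Model lineinfile state=present: replace the LAST matching line, else append."""
    lines = text.splitlines()
    hits = [i for i, cur in enumerate(lines) if re.search(regexp, cur)]
    if hits:
        lines[hits[-1]] = line
    else:
        lines.append(line)
    return "\n".join(lines) + "\n"

def active_lines(text, keyword):
    """List (line number, value) for uncommented uses of keyword in the global
    section. Simplified: stops at the first Match block, ignores Include."""
    found = []
    for number, raw in enumerate(text.splitlines(), 1):
        fields = raw.strip().split(None, 1)
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].lower() == "match":
            break
        if fields[0].lower() == keyword.lower():
            found.append((number, fields[1].strip() if len(fields) > 1 else ""))
    return found

def effective(text, keyword):
    """sshd keeps the FIRST value obtained for a keyword; None if unset."""
    hits = active_lines(text, keyword)
    return hits[0][1] if hits else None

if __name__ == "__main__":
    edited = lineinfile(SAMPLE, REGEXP, LINE)
    print("active lines:", active_lines(edited, "PermitRootLogin"))
    print("effective   :", effective(edited, "PermitRootLogin"))
```

On a real host, `sshd -T` prints the effective configuration and is the authoritative check, since it also follows Include files that this model ignores.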

Additional steps

I have also configured an ansible.cfg file. This helps me define project-specific configuration, such as the private SSH key file to use, so that playbook-specific Ansible settings live in one place, like this:

[defaults]
inventory = hosts
remote_user = root
private_key_file = ~/.ssh/id_ed25519

Full source can be found here: https://github.com/ravikg/setup_ubuntu_ansible
