(tldr: see my repository for my Ansible playbook collection)
In my journey to strip away some of the magic from modern cloud computing and understand more about how underlying systems are configured and managed (see also1), I’ve begun using ansible as a cloud-vendor agnostic tool for configuration.
Ansible allows me to automate and better standardize how I configure new linux servers from arbitrary cloud vendors. As I learn new best practices or security configurations, I’ve started adding them to ansible playbooks so I can better capture that knowledge, and build and improve over time. The playbooks serve as executable documentation. So rather than sifting through my notes or readme’s scattered throughout my machine, I can pull up my repository to remember how to get started.
My primary repository is server-config on GitHub.
Initial User Setup and Configuration
The ansible_user.yml playbook creates the ansible user I’ll use for further playbooks, so this one is run first, and it is unfortunately run as root. To make the normal ansible user, I first hashed password using
mkpasswd and saved it as PASSWORD_HASH in
mkpasswd <your password> --method=sha-512
Then, to run this one playbook as root:
source .secrets # to set the PASSWORD_HASH variable. previously made with mkpasswd ansible-playbook playbooks/ansible_user.yml --extra-vars='ansible_user=root'
Next, I can run config.yml:
config.yml runs the following for Ubuntu and Rocky distributions:
- Updates packages and package caches
- Sets the hostnames
- Ensures SSH Password Authentication is not allowed
- Installs and configures fail2ban and an sshd jail
Don’t Repeat Yourself, Use Ansible
Whenever I have software I want to install or configure, I take the extra time to write an ansible playbook for it, and add it to this repository. Currently, I have playbooks (either completed or in progress) for:
- Docker and Docker Swarm
My goal is to have all these playbooks working for Rocky and Ubuntu servers.
For me, Ansible playbooks serve as living/executable documentation for capturing best practices, configuration, and software installation for new Linux servers. It isn’t perfect, but it is rather close to hand tuning– it exposes me to all the ugly but important bits I want to know about, while only minimally abstracting it once I’ve learned.