Project for automatic server setup using ansible.
Tested on Ubuntu Server 18.04.2 LTS and ansible 2.8.0.
- Create config file `~/.ansible.cfg`:

  ```ini
  [defaults]
  inventory = ~/.ansible.hosts
  vault_password_file = ~/.ansible.vault.pass

  [ssh_connection]
  ssh_args = -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s
  pipelining = True
  ```

  Few notes:
  - Pipelining can give a significant performance improvement when enabled, but it is incompatible with `requiretty` in `/etc/sudoers`.
  - We will use `ssh-agent` and agent forwarding to use the ssh keys from the local machine on remotes. So don't forget to run `ssh-add` before running the scripts.
- Create hosts file `~/.ansible.hosts`. For example:

  ```ini
  [web]
  [email protected]
  ```
- Create file `~/.ansible.vault.pass` with the password for ansible vault. For example:

  ```
  somesecretpassformyvault
  ```
- Download the project:

  ```sh
  git clone https://github.com/artslob/vps-setup
  cd vps-setup
  ```
- Create file `secrets.yml` in the project root directory with this template:

  ```yaml
  vault_user_password: somepass
  vault_user_salt: somesalt
  vault_cf_key: deadbeaf01010101010101010101010101fff
  vault_cf_email: [email protected]
  ```

  This file contains the secrets for user creation and the cloudflare tokens for ssl setup (acme).
- Encrypt it:

  ```sh
  ansible-vault encrypt secrets.yml
  ```

  The contents of the secrets file should now look like this (run `cat secrets.yml`):

  ```
  $ANSIBLE_VAULT;1.1;AES256
  31643131623866643738666533313633366533633133353534633461626355366230623339616437
  ...
  ```
- Run the playbook to create a user on your server:

  ```sh
  ansible-playbook 01-create-user.yml -e "host_env=ec2 root_user=ubuntu"
  ```

  The flag `-e` (or `--extra-vars`) provides additional variables (here `host_env` and `root_user`), which override the default values in the playbook. The contents of the encrypted `secrets.yml` are parsed by ansible automatically.

  Few notes:
  - This playbook will not create ssh keys on the remote machine: you should use SSH agent forwarding to use the keys from your local machine on remotes.
  - The playbook sets up passwordless `sudo` for the default user.
  - It also configures sudoers to preserve the `SSH_AUTH_SOCK` environment variable for all sudoers, so SSH agent forwarding keeps working in `sudo` mode.
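The script below is an added example and is not part of artslob/vps-setup. It checks the preconditions the steps above rely on before `ansible-playbook` is run: that `secrets.yml` really carries the `$ANSIBLE_VAULT` header (so it is safe to commit), that `~/.ansible.vault.pass` is readable only by its owner, that `ssh-agent` has keys loaded, and, for a copy of the target's sudoers file, that `requiretty` is not enabled and `SSH_AUTH_SOCK` is kept. The function names, the default paths and the use of GNU `stat -c` are assumptions made for this example.

```shell
#!/bin/sh
# Pre-flight checks for the steps in this README (added example, not part of
# artslob/vps-setup). Function names, default paths and the use of GNU
# `stat -c` are assumptions made for this example.

# 0 when FILE starts with an ansible-vault header, i.e. it was encrypted and is
# safe to commit; 1 for a plaintext or missing file.
vault_file_encrypted() {
    [ -f "$1" ] || return 1
    head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;1\.[12];AES256'
}

# 0 when FILE is readable by its owner only (mode 600 or 400). The vault
# password file must not be group- or world-readable.
owner_only() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# 0 when SUDOERS_FILE enables `requiretty`, which breaks ansible pipelining
# (see the note on ~/.ansible.cfg). `Defaults !requiretty` does not match.
sudoers_requires_tty() {
    grep -Eq '^[[:space:]]*Defaults[^#]*[[:space:],]requiretty' "$1"
}

# 0 when SUDOERS_FILE keeps SSH_AUTH_SOCK via env_keep, so agent forwarding
# still works after `sudo` (what the last note above describes).
sudoers_keeps_auth_sock() {
    grep -Eq '^[[:space:]]*Defaults[^#]*env_keep[[:space:]]*\+?=[[:space:]]*"?[^"#]*SSH_AUTH_SOCK' "$1"
}

# 0 when ssh-agent is reachable and has at least one key loaded (ssh-add -l
# exits 1 with no identities and 2 when no agent is running).
agent_has_keys() {
    ssh-add -l >/dev/null 2>&1
}

# Run every check, print one line per check and return 1 if any failed.
# Usage: preflight [secrets.yml] [vault-pass-file] [sudoers-copy]
preflight() {
    secrets="${1:-secrets.yml}"
    vault_pass="${2:-$HOME/.ansible.vault.pass}"
    sudoers="${3:-}"
    rc=0
    if vault_file_encrypted "$secrets"; then
        echo "ok   $secrets is vault-encrypted"
    else
        echo "FAIL $secrets is not encrypted; run: ansible-vault encrypt $secrets"; rc=1
    fi
    if owner_only "$vault_pass"; then
        echo "ok   $vault_pass is owner-only"
    else
        echo "FAIL $vault_pass missing or too permissive; run: chmod 600 $vault_pass"; rc=1
    fi
    if agent_has_keys; then
        echo "ok   ssh-agent has keys loaded"
    else
        echo "FAIL no keys in ssh-agent; run: ssh-add"; rc=1
    fi
    # Optional: check a local copy of the target's sudoers (e.g. fetched with
    # scp), since /etc/sudoers on the remote is readable by root only.
    if [ -n "$sudoers" ]; then
        if sudoers_requires_tty "$sudoers"; then
            echo "FAIL $sudoers sets requiretty; disable it or set pipelining = False"; rc=1
        else
            echo "ok   $sudoers does not require a tty"
        fi
        if sudoers_keeps_auth_sock "$sudoers"; then
            echo "ok   $sudoers keeps SSH_AUTH_SOCK"
        else
            echo "FAIL $sudoers drops SSH_AUTH_SOCK; agent forwarding will not work under sudo"; rc=1
        fi
    fi
    return $rc
}

# Run the checks only when executed directly as preflight.sh, not when sourced.
if [ "${0##*/}" = "preflight.sh" ]; then preflight "$@"; fi
```

Run it from the project root as `sh preflight.sh` (or pass explicit paths, e.g. `sh preflight.sh secrets.yml ~/.ansible.vault.pass ./sudoers.copy`); a non-zero exit means at least one precondition is missing, and each `FAIL` line names the command that fixes it.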