The Hotel Hero

Notes by a Sysadmin



Use Ansible to prep your server

January 9, 2023 | Stack

As time goes by, you may forget the small features and settings you applied to your servers to make them fit your needs. There is a tendency not to document everything you do while trying out different solutions; suddenly everything works and the documentation is forgotten. That is where Ansible comes into play.

Small playbooks to update all your servers, or larger ones to install different libraries, come in handy and make life easier over time.

Vault

I have another article about Ansible Vault, so I don't want to spend too much time on that. But whenever you work with secret data, it is good practice to keep it encrypted rather than in plain text in your repository. There are several tools for that, but natively Ansible has Vault.

Now, this is probably not the optimal way around the issue, but I'll just make a temporary vault file for this, as it will only be used for logging in the first time on any new server. Ideally you would make this vault file follow the host in inventory/host_vars/*, but my experience doing so is a bit messy, so to keep things simple the following is done first.

In your base Ansible folder (../my-ansible-scripts/),

create a new directory to hold your vault files (the name isn't important):

mkdir vault 

We will keep our secrets organized here. Create a new vault (you will be prompted for a master password; it is used to encrypt the file, so do not lose it):

ansible-vault create --vault-id @prompt vault/my_site1.yml

In the editor that opens (the file is encrypted again on save) you can now add your keys and values, e.g.:

user: my_username
password: my_secret-password

If you want to edit the vault file later, use the edit command (you will be prompted for the same password):

ansible-vault edit vault/my_site1.yml

Now, to not complicate things too much: if you get a new server with a root user and password, you may want to start by logging in over SSH once by hand, either to remove a stale entry for that address from known_hosts or to add the server's host key to known_hosts, so that Ansible's SSH connection does not stall on the host-key prompt later.

1. Playbook

This playbook, setup-server.yml,

will create a new user with sudo privileges and disable root login via SSH. This tends to be the first thing I do when I get a new server.
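The author's setup-server.yml is not reproduced on this page. The playbook below is an added example written to do what the text describes (and to show how the vault file from the Vault section is consumed); it is not the author's file. Assumptions: the root credentials live in vault/my_site1.yml as the keys user and password shown above, the inventory group is called new_servers, the new admin account is named deploy, its public key is read from ~/.ssh/id_ed25519.pub on the control node, and sshpass is installed locally (required for password-based SSH logins from Ansible). All four names are placeholders to adjust.

```yaml
---
# Added example, not the author's setup-server.yml.
# Run with:  ansible-playbook --vault-id @prompt -i inventory setup-server.yml
- name: First login on a fresh server: create an admin user, disable root SSH login
  hosts: new_servers                     # assumption: inventory group name
  become: true
  vars_files:
    - vault/my_site1.yml                 # provides 'user' and 'password' (root creds from the Vault section)
  vars:
    # Connection variables can be set as play vars; they are taken from the vault file.
    ansible_user: "{{ user }}"
    ansible_password: "{{ password }}"
    admin_user: deploy                   # assumption: name of the new sudo user
    admin_pubkey: "{{ lookup('file', '~/.ssh/id_ed25519.pub') }}"   # assumption: key on the control node
    # Debian/Ubuntu use the 'sudo' group, RHEL/Fedora use 'wheel'; the ssh service name differs too.
    sudo_group: "{{ 'sudo' if ansible_facts['os_family'] == 'Debian' else 'wheel' }}"
    ssh_service: "{{ 'ssh' if ansible_facts['os_family'] == 'Debian' else 'sshd' }}"

  tasks:
    - name: Create the admin user and add it to the sudo group
      ansible.builtin.user:
        name: "{{ admin_user }}"
        shell: /bin/bash
        groups: "{{ sudo_group }}"
        append: true                     # keep any groups the user already has

    - name: Install the control node's public key for the admin user
      ansible.posix.authorized_key:      # ansible.posix collection (bundled with the 'ansible' package)
        user: "{{ admin_user }}"
        key: "{{ admin_pubkey }}"

    - name: Allow the admin user to sudo without a password (validated with visudo before install)
      ansible.builtin.copy:
        dest: "/etc/sudoers.d/{{ admin_user }}"
        content: "{{ admin_user }} ALL=(ALL) NOPASSWD: ALL\n"
        owner: root
        group: root
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s

    - name: Disable root login over SSH (config is syntax-checked before it replaces the live file)
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*PermitRootLogin\b'
        line: "PermitRootLogin no"
        validate: /usr/sbin/sshd -t -f %s
      notify: Restart sshd

  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: "{{ ssh_service }}"
        state: restarted
```

Two practical caveats. First, the play logs in as root with the vault password and only disables root login at the very end (handlers run last), so a failed task leaves you with root access rather than locked out; once you have confirmed that ssh deploy@host works with the key, a second run or a second task can set PasswordAuthentication no the same way. Second, on recent Debian and Ubuntu images /etc/ssh/sshd_config includes /etc/ssh/sshd_config.d/*.conf, and a drop-in file there (cloud images often ship one) overrides the main file, so check sshd -T | grep permitrootlogin after the run to confirm the effective value.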


About

I'm a sysadmin, network manager and cyber security enthusiast. The main purpose of this public "notebook" is for referencing repetitive tasks, but it might as well come in handy to others. Windows can not be supported! But all other OSes compliant with the POSIX standard can (with minor adjustments) apply the configs on the site. That is Mac OS X, RHEL and all the Fedora-based distros, the Debian-based ones (several hundred OSes), all the BSDs, Solaris, AIX and HP-UX.
