| ansible server prepping | Ansible Vault | arm k8s on prem | backup server - Part IV | backup solution | Cluster on a Pi | debian server setup | DNS on Ubuntu ARM | Docker Hub | Docker Swarm | downgrade k3s | GEO-blocking | HomeBrew | How to backup | install Docker Swarm | k3s | k3s cluster setup | k3s HA | K8s Dashboard | K8s Load Balancer | kube-vip | KVM-hypervisor | Mail setup on Pi | MetalLB | Mosquitto brocker on Swarm | Mosquitto container deployment | New Pi setup | new server setup | NFS-Share (shared storage) | Nginx reverse proxy | OPNsense ProtonVPN setup | Persisten Volume - Pi K8s | Portainer (Swarm) | Rancher HA on K3s | Raspbian 64bit | rclone backup - part 2 | Rclone continued III | Rclone GUI | rclone - part 1 | RPi backup solution | ssh-copy-id | SSH key exchange | ssh-keygen | sudo with no password | Swarm commands | sysadmin purpose | sysadmin skills | tmux | Traefik + cert-manager | Traefik + Consul + ssl/tls Letsencrypt | Traefik - oAuth and Letsencrypt | ubuntu webserver | upgrade k3s | Wazuh single node Swarm | webserver setup | what is a sysadmin

The Hotel Hero

Notes by a Sysadmin

Cluster | Philosophy | Stack

Use Ansible to prep your server

 January 9, 2023 | Stack

As time goes by, you may forget small features and settings you apply to your servers to make them fit you need. There is a tendency not to document every thing you do when you try out different solutions and suddenly everything works and you forget about the documentation. That's where Ansible comes into play.

Small playbooks to update all your servers or larger ones to install different libraries, comes in handy and will make life easier over time.

Vault

I have another article about Ansible Vault, so I don't wanna spend to much time on that. But, any time your work with secret data, it is good practis to opfuscate it. There are several tools to do that, but natively Ansible has Vault.

Now, this is probably not the optimal way of going around this issue. But I'll just make a temporary vault file for this, as It'll only be used for login the first time on any new server. Ideally you would make this vault file follow the host in inventory/host_vars/* . But, my experience in doing so is a bit messy so to keep things simple, the following is done first.

in your base ansible folder ../my-ansible-scripts/

create a new directory to save your vault files (the name isn't important):

mkdir vault

We will try to keep our secrets organized here, create a new vault (you will be prompted for a master password to unlock the vault)

ansible-vault create --vault-id @prompt vault/my_site1.yml

in the unencrypted file you can now add your keys and values ex.:

user: my_username
password: my_secret-password

if you want to edit the vault file later use the edit command:

ansible-vault edit vault/my_site1.yml

Now, to not complicate stuff to much, if you get a new server with a root user and password, you might just wan to start by logging in to you SSH account. To either remove old "known_hosts" or to at the public key to known hosts.

1. Playbook

This playbook: setup-server.yml

Will generate a new user with sudoer privileges and disable root login via SSH. This tends to be the first thing I do when i get a new server.

Search

About

I'm a Sysadmin, network manager and cyber security entusiast. The main purpose of this public "notebook" is for referencing repetitive tasks, but it might as well come in handy to others. Windows can not be supported! But all other OS compliant with the POSIX-standard can (with minor adjustments) apply the configs on the site. It is Mac OSX, RHEL and all the Fedora based distros and Debian based (several 100's of OS's), all the BSD distros, Solaris, AIX and HP-UX.

Links