Security Automation with Ansible (TLDR version)
Click here for the full version of this page.
Ramping up with Ansible
This is less a list of technical dependencies and more a recommended background to have when working with Ansible.
- YouTube - Ansible - Powerful Open Source system management and task automation tooling! by Awesome Open Source - If you've never touched Ansible before, start here!
- YouTube - Getting started with Ansible playlist by Learn Linux TV - This playlist provides a deeper dive into Ansible.
Basic security with sts_baseline
Note: This playbook is based on Debian/Ubuntu Server. It may accommodate dnf-based distributions like Fedora and its derivatives at a later date
1. Download the SovereignTechStack repository
Start with a fresh deployment of Ubuntu Server or Debian on a VPS. You should have root access and the root password. To begin, download the repository from here and cd into the ansible directory.
2. Edit inventory.ini
Add these three pieces of information to your inventory.ini file:
- The "server tag" of the server under [all:vars].
- The name of the non-root sudo user under [all:vars].
- The server's IP address under [baselines].
Example:
[all:vars]
server_tag=nextcloud
baseline_nonroot_user=serveradmin
[baselines]
203.0.113.74
[local]
localhost ansible_connection=local
3. Add login credential to Ansible Vault
From the ansible directory, run
- the password for your non-root user
- the password used to encrypt the SSH key that you will use to authenticate to the server after the playbook has run.
# Baseline Server Details
baseline_nonroot_user_password: <your non-root user password>
sshkey_password: <SSH key password>
To make changes to the Vault, run this command...
...enter the Vault password, make your changes, and save and exit.
4. Run the playbook - sts_baseline.yml
The playbook will perform the following:
- Update Ubuntu and install preferred packages.
- Provision the non-root user account and add it to the sudo group.
- Create an SSH key on your local machine.
- Upload the SSH public key to the non-root account's authorized_keys file.
- Install Docker and stuff.
- Disable root access and password logins on SSH.
Run this command from the playbook directory.
Note: If Ansible throws an error that says "Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this. Please add this host's fingerprint to your known_hosts file to manage this host.", simply SSH into the host once to add it to your known_hosts file: run ssh root@<server IP address>, accept the host key when prompted, and then log back out.
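As an added illustration of the "disable root access and password logins on SSH" step, here is how I would write that play so that it refuses to run before a key is in place, validates the config before writing it, and then checks the settings sshd actually uses. This is my own example, not the sts_baseline playbook's code. It assumes the host group baselines and the variable baseline_nonroot_user from the inventory.ini above, and a Debian/Ubuntu target running OpenSSH (service name ssh); the variable name sshd_settings and the task layout are mine.

```yaml
# Added example, not the sts_baseline playbook itself.
# Assumptions: host group "baselines" and variable "baseline_nonroot_user"
# come from the inventory.ini shown above; the target is Debian/Ubuntu with
# OpenSSH (service name "ssh"). "sshd_settings" is a name chosen for this example.
- name: Disable root access and password logins on SSH
  hosts: baselines
  become: true
  vars:
    sshd_settings:
      PermitRootLogin: "no"
      PasswordAuthentication: "no"
      # Older spelling of KbdInteractiveAuthentication; accepted by old and new OpenSSH.
      ChallengeResponseAuthentication: "no"
      PubkeyAuthentication: "yes"
  tasks:
    - name: Check that the non-root user already has an authorized_keys file
      ansible.builtin.stat:
        path: "/home/{{ baseline_nonroot_user }}/.ssh/authorized_keys"
      register: authkeys

    - name: Stop before locking ourselves out
      ansible.builtin.assert:
        that:
          - authkeys.stat.exists
          - authkeys.stat.size > 0
        fail_msg: >-
          No authorized_keys for {{ baseline_nonroot_user }}; run the
          uploadkey step first, otherwise password auth is the only way in.

    - name: Write each option, replacing a commented or active line with the same key
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^\s*#?\s*{{ item.key }}\s'
        line: "{{ item.key }} {{ item.value }}"
        # sshd -t rejects the temp file if we produced an invalid config
        validate: /usr/sbin/sshd -t -f %s
      loop: "{{ sshd_settings | dict2items }}"
      notify: Restart sshd

    - name: Restart now so the check below runs against the new config
      ansible.builtin.meta: flush_handlers

    - name: Read the effective configuration (includes sshd_config.d drop-ins)
      ansible.builtin.command: /usr/sbin/sshd -T
      changed_when: false
      register: sshd_effective

    - name: Verify the values sshd actually uses, not just the file we edited
      ansible.builtin.assert:
        that:
          - "'permitrootlogin no' in sshd_effective.stdout_lines"
          - "'passwordauthentication no' in sshd_effective.stdout_lines"
        fail_msg: >-
          A drop-in under /etc/ssh/sshd_config.d is overriding the hardening;
          sshd keeps the first value it reads for each option.

  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: ssh
        state: restarted
```

The final sshd -T check matters on recent Ubuntu and Debian images: sshd_config starts with an Include of /etc/ssh/sshd_config.d, sshd keeps the first value it reads for an option, and cloud images often ship a drop-in there that re-enables password authentication. Editing sshd_config alone can therefore look successful while changing nothing, and this task makes the play fail loudly instead.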
Authenticating to your server post-baseline
After baselining the server, you can authenticate to the server with this command.
ssh -i ~/.ssh/id_ed25519_<server_tag>_<baseline_nonroot_user> -p 22 <baseline_nonroot_user>@<server_ip>
Preparing for the next steps
5. Edit the Ansible Vault
- Create a new entry for this server.
- Change baseline_nonroot_user_password to <server_tag>_become_pass.
- Move that line to the new section you created.
- Remove the sshkey_password line.
End result:
6. Edit inventory.ini
Delete the server entry under [baselines] and create a new host group. For example, add the host group [nextcloud] and include the following.
- The server's IP address.
- ansible_user=<the non-root user you just created>
- ansible_become_pass="{{ <server tag>_become_pass }}"
- ansible_ssh_private_key_file="~/.ssh/id_ed25519_<server_tag>_<non-root user>"
Example:
[baselines]
[local]
localhost ansible_connection=local
[nextcloud]
203.0.113.74 ansible_user=serveradmin ansible_become_pass="{{ nextcloud_become_pass }}" ansible_ssh_private_key_file="~/.ssh/id_ed25519_nextcloud_serveradmin"
I ran the baselining playbook already, but made a mistake.
Put the edited server entry back in the [baselines] host group and you can run the playbook with tags like so.
Here are the other supported tags for the sts_baseline playbook that you can run individually after the first run.
- updates
- packages
- provisionuser
- provisionkey
- uploadkey
- securessh
- installdocker
- sshkeydetails