Knowledgebase

How to Configure a Debian 11 Bullseye Server with Ansible Print

  • 0

Introduction

This guide will show you how to automate the initial Debian 11 Bullseye server configuration with Ansible. Ansible is a software tool that automates the configuration of one or more remote nodes from a local control node. The local node can be another Linux system, a Mac, or a Windows PC. If you are using a Windows PC, you can install Linux using the Windows Subsystem for Linux. This guide will focus on using a Mac as the control node to set up a fresh Rcs Debian 11 server.

The Debian 11 Ansible setup playbook is listed at the end of this guide. In addition, instructions are provided on how to install and use it.

It takes a little work to set up and start using Ansible, but once it is set up and you become familiar with it, using Ansible will save a lot of time and effort. For example, you may want to experiment with different applications. Using the Ansible setup playbook described in this guide, you can quickly reinstall your Debian 11 instance and then run the playbook to configure your base server. This playbook is a good base for installing web servers, database servers, or email servers.

We will use a single Ansible playbook that will do the following:

  • Replace the UFW firewall with firewalld & nftables.
  • Upgrade installed apt packages.
  • Install a base set of useful software packages.
  • Set a fully qualified domain name (FQDN).
  • Set the timezone.
  • Set the SSH port number.
  • Set sudo password timeout.
  • Create a regular user with sudo privileges.
  • Install SSH Keys for the new regular user.
  • Ensure authorized key for root user is installed.
  • Update/Change the root user password.
  • Disable password authentication for root.
  • Disable tunneled clear-text passwords.
  • Create a .vimrc resource file that disables vi visual mode for root and the user.
  • Create a 2-line prompt and bash ls aliases for root and the user.
  • Set up a local DNS resolver, using Unbound.
  • Configure a firewall, using firewalld and nftables.
  • Configure brute force mitigation using fail2ban.
  • Optionally configure static IP networking.
  • Reboot or restart services as needed.

Nftables is the default and recommended firewall framework since Debian Buster. However, legacy iptables syntax is still supported via a iptables-nft layer. Under the hood, UFW still uses the iptables syntax. This Ansible playbook will replace UFW with an nftables ruleset for the server firewall. At the user level, the nftables ruleset is created and managed with firewalld.

A local DNS resolver is created by installing the unbound package using the default installed configuration. It provides a local DNS recursive resolver, and the results are cached. This is important if you want to run an email server with DNS blacklist (DNSBL) lookups. Some DNSBL services will not work with a public DNS resolver because they limit the number of queries from a server IP.

If you have configured additional IPs in the Rcs control panel, you can use this playbook to install an updated network interfaces file (/etc/network/interfaces). By default, the Configure static networking playbook task is disabled.

Prerequisites

  • A Rcs server with a freshly installed Debian 11 instance.
  • A local Mac, Windows with WSL, or Linux system. This guide focuses on Mac, but the procedures are similar for any Linux control node.
  • If using a Mac, Homebrew should be installed.
  • A previously generated SSH Key for the Rcs host, and the SSH public key should be installed for the root user.
  • Ansible 2.9.x, or later stable version. This guide is tested with Ansible version 2.9.26 on a Mac, installed via Homebrew.

1. Install Ansible on the Local System

For this guide, we are using the Ansible 2.9.x Red Hat released version.

Using a Mac with Homebrew installed:

$ brew install ansible@2.9
$ brew link --force --overwrite ansible@2.9

This will install Ansible along with all the required dependencies, including python version 3.9.x. You can quickly test your installation by doing:

$ ansible --version
ansible 2.9.26
config file = /Users/george/.ansible.cfg
configured module search path = ['/Users/george/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/local/Cellar/ansible@2.9/2.9.26/libexec/lib/python3.9/site-packages/ansible
executable location = /usr/local/bin/ansible
python version = 3.9.7 (default, Sep  3 2021, 12:37:55) [Clang 12.0.5 (clang-1205.0.22.9)]

Create a Simple Ansible Configuration

Create the .ansible.cfg configuration file in the user home directory. This tells Ansible how to locate the host's inventory file.

Add the following content to ~/.ansible.cfg:

[defaults]
inventory  = /Users/user/ansible/hosts.yml
interpreter_python = auto

Be sure to replace user with your actual user name.

Create the folder to store the hosts.yml hosts inventory file:

$ mkdir ~/ansible
$ cd ~/ansible

Of course, you can put it anywhere you want to and give it any name. Just make sure that your .ansible.cfg file points to the correct location.

Add the following content to ~/ansible/hosts.yml:

all:
  vars:
    ansible_python_interpreter: /usr/bin/python3
    ansible_become: yes
    ansible_become_method: sudo 
  children:
    vultr:
      hosts:
        host.example.com:
          user: user
          user_passwd: "{{ host_user_passwd }}"
          root_passwd: "{{ host_root_passwd }}"
          ssh_pub_key: "{{ lookup('file', '~/.ssh/host_ed25519.pub')  }}"
          ansible_become_pass: "{{ host_user_passwd }}"
          cfg_static_network: false
    vmware:
      hosts:
        debian1.local:
          user: george
          user_passwd: "{{ db1_user_passwd }}"
          root_passwd: "{{ db1_root_passwd }}"
          ssh_pub_key: "{{ lookup('file', '~/.ssh/db1_ed25519.pub')  }}"
          ansible_become_pass: "{{ db1_user_passwd }}"
          cfg_static_network: true

The first block defines Ansible variables that are global to the host's inventory file. Hosts are listed under children groups.

Replace host with your actual host name. The vmware group shows a working example for setting up a VMware host on my Mac.

The user is the regular user to be created. The host_user_passwd and host_root_passwd are the user and root passwords that are stored in an Ansible vault, described below. ssh_pub_key points to the SSH public key for the Rcs host. The ansible_become lines provide the ability for the newly created user to execute sudo commands in future Ansible playbooks.

The cfg_static_network is a boolean variable that is set to true if you are configuring static networking in /etc/network/interfaces. Unless you have specifically created a static networking configuration, you should leave this set to false. Configuring a static network is beyond the scope of this guide; I will describe how to create a static network in a future guide.

Using the Ansible Vault

Create the directory for the Ansible password vault and setup playbook:

$ mkdir -p ~/ansible/debian
$ cd ~/ansible/debian

Create the Ansible password vault:

$ ansible-vault create passwd.yml
New Vault password: 
Confirm New Vault password:

This will start up your default system editor. Add the following content:

host_user_passwd: ELqZ9L70SSOTjnE0Jq
host_root_passwd: tgM2Q5h8WCeibIdJtd

Replace host with your actual hostname and generate your own secure passwords, then save and exit your editor. This creates an encrypted file that only Ansible can read. You can add other host passwords to the same files.

pwgen is a very handy tool that you can use to generate secure passwords. Install it on a Mac via Homebrew: brew install pwgen. Use it as follows:

$ pwgen -s 18 2
ELqZ9L70SSOTjnE0Jq tgM2Q5h8WCeibIdJtd

You can view the contents of the ansible-vault file with:

$ ansible-vault view passwd.yml
Vault password:

You can edit the file with:

$ ansible-vault edit passwd.yml                
Vault password: 

2. Create an SSH Config File for the Rcs Host

Next, we need to define the Rcs hostname and SSH port number that Ansible will use to connect to the remote host.

The SSH configuration for the server host is stored in ~/.ssh/config. An example configuration on a Mac looks like:

Host *
  AddKeysToAgent yes
  UseKeychain yes
  IdentitiesOnly yes
  AddressFamily inet

Host host.example.com host
  Hostname host.example.com
  Port 22
  User user
  IdentityFile ~/.ssh/host_ed25519

Using the SSH config file, you can change the default SSH port number if changed by the Ansible playbook. The playbook is always executed the first time with SSH port 22. If the SSH port number is changed by the playbook, then the SSH port number in the SSH config file needs to be changed after the playbook runs or during a server reboot initiated by the playbook.

With this SSH configuration file, you can use a shorthand host name to log into the server.

For the user login:

$ ssh host

For the root login:

$ ssh root@host

UserKeychain is specific to macOS. It stores the SSH public key in the macOS key chain.

host.example.com is your Rcs server FQDN (Fully Qualified Domain Name) that needs to be defined in your DNS or /etc/hosts file on your local system. Port 22 is optional, but required if you define a non-standard SSH port.

Important: Install your SSH Key for the root user if you have not done so already:

$ ssh-copy-id -i ~/.ssh/host_ed25519 root@host

Verify that you can log in without using a password.

Note: If you reinstall your Rcs instance, be sure to delete your Rcs hostname from ~/.ssh/known_hosts on your local control node. Otherwise, you will see an SSH error when you try to log into your reinstalled host. The hostname is added to this file during the first login attempt:

$ ssh root@ap1
The authenticity of host 'ap1.example.com (192.0.2.22)' can't be established.
ECDSA key fingerprint is SHA256:oNczYD+xuXx0L6CM17Ciy+DWu3jOEbfVclIj9wUT7Y8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes

Answer yes to the question. If you don't delete the hostname from this file after reinstalling your instance, you will see an error like:

$ ssh root@ap1
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
o o o

If this happens, just delete the line entered for your hostname in the known_hosts file and run the ssh command again.

3. Test Your SSH/Ansible Configuration

Before running the setup Ansible playbook, we need to verify that Ansible is working correctly, that you can access your Ansible vault, and connect to your Rcs host. First, verify that Ansible is installed correctly on a Mac:

$ ansible --version
ansible 2.9.26 
  config file = /Users/user/.ansible.cfg
  o o o

This is the latest version of Ansible on a Mac/Homebrew when this guide was written.

Run this command to test your Ansible and SSH configuration:

$ cd ~/ansible/debian
$ ansible -m ping --ask-vault-pass --extra-vars '@passwd.yml' vultr -u root
Vault password: 
host.example.com | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

If you see the above output, then everything is working fine. If not, go back and double-check all your SSH and Ansible configuration settings. Start by verifying that you can execute:

$ ssh root@host

You should be able to log in without a password, because you have installed your SSH key for root.

4. Running the Ansible Debian Server Configuration Playbook

You are ready to run the playbook; when you execute the playbook, you will be prompted for your vault password. The playbook will execute a number of tasks with a PLAY RECAP at the end. You can rerun the playbook multiple times; you may want to change something like the SSH port number, for example. It will only execute tasks when needed. Be sure to update variables at the beginning of the playbook, such as your SSH port number and your local client IP address, before running the playbook. Setting your local client IP address prevents you from being accidentally locked out by fail2ban.

You can easily determine your client IP address by logging into your host and executing the who command:

root@host:~# who
root     pts/1        2021-10-11 20:24 (192.0.2.22)

Your client IP address, 192.0.2.22, will be listed in the output.

We are finally ready to run the Ansible playbook, which I listed below. Be sure that you are in the ~/ansible/debian directory. This is the command to run:

$ ansible-playbook --ask-vault-pass --extra-vars '@passwd.yml' setup-pb.yml -l vultr -u root
Vault password:

Depending on the speed of your Mac, it may take a few seconds to start up. If it completes successfully, you will see PLAY RECAP like:

PLAY RECAP *************************************************************************************************************************
ap1.example.com          : ok=38   changed=27   unreachable=0    failed=0    skipped=5    rescued=0    ignored=0 

The most important thing to note is that there should be no failed tasks.

Next, I will describe some basic tests that you can run to verify your server setup.

5. Debian 11 Bullseye Server Verification

After successfully executing the Ansible setup playbook, here are some basic tests that you can run to verify your server setup. I will show some real-life examples with the server host that I used to test the setup playbook (my local hostname is ap1 and user name is george).

Verify your user login

Verify that you can log into your new user account using your host's public SSH key:

╭─george@imac1 ~/ansible/debian 
╰─$ ssh ap1
Linux ap1 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 (2021-09-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
george@ap1:~
$ 

Note the two-line prompt. The first line shows user@host and the current directory.

Now, note how the l, la, and ls LS aliases work and the presence of the .vimrc file:

george@ap1:~
$ touch tmpfile
george@ap1:~
$ l
tmpfile
george@ap1:~
$ la
.bash_logout  .bashrc  .profile  .ssh/  tmpfile  .vimrc
george@ap1:~
$ ll
total 28
drwxr-xr-x 3 george george 4096 Oct 11 15:50 ./
drwxr-xr-x 3 root   root   4096 Oct 11 15:34 ../
-rw-r--r-- 1 george george  220 Jun 21 21:26 .bash_logout
-rw-r--r-- 1 george george 3746 Oct 11 15:34 .bashrc
-rw-r--r-- 1 george george  807 Jun 21 21:26 .profile
drwx------ 2 george george 4096 Oct 11 15:34 .ssh/
-rw-r--r-- 1 george george    0 Oct 11 15:50 tmpfile
-rw-r--r-- 1 george george   13 Oct 11 15:34 .vimrc
george@ap1:~
$ cat .vimrc
set mouse-=a

The .vimrc set mouse-=a option turns off the VI visual mode, which makes it possible to use your mouse to select and copy a block of text in a VI window.

Verify your user password

Even though you use an SSH public key to log in to your user account, you still need to use your user password with the sudo command. For example, use the sudo command to change to the root account. Enter your user password when prompted:

george@ap1:~
$ sudo -i

We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for george: 
root@ap1:~
# 
root@ap1:~
# exit
logout
george@ap1:~
$ 

That sudo message appears the first time the sudo command is used.

Verify the root password

While in your user account, you can also use su - to change to the root account. One difference is that you will have to enter your root password:

george@ap1:~
$ su -
Password: 
root@ap1:~
# 

Verify your hostname

While we are in the root account, let's verify our hostname and some other features that the playbook set up for us:

root@ap1:~
# hostname
ap1

root@ap1:~
# hostname -f
ap1.example.com

root@ap1:~
# date
Mon 11 Oct 2021 04:44:09 PM CDT

Here we verified both the short and FQDN hostnames. With the date command, verify that the timezone is set correctly.

Verify the Unbound local DNS caching resolver

An in-depth discussion of Unbound is beyond the scope of this guide; however, I can provide a few quick tests to verify that the default Unbound local DNS caching resolver configuration is working. We will use the dig command.

To verify that the resolver is working, do, for example:

root@ap1:~
# dig +noall +answer +stats example.com
example.com.        3600    IN    A    192.0.2.22
;; Query time: 40 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Oct 11 16:56:48 CDT 2021
;; MSG SIZE  rcvd: 58

Note that the server address is 127.0.0.1. Also, note the TTL (Time To Live). For this example, the TTL is 3600 seconds. Also, note the Query time, 40 msec. Now execute the same command again:

root@ap1:~
# dig +noall +answer +stats example.com
example.com.        3426    IN    A    192.0.2.22
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Oct 11 16:59:42 CDT 2021
;; MSG SIZE  rcvd: 58

The Query time should be at or near 0 msec because the second query result came from our local cache. The cached result will remain active for the time-to-live interval, which, as you can see, is counting down.

Some email blacklist servers will rate-limit your access to their pre-defined DNS resolvers. This could cause issues when using a public DNS resolver. For example, when executing the following dig command, you should see "permanent testpoint" when using a local DNS resolver.

root#ap1:~
# dig test.uribl.com.multi.uribl.com txt +short
"permanent testpoint"

If you were using a public DNS resolver, you would see a failure like this after you first create your Rcs instance, but have not executed the setup playbook:

root@ap1:~# dig test.uribl.com.multi.uribl.com txt +short
"127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 192.0.2.22]"

You can have a look at that URL is read more about this topic.

Verify fail2ban and firewalld SSH port protection

This set of tests will verify that fail2ban and firewalld are integrated together to protect your SSH port. If you are using the default port 22, it will not take long for attackers to attempt to log in to your server. Their login attempt will fail, and fail2ban will take note of the failure. If there are multiple failed attempts in a short period of time as noted in your fail2ban configuration, fail2ban will ban the IP for the time that you configured in your fail2ban configuration. Fail2ban will notify firewalld to block the IP for the duration of the ban.

To see the current fail2ban status, you can execute fail2ban-client status sshd, or f2bst sshd to save some typing:

root@ap1:~
# f2bst sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:    1
|  |- Total failed:    4
|  `- File list:    /var/log/auth.log
`- Actions
   |- Currently banned:    1
   |- Total banned:    3
   `- Banned IP list:    192.0.2.123

This output shows that there is currently one failed login attempt. There have been a total of four failures. Of those failed attempts, three IP addresses met the criteria to be banned. There is currently one IP that is being actively banned.

You can execute the following firewalld command to get a quick view of the firewalld status:

root@ap1:~
# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources: 
  services: 
  ports: 22/tcp
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
    rule family="ipv4" source address="192.0.2.22" port port="22" protocol="tcp" reject type="icmp-port-unreachable"
    

A complete discussion of firewalld is beyond the scope of this guide. However, from the above output, it's important to note the "public zone" is active. Our SSH TCP port 22 is allowed and all other ports are blocked. Also, a "rich rule" has been created to block the IP that fail2ban marked to be banned. This rule will be deleted when fail2ban clears the IP ban.

To just list the rich rules, you can execute:

root@ap1:~
# firewall-cmd --list-rich-rules
rule family="ipv4" source address="192.0.2.22" port port="22" protocol="tcp" reject type="icmp-port-unreachable"

6. Debian 11 Bullseye Ansible Set-Up Playbook Listing

This is the setup-pb.yml playbook to create in the ~/ansible/debian directory:

# Initial server setup
#
---
- hosts: all
  become: true
  vars:
    ssh_port: "22"
    my_client_ip: 192.0.2.22
    tmzone: America/Chicago
    sudo_timeout: 20
    vimrc: |
      set mouse-=a
    f2b_jail_local: |
      [DEFAULT]
      banaction = firewallcmd-rich-rules[actiontype=]
      banaction_allports = firewallcmd-rich-rules[actiontype=]
      ignoreip = 127.0.0.1/8 ::1 {{ my_client_ip }}
      findtime = 15m
      bantime = 2h
      maxretry = 5

      [sshd]
      enabled = true
      maxretry = 3
      port = {{ ssh_port }}

  tasks:
    # Stop and disable ufw before installing firewalld ...
    - name: Check if ufw is installed.
      stat: path="/usr/sbin/ufw"
      register: ufw_installed

    - name: Check if ufw status is active.
      command: ufw status
      changed_when: False
      register: ufw_status
      when: ufw_installed.stat.exists

    - name: Disable ufw ruleset if ufw is installed and active.
      ufw:
        state: reset
      when: ufw_installed.stat.exists and 'inactive' not in ufw_status.stdout

    - name: Flush any existing (ufw) nftables ruleset.
      command: nft flush ruleset
      when: ufw_installed.stat.exists and 'inactive' not in ufw_status.stdout

    - name: Stop and disable the ufw service.
      service:
        name: ufw
        state: stopped
        enabled: no
      when: ufw_installed.stat.exists

    # Update and install the base software
    - name: Update apt package cache.
      apt:
        update_cache: yes
        cache_valid_time: 600

    - name: Upgrade installed apt packages.
      apt:
        upgrade: dist
      register: upgrade

    - name: Ensure that a base set of software packages are installed.
      apt:
        pkg:
          - build-essential
          - curl
          - fail2ban
          - firewalld
          - git
          - htop
          - needrestart
          - net-tools
          - pwgen
          - resolvconf
          - rsync
          - sudo
          - unbound
          - unzip
          - vim-nox
        state: latest

    - name: Check if a reboot is needed for Debian-based systems
      stat:
        path: /var/run/reboot-required
      register: reboot_required

    # Host Setup
    - name: Set static hostname
      hostname:
        name: "{{ inventory_hostname_short }}"

    - name: Add FQDN to /etc/hosts
      lineinfile:
        dest: /etc/hosts
        regexp: '^127\.0\.1\.1'
        line: "127.0.1.1 {{ inventory_hostname }} {{ inventory_hostname_short }}"
        state: present

    - name: Check if cloud init is installed.
      stat: path="/etc/cloud/templates/hosts.debian.tmpl"
      register: cloud_installed

    - name: Add FQDN to /etc/cloud/templates/hosts.debian.tmpl
      lineinfile:
        dest: /etc/cloud/templates/hosts.debian.tmpl
        regexp: '^127\.0\.1\.1'
        line: "127.0.1.1 {{ inventory_hostname }} {{ inventory_hostname_short }}"
        state: present
      when: cloud_installed.stat.exists

    - name: Set timezone.
      timezone:
        name: "{{ tmzone }}"
      notify:
        - restart cron

    - name: Set ssh port port number
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: 'Port '
        line: 'Port {{ ssh_port }}'
        state: present
      notify:
        - restart sshd

    # Set sudo password timeout (default is 15 minutes)
    - name: Set sudo password timeout.
      lineinfile:
        path: /etc/sudoers
        regexp: '^Defaults\tenv_reset'
        line: 'Defaults    env_reset, timestamp_timeout={{ sudo_timeout }}'
        validate: '/usr/sbin/visudo -cf %s'

    - name: Create/update regular user with sudo privileges.
      user:
        name: "{{ user }}"
        password: "{{ user_passwd | password_hash('sha512') }}"
        groups: sudo
        append: true
        shell: /bin/bash

    - name: Ensure authorized keys for remote user is installed.
      authorized_key:
        user: "{{ user }}"
        key: "{{ ssh_pub_key }}"

    - name: Ensure authorized key for root user is installed.
      authorized_key:
        user: root
        key: "{{ ssh_pub_key }}"

    - name: Update root user password.
      user:
        name: root
        password: "{{ root_passwd | password_hash('sha512') }}"

    - name: Disable root password login via SSH.
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PermitRootLogin'
        line: 'PermitRootLogin prohibit-password'
      notify:
        - restart sshd

    - name: Disable tunneled clear-text passwords.
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PasswordAuthentication'
        line: 'PasswordAuthentication no'
      notify:
        - restart sshd

    - name: Configure user .vimrc.
      copy:
        dest: /home/{{ user }}/.vimrc
        content: "{{ vimrc }}"
        owner: "{{ user }}"
        group: "{{ user }}"
        mode: 0644

    - name: Configure root .vimrc.
      copy:
        dest: /root/.vimrc
        content: "{{ vimrc }}"
        owner: root
        group: root
        mode: 0644

    - name: Configure user 2-line prompt and .bashrc aliases.
      blockinfile:
        path: /home/{{ user }}/.bashrc
        block: |
          PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\n\$ '
          alias l='ls -CF'
          alias la='ls -AF'
          alias ll='ls -alF'

    - name: Configure root 2-line prompt and .bashrc aliases.
      blockinfile:
        path: /root/.bashrc
        block: |
          PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\n\$ '
          export LS_OPTIONS='--color=auto'
          eval "`dircolors`"
          alias ls='ls $LS_OPTIONS'
          alias l='ls -CF'
          alias la='ls -AF'
          alias ll='ls -alF'

    # Configure a firewall, using firewalld
    - name: "Check if the firewalld public zone is active for interface: {{ ansible_default_ipv4.interface }}."
      command: firewall-cmd --get-zone-of-interface={{ ansible_default_ipv4.interface }}
      register: zone_status
      failed_when: zone_status.rc != 0 and zone_status.rc != 2
      changed_when: zone_status.rc == 2

    - name: Set the default firewalld public zone to active if not already active.
      command: firewall-cmd --permanent --zone=public --change-interface={{ ansible_default_ipv4.interface }}
      when: '"public" not in zone_status.stdout'
      notify:
        - restart firewalld

    - name: Enable the firewalld ssh port (which may be different than port 22).
      firewalld:
        zone: public
        port: "{{ ssh_port }}/tcp"
        state: enabled
        permanent: yes
      notify:
        - restart firewalld

    - name: Disable firewalld dhcpv6-client and ssh service.
      firewalld:
        zone: public
        service: "{{ item }}"
        state: disabled
        permanent: yes
      with_items:
        - dhcpv6-client
        - ssh
      notify:
        - restart firewalld

    - name: Configure fail2ban local jail.
      copy:
        dest: /etc/fail2ban/jail.local
        content: "{{ f2b_jail_local }}"
        owner: root
        group: root
        mode: 0644
      notify:
        - restart fail2ban

    # simple shell script to display fail2ban-client status info;
    # example usage:
    #   f2bst
    #   f2bst sshd
    - name: Create f2bst shell script.
      copy:
        dest: /usr/local/bin/f2bst
        content: |
          #!/usr/bin/sh
          fail2ban-client status $*
        owner: root
        group: root
        mode: 0755

    - name: Check if any services needs to be restarted.
      command: needrestart -r a
      when: upgrade.changed and reboot_required.stat.exists == false

    - name: Configure static networking
      copy:
        src: etc/network/interfaces
        dest: /etc/network/interfaces
        owner: root
        group: root
        mode: 0644
      when: cfg_static_network == true
      notify:
        - restart networking

    - name: Reboot the server if needed.
      reboot:
        msg: "Reboot initiated by Ansible because of reboot required file."
        connect_timeout: 5
        reboot_timeout: 600
        pre_reboot_delay: 0
        post_reboot_delay: 30
        test_command: whoami
      when: reboot_required.stat.exists

    - name: Remove old packages from the cache.
      apt:
        autoclean: yes

    - name: Remove dependencies that are no longer needed.
      apt:
        autoremove: yes
        purge: yes

  handlers:
    - name: restart cron
      service:
        name: cron
        state: restarted
      when: reboot_required.stat.exists == false

    - name: restart fail2ban
      service:
        name: fail2ban
        state: restarted
      when: reboot_required.stat.exists == false

    - name: restart sshd
      service:
        name: sshd
        state: restarted
      when: reboot_required.stat.exists == false

    - name: restart firewalld
      service:
        name: firewalld
        state: restarted

    - name: restart networking
      service:
        name: networking
        state: restarted
      when: reboot_required.stat.exists == false

You can read the Ansible Documentation to learn more about Ansible.

You should only have to update the vars: section to change the settings for your specific situation. Most likely, you will want to set the client IP and timezone.

Conclusion

In this guide, we have introduced Ansible for automating the initial Debian server setup. This is very useful for deploying or redeploying a server after testing an application. It also creates a solid foundation for creating a web, database, or email server.

Introduction This guide will show you how to automate the initial Debian 11 Bullseye server configuration with Ansible. Ansible is a software tool that automates the configuration of one or more remote nodes from a local control node. The local node can be another Linux system, a Mac, or a Windows PC. If you are using a Windows PC, you can install Linux using the Windows Subsystem for Linux. This guide will focus on using a Mac as the control node to set up a fresh Rcs Debian 11 server. The Debian 11 Ansible setup playbook is listed at the end of this guide. In addition, instructions are provided on how to install and use it. It takes a little work to set up and start using Ansible, but once it is set up and you become familiar with it, using Ansible will save a lot of time and effort. For example, you may want to experiment with different applications. Using the Ansible setup playbook described in this guide, you can quickly reinstall your Debian 11 instance and then run the playbook to configure your base server. This playbook is a good base for installing web servers, database servers, or email servers. We will use a single Ansible playbook that will do the following: Replace the UFW firewall with firewalld & nftables. Upgrade installed apt packages. Install a base set of useful software packages. Set a fully qualified domain name (FQDN). Set the timezone. Set the SSH port number. Set sudo password timeout. Create a regular user with sudo privileges. Install SSH Keys for the new regular user. Ensure authorized key for root user is installed. Update/Change the root user password. Disable password authentication for root. Disable tunneled clear-text passwords. Create a .vimrc resource file that disables vi visual mode for root and the user. Create a 2-line prompt and bash ls aliases for root and the user. Set up a local DNS resolver, using Unbound. Configure a firewall, using firewalld and nftables. Configure brute force mitigation using fail2ban. Optionally configure static IP networking. Reboot or restart services as needed. Nftables is the default and recommended firewall framework since Debian Buster. However, legacy iptables syntax is still supported via a iptables-nft layer. Under the hood, UFW still uses the iptables syntax. This Ansible playbook will replace UFW with an nftables ruleset for the server firewall. At the user level, the nftables ruleset is created and managed with firewalld. A local DNS resolver is created by installing the unbound package using the default installed configuration. It provides a local DNS recursive resolver, and the results are cached. This is important if you want to run an email server with DNS blacklist (DNSBL) lookups. Some DNSBL services will not work with a public DNS resolver because they limit the number of queries from a server IP. If you have configured additional IPs in the Rcs control panel, you can use this playbook to install an updated network interfaces file (/etc/network/interfaces). By default, the Configure static networking playbook task is disabled. Prerequisites A Rcs server with a freshly installed Debian 11 instance. A local Mac, Windows with WSL, or Linux system. This guide focuses on Mac, but the procedures are similar for any Linux control node. If using a Mac, Homebrew should be installed. A previously generated SSH Key for the Rcs host, and the SSH public key should be installed for the root user. Ansible 2.9.x, or later stable version. This guide is tested with Ansible version 2.9.26 on a Mac, installed via Homebrew. 1. Install Ansible on the Local System For this guide, we are using the Ansible 2.9.x Red Hat released version. Using a Mac with Homebrew installed: $ brew install ansible@2.9 $ brew link --force --overwrite ansible@2.9 This will install Ansible along with all the required dependencies, including python version 3.9.x. You can quickly test your installation by doing: $ ansible --version ansible 2.9.26 config file = /Users/george/.ansible.cfg configured module search path = ['/Users/george/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules'] ansible python module location = /usr/local/Cellar/ansible@2.9/2.9.26/libexec/lib/python3.9/site-packages/ansible executable location = /usr/local/bin/ansible python version = 3.9.7 (default, Sep 3 2021, 12:37:55) [Clang 12.0.5 (clang-1205.0.22.9)] Create a Simple Ansible Configuration Create the .ansible.cfg configuration file in the user home directory. This tells Ansible how to locate the host's inventory file. Add the following content to ~/.ansible.cfg: [defaults] inventory = /Users/user/ansible/hosts.yml interpreter_python = auto Be sure to replace user with your actual user name. Create the folder to store the hosts.yml hosts inventory file: $ mkdir ~/ansible $ cd ~/ansible Of course, you can put it anywhere you want to and give it any name. Just make sure that your .ansible.cfg file points to the correct location. Add the following content to ~/ansible/hosts.yml: all: vars: ansible_python_interpreter: /usr/bin/python3 ansible_become: yes ansible_become_method: sudo children: vultr: hosts: host.example.com: user: user user_passwd: "{{ host_user_passwd }}" root_passwd: "{{ host_root_passwd }}" ssh_pub_key: "{{ lookup('file', '~/.ssh/host_ed25519.pub') }}" ansible_become_pass: "{{ host_user_passwd }}" cfg_static_network: false vmware: hosts: debian1.local: user: george user_passwd: "{{ db1_user_passwd }}" root_passwd: "{{ db1_root_passwd }}" ssh_pub_key: "{{ lookup('file', '~/.ssh/db1_ed25519.pub') }}" ansible_become_pass: "{{ db1_user_passwd }}" cfg_static_network: true The first block defines Ansible variables that are global to the host's inventory file. Hosts are listed under children groups. Replace host with your actual host name. The vmware group shows a working example for setting up a VMware host on my Mac. The user is the regular user to be created. The host_user_passwd and host_root_passwd are the user and root passwords that are stored in an Ansible vault, described below. ssh_pub_key points to the SSH public key for the Rcs host. The ansible_become lines provide the ability for the newly created user to execute sudo commands in future Ansible playbooks. The cfg_static_network is a boolean variable that is set to true if you are configuring static networking in /etc/network/interfaces. Unless you have specifically created a static networking configuration, you should leave this set to false. Configuring a static network is beyond the scope of this guide; I will describe how to create a static network in a future guide. Using the Ansible Vault Create the directory for the Ansible password vault and setup playbook: $ mkdir -p ~/ansible/debian $ cd ~/ansible/debian Create the Ansible password vault: $ ansible-vault create passwd.yml New Vault password: Confirm New Vault password: This will start up your default system editor. Add the following content: host_user_passwd: ELqZ9L70SSOTjnE0Jq host_root_passwd: tgM2Q5h8WCeibIdJtd Replace host with your actual hostname and generate your own secure passwords, then save and exit your editor. This creates an encrypted file that only Ansible can read. You can add other host passwords to the same files. pwgen is a very handy tool that you can use to generate secure passwords. Install it on a Mac via Homebrew: brew install pwgen. Use it as follows: $ pwgen -s 18 2 ELqZ9L70SSOTjnE0Jq tgM2Q5h8WCeibIdJtd You can view the contents of the ansible-vault file with: $ ansible-vault view passwd.yml Vault password: You can edit the file with: $ ansible-vault edit passwd.yml Vault password: 2. Create an SSH Config File for the Rcs Host Next, we need to define the Rcs hostname and SSH port number that Ansible will use to connect to the remote host. The SSH configuration for the server host is stored in ~/.ssh/config. An example configuration on a Mac looks like: Host * AddKeysToAgent yes UseKeychain yes IdentitiesOnly yes AddressFamily inet Host host.example.com host Hostname host.example.com Port 22 User user IdentityFile ~/.ssh/host_ed25519 Using the SSH config file, you can change the default SSH port number if changed by the Ansible playbook. The playbook is always executed the first time with SSH port 22. If the SSH port number is changed by the playbook, then the SSH port number in the SSH config file needs to be changed after the playbook runs or during a server reboot initiated by the playbook. With this SSH configuration file, you can use a shorthand host name to log into the server. For the user login: $ ssh host For the root login: $ ssh root@host UserKeychain is specific to macOS. It stores the SSH public key in the macOS key chain. host.example.com is your Rcs server FQDN (Fully Qualified Domain Name) that needs to be defined in your DNS or /etc/hosts file on your local system. Port 22 is optional, but required if you define a non-standard SSH port. Important: Install your SSH Key for the root user if you have not done so already: $ ssh-copy-id -i ~/.ssh/host_ed25519 root@host Verify that you can log in without using a password. Note: If you reinstall your Rcs instance, be sure to delete your Rcs hostname from ~/.ssh/known_hosts on your local control node. Otherwise, you will see an SSH error when you try to log into your reinstalled host. The hostname is added to this file during the first login attempt: $ ssh root@ap1 The authenticity of host 'ap1.example.com (192.0.2.22)' can't be established. ECDSA key fingerprint is SHA256:oNczYD+xuXx0L6CM17Ciy+DWu3jOEbfVclIj9wUT7Y8. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Answer yes to the question. If you don't delete the hostname from this file after reinstalling your instance, you will see an error like: $ ssh root@ap1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! o o o If this happens, just delete the line entered for your hostname in the known_hosts file and run the ssh command again. 3. Test Your SSH/Ansible Configuration Before running the setup Ansible playbook, we need to verify that Ansible is working correctly, that you can access your Ansible vault, and connect to your Rcs host. First, verify that Ansible is installed correctly on a Mac: $ ansible --version ansible 2.9.26 config file = /Users/user/.ansible.cfg o o o This is the latest version of Ansible on a Mac/Homebrew when this guide was written. Run this command to test your Ansible and SSH configuration: $ cd ~/ansible/debian $ ansible -m ping --ask-vault-pass --extra-vars '@passwd.yml' vultr -u root Vault password: host.example.com | SUCCESS => { "changed": false, "ping": "pong" } If you see the above output, then everything is working fine. If not, go back and double-check all your SSH and Ansible configuration settings. Start by verifying that you can execute: $ ssh root@host You should be able to log in without a password, because you have installed your SSH key for root. 4. Running the Ansible Debian Server Configuration Playbook You are ready to run the playbook; when you execute the playbook, you will be prompted for your vault password. The playbook will execute a number of tasks with a PLAY RECAP at the end. You can rerun the playbook multiple times; you may want to change something like the SSH port number, for example. It will only execute tasks when needed. Be sure to update variables at the beginning of the playbook, such as your SSH port number and your local client IP address, before running the playbook. Setting your local client IP address prevents you from being accidentally locked out by fail2ban. You can easily determine your client IP address by logging into your host and executing the who command: root@host:~# who root pts/1 2021-10-11 20:24 (192.0.2.22) Your client IP address, 192.0.2.22, will be listed in the output. We are finally ready to run the Ansible playbook, which I listed below. Be sure that you are in the ~/ansible/debian directory. This is the command to run: $ ansible-playbook --ask-vault-pass --extra-vars '@passwd.yml' setup-pb.yml -l vultr -u root Vault password: Depending on the speed of your Mac, it may take a few seconds to start up. If it completes successfully, you will see PLAY RECAP like: PLAY RECAP ************************************************************************************************************************* ap1.example.com : ok=38 changed=27 unreachable=0 failed=0 skipped=5 rescued=0 ignored=0 The most important thing to note is that there should be no failed tasks. Next, I will describe some basic tests that you can run to verify your server setup. 5. Debian 11 Bullseye Server Verification After successfully executing the Ansible setup playbook, here are some basic tests that you can run to verify your server setup. I will show some real-life examples with the server host that I used to test the setup playbook (my local hostname is ap1 and user name is george). Verify your user login Verify that you can log into your new user account using your host's public SSH key: ╭─george@imac1 ~/ansible/debian ╰─$ ssh ap1 Linux ap1 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 (2021-09-30) x86_64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. george@ap1:~ $ Note the two-line prompt. The first line shows user@host and the current directory. Now, note how the l, la, and ls LS aliases work and the presence of the .vimrc file: george@ap1:~ $ touch tmpfile george@ap1:~ $ l tmpfile george@ap1:~ $ la .bash_logout .bashrc .profile .ssh/ tmpfile .vimrc george@ap1:~ $ ll total 28 drwxr-xr-x 3 george george 4096 Oct 11 15:50 ./ drwxr-xr-x 3 root root 4096 Oct 11 15:34 ../ -rw-r--r-- 1 george george 220 Jun 21 21:26 .bash_logout -rw-r--r-- 1 george george 3746 Oct 11 15:34 .bashrc -rw-r--r-- 1 george george 807 Jun 21 21:26 .profile drwx------ 2 george george 4096 Oct 11 15:34 .ssh/ -rw-r--r-- 1 george george 0 Oct 11 15:50 tmpfile -rw-r--r-- 1 george george 13 Oct 11 15:34 .vimrc george@ap1:~ $ cat .vimrc set mouse-=a The .vimrc set mouse-=a option turns off the VI visual mode, which makes it possible to use your mouse to select and copy a block of text in a VI window. Verify your user password Even though you use an SSH public key to log in to your user account, you still need to use your user password with the sudo command. For example, use the sudo command to change to the root account. Enter your user password when prompted: george@ap1:~ $ sudo -i We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility. [sudo] password for george: root@ap1:~ # root@ap1:~ # exit logout george@ap1:~ $ That sudo message appears the first time the sudo command is used. Verify the root password While in your user account, you can also use su - to change to the root account. One difference is that you will have to enter your root password: george@ap1:~ $ su - Password: root@ap1:~ # Verify your hostname While we are in the root account, let's verify our hostname and some other features that the playbook set up for us: root@ap1:~ # hostname ap1 root@ap1:~ # hostname -f ap1.example.com root@ap1:~ # date Mon 11 Oct 2021 04:44:09 PM CDT Here we verified both the short and FQDN hostnames. With the date command, verify that the timezone is set correctly. Verify the Unbound local DNS caching resolver An in-depth discussion of Unbound is beyond the scope of this guide; however, I can provide a few quick tests to verify that the default Unbound local DNS caching resolver configuration is working. We will use the dig command. To verify that the resolver is working, do, for example: root@ap1:~ # dig +noall +answer +stats example.com example.com. 3600 IN A 192.0.2.22 ;; Query time: 40 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Mon Oct 11 16:56:48 CDT 2021 ;; MSG SIZE rcvd: 58 Note that the server address is 127.0.0.1. Also, note the TTL (Time To Live). For this example, the TTL is 3600 seconds. Also, note the Query time, 40 msec. Now execute the same command again: root@ap1:~ # dig +noall +answer +stats example.com example.com. 3426 IN A 192.0.2.22 ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Mon Oct 11 16:59:42 CDT 2021 ;; MSG SIZE rcvd: 58 The Query time should be at or near 0 msec because the second query result came from our local cache. The cached result will remain active for the time-to-live interval, which, as you can see, is counting down. Some email blacklist servers will rate-limit your access to their pre-defined DNS resolvers. This could cause issues when using a public DNS resolver. For example, when executing the following dig command, you should see "permanent testpoint" when using a local DNS resolver. root#ap1:~ # dig test.uribl.com.multi.uribl.com txt +short "permanent testpoint" If you were using a public DNS resolver, you would see a failure like this after you first create your Rcs instance, but have not executed the setup playbook: root@ap1:~# dig test.uribl.com.multi.uribl.com txt +short "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 192.0.2.22]" You can have a look at that URL is read more about this topic. Verify fail2ban and firewalld SSH port protection This set of tests will verify that fail2ban and firewalld are integrated together to protect your SSH port. If you are using the default port 22, it will not take long for attackers to attempt to log in to your server. Their login attempt will fail, and fail2ban will take note of the failure. If there are multiple failed attempts in a short period of time as noted in your fail2ban configuration, fail2ban will ban the IP for the time that you configured in your fail2ban configuration. Fail2ban will notify firewalld to block the IP for the duration of the ban. To see the current fail2ban status, you can execute fail2ban-client status sshd, or f2bst sshd to save some typing: root@ap1:~ # f2bst sshd Status for the jail: sshd |- Filter | |- Currently failed: 1 | |- Total failed: 4 | `- File list: /var/log/auth.log `- Actions |- Currently banned: 1 |- Total banned: 3 `- Banned IP list: 192.0.2.123 This output shows that there is currently one failed login attempt. There have been a total of four failures. Of those failed attempts, three IP addresses met the criteria to be banned. There is currently one IP that is being actively banned. You can execute the following firewalld command to get a quick view of the firewalld status: root@ap1:~ # firewall-cmd --list-all public (active) target: default icmp-block-inversion: no interfaces: enp1s0 sources: services: ports: 22/tcp protocols: forward: no masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: rule family="ipv4" source address="192.0.2.22" port port="22" protocol="tcp" reject type="icmp-port-unreachable" A complete discussion of firewalld is beyond the scope of this guide. However, from the above output, it's important to note the "public zone" is active. Our SSH TCP port 22 is allowed and all other ports are blocked. Also, a "rich rule" has been created to block the IP that fail2ban marked to be banned. This rule will be deleted when fail2ban clears the IP ban. To just list the rich rules, you can execute: root@ap1:~ # firewall-cmd --list-rich-rules rule family="ipv4" source address="192.0.2.22" port port="22" protocol="tcp" reject type="icmp-port-unreachable" 6. Debian 11 Bullseye Ansible Set-Up Playbook Listing This is the setup-pb.yml playbook to create in the ~/ansible/debian directory: # Initial server setup # --- - hosts: all become: true vars: ssh_port: "22" my_client_ip: 192.0.2.22 tmzone: America/Chicago sudo_timeout: 20 vimrc: | set mouse-=a f2b_jail_local: | [DEFAULT] banaction = firewallcmd-rich-rules[actiontype=] banaction_allports = firewallcmd-rich-rules[actiontype=] ignoreip = 127.0.0.1/8 ::1 {{ my_client_ip }} findtime = 15m bantime = 2h maxretry = 5 [sshd] enabled = true maxretry = 3 port = {{ ssh_port }} tasks: # Stop and disable ufw before installing firewalld ... - name: Check if ufw is installed. stat: path="/usr/sbin/ufw" register: ufw_installed - name: Check if ufw status is active. command: ufw status changed_when: False register: ufw_status when: ufw_installed.stat.exists - name: Disable ufw ruleset if ufw is installed and active. ufw: state: reset when: ufw_installed.stat.exists and 'inactive' not in ufw_status.stdout - name: Flush any existing (ufw) nftables ruleset. command: nft flush ruleset when: ufw_installed.stat.exists and 'inactive' not in ufw_status.stdout - name: Stop and disable the ufw service. service: name: ufw state: stopped enabled: no when: ufw_installed.stat.exists # Update and install the base software - name: Update apt package cache. apt: update_cache: yes cache_valid_time: 600 - name: Upgrade installed apt packages. apt: upgrade: dist register: upgrade - name: Ensure that a base set of software packages are installed. apt: pkg: - build-essential - curl - fail2ban - firewalld - git - htop - needrestart - net-tools - pwgen - resolvconf - rsync - sudo - unbound - unzip - vim-nox state: latest - name: Check if a reboot is needed for Debian-based systems stat: path: /var/run/reboot-required register: reboot_required # Host Setup - name: Set static hostname hostname: name: "{{ inventory_hostname_short }}" - name: Add FQDN to /etc/hosts lineinfile: dest: /etc/hosts regexp: '^127\.0\.1\.1' line: "127.0.1.1 {{ inventory_hostname }} {{ inventory_hostname_short }}" state: present - name: Check if cloud init is installed. stat: path="/etc/cloud/templates/hosts.debian.tmpl" register: cloud_installed - name: Add FQDN to /etc/cloud/templates/hosts.debian.tmpl lineinfile: dest: /etc/cloud/templates/hosts.debian.tmpl regexp: '^127\.0\.1\.1' line: "127.0.1.1 {{ inventory_hostname }} {{ inventory_hostname_short }}" state: present when: cloud_installed.stat.exists - name: Set timezone. timezone: name: "{{ tmzone }}" notify: - restart cron - name: Set ssh port port number lineinfile: dest: /etc/ssh/sshd_config regexp: 'Port ' line: 'Port {{ ssh_port }}' state: present notify: - restart sshd # Set sudo password timeout (default is 15 minutes) - name: Set sudo password timeout. lineinfile: path: /etc/sudoers regexp: '^Defaults\tenv_reset' line: 'Defaults env_reset, timestamp_timeout={{ sudo_timeout }}' validate: '/usr/sbin/visudo -cf %s' - name: Create/update regular user with sudo privileges. user: name: "{{ user }}" password: "{{ user_passwd | password_hash('sha512') }}" groups: sudo append: true shell: /bin/bash - name: Ensure authorized keys for remote user is installed. authorized_key: user: "{{ user }}" key: "{{ ssh_pub_key }}" - name: Ensure authorized key for root user is installed. authorized_key: user: root key: "{{ ssh_pub_key }}" - name: Update root user password. user: name: root password: "{{ root_passwd | password_hash('sha512') }}" - name: Disable root password login via SSH. lineinfile: path: /etc/ssh/sshd_config regexp: '^#?PermitRootLogin' line: 'PermitRootLogin prohibit-password' notify: - restart sshd - name: Disable tunneled clear-text passwords. lineinfile: path: /etc/ssh/sshd_config regexp: '^#?PasswordAuthentication' line: 'PasswordAuthentication no' notify: - restart sshd - name: Configure user .vimrc. copy: dest: /home/{{ user }}/.vimrc content: "{{ vimrc }}" owner: "{{ user }}" group: "{{ user }}" mode: 0644 - name: Configure root .vimrc. copy: dest: /root/.vimrc content: "{{ vimrc }}" owner: root group: root mode: 0644 - name: Configure user 2-line prompt and .bashrc aliases. blockinfile: path: /home/{{ user }}/.bashrc block: | PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\n\$ ' alias l='ls -CF' alias la='ls -AF' alias ll='ls -alF' - name: Configure root 2-line prompt and .bashrc aliases. blockinfile: path: /root/.bashrc block: | PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\n\$ ' export LS_OPTIONS='--color=auto' eval "`dircolors`" alias ls='ls $LS_OPTIONS' alias l='ls -CF' alias la='ls -AF' alias ll='ls -alF' # Configure a firewall, using firewalld - name: "Check if the firewalld public zone is active for interface: {{ ansible_default_ipv4.interface }}." command: firewall-cmd --get-zone-of-interface={{ ansible_default_ipv4.interface }} register: zone_status failed_when: zone_status.rc != 0 and zone_status.rc != 2 changed_when: zone_status.rc == 2 - name: Set the default firewalld public zone to active if not already active. command: firewall-cmd --permanent --zone=public --change-interface={{ ansible_default_ipv4.interface }} when: '"public" not in zone_status.stdout' notify: - restart firewalld - name: Enable the firewalld ssh port (which may be different than port 22). firewalld: zone: public port: "{{ ssh_port }}/tcp" state: enabled permanent: yes notify: - restart firewalld - name: Disable firewalld dhcpv6-client and ssh service. firewalld: zone: public service: "{{ item }}" state: disabled permanent: yes with_items: - dhcpv6-client - ssh notify: - restart firewalld - name: Configure fail2ban local jail. copy: dest: /etc/fail2ban/jail.local content: "{{ f2b_jail_local }}" owner: root group: root mode: 0644 notify: - restart fail2ban # simple shell script to display fail2ban-client status info; # example usage: # f2bst # f2bst sshd - name: Create f2bst shell script. copy: dest: /usr/local/bin/f2bst content: | #!/usr/bin/sh fail2ban-client status $* owner: root group: root mode: 0755 - name: Check if any services needs to be restarted. command: needrestart -r a when: upgrade.changed and reboot_required.stat.exists == false - name: Configure static networking copy: src: etc/network/interfaces dest: /etc/network/interfaces owner: root group: root mode: 0644 when: cfg_static_network == true notify: - restart networking - name: Reboot the server if needed. reboot: msg: "Reboot initiated by Ansible because of reboot required file." connect_timeout: 5 reboot_timeout: 600 pre_reboot_delay: 0 post_reboot_delay: 30 test_command: whoami when: reboot_required.stat.exists - name: Remove old packages from the cache. apt: autoclean: yes - name: Remove dependencies that are no longer needed. apt: autoremove: yes purge: yes handlers: - name: restart cron service: name: cron state: restarted when: reboot_required.stat.exists == false - name: restart fail2ban service: name: fail2ban state: restarted when: reboot_required.stat.exists == false - name: restart sshd service: name: sshd state: restarted when: reboot_required.stat.exists == false - name: restart firewalld service: name: firewalld state: restarted - name: restart networking service: name: networking state: restarted when: reboot_required.stat.exists == false You can read the Ansible Documentation to learn more about Ansible. You should only have to update the vars: section to change the settings for your specific situation. Most likely, you will want to set the client IP and timezone. Conclusion In this guide, we have introduced Ansible for automating the initial Debian server setup. This is very useful for deploying or redeploying a server after testing an application. It also creates a solid foundation for creating a web, database, or email server.

Was this answer helpful?
Back

Powered by WHMCompleteSolution