This role bootstraps a (new) server into existence. It installs and tightens a firewall, hardens SSH and modifies GRUB. The main focus is on hardening a fresh server installation.
Available variables are listed below alphabetically, along with default values.
bootstrap_alternatives: A list with alternatives, to manage symbolic links using the update-alternatives tool. Example:
  - link: /usr/bin/pip
    name: pip
    path: /usr/bin/pip3
bootstrap_commands: A list with commands that will be executed on the host as the last step of the bootstrap role. Example:
- "sudo /usr/bin/"
bootstrap_directories: A list with directories and files that will be created along with permissions, owner and group. Example:
  - path: /var/git
    mode: "2660"
    owner: root
    group: git
  - path: /tmp/empty
    mode: "0777"
    owner: root
    group: root
    state: touch
bootstrap_files: A list with files that will be copied to the target machine. Example:
  - src:
    dest: /tmp/
    mode: "0755"
This will only be provisioned when the files tag is used.
bootstrap_git_repositories: A list with common git repositories that will be cloned. Example:
  - repo:
    dest: /var/git/security-scripts
    version: master
Note that when this variable is set, the git package needs to be installed, or be part of the bootstrap_packages list.
bootstrap_groups: A list with user groups that will be added by default. Optionally the system parameter can be set, to denote whether it's a system group or not. The defaults can be found in defaults/main.yml
  - name: sudo
    system: yes
bootstrap_groups_remove: A list with groups that will be removed by default. The defaults can be found in defaults/main.yml
  - bluetooth
bootstrap_locale: The locale to use (e.g. en_US.UTF-8). If not set, it will default to en_US.UTF-8. Example: bootstrap_locale: "en_US.UTF-8"
Note that this needs the locale package to function properly. If the package isn't available, the role will still continue.
bootstrap_mounts: A list of mounts that will be added to the mount file. Example:
  - path: /home/peter/demos
    src: demos
    fstype: vboxsf
    opts: auto,rw,uid=1000,gid=1000
    state: present
This will only be provisioned when the mounts tag is used.
bootstrap_reboot_allowed: Whether Ansible is allowed to perform a reboot, if the kernel version has changed, or when the network has become 'unresponsive' (for instance after a hostname change). The default is false.
bootstrap_users: A nested list of users to add, with their SSH key and, optionally, an encrypted password, git repos to install (e.g. dotfiles), and installers to run (e.g. setting up symlinks). Example:
  - name: apenut
    comment: "Ape Nut"
      - git
      - sudo
    password: "$6$Qpc015eEs$4Eav1QM.omXm8bD7DFOTNQx6L3SG47vDT8JuMfW15e5gNbgq/C6D/7ZRdH4qoGLi0AW/HBWjJ/pm1thSQPK.e0"
    shell: "/bin/bash"
    repos:
      - src:
        dest: /home/apenut/.dotfiles
        version: master
    installers:
      - command: /home/apenut/.dotfiles/
If you don't want to add a password, repositories or installer scripts, you can also omit the password value and leave the repos and installers variables empty. The rest of the variables are required per user though.
  - name: apenut
    comment: "Ape Nut"
      - git
      - sudo
    shell: "/bin/bash"
    repos: []
    installers: []
bootstrap_packages: A list with packages that will be installed by default. The defaults can be found in defaults/main.yml
  - git
  - python3-pip
  - sudo
  - ufw
bootstrap_packages_remove: A list with packages that will be removed by default. The defaults can be found in defaults/main.yml
  # packages not needed on bare metal
  - acpid
  - bluez
  - crda
  - discover
  - discover-data
  - eject
  - iw
  - laptop-detect
  - powertop
  - task-laptop
  - wireless-regdb
  - wireless-tools
  - wpasupplicant
  # several superfluous packages
  - console-setup
  - cups
  - dictionaries-common
  - installation-report
  - iso-codes
  - ispell
  - krb5-locales
  - man-db
  - manpages
  - nano
  - shared-mime-info
  - task-english
  - util-linux-locales
  - wamerican
  - xkb-data
  - xz-utils
bootstrap_pip_packages: A list with pip packages that will be installed globally by default. Example:
  - ansible
Note that pip (e.g. python3-pip) needs to be installed for this, so don't forget to add that to the bootstrap_packages list.
bootstrap_pip_version: The version of pip to be used. This defaults to pip3 when not specified, but can be overridden.
bootstrap_ufw_tcp_allow: A list of TCP ports that will be opened up in the firewall. It defaults to port 22 only. Example:
- "22"
- "80"
- "443"
Note that when this variable is set, the ufw package needs to be installed, or be part of the bootstrap_packages list.
bootstrap_url_packages: A list of URLs that will be installed as packages. Example:
grub_settings: A list of name / value pairs that will be applied to the GRUB config file. The defaults can be found in defaults/main.yml
  - name: "GRUB_TIMEOUT"
    value: "0"
    value: "0"
sshd_moduli_remove: A list of moduli values that will be removed from the /etc/ssh/moduli list. The defaults can be found in defaults/main.yml
- 1023
- 1535
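An added example (not the role's own code) of what pruning /etc/ssh/moduli by the sizes in sshd_moduli_remove amounts to. It assumes the standard moduli line layout (time, type, tests, trials, size, generator, modulus), where the size field is the group's bit length minus one, so 1023 and 1535 are the 1024-bit and 1536-bit groups; the sample file content is constructed.

```python
# Added example: drop Diffie-Hellman groups from a moduli file by their
# "size" field, as sshd_moduli_remove describes. Assumed line layout:
#   time type tests trials size generator modulus
from typing import Iterable, List

# Constructed sample of a moduli file: a header comment, a 1024-bit group
# (size 1023), a 1536-bit group (size 1535) and two larger groups to keep.
SAMPLE_MODULI = """\
# Time Type Tests Tries Size Generator Modulus
20200101000000 2 6 100 1023 2 F0E1D2C3B4A5968778695A4B3C2D1E0F
20200101000100 2 6 100 1535 5 0123456789ABCDEF0123456789ABCDEF
20200101000200 2 6 100 2047 2 FEDCBA9876543210FEDCBA9876543210
20200101000300 2 6 100 4095 5 0F1E2D3C4B5A69788796A5B4C3D2E1F0
"""

DEFAULT_REMOVE = (1023, 1535)  # the role's documented defaults


def filter_moduli(text: str, remove: Iterable[int] = DEFAULT_REMOVE) -> List[str]:
    """Return the moduli lines to keep; comments and blank lines pass through."""
    remove_set = {int(s) for s in remove}
    kept = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(line)
            continue
        fields = stripped.split()
        if len(fields) != 7 or not fields[4].isdigit():
            raise ValueError(f"unexpected moduli line: {line!r}")
        if int(fields[4]) in remove_set:
            continue  # group size is on the removal list: drop it
        kept.append(line)
    return kept


def remaining_sizes(lines: List[str]) -> List[int]:
    """Size fields of the groups that survived, in file order."""
    return [int(l.split()[4]) for l in lines if l.strip() and not l.startswith("#")]


if __name__ == "__main__":
    for line in filter_moduli(SAMPLE_MODULI):
        print(line)
```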
timezone: The timezone for the machine. The default can be found in defaults/main.yml
timezone: Etc/UTC
bootstrap_templates: A list with templates that will be applied and deployed. The defaults can be found in defaults/main.yml
  - src: hosts.j2
    dest: /etc/hosts
    mode: "0644"
  - src: issue.ssh.j2
    dest: /etc/issue.ssh
    mode: "0644"
  - src: locale.j2
    dest: /etc/default/locale
    mode: "0644"
  - src: sshd_config.j2
    dest: /etc/ssh/sshd_config
    mode: "0644"
The following templates will be applied and deployed by default:
The template templates/hosts.j2 will be copied to the host. The list of IP - name pairs in the variable bootstrap_hostsfile will be deployed. Example:
  - ip:
    name: mywebsite
The template templates/issue.ssh.j2 will be copied to the host, and applied as SSH banner using the company variable. Change the text to something that applies to you(r company). The default can be found in defaults/main.yml
company: "Go Forward"
The template templates/locale.j2 will be copied to the host, and contains the correct bootstrap_locale string(s).
The following (Jinja) variables will be applied to the SSH daemon template file in templates/sshd_config.j2. The defaults can be found in defaults/main.yml
sshd_acceptenv: LANG LC_*
sshd_banner: /etc/issue.ssh
sshd_ciphers: "[email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr"
sshd_gssapiauthentication: "no"
sshd_hostkeyalgorithms: "[email protected],[email protected],ssh-ed25519,ssh-rsa"
sshd_kexalgorithms: "[email protected],diffie-hellman-group-exchange-sha256"
"[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]"
sshd_maxauthtries: 2
sshd_passwordauthentication: "no"
sshd_permitemptypasswords: "no"
sshd_permitrootlogin: "no"
sshd_pubkeyauthentication: "yes"
sshd_usedns: "no"
sshd_usepam: "yes"
sshd_x11forwarding: "no"
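An added example (not part of the role) that audits a rendered sshd_config against the hardened values of the sshd_* variables above, which is a cheap drift check to run after provisioning. The expected keyword/value pairs come from the defaults listed here; the sample config is constructed, and the parser assumes the "Keyword value" form rather than "Keyword=value".

```python
# Added example: report sshd_config settings that deviate from the role's
# hardened defaults. Handles "Keyword value" lines only (assumption).
from typing import Dict, List, Tuple

# Expected sshd_config keywords and values, taken from the sshd_* defaults.
EXPECTED: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "PubkeyAuthentication": "yes",
    "MaxAuthTries": "2",
    "X11Forwarding": "no",
    "UseDNS": "no",
    "GSSAPIAuthentication": "no",
    "Banner": "/etc/issue.ssh",
}

# Constructed sample: a config that has drifted from the template.
SAMPLE_CONFIG = """\
# constructed sample sshd_config
Banner /etc/issue.ssh
PermitRootLogin yes
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 6
X11Forwarding no
UseDNS no
GSSAPIAuthentication no
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Map lower-cased keywords to the FIRST value seen: sshd honours the
    first occurrence of a keyword, so later duplicates must be ignored."""
    seen: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        seen.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return seen


def audit(text: str, expected: Dict[str, str] = EXPECTED) -> List[Tuple[str, str, str]]:
    """Return (keyword, expected, actual) for each deviating setting;
    a keyword missing from the config is reported as "<unset>"."""
    actual = parse_sshd_config(text)
    findings = []
    for key, want in expected.items():
        got = actual.get(key.lower(), "<unset>")
        if got.lower() != want.lower():
            findings.append((key, want, got))
    return findings
```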
- hosts: all
  become: yes
  become_method: sudo
  roles:
    - role: PeterMosmans.bootstrap
      hostname: "myhostname"
This example will harden SSH, configure GRUB, and name the host "myhostname".
Created by Peter Mosmans.