Ansible playbook(s) for personal servers. They automate my (not terribly unique) routine for setting up a new Ubuntu server:
- `common` role: apply basic security hardening
  - Many of the steps used in this role are explained in more detail by these two posts:
    - My First 5 Minutes On A Server by Bryan Kennedy
    - How to Set Up Your Linode for Maximum Awesomeness by Feross Aboukhadijeh
- `mysql` role: install and secure mysql
- `websites` role: set up and enable individual sites in Apache
- `certbot` role: install the EFF Certbot client (aka letsencrypt) and enable individual SSL certificates for all websites

The playbooks use roles imported from galaxy for configuring Apache and PHP (see Setup below).
I’m also making use of ansible-vault for keeping server credentials secure while still including them in the repo.
Ensure workstation and VMs are configured according to ‘Setup’ (below).

When running against VMs for the first time:

```sh
ansible-playbook site-initonce.yml -e "ansible_port=22" --ask-vault-pass
```

To run against a single VM for the first time (note the trailing comma):

```sh
ansible-playbook site-initonce.yml -i "machine1," -e "ansible_port=22" --ask-vault-pass
```

Because this will disable root and password use in ssh as well as change the ssh port, you should only be able to (and only need to) use this once.

For all subsequent runs to the same server(s):

```sh
ansible-playbook site.yml --ask-vault-pass
```
To test without actually performing any changes, use the `-C` flag.

Because all of that is a bit annoying to type, I’ve created a basic bash script `ap` to make it simpler.

```
Usage: ap [-c] [-i] [-h host1,host2] [-p playbook.yml]
  -c        Runs ansible-playbook in Check mode (-C)
  -i        Initialize (use site-initonce.yml w/port 22 and root login)
  -p file   Specify a playbook (can be overridden if followed by -i)
  -h hosts  Limit to specified hosts (comma-separated)
```

Example usage:

```sh
./ap -i              # Runs site-initonce.yml with port 22
./ap -i -h host1     # -- same as above, limit to one host
./ap                 # Runs site.yml
./ap -h host1,host2  # -- same as above, limit to two hosts
./ap -p web.yml      # Specifies a playbook
./ap -c              # Runs ansible in Check mode (-C)
./ap -ci -h host1    # Check mode, init playbook...you get the idea
```
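As an added example (not the repository's own `ap` script), here is a minimal POSIX sh version of the wrapper with the flag semantics listed above. It assumes `-h` maps to ansible-playbook's `--limit` (so the hosts must be in the inventory) and that an init run differs only by using `site-initonce.yml` with `-e ansible_port=22`, as in the first-run command shown earlier.

```shell
#!/bin/sh
# Minimal stand-in for the README's ap wrapper (added example, not the repo's script).
# Assumptions: -h becomes ansible-playbook's --limit (hosts must be in the inventory),
# and an init run differs only by using site-initonce.yml plus -e ansible_port=22.

# Print the ansible-playbook command line that the given ap flags translate to.
# Flags are processed left to right, so "-p web.yml -i" ends up on site-initonce.yml.
build_ap_cmd() {
    playbook="site.yml"; init=0; check=""; limit=""
    OPTIND=1                       # reset so repeated calls re-parse from the start
    while getopts "cip:h:" opt; do
        case "$opt" in
            c) check="-C" ;;                               # dry run, no changes
            i) init=1; playbook="site-initonce.yml" ;;     # first run: port 22, root login
            p) playbook="$OPTARG" ;;                       # explicit playbook file
            h) limit="$OPTARG" ;;                          # comma-separated host list
            *) return 2 ;;                                 # unknown flag or missing argument
        esac
    done
    shift $((OPTIND - 1))
    [ "$#" -eq 0 ] || return 2     # ap takes flags only, no positional arguments

    cmd="ansible-playbook $playbook"
    [ "$init" -eq 1 ] && cmd="$cmd -e ansible_port=22"
    [ -n "$limit" ]   && cmd="$cmd --limit $limit"
    [ -n "$check" ]   && cmd="$cmd $check"
    printf '%s\n' "$cmd --ask-vault-pass"   # the vault password is always prompted for
}

usage() {
    echo "Usage: ap [-c] [-i] [-h host1,host2] [-p playbook.yml]" >&2
}

main() {
    cmd=$(build_ap_cmd "$@") || { usage; exit 2; }
    echo "+ $cmd" >&2
    # Unquoted on purpose: the string is split into words; none of them contain spaces.
    $cmd
}

# Act as the CLI only when invoked as "ap"; when sourced, just define the functions.
case "$0" in */ap|ap) main "$@" ;; esac
```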
These playbooks assume:

- Ubuntu 14.04 LTS
- Passwordless login via public key is already configured for root. (Most cloud providers will allow you to select public keys to be added to root when you provision the VM.)

Setup:

1. Install ansible: `brew install ansible`
2. Install roles from galaxy (these get put into `/usr/local/etc/ansible`): `ansible-galaxy install -r galaxy-roles.yml`
3. Ensure `~/.ssh/id_rsa.pub` exists (generate if not)
4. Create the inventory of your servers:
   - `mkdir -p /usr/local/etc/ansible`
   - Create `/usr/local/etc/ansible/hosts` and add your servers (instructions)
   - You may wish to `ln -s /usr/local/etc/ansible/hosts ./inv` for convenient editing of the inventory
5. Edit vars files under `group_vars/all` to match your setup:
   - Set variables for passwords, port numbers, etc. with `ansible-vault edit group_vars/all/secret.yml`
   - Password vars with a `_PLAIN` suffix are the plain text of the password; other password vars are hashes of the password. You will need to generate these hashes using one of these methods.
   - If anyone besides me uses this, you will need to replace `group_vars/all/secret.yml` with your own Ansible vault. Just make sure it includes all the vars with the `vault_` prefix referenced in `group_vars/all/vars.yml`.
   - You should have an Ansible vault password stored in your password manager (1Password, KeePass, etc.).
| Folders or files | Description |
|---|---|
| `ap` | Shortcut script for using ansible-playbook without having to type out all the options (see above) |
| `galaxy-roles.yml` | Roles to install from galaxy |
| `site-initonce.yml` | Playbook for new VMs (root login) |
| `site.yml` | Playbook for all servers |
| `webservers.yml` | Playbook for web servers |
| `group_vars/all/*.yml` | These vars are automatically loaded for all playbooks |
| `roles/` | Any `main.yml` files are added to specific parts of the play (tasks, handlers, etc.) automatically for that role. Any files under `roles/x/files/` can be referenced without specifying a path. (more info) |
- PHP and PHP-FPM
- Logrotate