Repository
https://github.com/yl-miao/server-ansible
Background
The Ansible Playbook to configure new servers
For now, this ONLY supports Debian/Ubuntu (amd64/arm64)!
Tested on Debian 12 (amd64) and Ubuntu 22.04 (amd64 and arm64).
Purpose:
It does the following:
- enable TCP BBR to improve network speed
- update and install common packages (use fnm instead of nvm, use nftables instead of iptables, use iproute2 instead of net-tools)
- install Caddy V2 (as web server), rustup, gvm (Go version manager), fnm (Node.js version manager), Miniconda3, Docker CE
- install and configure nftables and fail2ban (ufw and iptables will be removed if they exist)
- configure vim
- block the ports 3306, 5432, 27017, and custom ports (passed as -e "custom_block_ports=[12345, 23456]")
- the software listed above will not be reinstalled if it already exists on the target machines; you can force a reinstall anyway using -e force_reinstalls=true
- do the work in batch to save time
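As an added example (not the playbook's own nftables configuration), the script below shows what the port-blocking step amounts to: it takes a custom port list in the same syntax as -e "custom_block_ports=[12345, 23456]", validates it, merges it with the three database ports the playbook blocks, and prints an nftables ruleset that drops new inbound TCP connections to them. The table and chain names ("blocklist", "input") are assumptions for this example.

```shell
#!/bin/sh
# Added example, not the playbook's own nftables configuration: builds a
# ruleset that drops new inbound TCP connections to the database ports the
# playbook blocks (3306, 5432, 27017) plus a custom list given in the same
# syntax as -e "custom_block_ports=[12345, 23456]". The table and chain
# names ("blocklist", "input") are assumptions for this example.

DEFAULT_BLOCK_PORTS="3306 5432 27017"

# normalize_ports LIST: accept "[12345, 23456]", "12345,23456" or "" and
# print the ports space-separated. Returns 1 on any value that is not a
# number in 1..65535, so a typo cannot silently produce a rule for the
# wrong port.
normalize_ports() {
    cleaned=$(printf '%s' "$1" | sed 's/[][ ]//g; s/,/ /g')
    out=""
    for p in $cleaned; do
        case "$p" in
            ''|*[!0-9]*) echo "invalid port: $p" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 1
        fi
        out="$out $p"
    done
    printf '%s\n' "${out# }"
}

# blocked_ports LIST: default ports plus the custom list, numerically sorted
# and de-duplicated, formatted as an nft set literal body ("3306, 5432, ...").
blocked_ports() {
    custom=$(normalize_ports "$1") || return 1
    printf '%s\n' $DEFAULT_BLOCK_PORTS $custom | sort -n -u | tr '\n' ',' | sed 's/,$//; s/,/, /g'
}

# build_ruleset LIST: print the complete nftables ruleset. "ct state new"
# limits the drop to connection attempts; "counter" makes hits visible in
# `nft list ruleset` so the block can be verified after loading.
build_ruleset() {
    ports=$(blocked_ports "$1") || return 1
    cat <<EOF
table inet blocklist {
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport { $ports } ct state new counter drop
    }
}
EOF
}

# Stand-alone use: sh blocklist.sh '[12345, 23456]' > blocklist.nft
build_ruleset "${1:-}"
```

Before loading a generated file, run it through nft in check mode (nft -c -f blocklist.nft) so a syntax error is caught without touching the live ruleset.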
Preparation:
First, clone my repo:
git clone https://github.com/yl-miao/server-ansible
cd server-ansible
then, install Ansible: https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html
then, copy your SSH keys to the servers that you want to set up:
ssh-copy-id -p 2222 [email protected]
ssh-copy-id -p 2222 [email protected]
Then edit the Ansible hosts file (sudo vim /etc/ansible/hosts):
[servers]
serv1 ansible_host=1.1.1.1 ansible_ssh_port=2222 ansible_user=root
serv2 ansible_host=2.2.2.2 ansible_ssh_port=2222 ansible_user=root
[web]
#host1 ansible_host=192.168.1.20 ansible_user=webadmin ansible_ssh_private_key_file=/path/to/webkey
[all:vars]
ansible_python_interpreter=/usr/bin/python3
ansible_ssh_private_key_file=~/.ssh/id_rsa
Then check that the hosts are reachable: ansible all -m ping
Run the playbook:
To run the playbook:
# ansible-galaxy role install andrewrothstein.miniconda
ansible-playbook server.yaml
or
ansible-playbook server.yaml -e "custom_block_ports=[12345, 23456]"
to start at task:
ansible-playbook server.yaml --start-at-task="<Your starting task name>"
to force reinstall Docker and the other software even if they already exist on the target machine:
ansible-playbook server.yaml -e force_reinstalls=true
Check:
#check the log of fail2ban:
tail -f /var/log/fail2ban.log
#check if the nftables rules are used:
nft list ruleset
Manually unban all IP addresses in the fail2ban jail:
sudo fail2ban-client unban --all
Unban only a specific address:
sudo fail2ban-client unban <ip-address>
fail2ban-client has many other options and provides a lot of flexibility. To learn more, look here.
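The two checks above are easy to eyeball once, but on a fleet configured in batch it helps to script them. The script below is an added example (not part of the playbook) that runs offline against constructed sample output: it confirms every port the playbook should block has a drop rule in the nft list ruleset output, and it reads fail2ban.log to report which IPs are currently banned and how often each has been banned. The sample ruleset, the log lines and the 203.0.113.0/24 addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the playbook: offline versions of the two
# checks above. It runs against constructed sample output so it needs no
# root and no configured host; on a real server feed it the live output
# as shown at the bottom.

# Constructed sample of `nft list ruleset` on a host where the playbook ran.
SAMPLE_RULESET='table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        tcp dport { 22, 80, 443 } accept
        tcp dport { 3306, 5432, 27017, 12345 } counter drop
    }
}'

# Constructed /var/log/fail2ban.log lines; 203.0.113.0/24 is a documentation range.
SAMPLE_LOG='2024-05-01 10:00:01,000 fail2ban.filter  [900]: INFO    [sshd] Found 203.0.113.7 - 2024/05/01 10:00:00
2024-05-01 10:00:05,000 fail2ban.actions [900]: NOTICE  [sshd] Ban 203.0.113.7
2024-05-01 10:12:00,000 fail2ban.actions [900]: NOTICE  [sshd] Ban 203.0.113.9
2024-05-01 10:20:05,000 fail2ban.actions [900]: NOTICE  [sshd] Unban 203.0.113.7
2024-05-01 11:00:00,000 fail2ban.actions [900]: NOTICE  [sshd] Ban 203.0.113.7'

# missing_drops RULESET PORT...: print each port that has no "tcp dport ... drop"
# rule. Ports are matched as whole tokens so 3306 does not match 13306, and
# only drop rules count (a port that is merely accepted is reported as missing).
missing_drops() {
    ruleset=$1; shift
    for port in "$@"; do
        printf '%s\n' "$ruleset" | grep 'tcp dport' | grep 'drop' \
            | grep -Eq "[{ ,]$port[ ,}]" || echo "$port"
    done
}

# active_bans LOG: IPs whose last fail2ban event is "Ban" (so still banned),
# with how many times each was banned over the log. An IP that keeps coming
# back after every unban is a candidate for a longer bantime.
active_bans() {
    printf '%s\n' "$1" | awk '
        / Ban /   { state[$NF] = "banned"; total[$NF]++ }
        / Unban / { state[$NF] = "unbanned" }
        END { for (ip in state) if (state[ip] == "banned") printf "%s %d\n", ip, total[ip] }
    ' | sort
}

# Stand-alone run against the samples. On a real host use:
#   missing_drops "$(nft list ruleset)" 3306 5432 27017
#   active_bans "$(cat /var/log/fail2ban.log)"
missing=$(missing_drops "$SAMPLE_RULESET" 3306 5432 27017 12345)
if [ -z "$missing" ]; then
    echo "all expected ports have a drop rule"
else
    echo "no drop rule for: $missing"
fi
active_bans "$SAMPLE_LOG"
```

When the custom_block_ports list was used, pass those ports to missing_drops as well; anything it prints is a port the playbook was supposed to block but the live ruleset does not drop.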