debianinit: Debian Server Initialization

========================================

This Ansible role sets up a basic Debian server for future use.

Supported Distributions:

• Debian Jessie (8.x)
• Debian Stretch (9.x)
• Debian Buster (10.x)
• Debian Bullseye (11.x)

Requirements

• The SSH user on the remote server must have root access.
• Python must be installed on the remote server.

Role Variables

• di_ssh_port: 22
  This is the port where the SSH service listens. It is recommended to keep it on port 22.

• di_ssh_password_authentication: 'no'
  This setting controls if SSH can use password authentication. It's off by default and should generally remain that way.

• di_ssh_permit_root_login: 'without-password'
  This determines if the root user can log in. Keeping it as without-password is fine if you're running Ansible as root. Otherwise, set it to no.

• di_ssh_allow_users: []
  A list of users allowed to log in via SSH. An empty list means everyone can log in.

• di_system_removed_packages:
  A list of packages to be removed, including:

  • apache2
  • bind9
  • rpcbind
  • samba
  • sendmail
  • snmp

• di_system_installed_packages:
  A list of packages to be installed, including:

  • apt-transport-https
  • bzip2
  • ca-certificates
  • cron
  • curl
  • dbus
  • dnsutils
  • haveged
  • less
  • logrotate
  • lsb-release
  • mtr-tiny
  • openssl
  • rsyslog
  • screen
  • sudo
  • time
  • vim-tiny
  • vnstat
  • wget
  • whiptail

• di_system_fail2ban_enabled: yes
  This enables fail2ban, a service that blocks bad login attempts. It's on by default.

• di_system_timezone: 'UTC'
  The server's timezone, with UTC being the recommended option.

• di_system_timesync_enabled: yes
  This enables time synchronization for the server, which is light on resources. It's enabled by default.

• di_system_unattended_upgrades_enabled: no
  This controls automatic daily upgrades. It's off by default but can be enabled with caution.

• di_system_unattended_upgrades_mail_to: ''
  The email address where notifications about upgrades will be sent. It's empty by default, meaning no emails are sent.

• di_add_users: []
  List of users to create on the server. Each user must have name, password, and shell.

• di_sudoers_password: []
  Users who can use the sudo command after entering their password.

• di_sudoers_passwordless: []
  Users who can use sudo without a password. Leave this empty for security reasons.

• di_ufw_enabled: no
  This decides if ufw, a user-friendly firewall, will be installed. It's off by default.

• di_ufw_rules:
  The rules for ufw, which must be defined properly. The default allows SSH.

Dependencies

This role has no dependencies.

Example Playbook

For a user running as root:

- hosts: testservers
  vars:
    di_add_users:
      - name: test
        password: randompassword
        shell: /bin/bash
      - name: git
        password: anotherrandompassword
        shell: /usr/bin/git-shell
    di_ssh_allow_users:
      - root
      - test
      - git
    di_sudoers_password:
      - test
    di_system_unattended_upgrades_enabled: yes
    di_system_unattended_upgrades_mail_to: admin@example.com
    di_ufw_enabled: yes
    di_ufw_rules:
      - { rule: allow, from: any, to: any, port: '{{ di_ssh_port }}', proto: tcp }
      - { rule: allow, from: any, to: any, port: 80, proto: tcp }
      - { rule: allow, from: any, to: any, port: 443, proto: tcp }
      - { rule: deny, from: 192.168.1.0/24, to: any, port: 53, proto: any }
  roles:
    - { role: hanru.debianinit }

For a user with sudo privileges:

- hosts: testservers
  vars:
    ...
  roles:
    - { role: hanru.debianinit, become: yes }

License

MIT

Reference

This role is inspired by My First 5 Minutes On A Server and several other Ansible projects, including:

• https://github.com/cturner80/digital-ocean-ansible
• https://github.com/geerlingguy/ansible-role-security