# softasap.sa_box_bootstap

## Simplified Guide to Using sa-box-bootstrap
### Basic Usage Example

#### Simple Configuration

For a quick setup, you can use the following YAML snippet:

```yaml
roles:
  - {
      role: "sa-box-bootstrap",
      deploy_user: "{{jenkins_user}}",
      deploy_user_authorized_keys: "{{jenkins_authorized_keys}}",
      timezone: "Europe/Kiev"
    }
```
#### Advanced Configuration

For a more detailed setup, you can use this sample:

```yaml
vars:
  - root_dir: ..
  - jenkins_user: jenkins
    jenkins_authorized_keys:
      - "{{playbook_dir}}/components/files/ssh/vyacheslav1.pub"
      - "{{playbook_dir}}/components/files/ssh/vyacheslav2.pub"
      - "{{playbook_dir}}/components/files/ssh/vyacheslav3.pub"
      - "{{playbook_dir}}/components/files/ssh/vyacheslav4.pub"
  - timezone: "Europe/Kiev"
pre_tasks:
  - debug: msg="Pre tasks section"
roles:
  - {
      role: "sa-box-bootstrap",
      deploy_user: "{{jenkins_user}}",
      deploy_user_key: "{{playbook_dir}}/components/files/ssh/jenkins_rsa",
      deploy_user_pub_key: "{{playbook_dir}}/components/files/ssh/jenkins_rsa.pub",
      deploy_user_authorized_keys: "{{jenkins_authorized_keys}}",
      timezone: "Europe/Kiev",
      option_copy_initial_authorized_keys: true,
      option_enforce_ssh_keys_login: true,
      option_file2ban: true,
      option_firewall: true,
      option_monit: true
    }
```
### Important Note

If you don't specify the `deploy_user_sudo_password` parameter, your new user can run sudo commands without a password. This may be acceptable in some situations, but requiring a password is usually the safer choice.
### Requesting Sudo Password

If you want the deployment user to enter a sudo password, you can set it up like this:

```yaml
vars:
  - user_authorized_keys:
      - "~/.ssh/id_rsa.pub"
  - user_sudo_pass: "secret"
roles:
  - {
      role: "sa-box-bootstrap",
      deploy_user: "slavko",
      deploy_user_authorized_keys: "{{user_authorized_keys}}",
      deploy_user_sudo_password: "{{user_sudo_pass | password_hash('sha512')}}",
      option_enforce_ssh_keys_login: yes
    }
```
### Using with Ansible

To provide a sudo password when the user requires it, set the `ansible_become_password` parameter as shown:

```
register $BOX_PLAYBOOK $BOX_NAME $BOX_ADDRESS $BOX_USER $BOX_PWD
verbose 4
set box_address $BOX_ADDRESS
set ansible_become_password secret
provision $BOX_NAME
```
## Preparing Your Box for Deployment

### Background

Deployments today often use virtual machines instead of physical servers, which makes it easier to automate setup. Using a pre-configured image, or starting fresh with a tool like Ansible, can save time.

### Objectives

By the end, you will have a secure Ubuntu 14.04 LTS virtual server. The goals include:
- Configuring a firewall to only allow ports 22 (SSH), 80 (HTTP), and 443 (HTTPS).
- Registering your public SSH keys for the deployment user.
- Securing SSH to use only key-based authentication.
- Implementing a process to ban unwanted login attempts.
### The sa-box-bootstrap Role

Ansible roles allow you to reuse setup scripts easily. Here's what the sa-box-bootstrap role does:

#### Configurable Options

You can change these variables:

- `root_dir`: required; the directory containing the Ansible recipes.
- `option_enforce_ssh_keys_login` (true/false): whether to enforce SSH key-based login.
- `ufw_rules_default`: default firewall settings.
- `ufw_rules_allow`: list of allowed ports for incoming traffic.
- `sshd_config_lines`: the sshd_config changes applied when securing SSH.
- `option_file2ban`: install fail2ban to block failed login attempts.
- `whitelistedips`: safe IPs that won't be blocked by the firewall.
### Setup Steps

#### Step 1: Install Firewall

Install and set up the UFW firewall with the defaults:

```yaml
- include: "{{root_dir}}/tasks_ufw.yml"
```

#### Step 2: Create Deployment User

Create a user for deployment and install its authorized keys:

```yaml
- include: "{{root_dir}}/use/__create_deploy_user.yml user={{deploy_user}} group={{deploy_user}} home=/home/{{deploy_user}}"
  when: deploy_user is defined

- name: SSH | Authorize keys
  authorized_key: user={{deploy_user}} key="{{ lookup('file', item) }}"
  when: deploy_user_keys is defined
  with_items: "{{deploy_user_keys}}"
  sudo: yes   # older Ansible syntax, equivalent to the "become: true" used in Step 3
```

#### Step 3: Secure SSH (Optional)

To enhance SSH security:

```yaml
- name: SSH | Enforce SSH keys security
  lineinfile: dest=/etc/ssh/sshd_config regexp="{{item.regexp}}" line="{{item.line}}"
  with_items: "{{sshd_config_lines}}"
  when: option_enforce_ssh_keys_login
  become: true
  tags: ssh
```

#### Step 4: Ban Intruders

With `option_file2ban` enabled, fail2ban monitors login attempts and bans suspicious activity. Use whitelisted IPs to prevent accidental bans.
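After the four steps have run, a quick post-provisioning check confirms the box is in the state the objectives describe. The script below is an added example, not code from the sa-box-bootstrap role; it reads a sshd_config and the output of `ufw status` from two constructed sample files, and on a real box you would point it at `/etc/ssh/sshd_config` and `ufw status` instead.

```shell
# Post-provisioning check, added as an example (not part of the sa-box-bootstrap role):
# confirm root login and password auth are off and only the expected ports are allowed.
# Both inputs are constructed samples; on a real box use /etc/ssh/sshd_config and `ufw status`.

# Constructed sample: sshd_config after sshd_config_lines have been applied.
SAMPLE_SSHD=$(mktemp)
cat > "$SAMPLE_SSHD" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF

# Constructed sample: `ufw status` output with the role's default allow list.
SAMPLE_UFW=$(mktemp)
cat > "$SAMPLE_UFW" <<'EOF'
Status: active
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
EOF

# sshd_value FILE KEYWORD: first uncommented value of KEYWORD (sshd honours the
# first match; keywords are case-insensitive). Prints nothing if the keyword is absent.
sshd_value() {
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# check_sshd FILE: 0 when root login and password auth are off and pubkey auth is not
# disabled. An absent PasswordAuthentication means sshd's default (yes), so it fails.
check_sshd() {
    [ "$(sshd_value "$1" PermitRootLogin)" = "no" ] || return 1
    [ "$(sshd_value "$1" PasswordAuthentication)" = "no" ] || return 1
    [ "$(sshd_value "$1" PubkeyAuthentication)" != "no" ] || return 1
    return 0
}

# check_ufw FILE PORT...: 0 when ufw is active and every ALLOW rule is for one of
# the listed ports, so an unexpected open port fails the check.
check_ufw() {
    f=$1; shift
    grep -q '^Status: active' "$f" || return 1
    for p in $(awk '$2 == "ALLOW" { sub("/.*", "", $1); print $1 }' "$f"); do
        ok=1
        for e in "$@"; do [ "$p" = "$e" ] && ok=0; done
        [ "$ok" -eq 0 ] || return 1
    done
    return 0
}

check_sshd "$SAMPLE_SSHD" && check_ufw "$SAMPLE_UFW" 22 80 443 && echo "box matches the bootstrap objectives"
```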
### Creating Your Own Bootstrap Project

Prepare a bootstrap project with these files:

- `bootstrap.sh`: installs Ansible.
- `init.sh`: initializes the project.
- `.projmodules`: lists the dependencies for your playbook.
- `hosts`: contains your box's initial credentials.
- `box_vars.yml`: your specific environment settings.
- `box_bootstrap.yml`: your provisioning steps.

#### Sample Configuration

To use the role in your playbook:

```yaml
- hosts: all
  vars_files:
    - ./box_vars.yml
  roles:
    - {
        role: "sa-box-bootstrap",
        root_dir: "{{playbook_dir}}/public/ansible_developer_recipes",
        deploy_user: "{{my_deploy_user}}",
        deploy_user_keys: "{{my_deploy_authorized_keys}}"
      }
```
### Running Your Code

You can get the code from the repository here. To use it:

- Fork it and adjust the parameters to fit your needs.
- Create a `box_vars.yml` file with your deployment user and public key.

Here's an example:

```yaml
box_deploy_user: jenkins
box_deploy_authorized_keys:
  - "{{playbook_dir}}/components/files/ssh/vyacheslav.pub"
```

Check whether you have Ansible installed. Use `bootstrap.sh` to install it and `init.sh` to clone the role directories. Finally, run `setup.sh`. If everything goes well, you should see a summary of the tasks completed.

### Conclusion

By following these steps, you'll have a secured box with a deploy user authorized only by the specified keys. The root account will remain inaccessible, and only the allowed ports will be opened.

This process allows you to jump-start the creation of your secure environments using Ansible.

Role to perform basic securing of a fresh instance for further automated deploy:

```
ansible-galaxy install softasap.sa_box_bootstap
```