stackbuilders.sb-debian-base

Warning: This library is no longer supported. It won't get any security updates, new features, or bug fixes. It's kept here on GitHub for reference only. If you choose to use it, we recommend copying the repository and checking the code before using it. For questions, please contact us at info@stackbuilders.com.

Stack Builders - Debian Base

This is a generic Debian image for servers. You need Ansible version 2.7.0 or higher to use this Galaxy role.

Supported Platforms

  • Debian

    • 10 (buster)
    • 9 (stretch)
  • Ubuntu

    • 18.04 (bionic)
    • 16.04 (xenial)

Important Changes:

  • Haskell tasks have been removed. The variables install_haskell_stack and install_haskell_dependencies are no longer in use.

How to Use This Role

The current version uses Ansible control flow to run tasks based on defined conditions. It also includes useful tags for setting the hostname or creating deployment directories.

To start, create a requirements.yml file and add a reference to this repository like this:

---
- src: git@github.com:stackbuilders/sb-debian-base.git
  version: <tag, commit or branch>
  path: external-roles

Then, run this command:

ansible-galaxy install -r requirements.yml
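
Because this role no longer receives updates, a branch or tag in `version` can move after you have reviewed the code, while a full commit SHA cannot. The check below is an added example, not part of the role: it parses only the flat layout shown above, and the `example-org` fork and the SHA in the sample are placeholders.

```python
"""Flag requirements.yml entries whose version is not a full commit SHA."""
import re

FULL_SHA = re.compile(r"[0-9a-f]{40}")
KEY_VALUE = re.compile(r"(?:-\s+)?(\w+):\s*(.*)")

# Constructed sample: the second entry is a hypothetical fork pinned to a
# placeholder SHA.
SAMPLE = """---
- src: git@github.com:stackbuilders/sb-debian-base.git
  version: master
  path: external-roles
- src: git@github.com:example-org/sb-debian-base.git
  version: 0123456789abcdef0123456789abcdef01234567
  path: external-roles
"""

def parse_requirements(text):
    """Parse the flat list-of-mappings layout only (no nesting, no anchors)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()
        match = KEY_VALUE.fullmatch(line)
        if not match:
            continue  # document marker, blank line or comment
        if line.startswith("-") or not entries:
            entries.append({})
        entries[-1][match.group(1)] = match.group(2).strip("'\"")
    return entries

def unpinned(text):
    """Return (src, reason) for every entry that can change after review."""
    problems = []
    for entry in parse_requirements(text):
        version = entry.get("version", "")
        if FULL_SHA.fullmatch(version):
            continue
        reason = "mutable ref %r" % version if version else "no version set"
        problems.append((entry.get("src", "<no src>"), reason))
    return problems

if __name__ == "__main__":
    for src, reason in unpinned(SAMPLE):
        print("UNPINNED", src, reason)
```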

Create a Playbook

Create a playbook file and specify the tasks in the roles section. You can use tests/site.yml as a reference or use the example below:

# site.yml
- hosts: all
  remote_user: foo
  vars:
    sb_debian_base_admin_user_authorized_keys:
      - ssh-rsa AAAAB3NzaC1yc1E ADMIN_USER_1
      - ssh-rsa AAAAB3Nzac2Yc2e ADMIN_USER_2
    sb_debian_base_deploy_user_authorized_keys:
      - ssh-rsa AAAAB3NzaC1yc1E DEPLOY_USER_1
      - ssh-rsa AAAAB3Nzac2Yc2e DEPLOY_USER_2
  roles:
    - role: sb-debian-base
      prebootstrap: yes
    - role: sb-debian-base
      bootstrap: yes
      add_remove_keys: yes
      vars:
        sb_debian_base_deploy_user: deployer
        sb_debian_base_supplementary_packages: [ "pkg-config", "traceroute" ]
        sb_debian_base_environment_variables:
          ONE: "uno"
          TWO: "dos"

You can also run individual tasks, but it's not the preferred method:

ansible-playbook -l local -i hosts site.yml -k -u root -e '{"prebootstrap": true}'

Run the playbook using:

# For basic image setup
ansible-playbook -l local -i hosts site.yml -k -u root

# For administrator account setup
ansible-playbook -l local -i hosts site.yml -u administrator

Available Task Groups:

Prebootstrap (prebootstrap)

This group does basic setup tasks, including:

  • Adding an administrator user (default name is admin for Debian, ubuntu for Ubuntu; you can change it with {{ sb_debian_base_admin_user }})
  • Updating package cache
  • Installing sudo
  • Allowing sudo without a password for the sudo group
  • Setting up authorized SSH keys for the admin user (define {{ sb_debian_base_admin_user_authorized_keys }}).

Bootstrap (bootstrap)

This group performs advanced setup tasks, including:

  • Disabling password authentication for SSH
  • Disabling root SSH access
  • Setting the hostname (define {{ hostname }})
  • Setting the time zone (define {{ sb_debian_base_ntp_timezone }})
  • Enabling NTP with systemd-timesyncd
  • Making journald data persistent
  • Upgrading all packages
  • Installing basic packages (like vim, tmux, etc.)
  • Installing extra packages beyond the standard ones
  • Enabling the firewall with UFW
    • Opening common ports (e.g. SSH, HTTP; SSH is open by default)
      • Define {{ ports }} for specifics
    • Opening specific ports for specific IPs
      • Define {{ port_ips }} for this
    • UFW can be disabled with sb_debian_base_firewall: no
  • Updating environment variables (define {{ sb_debian_base_environment_variables }})
  • Creating a Unix user and group for the deployer (define {{ sb_debian_base_deploy_user }})
  • Creating a deployment directory for applications
  • Adding SSH keys for GitHub's Deploy
  • Setting up authorized SSH keys for the deployer (define {{ sb_debian_base_deploy_user_authorized_keys }})
  • Making sure GitHub is a known host
    • Define {{ sb_debian_base_deploy_user }} for this (it adds GitHub by default)
  • Setting global bash history to a specific format.

Set Hostname

  • Sets the hostname using a defined variable (define {{ hostname }}).

Bash History Configuration:

  • Enable/disable the history feature (sb_debian_base_bash_history: true)

  • Under sb_debian_base_bash_history_config:

    • Define how many lines to keep in history (histsize: '5000')
    • Define how many lines to keep in the history file (histfilesize: '3000')
    • Define the time format for history commands (histtimeformat: '%c%t')

Create App Directory

  • Creates the deployment directory when {{ sb_debian_base_deploy_user }} is defined.

Included External Dependencies

  • kamaln7.swapfile (Sets up a swap file)
    • Define the size with {{ sb_debian_base_swap_file_size }} (e.g. 2048MB)
  • Installs unattended-upgrades for security updates

Update Authorized SSH Keys (add-remove-keys)

  • Updates SSH authorized keys:
    • Define the following lists of SSH public keys for both admin and deploy users:
      • {{ sb_debian_base_admin_user_authorized_keys }}
      • {{ sb_debian_base_deploy_user_authorized_keys }}

License

MIT. See the LICENSE file in this repository.

Author Information

Justin Leitgeb, Stack Builders Inc.

Project information

Base image and common roles

Install
ansible-galaxy install stackbuilders.sb-debian-base
License
mit
Downloads
14k
Owner
Our team strives to push the boundaries of the software industry through quality, pragmatic custom solutions that bring the visions of our clients to life.