Ansible role for SSH configuration on newly provisioned servers

This is anĀ Ansible role I use when IĀ provision new servers, the role add my SSH key, and disable remote root login, password loginm and GSS login to secure down the SSH server and then restart it.



- name: check remote SSH host is in known_hosts
  command: /bin/grep -Fq {{ inventory_hostname }} /home/{{ ansible_ssh_user }}/.ssh/known_hosts
  register: check_known_hosts
  always_run: True
  ignore_errors: True
  changed_when: False
  - ssh
- name: add remote host fingerprint to known_hosts if not found
  shell: /usr/bin/ssh-keyscan {{ inventory_hostname }} >> /home/{{ ansible_ssh_user }}/.ssh/known_hosts
  #debug: msg="I didn't find the {{ inventory_hostname }} in known_hosts and will add it"
  when: check_known_hosts.rc != 0
  - ssh
- name: add local public key to remote server
  authorized_key: key="{{ lookup('file', '/home/te/.ssh/') }}" user={{ ansible_ssh_user }}
  - ssh
- name: disallow root SSH access
    lineinfile: dest=/etc/ssh/sshd_config regexp="^PermitRootLogin" line="PermitRootLogin no" state=present
      - restart sshd
  - name: disallow SSH password authentication
    lineinfile: dest=/etc/ssh/sshd_config regexp="^PasswordAuthentication" line="PasswordAuthentication no" state=present
      - restart sshd
  - name: disallow SSH GSS API authentication
    lineinfile: dest=/etc/ssh/sshd_config regexp="^GSSAPIAuthentication" line="GSSAPIAuthentication no" state=present
      - restart sshd

And in the handler section of the role:

  - name: restart sshd
    service: name=sshd state=restarted

Install frequently used packages in fresh Ubuntu using Ansible

There is always need for installing frequently used packages in a freshly installed Ubuntu Linux. I personally use this when I get new laptop, but it can be changed to manage server or virtual machine instances. My main goal is to play with ansible and use it in something practical for me.

  • Install ansible
$ sudo apt-get install ansible ansible-doc
  • Add localhost to ansible hosts file

The file /etc/ansible/hosts should have the following added:

  • Ping the server

Ping the server to make sure configuration is good. SSH will ask to localhost to known_hosts file.

$ ansible all -m ping
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is d2:79:49:f4:c4:8d:13:83:50:ce:6c:94:5a:1b:d3:31.
Are you sure you want to continue connecting (yes/no)? yes | success >> {
"changed": false,
"ping": "pong"
  • Write the basic-packages.yml file

Write YAML file containing ansible command to install the packages, the file name is basic-packages.yml and contains the following*:

- name: install packages on a fresh Ubuntu
  hosts: local
  user: "{{ username }}"
  sudo: yes
    - name: install all packages
    apt: name={{ item }} state=present
    - apache2
    - nginx-full
    - gnupg
    - ansible-doc
    - apache2
    - audacity
    - avidemux
    - awscli
    - checkbox-gui
    - cheese
    - compizconfig-settings-manager
    - compiz-plugins-extra
    - curl
    - cvs
    - dos2unix
    - ec2-api-tools
    - enigmail
    - exfat-fuse
    - exfat-utils
    - ffmpeg
    - filezilla
    - fonts-arabeyes
    - fonts-droid
    - gcc
    - geoip-bin
    - gimp
    - google-chrome-stable
    - gpac
    - hunspell-ar
    - hunspell-en-ca
    - language-pack-ar-base
    - language-pack-gnome-ar-base
    - libavcodec-extra
    - libjs-jquery
    - libnss-myhostname
    - mysql-server
    - nautilus-dropbox
    - nautilus-image-converter
    - nmap
    - openjdk-7-jdk
    - openssh-server
    - php5-cli
    - php5-mysql
    - python-apport
    - python-lockfile
    - python-requests
    - rdesktop
    - seahorse-nautilus
    - subversion
    - thunderbird-locale-ar
    - thunderbird-locale-en-gb
    - traceroute
    - ttf-mscorefonts-installer
    - ubuntu-restricted-extras
    - ubuntu-session
    - unity-control-center
    - unity-tweak-tool
    - unrar
    - vim
    - virtualbox-4.3
    - vlc
    - vpnc
    - whois

So ansible will attempt to install the above packages on the fresh Ubuntu Desktop.

* Get list of manually installed package explained here

  • Dry run ansible playbook

Run the ansible playbook to make sure the configuration doesn’t have any syntax issues and ansible can run the module correctly:

$ ansible-playbook --check basic-packages.yml -e username=myusername --ask-sudo-pass
sudo password:
PLAY [install packages on a fresh Ubuntu] *************************************
GATHERING FACTS ***************************************************************
ok: []
TASK: [install all packages] **************************************************
changed: [] => (item=apache2,nginx-full,gnupg,ansible-doc,apache2,audacity,avidemux,awscli,checkbox-gui,cheese,compizconfig-settings-manager,compiz-plugins-extra,curl,cvs,dos2unix,ec2-api-tools,enigmail,exfat-fuse,exfat-utils,ffmpeg,filezilla,fonts-arabeyes,fonts-droid,gcc,geoip-bin,gimp,google-chrome-stable,gpac,hunspell-ar,hunspell-en-ca,language-pack-ar-base,language-pack-gnome-ar-base,libavcodec-extra,libjs-jquery,libnss-myhostname,mysql-client,mysql-server,nautilus-dropbox,nautilus-image-converter,nmap,openjdk-7-jdk,openssh-server,php5-cli,php5-mysql,python-apport,python-lockfile,python-requests,rdesktop,seahorse-nautilus,subversion,thunderbird-locale-ar,thunderbird-locale-en-gb,traceroute,ttf-mscorefonts-installer,ubuntu-restricted-extras,ubuntu-session,unity-control-center,unity-tweak-tool,unrar,vim,virtualbox-4.3,vlc,vpnc,whois)
PLAY RECAP ******************************************************************** : ok=2 changed=1 unreachable=0 failed=0

I use –ask-sudo-pass to pass sudo user password to ansible on remote (local in this case).

  • How to use it

On a new installed Ubuntu, install ansible, cope the playbook file to the machine, and run the playbook.

This can be extended of course to changing configuration files using ansible Jinja2 templates.