Last active
November 24, 2023 20:16
-
-
Save Stakecraft/2adad277977d988f8df93bd0c2bba9d8 to your computer and use it in GitHub Desktop.
run: ansible-playbook -i new-server.ini new-server-setup-ubuntu-22.yaml, node_exporter.service.j2 should be placed in templates directory
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [servers] | |
| YOUR-IP | |
| [all:vars] | |
| ansible_ssh_common_args='-o StrictHostKeyChecking=no' | |
| ansible_python_interpreter='/usr/bin/python3' | |
| prometheus_source_ip='PROMETHEUS-IP' | |
| systemd_path='/etc/systemd/system' | |
| default_ssh_user='ubuntu' | |
| default_ssh_port='22' | |
| sshd_config_port='12345' | |
| prometheus_port='9100' | |
| node_exporter_version='1.4.0' | |
| go_arch='amd64' | |
| _node_exporter_binary_install_dir='/usr/local/bin' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [Unit] | |
| Description=Node Exporter | |
| After=network.target | |
| [Service] | |
| Type=simple | |
| ExecStart=/usr/local/bin/node_exporter | |
| [Install] | |
| WantedBy=multi-user.target |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| - hosts: all | |
| become: yes | |
| vars: | |
| ansible_ssh_user: '{{ default_ssh_user }}' | |
| ansible_ssh_port: '{{ default_ssh_port }}' | |
| sudo_user: | |
| # password must be generated through "mkpasswd" command from 'whois' package | |
| - login: '{{ ansible_user }}' | |
| group: '{{ ansible_user }}' | |
| tasks: | |
| ### AGX1000 scripts ### | |
| - name: Download hwdata.sh | |
| get_url: | |
| url: https://gist.githubusercontent.com/AGx10k/bebd6297c7d8a8bd856a55ad2f2393a5/raw/b42b5d9d3edc2c9be1fe36d1518f4a68eb46f2ad/hwdata.sh | |
| dest: /root/hwdata.sh | |
| mode: 'u+rwx' | |
| - name: Download netdata.sh | |
| get_url: | |
| url: https://gist.githubusercontent.com/AGx10k/bebd6297c7d8a8bd856a55ad2f2393a5/raw/c72fe59642c34622b8014a4888bcf9734197815c/netdata.sh | |
| dest: /root/hwdata.sh | |
| mode: 'u+rwx' | |
| - name: Adding the scripts in the profile file | |
| lineinfile: | |
| dest: '~/.profile' | |
| line: '~/hwdata.sh && ~/netdata.sh' | |
| insertafter: 'EOF' | |
| state: present | |
| - name: export env vars | |
| shell: "export DEBIAN_FRONTEND=noninteractive" | |
| ### install packages ### | |
| - name: Install required system packages | |
| apt: | |
| name: ['cpufrequtils', 'moreutils', 'ntp', 'iptables-persistent', 'software-properties-common', 'aptitude', 'git', 'curl', 'lm-sensors','moreutils', 'cpufrequtils', 'liblz4-tool', 'zip', 'unzip', 'jq', 'wget', 'nano', 'htop', 'smartmontools', 'tmux', 'net-tools', 'bash-completion', 'pciutils', 'ethtool', 'ufw', 'mc', 'python3', 'python3-dev', 'python3-virtualenv', 'python3-venv', 'python3-dev', 'libffi-dev', 'apt-transport-https', 'tzdata', 'ca-certificates', 'build-essential', 'libboost-all-dev', 'automake', 'autoconf', 'pkg-config', 'libcurl4-openssl-dev', 'libjansson-dev', 'libssl-dev', 'libgmp-dev', 'make', 'autotools-dev', 'libtool', 'psmisc', 'bsdmainutils', 'libminiupnpc-dev', 'libevent-dev', 'cmake', 'screen', 'atop', 'ncdu', 'fail2ban', 'ntp'] | |
| state: latest | |
| update_cache: yes | |
| ###ssh configuration manipulation ### | |
| - name: sshd config file update | |
| blockinfile: | |
| path: /etc/ssh/sshd_config | |
| insertbefore: BOF # Beginning of the file | |
| marker: "# {mark} ANSIBLE MANAGED BLOCK BY LINUX-ADMIN" | |
| block: | | |
| Port {{ sshd_config_port }} | |
| UsePAM yes | |
| PermitRootLogin no | |
| PubkeyAuthentication yes | |
| PermitEmptyPasswords no | |
| PasswordAuthentication no | |
| ChallengeResponseAuthentication no | |
| backup: yes | |
| validate: /usr/sbin/sshd -T -f %s | |
| ### tweak limits ### | |
| - name: change security limits | |
| shell: | | |
| cp /etc/security/limits.conf /etc/security/limits.bak | |
| echo '* hard nproc 1550000' | sudo tee -a /etc/security/limits.conf | |
| echo '* soft nproc 1550000' | sudo tee -a /etc/security/limits.conf | |
| echo '* hard nofile 1550000' | sudo tee -a /etc/security/limits.conf | |
| echo '* soft nofile 1550000' | sudo tee -a /etc/security/limits.conf | |
| echo 'root hard nproc 1550000' | sudo tee -a /etc/security/limits.conf | |
| echo 'root soft nproc 1550000' | sudo tee -a /etc/security/limits.conf | |
| echo 'root hard nofile 1550000' | sudo tee -a /etc/security/limits.conf | |
| echo 'root soft nofile 1550000' | sudo tee -a /etc/security/limits.conf | |
| - name: change systemd params | |
| shell: | | |
| echo 'DefaultLimitNOFILE=1000000' | sudo tee -a /etc/systemd/system.conf | |
| echo 'DefaultLimitNOFILE=1000000' | sudo tee -a /etc/systemd/user.conf | |
| - name: change systemd params | |
| shell: | | |
| cp /etc/sysctl.conf /etc/sysctl.bak | |
| echo 'fs.file-max = 1550000' | sudo tee -a /etc/sysctl.conf | |
| echo 'vm.max_map_count=1550000' | sudo tee -a /etc/sysctl.conf | |
| echo always > /sys/kernel/mm/transparent_hugepage/enabled | |
| echo 'vm.nr_hugepages=128' | sudo tee -a /etc/sysctl.conf | |
| sysctl -p | |
| bash -c "cat >/etc/sysctl.d/20-solana-udp-buffers.conf <<EOF | |
| net.core.rmem_default = 134217728 | |
| net.core.rmem_max = 134217728 | |
| net.core.wmem_default = 134217728 | |
| net.core.wmem_max = 134217728 | |
| EOF" | |
| sysctl -p /etc/sysctl.d/20-solana-udp-buffers.conf | |
| - name: change fail2ban params | |
| shell: | | |
| cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local | |
| sed -i 's/bantime = 10m/bantime = 60m/' /etc/fail2ban/jail.local | |
| sed -i 's/#mode = normal/enabled = true \nmode = normal/' /etc/fail2ban/jail.local | |
| - name: change auto-upgrades params | |
| shell: | | |
| sed -i 's/Unattended-Upgrade "1"/Unattended-Upgrade "0"/' /etc/apt/apt.conf.d/20auto-upgrades | |
| echo 'SystemMaxUse=300M' | tee -a /etc/systemd/journald.conf | |
| echo 'SystemMaxFileSize=100M' | tee -a /etc/systemd/journald.conf | |
| - name: clean apt cache and install updates | |
| shell: | | |
| apt-get clean | |
| purge-old-kernels -qy | |
| apt update | |
| apt autoremove -y; apt autoclean -y | |
| - name: Checking if blacklist-hetzner.conf file exists | |
| stat: | |
| path: /etc/modprobe.d/blacklist-hetzner.conf | |
| register: hetzner_file | |
| - name: change hetzner blacklist | |
| shell: | | |
| sed -i 's/blacklist mei/#blacklist mei/' /etc/modprobe.d/blacklist-hetzner.conf | |
| sed -i 's/blacklist mei-me/#blacklist mei-me/' /etc/modprobe.d/blacklist-hetzner.conf | |
| when: hetzner_file.stat.exists | |
| - name: tweak cpu params | |
| shell: | | |
| echo -e 'ENABLE="true"\nGOVERNOR="performance"' > /etc/default/cpufrequtils | |
| ### setup iptables ### | |
| - name: setup iptables rules, block bogon nets etcetera | |
| shell: | | |
| iptables -A OUTPUT -p tcp -s 0/0 -d 10.0.0.0/8 -j DROP | |
| iptables -A OUTPUT -p tcp -s 0/0 -d 100.64.0.0/10 -j DROP | |
| iptables -A OUTPUT -p tcp -s 0/0 -d 169.254.0.0/16 -j DROP | |
| iptables -A OUTPUT -p tcp -s 0/0 -d 192.0.0.0/24 -j DROP | |
| iptables -A OUTPUT -p tcp -s 0/0 -d 192.0.2.0/24 -j DROP | |
| iptables -A OUTPUT -p tcp -s 0/0 -d 192.88.99.0/24 -j DROP | |
| iptables -A OUTPUT -p tcp -s 0/0 -d 198.18.0.0/15 -j DROP | |
| iptables -A OUTPUT -p tcp -s 0/0 -d 198.51.100.0/24 -j DROP | |
| iptables -A OUTPUT -p tcp -s 0/0 -d 203.0.113.0/24 -j DROP | |
| iptables -A OUTPUT -p tcp -s 0/0 -d 224.0.0.0/4 -j DROP | |
| iptables -A OUTPUT -p tcp -s 0/0 -d 240.0.0.0/4 -j DROP | |
| iptables -A OUTPUT -p udp -s 0/0 -d 10.0.0.0/8 -j DROP | |
| iptables -A OUTPUT -p udp -s 0/0 -d 100.64.0.0/10 -j DROP | |
| iptables -A OUTPUT -p udp -s 0/0 -d 169.254.0.0/16 -j DROP | |
| iptables -A OUTPUT -p udp -s 0/0 -d 192.0.0.0/24 -j DROP | |
| iptables -A OUTPUT -p udp -s 0/0 -d 192.0.2.0/24 -j DROP | |
| iptables -A OUTPUT -p udp -s 0/0 -d 192.88.99.0/24 -j DROP | |
| iptables -A OUTPUT -p udp -s 0/0 -d 198.18.0.0/15 -j DROP | |
| iptables -A OUTPUT -p udp -s 0/0 -d 198.51.100.0/24 -j DROP | |
| iptables -A OUTPUT -p udp -s 0/0 -d 203.0.113.0/24 -j DROP | |
| iptables -A OUTPUT -p udp -s 0/0 -d 224.0.0.0/4 -j DROP | |
| iptables -A OUTPUT -p udp -s 0/0 -d 240.0.0.0/4 -j DROP | |
| netfilter-persistent save | |
| iptables -A OUTPUT -p tcp -s 0/0 -d 192.168.0.0/16 -j DROP | |
| iptables -A OUTPUT -p udp -s 0/0 -d 192.168.0.0/16 -j DROP | |
| ### setup ufw ### | |
| - name: ufw rule for custom ssh port | |
| ufw: | |
| rule: allow | |
| port: '{{ sshd_config_port }}' | |
| proto: tcp | |
| comment: allow sshd port | |
| - name: ufw rule for prometheus_node_exporter | |
| ufw: | |
| rule: allow | |
| src: '{{ prometheus_source_ip }}' | |
| port: '{{ prometheus_port }}' | |
| proto: tcp | |
| comment: allow from prometheus host | |
| - name: Enable UFW | |
| ufw: | |
| state: enabled | |
| policy: deny | |
| ### setup time on the server ### | |
| - name: configure time sync | |
| shell: | | |
| timedatectl set-ntp false | |
| ntpq -p | |
| ### node_exporter ### | |
| - name: Install node_exporter systemd unit file | |
| template: | |
| src: node_exporter.service.j2 | |
| dest: "{{ systemd_path }}/node_exporter.service" | |
| mode: '0600' | |
| - name: Download node_exporter binary to local folder and unpack | |
| ansible.builtin.unarchive: | |
| src: "https://github.com/prometheus/node_exporter/releases/download/v{{ node_exporter_version }}/node_exporter-{{ node_exporter_version }}.linux-{{ go_arch }}.tar.gz" | |
| dest: /tmp | |
| remote_src: yes | |
| - name: Propagate node_exporter binaries | |
| copy: | |
| src: "/tmp/node_exporter-{{ node_exporter_version }}.linux-{{ go_arch }}/node_exporter" | |
| dest: "{{ _node_exporter_binary_install_dir }}/node_exporter" | |
| remote_src: yes | |
| mode: 0755 | |
| owner: root | |
| group: root | |
| ### create sudo group ### | |
| - name: Make sure we have a 'sudo' group | |
| group: | |
| name: sudo | |
| state: present | |
| - name: Change group sudo to passwordless | |
| lineinfile: | |
| path: /etc/sudoers | |
| state: present | |
| regexp: '^%sudo' | |
| line: '%sudo ALL=(ALL) NOPASSWD: ALL' | |
| validate: 'visudo -cf %s' | |
| ### systemd manipulations ### | |
| - name: restart cpufrequtils service | |
| systemd: | |
| name: cpufrequtils | |
| state: restarted | |
| - name: enable netfilter service | |
| systemd: | |
| name: netfilter-persistent | |
| enabled: yes | |
| - name: start node_exporter service | |
| systemd: | |
| name: node_exporter | |
| state: started | |
| enabled: yes | |
| - name: restart fail2ban service | |
| systemd: | |
| name: fail2ban | |
| state: restarted | |
| - name: restart sshd service | |
| systemd: | |
| name: sshd | |
| state: restarted | |
| # - name: Creating a file hosts.allow file | |
| # copy: | |
| # dest: "/etc/hosts.allow" | |
| # content: | | |
| # sshd : localhost : allow | |
| # sshd : YOUR-IP1 : allow | |
| # sshd : YOUR-IP1 : allow | |
| # sshd : ALL : deny |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment