Skip to content

Instantly share code, notes, and snippets.

@dhet
Last active February 7, 2021 10:04
Show Gist options
  • Save dhet/59cc8c8c3f0ef7f5604bdf2af7f0b960 to your computer and use it in GitHub Desktop.
Save dhet/59cc8c8c3f0ef7f5604bdf2af7f0b960 to your computer and use it in GitHub Desktop.
An Ansible playbook for setting up a host which can run Docker Compose (including an unprivileged service account for deployments)
docker_username: dhetbot
docker_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
33383361346365316566663434303530346663636261653934316366323162616137343464656438
3032616265386530393237663533323834393064343531390a626233353961363632643661376164
65336635366130663266623861613834646232393766396462316365346665613065646638333534
6364373831346235610a366639393163666234643631396464643036623536396335666336343133
6561
- hosts: all
remote_user: root
gather_facts: false
vars:
users:
- name: david
groups: docker,appadmin
key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDGJXMAnZGc8+qZYm1Vb2ZyPsyKoweoqFQ0PBzkd1ZiioBWIK185zgV4VvVHruTc+xozFZPXacM0WAxBQ7CE2fyD9ssyDPA/bB+JQ4C572GV9MDA0mIsRUF3DxXbUB0ROmvQ6VDxqT+mUn1tDyLmxVqZAxSLEobgaWV7c5K8IPdF47RU7/elOWjTHssfsyghztbhr7LYlO5JJRGuK/kv40mVrQWGWrcHqNEgnJLuCC2I8OaZqzGNynL6gymTdYs/JtZahO/0E0SNct+dk+/eiVzkl9RzbBmAZXTKGOxG/qCF0G2SEQU7joDTwO6Ohc2hvdBe+g+uUWh/Mcpiq0+0EMIB5fiRSEJo1AAzphbp/zjUemAWzGcjo6Vt+6NgQm0BhU1L2mgptom44hVxtNbQebKnPk+6uB0addJf09LMQ+6qKJluGFefwTmpk5+yrXNhgfl5UP+i32X4XI6ofcF+lCsjK/MAml00LCWRFpfnw7NuWtKfmkd+blK5rgzWBL/zVyx2voBVRAOWu3ydid22j2AYzwSiG6KGdcZGweftm5meCsaZtbnwCTYCDhwvp2rie2SjfkGiimhGOT+vkXYa3XDO0I3L2kr110lqiVahjtjzArZK25qRcf2RmVtg4xxuekAfjDGPm5XWMiGDlVuP8uuknAuU6gP+/8Ig2UGpEBwZQ== david
sudo: true
- name: automation
groups: docker,appadmin
key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCXdd1mM0+xynLjXJ5TcaU1J1EKNYBMc0TzG2hWaHRufklMwLo4ZdaDyXjeEovWi84ZQGV0ldjni+D6doN2EvhSgeEumC2wW0nX98j/317m++jNfZpjIr3ut/P3+zfGPDJBa7xqzrLpEleU47iebo+Hm/sTuf50SqSt7sr5k33E15B4xil9TKuR/SF753OO1VnQqJh/a84QrC9IGJrOSrsxLCe1Qs1Rs98lMmuToGQ7C5ZRmrw7KGHVFecDcSvknZ9uOUwRqWDXebnTbCebVbyY2CJ6ZeIco4bYkioWZGU45xOAh4iLT5CHXmGWCYS5rU16JH1Jmajz4Zz8vdMBmCrehh3eN1sMgecu2r+VTVtlL2fQzPnSdl2994y6P4zhUJCTpzvChM0QkTE/4DR5+Wi+n+fUWUh0Ek2mjXduOGoie/yMBHH8yOzAM3GtzNnLTr/Z6IZEsvHz684wwTV3bEQ9YEYq/tIHLPszOpery6scDgppLhKCoGjYh8mb7FvFPY2dMqWIqvTgaC4hx55EBKrKvVkk4rpri5I2Hxrjlbr7K2+8KWI+Nw88gSZiPQthNeEVVsdy/krFWrdpYNr828Zqv9p8dXcTiF7aP9cSfmhZuRW2G0lxhUaTz3+B/SaCtjRjSw1GYZf2yd++KJvDV6+0jl/KvMS9D/1+A1vpfSQt7Q== automation
sudo: true
vars_files:
- secrets.yaml
handlers:
- name: Restart ssh
service:
name: ssh
state: restarted
tasks:
- name: Install packages
apt:
name:
- ufw
- fail2ban
- vim
- htop
- jq
- unattended-upgrades
- docker
- docker.io
- docker-compose
state: present
update_cache: yes
cache_valid_time: 3600
- name: Upgrade packages
apt:
upgrade: safe
- name: Adjust update intervals
copy:
dest: /etc/apt/apt.conf.d/10periodic
content: |
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
- name: Setup firewall
ufw:
state: enabled
policy: deny
- name: Open ports
ufw:
rule: allow
port: "{{ item }}"
loop: [ "22", "80", "443"]
- name: Disallow password authentication
lineinfile:
dest: /etc/ssh/sshd_config
regexp: "^PasswordAuthentication"
line: "PasswordAuthentication no"
state: present
notify: Restart ssh
- name: Create appadmin group
group:
name: appadmin
state: present
- name: Add users
user:
name: "{{ item.name }}"
groups: "{{ item.groups }}"
shell: /bin/bash
loop: "{{ users }}"
- name: Configure SSH access
authorized_key:
user: "{{ item.name}}"
key: "{{ item.key }}"
loop: "{{ users }}"
- name: Configure sudoers
lineinfile:
dest: /etc/sudoers
regexp: "{{ item.name }} ALL"
line: "{{ item.name }} ALL=(ALL) NOPASSWD:ALL"
state: present
when: item.sudo
loop: "{{ users }}"
- name: Log users into Dockerhub
docker_login:
username: "{{ docker_username }}"
password: "{{ docker_password }}"
become_user: "{{ item.name }}"
loop: "{{ users }}"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment