gildesmarais / ansible-5-minutes-server Goto Github PK

This comes in handy on small servers with not so much memory available.

• setup /swapfile of 1GB
• automount with fstab entry
• set sysctl to low swappiness

fallocate -l 1G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
swapon --show

echo "/swapfile none swap sw 0 0" >> /etc/fstab

# set swappiness
echo 'vm.swappiness = 15' >> /etc/sysctl.conf
sudo sysctl -p

To send mails without a heavy mail server, e.g. with ssmtp.

Add some basic sysadmin tools

• lsof
• ncdu
• rg
• fzf

• use no_log: true on tasks using secrets

• create home dir
• add ssh-key to authorized_keys
• allow configuration of groups

Sample snippet

sudo useradd -m deploy

# add to more groups afterwards
sudo usermod -a -G rvm deploy
sudo usermod -a -G docker deploy

• add apt repository
• use default configuration with provided user/pass/url credentials

depends on gildesmarais/Ansible-My-First-5-Minutes-On-A-Server#1 for sending informative emails.
only install security upgrades.

See https://github.com/guillaumevincent/Ansible-My-First-5-Minutes-On-A-Server/pull/1/files#diff-d83d6ad0c2daa8bfabef7a09ae4c919d88bc5201c0dc60fedb61f83428f94aae for possible reusable code

• rotate interval
• compress logs

Currently there's one ADMIN user.

This could encourage to share this admin user across organisations which is bad (e.g. can't audit who really logged in).

• secrets: remove ADMIN_*
• check if there's an existing playbook for user and key management - prefer to use that, if popular
• make ADMINS an array taking a hash like this (pseudo/draft code):

  ADMINS:
    - username: foo
      email: [email protected]
      public_key: a/path/to/id_rsa.pub

• implement the creation and ssh key uploading in the role. (proper key management - needs to remove keys, when removed from ADMINS config)
• research if a go-to rolebook for that case exists in the ansible universe

follow-up to #22