Bootstrap is an Ansible playbook that you can use to set up and immediately secure a brand new server, such as a fresh Linode. This playbook is inspired and largely based off of Bryan Kennedy's excellent post My First 5 Minutes On A Server; Or, Essential Security for Linux Servers. There's also some stuff from Linode's own Getting Started and Securing Your Server guides.
- You're running this on a fresh VPS.
- Debian 7 or an equivalent Linux distribution. (You can use whatever distro you want, but deviating from Debian will require more tweaks to the playbooks. See Ansible's different packaging modules.)
- I can confirm that is also works as-is for Ubuntu 14.04 x64.
First, make sure you've got Ansible installed.
When creating a fresh linode (or whatever) I make sure to set a good root password right from the Linode (or web) Manager. You can also change the root password from the command line:
passwd
The playbook will create a 'deploy' user so that you aren't using root anymore. It will also disable sshing into your server as root once the playbook has finished. Since this is a brand new server, the playbook will need to run as root which means you should install sshpass using Homebrew.
Read Install sshpass Using Homebrew for more on why this is necessary.
brew install https://raw.github.com/eugeneoden/homebrew/eca9de1/Library/Formula/sshpass.rb
On Mac/Linux run the command:
ssh-keygen
Follow the onscreen instructions to generate your SSH key pairs on your desktop computer. By default, the ssh-keygen utility will save your private key to '/.ssh/id_rsa' and the public key to '/.ssh/id_rsa.pub'. If you don't want to use a passphrase simply press 'Enter' when prompted.
Copy the entire contents of the public key file (~/.ssh/id_rsa.pub) and paste it in /roles/bootstrap/files/id_rsa.pub, replacing the TODO line. Even if you saved your key to a different name than id-rsa, you do not need to change this filename.
Don't forget to add the newly created key or you will experience a Permission denied (publickey)
error later on. If you entered a passphrase in the previous step you will need to enter that when prompted also.
ssh-add ~/.ssh/id_rsa
Modify the settings in /vars/user.yml to your liking. If you want to see how they're used in context, just search for the corresponding string.
For the 'deploy' user you can generate a password hash using the openssl passwd command:
openssl passwd -salt <salt> -1 <plaintext>
From the directory where you've cloned this project:
ansible-playbook -i ./hosts bootstrap.yml --user root --ask-pass
I would recommend you check out Alex Payne's Sovereign project on Github if you want to set up your own mail server and personal cloud.
If you improve upon this playbook or add an exciting new one, send a pull request. Everyone benefits.
Original content is "GPLv3":http://gplv3.fsf.org, same as Ansible. All files and templates based on third-party software should be considered under their respective licenses.