Baseline Playbook
Ansible playbook to create a baseline configuration after provisioning a new VM
Background
Traditionally, when a new host was provisioned, several separate playbooks were needed to configure things like monitoring and backups. This playbook repository unifies the changes needed on most new hosts into a single run. It uses the following roles to achieve this:
- ansible-sshd forked from Thomas Sjögren et al.
- ansible-fail2ban forked from Robert Debock
- ansible-unattended-upgrades forked from Jan Vlnas et al.
- ansible-fsfe-backup contained in this repository
- ansible-fsfe-monitoring contained in this repository
- ansible-fsfe-baseconfig contained in this repository
Security
This playbook repository contains secrets that are encrypted using the Ansible
vault. The
passphrase to decrypt the vault lives in the GPG-encrypted file
vault_passphrase.gpg. If you need access to the
encrypted parts of this playbook or you want to be able to encrypt variables
whilst setting up a new host, simply create an issue in this repository and we
will review your request.
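Ansible can read the vault passphrase from an executable password file instead of prompting for it, which is how a GPG-encrypted passphrase file is normally wired in. The following script is an added example, not part of the baseline repository: it assumes the passphrase file is vault_passphrase.gpg next to the script, that the script is saved as vault_pass.sh, and that your GPG key is available to the local gpg-agent.

```sh
#!/bin/sh
# vault_pass.sh: decrypt vault_passphrase.gpg and print the passphrase on
# stdout so Ansible can consume it via --vault-password-file (or the
# vault_password_file setting in ansible.cfg).
# Added example, not part of the baseline repository. Assumed layout: the
# passphrase file sits next to this script.
set -eu

# Print the decrypted passphrase, or fail loudly when something is off so
# Ansible does not silently use an empty or garbled passphrase.
decrypt_vault_pass() {
  file=$1
  if [ ! -f "$file" ]; then
    echo "vault_pass.sh: $file not found" >&2
    return 1
  fi
  if ! command -v gpg >/dev/null 2>&1; then
    echo "vault_pass.sh: gpg not installed" >&2
    return 1
  fi
  # --quiet and --batch keep gpg from writing prompts or status lines to
  # stdout, which Ansible would otherwise read as part of the passphrase.
  gpg --quiet --batch --decrypt "$file"
}

main() {
  dir=$(dirname "$0")
  decrypt_vault_pass "$dir/vault_passphrase.gpg"
}

# Only run main when invoked as the script itself (assumed name
# vault_pass.sh), so the functions can also be sourced elsewhere.
case "${0##*/}" in
  vault_pass.sh) main "$@" ;;
esac
```

Make the script executable (chmod +x vault_pass.sh) and either pass it on the command line as `ansible-playbook --vault-password-file ./vault_pass.sh playbook.yml` or set `vault_password_file = ./vault_pass.sh` under `[defaults]` in ansible.cfg. Ansible treats a vault password file as a script only when it is executable; a non-executable file is read verbatim, which would hand the GPG ciphertext to Ansible as the passphrase.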
Install
You need a host that runs at least Debian 10 and an up-to-date copy of our inventory, which you can obtain by running:
git clone --recurse-submodules git@git.fsfe.org:fsfe-system-hackers/baseline.git
or when you have already cloned the repository without recursing into submodules:
git submodule update --remote inventory
To use this repository to provision a new host, you need Ansible (at least
version 2.10). You can either activate the virtual environment with pipenv,
which you can install via pip or your favourite package manager, or install
Ansible with pipx. The pipx route is the easiest; after installing pipx,
simply run:
pipx install --include-deps ansible
Usage
In order to configure a new host, you need to do the following:
- Apply the label baseline to the desired host in the inventory.
- Add a host configuration file in host_vars. Take a look at this example to get an idea.
- Then, simply run
ansible-playbook playbook.yml
If you just want to run certain parts of the playbook, take a look at the available tags and limit the run to the tasks carrying those tags:
ansible-playbook playbook.yml -t hardening
Available tags are:
- hardening
- sshd
- fail2ban
- unattended-upgrades
- monitoring
- backup
- baseconfig
Example: add/change configuration of client monitoring
In order to add a new server to the monitoring, or to update its client plugins, including the necessary change on the monitoring server, run:
ansible-playbook playbook.yml -l example.fsfeurope.org -t monitoring
You won't have to define the icinga2 server, the playbook integrates it on its own.
Also read the detailed wiki entry on how to add a new server to the monitoring and adding client plugins if you're interested.
Gotchas
If you run this for multiple servers at once, add -f 1 as a parameter so that
Ansible processes one host at a time. Backup initialisation rewrites the
authorized_keys file on the remote storage, and several playbook processes
writing that file concurrently can corrupt it or drop entries.
Configuration
To configure the behaviour of the roles for the host in question take a look at
group_vars/all.yml. This file specifies the default
configuration for our hosts.
If you want to change those variables for a new host, say example.fsfeurope.org,
simply copy the relevant entries from above to the relevant file in
host_vars (e.g. example.fsfeurope.org.yml) and amend them as
you see fit. For more information on which variables take precedence over
others, refer to the Ansible documentation on variable precedence.
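Because host_vars files are where per-host settings (and therefore per-host secrets) end up, it is worth checking before a commit that nothing secret-looking is stored in plain text rather than as an Ansible Vault value. The following check is an added example, not part of the baseline repository; the list of key-name fragments it treats as secret (password, passphrase, secret, token, private_key) is an assumption and should be extended to match the variables your roles actually use.

```sh
#!/bin/sh
# check_host_vars.sh: flag secret-looking keys in host_vars/*.yml whose value
# is not an Ansible Vault block. Added example, not part of the baseline
# repository; the key-name pattern below is an assumption.
set -eu

# Print "line:content" for every key matching the secret pattern whose value
# on the same line does not start with the !vault tag. Prints nothing when
# the file is clean. A key with an empty value followed by a plain multi-line
# scalar is reported too, since only "!vault |" marks an encrypted value.
find_unencrypted_secrets() {
  file=$1
  pattern='^[[:space:]]*[A-Za-z0-9_]*(password|passphrase|secret|token|private_key)[A-Za-z0-9_]*:[[:space:]]*'
  grep -nE "$pattern" "$file" | grep -vE ':[[:space:]]*!vault' || true
}

# Walk a host_vars directory, print every finding as "file:line:content" and
# return 1 if anything was found, so the check can gate a commit or CI job.
check_host_vars() {
  dir=$1
  status=0
  for f in "$dir"/*.yml; do
    [ -e "$f" ] || continue
    hits=$(find_unencrypted_secrets "$f")
    if [ -n "$hits" ]; then
      printf '%s\n' "$hits" | sed "s|^|$f:|"
      status=1
    fi
  done
  return $status
}

# Only run when invoked as the script itself (assumed name check_host_vars.sh);
# the directory defaults to host_vars in the current working directory.
case "${0##*/}" in
  check_host_vars.sh) check_host_vars "${1:-host_vars}" ;;
esac
```

Run it from the repository root as ./check_host_vars.sh before committing a new host file; a non-zero exit lists the offending lines. Encrypt a flagged value in place with `ansible-vault encrypt_string --vault-password-file ./vault_pass.sh 'the-value' --name 'the_key'` and paste the resulting `!vault |` block into the host_vars file.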