Tutorial

How to Use Ansible to Automate Initial Server Setup on Ubuntu 20.04

How to Use Ansible to Automate Initial Server Setup on Ubuntu 20.04
Not using Ubuntu 20.04?Choose a different version or distribution.
Ubuntu 20.04

Introduction

Server automation now plays an essential role in systems administration, due to the disposable nature of modern application environments. Configuration management tools such as Ansible are typically used to streamline the process of automating server setup by establishing standard procedures for new servers while also reducing human error associated with manual setups.

Ansible offers a simple architecture that doesn’t require special software to be installed on nodes. It also provides a robust set of features and built-in modules which facilitate writing automation scripts.

This guide explains how to use Ansible to automate the steps contained in our Initial Server Setup Guide for Ubuntu 20.04 servers.

Prerequisites

In order to execute the automated setup provided by the playbook in this guide, you’ll need:

  • One Ansible control node: an Ubuntu 20.04 machine with Ansible installed and configured to connect to your Ansible hosts using SSH keys. Make sure the control node has a regular user with sudo permissions and a firewall enabled, as explained in our Initial Server Setup guide. To set up Ansible, please follow our guide on How to Install and Configure Ansible on Ubuntu 20.04.
  • One remote server with a clean install of Ubuntu 20.04: no prior setup is required on this server, but you must have SSH access to this server from the Ansible control node mentioned above. This server will become an Ansible host remote server, which is targeted for automated provisioning by the Ansible control node.

What Does this Playbook Do?

This Ansible playbook provides an alternative to manually running through the procedure outlined in the Ubuntu 20.04 initial server setup guide and the guide on setting up SSH keys on Ubuntu 20.04 every time you boot up a server. Set up your playbook once, and use it for every server after.

Running this playbook will perform the following actions on your Ansible hosts:

  1. Install aptitude, which is preferred by Ansible as an alternative to the apt package manager.

  2. Create a new sudo user and set up passwordless sudo.

  3. Copy a local SSH public key and include it in the authorized_keys file for the new administrative user on the remote host.

  4. Disable password-based authentication for the root user.

  5. Install system packages.

  6. Configure the UFW firewall to only allow SSH connections and deny any other requests.

Once the playbook has finished running, you’ll have a new user which you can use to log in to the server.

To begin, log into a sudo enabled user on your Ansible control node server.

Step 1 — Preparing your Ansible control node

On your Ansible control node server, add your Ansible host remote server’s IP to your Ansible inventory file. Using your preferred text editor:

  1. sudo nano /etc/ansible/hosts

This will open your Ansible inventory file. Add your Ansible host remote server’s IP to the [servers] block:

/etc/ansible/hosts
[servers]
server1 ansible_host=your_remote_server_ip

. . .

Now you’ll test and authenticate your SSH connection between this Ansible control node and your Ansible host remote server:

  1. ssh root@your_remote_server_ip

Accept the authentication request, and enter your password if prompted. Once you’ve verified the SSH connection, hit CTRL+D to close the connection and return to your control node.

Step 2 — Preparing your Playbook

The playbook.yml file is where all your tasks are defined. A task is the smallest unit of action you can automate using an Ansible playbook. But first, create your playbook file using your preferred text editor:

  1. nano playbook.yml

This will open an empty YAML file. Before diving into adding tasks to your playbook, start by adding the following:

playbook.yml
---
- hosts: all
  become: true
  vars:
    created_username: sammy

Feel free to replace the username with one of your choosing.

Almost every playbook you come across will begin with declarations similar to this. hosts declares which servers the Ansible control node will target with this playbook. become states whether all commands will be done with escalated root privileges.

vars allows you to store data in variables. If you decide to change this username in the future, you will only have to edit this single line in your file.

Note: If you want to see the playbook file in its final finished state, jump to Step 8. YAML files can be particular with their indentation structure, so you may want to double-check your playbook once you’ve added all your tasks.

Step 3 — Adding an Aptitude Installation Task to your Playbook

By default, tasks are executed synchronously by Ansible in order from top to bottom in your playbook. This means task ordering is important, and you can safely assume one task will finish executing before the next task begins.

All tasks in this playbook can stand alone and be re-used in your other playbooks.

Add your first task of installing aptitude, a tool for interfacing with the Linux package manager:

playbook.yml
  tasks:
    - name: Install aptitude
      apt:
        name: aptitude
        state: latest
        update_cache: true

Here, you’re using the apt Ansible built-in module to direct Ansible to install aptitude. Modules in Ansible are shortcuts to execute operations that you would otherwise have to run as raw bash commands. Ansible safely falls back onto apt for installing packages if aptitude is not available. So while this step is technically optional, Ansible has historically preferred aptitude.

Step 4 — Adding Sudo User Setup Tasks to your Playbook

It is good practice to avoid extensive use of the root user. You can automate the creation of a user that is granted sudo privileges by adding:

playbook.yml
    - name: Setup passwordless sudo
      lineinfile:
        path: /etc/sudoers
        state: present
        regexp: '^%sudo'
        line: '%sudo ALL=(ALL) NOPASSWD: ALL'
        validate: '/usr/sbin/visudo -cf %s' 

    - name: Create a new regular user with sudo privileges
      user:
        name: "{{ created_username }}"
        state: present
        groups: sudo
        append: true
        create_home: true

You’re using the lineinfile Ansible module to target and replace a specific line in a file. In this case, you’re using regex to target a specific line in the sudoers file then modifying it to allow passwordless use of sudo. You also use visudo to validate your changes to prevent anything from breaking.

In order to take advantage of this, you’re adding a new user with the user module. Ansible will ensure this user is created if not already in existence, that the user belongs to the sudo group while not being removed from other groups, and a home directory is created.

Note: Make sure you include the quotes around the curly braces that indicate a variable. Omission of these quotes is a very common Ansible syntax error.

Step 5 — Adding SSH Key Setup and Disabling Root Password Tasks to your Playbook

Ansible operates under the assumption that you’re using SSH keys. It is strongly recommended and generally good practice to pair SSH key usage with disabling root password authentication. To automate this, add:

playbook.yml
    - name: Set authorized key for remote user
      ansible.posix.authorized_key:
        user: "{{ created_username }}"
        state: present
        key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}"

    - name: Disable password authentication for root
      lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: '^#?PermitRootLogin'
        line: 'PermitRootLogin prohibit-password'

The authorized_key module can be used if you supply the username and the location of the key. Here, the path towards your key is built using Ansible’s lookup function.

The lineinfile module is used to search and replace a line in sshd_config in order to disable password authentication for root, limiting access to its privileges for heightened security.

Step 6 — Adding a Package Installation Task to your Playbook

Ansible can ensure certain packages are always installed on your server. Rather than call apt install on each individual package, or break it into multiple tasks, you can list out all your desired packages:

playbook.yml
    - name: Update apt and install required system packages
      apt:
        pkg:
          - curl
          - vim
          - git
          - ufw
        state: latest
        update_cache: true

You can add or remove packages to your liking. This will ensure all packages are not only present, but on the latest version, and done after an update with apt is called.

Step 7 — Adding a Firewall Setup Task to your Playbook

A firewall is indispensable to any server facing the internet. You can have Ansible ensure UFW (Uncomplicated Firewall) is properly configured by adding:

playbook.yml
    - name: UFW - Allow SSH connections
      community.general.ufw:
        rule: allow
        name: OpenSSH

    - name: UFW - Enable and deny by default
      community.general.ufw:
        state: enabled
        default: deny

The ufw module first ensures SSH access is allowed through. Then, this module enables your firewall while defaulting to denying all other traffic to your server.

Step 8 — Reviewing your Complete Playbook

Your playbook should look roughly like the following, with minor differences depending on your customizations:

playbook.yml
---
- hosts: all
  become: true
  vars:
    created_username: sammy

  tasks:
    - name: Install aptitude
      apt:
        name: aptitude
        state: latest
        update_cache: true

    - name: Setup passwordless sudo
      lineinfile:
        path: /etc/sudoers
        state: present
        regexp: '^%sudo'
        line: '%sudo ALL=(ALL) NOPASSWD: ALL'
        validate: '/usr/sbin/visudo -cf %s'

    - name: Create a new regular user with sudo privileges
      user:
        name: "{{ created_username }}"
        state: present
        groups: sudo
        append: true
        create_home: true

    - name: Set authorized key for remote user
      ansible.posix.authorized_key:
        user: "{{ created_username }}"
        state: present
        key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}"

    - name: Disable password authentication for root
      lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: '^#?PermitRootLogin'
        line: 'PermitRootLogin prohibit-password'

    - name: Update apt and install required system packages
      apt:
        pkg:
          - curl
          - vim
          - git
          - ufw
        state: latest
        update_cache: true

    - name: UFW - Allow SSH connections
      community.general.ufw:
        rule: allow
        name: OpenSSH

    - name: UFW - Enable and deny by default
      community.general.ufw:
        state: enabled
        default: deny

Note: This is a gentle reminder to be mindful of your indentations. If you run into an error, this is very likely the culprit. YAML suggests using 2 spaces as an indent, as was done in this example.

Once you’re satisfied with your playbook, you can exit your text editor and save.

Step 9 — Running your Playbook for the First Time

You’re now ready to run this playbook on one or more servers. Most playbooks are configured to be executed on every server in your inventory by default, but you’ll specify your server this time.

To execute the playbook only on server1, connecting as root, you can use the following command:

  1. ansible-playbook playbook.yml -l server1 -u root -k

The -l flag specifies your server and the -u flag specifies which user to log into on the remote server. Since you’ve yet to setup your remote server, root is your only option. The -k flag is very important on your first playbook run, since it allows you to enter your SSH password.

You will get output similar to this:

Output
. . . TASK [UFW - Allow SSH connections] *************************************************************************************************************************************************************************************************************************** changed: [server1] TASK [UFW - Enable and deny by default] ********************************************************************************************************************************************************************************************************************** changed: [server1] PLAY RECAP *************************************************************************************************************************************************************************************************************************************************** server1 : ok=9 changed=8 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

This indicates your server setup is complete! Your output doesn’t have to be exactly the same, but it is important that you have zero failures.

Now that you’ve done the first setup for your playbook, all subsequent ansible calls can be done with user sammy and without the -k flag:

  1. ansible-playbook playbook.yml -l server1 -u sammy

You’ll also be able to log in to the server with:

  1. ssh sammy@your_remote_server_ip

Remember to replace sammy with the user defined by the created_username variable, and server_host_or_IP with your server’s hostname or IP address.

After logging in to the server, you can check the UFW firewall’s active rules to confirm that it’s properly configured:

  1. sudo ufw status

You should get output similar to this:

Output
Status: active To Action From -- ------ ---- OpenSSH ALLOW Anywhere OpenSSH (v6) ALLOW Anywhere (v6)

This means that the UFW firewall has successfully been enabled. Since this was the last task in the playbook, it confirms that the playbook was fully executed on this server.

Conclusion

Automating the initial server setup can save you time, while also making sure your servers will follow a standard configuration that can be improved and customized to your needs. With the distributed nature of modern applications and the need for more consistency between different staging environments, automation like this becomes a necessity.

In this guide, you demonstrated how to use Ansible for automating the initial tasks that should be executed on a fresh server, such as creating a non-root user with sudo access, enabling UFW and disabling remote password-based root login.

For more information on how to run Ansible playbooks, check out our Ansible Cheat Sheet Guide.

If you’d like to include new tasks in this playbook to further customize your initial server setup, please refer to our introductory Ansible guide Configuration Management 101: Writing Ansible Playbooks. You can also check out our guide on How to Use Ansible Roles to Abstract your Infrastructure Environment.

Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.

Learn more about our products

About the authors
Default avatar
Tony Tran

author


Default avatar

Developer Advocate

Dev/Ops passionate about open source, PHP, and Linux.


Still looking for an answer?

Ask a questionSearch for more help

Was this helpful?
 
3 Comments


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Awesome tutorials! Very much helped me get more than a bit started :-) https://github.com/CrustyBarnacle/ansible-learning

I had 3 errors but I finally got the playbook to install on my host node! All the commands should be run on the Control node not Host node.

Error #1: ERROR! couldn’t resolve module/action ‘community.general.ufw’. This often indicates a misspelling, missing collection, or incorrect module path.

Solution: $ansible-galaxy collection install community.general

Error #2: ERROR! couldn’t resolve module/action ‘ansible.posix.authorized_key’. This often indicates a misspelling, missing collection, or incorrect module path.

Solution: $ansible-galaxy collection install ansible.posix

ERROR #3: fatal: [baconBits]: FAILED! => {“msg”: “to use the ‘ssh’ connection type with passwords, you must install the sshpass program”}

Solution: $sudo apt install sshpass

Worth mentioning the droplet can also be created in ansible, collection

But is there a way to create a droplet from a snapshot (in Ansible)?

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Join the Tech Talk
Success! Thank you! Please check your email for further details.

Please complete your information!

Featured on Community

Get our biweekly newsletter

Sign up for Infrastructure as a Newsletter.

Hollie's Hub for Good

Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.

Become a contributor

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Welcome to the developer cloud

DigitalOcean makes it simple to launch in the cloud and scale up as you grow — whether you're running one virtual machine or ten thousand.

Learn more