Clone this repo recursive, roles are included as submoduls:
$git clone --recursive https://github.com/MVladislav/ansible-env-setup.git
# load
$git submodule update --init --recursive
# update
$git submodule update --recursive --remoteInstall ansible on host to run the playbook:
$sudo apt install python3 python3-pip python3-venv libssl-dev sshpass
$python3 -m venv .venv && source .venv/bin/activate
$python3 -m pip install ansible-core ansible-lint yamllint
$ansible-galaxy collection install --upgrade -r requirements.yml$python3 -m pip install molecule molecule-plugins[docker]
Copy the inventory template inventory/inventory-example.yml as inventory/inventory.yml:
$cp inventory/inventory-example.yml inventory/inventory.ymlCopy vars default playbooks/vars/default-example.yml as playbooks/vars/default.yml
which holds the ssh-keys for setup in pre-tasks.yml defined by clients in inventory.yml:
clients are identified in
playbooks/vars/default.ymlby key with"{{ ansible_user }}-{{ ansible_host }}"insideinventory.ymlyou can define inansible_ssh_private_key_filethe related ssh-key
$cp playbooks/vars/default-example.yml playbooks/vars/default.ymlUpdate inventory/inventory.yml with your own configuration as you need.
By default multiple playbooks are pre defined. Use and update them as you need.
Following are some main playbooks to install clients or servers:
- base
- playbook-sec-short.yml
- clients
- playbook-client.yml
- playbook-client-vm.yml
- playbook-client-dev.yml
- playbook-client-pentest.yml
- servers
- playbook-server-minimal.yml
- playbook-server-dev.yml
- playbook-server-cluster.yml
-k=> will use ssh with a password, as a fresh setup has no ssh-key installed if ssh-key is installed on target you not need to inclide-k
Example to run playbook-sec-short:
$ansible-playbook playbooks/playbook-sec-short.yml -i inventory/inventory-example-server.yml --ask-become-pass -k
# or with less output information
$ansible-playbook playbooks/playbook-sec-short.yml -i inventory/inventory-example-server.yml --ask-become-pass -k | grep -v "started TASK\|included: "
In general following playbooks/roles/tasks are run by each client playbook with its specific configuration:
- playbook-s-cis
Harden the client by CIS rules
- ansible-cis-ubuntu-2204
- cis aide env extender
- playbook-s-pre-install
some pre installs and configs
- pre-tasks
- ansible-updater
- community.general.ufw
- ansible-ssh
- ansible-netplan
- playbook-s-pre-mailing
- ansible-postfix
- nullmailer
- playbook-s-hardening
some more general client hardenings
- ansible-security
- ansible-install-server
install tools/service for server usage, which also useful for clients
- ansible-install-client
install tools/service for client usage
- playbook-s-container
- ansible-docker
install docker with CIS harden
- ansible-kubernetes
- ansible-docker
- servers:
- s1: default (TODO)
- s2: minimal
- s3: dev
- s4: cluster
- clients:
- c1: default
- c2: vm
- c3: dev
- c4: pentest
| apps | s1 | s2 | s3 | s4 | c1 | c2 | c3 | c4 |
|---|---|---|---|---|---|---|---|---|
| apt_base | x | x | x | x | x | x | x | |
| apt_exa | ||||||||
| apt_eza | x | x | x | x | x | x | x | |
| apt_bat | x | x | x | x | x | x | x | |
| apt_ncdu | ||||||||
| apt_auth_priv | x | x | x | x | x | |||
| apt_cert | x | x | x | x | x | x | x | |
| apt_archive | x | x | x | x | ||||
| apt_dev | x | x | x | x | ||||
| apt_build | x | x | ||||||
| apt_libs | x | x | ||||||
| apt_php | ||||||||
| apt_lua | ||||||||
| apt_java_jre_headless | x | |||||||
| apt_java_jdk | ||||||||
| apt_java_ant | ||||||||
| apt_java_maven | ||||||||
| apt_java_gradle | ||||||||
| apt_snap | x | x | x | x | x | |||
| apt_qemu_guest_agent | x | x | x | x | x | |||
| apt_rasp_pi_pkg | ||||||||
| apt_vpn_resolvconf | ||||||||
| apt_vpn_wireguard | ||||||||
| apt_vpn_openvpn | ||||||||
| apt_vpn_openconnect | ||||||||
| apt_latex | x | x | x | |||||
| apt_pandoc | x | x | x | |||||
| apt_apt_john_the_ripper | x | |||||||
| apt_nmap | x | x | x | |||||
| snap_john_the_ripper | ||||||||
| snap_nmap | x | |||||||
| snap_juju | ||||||||
| snap_maas | ||||||||
| snap_microk8s | ||||||||
| snap_kubectl | ||||||||
| snap_helm | ||||||||
| snap_multipass | ||||||||
| snap_btop | x | x | x | x | x | |||
| snap_glow | x | x | ||||||
| snap_go | ||||||||
| snap_httpie | x | |||||||
| snap_node | x | |||||||
| snap_ruby | ||||||||
| snap_rust | ||||||||
| snap_openjdk | ||||||||
| snap_openjfx | ||||||||
| inst_git_conf | x | x | x | x | x | x | x | |
| inst_fonts | x | x | x | x | x | x | ||
| inst_zsh_conf | x | x | x | x | x | x | ||
| inst_tmux_conf | x | x | x | x | x | |||
| inst_nvim_conf | x | x | x | x | x | |||
| apt_python | x | x | x | x | x | |||
| apt_python_pip | x | x | x | x | x | |||
| apt_python_venv | x | x | x | x | x | |||
| apt_python_dev | x | x | x | x | ||||
| pip_s_tui | x | x | x | x | x | |||
| pip_virtualenv | ||||||||
| pip_autopep8 | x | x | x | x | ||||
| pip_black | x | x | x | x | ||||
| pip_mypy | x | x | x | x | ||||
| pip_pre_commit | x | x | x | x | ||||
| pip_openconnect_sso | ||||||||
| pip_ansible | x | x | x | |||||
| go_kompose | ||||||||
| go_act |
| services/tools | default | dev | pentest | vm |
|---|---|---|---|---|
| dev | x | x | x | x |
| fonts | x | x | x | x |
| gnome additional's | x | x | x | x |
| gnome dep. | ||||
| gnome ext. | x | x | x | x |
| gnome ext. ubuntu tiling | ||||
| gnome ext. caffeine | ||||
| gnome ext. sound | ||||
| gnome ext. blur shell | x | x | x | x |
| gnome ext. burn window | ||||
| gnome ext. dash to panel | x | x | x | x |
| gnome ext. ui tune | ||||
| gnome keybinding | ||||
| gnome overlay | x | x | x | x |
| gnome terminal overlay | x | x | x | x |
| apps | default | vm | dev | pentest |
|---|---|---|---|---|
| base | x | x | x | x |
| auth_priv | x | x | x | x |
| ubuntu | x | x | x | x |
| archive | x | x | x | |
| codec | ||||
| gnome | ||||
| snap | x | x | x | x |
| flatpak | x | x | x | x |
| texmaker | ||||
| logitech_unifying_solaar | ||||
| mpv | ||||
| vpn_resolvconf | ||||
| vpn_l2tp | ||||
| vpn_openvpn | ||||
| vpn_openconnect | ||||
| vpn_wireguard | ||||
| gnome_boxes | ||||
| virt_viewer | x | |||
| veracrypt | x | x | x | x |
| veracrypt_cli | ||||
| virtualbox | ||||
| 1password_cli | ||||
| portmaster | ||||
| parsec | ||||
| brim | x | |||
| logseq | x | x | x | |
| ultimaker | x | |||
| 1password | ||||
| keepassxc | ||||
| yubioath | ||||
| chromium | x | x | x | |
| denaro | ||||
| firefox | x | x | x | x |
| flameshot | ||||
| foliate | ||||
| libreoffice | ||||
| newsflash | ||||
| okular | ||||
| onlyoffice | x | x | x | x |
| thunderbird | x | x | ||
| xournalpp | ||||
| zoom | ||||
| discord | ||||
| jdownloader | ||||
| signal | x | x | ||
| telegram | x | x | ||
| blender | ||||
| darktable | x | |||
| drawio | x | x | x | |
| gimp | x | x | ||
| inkscape | x | x | x | |
| krita | ||||
| lunacy | x | |||
| upscayl | x | x | ||
| amberol | ||||
| haruna | x | x | x | x |
| obs | ||||
| parabolic | ||||
| video_trimmer | ||||
| vlc | ||||
| moosync | ||||
| spotify | x | x | ||
| steam | ||||
| android_studio | x | |||
| beekeeper_studio | x | |||
| code | x | x | x | |
| dbeaver | x | |||
| insomnia | x | |||
| postman | ||||
| remmina | x | x | x | |
| rpi_imager | ||||
| ghidra | x | |||
| zaproxy | x | |||
| mqtt_explorer | x | |||
| UBports | ||||
| fbreader | ||||
| pixelfx | ||||
| cryptomator | x | |||
| flatseal | x | x | x | x |
| pika_backup | ||||
| ausweisapp2 | ||||
| easy_effects | x | |||
| extension_manager | ||||
| filezilla | ||||
| missioncenter | ||||
| planify | ||||
| warp | x | |||
| threemaqt | ||||
| conjure | ||||
| peek | ||||
| girens | ||||
| lutris | ||||
| arduinoide | ||||
| betaflightconfigurator | ||||
| fritzing | ||||
| mongodb_compass | ||||
| sublimetext | ||||
| wireshark |