initial-system-setup
Example:
```yaml
# Basic initial server setup, incl. creating admin user, setting up firewall, etc.
- initial-system-setup:
    admin_user: admin
    admin_password: $6$D86xex4X...
    admin_pub_keys:
      - ssh-rsa AAAAB3NzaC1yc2... freckles@think
      - ssh-rsa AAAAB3NzaC1yc2... other_user@whatever
    passwordless_sudo: true
    ssh_password_auth: false
    ssh_root_access: false
    ufw_enabled: true
    ufw_open_tcp_ports:
      - 80
      - 443
      - 9100
      - 9090
      - 3000
    fail2ban_enabled: true
    auto_updates_enabled: true
```
Description
This frecklet can be used to harden a freshly installed server. It sets up an admin user account with password-less sudo enabled, disables password auth and root login for ssh, and optionally enables automatic updates and mosh as an ssh alternative.

If no admin_password argument is provided, the created user won't be able to log in via ssh password auth, and they won't be able to use sudo if passwordless sudo is not enabled for the user.
Variables
Name | Type | Default | Description |
---|---|---|---|
admin_password | string | -- | This sets the admin password in plain text. The user input will be sha512-hashed before being forwarded to the connector. If not provided, the user won't be able to log in via password auth, and can't use sudo if passwordless sudo is not configured. |
admin_pub_keys | list | -- | A list of public ssh keys for the admin user. |
admin_user | string | admin | The name of the admin user. |
auto_updates_enabled | boolean | False | Whether to enable automatic updates. |
extra_packages | list | -- | A list of extra system packages to install. |
fail2ban_enabled | n/a | False | Whether to install and enable fail2ban. |
mosh_enabled | boolean | False | Whether to install and configure mosh. |
passwordless_sudo | boolean | True | Whether to enable passwordless sudo for the admin user. |
ssh_password_auth | n/a | False | Whether to enable ssh password auth. |
ssh_root_access | n/a | False | Whether to enable ssh root access. |
ufw_enabled | boolean | False | Whether to install and enable the ufw firewall. |
ufw_open_tcp_ports | list | -- | A list of tcp ports to open (if ufw enabled). |
ufw_open_udp_ports | list | -- | A list of udp ports to open (if ufw enabled). |
Examples
Example 1
Basic initial server setup, incl. creating admin user, setting up firewall, etc.
Code
```yaml
- initial-system-setup:
    admin_user: admin
    admin_password: $6$D86xex4X...
    admin_pub_keys:
      - ssh-rsa AAAAB3NzaC1yc2... freckles@think
      - ssh-rsa AAAAB3NzaC1yc2... other_user@whatever
    passwordless_sudo: true
    ssh_password_auth: false
    ssh_root_access: false
    ufw_enabled: true
    ufw_open_tcp_ports:
      - 80
      - 443
      - 9100
      - 9090
      - 3000
    fail2ban_enabled: true
    auto_updates_enabled: true
```
Description
Common server setup, incl. open firewall ports for a webserver and Prometheus monitoring.
Code
```yaml
doc:
  short_help: Basic security setup for a new server, incl. setup of admin user.
  help: |
    This frecklet can be used to harden a freshly installed server. It sets up an
    admin user account with password-less sudo enabled, disables password-auth and
    root login for ssh, and also optionally enables automatic update and mosh as
    an ssh alternative.

    If no ``admin_password`` argument is provided, the created user won't be able
    to login via ssh via password auth, and they won't be able to do sudo if
    passwordless sudo is not enabled for the user.
  notes:
    - running this will disable root ssh login as well as password-based ssh-logins. Don't run it if that is not what you want!
  further_reading:
    encrypt passwords: https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-crypted-passwords-for-the-user-module
  examples:
    - title: Basic initial server setup, incl. creating admin user, setting up firewall, etc.
      desc: |
        Common server setup, incl. open firewall ports for a webserver and Prometheus monitoring.
      vars:
        admin_user: admin
        admin_password: $6$D86xex4X...
        admin_pub_keys:
          - ssh-rsa AAAAB3NzaC1yc2... freckles@think
          - ssh-rsa AAAAB3NzaC1yc2... other_user@whatever
        passwordless_sudo: true
        ssh_password_auth: false
        ssh_root_access: false
        ufw_enabled: true
        ufw_open_tcp_ports:
          - 80
          - 443
          - 9100
          - 9090
          - 3000
        fail2ban_enabled: true
        auto_updates_enabled: true

args:
  admin_user:
    doc:
      short_help: The name of the admin user.
    type: string
    required: true
    default: admin
  admin_password:
    doc:
      short_help: The admin password.
      help: |
        This sets the admin password in plain text. The user input will be
        sha512-hashed before being forwarded to the connector.

        If not provided, the user won't be able to login via password auth, and
        can't do sudo if passwordless sudo is not configured.
    type: string
    coerce: sha512_crypt
    required: false
    secret: true
    cli:
      metavar: PWD
  admin_pub_keys:
    doc:
      short_help: A list of public ssh keys for the admin user.
    type: list
    schema:
      type: string
    required: false
    cli:
      param_decls:
        - --admin-pub-key
        - -k
  auto_updates_enabled:
    type: boolean
    required: false
    default: false
    doc:
      short_help: Whether to enable automatic updates.
    cli:
      is_flag: true
  ssh_password_auth:
    doc:
      short_help: Whether to enable ssh password auth.
    default: false
    required: false
    cli:
      is_flag: true
      show_default: true
  passwordless_sudo:
    doc:
      short_help: Whether to enable passwordless sudo for admin user.
    default: true
    type: boolean
    required: false
    cli:
      param_decls:
        - --passwordless-sudo/--no-passwordless-sudo
      show_default: true
  ssh_root_access:
    doc:
      short_help: Whether to enable ssh root access.
    default: false
    required: false
    cli:
      is_flag: true
      show_default: true
  ufw_enabled:
    doc:
      short_help: Whether to install and enable the ufw firewall.
    type: boolean
    default: false
    required: false
    cli:
      is_flag: true
  ufw_open_tcp_ports:
    doc:
      short_help: A list of tcp ports to open (if ufw enabled).
    type: list
    schema:
      type: integer
    required: false
    cli:
      param_decls:
        - --ufw-open-tcp-port
        - -t
  ufw_open_udp_ports:
    doc:
      short_help: A list of udp ports to open (if ufw enabled).
    type: list
    schema:
      type: integer
    required: false
    cli:
      param_decls:
        - --ufw-open-udp-port
        - -u
  mosh_enabled:
    doc:
      short_help: Whether to install and configure mosh.
    type: boolean
    default: false
    required: false
    cli:
      is_flag: true
  fail2ban_enabled:
    doc:
      short_help: Whether to install and enable fail2ban.
    default: false
    required: false
    cli:
      is_flag: true
  extra_packages:
    doc:
      short_help: A list of extra system packages to install.
    required: false
    type: list
    schema:
      type: string
    cli:
      param_decls:
        - --extra-package
        - -p

meta:
  tags:
    - featured-frecklecutable
    - hardening
    - security
    - firewall
    - admin
    - ssh
    - fail2ban
    - ufw
    - mosh
    - sudo
    - passwordless-sudo

frecklets:
  - packages-installed:
      packages:
        - ca-certificates
  - frecklet:
      name: freckfrackery.basic-security
      type: ansible-role
      resources:
        ansible-role:
          - freckfrackery.basic-security
      properties:
        elevated: true
        idempotent: true
      desc:
        references:
          "'freckfrackery.basic-security' Ansible role": https://gitlab.com/freckfrackery/freckfrackery.basic-security
        short: initial server setup
    task:
      become: true
    vars:
      basic_security_user_name: '{{:: admin_user ::}}'
      basic_security_user_pw: '{{:: admin_password ::}}'
      basic_security_enable_passwordless_sudo: '{{:: passwordless_sudo ::}}'
      basic_security_user_public_keys: '{{:: admin_pub_keys ::}}'
      basic_security_enable_ufw: '{{:: ufw_enabled ::}}'
      basic_security_tcp_ports: '{{:: ufw_open_tcp_ports ::}}'
      basic_security_udp_ports: '{{:: ufw_open_udp_ports ::}}'
      # the frecklet exposes "enable" switches; the role expects "disable" switches
      basic_security_disable_ssh_password_auth: '{{:: ssh_password_auth | negate ::}}'
      basic_security_disable_ssh_root_access: '{{:: ssh_root_access | negate ::}}'
      basic_security_use_mosh: '{{:: mosh_enabled ::}}'
      basic_security_autoupdate_enabled: '{{:: auto_updates_enabled ::}}'
      basic_security_enable_fail2ban: '{{:: fail2ban_enabled ::}}'
      basic_security_packages: '{{:: extra_packages ::}}'
```
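The Description above warns about two ways a badly chosen argument set locks the new admin out (no keys with password auth disabled, no password with passwordless sudo off), and the frecklet's `vars:` block shows how arguments are translated into role variables, with the `negate` filter turning the two ssh "enable" switches into the role's "disable" switches. The following pre-flight check is an added example (not code from freckles or the freckfrackery.basic-security role) that reproduces that mapping in plain Python and reports the lockout cases before anything is applied; the third check, that root login is also disabled so no fallback account remains, is an addition of this example, not something the page states.

```python
# Defaults from the Variables table on this page (None = argument not given).
DEFAULTS = {
    "admin_user": "admin", "admin_password": None, "admin_pub_keys": None,
    "passwordless_sudo": True, "ssh_password_auth": False, "ssh_root_access": False,
    "ufw_enabled": False, "ufw_open_tcp_ports": None, "ufw_open_udp_ports": None,
    "mosh_enabled": False, "auto_updates_enabled": False, "fail2ban_enabled": False,
    "extra_packages": None,
}

def to_role_vars(args):
    """Map frecklet args to basic_security_* role vars, as the frecklet's vars: block does."""
    a = {**DEFAULTS, **args}
    return {
        "basic_security_user_name": a["admin_user"],
        "basic_security_user_pw": a["admin_password"],
        "basic_security_enable_passwordless_sudo": a["passwordless_sudo"],
        "basic_security_user_public_keys": a["admin_pub_keys"],
        "basic_security_enable_ufw": a["ufw_enabled"],
        "basic_security_tcp_ports": a["ufw_open_tcp_ports"],
        "basic_security_udp_ports": a["ufw_open_udp_ports"],
        # "enable" arguments become "disable" role vars via the `negate` filter
        "basic_security_disable_ssh_password_auth": not a["ssh_password_auth"],
        "basic_security_disable_ssh_root_access": not a["ssh_root_access"],
        "basic_security_use_mosh": a["mosh_enabled"],
        "basic_security_autoupdate_enabled": a["auto_updates_enabled"],
        "basic_security_enable_fail2ban": a["fail2ban_enabled"],
        "basic_security_packages": a["extra_packages"],
    }

def lockout_risks(args):
    """Reasons (the two from the Description, plus the root fallback) why this set locks the admin out."""
    rv = to_role_vars(args)
    risks = []
    if rv["basic_security_disable_ssh_password_auth"] and not rv["basic_security_user_public_keys"]:
        risks.append("password auth disabled and no admin_pub_keys: admin cannot log in via ssh")
    if not rv["basic_security_user_pw"] and not rv["basic_security_enable_passwordless_sudo"]:
        risks.append("no admin_password and passwordless_sudo false: admin cannot sudo")
    if risks and rv["basic_security_disable_ssh_root_access"]:  # added check, not from the page
        risks.append("root ssh login is disabled as well, so there is no fallback account")
    return risks

# Constructed sample input: the vars from Example 1 on this page (hash and key elided as there).
EXAMPLE_VARS = {
    "admin_user": "admin", "admin_password": "$6$D86xex4X...",
    "admin_pub_keys": ["ssh-rsa AAAAB3NzaC1yc2... freckles@think"],
    "passwordless_sudo": True, "ssh_password_auth": False, "ssh_root_access": False,
    "ufw_enabled": True, "ufw_open_tcp_ports": [80, 443, 9100, 9090, 3000],
    "fail2ban_enabled": True, "auto_updates_enabled": True,
}
```

Running `lockout_risks(EXAMPLE_VARS)` returns an empty list, while `lockout_risks({"passwordless_sudo": False})` (everything else at its default) reports all three problems.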
```text
frecklecute initial-system-setup --help
Usage: frecklecute initial-system-setup [OPTIONS]

  This frecklet can be used to harden a freshly installed server. It sets up
  an admin user account with password-less sudo enabled, disables password-
  auth and root login for ssh, and also optionally enables automatic update
  and mosh as an ssh alternative.

  If no ``admin_password`` argument is provided, the created user won't be
  able do login via ssh via password auth, and they won't be able to do sudo
  if passwordless sudo is not enabled for the user.

Options:
  --admin-password PWD            The admin password.
  -k, --admin-pub-key ADMIN_PUB_KEYS
                                  A list of public ssh keys for the admin user.
  --admin-user ADMIN_USER         The name of the admin user.
  --auto-updates-enabled / --no-auto-updates-enabled
                                  Whether to enable automatic updates.
  -p, --extra-package EXTRA_PACKAGES
                                  A list of extra system packages to install.
  --fail2ban-enabled              Whether to install and enable fail2ban.
                                  [default: False]
  --mosh-enabled / --no-mosh-enabled
                                  Whether to install and configure mosh.
  --passwordless-sudo / --no-passwordless-sudo
                                  Whether to enable passwordless sudo for admin
                                  user.
  --ssh-password-auth             Whether to enable ssh password auth.
                                  [default: False]
  --ssh-root-access               Whether to enable ssh root access.
                                  [default: False]
  --ufw-enabled / --no-ufw-enabled
                                  Whether to install and enable the ufw firewall.
  -t, --ufw-open-tcp-port UFW_OPEN_TCP_PORTS
                                  A list of tcp ports to open (if ufw enabled).
  -u, --ufw-open-udp-port UFW_OPEN_UDP_PORTS
                                  A list of udp ports to open (if ufw enabled).
  --help                          Show this message and exit.
```
```python
# -*- coding: utf-8 -*-
#
# module path: pycklets.initial_system_setup.InitialSystemSetup
#
from dataclasses import dataclass
from pyckles import AutoPycklet
from typing import *  # noqa


@dataclass
class InitialSystemSetup(AutoPycklet):
    """This frecklet can be used to harden a freshly installed server.

    It sets up an admin user account with password-less sudo enabled, disables
    password-auth and root login for ssh, and also optionally enables automatic
    update and mosh as an ssh alternative.

    If no ``admin_password`` argument is provided, the created user won't be able
    to login via ssh via password auth, and they won't be able to do sudo if
    passwordless sudo is not enabled for the user.

    Args:
      admin_password: The admin password.
      admin_pub_keys: A list of public ssh keys for the admin user.
      admin_user: The name of the admin user.
      auto_updates_enabled: Whether to enable automatic updates.
      extra_packages: A list of extra system packages to install.
      fail2ban_enabled: Whether to install and enable fail2ban.
      mosh_enabled: Whether to install and configure mosh.
      passwordless_sudo: Whether to enable passwordless sudo for admin user.
      ssh_password_auth: Whether to enable ssh password auth.
      ssh_root_access: Whether to enable ssh root access.
      ufw_enabled: Whether to install and enable the ufw firewall.
      ufw_open_tcp_ports: A list of tcp ports to open (if ufw enabled).
      ufw_open_udp_ports: A list of udp ports to open (if ufw enabled).
    """

    FRECKLET_ID = "initial-system-setup"

    admin_password: str = None
    admin_pub_keys: List = None
    admin_user: str = None
    auto_updates_enabled: bool = None
    extra_packages: List = None
    fail2ban_enabled: str = None
    mosh_enabled: bool = None
    passwordless_sudo: bool = None
    ssh_password_auth: str = None
    ssh_root_access: str = None
    ufw_enabled: bool = None
    ufw_open_tcp_ports: List = None
    ufw_open_udp_ports: List = None

    def __post_init__(self):
        # register the frecklet's argument names with the AutoPycklet base class
        super(InitialSystemSetup, self).__init__(
            var_names=[
                "admin_password",
                "admin_pub_keys",
                "admin_user",
                "auto_updates_enabled",
                "extra_packages",
                "fail2ban_enabled",
                "mosh_enabled",
                "passwordless_sudo",
                "ssh_password_auth",
                "ssh_root_access",
                "ufw_enabled",
                "ufw_open_tcp_ports",
                "ufw_open_udp_ports",
            ]
        )


frecklet_class = InitialSystemSetup
```
```python
# -*- coding: utf-8 -*-
#
# module path: pycklets.initial_system_setup.InitialSystemSetup
#
from pyckles import AutoPycklet


class InitialSystemSetup(AutoPycklet):
    """This frecklet can be used to harden a freshly installed server.

    It sets up an admin user account with password-less sudo enabled, disables
    password-auth and root login for ssh, and also optionally enables automatic
    update and mosh as an ssh alternative.

    If no ``admin_password`` argument is provided, the created user won't be able
    to login via ssh via password auth, and they won't be able to do sudo if
    passwordless sudo is not enabled for the user.

    Args:
      admin_password: The admin password.
      admin_pub_keys: A list of public ssh keys for the admin user.
      admin_user: The name of the admin user.
      auto_updates_enabled: Whether to enable automatic updates.
      extra_packages: A list of extra system packages to install.
      fail2ban_enabled: Whether to install and enable fail2ban.
      mosh_enabled: Whether to install and configure mosh.
      passwordless_sudo: Whether to enable passwordless sudo for admin user.
      ssh_password_auth: Whether to enable ssh password auth.
      ssh_root_access: Whether to enable ssh root access.
      ufw_enabled: Whether to install and enable the ufw firewall.
      ufw_open_tcp_ports: A list of tcp ports to open (if ufw enabled).
      ufw_open_udp_ports: A list of udp ports to open (if ufw enabled).
    """

    FRECKLET_ID = "initial-system-setup"

    def __init__(
        self,
        admin_password=None,
        admin_pub_keys=None,
        admin_user="admin",
        auto_updates_enabled=None,
        extra_packages=None,
        fail2ban_enabled=None,
        mosh_enabled=None,
        passwordless_sudo=True,
        ssh_password_auth=None,
        ssh_root_access=None,
        ufw_enabled=None,
        ufw_open_tcp_ports=None,
        ufw_open_udp_ports=None,
    ):
        # register the frecklet's argument names with the AutoPycklet base class
        super(InitialSystemSetup, self).__init__(
            var_names=[
                "admin_password",
                "admin_pub_keys",
                "admin_user",
                "auto_updates_enabled",
                "extra_packages",
                "fail2ban_enabled",
                "mosh_enabled",
                "passwordless_sudo",
                "ssh_password_auth",
                "ssh_root_access",
                "ufw_enabled",
                "ufw_open_tcp_ports",
                "ufw_open_udp_ports",
            ]
        )
        self._admin_password = admin_password
        self._admin_pub_keys = admin_pub_keys
        self._admin_user = admin_user
        self._auto_updates_enabled = auto_updates_enabled
        self._extra_packages = extra_packages
        self._fail2ban_enabled = fail2ban_enabled
        self._mosh_enabled = mosh_enabled
        self._passwordless_sudo = passwordless_sudo
        self._ssh_password_auth = ssh_password_auth
        self._ssh_root_access = ssh_root_access
        self._ufw_enabled = ufw_enabled
        self._ufw_open_tcp_ports = ufw_open_tcp_ports
        self._ufw_open_udp_ports = ufw_open_udp_ports

    @property
    def admin_password(self):
        return self._admin_password

    @admin_password.setter
    def admin_password(self, admin_password):
        self._admin_password = admin_password

    @property
    def admin_pub_keys(self):
        return self._admin_pub_keys

    @admin_pub_keys.setter
    def admin_pub_keys(self, admin_pub_keys):
        self._admin_pub_keys = admin_pub_keys

    @property
    def admin_user(self):
        return self._admin_user

    @admin_user.setter
    def admin_user(self, admin_user):
        self._admin_user = admin_user

    @property
    def auto_updates_enabled(self):
        return self._auto_updates_enabled

    @auto_updates_enabled.setter
    def auto_updates_enabled(self, auto_updates_enabled):
        self._auto_updates_enabled = auto_updates_enabled

    @property
    def extra_packages(self):
        return self._extra_packages

    @extra_packages.setter
    def extra_packages(self, extra_packages):
        self._extra_packages = extra_packages

    @property
    def fail2ban_enabled(self):
        return self._fail2ban_enabled

    @fail2ban_enabled.setter
    def fail2ban_enabled(self, fail2ban_enabled):
        self._fail2ban_enabled = fail2ban_enabled

    @property
    def mosh_enabled(self):
        return self._mosh_enabled

    @mosh_enabled.setter
    def mosh_enabled(self, mosh_enabled):
        self._mosh_enabled = mosh_enabled

    @property
    def passwordless_sudo(self):
        return self._passwordless_sudo

    @passwordless_sudo.setter
    def passwordless_sudo(self, passwordless_sudo):
        self._passwordless_sudo = passwordless_sudo

    @property
    def ssh_password_auth(self):
        return self._ssh_password_auth

    @ssh_password_auth.setter
    def ssh_password_auth(self, ssh_password_auth):
        self._ssh_password_auth = ssh_password_auth

    @property
    def ssh_root_access(self):
        return self._ssh_root_access

    @ssh_root_access.setter
    def ssh_root_access(self, ssh_root_access):
        self._ssh_root_access = ssh_root_access

    @property
    def ufw_enabled(self):
        return self._ufw_enabled

    @ufw_enabled.setter
    def ufw_enabled(self, ufw_enabled):
        self._ufw_enabled = ufw_enabled

    @property
    def ufw_open_tcp_ports(self):
        return self._ufw_open_tcp_ports

    @ufw_open_tcp_ports.setter
    def ufw_open_tcp_ports(self, ufw_open_tcp_ports):
        self._ufw_open_tcp_ports = ufw_open_tcp_ports

    @property
    def ufw_open_udp_ports(self):
        return self._ufw_open_udp_ports

    @ufw_open_udp_ports.setter
    def ufw_open_udp_ports(self, ufw_open_udp_ports):
        self._ufw_open_udp_ports = ufw_open_udp_ports


frecklet_class = InitialSystemSetup
```