initial-system-setup

Example:

# Basic initial server setup, incl. creating admin user, setting up firewall, etc.
- initial-system-setup:
    admin_user: admin
    admin_password: $6$D86xex4X...
    admin_pub_keys:
    - ssh-rsa AAAAB3NzaC1yc2... freckles@think
    - ssh-rsa AAAAB3NzaC1yc2... other_user@whatever
    passwordless_sudo: true
    ssh_password_auth: false
    ssh_root_access: false
    ufw_enabled: true
    ufw_open_tcp_ports:
    - 80
    - 443
    - 9100
    - 9090
    - 3000
    fail2ban_enabled: true
    auto_updates_enabled: true

Description

This frecklet can be used to harden a freshly installed server. It sets up an admin user account with password-less sudo enabled, disables password auth and root login for ssh, and optionally enables automatic updates and mosh as an ssh alternative.

If no admin_password argument is provided, the created user won't be able to log in via ssh using password auth, and they won't be able to use sudo if passwordless sudo is not enabled for the user.

Variables

| Name | Type | Default | Description |
|------|------|---------|-------------|
| admin_password | string | -- | This sets the admin password in plain text. The user input will be sha512-hashed before being forwarded to the connector. If not provided, the user won't be able to log in via password auth, and can't use sudo if passwordless sudo is not configured. |
| admin_pub_keys | list | -- | A list of public ssh keys for the admin user. |
| admin_user | string | admin | The name of the admin user. |
| auto_updates_enabled | boolean | False | Whether to enable automatic updates. |
| extra_packages | list | -- | A list of extra system packages to install. |
| fail2ban_enabled | n/a | False | Whether to install and enable fail2ban. |
| mosh_enabled | boolean | False | Whether to install and configure mosh. |
| passwordless_sudo | boolean | True | Whether to enable passwordless sudo for the admin user. |
| ssh_password_auth | n/a | False | Whether to enable ssh password auth. |
| ssh_root_access | n/a | False | Whether to enable ssh root access. |
| ufw_enabled | boolean | False | Whether to install and enable the ufw firewall. |
| ufw_open_tcp_ports | list | -- | A list of tcp ports to open (if ufw enabled). |
| ufw_open_udp_ports | list | -- | A list of udp ports to open (if ufw enabled). |
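The lockout caveat from the description, checked before a run: an added example (not part of freckles or this frecklet) that applies the defaults from the variables table to one variable block and reports combinations that leave the admin user unable to log in or to sudo, plus port lists that ufw will never apply. The sample variable blocks are constructed here; in practice the block would come from the parsed frecklet YAML.

```python
# Added pre-flight check for an initial-system-setup variable block; not part of
# freckles. DEFAULTS is copied from the variables table on this page.
DEFAULTS = {
    "admin_user": "admin", "admin_password": None, "admin_pub_keys": [],
    "passwordless_sudo": True, "ssh_password_auth": False, "ssh_root_access": False,
    "ufw_enabled": False, "ufw_open_tcp_ports": [], "ufw_open_udp_ports": [],
}


def check_setup(vars_block):
    """Return (severity, message) findings for one frecklet variable block."""
    cfg = {**DEFAULTS, **vars_block}
    user = cfg["admin_user"]
    has_keys = bool(cfg["admin_pub_keys"])
    has_pw = bool(cfg["admin_password"])
    findings = []
    # An ssh login path exists if keys are set, or password auth is on and a
    # password was supplied (the description's lockout caveat).
    ssh_ok = has_keys or (cfg["ssh_password_auth"] and has_pw)
    if not ssh_ok:
        findings.append(("error", f"{user} cannot log in via ssh: no admin_pub_keys and no usable password"))
    if not ssh_ok and not cfg["ssh_root_access"]:
        findings.append(("error", "no ssh access remains after the run: root login is disabled too"))
    # sudo needs either NOPASSWD or a password to type at the prompt.
    if not cfg["passwordless_sudo"] and not has_pw:
        findings.append(("error", f"{user} cannot sudo: passwordless_sudo is false and admin_password is unset"))
    if cfg["ssh_password_auth"]:
        findings.append(("warning", "ssh_password_auth is true; key-only auth is the safer default"))
    # Port lists are only applied when ufw is enabled; validate the ranges anyway.
    for proto in ("tcp", "udp"):
        ports = cfg[f"ufw_open_{proto}_ports"]
        bad = [p for p in ports if not (type(p) is int and 1 <= p <= 65535)]
        if bad:
            findings.append(("error", f"invalid {proto} port(s): {bad}"))
        if ports and not cfg["ufw_enabled"]:
            findings.append(("warning", f"ufw_open_{proto}_ports is set but ufw_enabled is false; ignored"))
    return findings


# Constructed samples: the page's example (passes) and a block that locks you out.
PAGE_EXAMPLE = {"admin_user": "admin", "admin_password": "$6$D86xex4X...",
                "admin_pub_keys": ["ssh-rsa AAAAB3NzaC1yc2... freckles@think"],
                "ufw_enabled": True, "ufw_open_tcp_ports": [80, 443, 9100, 9090, 3000],
                "fail2ban_enabled": True, "auto_updates_enabled": True}
LOCKOUT = {"admin_user": "ops", "passwordless_sudo": False}

if __name__ == "__main__":
    for name, block in (("page example", PAGE_EXAMPLE), ("lockout", LOCKOUT)):
        print(name, check_setup(block) or "ok")
```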

Examples

Example 1

Basic initial server setup, incl. creating admin user, setting up firewall, etc.

Code
- initial-system-setup:
    admin_user: admin
    admin_password: $6$D86xex4X...
    admin_pub_keys:
    - ssh-rsa AAAAB3NzaC1yc2... freckles@think
    - ssh-rsa AAAAB3NzaC1yc2... other_user@whatever
    passwordless_sudo: true
    ssh_password_auth: false
    ssh_root_access: false
    ufw_enabled: true
    ufw_open_tcp_ports:
    - 80
    - 443
    - 9100
    - 9090
    - 3000
    fail2ban_enabled: true
    auto_updates_enabled: true

Description

Common server setup, incl. open firewall ports for a webserver and Prometheus monitoring.

Command-line

frecklecute initial-system-setup --help

Usage: frecklecute initial-system-setup [OPTIONS]

  This frecklet can be used to harden a freshly installed server. It sets up
  an admin user account with password-less sudo enabled, disables password-
  auth and root login for ssh, and also optionally enables automatic update
  and mosh as an ssh alternative.

  If no ``admin_password`` argument is provided, the created user won't be
  able do login via ssh via password auth, and they won't be able to do sudo
  if passwordless sudo is not enabled for the user.

Options:
  --admin-password PWD            The admin password.
  --admin-pub-keys ADMIN_PUB_KEYS
                                  A list of public ssh keys for the admin
                                  user.
  --admin-user ADMIN_USER         The name of the admin user.  [default:
                                  admin]
  --auto-updates-enabled / --no-auto-updates-enabled
                                  Whether to enable automatic updates.
  --extra-packages EXTRA_PACKAGES
                                  A list of extra system packages to install.
  --fail2ban-enabled              Whether to install and enable fail2ban.
                                  [default: False]
  --mosh-enabled / --no-mosh-enabled
                                  Whether to install and configure mosh.
  --passwordless-sudo / --no-passwordless-sudo
                                  Whether to enable passwordless sudo for
                                  admin user.
  --ssh-password-auth             Whether to enable ssh password auth.
                                  [default: False]
  --ssh-root-access               Whether to enable ssh root access.
                                  [default: False]
  --ufw-enabled / --no-ufw-enabled
                                  Whether to install and enable the ufw
                                  firewall.
  --ufw-open-tcp-ports UFW_OPEN_TCP_PORTS
                                  A list of tcp ports to open (if ufw
                                  enabled).
  --ufw-open-udp-ports UFW_OPEN_UDP_PORTS
                                  A list of udp ports to open (if ufw
                                  enabled).
  --help                          Show this message and exit.