Configuring Ubuntu with Ansible
Running the playbooks
```shell
ansible-playbook unattended-upgrades.yml -i hosts
ansible-playbook install-ubuntu-packages.yml -i hosts
ansible-playbook ufw.yml -i hosts
```
Inventory file "hosts"
Define the init group used for the initial setup.
- ansible_user / ansible_password are the login user and password of the target Ubuntu host
- ansible_become_password is the password used for sudo
```ini
[ubuntu]
target

[ubuntu:vars]
ansible_python_interpreter=/usr/bin/python3
ansible_port=※カスタマイズしたポート※
ansible_user=※ansible用ユーザ名※
ansible_ssh_private_key_file=~/.ssh/id_rsa
```
Playbook "unattended-upgrades.yml"
Configure unattended-upgrades, which installs security and recommended updates automatically.
```yaml
---
- hosts: ubuntu
  vars:
  gather_facts: no
  become: true

  tasks:
    - name: Configure debconf
      debconf: name=unattended-upgrades question=unattended-upgrades/enable_auto_updates vtype=boolean value='true'

    - name: Install unattended-upgrades
      apt: name=unattended-upgrades

    - name: Configure unattended-upgrades
      command:
        cmd: dpkg-reconfigure -f noninteractive unattended-upgrades
        creates: /etc/apt/apt.conf.d/20auto-upgrades

    - name: Enable periodic for download and clean
      lineinfile:
        dest: /etc/apt/apt.conf.d/20auto-upgrades
        line: "{{ item }}"
      with_items:
        - 'APT::Periodic::Download-Upgradeable-Packages "1";'
        - 'APT::Periodic::AutocleanInterval "7";'

    - name: Enable upgrade recommend updates
      lineinfile:
        dest: /etc/apt/apt.conf.d/50unattended-upgrades
        regexp: '^//\t+\"\${distro_id}\:\${distro_codename}-updates\";'
        line: "\t\"${distro_id}:${distro_codename}-updates\";"

    - name: Enable automatic reboot
      lineinfile:
        dest: /etc/apt/apt.conf.d/50unattended-upgrades
        regexp: '^//Unattended-Upgrade::Automatic-Reboot \"false\";'
        line: "Unattended-Upgrade::Automatic-Reboot \"true\";"

    - name: Set automatic reboot time
      lineinfile:
        dest: /etc/apt/apt.conf.d/50unattended-upgrades
        regexp: '^//Unattended-Upgrade::Automatic-Reboot-Time \"02:00\";'
        line: "Unattended-Upgrade::Automatic-Reboot-Time \"04:00\";"

    - name: Enable remove unused kernel packages
      lineinfile:
        dest: /etc/apt/apt.conf.d/50unattended-upgrades
        regexp: '^//Unattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";'
        line: "Unattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";"

    - name: Enable remove unused dependencies
      lineinfile:
        dest: /etc/apt/apt.conf.d/50unattended-upgrades
        regexp: '^//Unattended-Upgrade::Remove-Unused-Dependencies \"false\";'
        line: "Unattended-Upgrade::Remove-Unused-Dependencies \"true\";"

    - name: Reboot the machine (Wait for 5 min)
      reboot:
        reboot_timeout: 300
```
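The five lineinfile tasks that edit 50unattended-upgrades only do the right thing when each regexp matches the stock file exactly; if a regexp does not match, lineinfile appends the line at the end of the file, which for the Allowed-Origins entry means it lands outside the `{ }` block and never enables `-updates`. The following script is an added example, not code from the original post: it applies the playbook's regexp/line pairs to a constructed, abbreviated copy of the stock file, emulating lineinfile's documented state=present behaviour (replace the last matching line, otherwise append at EOF), then reads the result back with a small parser written here for the apt.conf subset this file uses (it is not apt's own parser). The second sample, indented with spaces instead of a tab, is constructed to show the non-matching case.

```python
import re

# Constructed, abbreviated sample of the stock 50unattended-upgrades: the
# settings the playbook touches, in their default commented-out form.
STOCK = """\
Unattended-Upgrade::Allowed-Origins {
\t"${distro_id}:${distro_codename}";
\t"${distro_id}:${distro_codename}-security";
//\t"${distro_id}:${distro_codename}-updates";
//\t"${distro_id}:${distro_codename}-proposed";
};
//Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
//Unattended-Upgrade::Remove-Unused-Dependencies "false";
//Unattended-Upgrade::Automatic-Reboot "false";
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
"""

# Constructed variant: the -updates line is indented with spaces, so the
# playbook's '\t+' regexp will not match it.
STOCK_SPACES = STOCK.replace('//\t"${distro_id}:${distro_codename}-updates";',
                             '//  "${distro_id}:${distro_codename}-updates";')

# (regexp, line) pairs from the playbook as Python receives them: YAML single
# quotes keep the backslashes (\" \: \$ are escaped literals for re), and the
# double-quoted YAML line has already turned \t into a real tab.
EDITS = [
    (r'^//\t+\"\${distro_id}\:\${distro_codename}-updates\";',
     '\t"${distro_id}:${distro_codename}-updates";'),
    (r'^//Unattended-Upgrade::Automatic-Reboot \"false\";',
     'Unattended-Upgrade::Automatic-Reboot "true";'),
    (r'^//Unattended-Upgrade::Automatic-Reboot-Time \"02:00\";',
     'Unattended-Upgrade::Automatic-Reboot-Time "04:00";'),
    (r'^//Unattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";',
     'Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";'),
    (r'^//Unattended-Upgrade::Remove-Unused-Dependencies \"false\";',
     'Unattended-Upgrade::Remove-Unused-Dependencies "true";'),
]


def lineinfile(text, regexp, line):
    """Emulate lineinfile state=present: replace the last line that regexp
    matches; if nothing matches, append line at EOF (the default insertafter)."""
    lines = text.splitlines()
    pattern = re.compile(regexp)
    hits = [i for i, current in enumerate(lines) if pattern.search(current)]
    if hits:
        lines[hits[-1]] = line
    else:
        lines.append(line)
    return "\n".join(lines) + "\n"


def apply_playbook_edits(text):
    """Run the playbook's lineinfile tasks, in order, against text."""
    for regexp, line in EDITS:
        text = lineinfile(text, regexp, line)
    return text


def parse_apt_conf(text):
    """Read back 'Name "value";' scalars and 'Name { "a"; "b"; };' lists.
    Quoted values found outside any block are collected under 'stray', which
    is where a line appended at EOF instead of inside Allowed-Origins ends up."""
    scalars, lists, stray, block = {}, {}, [], None
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s.startswith("//"):
            continue
        if block is not None:
            if s.startswith("}"):
                block = None
            elif (m := re.fullmatch(r'"([^"]*)";', s)):
                lists[block].append(m.group(1))
            continue
        if (m := re.fullmatch(r'(\S+)\s*\{', s)):
            block = m.group(1)
            lists[block] = []
        elif (m := re.fullmatch(r'(\S+)\s+"([^"]*)";', s)):
            scalars[m.group(1)] = m.group(2)
        elif (m := re.fullmatch(r'"([^"]*)";', s)):
            stray.append(m.group(1))
    return {"scalars": scalars, "lists": lists, "stray": stray}


def audit(text):
    """Apply the playbook's edits to text and report the resulting settings."""
    return parse_apt_conf(apply_playbook_edits(text))


if __name__ == "__main__":
    for label, sample in (("stock file", STOCK), ("space-indented variant", STOCK_SPACES)):
        result = audit(sample)
        print(label)
        print("  scalars:", result["scalars"])
        print("  Allowed-Origins:", result["lists"]["Unattended-Upgrade::Allowed-Origins"])
        print("  stray lines:", result["stray"])
```

Against the stock layout every setting ends up where the playbook intends; against the space-indented variant the `-updates` entry is reported as a stray line after the last block, which is the symptom to look for on a host where the stock file differs from the one the regexps were written for.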
Playbook "install-ubuntu-packages.yml"
Install additional packages.
```yaml
---
- hosts: ubuntu
  vars:
  gather_facts: no
  become: true

  tasks:
    - name: Install net-tools
      apt:
        update_cache: yes
        name:
          - net-tools

    - name: Install curl
      apt:
        update_cache: yes
        name:
          - curl

    - name: Install tree
      apt:
        update_cache: yes
        name:
          - tree

    - name: Install htop
      apt:
        update_cache: yes
        name:
          - htop
```
Playbook "ufw.yml"
Enable the firewall.
With a default DENY policy, allow only the SSH port, which has been changed from the default.
```yaml
---
- hosts: ubuntu
  vars:
    - sshd_port: "{{ lookup('env', 'SSHD_PORT') }}"
  gather_facts: no
  become: true

  tasks:
    - name: Deny all access from any
      ufw:
        default: deny
        direction: incoming

    - name: Allow all access to port {{ sshd_port }} (SSH)
      ufw:
        rule: allow
        proto: tcp
        port: "{{ sshd_port }}"

    - name: Enable firewall
      ufw:
        state: enabled
```
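This playbook takes the SSH port from the SSHD_PORT environment variable on the control node, while Ansible itself reaches the host on the ansible_port set in the inventory file "hosts" shown earlier. If the two disagree, or SSHD_PORT is unset so that `lookup('env', 'SSHD_PORT')` yields an empty string, the default-deny policy takes effect at `state: enabled` without an allow rule for the port Ansible is using. The following pre-flight check is an added example, not code from the original post: it reads the `[ubuntu:vars]` section of an INI inventory and compares ansible_port with SSHD_PORT before ufw.yml is run. The inventory text, port 2222 and user name are constructed sample values in the same layout as the post's hosts file.

```python
import configparser
import os

# Constructed sample inventory in the layout of the post's "hosts" file
# (2222 and "deploy" are made-up values standing in for the placeholders).
SAMPLE_INVENTORY = """\
[ubuntu]
target

[ubuntu:vars]
ansible_python_interpreter=/usr/bin/python3
ansible_port=2222
ansible_user=deploy
ansible_ssh_private_key_file=~/.ssh/id_rsa
"""


def inventory_group_vars(text, group="ubuntu"):
    """Return the [group:vars] section of an INI inventory as a dict.
    allow_no_value lets bare host lines such as 'target' parse, and
    interpolation is disabled so a '%' in a value is left untouched."""
    parser = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    parser.read_string(text)
    section = f"{group}:vars"
    return dict(parser[section]) if parser.has_section(section) else {}


def preflight(inventory_text, sshd_port):
    """Return a list of problems that would make ufw.yml lock Ansible out.
    An empty list means the allow rule will cover the port Ansible uses."""
    problems = []
    # Ansible connects on port 22 unless the inventory overrides it.
    ansible_port = inventory_group_vars(inventory_text).get("ansible_port", "22").strip()
    if not sshd_port:
        problems.append("SSHD_PORT is unset: lookup('env') yields '' and the allow rule has no port")
        return problems
    sshd_port = sshd_port.strip()
    if not sshd_port.isdigit() or not 1 <= int(sshd_port) <= 65535:
        problems.append(f"SSHD_PORT={sshd_port!r} is not a valid TCP port")
        return problems
    if sshd_port != ansible_port:
        problems.append(
            f"SSHD_PORT={sshd_port} but the inventory connects on ansible_port={ansible_port}; "
            "enabling default-deny would cut off the Ansible session")
    return problems


if __name__ == "__main__":
    # Run with the real environment, e.g. SSHD_PORT=2222 python3 preflight.py
    issues = preflight(SAMPLE_INVENTORY, os.environ.get("SSHD_PORT"))
    if issues:
        for issue in issues:
            print("NOT SAFE:", issue)
    else:
        print("OK: SSHD_PORT matches the inventory's ansible_port")
```

Run it with the same SSHD_PORT value you intend to export for ansible-playbook; anything other than "OK" means the firewall run should be postponed until the inventory and the variable agree.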