Getting started with Ansible for configuration management (Tutorial)

Ansible tutorial: Getting started with configuration management

In this Ansible tutorial for beginners, we’ll cover getting started with Ansible as a configuration management tool for setting up a bare CentOS, Debian, and Ubuntu server with more secure SSH settings and a few tools to make your life a little easier.

Our goals:

  1. Set up a non-root user
  2. Give the new user sudo access
  3. Disable password-based logins
  4. Disable root logins
  5. Use SSH keys for logins

Prerequisites for this Ansible configuration management tutorial

  • A newly-provisioned or rebuilt server running any of our OS options—CentOS, Debian, or Ubuntu.

8 Year Anniversary Sale—> 16GB RAM from $9.99/mo!

It’s been 8 years since we launched our all-SSD VPS cloud. To celebrate, we’re offering amazing deals on all of our most popular plans– like a 16GB RAM SSD VPS loaded with resources for as little as $9.99/month!

Get limited-time deals!⚡

Step 1: Install Ansible on your local machine

To get started using Ansible for configuration management, you first need to install it on your local machine. Ansible’s documenation gives installation instructions for a variety of platforms, including various *nix distributions and OS X.

Step 2: Edit the Ansible hosts file

To connect Ansible to your VPS, you need to specify its IP address within Ansible’s hosts file. On Linux and OS X machines, that can be found at /etc/ansible/hosts.

The beginning of the file should look like this:

# This is the default ansible 'hosts' file.
#
# It should live in /etc/ansible/hosts
#
#   - Comments begin with the '#' character
#   - Blank lines are ignored
#   - Groups of hosts are delimited by [header] elements
#   - You can enter hostnames or ip addresses
#   - A hostname/ip can be a member of multiple groups

# Ex 1: Ungrouped hosts, specify before any group headers.

## green.example.com
## blue.example.com
## 192.168.100.1
## 192.168.100.10

To enable your VPS, simply add the IP address anywhere in this file underneath an [ssdnodes] grouping.

There should be no other symbols—like the # comment—in the line.

[ssdnodes]
123.45.67.89

Now, test out your configuration by pinging your VPS. For now, you have to use -u root to ensure you’re trying to connect via the root account.

$ ansible all -m ping -u root

If it’s successful, you’ll see the following output:

123.45.67.89 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

Step 3: Getting started with Ansible playbooks

To get started using Ansible to manage server configurations, we need to create an Ansible playbook. A playbook is the core component of any Ansible configuration.

The playbook will define the tasks that need to be completed to configure your servers. The ability to create and run Playbooks is the key reason that it’s so powerful to use Ansible for configuration management.

The Ansible playbook is in the common .yaml language.

$ mkdir ansible && cd ansible
$ touch create_user.yaml
$ nano create_user.yaml

And here is a basic playbook example that accomplishes our goals.

Note: This playbook is meant to run on a bare CentOS 7 server. If you want to run this on an Ubuntu/Debian server, simply change the yum line to apt.

---
- hosts: ssdnodes
  remote_user: root

  vars_prompt:

    - name: "user_name"
      prompt: "Enter a name for the new user"
      private: no
      confirm: yes

    - name: "user_password"
      prompt: "Enter a password for the new user"
      private: yes
      encrypt: "sha512_crypt"
      confirm: yes
      salt_size: 7

  tasks:

    - name: Check to make sure we have a 'wheel' group
      group:
        name: wheel
        state: present

    - name: Install the 'sudo' package
      yum:
        name: sudo
        state: latest

    - name: Create the non-root user
      user:
        name: ""
        password: ""
        shell: "/bin/bash"
        groups: "wheel"

    - name: Add local public key for key-based SSH authentication
      authorized_key:
        user: ""
        key: "{{item}}"
      with_file:
        - ~/.ssh/id_rsa.pub

    - name: Restrict root SSH logins
      lineinfile:
        dest: /etc/ssh/sshd_config
        state: present
        regexp: '^#PermitRootLogin'
        line: 'PermitRootLogin no'

    - name: Restrict SSH logins to keys only
      lineinfile:
        dest: /etc/ssh/sshd_config
        state: present
        regexp: '^#PasswordAuthentication'
        line: 'PasswordAuthentication no'

    - name: Restart sshd
      systemd:
        state: restarted
        daemon_reload: yes
        name: sshd

Before we go into how you run this command, let’s walk through what some of these lines do in practice.

- hosts: ssdnodes
  remote_user: root

These two lines dictate which host group we’re going to work with—in this case, the ssdnodes group we created earlier—and specify that we’re using the root login (just this once) to complete our steps.

vars_prompt:

  - name: "user_name"
    prompt: "Enter a name for the new user"
    private: no
    confirm: yes

  - name: "user_password"
    prompt: "Enter a password for the new user"
    private: yes
    encrypt: "sha512_crypt"
    confirm: yes
    salt_size: 7

These two vars_prompt commands will ask for user input to define which username and password they would like to associate with the newly-created account.

Beyond this, each nested block of script that begins with - name: defines a new task that Ansible will complete in sequential order, once the previous task has completed successfully. Failed tasks will cause the entire playbook to stop running.

If you follow along with each of the tasks, you can see that we’re installing sudo, creating our new user, adding your SSH public key to the server, and putting some basic restrictions on sshd before restarting it.

Step 4: Run the Ansible playbook

Running this Ansible playbook is fairly straightforward. Here’s the command we’ll use:

ansible-playbook create_user.yaml --ask-pass

We need to include --ask-pass so that Ansible uses a password to log into the server rather than try to use an SSH key that isn’t there.

Once you run the command, you’ll be asked to enter the SSH password:. This is the root login for your server—that password can be found in your SSD Nodes dashboard.

Once you’ve entered the root password, you’ll be prompted to specify and confirm a username and password. Once that’s done, Ansible will get to work!

With any luck, Ansible runs smoothly, and you’ll see the following in your terminal:

 ____________
< PLAY RECAP >
 ------------
           ^__^
           (oo)_______
            (__)       )/
                ||----w |
                ||     ||

123.45.67.89               : ok=8    changed=6    unreachable=0    failed=0  

At this point, you’ll be able to log into your new user account using your SSH key.

More resources on Ansible for configuration management:

You’re now ready to get started using Ansible to manage the configuration of new servers with ease, and with an eye toward security.

For a deeper dive into getting started with Ansible, including in-depth explanations of all the components and terminology, check out our “Step by step guide to Ansible” tutorial.

To get more concrete playbook examples aimed toward maximizing security– to help you harden your SSH, fend off brute force attacks, and more– check out our 2-part series:

Ansible playbook for a more secure VPS (part 1)
A More Secure Ansible Playbook (Part 2)

And finally, for more information about how to use Ansible for automated server hardening, check out one these resources:

[cta text2=”You’re 90 seconds away from running Ansible on an SSD Nodes cloud server!” button=”Ansible all the things!”]

cheap_vps_16GB

cheap_vps_16gb