An Ansible playbook which runs a series of configuration steps to increase the security and usability of a new Centos 7 server, in order to provide a solid foundation for subsequent actions.
It borrows heavily from the work of: Bryan Kennedy, Ryan Eschinger,
It will perform the following:
- Create a new "super user" with root privileges and public key authentication
- Implement several SSH hardening techniques
- Configure a basic and rich firewall
- Configure the timezone and enable time synchronization
- Modify the hostname and hosts file
- Enable unattended upgrades
- Install Fail2Ban
Optional extras:
- Install New Relic Server monitoring
- Install customised shell with Zsh and oh-my-zsh
- Ansible installed locally on your machine
- Root SSH access to a new Centos 7 VPS
Clone the repo
$ git clone https://github.com/Adsizzlerlabs/initial-server-setup-centos-7.git
Modify the variables in vars/main.yml according to your needs:
user: the username for your new "super user"
password: a hashed sudo password
public_key: the local path to your public SSH key
fqdn: your chosen FQDN
hostname: your chosen hostname
timezone: the most appropriate timezone for your server
ssh_port: your chosen SSH port
enable_newrelic: change to no to disable installation of New Relic Server monitor, which requires a New Relic license key
newrelic_license_key: your New Relic license key
enable_custom_shell: change to no to disable installation of customised shell with Zsh and oh-my-zsh
A Vagrantfile is provided which allows the playbook to be tested locally.
You will need Vagrant and Virtualbox installed, and you should uncomment the following lines in ansible.cfg to makes things work nicely.
# private_key_file = ~/.vagrant.d/insecure_private_key
# host_key_checking = False
Then run $ vagrant up to generate your virtual machine.
And then run the playbook:
$ ansible-playbook test_server_setup.yml
Add your server's IP address to the hosts file
[production]
# e.g 192.168.1.1
# or host.example.com
Then run the playbook:
$ ansible-playbook initial_server_setup.yml --ask-pass
This repository inspired by https://github.com/lukeharvey/ansible-initial-server-setup