Ansible role for configuring a Fedora host following best-practices

selfhosting-lab/ansible-host
ansible-host

Description

Provide a well-configured Fedora system, suitable for production usage, via Ansible.

This is used as a base image for selfhosting-labs.

Dependencies


Quick start

If you want to spin up a quick environment in Vagrant, it is enough to run the following:

bundle install
bundle exec kitchen converge vagrant
bundle exec kitchen verify vagrant
bundle exec kitchen login vagrant

Alternatively, you can do the same using Docker instead:

bundle install
bundle exec kitchen converge docker
bundle exec kitchen verify docker
bundle exec kitchen login docker

Caveat for Docker users: The Docker environment is designed to simulate a virtual machine but does not have quite the same functionality. Certain features (those that need a real kernel, init system or swap) are not enabled when running in Docker.


Features


Configuration

Admins

A user group admin is created and granted sudo access via /etc/sudoers.d/admin.

To create administrator users you can simply add them to the admins variable like this:

admins:
  - name: <USER NAME>
    key: 'ssh-rsa <SSH PUBLIC KEY>'

By default, the users are granted passwordless sudo access. You can change this by setting admin_passwordless_sudo: false.
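The README names the group, the drop-in path and the passwordless default but does not show the sudoers rule itself. The following is an added example, not the role's own template: it renders the rule for both values of admin_passwordless_sudo and runs it through visudo before anything is written under /etc/sudoers.d, because a syntax error in a drop-in breaks sudo for every user. The exact line the role writes is an assumption.

```shell
#!/bin/sh
# Added example, not the role's own template. Renders the sudoers drop-in for
# the "admin" group (group name and /etc/sudoers.d/admin path from the README;
# the exact rule text is an assumption) and validates it with visudo.

SUDOERS_GROUP="admin"

# $1 = "true" for passwordless sudo (the role's default), anything else for
# sudo that prompts for the user's password. Prints the single sudoers rule.
render_admin_sudoers() {
    if [ "$1" = "true" ]; then
        printf '%%%s ALL=(ALL) NOPASSWD: ALL\n' "$SUDOERS_GROUP"
    else
        printf '%%%s ALL=(ALL) ALL\n' "$SUDOERS_GROUP"
    fi
}

# Check a candidate drop-in with visudo before it is installed. visudo -c also
# verifies ownership and mode, so run this as root for a clean result.
# Returns visudo's status, or 0 with a note when visudo is not installed.
check_sudoers_file() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$1"
    else
        echo "visudo not found; skipping syntax check" >&2
    fi
}

# Demo: render both variants into a temporary file and validate each.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    for mode in true false; do
        render_admin_sudoers "$mode" > "$tmp"
        chmod 0440 "$tmp"
        echo "admin_passwordless_sudo=$mode -> $(cat "$tmp")"
        if check_sudoers_file "$tmp"; then
            echo "  syntax OK"
        else
            echo "  visudo rejected the file (see messages above)"
        fi
    done
    rm -f "$tmp"
fi
```

Run with --demo on the host to see both rules and the visudo verdict; the functions themselves have no side effects and can be sourced from a pre-deployment check.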

Security updates

Automatic security updates are provided by dnf-automatic. You can review the status of the update timer by running systemctl status dnf-automatic.timer.

The job will first run 1 hour after booting, and then every 24 hours after that.
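Whether dnf-automatic actually installs security updates depends on two keys in /etc/dnf/automatic.conf, apply_updates and upgrade_type, and on the timer being enabled. The script below is an added example, not part of the role: it audits a config file for the policy the README describes (apply security updates unattended) and reports a config that only downloads updates as a failure. The sample configs in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the role: audit a dnf-automatic configuration
# against the README's policy (security updates applied unattended).
# Key names are those of /etc/dnf/automatic.conf; sample values are constructed.

# Print the last value of key $2 in the INI-style file $1 (later entries win).
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | tail -n1
}

# Returns 0 only if $1 installs updates (apply_updates = yes) and limits them
# to security advisories (upgrade_type = security). Prints each shortfall.
dnf_automatic_check() {
    conf="$1"
    rc=0
    if [ "$(ini_value "$conf" apply_updates)" != "yes" ]; then
        echo "$conf: apply_updates is not 'yes': updates are at most downloaded, never installed"
        rc=1
    fi
    if [ "$(ini_value "$conf" upgrade_type)" != "security" ]; then
        echo "$conf: upgrade_type is not 'security': every available update would be applied"
        rc=1
    fi
    return $rc
}

# Live check of the timer the README points at; meaningful only on a systemd host.
dnf_automatic_timer_ok() {
    systemctl is-enabled dnf-automatic.timer >/dev/null 2>&1 &&
        systemctl is-active dnf-automatic.timer >/dev/null 2>&1
}

# Demo: a hardened config next to a weak one (constructed sample files).
if [ "${1:-}" = "--demo" ]; then
    good=$(mktemp); bad=$(mktemp)
    printf '[commands]\nupgrade_type = security\nrandom_sleep = 300\ndownload_updates = yes\napply_updates = yes\n' > "$good"
    printf '[commands]\nupgrade_type = default\ndownload_updates = yes\napply_updates = no\n' > "$bad"
    for f in "$good" "$bad"; do
        if dnf_automatic_check "$f"; then echo "$f: OK"; fi
    done
    rm -f "$good" "$bad"
    if dnf_automatic_timer_ok; then
        echo "dnf-automatic.timer is enabled and active"
    else
        echo "dnf-automatic.timer is not enabled and active (or no systemd here)"
    fi
fi
```

Point dnf_automatic_check at the real /etc/dnf/automatic.conf on a host built by this role to confirm the stated policy survived any local edits; the weak sample shows the common misconfiguration where updates are downloaded but never applied.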

DNS configuration

By default, DNS is configured automatically by Network Manager based on DHCP settings.

This role offers optional configuration of DNS to instead use Cloudflare and Google providers.

These providers offer fast, highly available public DNS resolution, but you can configure a different set if you have privacy concerns or want to use your own nameservers.

You can also set a search domain, which allows you to resolve non-FQDN hostnames in DNS. This defaults to simply using the host's currently configured domain.

nameservers:
  - 1.1.1.1
  - 8.8.8.8
  - 8.8.4.4

search_domains:
  - selfhosting-lab.com

To enable this feature simply set enable_custom_dns: True.

Swapfile

A swapfile is created at /var/cache/swap to provide additional swap space. Although hosts should be sized appropriately for their workload, it can be good to have a temporary resource that memory can be swapped to.

By default this is sized the same as your memory by looking up the ansible_memory_mb.real.total variable. You can set the size to something else by setting swapfile_size to an amount in MiB.

Using swap is enabled by default but can be turned off by setting enable_swap: False.

You can also adjust the swappiness of the system by setting swappiness to a value between 0 and 100. The default swappiness is 10 which provides good performance, only using swap when necessary.

NTP configuration

NTP is provided using the chronyd daemon and should be something you never have to manage. By default it synchronises time from the public pool.ntp.org pool, which should automatically find the best time server for the host. If for some reason you want to set this manually you can set ntp_pool: pool.ntp.org.

You can also optionally set your preferred timezone using the appropriate tz database name by setting timezone: Europe/London or similar. You may not want to do this if you'd prefer your host to keep the local timezone that was configured at installation time.

Tuning

A few opinionated system tweaks are applied to optimise performance. These are applied using the Tuned project (https://tuned-project.org) profile atomic-guest.

If, for your specific hardware configuration, you'd like to use an alternative profile you can set tuned_profile.

Additional utilities

A few additional utilities are installed for your convenience, primarily for troubleshooting and system visibility.

List of tools installed:

  • Bash Completion - Programmable completion for the Bash shell.
  • Bind Utils - Collection of utilities for querying DNS.
  • cURL - Command-line tool for transferring data with URLs.
  • Git - The distributed revision control system.
  • htop - Better version of top.
  • htpasswd - Tool to create and update usernames and passwords for basic authentication.
  • iotop - top-like utility for disk I/O.
  • Iperf - Measurement tool for TCP/UDP bandwidth performance.
  • jq - Command-line JSON processor.
  • kexec - Utility to quickly load new kernels.
  • lsof - Utility to list open files.
  • Ncat - Bidirectional data relay for TCP connections.
  • NFS Utils - NFS utilities and supporting clients and daemons.
  • Perf - Tool for performance monitoring of the Linux kernel.
  • PV (Pipe Viewer) - Nifty tool for monitoring the progress of data through a pipe.
  • realmd - Used to interact with and join LDAP realms.
  • Socat - Bidirectional data relay for Unix sockets.
  • Stress-ng - Stress testing tool.
  • Tcpdump - Network traffic monitoring tool and packet analyser.
  • Tmux - Terminal multiplexer that supports multiple logins on one terminal.
  • Vim - Powerful text editor.
  • Wget - Tool for retrieving files using HTTP or FTP.

Custom tools

For quality of life, a few custom tools have been added which are installed by default.

shl-reboot

shl-reboot allows you to quickly reboot a system when a new kernel is available, minimising the downtime on the system. It works using kexec to swap the kernel out while the system is still running, meaning the POST and BIOS stages of the boot process are skipped. On enterprise-grade hardware this can sometimes save minutes due to extensive POST checks.

If there is no new kernel, the tool will simply exit with exit status 1. If a new kernel is installed but not currently active, the tool will inform you.

You can then reboot the system by running shl-reboot apply. After sleeping for 3 seconds, the system will reboot.
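The decision shl-reboot makes is "is the newest installed kernel newer than the running one?". The following is an added example, not the role's shl-reboot script: it isolates that comparison in functions that work on plain version strings (so it can be tested with constructed input) and, in --live mode, feeds them the real values from uname -r and rpm. The rpm package name kernel-core and the /boot file names are Fedora conventions; the --apply branch reproduces the documented kexec-based reboot and is an assumption about how the tool does it.

```shell
#!/bin/sh
# Added example, not the role's own shl-reboot. Exit status follows the README:
# 1 when no newer kernel is installed, 0 (with the version printed) when one is.

# Print the highest version from a newline-separated list of kernel versions.
newest_kernel() {
    printf '%s\n' "$1" | sed '/^$/d' | sort -V | tail -n1
}

# $1 = running kernel (uname -r style), $2 = newline-separated installed versions.
# Prints the pending version and returns 0 if a newer kernel is installed,
# returns 1 when the running kernel is already the newest.
kernel_update_pending() {
    running="$1"
    newest=$(newest_kernel "$2")
    [ -n "$newest" ] || return 1
    # If the running version sorts at or above the newest installed one, nothing to do.
    top=$(printf '%s\n%s\n' "$running" "$newest" | sort -V | tail -n1)
    if [ "$top" = "$running" ]; then
        return 1
    fi
    printf '%s\n' "$newest"
    return 0
}

# Live values on a Fedora host (assumed conventions: kernel-core package,
# /boot/vmlinuz-<ver> and /boot/initramfs-<ver>.img).
installed_kernels() {
    rpm -q --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n' kernel-core
}

case "${1:-}" in
    --live)
        if ver=$(kernel_update_pending "$(uname -r)" "$(installed_kernels)"); then
            echo "new kernel $ver installed but not active; run with --apply to kexec into it"
        else
            echo "running kernel $(uname -r) is the newest installed"
            exit 1
        fi
        ;;
    --apply)
        ver=$(kernel_update_pending "$(uname -r)" "$(installed_kernels)") || exit 1
        echo "loading kernel $ver via kexec; rebooting in 3 seconds"
        kexec -l "/boot/vmlinuz-$ver" --initrd="/boot/initramfs-$ver.img" --reuse-cmdline
        sleep 3
        systemctl kexec
        ;;
esac
```

sort -V gives the same ordering rpm uses for these version strings in the common case; the constructed test values below exercise the two documented outcomes (newer kernel pending, already running the newest).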

shl-reload

shl-reload allows you to restart currently running services which have updates available, minimising the frequency of reboots required to pick up software updates. It looks at which systemd units are associated with updated software and restarts those units, including systemd itself. In theory this reduces the need to reboot your system to kernel updates only, meaning security updates can be applied more frequently.

You can choose to run the tasks required to reload the system by running shl-reload apply.

Restarting services can be disruptive (restarting active user sessions, for example, will kick out currently logged-in users), but the impact is limited to only those services which need updating. It should be treated as a situational alternative to reboots: it cannot guarantee that there will be no impact to services which you rely on, and therefore cannot provide a zero-downtime update process.


Privacy

Using this repository will modify your target machine to perform certain outbound connections, which may be of concern to more privacy-focused users. In the interest of transparency we'd like to make users fully aware of all endpoints we have added, as you may wish to change these in your own implementation.

All necessary packages are installed using the predefined repositories on the target system, which are assumed to be the official Fedora repositories unless you modify your repolist to use private repositories.

By default NTP and DNS use publicly available endpoints, which you can read more about above in the NTP Configuration and DNS Configuration documentation respectively.

During testing, github.com is looked up via DNS in order to test the DNS configuration.
