How to Use Ansible to Automate Initial Server Setup on Ubuntu 22.04

Server automation now plays an essential role in systems administration, due to the disposable nature of modern application environments. Configuration management tools such as Ansible are typically used to streamline the process of automating server setup by establishing standard procedures for new servers while also reducing human error associated with manual setups.

Ansible offers a simple architecture that doesn’t require special software to be installed on nodes. It also provides a robust set of features and built-in modules which facilitate writing automation scripts.

This guide explains how to use Ansible to automate the steps contained in our Initial Server Setup Guide for Ubuntu 22.04 servers.

In order to execute the automated setup provided by the playbook in this guide, you’ll need:

• One Ansible control node: an Ubuntu 22.04 machine with Ansible installed and configured to connect to your Ansible hosts using SSH keys. Make sure the control node has a regular user with sudo permissions and a firewall enabled, as explained in our Initial Server Setup guide. To set up Ansible, please follow our guide on How to Install and Configure Ansible on Ubuntu 22.04.
• One remote server with a clean install of Ubuntu 22.04: no prior setup is required on this server, but you must have SSH access to this server from the Ansible control node mentioned above. This server will become an Ansible host remote server, which is targeted for automated provisioning by the Ansible control node.

This Ansible playbook provides an alternative to manually running through the procedure outlined in the Ubuntu 22.04 initial server setup guide and the guide on setting up SSH keys on Ubuntu 22.04 every time you boot up a server. Set up your playbook once, and use it for every server after.

Running this playbook will perform the following actions on your Ansible hosts:

1. Install aptitude, which is preferred by Ansible as an alternative to the apt package manager.

2. Create a new sudo user and set up passwordless sudo.

3. Copy a local SSH public key and include it in the authorized_keys file for the new administrative user on the remote host.

4. Disable password-based authentication for the root user.

5. Install system packages.

6. Configure the UFW firewall to only allow SSH connections and deny any other requests.

Once the playbook has finished running, you’ll have a new user which you can use to log in to the server.

To begin, log into a sudo enabled user on your Ansible control node server.

On your Ansible control node server, add your Ansible host remote server’s IP to your Ansible inventory file. Using your preferred text editor:

sudo nano /etc/ansible/hosts

This will open your Ansible inventory file. Add your Ansible host remote server’s IP to the [servers] block:

[servers]
server1 ansible_host=your_remote_server_ip

. . .

Now you’ll test and authenticate your SSH connection between this Ansible control node and your Ansible host remote server:

ssh root@your_remote_server_ip

Accept the authentication request, and enter your password if prompted. Once you’ve verified the SSH connection, hit CTRL+D to close the connection and return to your control node.

The playbook.yml file is where all your tasks are defined. A task is the smallest unit of action you can automate using an Ansible playbook. But first, create your playbook file using your preferred text editor:

nano playbook.yml

This will open an empty YAML file. Before diving into adding tasks to your playbook, start by adding the following:

---
- hosts: all
  become: true
  vars:
    created_username: sammy

Feel free to replace the username with one of your choosing.

Almost every playbook you come across will begin with declarations similar to this. hosts declares which servers the Ansible control node will target with this playbook. become states whether all commands will be done with escalated root privileges.

vars allows you to store data in variables. If you decide to change this username in the future, you will only have to edit this single line in your file.

By default, tasks are executed synchronously by Ansible in order from top to bottom in your playbook. This means task ordering is important, and you can safely assume one task will finish executing before the next task begins.

All tasks in this playbook can stand alone and be re-used in your other playbooks.

Add your first task of installing aptitude, a tool for interfacing with the Linux package manager:

  tasks:
    - name: Install aptitude
      apt:
        name: aptitude
        state: latest
        update_cache: true

Here, you’re using the apt Ansible built-in module to direct Ansible to install aptitude. Modules in Ansible are shortcuts to execute operations that you would otherwise have to run as raw bash commands. Ansible safely falls back onto apt for installing packages if aptitude is not available. So while this step is technically optional, Ansible has historically preferred aptitude.

It is good practice to avoid extensive use of the root user. You can automate the creation of a user that is granted sudo privileges by adding:

    - name: Setup passwordless sudo
      lineinfile:
        path: /etc/sudoers
        state: present
        regexp: '^%sudo'
        line: '%sudo ALL=(ALL) NOPASSWD: ALL'
        validate: '/usr/sbin/visudo -cf %s'

    - name: Create a new regular user with sudo privileges
      user:
        name: "{{ created_username }}"
        state: present
        groups: sudo
        append: true
        create_home: true

You’re using the lineinfile Ansible module to target and replace a specific line in a file. In this case, you’re using regex to target a specific line in the sudoers file then modifying it to allow passwordless use of sudo. You also use visudo to validate your changes to prevent anything from breaking.

In order to take advantage of this, you’re adding a new user with the user module. Ansible will ensure this user is created if not already in existence, that the user belongs to the sudo group while not being removed from other groups, and a home directory is created.

Ansible operates under the assumption that you’re using SSH keys. It is strongly recommended and generally good practice to pair SSH key usage with disabling root password authentication. To automate this, add:

    - name: Set authorized key for remote user
      ansible.posix.authorized_key:
        user: "{{ created_username }}"
        state: present
        key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}"

    - name: Disable password authentication for root
      lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: '^#?PermitRootLogin'
        line: 'PermitRootLogin prohibit-password'

The authorized_key module can be used if you supply the username and the location of the key. Here, the path towards your key is built using Ansible’s lookup function.

The lineinfile module is used to search and replace a line in sshd_config in order to disable password authentication for root, limiting access to its privileges for heightened security.

Ansible can ensure certain packages are always installed on your server. Rather than call apt install on each individual package, or break it into multiple tasks, you can list out all your desired packages:

    - name: Update apt and install required system packages
      apt:
        pkg:
          - curl
          - vim
          - git
          - ufw
        state: latest
        update_cache: true

You can add or remove packages to your liking. This will ensure all packages are not only present, but on the latest version, and done after an update with apt is called.

A firewall is indispensable to any server facing the internet. You can have Ansible ensure UFW (Uncomplicated Firewall) is properly configured by adding:

    - name: UFW - Allow SSH connections
      community.general.ufw:
        rule: allow
        name: OpenSSH

    - name: UFW - Enable and deny by default
      community.general.ufw:
        state: enabled
        default: deny

The ufw module first ensures SSH access is allowed through. Then, this module enables your firewall while defaulting to denying all other traffic to your server.

Your playbook should look roughly like the following, with minor differences depending on your customizations:

---
- hosts: all
  become: true
  vars:
    created_username: sammy

  tasks:
    - name: Install aptitude
      apt:
        name: aptitude
        state: latest
        update_cache: true

    - name: Setup passwordless sudo
      lineinfile:
        path: /etc/sudoers
        state: present
        regexp: '^%sudo'
        line: '%sudo ALL=(ALL) NOPASSWD: ALL'
        validate: '/usr/sbin/visudo -cf %s'

    - name: Create a new regular user with sudo privileges
      user:
        name: "{{ created_username }}"
        state: present
        groups: sudo
        append: true
        create_home: true

    - name: Set authorized key for remote user
      ansible.posix.authorized_key:
        user: "{{ created_username }}"
        state: present
        key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}"

    - name: Disable password authentication for root
      lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: '^#?PermitRootLogin'
        line: 'PermitRootLogin prohibit-password'

    - name: Update apt and install required system packages
      apt:
        pkg:
          - curl
          - vim
          - git
          - ufw
        state: latest
        update_cache: true

    - name: UFW - Allow SSH connections
      community.general.ufw:
        rule: allow
        name: OpenSSH

    - name: UFW - Enable and deny by default
      community.general.ufw:
        state: enabled
        default: deny

Once you’re satisfied with your playbook, you can exit your text editor and save.

You’re now ready to run this playbook on one or more servers. Most playbooks are configured to be executed on every server in your inventory by default, but you’ll specify your server this time.

To execute the playbook only on server1, connecting as root, you can use the following command:

ansible-playbook playbook.yml -l server1 -u root -k

The -l flag specifies your server and the -u flag specifies which user to log into on the remote server. Since you’ve yet to setup your remote server, root is your only option. The -k flag is very important on your first playbook run, since it allows you to enter your SSH password.

You will get output similar to this:

Output
. . .

TASK [UFW - Allow SSH connections] ***************************************************************************************************************************************************************************************************************************
changed: [server1]

TASK [UFW - Enable and deny by default] **********************************************************************************************************************************************************************************************************************
changed: [server1]

PLAY RECAP ***************************************************************************************************************************************************************************************************************************************************
server1                    : ok=9    changed=8    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

This indicates your server setup is complete! Your output doesn’t have to be exactly the same, but it is important that you have zero failures.

Now that you’ve done the first setup for your playbook, all subsequent ansible calls can be done with user sammy and without the -k flag:

ansible-playbook playbook.yml -l server1 -u sammy

You’ll also be able to log in to the server with:

ssh sammy@your_remote_server_ip

Remember to replace sammy with the user defined by the created_username variable, and server_host_or_IP with your server’s hostname or IP address.

After logging in to the server, you can check the UFW firewall’s active rules to confirm that it’s properly configured:

sudo ufw status

You should get output similar to this:

Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)             

This means that the UFW firewall has successfully been enabled. Since this was the last task in the playbook, it confirms that the playbook was fully executed on this server.

Automating the initial server setup can save you time, while also making sure your servers will follow a standard configuration that can be improved and customized to your needs. With the distributed nature of modern applications and the need for more consistency between different staging environments, automation like this becomes a necessity.

In this guide, you demonstrated how to use Ansible for automating the initial tasks that should be executed on a fresh server, such as creating a non-root user with sudo access, enabling UFW and disabling remote password-based root login.

For more information on how to run Ansible playbooks, check out our Ansible Cheat Sheet Guide.

If you’d like to include new tasks in this playbook to further customize your initial server setup, please refer to our introductory Ansible guide Configuration Management 101: Writing Ansible Playbooks. You can also check out our guide on How to Use Ansible Roles to Abstract your Infrastructure Environment.