I've written before about the checklist I run through on every new server: a non-root user, key-only SSH, a default-deny firewall, Fail2ban, unattended upgrades. Doing that by hand takes under an hour and isn't hard. But "under an hour, by hand, for every server" adds up fast once you're managing more than two or three of them, and manual steps are exactly where small inconsistencies creep in, one server gets MaxAuthTries 3 and another doesn't, because whoever set it up that day was in a hurry.
The fix is turning the checklist into a playbook. Same steps, same order, every time, and idempotent enough that running it again on a server that's already configured changes nothing.
The playbook
---
- name: Baseline hardening for a new server
hosts: new_servers
become: true
vars:
admin_user: deploy
ssh_public_key: "{{ lookup('file', '~/.ssh/id_ed25519.pub') }}"
tasks:
- name: Create admin user
user:
name: "{{ admin_user }}"
groups: sudo
shell: /bin/bash
create_home: true
- name: Add SSH key for admin user
authorized_key:
user: "{{ admin_user }}"
key: "{{ ssh_public_key }}"
- name: Harden SSH config (overrides cloud-init defaults)
copy:
dest: /etc/ssh/sshd_config.d/99-hardening.conf
content: |
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
mode: '0644'
notify: restart sshd
- name: Install UFW and Fail2ban
apt:
name: [ufw, fail2ban]
state: present
update_cache: true
- name: Configure UFW defaults
ufw:
direction: "{{ item.direction }}"
policy: "{{ item.policy }}"
loop:
- { direction: incoming, policy: deny }
- { direction: outgoing, policy: allow }
- name: Allow required ports
ufw:
rule: allow
port: "{{ item }}"
proto: tcp
loop: ['22', '80', '443']
- name: Enable UFW
ufw:
state: enabled
- name: Enable Fail2ban
systemd:
name: fail2ban
enabled: true
state: started
- name: Install unattended-upgrades
apt:
name: unattended-upgrades
state: present
handlers:
- name: restart sshd
systemd:
name: ssh
state: restarted
Running it
A fresh server gets added to the inventory and the playbook runs against just that host:
ansible-playbook -i inventory.ini baseline.yml -l new-server-01 -u root
The first run must connect as root — it's the only user available on a fresh server. Once the playbook completes, root login is disabled and deploy is your entry point for every run after:
ansible-playbook -i inventory.ini baseline.yml -l new-server-01 -u deploy
The first run does all the work, creates the user, locks down SSH, sets up the firewall. The handler only restarts sshd if the config actually changed, so the very first run is the only one where that happens, every run after is a no-op confirmation that nothing has drifted.
Why idempotency is the actual point
The real value here isn't the time saved on day one, typing the commands manually isn't slow. It's that six months later, when I'm not sure whether a particular server got the full treatment or was set up in a rush during an incident, I can run the playbook again and find out. If everything's already in place, Ansible reports zero changes and I move on. If something's missing, it gets fixed on the spot, with no need to remember which of the four or five manual steps was skipped.
This playbook is intentionally small. It doesn't install application stacks or configure anything project-specific, it's the floor every server stands on before anything else gets layered on top. Keeping it separate from application playbooks means it stays stable, and a baseline that doesn't change often is one you can trust without re-reading it every time.
Originally published at irfanmiral.com
Need help with your infrastructure? See my services or get in touch.
Top comments (0)