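├── .gitignore
├── LICENSE
├── README.md
├── files
│   ├── 10periodic
│   └── 50unattended-upgrades
├── handlers
│   └── main.yml
├── meta
│   └── main.yml
└── tasks
    └── main.yml

/.gitignore:
--------------------------------------------------------------------------------
.DS_Store
._*
.ideas

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
The MIT License (MIT)

Copyright (c) 2014 Servers For Hackers

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
ansible-basic-server
====================

Basic Ubuntu Server Setup

This installs basic software for Ubuntu servers.

### Unattended Upgrades

This repository will enable unattended security updates. It will not allow the server to reboot itself, however. When you log in, you may receive messages saying the server requires a reboot. It would be good to reboot your server at those times.

If this is an issue, you may wish to set up a configuration (load balancer with 2+ web nodes) that will allow for failover if you choose to restart your server(s) at this time.

--------------------------------------------------------------------------------
/files/10periodic:
--------------------------------------------------------------------------------
// Installed to /etc/apt/apt.conf.d/10periodic by tasks/main.yml.
// APT::Periodic values are intervals in days; "0" disables the step.
// Refresh the package lists every day so the security run below sees new fixes.
APT::Periodic::Update-Package-Lists "1";
// Do not pre-download every upgradeable package; only the security updates
// selected by 50unattended-upgrades are fetched when they are installed.
APT::Periodic::Download-Upgradeable-Packages "0";
// Remove obsolete .deb files from the cache once a week.
APT::Periodic::AutocleanInterval "7";
// Run unattended-upgrades daily (what it installs is governed by
// 50unattended-upgrades).
APT::Periodic::Unattended-Upgrade "1";

--------------------------------------------------------------------------------
/files/50unattended-upgrades:
--------------------------------------------------------------------------------
// Installed to /etc/apt/apt.conf.d/50unattended-upgrades by tasks/main.yml;
// any change to this file notifies the "Restart Unattended Upgrades" handler.
// Only the -security pocket is enabled below, and Automatic-Reboot is left at
// its default (off), which is why README.md asks you to reboot by hand when
// the login message says a reboot is required.

// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
	"${distro_id}:${distro_codename}-security";
//	"${distro_id}:${distro_codename}-updates";
//	"${distro_id}:${distro_codename}-proposed";
//	"${distro_id}:${distro_codename}-backports";
};

// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
//	"vim";
//	"libc6";
//	"libc6-dev";
//	"libc6-i686";
};

// This option allows you to control if on an unclean dpkg exit
// unattended-upgrades will automatically run
//   dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "false";

// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGUSR1. This makes the upgrade
// a bit slower but it has the benefit that shutdown while an upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true";

// Install all unattended-upgrades when the machine is shutting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
Unattended-Upgrade::InstallOnShutdown "false";

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
//Unattended-Upgrade::Mail "root";

// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
//Unattended-Upgrade::MailOnlyOnError "true";

// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";

// Automatically reboot *WITHOUT CONFIRMATION*
// if the file /var/run/reboot-required is found after the upgrade
//Unattended-Upgrade::Automatic-Reboot "false";

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
// Default: "now"
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";

// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";

--------------------------------------------------------------------------------
/handlers/main.yml:
--------------------------------------------------------------------------------
---
# Handlers are referenced by name from tasks/main.yml; keep the names in sync.

# Notified once the baseline packages (including ntp) have been installed.
- name: Start NTP
  service:
    name: ntp
    state: started
    enabled: yes

# Notified when /etc/apt/apt.conf.d/50unattended-upgrades changes so the
# daemon picks up the new Allowed-Origins / options.
- name: Restart Unattended Upgrades
  service:
    name: unattended-upgrades
    state: restarted

--------------------------------------------------------------------------------
/meta/main.yml:
--------------------------------------------------------------------------------
---
# This role pulls in no other roles.
dependencies: []

--------------------------------------------------------------------------------
/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Role entry point: bring the host up to date, install the baseline tool set,
# then drop the two apt.conf.d fragments shipped in files/ that turn on daily
# unattended security upgrades.

# "safe" upgrade: installs newer versions of present packages without
# removing anything; the cache refresh here also covers the task below.
- name: Perform Safe Upgrade
  apt:
    upgrade: safe
    update_cache: yes

# 'installed' was only a deprecated alias of 'present'; 'present' is accepted
# by every Ansible release, so the intent is unchanged.
- name: Install Server Basics
  apt:
    name: "{{ item }}"
    state: present
    update_cache: true
  with_items:
    - acl
    - unattended-upgrades
    - policykit-1
    - ntp
    - wget
    - curl
    - vim
    - ack-grep
    - git
    - unzip
    - htop
    - tmux
  notify:
    - Start NTP

# apt reads every fragment in apt.conf.d as root, so these files only need to
# be root-owned and readable; the explicit mode keeps them from inheriting a
# looser mode from the target's umask. A syntactically broken fragment stops
# apt entirely; consider the copy module's `validate` option
# (e.g. `apt-config -c=%s dump`, TODO confirm against the target apt version)
# so a bad file is rejected before it lands.
- name: Add Periodic Configuration
  copy:
    src: 10periodic
    dest: /etc/apt/apt.conf.d/10periodic
    owner: root
    group: root
    mode: '0644'

- name: Add Unattended Upgrade Configuration
  copy:
    src: 50unattended-upgrades
    dest: /etc/apt/apt.conf.d/50unattended-upgrades
    owner: root
    group: root
    mode: '0644'
  notify:
    - Restart Unattended Upgrades
--------------------------------------------------------------------------------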