# Play 1 — provision the Linode. Runs on the control node and calls the
# Linode API with the token loaded from ../vars/linode_wg.yml.
- name: CREATE A NEW LINODE
  hosts: localhost
  # 'always' runs this play regardless of the --tags selection (presumably so
  # later plays always get their in-memory host); 'infra' selects it alone.
  tags:
    - always
    - infra
  vars_files:
    - ../vars/linode_wg.yml
  tasks:
    - name: Create a new Linode.
      linode_v4:
        state: present
        label: "{{ hostname }}"
        access_token: "{{ token }}"
        type: "{{ type }}"
        region: "{{ region }}"
        image: "{{ image }}"
        root_pass: "{{ password }}"
        authorized_keys: "{{ ssh_keys }}"
        group: "{{ gt }}"
        tags: "{{ gt }}"
      register: tyla

    # Sanity check: echo the label, instance id and first public IPv4.
    - name: Display info about my Linode instance
      debug:
        msg: "{{ hostname }} | {{ tyla.instance.id }} | {{ tyla.instance.ipv4[0] }}"

    # Put the public IP into the linode_wg group of the in-memory inventory so
    # the following play can target it; never reported as a change.
    - name: Add new host to in-memory inventory
      add_host:
        name: "{{ tyla.instance.ipv4[0] }}"
        groups: linode_wg
      changed_when: false

    # Block until something answers on port 22 before handing over to play 2.
    - name: Wait for Linode to listen on port 22
      wait_for:
        host: "{{ tyla.instance.ipv4[0] }}"
        port: 22
        state: started
ဒီအပိုင်းမှာတော့ ဘာမှထွေထွေထူးထူး မရှိပါဘူး။ Linode ရဲ့ API ကိုအသုံးပြုပြီးတော့ VPS တစ်လုံးတည်ဆောက်တယ်၊ ပြီးရင် in-memory inventory တည်ဆောက်တယ်၊ နောက်တော့ port 22 က Linode ချပေးတဲ့ public IP မှာ ready ဖြစ်ပြီလာဆိုတာကို စစ်ကြည့်တယ်။ VPS ကအားလုံး ready ဆိုတော့မှ နောက်အဆင့်ကို ထပ်ပြီးတော့သွားဖို့ အဆင့်သင့်ဖြစ်ပါတော့တယ်။ လိုအပ်တဲ့ variable တွေကိုတော့ vars folder အောက်က linode_wg.yml မှာအောက်ကအတိုင်းတွေ့ရမှာပါ။
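# ../vars/linode_wg.yml — settings shared by the create, configure and delete plays.

# SSH public keys installed for root on the new Linode. A '>' folded-scalar
# header with content on the same line is not valid YAML, so this is a plain
# block list. The first entry is key text; the second is a file path, which the
# Linode client library appears to expand to the file's contents — confirm if
# no key is present after creation.
ssh_keys:
  - '<< Your SSH Public Key Here! >>'
  - '~/.ssh/id_rsa.pub'
hostname: tyla-linode-wg01  # change the hostname as required
# Linode plan. g6-nanode-1 is the Shared CPU Nanode (1 GB RAM, 1 CPU, 25 GB storage).
type: g6-nanode-1
region: ap-south  # Singapore; change the region as required
image: linode/ubuntu20.04  # Linode's Ubuntu 20.04 image; change as required
gt: tyla-linode-wg  # used for both the Linode group and tag names
wg_ip: '192.168.69.254'  # WireGuard server wg0 virtual interface IP
# Your own public IP: after play 2 runs, only this address may reach port 22.
my_ip: '1.2.3.4'
# Root password for the new Linode, kept as ansible-vault output so it is never
# committed in clear text. Replace the placeholder with the output of:
#   ansible-vault encrypt_string 'YourSecretHere' --name 'password'
password: << Your "ansible-vault encrypt_string 'YourSecretHere' --name 'password'" Output Here! >>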
token: << Your "ansible-vault encrypt_string 'YourLinodeAPITokenHere' --name 'token'" Output Here! >> # Linode API Token created on your Linode portal which is encrypted with ansible-vault for security

ဒုတိယအပိုင်းမှာတော့... ရလာတဲ့ VPS ကို လိုအပ်တဲ့ basic security configuration အတွက် အသုံးချထားပါတယ်။ code block ကို တချက်လောက်ကြည့်လိုက်ရအောင်။
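# Play 2 — baseline hardening of the fresh Ubuntu 20.04 Linode: hostname, full
# apt upgrade (with a reboot when the system asks for one), IPv4 forwarding for
# WireGuard, key-only SSH, and a default-deny UFW that admits SSH from my_ip
# and WireGuard from anywhere. Targets the host play 1 added to the linode_wg
# in-memory group, connecting as root.
- name: INITIAL CONFIGURATION ON THE NEW LINODE
  tags: init
  hosts: linode_wg
  remote_user: root  # 'user' is the legacy alias of this play keyword
  vars_files:
    - ../vars/linode_wg.yml
  tasks:
    # The block carries the 'conf' tag so this set of tasks can be selected on
    # its own with --tags conf.
    - name: Initial Linode Configuration
      tags: conf
      block:
        - name: Set hostname
          hostname:
            name: "{{ hostname }}"

        - name: Update apt repo and cache
          apt:
            update_cache: true
            force_apt_get: true
            cache_valid_time: 3600

        - name: Upgrade all apt packages
          apt:
            upgrade: dist
            force_apt_get: true

        # Ubuntu creates this file when a restart is required (e.g. after a
        # kernel update). Only its presence matters, so no checksum is taken
        # (get_md5 is deprecated; get_checksum is the current option).
        - name: Check if a reboot is needed after apt upgrade
          stat:
            path: /var/run/reboot-required
            get_checksum: false
          register: reboot

        - name: Reboot the Ubuntu Linode
          reboot:
            msg: "Reboot initiated by Ansible due to kernel updates"
            connect_timeout: 5
            reboot_timeout: 300
            pre_reboot_delay: 0
            post_reboot_delay: 30
            test_command: uptime
          when: reboot.stat.exists

        # WireGuard relays client traffic through the node, so forwarding must
        # be on now (reload) and persistently (written to the sysctl file).
        - name: Enable packet forwarding for IPv4
          sysctl:
            name: net.ipv4.ip_forward
            value: '1'
            sysctl_set: true
            state: present
            reload: true

        # Desired-state sshd_config (key-only logins). validate runs sshd's
        # syntax check on the temporary copy first, so a broken file is never
        # installed and the handler's restart cannot lock root out.
        - name: Configure SSH key authentication only
          copy:
            src: ../files/sshd_config
            dest: /etc/ssh/sshd_config
            owner: root
            group: root
            mode: '0644'
            validate: /usr/sbin/sshd -t -f %s
          notify: Restart SSH

        # Rate-limited SSH, and only from my_ip: once the deny policy below is
        # active that address is the sole way back in, so keep it current.
        # The Jinja expression must be quoted — a bare {{ my_ip }} is parsed by
        # YAML as a flow mapping and the task fails before Ansible templates it.
        - name: Allow SSH in UFW
          ufw:
            rule: limit
            port: ssh
            proto: tcp
            src: "{{ my_ip }}"
            dest: 0.0.0.0/0

        - name: Allow WireGuard in UFW
          ufw:
            rule: allow
            port: '51820'
            proto: udp
            dest: 0.0.0.0/0

        # Default-deny for everything not allowed above.
        # NOTE(review): 'log' applies to a rule; the firewall-wide level is the
        # 'logging' option — confirm which was intended.
        - name: Deny everything and enable UFW
          ufw:
            state: enabled
            policy: deny
            log: true

    # Verification block: 'never' keeps it out of normal runs; select it with
    # --tags tests or --tags conf_test.
    - name: Unit testing on initial configuration
      tags:
        - never
        - tests
        - conf_test
      block:
        # Read the whole file rather than its last line so the assertion does
        # not depend on where the sysctl module placed the entry.
        - name: Get the output of /etc/sysctl.conf file
          command: cat /etc/sysctl.conf
          register: sysctl
          changed_when: false

        - name: Test if /etc/sysctl.conf is configured correctly
          assert:
            that:
              - "'net.ipv4.ip_forward=1' in sysctl.stdout_lines"
            success_msg: "[PASS] IP Forwarding is configured correctly."
            fail_msg: "[FAIL] IP Forwarding is not configured or misconfigured."

        - name: Get the output of /etc/ssh/sshd_config
          command: cat /etc/ssh/sshd_config
          register: ssh
          changed_when: false

        # Exact-line matches against the file copied from ../files/sshd_config.
        - name: Test if /etc/ssh/sshd_config is configured correctly
          assert:
            that:
              - "'PermitRootLogin prohibit-password' in ssh.stdout_lines"
              - "'PubkeyAuthentication yes' in ssh.stdout_lines"
              - "'PasswordAuthentication no' in ssh.stdout_lines"
              - "'PermitEmptyPasswords no' in ssh.stdout_lines"
            success_msg: "[PASS] SSH Daemon is configured correctly."
            # fail_msg previously repeated the IP-forwarding text
            fail_msg: "[FAIL] SSH Daemon is not configured or misconfigured."

  handlers:
    - name: Restart SSH
      systemd:
        state: restarted
        name: ssh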
---
# Tear-down playbook: removes the WireGuard Linode whose label is {{ hostname }}.
# This appears to be a separate playbook file from the two plays above.
# Destructive and not reversible — RUN IT CAREFULLY!
- name: Delete Linode
  hosts: localhost
  vars_files:
    - ../vars/linode_wg.yml
  tasks:
    # The API token comes from the vault-encrypted 'token' variable.
    - name: Delete your Linode Instance.
      linode_v4:
        state: absent
        label: "{{ hostname }}"
        access_token: "{{ token }}"