Ansible playbooks and roles to bootstrap Ubuntu servers: users, packages, Docker/Nginx/Certbot, GitLab Runner, SSH hardening, swap, Fail2ban, UFW, and a final reboot.
There are nine roles. The playbook runs them in two stages (see playbook/config.yml): first through SSH configuration (with a handler flush so sshd restarts before the rest), then swap, Fail2ban, firewall, and reboot.
| Order | Role | What it does |
|---|---|---|
| 1 | user_config | Creates the managed user, adds sudo access (passwordless sudo as configured in the role). |
| 2 | manage_packages | apt update/upgrade, then a script for unattended security updates and removal of a few legacy packages. |
| 3 | install_deps | Nginx, Certbot, Docker CE, Docker Compose plugin, and related packages. |
| 4 | gitlab_runner | Adds the GitLab Runner apt repo (keyring-based), installs Runner (with a binary fallback if apt fails), registers once if /etc/gitlab-runner/config.toml is missing, then sudo rules for gitlab-runner as in the role. |
| 5 | ssh_config | Deploys authorized_keys, copies sshd_config, sets SSH port from ssh_port in group_vars, restarts the SSH service when config changes. |
| 6 | swap_config | 4G swap file (adjust size in the role tasks if needed); fallocate with dd fallback. |
| 7 | fail2ban | Installs Fail2ban; SSH jail port matches ssh_port from group_vars. |
| 8 | firewall | UFW: allow HTTP/HTTPS and your SSH port, then ufw --force enable. |
| 9 | reboot | Reboots the host (waits for it to come back). |
- Replace `roles/ssh_config/files/sshd_config` with your own file if you need different SSH policy; keep `Port` consistent with `ssh_port` in `playbook/group_vars/all.yml` (the role also forces the port line).
- Secrets: use real values locally for `password`, `ssh_public_key`, and `gitlab_runner_registration_token`. Do not commit secrets; prefer Ansible Vault or a private vars file for production.
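
As an added example (not part of this repository), a pre-commit style check for the secrets advice above: it flags any of the three variables that holds a literal value instead of an Ansible Vault value or a reference to another variable. The function name, the flat `key: value` layout assumed for `all.yml`, and the sample content are assumptions constructed for illustration.

```python
import re
import sys

# Variables the README names as secrets in playbook/group_vars/all.yml.
SECRET_VARS = ("password", "ssh_public_key", "gitlab_runner_registration_token")
VAULT_FILE_HEADER = "$ANSIBLE_VAULT;"  # first line of a file encrypted with ansible-vault
KEY_VALUE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(.*)$")

# Constructed sample, not the repository's real file.
SAMPLE = """\
ssh_port: 2222
user: deploy
password: "S3cret-constructed"
ssh_public_key: "{{ vault_ssh_public_key }}"
gitlab_runner_registration_token: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  6162636465666768
"""


def plaintext_secrets(text, secret_vars=SECRET_VARS):
    """Return the secret variable names whose values are literal plaintext.

    Assumes flat top-level `key: value` lines; the README does not show
    the file, so this layout is an assumption.
    """
    if text.lstrip().startswith(VAULT_FILE_HEADER):
        return []  # the whole file is vault-encrypted
    found = []
    for line in text.splitlines():
        m = KEY_VALUE.match(line)  # indented lines (vault ciphertext) never match
        if not m or m.group(1) not in secret_vars:
            continue
        value = m.group(2).split(" #", 1)[0].strip().strip("\"'")
        if value.startswith("!vault"):
            continue  # inline value produced by `ansible-vault encrypt_string`
        if value.startswith("{{") and value.endswith("}}"):
            continue  # reference to a variable defined elsewhere
        if value:  # anything else is a literal sitting in the file
            found.append(m.group(1))
    return found


if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    leaked = plaintext_secrets(text)
    for name in leaked:
        print(f"plaintext secret: {name}")
    sys.exit(1 if leaked else 0)
```

Run against `playbook/group_vars/all.yml` from a pre-commit hook, a non-zero exit status blocks the commit until the listed values are moved into a vault.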
The banner image in the introduction may still point at assets from the older repo name on GitHub; clone URL below matches Server-Auto-Config.
- Ansible on your control machine (installation options).
- Target OS: Ubuntu (roles use `apt` and Ubuntu-style service names, e.g. SSH service as `ssh`).
```bash
git clone https://github.com/adel-bz/Server-Auto-Config.git
cd Server-Auto-Config
```

Edit playbook/group_vars/all.yml (e.g. ssh_port, user, password, ssh_public_key, GitLab URL and runner token). Variables in playbook/group_vars/ are loaded automatically when you run the playbook from the playbook/ directory.
Edit playbook/inventory.cnf and list your hosts under [servers]. You can use hostnames that match ~/.ssh/config, or see Ansible inventory docs.
Edit playbook/config.yml and comment out any role you do not need.
From the playbook/ directory:
```bash
ansible-playbook -i inventory.cnf config.yml
```

If SSH or sudo needs a password interactively:

```bash
ansible-playbook -i inventory.cnf config.yml -kK
```

After a successful run, if you changed the SSH port, the next connection from Ansible must use that port (configure inventory or ansible_ssh_port / SSH config accordingly). A failure to connect on port 22 can mean the new port is in effect.
- SSH port changed: reconnect using the new port; “connection refused” on 22 alone may be expected.
- No errors: playbook finishes green for all tasks.
- Fork the repository.
- Create a branch: `git checkout -b feature-name`
- Commit and push: `git commit -m "Describe your change"` then `git push origin feature-name`
- Open a pull request.
Please keep commits focused and avoid committing secrets or real inventory hostnames.