Configure your Server
The following guide uses an Ubuntu 18.04 Bionic virtual machine and turns it into an Ansible server. It is possible to use any other Linux operating system as well, but you will then be required to translate the setup instructions yourself.
If you don't have one already, you should create an ansible user on your Ansible server to run all the playbooks:
$ sudo useradd -m -s /bin/bash ansible
Now disable sudo password prompts for the ansible user, which gives that account passwordless root on this server. Execute
$ sudo visudo -f /etc/sudoers.d/custom-users
and type
ansible ALL=(ALL) NOPASSWD:ALL
We now just change to that ansible user:
$ sudo su - ansible
Next, prepare for Ansible.
$ sudo apt-get update
$ sudo add-apt-repository universe
$ sudo apt install -y python3-pip
It is good to install Ansible in user space: Ansible ships with many Python modules and dependencies, and a user-space install keeps them from affecting the system-wide Python environment.
$ pip3 install ansible --user
$ echo 'export PATH=$PATH:$HOME/.local/bin' >> ~/.bashrc
$ source ~/.bashrc
$ ansible --version
ansible 2.9.4
config file = None
configured module search path = ['/home/trendmicro/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/trendmicro/.local/lib/python3.6/site-packages/ansible
executable location = /home/trendmicro/.local/bin/ansible
python version = 3.6.9 (default, Nov 7 2019, 10:44:02) [GCC 8.3.0]
Next, create an .ansible.cfg in your home directory. Download the example file and set the following variables in /home/ansible/.ansible.cfg within the [defaults] section at the beginning of the file:
$ wget https://raw.githubusercontent.com/ansible/ansible/devel/examples/ansible.cfg -O .ansible.cfg
$ vi ~/.ansible.cfg
stdout_callback = yaml
display_skipped_hosts = False
force_valid_group_names = ignore
Now install jq, the "Swiss Army Knife" for JSON.
$ sudo apt-get install jq
Create a .ssh directory if it does not already exist:
$ mkdir -p ~/.ssh
$ chmod 700 ~/.ssh
Generate ssh-keys without setting a passphrase
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ansible/.ssh/id_rsa):
Created directory '/home/ansible/.ssh'.
Enter passphrase (empty for no passphrase): <DON'T SET A PASSPHRASE HERE>
Enter same passphrase again:
Your identification has been saved in /home/ansible/.ssh/id_rsa.
Your public key has been saved in /home/ansible/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:1gzgC5QR+tSX6YQsQvBiZKEi4+Ez04b7k5sMwGen7Yk ansible@devops
The key's randomart image is:
+---[RSA 2048]----+
|.=o ++. |
|+o o.+ o o |
|*o+ + = * |
|Bo++ o = + |
|.O =... S o |
|. O + . |
| o ... |
| +o+ . |
| Eoo |
+----[SHA256]-----+
There will be two new files within the /home/ansible/.ssh directory, the private and the public part of the key pair just generated.
For all credentials, ansible-vault is used.
Create a file called .vault-pass.txt in the home directory of the ansible user with a secret password.
$ echo '<YOUR VERY STRONG PASSWORD>' > ~/.vault-pass.txt
$ chmod 600 ~/.vault-pass.txt
The module netaddr is a Python library for representing and manipulating network addresses. The module pywinrm is required for Windows remote management. Install both:
$ pip3 install netaddr --user
$ sudo apt install -y libffi6 libffi-dev libssl-dev
$ pip3 install pywinrm --user --no-binary :all:
While logged in as user ansible, clone the MOADSD-NG repo:
$ git clone https://github.com/mawinkler/moadsd-ng.git
$ cd moadsd-ng
To ease the handling of SSH keys and get rid of WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!, you can disable StrictHostKeyChecking in your ssh_config. This turns off the check that detects a changed or impersonated host, so you should do this only in non-production environments, of course.
$ sudo vi /etc/ssh/ssh_config
StrictHostKeyChecking no
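A check for the state the steps above leave behind, added here as an example and not part of the MOADSD-NG repository: it verifies the permissions on ~/.ssh, the private key and ~/.vault-pass.txt, and reports whether ssh_config turns off StrictHostKeyChecking. The function names and the findings format are assumptions; the paths are the ones used in this guide.

```shell
# Added example: audit the files this guide creates.
# Function names and output format are assumptions, not project code.

# mode_of FILE -> octal permission bits (GNU stat, as shipped with Ubuntu)
mode_of() { stat -c '%a' "$1"; }

# check_mode FILE EXPECTED -> prints a finding and returns 1 on mismatch
check_mode() {
    local file=$1 want=$2 have
    [ -e "$file" ] || { echo "MISSING  $file"; return 1; }
    have=$(mode_of "$file")
    [ "$have" = "$want" ] && return 0
    echo "MODE     $file is $have, expected $want"
    return 1
}

# strict_checking_disabled SSH_CONFIG -> returns 0 if an uncommented
# "StrictHostKeyChecking no" line is present in the file
strict_checking_disabled() {
    grep -Eiq '^[[:space:]]*StrictHostKeyChecking[[:space:]=]+no[[:space:]]*$' \
        "$1" 2>/dev/null
}

# audit_ansible_home HOME_DIR SSH_CONFIG -> prints findings, returns their count
audit_ansible_home() {
    local home=${1:-$HOME} ssh_config=${2:-/etc/ssh/ssh_config} findings=0
    check_mode "$home/.ssh" 700            || findings=$((findings + 1))
    check_mode "$home/.ssh/id_rsa" 600     || findings=$((findings + 1))
    check_mode "$home/.vault-pass.txt" 600 || findings=$((findings + 1))
    if strict_checking_disabled "$ssh_config"; then
        echo "HOSTKEY  $ssh_config sets StrictHostKeyChecking no"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```

Run it as the ansible user with `audit_ansible_home "$HOME"`; the exit status is the number of findings, so 0 means the permissions match this guide and host key checking is still on.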