Server management with Ansible on WSL2

First things first: install Ansible!

sudo apt update -y
sudo apt install ansible -y

OK, that was easy!

Now, let's create a directory for Ansible to keep everything in, and open it in Visual Studio Code with 'code .' (this assumes you already have VS Code installed: https://code.visualstudio.com plus the Remote - WSL extension: https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-wsl )

mkdir ~/ansible
cd ~/ansible
code .

Alright, we now have Ansible to manage our servers. But… we don't have any servers yet. Let's create some test servers at DigitalOcean (use this referral link to get $200 in credit over 60 days).

Go to Droplets > Create Droplet

Repeat this process so you have 2 droplets, and wait until they are created; each droplet gets an IP address once it is up. When creating them, choose SSH key authentication and add the public key of your WSL2 user, because that key is what Ansible will log in with.

-img-

Now go back to VS Code, create a file named 'inventory' and put both IP addresses of the new servers in it under a group named 'digitalocean'. DigitalOcean droplets are provisioned with your SSH key on the root account, so also tell Ansible to log in as root (otherwise it tries your local WSL2 username), like this:

[digitalocean]
159.223.7.103
159.223.237.218

[digitalocean:vars]
ansible_user=root

OK, so now we have the basics: 2 servers you can reach with your SSH key. Now we want to do something with them. Let's set up a firewall on both.

Create a file named 'firewall.yml' with the content below. It enables UFW, denies all incoming connections by default and allows incoming connections only on port 22 (SSH), so the servers stay reachable for Ansible. Note: if you want to allow SSH only from your own IP address, uncomment the 'from_ip: 80.80.80.80' line and replace the address with yours; make sure it is the public address your WSL2 machine leaves the network with, otherwise you lock yourself out.

- name: UFW Setup
  hosts: digitalocean
  gather_facts: no
  tasks:

    - name: Ensure latest UFW installation
      apt:
        name: ufw
        state: latest
        update_cache: yes

    # Don't reset UFW by default: a reset temporarily disables the firewall and removes all rules,
    # which we never want on a production server. Only uncomment this once if the rule set is messed up,
    # run the playbook, and comment it out again immediately.
    # - name: Reset UFW
    #   ufw:
    #     state: reset

    - name: Deny incoming
      ufw: 
        default: deny
        direction: incoming

    - name: Allow outgoing
      ufw: 
        default: allow
        direction: outgoing

    - name: Allow SSH
      ufw:
        rule: allow
        direction: in
        port: '22'
        proto: tcp
        #from_ip: 80.80.80.80
        comment: 'SSH connection'
        state: enabled

    - name: Enable firewall
      ufw: 
        state: enabled

Alright, we now have an inventory (with your server IP addresses) and a playbook that sets up a firewall. Let's run it on both servers; in your ~/ansible directory in WSL2, type:

ansible-playbook -i inventory -l digitalocean firewall.yml

This runs the 'firewall.yml' playbook on the group 'digitalocean' (your 2 servers) as listed in the file 'inventory'. The first time you connect you will see the message 'The authenticity of host can't be established, are you sure you want to continue connecting?'; answer yes for both servers. Because Ansible connects to the hosts in parallel, the two prompts can appear interleaved; if you want to avoid the interactive prompt altogether, add the servers' host keys to ~/.ssh/known_hosts with ssh-keyscan before the first run.

-img-

In the PLAY RECAP at the bottom you will see a non-zero 'changed' count for both servers: the SSH rule is in place and the firewall is enabled. Log in to either server and check it:

ssh root@159.223.7.103
ufw status

-img-

You can change anything in 'firewall.yml' and simply run the command again: Ansible only applies what differs and reports per task whether it changed something. One caveat: the ufw module adds rules, but it does not remove rules you delete from the playbook. To remove a rule from the servers, keep the task and set 'delete: yes' on it, run the playbook, and only then drop the task.

The nice thing about this: you can store these Ansible files in a Git repository. For safety we won't commit the real inventory, only an example file: the inventory lists your server IP addresses and login user, and a hard-coded 'from_ip' in 'firewall.yml' reveals the address you administer from, so anyone who obtains the repository (read: an attacker) learns exactly where your servers are and how they are configured. Don't store your current IP address in 'firewall.yml'; set it only when you need it, for example as an extra variable on the ansible-playbook command line (or learn about using variables in the playbooks later on…).
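As an added example (not the playbook from the original post), here is a variant of 'firewall.yml' that addresses the two points above: the admin address is a variable ('ssh_allowed_src', an assumed name) that is only passed on the command line with -e, so it never ends up in Git, and the login user is defined in the play, so the real inventory only has to carry IP addresses. It also rate-limits SSH instead of plainly allowing it, removes the unrestricted SSH rule once a source restriction is in place (the ufw module never removes rules on its own), and verifies the end state with 'ufw status verbose'. 203.0.113.10 is a documentation address; substitute your own public IP.

```yaml
# firewall.yml (added example, not the original post's playbook)
# Unrestricted SSH:      ansible-playbook -i inventory -l digitalocean firewall.yml
# SSH from one address:  ansible-playbook -i inventory -l digitalocean firewall.yml -e ssh_allowed_src=203.0.113.10
# 203.0.113.10 is a documentation address (RFC 5737); use your own public IP.
- name: UFW Setup (SSH only, rate limited, optional admin source)
  hosts: digitalocean
  gather_facts: no
  vars:
    # DigitalOcean droplets get your SSH key on the root account, so log in as root.
    # Defining it here means the real inventory only has to carry the IP addresses.
    ansible_user: root
    # ssh_allowed_src is intentionally NOT defined here: leave it undefined to allow
    # SSH from anywhere, or pass it with -e so the address never lands in Git.
  tasks:
    - name: Ensure UFW is installed
      apt:
        name: ufw
        state: present
        update_cache: yes

    - name: Deny all incoming traffic by default
      ufw:
        default: deny
        direction: incoming

    - name: Allow all outgoing traffic by default
      ufw:
        default: allow
        direction: outgoing

    # 'limit' allows the port but blocks a source that opens 6 or more connections
    # within 30 seconds, which blunts SSH brute forcing.
    # default(omit) drops the from_ip parameter entirely when the variable is unset.
    - name: Allow SSH, rate limited, optionally only from the admin address
      ufw:
        rule: limit
        direction: in
        port: '22'
        proto: tcp
        from_ip: "{{ ssh_allowed_src | default(omit) }}"
        comment: 'SSH (rate limited)'

    # The ufw module only adds rules; it never removes rules that disappeared from
    # the playbook. Once a source restriction is in place, delete the any-source
    # rules an earlier unrestricted run (or the original 'allow' playbook) left behind.
    - name: Remove the unrestricted SSH rules when an admin address is set
      ufw:
        rule: "{{ item }}"
        direction: in
        port: '22'
        proto: tcp
        delete: yes
      loop:
        - allow
        - limit
      when: ssh_allowed_src is defined

    # Enable only after the SSH rule exists, so the firewall never comes up
    # without a way back in.
    - name: Enable the firewall
      ufw:
        state: enabled

    - name: Log blocked packets (low volume, useful when investigating an incident)
      ufw:
        logging: 'on'

    - name: Read back the firewall status
      command: ufw status verbose
      register: ufw_status
      changed_when: false

    - name: Verify the firewall is active with a deny-incoming default
      assert:
        that:
          - "'Status: active' in ufw_status.stdout"
          - "'deny (incoming)' in ufw_status.stdout"
        fail_msg: "UFW is not active with a deny-incoming default on {{ inventory_hostname }}"
```

Run it once without -e to get the baseline, then with -e ssh_allowed_src=<your public IP> when you are on a fixed address; the delete task is what actually tightens the rule set, because without it the old any-source rule would keep SSH open to the world even though the playbook no longer lists it.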

# create an example inventory file (this one is committed, so others see the expected layout)
echo -e '[digitalocean]\n0.0.0.0\n0.0.0.1\n\n[digitalocean:vars]\nansible_user=root' > inventory.example

# keep the real inventory (your server IP addresses) out of the repository
echo 'inventory' > .gitignore

# init git repository, confirm the real inventory is ignored (prints 'inventory' if so),
# commit, and push it to an external host so you don't lose it
git init
git check-ignore inventory
git add .
git commit -m "ansible"
git branch -M main
git remote add origin git@github.com:{your-username}/ansible.git
git push -u origin main

You now have your Ansible server management in version control!

(Don't forget to remove your DigitalOcean droplets when you are done with them, or they keep costing credit…)

Source: https://docs.ansible.com/ansible/2.9/modules/ufw_module.html