Host Bootstrap Bundle
Ansible playbook for bootstrapping new servers with a secure user and hardened SSH configuration. Designed to be built with ansible-bundler and distributed via CI/CD.
Features
- Creates a user with SSH key authentication
- Configures passwordless sudo (optional)
- Hardens SSH with secure defaults (no root login, no password auth)
- Works with Debian, Ubuntu, RHEL/CentOS, Arch Linux
Usage
Direct with Ansible
ansible-playbook bootstrap.yml -i "host," -e user_name=operator \
-e 'user_pubkey="ssh-ed25519 AAAA..."'
With Bundled Version
# Download and verify
curl -sL https://your-server/bootstrap.run -o /tmp/bootstrap.run
curl -sL https://your-server/bootstrap.run.sha256 -o /tmp/bootstrap.run.sha256
cd /tmp && sha256sum -c bootstrap.run.sha256
# Run
chmod +x /tmp/bootstrap.run
./bootstrap.run -e user_name=operator \
-e 'user_pubkey="ssh-ed25519 AAAA..."' \
-e user_password=changeme
Variables
Required
| Variable | Description |
|---|---|
user_name |
Username to create |
user_pubkey |
SSH public key (or use user_pubkey_file / user_pubkey_url) |
Optional
| Variable | Default | Description |
|---|---|---|
user_password |
- | Password for the user |
user_shell |
/bin/bash |
User's login shell |
user_home |
/home/{user} |
Home directory |
user_sudo_enabled |
true |
Enable sudo access |
user_sudo_nopasswd |
true |
Passwordless sudo |
user_pubkey_exclusive |
true |
Replace existing authorized_keys |
ssh_server_ports |
["22"] |
SSH port(s) |
ssh_permit_root_login |
"no" |
Allow root SSH login |
ssh_allow_users |
- | Restrict SSH to specific users |
See bootstrap.example.yml for all options.
Building
pip install ansible ansible-bundler
ansible-bundler bootstrap.yml -o bootstrap.run
sha256sum bootstrap.run > bootstrap.run.sha256
CI/CD
The included Gitea Actions workflow (.gitea/workflows/build.yml) automatically builds and publishes the bundle on push to main.
Required secret: DEPLOY_TOKEN - Gitea token with write:package scope.
License
MIT