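---
# Base configuration for Debian hosts: apt sources and unattended upgrades,
# root SSH authorized_keys, baseline packages, sshd hardening and an iptables
# INPUT policy (the iptables tasks are skipped when `nft` is true).
#
# Variables expected from inventory/group vars: root_access, notify_email,
# ssh_port, nft, trusted_ranges (list of {v: ipv4|ipv6, cidr: ...}),
# debian_packages_unwanted (optional).

- name: Import debian-upgrade.yaml if not bookworm
  ansible.builtin.import_tasks:
    file: debian-upgrade.yaml
  # Only runs when the tag is requested explicitly (`never`) and the host is
  # still on a release older than bookworm.
  when: ansible_facts['distribution_release'] != "bookworm"
  tags: [debian-upgrade, never]

- name: Apt config and sources.list
  ansible.builtin.template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "{{ item.mode | default('0644') }}"
    owner: "{{ item.owner | default('root') }}"
    group: "{{ item.group | default('root') }}"
  loop:
    - { src: "apt.conf.j2", dest: "/etc/apt/apt.conf" }
    - { src: "sources.list.j2", dest: "/etc/apt/sources.list" }
    - { src: "apt-auto-upgrades.j2", dest: "/etc/apt/apt.conf.d/20auto-upgrades" }
    - { src: "apt-unattended-upgrades.j2", dest: "/etc/apt/apt.conf.d/50unattended-upgrades" }
  # Registered so the package install below refreshes the cache only when the
  # sources actually changed.
  register: aptconfig
  when:
    - ansible_os_family == "Debian"
  tags:
    - sourceslist

- name: Ensure /root/.ssh exists with restrictive permissions
  # The template task below fails if the directory is missing; sshd also
  # refuses keys living under a world-accessible directory (StrictModes).
  ansible.builtin.file:
    path: /root/.ssh
    state: directory
    owner: root
    group: root
    mode: "0700"
  when: root_access is defined and root_access
  tags: authorized_keys

- name: Update authorized_keys
  ansible.builtin.template:
    src: authorized_keys.j2
    dest: /root/.ssh/authorized_keys
    owner: root
    group: root
    # Quoted on purpose: an unquoted 0600 is read as the octal integer 384 by
    # YAML and Ansible warns that the resulting mode may not be what you meant.
    mode: "0600"
  when: root_access is defined and root_access
  tags: authorized_keys

- name: Import network tasks
  ansible.builtin.import_tasks:
    file: network.yaml
  tags: network

- name: Import node-exporter
  ansible.builtin.import_tasks:
    file: node-exporter.yaml
  tags: node-exporter

- name: Import vm tasks
  ansible.builtin.import_tasks:
    file: vm.yaml
  tags:
    - vm
    - guestagent

- name: Remove debian-packages we don't want
  ansible.builtin.apt:
    state: absent
    autoremove: true
    pkg: "{{ debian_packages_unwanted | default([]) }}"

- name: Install standard packages
  ansible.builtin.apt:
    cache_valid_time: 3600
    # default() must come before bool(): applying bool to an undefined value
    # raises instead of falling back to false.
    update_cache: "{{ aptconfig.changed | default(false) | bool }}"
    pkg:
      - curl
      - fzf
      - ack
      - etckeeper
      - git
      - htop
      - jq
      - net-tools
      - netcat-openbsd
      - ripgrep
      - rsync
      - tree
      - neovim
      - vim
      - unattended-upgrades
      - apt-listchanges

- name: Configure FZF for Bash
  ansible.builtin.lineinfile:
    path: /etc/bash.bashrc
    insertafter: EOF
    regexp: "^source /usr/share/doc/fzf/examples/key-bindings.bash"
    line: "source /usr/share/doc/fzf/examples/key-bindings.bash # Managed by Ansible"

- name: Configure FZF for Bash (Bookworm)
  # Drops the completion.bash source line that older releases needed.
  ansible.builtin.lineinfile:
    path: /etc/bash.bashrc
    insertafter: EOF
    regexp: "^source /usr/share/doc/fzf/examples/completion.bash"
    state: absent

- name: Shorten Grub timeout
  ansible.builtin.lineinfile:
    path: /etc/default/grub
    regexp: '^GRUB_TIMEOUT='
    line: "GRUB_TIMEOUT=1 # Managed by Ansible"
  notify: update grub

- name: Configure cron email
  ansible.builtin.lineinfile:
    path: /etc/crontab
    # Match any existing MAILTO so a changed notify_email replaces the old
    # line instead of leaving two MAILTO entries behind.
    regexp: '^MAILTO='
    insertafter: '^PATH'
    line: 'MAILTO={{ notify_email }}'

- name: Configure SSH
  # NOTE(review): bookworm's stock sshd_config starts with an
  # `Include /etc/ssh/sshd_config.d/*.conf`; sshd takes the first value it
  # sees, so a drop-in there silently overrides these lines — verify with
  # `sshd -T` after a run.
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    # Reject the edit if sshd would not accept the resulting file, so a bad
    # value cannot lock us out at the next reload.
    validate: "/usr/sbin/sshd -t -f %s"
  loop:
    - regexp: '^#?Port'
      line: 'Port {{ ssh_port }}'
    - regexp: '^#?PasswordAuthentication'
      line: 'PasswordAuthentication no'
    # PasswordAuthentication=no does not stop password prompts delivered
    # through PAM keyboard-interactive; that path has to be closed separately.
    - regexp: '^#?KbdInteractiveAuthentication'
      line: 'KbdInteractiveAuthentication no'
    - regexp: '^#?DebianBanner'
      line: 'DebianBanner no'
  notify: reload sshd

- name: Allow loopback traffic
  # With the DROP policy set below, new connections to 127.0.0.1/::1 (local
  # scrapes, local DB clients) would otherwise be dropped unless
  # trusted_ranges happens to include 127.0.0.0/8 and ::1/128.
  ansible.builtin.iptables:
    chain: INPUT
    in_interface: lo
    jump: ACCEPT
    ip_version: "{{ item }}"
  loop:
    - ipv4
    - ipv6
  notify: persist iptables
  when: not nft | bool

- name: Allow SSH
  # Must use the same ssh_port that the sshd task above configures.
  ansible.builtin.iptables:
    chain: INPUT
    protocol: tcp
    destination_port: "{{ ssh_port }}"
    ctstate: NEW
    jump: ACCEPT
    ip_version: "{{ item }}"
  loop:
    - ipv4
    - ipv6
  notify: persist iptables
  when: not nft | bool

- name: Allow ICMP
  # All ICMP types are accepted; ICMPv6 in particular is required for
  # neighbour discovery and path MTU discovery to work at all.
  ansible.builtin.iptables:
    chain: INPUT
    protocol: "{{ item.proto }}"
    jump: ACCEPT
    ip_version: "{{ item.ip }}"
  loop:
    - { ip: ipv4, proto: icmp }
    - { ip: ipv6, proto: ipv6-icmp }
  notify: persist iptables
  when: not nft | bool

- name: Allow related and established connections
  ansible.builtin.iptables:
    chain: INPUT
    ctstate: ESTABLISHED,RELATED
    jump: ACCEPT
    ip_version: "{{ item }}"
  loop:
    - ipv4
    - ipv6
  notify: persist iptables
  when: not nft | bool

- name: Allow local connections
  # Anything from a trusted range is accepted on every port.
  ansible.builtin.iptables:
    chain: INPUT
    source: "{{ item.cidr }}"
    jump: ACCEPT
    ip_version: "{{ item.v }}"
  loop: "{{ trusted_ranges }}"
  notify: persist iptables
  when: not nft | bool

- name: Deny inbound connections
  # Set the default policy last, after the ACCEPT rules above are in place.
  # Note this task only sets the policy; it does not flush rules added
  # outside of Ansible.
  ansible.builtin.iptables:
    chain: INPUT
    policy: DROP
    ip_version: "{{ item }}"
  loop:
    - ipv4
    - ipv6
  notify: persist iptables
  when: not nft | bool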