180 lines
4.4 KiB
YAML
180 lines
4.4 KiB
YAML
---
|
|
|
|
- name: Import debian-upgrade.yaml if not bookworm
|
|
ansible.builtin.import_tasks:
|
|
file: debian-upgrade.yaml
|
|
when: ansible_facts['distribution_release'] != "bookworm"
|
|
tags: [ debian-upgrade, never ]
|
|
|
|
- name: Apt config and sources.list
|
|
ansible.builtin.template:
|
|
src: "{{ item.src }}"
|
|
dest: "{{ item.dest }}"
|
|
mode: "{{ item.mode | default('0644') }}"
|
|
owner: "{{ item.owner | default('root') }}"
|
|
group: "{{ item.group | default('root') }}"
|
|
with_items:
|
|
- { src: "apt.conf.j2", dest: "/etc/apt/apt.conf" }
|
|
- { src: "sources.list.j2", dest: "/etc/apt/sources.list" }
|
|
- { src: "apt-auto-upgrades.j2", dest: "/etc/apt/apt.conf.d/20auto-upgrades" }
|
|
- { src: "apt-unattended-upgrades.j2", dest: "/etc/apt/apt.conf.d/50unattended-upgrades" }
|
|
register: aptconfig
|
|
when:
|
|
- ansible_os_family == "Debian"
|
|
tags:
|
|
- sourceslist
|
|
|
|
- name: Update authorized_keys
|
|
ansible.builtin.template:
|
|
src: authorized_keys.j2
|
|
dest: /root/.ssh/authorized_keys
|
|
mode: 0600
|
|
when: root_access is defined and root_access
|
|
tags: authorized_keys
|
|
|
|
- name: Import network tasks
|
|
ansible.builtin.import_tasks:
|
|
file: network.yaml
|
|
tags: network
|
|
|
|
- name: Import node-exporter
|
|
ansible.builtin.import_tasks:
|
|
file: node-exporter.yaml
|
|
tags: node-exporter
|
|
|
|
- name: Import vm tasks
|
|
ansible.builtin.import_tasks:
|
|
file: vm.yaml
|
|
tags:
|
|
- vm
|
|
- guestagent
|
|
|
|
- name: Remove debian-packages we don't want
|
|
ansible.builtin.apt:
|
|
state: absent
|
|
autoremove: true
|
|
pkg: "{{ debian_packages_unwanted|default([]) }}"
|
|
|
|
- name: Install standard packages
|
|
ansible.builtin.apt:
|
|
cache_valid_time: 3600
|
|
update_cache: "{{ aptconfig.changed | bool | default(false) }}"
|
|
pkg:
|
|
- curl
|
|
- fzf
|
|
- ack
|
|
- etckeeper
|
|
- git
|
|
- htop
|
|
- jq
|
|
- net-tools
|
|
- netcat-openbsd
|
|
- ripgrep
|
|
- rsync
|
|
- tree
|
|
- neovim
|
|
- vim
|
|
- unattended-upgrades
|
|
- apt-listchanges
|
|
|
|
- name: Configure FZF for Bash
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/bash.bashrc
|
|
insertafter: EOF
|
|
regexp: "^source /usr/share/doc/fzf/examples/key-bindings.bash"
|
|
line: "source /usr/share/doc/fzf/examples/key-bindings.bash # Managed by Ansible"
|
|
|
|
- name: Configure FZF for Bash (Bookworm)
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/bash.bashrc
|
|
insertafter: EOF
|
|
regexp: "^source /usr/share/doc/fzf/examples/completion.bash"
|
|
state: absent
|
|
|
|
- name: Shorten Grub timeout
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/default/grub
|
|
regexp: '^GRUB_TIMEOUT='
|
|
line: "GRUB_TIMEOUT=1 # Managed by Ansible"
|
|
notify: update grub
|
|
|
|
- name: Configure cron email
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/crontab
|
|
insertafter: '^PATH'
|
|
line: 'MAILTO={{ notify_email }}'
|
|
|
|
- name: Configure SSH
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: "{{ item.regexp }}"
|
|
line: "{{ item.line }}"
|
|
validate: "/usr/sbin/sshd -t -f %s"
|
|
with_items:
|
|
- regexp: '^#?Port'
|
|
line: 'Port {{ ssh_port }}'
|
|
- regexp: '^#?PasswordAuthentication'
|
|
line: 'PasswordAuthentication no'
|
|
- regexp: '^#?DebianBanner'
|
|
line: 'DebianBanner no'
|
|
when: manage_sshd_config | default(true)
|
|
notify: reload sshd
|
|
|
|
- name: Allow SSH
|
|
ansible.builtin.iptables:
|
|
chain: INPUT
|
|
protocol: tcp
|
|
destination_port: "{{ ssh_port }}"
|
|
ctstate: NEW
|
|
jump: ACCEPT
|
|
ip_version: "{{ item }}"
|
|
with_items:
|
|
- ipv4
|
|
- ipv6
|
|
notify: persist iptables
|
|
when: not nft | bool
|
|
|
|
- name: Allow ICMP
|
|
ansible.builtin.iptables:
|
|
chain: INPUT
|
|
protocol: "{{ item.proto }}"
|
|
jump: ACCEPT
|
|
ip_version: "{{ item.ip }}"
|
|
with_items:
|
|
- { ip: ipv4, proto: icmp }
|
|
- { ip: ipv6, proto: ipv6-icmp }
|
|
notify: persist iptables
|
|
when: not nft | bool
|
|
|
|
- name: Allow related and established connections
|
|
ansible.builtin.iptables:
|
|
chain: INPUT
|
|
ctstate: ESTABLISHED,RELATED
|
|
jump: ACCEPT
|
|
ip_version: "{{ item }}"
|
|
with_items:
|
|
- ipv4
|
|
- ipv6
|
|
notify: persist iptables
|
|
when: not nft | bool
|
|
|
|
- name: Allow local connections
|
|
ansible.builtin.iptables:
|
|
chain: INPUT
|
|
source: "{{ item.cidr }}"
|
|
jump: ACCEPT
|
|
ip_version: "{{ item.v }}"
|
|
with_items: "{{ trusted_ranges }}"
|
|
notify: persist iptables
|
|
when: not nft | bool
|
|
|
|
- name: Deny inbound connections
|
|
ansible.builtin.iptables:
|
|
chain: INPUT
|
|
policy: DROP
|
|
ip_version: "{{ item }}"
|
|
with_items:
|
|
- ipv4
|
|
- ipv6
|
|
notify: persist iptables
|
|
when: not nft | bool
|