---

# set hostname
# Sets the machine's hostname to the name this host has in the inventory,
# going through systemd (hostnamectl) rather than writing /etc/hostname directly.
- name: Set a hostname specifying strategy
  ansible.builtin.hostname:
    use: systemd
    # NOTE(review): inventory_hostname is used verbatim — if the inventory keys
    # hosts by IP address or FQDN, that string becomes the hostname. Confirm the
    # inventory uses short names (or switch to inventory_hostname_short).
    name: "{{ inventory_hostname }}"

# docker
# Packages needed before the Docker apt repository can be added, plus sudo and
# systemd-timesyncd, which a later task in this file enables.
- name: install dependencies
  ansible.builtin.apt:
    update_cache: true
    # latest: these packages are upgraded on every run, not just installed once.
    state: latest
    name:
      - apt-transport-https
      - ca-certificates
      - curl
      - gnupg-agent
      - software-properties-common
      - sudo
      - systemd-timesyncd

# Refresh the package index (at most once per day) and apply pending upgrades.
# NOTE(review): this is the only task in the file with an explicit become;
# the others rely on privilege escalation being set at play level — confirm.
- name: Update and upgrade apt packages
  become: true
  ansible.builtin.apt:
    # "safe" is the same mode the original selected with "yes" (apt-get upgrade);
    # spelled out so a YAML boolean is not handed to a string option.
    upgrade: safe
    update_cache: true
    cache_valid_time: 86400  # one day, in seconds

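# Remove the classic ntp daemon first, then make systemd-timesyncd the active
# time client. The original enabled timesyncd before removing ntp; doing the
# removal first means there is never a window with two time clients configured.
- name: purge ntp
  ansible.builtin.apt:
    name:
      - ntp
    # state: absent removes the package but leaves its configuration behind;
    # add "purge: true" if the task name is meant literally.
    state: absent

- name: enable systemd-timesyncd
  ansible.builtin.systemd_service:
    name: systemd-timesyncd
    # "started" instead of "restarted": restarting on every run is not
    # idempotent and bounces the clock source each time the role is applied.
    state: started
    enabled: true
    daemon_reload: true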

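# Store the Docker signing key in its own keyring and bind it to the Docker
# repository with signed-by=, instead of apt_key, which adds the key to apt's
# global trusted keyring (apt-key is deprecated on current Debian). Scoped this
# way, the key can only authenticate packages from this one source.
- name: ensure /etc/apt/keyrings exists
  ansible.builtin.file:
    path: /etc/apt/keyrings
    state: directory
    owner: root
    group: root
    mode: "0755"

- name: docker GPG key
  ansible.builtin.get_url:
    # get_url verifies the TLS certificate by default; do not add
    # validate_certs: false here.
    url: https://download.docker.com/linux/debian/gpg
    dest: /etc/apt/keyrings/docker.asc
    owner: root
    group: root
    mode: "0644"
  # TODO(review): after the first fetch, compare the key's fingerprint
  # (gpg --show-keys /etc/apt/keyrings/docker.asc) with the value published in
  # Docker's Debian install docs, so a tampered download is noticed rather than
  # trusted.

- name: repository docker
  ansible.builtin.apt_repository:
    repo: "deb [signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
    # Fixed file name so the source line lands in /etc/apt/sources.list.d/docker.list.
    filename: docker
    state: present
  # NOTE(review): hosts provisioned with the previous apt_key/unscoped source
  # line may keep that entry and the globally trusted key; apt_repository only
  # manages the line it is given, so clean those up by hand once.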

# Install the Docker engine, CLI and containerd from the repository added above.
- name: install docker
  ansible.builtin.apt:
    update_cache: true
    # latest: every run may move to a newer engine release — nothing pins a version.
    state: latest
    name:
      - docker-ce
      - docker-ce-cli
      - containerd.io

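- name: enable docker
  ansible.builtin.systemd_service:
    name: docker
    # "started", not "restarted": restarting dockerd on every play run is not
    # idempotent and, unless live-restore is configured in the daemon, stops
    # every running container each time the role is applied.
    state: started
    enabled: true

- name: copy docker-compose@.service
  ansible.builtin.copy:
    src: ../files/docker-compose@.service
    dest: /etc/systemd/system/docker-compose@.service
    owner: root
    group: root
    mode: "0644"
  register: compose_unit

# The daemon reload must come after the unit file is written. The original
# reloaded on the "enable docker" task, i.e. before the copy, so a new or
# changed docker-compose@.service was not seen by systemd until some later
# reload happened to run.
- name: reload systemd after installing docker-compose@.service
  ansible.builtin.systemd_service:
    daemon_reload: true
  when: compose_unit is changed

# Directory the docker-compose@ template unit is expected to read its projects
# from; root-only because compose files commonly carry credentials.
- name: ensure /etc/docker/compose exist
  ansible.builtin.file:
    path: /etc/docker/compose
    state: directory
    owner: root
    group: root
    mode: "0700"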

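# SSH
- name: Copy sshd_config
  ansible.builtin.copy:
    src: ../files/sshd_config
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: "0644"
    # Syntax-check the new file before it replaces the live one: a broken
    # sshd_config followed by the restart below would lock every operator
    # out of the host. %s is the temporary upload path.
    validate: '/usr/sbin/sshd -t -f %s'
  register: sshd_config

# NOTE(review): Debian installs the unit as ssh.service with sshd as an alias;
# the alias works for start/restart, but confirm "enabled" is accepted on the
# systemd version in use, or rename to "ssh".
- name: ensure sshd is enabled and running
  ansible.builtin.service:
    name: sshd
    state: started
    enabled: true

# Restart only when the configuration actually changed; the original restarted
# the daemon on every run.
- name: restart sshd
  ansible.builtin.service:
    name: sshd
    state: restarted
  when: sshd_config is changed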

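# FIREWALL
- name: install UFW
  ansible.builtin.apt:
    name: ufw
    state: latest

# State the inbound default explicitly instead of relying on the shipped
# /etc/default/ufw policy.
- name: deny incoming by default
  ufw:
    direction: incoming
    default: deny

# SSH is allowed in the same task that enables the firewall, so the control
# connection is never cut between the two steps.
- name: allow ssh from everywhere and enable
  ufw:
    rule: allow
    name: OpenSSH
    state: enabled

# NOTE(review): these rules do not cover ports published by Docker. dockerd
# writes its own iptables rules (DOCKER / DOCKER-USER chains in FORWARD) that
# are evaluated ahead of ufw's, so any container port published with -p /
# "ports:" is reachable from outside regardless of ufw. Restrict such ports in
# the DOCKER-USER chain or bind them to 127.0.0.1 — confirm against the
# iptables state of a provisioned host.
- name: ensure ufw service is enabled and running
  ansible.builtin.service:
    name: ufw
    # "started", not "restarted": ufw enable above already applies the rules;
    # restarting the service on every run only reloads the same rule set.
    state: started
    enabled: true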

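# FAIL2BAN
- name: install fail2ban
  ansible.builtin.apt:
    name: fail2ban
    state: latest

# Local settings belong in jail.local: fail2ban documents jail.conf as the
# packaged file that an upgrade may overwrite, and the upgrade task earlier in
# this role runs on every play. The original wrote to jail.conf, so the custom
# jails could be lost or end up in a conffile conflict on the next fail2ban
# upgrade. jail.local is read after jail.conf and overrides it key by key.
- name: Copy jail.conf
  ansible.builtin.copy:
    src: ../files/jail.conf
    dest: /etc/fail2ban/jail.local
    owner: root
    group: root
    mode: "0644"
  register: fail2ban_jail
  # NOTE(review): hosts already provisioned by the old task keep their
  # modified /etc/fail2ban/jail.conf; jail.local wins on conflicting keys, but
  # restore the packaged jail.conf on those hosts so the two do not diverge.

- name: ensure fail2ban is enabled and running
  ansible.builtin.service:
    name: fail2ban
    state: started
    enabled: true

# Reload the jails only when the local configuration changed; the original
# restarted fail2ban on every run, which also clears its current ban table.
- name: restart fail2ban
  ansible.builtin.service:
    name: fail2ban
    state: restarted
  when: fail2ban_jail is changed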