---
# set hostname
# Hostname is taken from the inventory entry for this host and applied
# through systemd (hostnamectl) rather than by auto-detection.
- name: Set a hostname specifying strategy
  ansible.builtin.hostname:
    use: systemd
    name: "{{ inventory_hostname }}"
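# docker
- name: install dependencies
  ansible.builtin.apt:
    name:
      - apt-transport-https
      - ca-certificates
      - curl
      - gnupg-agent
      - software-properties-common
      - systemd-timesyncd
    state: latest
    update_cache: true
- name: enable systemd-timesyncd
  ansible.builtin.systemd_service:
    name: systemd-timesyncd
    state: restarted
    enabled: true
    daemon_reload: true
- name: purge ntp
  ansible.builtin.apt:
    name:
      - ntp
    state: absent
    # the task is named "purge": remove ntp's configuration files as well,
    # state=absent alone leaves them behind
    purge: true
# apt_key (apt-key) is deprecated and would make this key trusted for
# every apt repository on the host; keep it in its own file and bind it
# to the docker repository only, via signed-by in the repo line below
- name: ensure apt keyring directory exists
  ansible.builtin.file:
    path: /etc/apt/keyrings
    state: directory
    owner: root
    group: root
    mode: "0755"
- name: docker GPG key
  ansible.builtin.get_url:
    url: https://download.docker.com/linux/debian/gpg
    dest: /etc/apt/keyrings/docker.asc
    owner: root
    group: root
    mode: "0644"
    # TODO(review): pin the downloaded key so a changed upstream file is
    # rejected instead of trusted, e.g. checksum: "sha256:<expected-digest>"
- name: repository docker
  ansible.builtin.apt_repository:
    repo: "deb [signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
    state: present
- name: install docker
  ansible.builtin.apt:
    name:
      - docker-ce
      - docker-ce-cli
      - containerd.io
    state: latest
    update_cache: true
- name: enable docker
  ansible.builtin.systemd_service:
    name: docker
    state: restarted
    enabled: true
    daemon_reload: true
- name: copy docker-compose@.service
  ansible.builtin.copy:
    src: ../files/docker-compose@.service
    dest: /etc/systemd/system/docker-compose@.service
    owner: root
    group: root
    mode: u=rw,g=r,o=r
# a unit file copied into /etc/systemd/system is not seen by systemd
# until it re-reads its configuration; the daemon_reload in "enable
# docker" above ran before the copy
- name: reload systemd after installing docker-compose@.service
  ansible.builtin.systemd_service:
    daemon_reload: true
- name: ensure /etc/docker/compose exist
  ansible.builtin.file:
    path: /etc/docker/compose
    state: directory
    owner: root
    group: root
    # quoted: an unquoted 0700 reaches the module as the integer 448
    mode: "0700"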
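# SSH
- name: Copy sshd_config
  ansible.builtin.copy:
    src: ../files/sshd_config
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: u=rw,g=r,o=r
    # refuse to install a config sshd cannot parse; without this a broken
    # file is put in place and the restart below locks us out of the host
    validate: /usr/sbin/sshd -t -f %s
- name: restart sshd
  ansible.builtin.service:
    name: sshd
    state: restarted
    enabled: true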
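# FIREWALL
- name: install UFW
  ansible.builtin.apt:
    name: ufw
    state: latest
# set the default policy explicitly before the firewall is enabled so the
# host never depends on the package default for inbound traffic
- name: deny incoming traffic by default
  community.general.ufw:
    direction: incoming
    policy: deny
# the SSH allow rule and enabling ufw happen in one task so there is no
# state in which the firewall is up without an SSH rule
- name: allow ssh from everywhere and enable
  community.general.ufw:
    rule: allow
    name: OpenSSH
    state: enabled
- name: restart ufw
  ansible.builtin.service:
    name: ufw
    state: restarted
    enabled: true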
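# FAIL2BAN
- name: install fail2ban
  ansible.builtin.apt:
    name: fail2ban
    state: latest
- name: Copy jail.conf
  ansible.builtin.copy:
    src: ../files/jail.conf
    # installed as jail.local: the package owns /etc/fail2ban/jail.conf and
    # replaces it on upgrade, silently dropping our settings; jail.local is
    # read after jail.conf and overrides it
    dest: /etc/fail2ban/jail.local
    owner: root
    group: root
    mode: u=rw,g=r,o=r
- name: restart fail2ban
  ansible.builtin.service:
    name: fail2ban
    state: restarted
    enabled: true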
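# DNS
- name: install systemd-resolved
  ansible.builtin.apt:
    name: systemd-resolved
    state: latest
- name: Check if systemd-resolved config exists
  ansible.builtin.stat:
    path: /etc/systemd/resolved.conf
  register: systemd_resolved_config
  # read-only check; run it in --check mode too so the include below is decided
  check_mode: false
- name: Update DNS servers for systemd-resolved
  ansible.builtin.include_tasks:
    file: 'systemd-resolved.yml'
  when: systemd_resolved_config.stat.exists | bool
# no shell features are used, so run pgrep directly instead of through
# a shell; a non-zero exit (no process) is a valid answer, not a failure
- name: Check if systemd-resolved runs
  ansible.builtin.command: pgrep systemd-resolve
  failed_when: false
  changed_when: false
  register: systemd_resolved_running
  check_mode: false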