linderhof/playbooks/bootstrap.yml

---
- name: Bootstrap Ubuntu server
  hosts: all
  become: true
  vars:
    ansible_user: root

  pre_tasks:
    - name: Ensure apt cache is up to date
      apt:
        update_cache: true
        cache_valid_time: 3600

  tasks:
    - name: Set timezone
      timezone:
        name: "{{ timezone }}"

    - name: Set root password
      ansible.builtin.user:
        name: root
        password: "{{ root_password | password_hash('sha512') }}"

    - name: Create admin user
      ansible.builtin.user:
        name: "{{ admin_user }}"
        password: "{{ admin_password | password_hash('sha512') }}"
        groups: sudo
        shell: "{{ admin_shell }}"
        append: true
        create_home: true

    - name: Grant admin user passwordless sudo
      lineinfile:
        path: /etc/sudoers.d/{{ admin_user }}
        line: "{{ admin_user }} ALL=(ALL) NOPASSWD:ALL"
        create: true
        mode: "0440"
        validate: visudo -cf %s

    # BUG: ansible.posix.authorized_key emits a deprecation warning — this is a known upstream bug:
    # https://github.com/ansible-collections/ansible.posix/issues/695
    - name: Authorize SSH key for admin user
      ansible.posix.authorized_key:
        user: "{{ admin_user }}"
        key: "{{ admin_ssh_key }}"

    - name: Disable root SSH login
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PermitRootLogin'
        line: 'PermitRootLogin no'
      notify: restart ssh

    - name: Disable password authentication
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PasswordAuthentication'
        line: 'PasswordAuthentication no'
      notify: restart ssh

    - name: Install base packages
      apt:
        name:
          - ca-certificates
          - curl
          - git
          - tmux
          - neovim
          - ripgrep
          - fd-find
          - zsh
          - ufw
          - fail2ban
          - rclone
          - bat
          - lsb-release
          - rsync
        state: present

    - name: Enable UFW
      ufw:
        state: enabled
        policy: deny

    - name: Allow SSH
      ufw:
        rule: allow
        port: 22
        proto: tcp

    - name: Enable fail2ban
      systemd:
        name: fail2ban
        enabled: true
        state: started

  handlers:
    - name: restart ssh
      service:
        name: ssh
        state: restarted

  roles:
    - role: docker
initial commit Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-27 15:09:25 -07:00			`---`
			`- name: Bootstrap Ubuntu server`
			`hosts: all`
			`become: true`
Fix fresh-deploy blockers and clean up architecture - Seed postfix-accounts.cf before mailserver start to satisfy Dovecot's requirement for at least one account on first boot - Add failed_when: false to mail user/alias list tasks (files don't exist on first run) - Add forgejo_runner_version (was undefined); default to 12 - Create /srv/forgejo/data/gitea/conf before deploying app.ini - Decouple goaccess sync from restic: new enable_goaccess_sync flag with its own goaccess_sync_* variables - Move Docker installation to bootstrap exclusively; rename docker.yml to networks.yml (runs docker_network role only) - Add radicale_password to vault template and setup.sh - Fix goaccess sync tasks gated on enable_goaccess_sync - Add upstream bug comment to authorized_key deprecation warning - Update CLAUDE.md and README.md throughout Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-28 00:51:16 -07:00			`vars:`
			`ansible_user: root`
initial commit Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-27 15:09:25 -07:00
			`pre_tasks:`
			`- name: Ensure apt cache is up to date`
			`apt:`
			`update_cache: true`
			`cache_valid_time: 3600`

			`tasks:`
			`- name: Set timezone`
			`timezone:`
			`name: "{{ timezone }}"`

Fix fresh-deploy blockers and clean up architecture - Seed postfix-accounts.cf before mailserver start to satisfy Dovecot's requirement for at least one account on first boot - Add failed_when: false to mail user/alias list tasks (files don't exist on first run) - Add forgejo_runner_version (was undefined); default to 12 - Create /srv/forgejo/data/gitea/conf before deploying app.ini - Decouple goaccess sync from restic: new enable_goaccess_sync flag with its own goaccess_sync_* variables - Move Docker installation to bootstrap exclusively; rename docker.yml to networks.yml (runs docker_network role only) - Add radicale_password to vault template and setup.sh - Fix goaccess sync tasks gated on enable_goaccess_sync - Add upstream bug comment to authorized_key deprecation warning - Update CLAUDE.md and README.md throughout Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-28 00:51:16 -07:00			`- name: Set root password`
			`ansible.builtin.user:`
			`name: root`
			`password: "{{ root_password \| password_hash('sha512') }}"`

initial commit Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-27 15:09:25 -07:00			`- name: Create admin user`
Fix fresh-deploy blockers and clean up architecture - Seed postfix-accounts.cf before mailserver start to satisfy Dovecot's requirement for at least one account on first boot - Add failed_when: false to mail user/alias list tasks (files don't exist on first run) - Add forgejo_runner_version (was undefined); default to 12 - Create /srv/forgejo/data/gitea/conf before deploying app.ini - Decouple goaccess sync from restic: new enable_goaccess_sync flag with its own goaccess_sync_* variables - Move Docker installation to bootstrap exclusively; rename docker.yml to networks.yml (runs docker_network role only) - Add radicale_password to vault template and setup.sh - Fix goaccess sync tasks gated on enable_goaccess_sync - Add upstream bug comment to authorized_key deprecation warning - Update CLAUDE.md and README.md throughout Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-28 00:51:16 -07:00			`ansible.builtin.user:`
initial commit Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-27 15:09:25 -07:00			`name: "{{ admin_user }}"`
Fix fresh-deploy blockers and clean up architecture - Seed postfix-accounts.cf before mailserver start to satisfy Dovecot's requirement for at least one account on first boot - Add failed_when: false to mail user/alias list tasks (files don't exist on first run) - Add forgejo_runner_version (was undefined); default to 12 - Create /srv/forgejo/data/gitea/conf before deploying app.ini - Decouple goaccess sync from restic: new enable_goaccess_sync flag with its own goaccess_sync_* variables - Move Docker installation to bootstrap exclusively; rename docker.yml to networks.yml (runs docker_network role only) - Add radicale_password to vault template and setup.sh - Fix goaccess sync tasks gated on enable_goaccess_sync - Add upstream bug comment to authorized_key deprecation warning - Update CLAUDE.md and README.md throughout Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-28 00:51:16 -07:00			`password: "{{ admin_password \| password_hash('sha512') }}"`
initial commit Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-27 15:09:25 -07:00			`groups: sudo`
			`shell: "{{ admin_shell }}"`
			`append: true`
			`create_home: true`

Fix fresh-deploy blockers and clean up architecture - Seed postfix-accounts.cf before mailserver start to satisfy Dovecot's requirement for at least one account on first boot - Add failed_when: false to mail user/alias list tasks (files don't exist on first run) - Add forgejo_runner_version (was undefined); default to 12 - Create /srv/forgejo/data/gitea/conf before deploying app.ini - Decouple goaccess sync from restic: new enable_goaccess_sync flag with its own goaccess_sync_* variables - Move Docker installation to bootstrap exclusively; rename docker.yml to networks.yml (runs docker_network role only) - Add radicale_password to vault template and setup.sh - Fix goaccess sync tasks gated on enable_goaccess_sync - Add upstream bug comment to authorized_key deprecation warning - Update CLAUDE.md and README.md throughout Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-28 00:51:16 -07:00			`- name: Grant admin user passwordless sudo`
			`lineinfile:`
			`path: /etc/sudoers.d/{{ admin_user }}`
			`line: "{{ admin_user }} ALL=(ALL) NOPASSWD:ALL"`
			`create: true`
			`mode: "0440"`
			`validate: visudo -cf %s`

			`# BUG: ansible.posix.authorized_key emits a deprecation warning — this is a known upstream bug:`
			`# https://github.com/ansible-collections/ansible.posix/issues/695`
initial commit Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-27 15:09:25 -07:00			`- name: Authorize SSH key for admin user`
Fix fresh-deploy blockers and clean up architecture - Seed postfix-accounts.cf before mailserver start to satisfy Dovecot's requirement for at least one account on first boot - Add failed_when: false to mail user/alias list tasks (files don't exist on first run) - Add forgejo_runner_version (was undefined); default to 12 - Create /srv/forgejo/data/gitea/conf before deploying app.ini - Decouple goaccess sync from restic: new enable_goaccess_sync flag with its own goaccess_sync_* variables - Move Docker installation to bootstrap exclusively; rename docker.yml to networks.yml (runs docker_network role only) - Add radicale_password to vault template and setup.sh - Fix goaccess sync tasks gated on enable_goaccess_sync - Add upstream bug comment to authorized_key deprecation warning - Update CLAUDE.md and README.md throughout Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-28 00:51:16 -07:00			`ansible.posix.authorized_key:`
initial commit Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-27 15:09:25 -07:00			`user: "{{ admin_user }}"`
			`key: "{{ admin_ssh_key }}"`

			`- name: Disable root SSH login`
			`lineinfile:`
			`path: /etc/ssh/sshd_config`
			`regexp: '^PermitRootLogin'`
			`line: 'PermitRootLogin no'`
			`notify: restart ssh`

			`- name: Disable password authentication`
			`lineinfile:`
			`path: /etc/ssh/sshd_config`
			`regexp: '^PasswordAuthentication'`
			`line: 'PasswordAuthentication no'`
			`notify: restart ssh`

			`- name: Install base packages`
			`apt:`
			`name:`
			`- ca-certificates`
			`- curl`
			`- git`
			`- tmux`
			`- neovim`
			`- ripgrep`
			`- fd-find`
			`- zsh`
			`- ufw`
			`- fail2ban`
			`- rclone`
			`- bat`
			`- lsb-release`
			`- rsync`
			`state: present`

			`- name: Enable UFW`
			`ufw:`
			`state: enabled`
			`policy: deny`

			`- name: Allow SSH`
			`ufw:`
			`rule: allow`
			`port: 22`
			`proto: tcp`

			`- name: Enable fail2ban`
			`systemd:`
			`name: fail2ban`
			`enabled: true`
			`state: started`

			`handlers:`
			`- name: restart ssh`
			`service:`
			`name: ssh`
			`state: restarted`

			`roles:`
			`- role: docker`