linderhof/playbooks/bootstrap.yml

---
- name: Bootstrap Ubuntu server
  hosts: all
  become: true

  pre_tasks:
    - name: Ensure apt cache is up to date
      apt:
        update_cache: true
        cache_valid_time: 3600

  tasks:
    - name: Set timezone
      timezone:
        name: "{{ timezone }}"

    - name: Create admin user
      user:
        name: "{{ admin_user }}"
        groups: sudo
        shell: "{{ admin_shell }}"
        append: true
        create_home: true

    - name: Authorize SSH key for admin user
      authorized_key:
        user: "{{ admin_user }}"
        key: "{{ admin_ssh_key }}"

    - name: Disable root SSH login
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PermitRootLogin'
        line: 'PermitRootLogin no'
      notify: restart ssh

    - name: Disable password authentication
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PasswordAuthentication'
        line: 'PasswordAuthentication no'
      notify: restart ssh

    - name: Install base packages
      apt:
        name:
          - ca-certificates
          - curl
          - git
          - tmux
          - neovim
          - ripgrep
          - fd-find
          - zsh
          - ufw
          - fail2ban
          - rclone
          - bat
          - lsb-release
          - rsync
        state: present

    - name: Enable UFW
      ufw:
        state: enabled
        policy: deny

    - name: Allow SSH
      ufw:
        rule: allow
        port: 22
        proto: tcp

    - name: Enable fail2ban
      systemd:
        name: fail2ban
        enabled: true
        state: started

  handlers:
    - name: restart ssh
      service:
        name: ssh
        state: restarted

  roles:
    - role: docker
initial commit Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-27 15:09:25 -07:00			`---`
			`- name: Bootstrap Ubuntu server`
			`hosts: all`
			`become: true`

			`pre_tasks:`
			`- name: Ensure apt cache is up to date`
			`apt:`
			`update_cache: true`
			`cache_valid_time: 3600`

			`tasks:`
			`- name: Set timezone`
			`timezone:`
			`name: "{{ timezone }}"`

			`- name: Create admin user`
			`user:`
			`name: "{{ admin_user }}"`
			`groups: sudo`
			`shell: "{{ admin_shell }}"`
			`append: true`
			`create_home: true`

			`- name: Authorize SSH key for admin user`
			`authorized_key:`
			`user: "{{ admin_user }}"`
			`key: "{{ admin_ssh_key }}"`

			`- name: Disable root SSH login`
			`lineinfile:`
			`path: /etc/ssh/sshd_config`
			`regexp: '^PermitRootLogin'`
			`line: 'PermitRootLogin no'`
			`notify: restart ssh`

			`- name: Disable password authentication`
			`lineinfile:`
			`path: /etc/ssh/sshd_config`
			`regexp: '^PasswordAuthentication'`
			`line: 'PasswordAuthentication no'`
			`notify: restart ssh`

			`- name: Install base packages`
			`apt:`
			`name:`
			`- ca-certificates`
			`- curl`
			`- git`
			`- tmux`
			`- neovim`
			`- ripgrep`
			`- fd-find`
			`- zsh`
			`- ufw`
			`- fail2ban`
			`- rclone`
			`- bat`
			`- lsb-release`
			`- rsync`
			`state: present`

			`- name: Enable UFW`
			`ufw:`
			`state: enabled`
			`policy: deny`

			`- name: Allow SSH`
			`ufw:`
			`rule: allow`
			`port: 22`
			`proto: tcp`

			`- name: Enable fail2ban`
			`systemd:`
			`name: fail2ban`
			`enabled: true`
			`state: started`

			`handlers:`
			`- name: restart ssh`
			`service:`
			`name: ssh`
			`state: restarted`

			`roles:`
			`- role: docker`