initial commit

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

playbooks/bootstrap.yml

@@ -0,0 +1,87 @@
+---
+- name: Bootstrap Ubuntu server
+  hosts: all
+  become: true
+
+  pre_tasks:
+    - name: Ensure apt cache is up to date
+      apt:
+        update_cache: true
+        cache_valid_time: 3600
+
+  tasks:
+    - name: Set timezone
+      timezone:
+        name: "{{ timezone }}"
+
+    - name: Create admin user
+      user:
+        name: "{{ admin_user }}"
+        groups: sudo
+        shell: "{{ admin_shell }}"
+        append: true
+        create_home: true
+
+    - name: Authorize SSH key for admin user
+      authorized_key:
+        user: "{{ admin_user }}"
+        key: "{{ admin_ssh_key }}"
+
+    - name: Disable root SSH login
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^PermitRootLogin'
+        line: 'PermitRootLogin no'
+      notify: restart ssh
+
+    - name: Disable password authentication
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^PasswordAuthentication'
+        line: 'PasswordAuthentication no'
+      notify: restart ssh
+
+    - name: Install base packages
+      apt:
+        name:
+          - ca-certificates
+          - curl
+          - git
+          - tmux
+          - neovim
+          - ripgrep
+          - fd-find
+          - zsh
+          - ufw
+          - fail2ban
+          - rclone
+          - bat
+          - lsb-release
+          - rsync
+        state: present
+
+    - name: Enable UFW
+      ufw:
+        state: enabled
+        policy: deny
+
+    - name: Allow SSH
+      ufw:
+        rule: allow
+        port: 22
+        proto: tcp
+
+    - name: Enable fail2ban
+      systemd:
+        name: fail2ban
+        enabled: true
+        state: started
+
+  handlers:
+    - name: restart ssh
+      service:
+        name: ssh
+        state: restarted
+
+  roles:
+    - role: docker