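---
# Bootstrap a fresh Ubuntu host: time zone, root/admin accounts, key-only SSH,
# baseline packages, UFW and fail2ban.
#
# Expected vars (inventory / group_vars; keep root_password, admin_password and
# admin_ssh_key in a vault-encrypted file rather than plain text):
#   timezone, root_password, admin_user, admin_password, admin_shell,
#   admin_ssh_key
- name: Bootstrap Ubuntu server
  hosts: all
  become: true
  vars:
    ansible_user: root

  pre_tasks:
    - name: Ensure apt cache is up to date
      ansible.builtin.apt:
        update_cache: true
        cache_valid_time: 3600

  # Roles always run after pre_tasks and before tasks, wherever the key sits in
  # the play, so the docker role executes before every task below. If that role
  # installs Docker Engine, be aware Docker programs iptables itself and
  # published container ports are reachable regardless of the UFW policy set
  # later in this play.
  roles:
    - role: docker

  tasks:
    - name: Set timezone
      community.general.timezone:
        name: "{{ timezone }}"

    # Installed first so that admin_shell (e.g. zsh) and the ufw / fail2ban
    # binaries exist before the tasks that reference them.
    - name: Install base packages
      ansible.builtin.apt:
        name:
          - ca-certificates
          - curl
          - git
          - tmux
          - neovim
          - ripgrep
          - fd-find
          - zsh
          - ufw
          - fail2ban
          - rclone
          - bat
          - lsb-release
          - rsync
        state: present

    # The salt is derived from the host name so the hash is stable across runs;
    # an unsalted password_hash yields a new hash every run, so the user module
    # would report "changed" on every play. no_log keeps the hashed value and
    # the source variable out of task output even at -vvv.
    - name: Set root password
      ansible.builtin.user:
        name: root
        password: "{{ root_password | password_hash('sha512', 65534 | random(seed=inventory_hostname ~ '-root') | string) }}"
      no_log: true

    - name: Create admin user
      ansible.builtin.user:
        name: "{{ admin_user }}"
        password: "{{ admin_password | password_hash('sha512', 65534 | random(seed=inventory_hostname ~ '-' ~ admin_user) | string) }}"
        groups: sudo
        shell: "{{ admin_shell }}"
        append: true
        create_home: true
      no_log: true

    # validate runs visudo on the temp file first, so a malformed line can never
    # land in sudoers.d and break sudo for everyone.
    - name: Grant admin user passwordless sudo
      ansible.builtin.lineinfile:
        path: "/etc/sudoers.d/{{ admin_user }}"
        line: "{{ admin_user }} ALL=(ALL) NOPASSWD:ALL"
        create: true
        mode: "0440"
        validate: visudo -cf %s

    # BUG: ansible.posix.authorized_key emits a deprecation warning — this is a known upstream bug:
    # https://github.com/ansible-collections/ansible.posix/issues/695
    - name: Authorize SSH key for admin user
      ansible.posix.authorized_key:
        user: "{{ admin_user }}"
        key: "{{ admin_ssh_key }}"

    # sshd uses the FIRST value it sees for a directive, and Ubuntu's
    # /etc/ssh/sshd_config begins with "Include /etc/ssh/sshd_config.d/*.conf".
    # Cloud images commonly ship a drop-in there (e.g. 50-cloud-init.conf) that
    # sets PasswordAuthentication yes, so a line that lineinfile appends to the
    # end of sshd_config is silently overridden and password logins stay open.
    # A drop-in whose name sorts before the others wins instead; the "00-"
    # prefix is chosen here and must remain lexically first. validate rejects
    # a bad file before it is installed, so the restart cannot lock us out.
    # Requires OpenSSH >= 8.2 (Ubuntu 20.04+) for the sshd_config.d directory.
    - name: Harden sshd (no root login, no password authentication)
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/00-bootstrap-hardening.conf
        content: |
          PermitRootLogin no
          PasswordAuthentication no
        owner: root
        group: root
        mode: "0644"
        validate: /usr/sbin/sshd -t -f %s
      notify: restart ssh

    # The allow rule must exist BEFORE the default-deny policy is enabled;
    # the original order blocked new SSH connections until the allow task ran.
    - name: Allow SSH
      community.general.ufw:
        rule: allow
        port: "22"
        proto: tcp

    - name: Enable UFW
      community.general.ufw:
        state: enabled
        policy: deny

    - name: Enable fail2ban
      ansible.builtin.systemd:
        name: fail2ban
        enabled: true
        state: started

  handlers:
    # Runs once at the end of the play if the sshd drop-in changed.
    - name: restart ssh
      ansible.builtin.service:
        name: ssh
        state: restarted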