- Seed postfix-accounts.cf before mailserver start to satisfy Dovecot's requirement for at least one account on first boot - Add failed_when: false to mail user/alias list tasks (files don't exist on first run) - Add forgejo_runner_version (was undefined); default to 12 - Create /srv/forgejo/data/gitea/conf before deploying app.ini - Decouple goaccess sync from restic: new enable_goaccess_sync flag with its own goaccess_sync_* variables - Move Docker installation to bootstrap exclusively; rename docker.yml to networks.yml (runs docker_network role only) - Add radicale_password to vault template and setup.sh - Fix goaccess sync tasks gated on enable_goaccess_sync - Add upstream bug comment to authorized_key deprecation warning - Update CLAUDE.md and README.md throughout Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
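---
# Bootstrap play for a fresh Ubuntu host: base packages, an admin user with
# key-only SSH access, hardened sshd, ufw with a default-deny inbound policy,
# and fail2ban. Expects timezone, root_password, admin_user, admin_password,
# admin_shell and admin_ssh_key to be supplied by inventory/vault.
#
# Execution order within a play is fixed by Ansible, not by key position:
# pre_tasks -> roles -> tasks -> post_tasks. The `docker` role listed at the
# bottom therefore runs BEFORE every task below, including the ufw setup.
- name: Bootstrap Ubuntu server
  hosts: all
  become: true
  vars:
    ansible_user: root

  pre_tasks:
    - name: Ensure apt cache is up to date
      ansible.builtin.apt:
        update_cache: true
        cache_valid_time: 3600

  tasks:
    - name: Set timezone
      ansible.builtin.timezone:
        name: "{{ timezone }}"

    # password_hash() generates a fresh random salt on every run, so these two
    # user tasks report "changed" and rewrite the hash each time the play runs.
    # Pass a fixed salt (password_hash('sha512', salt)) if a stable hash is wanted.
    - name: Set root password
      ansible.builtin.user:
        name: root
        password: "{{ root_password | password_hash('sha512') }}"

    - name: Create admin user
      ansible.builtin.user:
        name: "{{ admin_user }}"
        password: "{{ admin_password | password_hash('sha512') }}"
        groups: sudo
        shell: "{{ admin_shell }}"
        append: true
        create_home: true

    # NOPASSWD sudo for the admin account: any compromise of that account (or
    # its SSH key) is a root compromise. The file is only written if visudo
    # accepts it, so a malformed line cannot break sudo for the host.
    - name: Grant admin user passwordless sudo
      ansible.builtin.lineinfile:
        path: "/etc/sudoers.d/{{ admin_user }}"
        line: "{{ admin_user }} ALL=(ALL) NOPASSWD:ALL"
        create: true
        mode: "0440"
        validate: visudo -cf %s

    # The key must be installed before password authentication is disabled
    # below, otherwise the admin user has no way in after the ssh restart.
    # BUG: ansible.posix.authorized_key emits a deprecation warning — this is a known upstream bug:
    # https://github.com/ansible-collections/ansible.posix/issues/695
    - name: Authorize SSH key for admin user
      ansible.posix.authorized_key:
        user: "{{ admin_user }}"
        key: "{{ admin_ssh_key }}"

    # Both sshd edits are validated with `sshd -t` before the file is replaced
    # so a bad edit cannot leave the host unreachable after the restart handler.
    # NOTE(review): recent Ubuntu releases ship `Include /etc/ssh/sshd_config.d/*.conf`
    # at the top of sshd_config, and a drop-in there (e.g. from cloud-init) can
    # override these two settings because the first matching directive wins —
    # confirm on the target image.
    - name: Disable root SSH login
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PermitRootLogin'
        line: 'PermitRootLogin no'
        validate: sshd -t -f %s
      notify: restart ssh

    - name: Disable password authentication
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PasswordAuthentication'
        line: 'PasswordAuthentication no'
        validate: sshd -t -f %s
      notify: restart ssh

    # ufw and fail2ban are installed here; the tasks that configure them follow.
    - name: Install base packages
      ansible.builtin.apt:
        name:
          - ca-certificates
          - curl
          - git
          - tmux
          - neovim
          - ripgrep
          - fd-find
          - zsh
          - ufw
          - fail2ban
          - rclone
          - bat
          - lsb-release
          - rsync
        state: present

    # Allow SSH BEFORE enabling the firewall with a deny policy: if the play
    # stopped between the two tasks (or ran against a host with no established
    # session) the reverse order would lock out all future SSH connections.
    - name: Allow SSH
      community.general.ufw:
        rule: allow
        port: 22
        proto: tcp

    # NOTE(review): Docker programs its own iptables chains, so ports published
    # by containers are typically reachable regardless of this ufw policy
    # unless the docker role accounts for it — confirm what that role does.
    - name: Enable UFW
      community.general.ufw:
        state: enabled
        policy: deny

    - name: Enable fail2ban
      ansible.builtin.systemd:
        name: fail2ban
        enabled: true
        state: started

  handlers:
    - name: restart ssh
      ansible.builtin.service:
        name: ssh
        state: restarted

  # Runs before `tasks:` (see note at the top of the play).
  roles:
    - role: docker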