---
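# Fail fast on anything that is not Debian 10 or newer. Everything after this
# assumes Debian's apt layout (the "<release>-backports" suite name, the
# "o=Debian Backports" pin origin) and a Debian kernel (the
# kernel.unprivileged_userns_clone sysctl only exists there).
- name: Verify assertions
  assert:
    that:
      - ansible_distribution == "Debian"
      - ansible_distribution_major_version|int >= 10
    # say which host failed and why, instead of a bare "Assertion failed"
    fail_msg: >-
      This role supports Debian 10 or newer only, got
      {{ ansible_distribution }} {{ ansible_distribution_major_version }}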
# Register the backports suite for the running release, once as a binary
# ("deb") and once as a source ("deb-src") entry, and refresh the lists.
# Integrity does not depend on the transport: apt verifies the suite's
# InRelease signature against the Debian keyring before trusting any index.
# NOTE(review): deb.debian.org also serves https, which would hide the
# fetched package names from on-path observers; switching the scheme here
# would not remove the existing http entry on already-configured hosts
# (apt_repository matches the line verbatim), so do it together with a
# removal of the old line.
# NOTE(review): Debian 12+ ships firmware/microcode in a separate
# "non-free-firmware" component that this line does not enable for
# backports — confirm whether that is intended.
- name: Enable the backports repo
  apt_repository:
    # yamllint disable-line rule:line-length
    repo: '{{ item }} http://deb.debian.org/debian {{ ansible_distribution_release }}-backports main contrib non-free'
    state: present
    update_cache: true
  loop:
    - deb
    - deb-src
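# Raise backports from its archive default (100, "NotAutomatic") to 500 —
# the same priority as the stable suite — so the newest version wins for
# every package that exists in backports, not just the ones installed
# explicitly with "-t <release>-backports".
# Security trade-off to be aware of: packages from backports are updated by
# their individual uploaders and are not covered by Debian security
# advisories the way stable is, so everything that ends up coming from
# there has to be tracked separately. Narrowing "Package: *" to the
# packages that actually need a newer version keeps that set small.
- name: Set normal priority for the backports repo
  copy:
    dest: /etc/apt/preferences.d/backports
    owner: root
    group: root
    # quoted octal string: the Ansible-idiomatic form, so neither the YAML
    # loader nor the module reinterprets the number (same 0644 as before)
    mode: '0644'
    content: |
      Package: *
      Pin: release o=Debian Backports
      Pin-Priority: 500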
# Install the base tool set in a single apt run. cache_valid_time skips
# the "apt update" when the package lists are fresher than one hour.
- name: Install packages
  apt:
    state: present
    cache_valid_time: 3600
    name:
      # CPU microcode for both vendors, so one role fits any host. These
      # live in non-free (non-free-firmware on Debian 12+), which the base
      # sources must already enable — the backports entry above is not
      # what provides them.
      - amd64-microcode
      - intel-microcode
      # firmware updates through fwupd/LVFS
      - fwupd
      # storage: btrfs tooling, LUKS, pam_mount for per-user encrypted volumes
      - btrfs-progs
      - cryptsetup
      - libpam-mount-bin
      # Containers. The dockerd socket is root-equivalent for every member
      # of the "docker" group, so treat group membership as root access.
      # Docker also programs its own iptables chains ahead of UFW's, so
      # ports published by containers are reachable from outside regardless
      # of the UFW default policy set in the following tasks, unless
      # Docker's iptables handling is restricted.
      - docker.io
      # host firewall, configured by the tasks that follow
      - ufw
      # utilities
      - python3-cryptography
      - rsync
      - tmux
# Open SSH, but with ufw's built-in rate limit (a source that opens six or
# more connections within 30 s is denied), which blunts password guessing.
# "ssh" resolves through /etc/services to port 22 — adjust if sshd is moved.
# This rule has to exist before the firewall is switched on in the next
# task, otherwise the reject default would cut off the session this play
# runs over.
- name: Rate limit SSH
  community.general.ufw:
    proto: tcp
    port: ssh
    rule: limit
# Turn the firewall on with "reject" as the default policy for inbound
# traffic (ufw's default direction); at this point only the rate-limited
# SSH rule above is open. reject answers with ICMP/RST rather than
# silently dropping, so legitimate clients fail fast instead of hanging.
- name: Enable UFW
  community.general.ufw:
    state: enabled
    default: reject
# Enable unprivileged user namespaces. This knob comes from Debian's
# kernel patch set (it is not in mainline); Debian 10 defaults it to 0,
# and the Debian-only assertion at the top of this file is what makes the
# key safe to set here. Needed by rootless containers and sandboxes
# (bubblewrap/flatpak, browser sandboxes), but it also lets unprivileged
# users reach kernel code paths (mount, netfilter, ...) that are otherwise
# root-only, so it widens the local attack surface — a deliberate
# trade-off, not a hardening step.
# NOTE(review): the slash form of the key is kept on purpose; the module
# presumably edits /etc/sysctl.conf by exact key name, so switching to the
# dotted form could leave a stale duplicate on already-configured hosts —
# verify before renaming.
- name: Allow unprivileged user namespaces
  ansible.posix.sysctl:
    name: kernel/unprivileged_userns_clone
    value: "1"
    state: present
# Raise the per-user inotify watch limit well above the kernel default
# (8192 on older kernels) so file watchers such as IDEs and sync tools do
# not run out of watches. Persisted to sysctl.conf and applied immediately.
- name: Allow more inotify watches
  ansible.posix.sysctl:
    name: fs.inotify.max_user_watches
    value: "640000"
    state: present
- name: Secure SSH
with_dict: