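    ---
    # Debian host baseline: backports repo, base package set, UFW firewall and
    # two sysctl tweaks. Tasks run top to bottom; the SSH rate-limit rule is
    # written before UFW is enabled so the managing session is not locked out.
    - name: Verify assertions
      ansible.builtin.assert:
        that:
          - ansible_distribution == "Debian"
          - ansible_distribution_major_version|int >= 10
        fail_msg: "Unsupported platform: these tasks expect Debian 10 or newer"

    # Plain http is acceptable for a Debian mirror because APT verifies the
    # signed Release file; the transport does not carry the trust.
    - name: Enable the backports repo
      loop:
        - deb
        - deb-src
      ansible.builtin.apt_repository:
        # yamllint disable-line rule:line-length
        repo: '{{ item }} http://deb.debian.org/debian {{ ansible_distribution_release }}-backports main contrib non-free'
        state: present
        update_cache: true

    # Backports are pinned at priority 100 by default (never auto-selected);
    # 500 lets them compete on version like the stable suite.
    - name: Set normal priority for the backports repo
      ansible.builtin.copy:
        content: |
          Package: *
          Pin: release  o=Debian Backports
          Pin-Priority: 500
        dest: /etc/apt/preferences.d/backports
        group: root
        # Quoted octal string: the form the Ansible docs recommend so the YAML
        # parser cannot retype the mode.
        mode: "0644"
        owner: root

    # cache_valid_time only refreshes the package index when it is older
    # than one hour, so repeated runs stay cheap.
    # NOTE(review): on Debian 12+ the microcode packages moved to the
    # non-free-firmware component; confirm the base sources include it.
    # NOTE(review): docker.io installs its own iptables chains, so ports
    # published by containers are not governed by the UFW rules below
    # unless Docker's iptables handling is configured; confirm this is intended.
    - name: Install packages
      ansible.builtin.apt:
        cache_valid_time: 3600
        name:
          - amd64-microcode
          - btrfs-progs
          - cryptsetup
          - docker.io
          - fwupd
          - intel-microcode
          - libpam-mount-bin
          - python3-cryptography
          - rsync
          - tmux
          - ufw
        state: present

    # ufw's "limit" rule allows SSH but throttles repeated new connections
    # from one source; "ssh" is resolved through /etc/services.
    - name: Rate limit SSH
      community.general.ufw:
        rule: limit
        port: ssh
        proto: tcp

    # No direction given, so the reject policy applies to incoming traffic
    # (ufw's default direction); outgoing stays at ufw's default.
    - name: Enable UFW
      community.general.ufw:
        default: reject
        state: enabled

    # state: present persists the value in the module's default sysctl file
    # and reloads it. Values are strings, as the sysctl module expects.
    - name: Allow unprivileged user namespaces
      ansible.posix.sysctl:
        name: kernel/unprivileged_userns_clone
        state: present
        value: "1"

    - name: Allow more inotify watches
      ansible.posix.sysctl:
        name: fs.inotify.max_user_watches
        state: present
        value: "640000"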
    - name: Secure SSH
      with_dict: