Commit caf211f2 authored by nimrod's avatar nimrod

Separate the long debian-server role into smaller task files.

parent c5fd0196
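--- /dev/null
+++ b/btrfs.yml
@@ -0,0 +1,40 @@
+---
+- name: Copy btrfs backup script
+  copy:
+    dest: /usr/local/sbin/btrfs-backup
+    group: root
+    mode: preserve
+    owner: root
+    src: btrfs-backup
+
+- name: Create btrfs scrub services
+  # yamllint disable rule:line-length
+  loop: &btrfs_devices |-
+    {{ ansible_mounts|selectattr("fstype", "equalto", "btrfs")|map(attribute="device")|unique }}
+  # yamllint enable rule:line-length
+  ansible.builtin.template:
+    dest: /etc/systemd/system/scrub{{ name }}.service
+    mode: 0o0644
+    src: scrub.service.j2
+  vars: &btrfs_vars
+    device: '{{ item }}'
+    name: '{{ item|replace("/", "_") }}'
+  tags: [scrub]
+
+- name: Create btrfs scrub timers
+  loop: *btrfs_devices
+  ansible.builtin.template:
+    dest: /etc/systemd/system/scrub{{ name }}.timer
+    mode: 0o0644
+    src: scrub.timer.j2
+  vars: *btrfs_vars
+  tags: [scrub]
+
+- name: Enable the btrfs scrub timers
+  loop: *btrfs_devices
+  ansible.builtin.systemd:
+    enabled: true
+    name: scrub{{ name }}.timer
+    state: started
+  vars: *btrfs_vars
+  tags: [scrub]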
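--- /dev/null
+++ b/docker.yml
@@ -0,0 +1,56 @@
+---
+- name: Disable cgroup2 for Docker
+  lineinfile:
+    backup: true
+    line: |-
+      GRUB_CMDLINE_LINUX_DEFAULT="quiet systemd.unified_cgroup_hierarchy=0"
+    path: /etc/default/grub
+  notify:
+    - Update GRUB
+
+- name: Copy the script to start stopped container after a restart
+  copy:
+    dest: /usr/share/docker.io/restart-containers
+    mode: preserve
+    src: docker-restart
+
+- name: Create a drop-in directory for the Docker service
+  file:
+    path: /etc/systemd/system/docker.service.d
+    mode: 0o0755
+    state: directory
+
+- name: Restart stopped containers after a restart
+  copy:
+    content: |
+      [Service]
+      ExecStartPost=/usr/share/docker.io/restart-containers
+    dest: /etc/systemd/system/docker.service.d/restart-containers.conf
+    mode: 0o0644
+  notify:
+    - Systemd daemon reload
+
+- name: Allow default Docker network access to local services
+  community.general.ufw:
+    direction: in
+    interface: docker0
+    rule: allow
+
+- name: Set UID/GID mapping range
+  loop:
+    - /etc/subgid
+    - /etc/subuid
+  copy:
+    content: |
+      nimrod:100000:65536
+    dest: |-
+      {{ item }}
+    group: root
+    mode: 0o0644
+    owner: root
+
+- name: Allow unprivileged user namespaces
+  ansible.posix.sysctl:
+    name: kernel/unprivileged_userns_clone
+    state: present
+    value: "1"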
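Review bot: The `Disable cgroup2 for Docker` task calls lineinfile with only `line:` and no `regexp:`, so it appends a second `GRUB_CMDLINE_LINUX_DEFAULT=` entry beside the distribution's existing one instead of replacing it, and the result depends on the last definition winning when /etc/default/grub is sourced; add `regexp: '^GRUB_CMDLINE_LINUX_DEFAULT='` so the existing line is rewritten in place. The `Set UID/GID mapping range` task replaces the whole of /etc/subuid and /etc/subgid from `content:`, so any range another account already holds there is dropped on every run — if that is intended, a comment saying so would help, otherwise lineinfile with the same line keeps other entries intact. The `Allow unprivileged user namespaces` sysctl is a host-wide change that enlarges the kernel surface reachable by unprivileged processes, so a one-line comment stating which workload needs it would make the trade-off visible to the next reader.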
+9 −146
@@ -6,15 +6,6 @@
      - ansible_distribution_major_version|int >= 10
      - ansible_service_mgr == "systemd"

- name: Disable cgroup2 for Docker
  lineinfile:
    backup: true
    line: |-
      GRUB_CMDLINE_LINUX_DEFAULT="quiet systemd.unified_cgroup_hierarchy=0"
    path: /etc/default/grub
  notify:
    - Update GRUB

- name: Enable the backports repo
  loop:
    - deb
@@ -56,51 +47,17 @@
      - ufw
    state: present

- name: Copy the script to start stopped container after a restart
  copy:
    dest: /usr/share/docker.io/restart-containers
    mode: preserve
    src: docker-restart

- name: Create a drop-in directory for the Docker service
  file:
    path: /etc/systemd/system/docker.service.d
    mode: 0o0755
    state: directory

- name: Restart stopped containers after a restart
  copy:
    content: |
      [Service]
      ExecStartPost=/usr/share/docker.io/restart-containers
    dest: /etc/systemd/system/docker.service.d/restart-containers.conf
    mode: 0o0644
  notify:
    - Systemd daemon reload

- name: Rate limit SSH
  community.general.ufw:
    rule: limit
    port: ssh
    proto: tcp

- name: Allow default Docker network access to local services
  community.general.ufw:
    direction: in
    interface: docker0
    rule: allow

- name: Enable UFW
  community.general.ufw:
    default: reject
    state: enabled

- name: Allow unprivileged user namespaces
  ansible.posix.sysctl:
    name: kernel/unprivileged_userns_clone
    state: present
    value: "1"

- name: Allow more inotify watches
  ansible.posix.sysctl:
    name: fs.inotify.max_user_watches
@@ -128,80 +85,6 @@
    regexp: swap
    state: absent

- name: Set UID/GID mapping range
  loop:
    - /etc/subgid
    - /etc/subuid
  copy:
    content: |
      nimrod:100000:65536
    dest: |-
      {{ item }}
    group: root
    mode: 0o0644
    owner: root

- name: Create my www directory
  file:
    group: www-data
    mode: 0o0755
    owner: www-data
    path: /var/www
    state: directory

- name: Create an SSL directory under /var
  file:
    group: root
    mode: 0o0755
    owner: root
    path: /var/ssl
    state: directory

# I know that I can use Ansible modules instead of calling OpenSSL directly, but
# with the command module I can easily skip the task if the private key or the
# certificate already exist. The point is to create an SSL and self-signed
# certificate only as a bootstrap step. Once there is an existing (and assumed
# valid) certificate, don't overwrite it.

- name: Create private SSL key
  command:
    cmd: openssl genrsa -out /var/ssl/site.key 4096
    creates: /var/ssl/site.key

- name: Make sure the private key is accessible
  file:
    mode: 0o0444
    path: /var/ssl/site.key
    state: file

- name: Create SSL certificate
  command:
    cmd: >-
      openssl
      req
      -x509
      -out /var/ssl/site.crt
      -nodes
      -key /var/ssl/site.key
      -batch
    creates: /var/ssl/site.crt

- name: Create Diffie-Hellman Parameters file
  community.crypto.openssl_dhparam:
    force: false
    mode: 0o0644
    path: /var/ssl/dhparams
    size: 4096
    state: present

- name: Copy btrfs backup script
  copy:
    dest: /usr/local/sbin/btrfs-backup
    group: root
    mode: preserve
    owner: root
    src: btrfs-backup

- name: Mail aliases
  loop:
    - root
@@ -235,34 +118,14 @@
    name: update.timer
    state: started

- name: Create btrfs scrub services
  # yamllint disable rule:line-length
  loop: &btrfs_devices |-
    {{ ansible_mounts|selectattr("fstype", "equalto", "btrfs")|map(attribute="device")|unique }}
  # yamllint enable rule:line-length
  ansible.builtin.template:
    dest: /etc/systemd/system/scrub{{ name }}.service
    mode: 0o0644
    src: scrub.service.j2
  vars: &btrfs_vars
    device: '{{ item }}'
    name: '{{ item|replace("/", "_") }}'
  tags: [scrub]
- name: Include Docker tasks
  ansible.builtin.include_tasks:
    file: docker.yml

- name: Create btrfs scrub timers
  loop: *btrfs_devices
  ansible.builtin.template:
    dest: /etc/systemd/system/scrub{{ name }}.timer
    mode: 0o0644
    src: scrub.timer.j2
  vars: *btrfs_vars
  tags: [scrub]
- name: Include web tasks
  ansible.builtin.include_tasks:
    file: web.yml

- name: Enable the btrfs scrub timers
  loop: *btrfs_devices
  ansible.builtin.systemd:
    enabled: true
    name: scrub{{ name }}.timer
    state: started
  vars: *btrfs_vars
  tags: [scrub]
- name: Include btrfs tasks
  ansible.builtin.include_tasks:
    file: btrfs.yml
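Review bot: The new `Include btrfs tasks` entry uses ansible.builtin.include_tasks without a `tags:` key, while the tasks it pulls in from btrfs.yml are tagged `[scrub]`; a dynamic include does not inherit tags from its contents, so a run limited with `--tags scrub` skips the include itself and the scrub tasks never execute. Either tag the include, `tags: [scrub]`, or use `ansible.builtin.import_tasks:` so the tags on the included tasks are honoured at play time. The same applies to the docker and web includes in this hunk if tags are later added inside those files. The first context line of this hunk is the tail of a task whose start lies outside the hunk.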
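--- /dev/null
+++ b/web.yml
@@ -0,0 +1,53 @@
+---
+- name: Create my www directory
+  file:
+    group: www-data
+    mode: 0o0755
+    owner: www-data
+    path: /var/www
+    state: directory
+
+- name: Create an SSL directory under /var
+  file:
+    group: root
+    mode: 0o0755
+    owner: root
+    path: /var/ssl
+    state: directory
+
+# I know that I can use Ansible modules instead of calling OpenSSL directly, but
+# with the command module I can easily skip the task if the private key or the
+# certificate already exist. The point is to create an SSL and self-signed
+# certificate only as a bootstrap step. Once there is an existing (and assumed
+# valid) certificate, don't overwrite it.
+
+- name: Create private SSL key
+  command:
+    cmd: openssl genrsa -out /var/ssl/site.key 4096
+    creates: /var/ssl/site.key
+
+- name: Make sure the private key is accessible
+  file:
+    mode: 0o0444
+    path: /var/ssl/site.key
+    state: file
+
+- name: Create SSL certificate
+  command:
+    cmd: >-
+      openssl
+      req
+      -x509
+      -out /var/ssl/site.crt
+      -nodes
+      -key /var/ssl/site.key
+      -batch
+    creates: /var/ssl/site.crt
+
+- name: Create Diffie-Hellman Parameters file
+  community.crypto.openssl_dhparam:
+    force: false
+    mode: 0o0644
+    path: /var/ssl/dhparams
+    size: 4096
+    state: present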
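Review bot: `Make sure the private key is accessible` sets /var/ssl/site.key to `mode: 0o0444`, which makes the TLS private key readable by every local account and by any process that can see the host filesystem; the key should stay readable only by root and the group the web server runs as, e.g. `mode: 0o0440` together with a matching `group:` on the same task. The task name reads as if world readability were the goal, so the name or a comment should say which service needs to read the key. In `Create SSL certificate` the `openssl req -x509` command carries no `-days` option, so the bootstrap certificate gets OpenSSL's default validity of 30 days, and because of `creates:` it is never regenerated once it expires; since the header comment treats an existing certificate as assumed valid, either add `-days` or note the short lifetime in that comment.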