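---
# Bootstrap tasks for a Debian >= 10 host: cgroup v1 for Docker, the backports
# repo, base packages, Docker restart drop-in, UFW, sysctl tweaks, SSH
# hardening, tmpfs /tmp, subuid/subgid ranges and a self-signed TLS bootstrap
# under /var/ssl. The handlers notified here ("Update GRUB", "Systemd daemon
# reload") are defined elsewhere in the role.
#
# File modes are written as quoted octal strings ("0644") so the YAML loader
# never reinterprets them as decimal integers.

- name: Verify assertions
  assert:
    that:
      - ansible_distribution == "Debian"
      - ansible_distribution_major_version|int >= 10

# lineinfile without a regexp only looks for the exact line and otherwise
# appends it, so an existing GRUB_CMDLINE_LINUX_DEFAULT= entry would be kept
# and a second one added. Anchoring on the key replaces the existing line.
- name: Disable cgroup2 for Docker
  lineinfile:
    backup: true
    regexp: '^GRUB_CMDLINE_LINUX_DEFAULT='
    line: 'GRUB_CMDLINE_LINUX_DEFAULT="quiet systemd.unified_cgroup_hierarchy=0"'
    path: /etc/default/grub
  notify:
    - Update GRUB

- name: Enable the backports repo
  loop:
    - deb
    - deb-src
  apt_repository:
    # yamllint disable-line rule:line-length
    repo: '{{ item }} http://deb.debian.org/debian {{ ansible_distribution_release }}-backports main contrib non-free'
    state: present
    update_cache: true

# Raise backports from the default 100 to 500 so their packages are installable
# without an explicit -t target; they still lose to the 990/stable default.
- name: Set normal priority for the backports repo
  copy:
    content: |
      Package: *
      Pin: release o=Debian Backports
      Pin-Priority: 500
    dest: /etc/apt/preferences.d/backports
    group: root
    mode: "0644"
    owner: root

# cache_valid_time implies update_cache, but only refreshes if the index is
# older than one hour.
- name: Install packages
  apt:
    cache_valid_time: 3600
    name:
      - amd64-microcode
      - btrfs-progs
      - cryptsetup
      - curl
      - docker.io
      - fwupd
      - git
      - intel-microcode
      - libpam-mount-bin
      - make
      - python3-cryptography
      - rsync
      - tmux
      - ufw
    state: present

# mode: preserve keeps the executable bit of the file as it is in the role.
- name: Copy the script to start stopped container after a restart
  copy:
    dest: /usr/share/docker.io/restart-containers
    mode: preserve
    src: docker-restart

- name: Create a drop-in directory for the Docker service
  file:
    path: /etc/systemd/system/docker.service.d
    mode: "0755"
    state: directory

- name: Restart stopped containers after a restart
  copy:
    content: |
      [Service]
      ExecStartPost=/usr/share/docker.io/restart-containers
    dest: /etc/systemd/system/docker.service.d/restart-containers.conf
    mode: "0644"
  notify:
    - Systemd daemon reload

# The SSH rule is added before UFW is enabled so the session is never locked
# out; "limit" throttles repeated connection attempts from one source.
- name: Rate limit SSH
  community.general.ufw:
    rule: limit
    port: ssh
    proto: tcp

# Everything arriving on docker0 is allowed in, i.e. containers on the default
# bridge can reach any host service.
- name: Allow default Docker network access to local services
  community.general.ufw:
    direction: in
    interface: docker0
    rule: allow

# "default" applies to the incoming direction unless told otherwise.
- name: Enable UFW
  community.general.ufw:
    default: reject
    state: enabled

- name: Allow unprivileged user namespaces
  ansible.posix.sysctl:
    name: kernel/unprivileged_userns_clone
    state: present
    value: "1"

- name: Allow more inotify watches
  ansible.posix.sysctl:
    name: fs.inotify.max_user_watches
    state: present
    value: "640000"

# The regexp is anchored so a commented default such as
# "#PermitRootLogin prohibit-password" is rewritten in place instead of a new
# line being appended after it, and so a keyword is not matched inside another
# word. lineinfile replaces the *last* match, while sshd honours the *first*
# value of a keyword — an earlier conflicting value (or one in an Include'd
# drop-in, if the distro config has one) would still win; "sshd -T" validates
# syntax, not that. The values are quoted so they stay strings rather than
# becoming YAML booleans.
- name: Secure SSH
  with_dict:
    PermitRootLogin: 'no'
    PasswordAuthentication: 'no'
  lineinfile:
    backup: true
    line: '{{ item.key }} {{ item.value }}'
    path: /etc/ssh/sshd_config
    regexp: '^#?\s*{{ item.key }}\b'
    state: present
    validate: sshd -Tf %s

# state: present only writes the fstab entry; the tmpfs takes effect on the
# next boot (use "mounted" to also mount it now).
- name: Make /tmp a tmpfs mount
  ansible.posix.mount:
    fstype: tmpfs
    name: /tmp
    src: none
    opts: "defaults,nosuid,nodev"
    state: present

# Removes every fstab line containing "swap", comments included.
- name: Disable swap
  lineinfile:
    backup: true
    path: /etc/fstab
    regexp: swap
    state: absent

# copy replaces the whole file, so any mapping for other users is dropped.
- name: Set UID/GID mapping range
  loop:
    - /etc/subgid
    - /etc/subuid
  copy:
    content: |
      nimrod:100000:65536
    dest: '{{ item }}'
    group: root
    mode: "0644"
    owner: root

- name: Create my www directory
  file:
    group: www-data
    mode: "0755"
    owner: www-data
    path: /var/www
    state: directory

- name: Create an SSL directory under /var
  file:
    group: root
    mode: "0755"
    owner: root
    path: /var/ssl
    state: directory

# I know that I can use Ansible modules instead of calling OpenSSL directly, but
# with the command module I can easily skip the task if the private key or the
# certificate already exist. The point is to create an SSL and self-signed
# certificate only as a bootstrap step. Once there is an existing (and assumed
# valid) certificate, don't overwrite it.
- name: Create private SSL key
  command:
    cmd: openssl genrsa -out /var/ssl/site.key 4096
    creates: /var/ssl/site.key

# NOTE(review): 0444 makes the private key readable by every local user. If
# only one service needs it, a group-owned 0440 limits exposure — the
# consuming service is not visible here, so the permissive mode is kept.
- name: Make sure the private key is accessible
  file:
    mode: "0444"
    path: /var/ssl/site.key
    state: file

# -batch takes the subject from the openssl config defaults; no -days is
# given, so openssl's default validity for "req -x509" (30 days) applies.
# This is a bootstrap cert, expected to be replaced (see above).
- name: Create SSL certificate
  command:
    cmd: >-
      openssl req -x509 -out /var/ssl/site.crt
      -nodes -key /var/ssl/site.key -batch
    creates: /var/ssl/site.crt

# force: false keeps an existing file; generating 4096-bit params is slow on
# first run.
- name: Create Diffie-Hellman Parameters file
  community.crypto.openssl_dhparam:
    force: false
    mode: "0644"
    path: /var/ssl/dhparams
    size: 4096
    state: present

- name: Copy btrfs copy script
  copy:
    dest: /usr/local/sbin/btrfs-backup
    group: root
    mode: preserve
    owner: root
    src: btrfs-backup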