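---
# Baseline for freshly installed Debian hosts: patch the system, create an
# admin user with key-only SSH access and passwordless sudo, harden sshd,
# install tooling and add the Tailscale apt repository.
#
# Required input: `created_username` (e.g. `-e created_username=alice`).
# The play refuses to continue when it is empty, because an empty name would
# otherwise create a nameless account and a sudoers fragment at /etc/sudoers.d/.
- name: Debian-based server setup
  hosts: new-debian-servers
  gather_facts: true
  become: true

  vars:
    created_username: ""
    # Codename used for the Tailscale repository URL and apt source line. It
    # has to match the target's release (gather_facts exposes the gathered
    # value as ansible_distribution_release).
    debian_stable_version: "bullseye"

  handlers:
    # sshd only picks up sshd_config edits after a restart. Running the
    # restart as a handler (end of play) keeps the existing control
    # connection usable for the remaining tasks; Debian's ssh.service
    # restart does not tear down established sessions.
    - name: Restart sshd
      ansible.builtin.service:
        name: ssh
        state: restarted

  tasks:
    - name: Ensure created_username is set
      ansible.builtin.assert:
        that:
          - created_username is defined
          - created_username | length > 0
        fail_msg: "created_username must be set (e.g. -e created_username=alice)"

    # Skips downloading translated package descriptions on every apt update.
    - name: Disable APT translations
      ansible.builtin.lineinfile:
        path: /etc/apt/apt.conf.d/99translations
        state: present
        create: true
        line: 'Acquire::Languages "none";'

    - name: Update packages
      ansible.builtin.apt:
        name: "*"
        state: latest
        update_cache: true

    # dist-upgrade additionally handles changed dependencies / removals.
    - name: Update OS
      ansible.builtin.apt:
        upgrade: dist
        update_cache: true

    # Reboot so a freshly upgraded kernel is actually running before the
    # host is configured further.
    - name: Reboot the machine (Wait for 5 minutes)
      tags: [reboot]
      ansible.builtin.reboot:
        reboot_timeout: 300

    - name: Create a new user
      ansible.builtin.user:
        name: "{{ created_username }}"
        state: present
        create_home: true

    # The key is read from the controller's ~/.ssh/id_ed25519.pub; this must
    # succeed before password logins are disabled below.
    - name: Set authorized key for remote user
      ansible.posix.authorized_key:
        user: "{{ created_username }}"
        state: present
        key: "{{ lookup('file', lookup('env', 'HOME') + '/.ssh/id_ed25519.pub') }}"

    # sudo expects sudoers.d fragments to be root-owned and mode 0440;
    # `create: true` alone would leave the file with the default umask mode.
    # visudo -c rejects the change if the resulting file does not parse.
    - name: Setup passwordless sudo for {{ created_username }}
      ansible.builtin.lineinfile:
        path: "/etc/sudoers.d/{{ created_username }}"
        state: present
        create: true
        owner: root
        group: root
        mode: "0440"
        line: "{{ created_username }} ALL=(ALL) NOPASSWD: ALL"
        validate: "/usr/sbin/visudo -cf %s"

    # NOTE(review): newer Debian releases put `Include /etc/ssh/sshd_config.d/*.conf`
    # at the top of sshd_config and sshd keeps the first value it sees, so a
    # drop-in there can override the three lines below — confirm on the
    # target release. `sshd -t` validates the edited file before it is
    # written; the handler restarts sshd once at the end of the play.
    - name: Disable password authentication for root
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: "^#?PermitRootLogin"
        line: "PermitRootLogin prohibit-password"
        validate: "/usr/sbin/sshd -t -f %s"
      notify: Restart sshd

    - name: Disable password authentication for other users
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: "^#?PasswordAuthentication"
        line: "PasswordAuthentication no"
        validate: "/usr/sbin/sshd -t -f %s"
      notify: Restart sshd

    - name: Enable pub key authentication for all users
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: "^#?PubkeyAuthentication"
        line: "PubkeyAuthentication yes"
        validate: "/usr/sbin/sshd -t -f %s"
      notify: Restart sshd

    - name: Install essential packages
      ansible.builtin.apt:
        pkg:
          - git
          - git-core
          - build-essential
          - vim
          - firewalld
          - apt-listchanges
          - unattended-upgrades
          - atop
          - bat
          - exa
          - fail2ban
          - fd-find
          - htop
          - lynis
          - mailutils
          - ncdu
          - nethogs
          - ripgrep
          - tldr
          - tuptime

    # The stock file carries the setting commented out as
    # `//Unattended-Upgrade::Mail "";`. The regexp also matches the
    # uncommented line, so re-runs replace the existing setting instead of
    # appending a duplicate (the previous `^#?//...` pattern only matched the
    # commented form and was not idempotent).
    - name: Setup unattended-upgrades
      ansible.builtin.lineinfile:
        path: /etc/apt/apt.conf.d/50unattended-upgrades
        state: present
        regexp: '^(//|#)?\s*Unattended-Upgrade::Mail '
        line: 'Unattended-Upgrade::Mail "{{ created_username }}";'

    # apt-daily.timer only downloads package lists/packages; the actual
    # unattended-upgrades run is driven by apt-daily-upgrade.timer.
    - name: Enable and start systemd services
      ansible.builtin.systemd:
        name: "{{ item }}"
        state: started
        enabled: true
      loop:
        - atop.service
        - atop-rotate.timer
        - apt-daily.timer
        - apt-daily-upgrade.timer
        - fail2ban.service
        - firewalld.service
        - tuptime.service

    # The keyring is fetched over HTTPS and referenced via `signed-by`, so
    # only packages signed by it are accepted from this source. No checksum
    # for the key file is recorded here; a `checksum:` on get_url would pin it.
    - name: Setup Tailscale repository
      tags: [tailscale]
      block:
        - name: tailscale gpg
          ansible.builtin.get_url:
            url: "https://pkgs.tailscale.com/stable/debian/{{ debian_stable_version }}.noarmor.gpg"
            dest: /usr/share/keyrings/tailscale-archive-keyring.gpg
            mode: "0644"

        - name: tailscale.list
          ansible.builtin.apt_repository:
            repo: "deb [signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg] https://pkgs.tailscale.com/stable/debian {{ debian_stable_version }} main"
            state: present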