ansible-homelab/debian-vps-setup.yml

---
- name: Provision a Debian server on a remote VPS
  hosts: remotes
  become: true
  tasks:
    - name: Update cache and all packages
      register: updatesys
      ansible.builtin.apt:
        upgrade: dist
        update_cache: true

    - name: Display the last line of the previous task to check the stats
      ansible.builtin.debug:
        msg: "{{updatesys.stdout_lines|last}}"

    - name: Install basic packages
      ansible.builtin.apt:
        update_cache: true
        name:
          - apt-file
          - apt-listchanges
          - apt-utils
          - bat
          - curl
          - fail2ban
          - firewalld
          - git
          - htop
          - jc
          - jq
          - less
          - man-db
          - manpages
          - pipx
          - python3-dev
          - python3-pip
          - rsync
          - unattended-upgrades
          - vim
          - wget
        state: present

    - name: Ensure man-db.timer is enabled
      ansible.builtin.systemd_service:
        name: man-db.timer
        enabled: true

    - name: Disable apt downloading translations
      ansible.builtin.lineinfile:
        path: /etc/apt/apt.conf.d/99translations
        create: true
        line: 'Acquire::Languages "none";'
        owner: root
        group: root
        mode: "0644"

    - name: Copy 20auto-upgrades
      ansible.builtin.copy:
        src: etc/apt/apt.conf.d/20auto-upgrades
        dest: /etc/apt/apt.conf.d/20auto-upgrades
        owner: root
        group: root
        mode: "0644"

    - name: Copy 50unattended-upgrades
      ansible.builtin.copy:
        src: etc/apt/apt.conf.d/50unattended-upgrades
        dest: /etc/apt/apt.conf.d/50unattended-upgrades
        owner: root
        group: root
        mode: "0644"

    - name: Ensure unattended-upgrades is enabled
      ansible.builtin.systemd_service:
        name: unattended-upgrades
        enabled: true
        state: started

    - name: Ensure /var/log/auth.log exists for fail2ban
      ansible.builtin.file:
        path: /var/log/auth.log
        state: touch
        owner: root
        group: root
        mode: "0644"

    - name: Ensure fail2ban is enabled
      ansible.builtin.systemd_service:
        name: fail2ban
        enabled: true
        state: started

    - name: Ensure firewalld is enabled
      ansible.builtin.systemd_service:
        name: firewalld
        enabled: true
        state: started

    - name: Ensure the user 'jas' exists
      ansible.builtin.user:
        name: jas
        shell: /bin/bash
        create_home: true

    - name: Ensure ~/.ssh exists for the user 'jas'
      ansible.builtin.file:
        path: /home/jas/.ssh
        state: directory
        owner: jas
        group: jas
        mode: "0700"

    - name: Ensure SSH authorized key exists for the user 'jas'
      ansible.builtin.copy:
        src: /root/.ssh/authorized_keys
        remote_src: true
        dest: /home/jas/.ssh/authorized_keys
        owner: jas
        group: jas
        mode: "0600"

    - name: Ensure sudo no password privileges for the user 'jas'
      ansible.builtin.lineinfile:
        path: /etc/sudoers.d/jas
        create: true
        state: present
        line: "jas ALL=(ALL) NOPASSWD: ALL"
        owner: root
        group: root
        mode: "0640"
        validate: /usr/sbin/visudo -csf %s

    - name: Check if reboot is required
      ansible.builtin.stat:
        path: /var/run/reboot-required
      register: reboot_required

    - name: Set is_reboot_required fact
      ansible.builtin.set_fact:
        is_reboot_required: "{{ True if reboot_required.stat.exists else False }}"

    - name: Reboot is needed
      ansible.builtin.reboot:
        reboot_timeout: 120
      when: is_reboot_required | bool

    - name: Post-reboot confirmation
      ansible.builtin.debug:
        msg: "{{ ansible_host }} is now back up and running"
      when: is_reboot_required | bool
Add debian-server.yml playbook 2024-06-27 09:13:03 +02:00			`---`
			`- name: Provision a Debian server on a remote VPS`
			`hosts: remotes`
			`become: true`
			`tasks:`
			`- name: Update cache and all packages`
			`register: updatesys`
			`ansible.builtin.apt:`
			`upgrade: dist`
			`update_cache: true`

			`- name: Display the last line of the previous task to check the stats`
			`ansible.builtin.debug:`
			`msg: "{{updatesys.stdout_lines\|last}}"`

			`- name: Install basic packages`
			`ansible.builtin.apt:`
			`update_cache: true`
			`name:`
			`- apt-file`
			`- apt-listchanges`
			`- apt-utils`
Add debian-vps-setup.yml; update inventory.yml 2024-06-27 17:43:40 +02:00			`- bat`
Add debian-server.yml playbook 2024-06-27 09:13:03 +02:00			`- curl`
			`- fail2ban`
			`- firewalld`
			`- git`
			`- htop`
Add debian-vps-setup.yml; update inventory.yml 2024-06-27 17:43:40 +02:00			`- jc`
			`- jq`
Add debian-server.yml playbook 2024-06-27 09:13:03 +02:00			`- less`
			`- man-db`
			`- manpages`
			`- pipx`
			`- python3-dev`
			`- python3-pip`
			`- rsync`
			`- unattended-upgrades`
			`- vim`
			`- wget`
			`state: present`

			`- name: Ensure man-db.timer is enabled`
			`ansible.builtin.systemd_service:`
			`name: man-db.timer`
			`enabled: true`

			`- name: Disable apt downloading translations`
			`ansible.builtin.lineinfile:`
			`path: /etc/apt/apt.conf.d/99translations`
			`create: true`
			`line: 'Acquire::Languages "none";'`
			`owner: root`
			`group: root`
			`mode: "0644"`

Add debian-vps-setup.yml; update inventory.yml 2024-06-27 17:43:40 +02:00			`- name: Copy 20auto-upgrades`
			`ansible.builtin.copy:`
			`src: etc/apt/apt.conf.d/20auto-upgrades`
			`dest: /etc/apt/apt.conf.d/20auto-upgrades`
			`owner: root`
			`group: root`
			`mode: "0644"`

			`- name: Copy 50unattended-upgrades`
			`ansible.builtin.copy:`
			`src: etc/apt/apt.conf.d/50unattended-upgrades`
			`dest: /etc/apt/apt.conf.d/50unattended-upgrades`
			`owner: root`
			`group: root`
			`mode: "0644"`

			`- name: Ensure unattended-upgrades is enabled`
			`ansible.builtin.systemd_service:`
			`name: unattended-upgrades`
			`enabled: true`
			`state: started`

Add debian-server.yml playbook 2024-06-27 09:13:03 +02:00			`- name: Ensure /var/log/auth.log exists for fail2ban`
			`ansible.builtin.file:`
			`path: /var/log/auth.log`
			`state: touch`
			`owner: root`
			`group: root`
			`mode: "0644"`

Add debian-vps-setup.yml; update inventory.yml 2024-06-27 17:43:40 +02:00			`- name: Ensure fail2ban is enabled`
			`ansible.builtin.systemd_service:`
			`name: fail2ban`
			`enabled: true`
			`state: started`

Add debian-server.yml playbook 2024-06-27 09:13:03 +02:00			`- name: Ensure firewalld is enabled`
			`ansible.builtin.systemd_service:`
			`name: firewalld`
			`enabled: true`
			`state: started`

			`- name: Ensure the user 'jas' exists`
			`ansible.builtin.user:`
			`name: jas`
			`shell: /bin/bash`
			`create_home: true`

			`- name: Ensure ~/.ssh exists for the user 'jas'`
			`ansible.builtin.file:`
			`path: /home/jas/.ssh`
			`state: directory`
			`owner: jas`
			`group: jas`
			`mode: "0700"`

			`- name: Ensure SSH authorized key exists for the user 'jas'`
			`ansible.builtin.copy:`
			`src: /root/.ssh/authorized_keys`
			`remote_src: true`
			`dest: /home/jas/.ssh/authorized_keys`
			`owner: jas`
			`group: jas`
			`mode: "0600"`

			`- name: Ensure sudo no password privileges for the user 'jas'`
			`ansible.builtin.lineinfile:`
			`path: /etc/sudoers.d/jas`
			`create: true`
			`state: present`
			`line: "jas ALL=(ALL) NOPASSWD: ALL"`
			`owner: root`
			`group: root`
			`mode: "0640"`
			`validate: /usr/sbin/visudo -csf %s`

			`- name: Check if reboot is required`
			`ansible.builtin.stat:`
			`path: /var/run/reboot-required`
			`register: reboot_required`

			`- name: Set is_reboot_required fact`
			`ansible.builtin.set_fact:`
			`is_reboot_required: "{{ True if reboot_required.stat.exists else False }}"`

			`- name: Reboot is needed`
			`ansible.builtin.reboot:`
			`reboot_timeout: 120`
			`when: is_reboot_required \| bool`

			`- name: Post-reboot confirmation`
			`ansible.builtin.debug:`
			`msg: "{{ ansible_host }} is now back up and running"`
			`when: is_reboot_required \| bool`