From 97f5caa7e0110729589c722e7645a101e2a9b4a2 Mon Sep 17 00:00:00 2001
From: Jeffrey Serio <23226432+hyperreal64@users.noreply.github.com>
Date: Thu, 27 Jun 2024 02:13:03 -0500
Subject: [PATCH] Add debian-server.yml playbook

---
 debian-server.yml | 119 ++++++++++++++++++++++++++++++++++++++++++++++
 inventory.yml | 7 +++
 2 files changed, 126 insertions(+)
 create mode 100644 debian-server.yml

diff --git a/debian-server.yml b/debian-server.yml
new file mode 100644
index 0000000..09c08d7
--- /dev/null
+++ b/debian-server.yml
@@ -0,0 +1,119 @@
+---
+- name: Provision a Debian server on a remote VPS
+ hosts: remotes
+ become: true
+ tasks:
+ - name: Update cache and all packages
+ register: updatesys
+ ansible.builtin.apt:
+ upgrade: dist
+ update_cache: true
+
+ - name: Display the last line of the previous task to check the stats
+ ansible.builtin.debug:
+ msg: "{{updatesys.stdout_lines|last}}"
+
+ - name: Install basic packages
+ ansible.builtin.apt:
+ update_cache: true
+ name:
+ - apt-file
+ - apt-listchanges
+ - apt-utils
+ - curl
+ - fail2ban
+ - firewalld
+ - git
+ - htop
+ - less
+ - man-db
+ - manpages
+ - pipx
+ - python3-dev
+ - python3-pip
+ - rsync
+ - unattended-upgrades
+ - vim
+ - wget
+ state: present
+
+ - name: Ensure man-db.timer is enabled
+ ansible.builtin.systemd_service:
+ name: man-db.timer
+ enabled: true
+
+ - name: Disable apt downloading translations
+ ansible.builtin.lineinfile:
+ path: /etc/apt/apt.conf.d/99translations
+ create: true
+ line: 'Acquire::Languages "none";'
+ owner: root
+ group: root
+ mode: "0644"
+
+ - name: Ensure /var/log/auth.log exists for fail2ban
+ ansible.builtin.file:
+ path: /var/log/auth.log
+ state: touch
+ owner: root
+ group: root
+ mode: "0644"
+
+ - name: Ensure firewalld is enabled
+ ansible.builtin.systemd_service:
+ name: firewalld
+ enabled: true
+ state: started
+
+ - name: Ensure the user 'jas' exists
+ ansible.builtin.user:
+ name: jas
+ shell: /bin/bash
+ create_home: true
+
+ - name: Ensure ~/.ssh exists for the user 'jas'
+ ansible.builtin.file:
+ path: /home/jas/.ssh
+ state: directory
+ owner: jas
+ group: jas
+ mode: "0700"
+
+ - name: Ensure SSH authorized key exists for the user 'jas'
+ ansible.builtin.copy:
+ src: /root/.ssh/authorized_keys
+ remote_src: true
+ dest: /home/jas/.ssh/authorized_keys
+ owner: jas
+ group: jas
+ mode: "0600"
+
+ - name: Ensure sudo no password privileges for the user 'jas'
+ ansible.builtin.lineinfile:
+ path: /etc/sudoers.d/jas
+ create: true
+ state: present
+ line: "jas 
ALL=(ALL) NOPASSWD: ALL"
+ owner: root
+ group: root
+ mode: "0640"
+ validate: /usr/sbin/visudo -csf %s
+
+ - name: Check if reboot is required
+ ansible.builtin.stat:
+ path: /var/run/reboot-required
+ register: reboot_required
+
+ - name: Set is_reboot_required fact
+ ansible.builtin.set_fact:
+ is_reboot_required: "{{ True if reboot_required.stat.exists else False }}"
+
+ - name: Reboot is needed
+ ansible.builtin.reboot:
+ reboot_timeout: 120
+ when: is_reboot_required | bool
+
+ - name: Post-reboot confirmation
+ ansible.builtin.debug:
+ msg: "{{ ansible_host }} is now back up and running"
+ when: is_reboot_required | bool
diff --git a/inventory.yml b/inventory.yml
index 4195817..88b1263 100644
--- a/inventory.yml
+++ b/inventory.yml
@@ -13,3 +13,10 @@ homelab:
 ansible_user: jas
 ansible_host: 10.0.0.12
 ansible_python_interpreter: /usr/bin/python3
+
+remotes:
+ hosts:
+ bsky.hyperreal.coffee:
+ ansible_user: root
+ ansible_host: 172.234.24.234
+ ansible_python_interpreter: /usr/bin/python3
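Review bot: The sudoers drop-in at `/etc/sudoers.d/jas` is written with `mode: "0640"`, but sudo's default `sudoers_mode` is 0440 and a stock build logs "is mode 0640, should be 0440" and skips the file, so the NOPASSWD rule may never take effect even though `visudo -csf` accepted the syntax; use `mode: "0440"`. The `/var/log/auth.log` touch task only lets fail2ban start: unless rsyslog (or another syslog writer) is present on the host, nothing ever writes to that file and fail2ban's sshd jail sees no failed logins, so either add `rsyslog` to the package list or configure fail2ban with `backend = systemd`; note also that `state: touch` reports changed on every run unless `modification_time: preserve` and `access_time: preserve` are set. Near the end of the hunk, `"{{ True if reboot_required.stat.exists else False }}"` can be simply `"{{ reboot_required.stat.exists }}"`. The `copy` of `/root/.ssh/authorized_keys` fails outright when root has no authorized_keys file, which deserves a comment or a preceding `stat` guard.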
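Review bot: The new `remotes` entry connects as `root`, so every run of the playbook uses a direct root SSH session even after it has provisioned `jas` with root's authorized keys and passwordless sudo; a comment such as `# root is only for the first bootstrap run; switch ansible_user to jas once it exists` would make that intent explicit, and the entry could then carry `ansible_user: jas` with `become: true` handling escalation. The playbook's `hosts: remotes` matches this group name, so nothing else would need to change.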