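---
# Bootstraps every host in the inventory: base packages, a deploy user with
# SSH key access, the hardening/Docker/firewall roles, and the Docker/Caddy
# layout the deployments expect.
#
# Required variables (inventory/group_vars): deploy_user, ssh_pub_key_path,
# ghcr_token, deploy_dir.
# Optional: docker_rollout_checksum (see the docker-rollout task below).
- name: Bootstrap and harden servers
  hosts: all
  become: true

  pre_tasks:
    - name: Update and upgrade
      ansible.builtin.apt:
        update_cache: true
        upgrade: dist

    - name: Install base packages
      ansible.builtin.apt:
        name:
          - curl
          - htop
          - git
        state: present

    - name: Create deploy user
      ansible.builtin.user:
        name: "{{ deploy_user }}"
        shell: /bin/bash
        create_home: true

    # Runs before the roles below, so key-based access is already in place
    # when ssh_hardening reconfigures sshd (presumably the reason for the
    # ordering — confirm against that role's settings).
    - name: Authorize SSH key for deploy user
      ansible.posix.authorized_key:
        user: "{{ deploy_user }}"
        key: "{{ lookup('file', ssh_pub_key_path) }}"
        state: present

  roles:
    - devsec.hardening.os_hardening
    - devsec.hardening.ssh_hardening
    - geerlingguy.docker
    - geerlingguy.firewall
    - robertdebock.fail2ban
    - hifis.toolkit.unattended_upgrades

  tasks:
    # Unconditional restart: Docker re-creates its iptables chains on start,
    # which the firewall role may have replaced. This restarts the daemon on
    # every run of the playbook, not only when the firewall changed.
    - name: Restart Docker to restore iptables rules after firewall
      ansible.builtin.systemd:
        name: docker
        state: restarted

    # Membership in the docker group grants control of a daemon that runs as
    # root, i.e. root-equivalent access on the host.
    - name: Add deploy user to docker group
      ansible.builtin.user:
        name: "{{ deploy_user }}"
        groups: docker
        append: true

    - name: Ensure Docker is running
      ansible.builtin.systemd:
        name: docker
        state: started
        enabled: true

    - name: Create Docker CLI plugins directory
      ansible.builtin.file:
        path: /usr/libexec/docker/cli-plugins
        state: directory
        owner: root
        group: root
        mode: "0755"

    # The plugin is fetched from the `main` branch, i.e. a moving target with
    # no integrity check of its own. Set docker_rollout_checksum (for example
    # "sha256:<digest of the reviewed revision>") so get_url rejects a changed
    # file; when the variable is unset the parameter is omitted and the
    # download is unverified, as before.
    - name: Install docker-rollout plugin
      ansible.builtin.get_url:
        url: https://raw.githubusercontent.com/wowu/docker-rollout/main/docker-rollout
        dest: /usr/libexec/docker/cli-plugins/docker-rollout
        checksum: "{{ docker_rollout_checksum | default(omit) }}"
        owner: root
        group: root
        mode: "0755"

    # The play-level become: true applies here, so the login runs as root and
    # the stored credential belongs to root's Docker config rather than the
    # deploy user's — confirm that is what the deploy workflow expects.
    # no_log keeps the token out of task output even at high verbosity.
    - name: Log in to GHCR
      community.docker.docker_login:
        registry: ghcr.io
        username: flow-industries
        password: "{{ ghcr_token }}"
      no_log: true

    - name: Create Caddy sites directory
      ansible.builtin.file:
        path: "{{ deploy_dir }}/caddy/sites"
        state: directory
        owner: "{{ deploy_user }}"
        group: "{{ deploy_user }}"
        mode: "0755"

    # The Caddyfile imports /etc/caddy/sites/* although the sites directory
    # created above lives under {{ deploy_dir }}/caddy/sites — presumably the
    # host directory is mounted at /etc/caddy inside the Caddy container;
    # verify against the compose file. force: false leaves an existing
    # Caddyfile untouched.
    - name: Create base Caddyfile
      ansible.builtin.copy:
        dest: "{{ deploy_dir }}/caddy/Caddyfile"
        content: "import /etc/caddy/sites/*\n"
        owner: "{{ deploy_user }}"
        group: "{{ deploy_user }}"
        mode: "0644"
        force: false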