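---
# Host bootstrap tasks: hostname, time sync, Docker, SSH config,
# firewall, fail2ban and DNS resolver.
#
# Fixes versus the previous revision:
#   - `purge ntp` used `state: purged`, which the apt module does not
#     accept (valid states are absent/present/latest/build-dep/fixed);
#     replaced with `state: absent` + `purge: true`.
#   - `update_cache: yes` / `enabled=yes` replaced with `true`
#     (truthy YAML 1.1 spellings).
#   - `mode: 0700` quoted so it is not parsed as an octal/decimal int.
#   - key=value module strings (`service: name=... state=...`) rewritten as
#     native block YAML, and all modules referenced by their FQCN for
#     consistency with the existing `ansible.builtin.*` tasks.
#   - sshd_config is validated with `sshd -t` before it replaces the live
#     file, so a broken config cannot take down SSH on the next restart.
#   - `pgrep` runs through `command` instead of `shell` (no shell
#     features are used).

# set hostname
- name: Set a hostname specifying strategy
  ansible.builtin.hostname:
    name: "{{ inventory_hostname }}"
    use: systemd

# docker
- name: install dependencies
  ansible.builtin.apt:
    name:
      - apt-transport-https
      - ca-certificates
      - curl
      - gnupg-agent
      - software-properties-common
      - systemd-timesyncd
    state: latest
    update_cache: true

- name: enable systemd-timesyncd
  # `restarted` bounces the unit on every run (task is always "changed").
  ansible.builtin.systemd_service:
    name: systemd-timesyncd
    state: restarted
    enabled: true
    daemon_reload: true

- name: purge ntp
  # ntp would conflict with systemd-timesyncd; remove it together with
  # its configuration files.
  ansible.builtin.apt:
    name:
      - ntp
    state: absent
    purge: true

- name: docker GPG key
  # NOTE(review): apt_key is deprecated upstream (it relies on the
  # deprecated apt-key tool); the replacement is a keyring file plus a
  # `signed-by=` option in the repository line. Kept to preserve behavior.
  ansible.builtin.apt_key:
    url: https://download.docker.com/linux/debian/gpg
    state: present

- name: repository docker
  ansible.builtin.apt_repository:
    # Quoted so the embedded Jinja expression is never misread by YAML.
    repo: "deb https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
    state: present

- name: install docker
  ansible.builtin.apt:
    name:
      - docker-ce
      - docker-ce-cli
      - containerd.io
    state: latest
    update_cache: true

- name: enable docker
  # `restarted` bounces dockerd (and its containers) on every run;
  # `started` would be the idempotent choice if that is not intended.
  ansible.builtin.systemd_service:
    name: docker
    state: restarted
    enabled: true
    daemon_reload: true

- name: copy docker-compose@.service
  ansible.builtin.copy:
    src: ../files/docker-compose@.service
    dest: /etc/systemd/system/docker-compose@.service
    owner: root
    group: root
    mode: u=rw,g=r,o=r

- name: ensure /etc/docker/compose exist
  ansible.builtin.file:
    path: /etc/docker/compose
    state: directory
    owner: root
    group: root
    # quoted: an unquoted 0700 is parsed as a number, not a mode string
    mode: "0700"

# SSH
- name: Copy sshd_config
  ansible.builtin.copy:
    src: ../files/sshd_config
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: u=rw,g=r,o=r
    # Reject a syntactically invalid config before it replaces the live
    # file; otherwise the restart below would fail and lock out SSH.
    validate: /usr/sbin/sshd -t -f %s

- name: restart sshd
  ansible.builtin.service:
    name: sshd
    state: restarted
    enabled: true

# FIREWALL
- name: install UFW
  ansible.builtin.apt:
    name: ufw
    state: latest

- name: allow ssh from everywhere and enable
  # The allow rule is added before the firewall is enabled so the
  # current SSH session is not cut off.
  community.general.ufw:
    rule: allow
    name: OpenSSH
    state: enabled

- name: restart ufw
  ansible.builtin.service:
    name: ufw
    state: restarted
    enabled: true

# FAIL2BAN
- name: install fail2ban
  ansible.builtin.apt:
    name: fail2ban
    state: latest

- name: Copy jail.conf
  ansible.builtin.copy:
    src: ../files/jail.conf
    dest: /etc/fail2ban/jail.conf
    owner: root
    group: root
    mode: u=rw,g=r,o=r

- name: restart fail2ban
  ansible.builtin.service:
    name: fail2ban
    state: restarted
    enabled: true

# DNS
- name: install systemd-resolved
  ansible.builtin.apt:
    name: systemd-resolved
    state: latest

- name: Check if systemd-resolved config exists
  ansible.builtin.stat:
    path: /etc/systemd/resolved.conf
  register: systemd_resolved_config
  check_mode: false

- name: Update DNS servers for systemd-resolvd
  ansible.builtin.include_tasks:
    file: 'systemd-resolved.yml'
  when: systemd_resolved_config.stat.exists | bool

- name: Check if systemd-resolved runs
  # No shell features are needed, so `command` avoids an unnecessary
  # shell invocation. A non-zero exit (not running) is not a failure.
  ansible.builtin.command: pgrep systemd-resolve
  failed_when: false
  changed_when: false
  register: systemd_resolved_running
  check_mode: false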