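---
# Part of role: common
# Called by: ansible/playbooks/bootstrap-minisforum.yaml
# Description: Sets timezone, installs base packages, creates user, hardens SSH,
# configures UFW, and creates data directories.
#
# Variables consumed (defined outside this file): timezone, base_packages,
# username, ufw_allowed_ports, data_dirs.
# Optional overrides, with defaults equal to the values previously hard-coded
# here: ssh_port (430), ssh_public_key_file (controller-side public key path).
# Handler referenced: "Restart sshd" (defined elsewhere in the role).

- name: Set timezone
  community.general.timezone:
    name: "{{ timezone }}"

- name: Install base packages
  ansible.builtin.apt:
    name: "{{ base_packages }}"
    state: present
    update_cache: true

- name: Create primary user
  ansible.builtin.user:
    name: "{{ username }}"
    groups: sudo
    # Without append, `groups` is exclusive: a re-run would strip the user
    # from any group another role added later (e.g. a container group).
    append: true
    shell: /bin/bash
    create_home: true
    state: present

- name: Set up authorized SSH key for user
  ansible.posix.authorized_key:
    user: "{{ username }}"
    state: present
    # Public key is read on the controller; set ssh_public_key_file to use a
    # different key without editing the role.
    key: "{{ lookup('file', ssh_public_key_file | default('~/.ssh/id_ed25519-nik-macbookair.pub')) }}"

- name: Harden SSH — disable password auth
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
    # Refuse the edit (and so never notify the handler) when the resulting
    # file does not parse, so a bad line cannot leave sshd unable to restart
    # and lock us out of the host.
    validate: /usr/sbin/sshd -t -f %s
  loop:
    - regexp: "^#?PasswordAuthentication"
      line: "PasswordAuthentication no"
    - regexp: "^#?PermitRootLogin"
      line: "PermitRootLogin no"
    - regexp: "^#?PubkeyAuthentication"
      line: "PubkeyAuthentication yes"
    - regexp: "^#?Port "
      line: "Port {{ ssh_port | default(430) }}"
  # NOTE(review): sshd keeps the first value it reads for each keyword, and
  # some images Include /etc/ssh/sshd_config.d/*.conf ahead of these lines;
  # confirm the effective settings with `sshd -T` after the play. If sshd is
  # socket-activated on the target, the Port directive alone will not move
  # the listener — confirm on the target.
  notify: Restart sshd

- name: Install UFW
  ansible.builtin.apt:
    name: ufw
    state: present

- name: Set UFW default deny incoming
  community.general.ufw:
    default: deny
    direction: incoming

- name: Set UFW default allow outgoing
  community.general.ufw:
    default: allow
    direction: outgoing

- name: Allow required ports
  community.general.ufw:
    rule: allow
    port: "{{ item.port }}"
    proto: "{{ item.proto }}"
    comment: "{{ item.comment }}"
  loop: "{{ ufw_allowed_ports }}"

- name: Allow the hardened SSH port before enabling the firewall
  # The SSH port is set above from ssh_port, but the UFW allow-list comes
  # from a separate variable; allowing it explicitly here guards against a
  # lockout when ufw_allowed_ports omits it. ufw treats an already-present
  # rule as existing rather than adding it twice.
  community.general.ufw:
    rule: allow
    port: "{{ ssh_port | default(430) }}"
    proto: tcp
    comment: "SSH (managed by role common)"

- name: Enable UFW
  community.general.ufw:
    state: enabled

- name: Create persistent data directories
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    owner: "{{ username }}"
    group: "{{ username }}"
    mode: "0755"
  loop: "{{ data_dirs }}"

- name: Set inotify limits
  ansible.posix.sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    sysctl_file: /etc/sysctl.d/99-inotify.conf
    reload: true
  loop:
    # Quoted so the module receives the string form it compares against.
    - name: fs.inotify.max_user_instances
      value: "512"
    - name: fs.inotify.max_user_watches
      value: "524288"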