---
# Part of role: common
# Called by: ansible/playbooks/bootstrap-minisforum.yaml
# Description: Sets timezone, installs base packages, creates user, hardens SSH, configures UFW, and creates data directories.
# Apply the role's configured timezone; `timezone` is supplied by the role's
# vars/defaults (not visible in this file).
- name: Set timezone
  community.general.timezone:
    name: '{{ timezone }}'

# Refresh the apt index, then install the baseline package set.
# `base_packages` is a list defined outside this file.
- name: Install base packages
  ansible.builtin.apt:
    update_cache: true
    state: present
    name: '{{ base_packages }}'

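# Ensure the primary administrative account exists and is a member of `sudo`.
#
# `append: true` makes the group change additive. Without it,
# ansible.builtin.user replaces the user's entire supplementary-group list
# with just `sudo` on every run, silently dropping any group granted later
# (docker, adm, ...). No password is set, so the account is created with a
# locked password (typically a `!` shadow entry) and is reachable only via
# the SSH key installed by the next task.
# NOTE(review): a `sudo` member with a locked password cannot answer sudo's
# password prompt — presumably a NOPASSWD sudoers drop-in is managed elsewhere
# in the role; confirm.
- name: Create primary user
  ansible.builtin.user:
    name: '{{ username }}'
    groups: sudo
    append: true
    shell: /bin/bash
    create_home: true
    state: present
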
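# Authorize the operator's public key for the primary user.
#
# The key is read with the `file` lookup, i.e. on the controller, so the path
# must exist on the machine running the playbook. The previously hard-coded
# MacBook key remains the default; set `ssh_public_key_file` to use a
# different operator/controller key without editing this task.
# Not `exclusive`, so any keys already present in authorized_keys are kept.
- name: Set up authorized SSH key for user
  ansible.posix.authorized_key:
    user: '{{ username }}'
    state: present
    key: "{{ lookup('file', ssh_public_key_file | default('~/.ssh/id_ed25519-nik-macbookair.pub')) }}"
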
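# Harden sshd: key-only logins, no root login, non-default port.
#
# - `KbdInteractiveAuthentication no` is added because `PasswordAuthentication
#   no` alone does not stop password logins: sshd's default for
#   KbdInteractiveAuthentication is yes, and with UsePAM the PAM stack still
#   prompts for the account password over keyboard-interactive.
# - `validate` runs `sshd -t` against the candidate file before it is written,
#   so a malformed line cannot leave sshd unable to restart (locking everyone
#   out).
# - `insertbefore` keeps a directive that has to be appended out of any
#   trailing `Match` block, where it would apply only conditionally. When
#   `regexp` already matches, the existing line is replaced in place and
#   `insertbefore` is ignored.
# - Caveats this task cannot cover: sshd uses the FIRST value it sees for a
#   keyword, and recent Debian/Ubuntu `Include /etc/ssh/sshd_config.d/*.conf`
#   at the top of sshd_config, so a drop-in there (e.g. from cloud-init)
#   overrides these lines. Moving sshd to port 430 also means
#   `ufw_allowed_ports` must contain 430/tcp before UFW is enabled below,
#   or the next SSH connection is blocked.
- name: Harden SSH — disable password auth
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '{{ item.regexp }}'
    line: '{{ item.line }}'
    insertbefore: '^Match '
    state: present
    validate: '/usr/sbin/sshd -t -f %s'
  loop:
    - { regexp: '^#?PasswordAuthentication', line: 'PasswordAuthentication no' }
    - { regexp: '^#?KbdInteractiveAuthentication', line: 'KbdInteractiveAuthentication no' }
    - { regexp: '^#?PermitRootLogin', line: 'PermitRootLogin no' }
    - { regexp: '^#?PubkeyAuthentication', line: 'PubkeyAuthentication yes' }
    - { regexp: '^#?Port ', line: 'Port 430' }
  notify: Restart sshd
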
# The firewall frontend must be present before any policy or rule is set.
- name: Install UFW
  ansible.builtin.apt:
    state: present
    name: ufw

# Default policy: drop all inbound traffic that is not explicitly allowed.
- name: Set UFW default deny incoming
  community.general.ufw:
    direction: incoming
    default: deny

# Default policy: outbound traffic is unrestricted.
- name: Set UFW default allow outgoing
  community.general.ufw:
    direction: outgoing
    default: allow

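# Open the host's inbound allow-list. `ufw_allowed_ports` is a list of
# {port, proto, comment} mappings defined outside this file.
#
# `proto` and `comment` are optional here: an entry without them falls back
# to the ufw module's own defaults (any protocol, no comment) instead of
# failing on an undefined attribute. Entries that do set them behave exactly
# as before.
# Because sshd is moved to port 430 earlier in this file and UFW is enabled
# right after this task, the list must include 430/tcp or the host becomes
# unreachable over SSH.
- name: Allow required ports
  community.general.ufw:
    rule: allow
    port: '{{ item.port }}'
    proto: '{{ item.proto | default(omit) }}'
    comment: '{{ item.comment | default(omit) }}'
  loop: '{{ ufw_allowed_ports }}'
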
# Activate the firewall with the policy and rules configured above.
# The sshd port change made earlier only takes effect when the "Restart sshd"
# handler runs at the end of the play, so the new port (430/tcp) must already
# be in `ufw_allowed_ports` at this point or the next SSH connection is
# dropped.
- name: Enable UFW
  community.general.ufw:
    state: enabled

# Create the directories that hold persistent service data, owned by the
# primary user. `data_dirs` is a list of paths defined outside this file.
# Mode 0755 leaves them world-readable; tighten individual directories that
# will hold secrets.
- name: Create persistent data directories
  ansible.builtin.file:
    state: directory
    path: '{{ item }}'
    owner: '{{ username }}'
    group: '{{ username }}'
    mode: '0755'
  loop: '{{ data_dirs }}'