init

2026-03-14 05:38:45 +01:00 · 2026-03-14 05:38:45 +01:00 · 883f31932e
commit 883f31932e
169 changed files with 5676 additions and 0 deletions
--- a/ansible/roles/host/defaults/main.yml
+++ b/ansible/roles/host/defaults/main.yml
@ -0,0 +1,3 @@
+---
+admin_user: tiara
+admin_shell: /bin/bash
--- a/ansible/roles/host/handlers/main.yml
+++ b/ansible/roles/host/handlers/main.yml
@ -0,0 +1,11 @@
+---
+-
+    name: restart sshd
+    service:
+        name: sshd
+        state: restarted
+-
+    name: restart zramswap
+    systemd:
+        name: zramswap
+        state: restarted
--- a/ansible/roles/host/meta/main.yml
+++ b/ansible/roles/host/meta/main.yml
@ -0,0 +1,2 @@
+---
+dependencies: []
--- a/ansible/roles/host/tasks/main.yml
+++ b/ansible/roles/host/tasks/main.yml
@ -0,0 +1,13 @@
+---
+-
+    name: Load OS-specific variables
+    ansible.builtin.include_vars: "{{ ansible_os_family }}.yml"
+
+-
+    name: Set up admin user
+    ansible.builtin.include_tasks: setup-admin.yml
+    when: ssh_pubkey_dir is defined
+
+-
+    name: Set up base system
+    ansible.builtin.include_tasks: setup-base.yml
--- a/ansible/roles/host/tasks/setup-admin.yml
+++ b/ansible/roles/host/tasks/setup-admin.yml
@ -0,0 +1,35 @@
+---
+-
+    name: Create admin user
+    user:
+        name: "{{ admin_user }}"
+        shell: "{{ admin_shell }}"
+        groups: sudo
+        append: yes
+        create_home: yes
+
+-
+    name: Allow admin user passwordless sudo
+    copy:
+        dest: "/etc/sudoers.d/{{ admin_user }}"
+        content: "{{ admin_user }} ALL=(ALL) NOPASSWD:ALL\n"
+        mode: "0440"
+        validate: "visudo -cf %s"
+
+-
+    name: Find SSH public keys
+    find:
+        paths: "{{ ssh_pubkey_dir }}"
+        patterns: "*.pub"
+    delegate_to: localhost
+    become: no
+    register: ssh_pubkeys
+
+-
+    name: Deploy SSH authorized keys
+    authorized_key:
+        user: "{{ admin_user }}"
+        key: "{{ lookup('file', item.path) }}"
+    loop: "{{ ssh_pubkeys.files }}"
+    loop_control:
+        label: "{{ item.path | basename }}"
--- a/ansible/roles/host/tasks/setup-base.yml
+++ b/ansible/roles/host/tasks/setup-base.yml
@ -0,0 +1,69 @@
+---
+-
+    name: Update apt cache
+    apt:
+        update_cache: yes
+        cache_valid_time: 0
+
+-
+    name: Install base packages
+    apt:
+        name: "{{ host_base_packages }}"
+        state: present
+
+-
+    name: Disable SSH password authentication
+    lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: "^#?PasswordAuthentication"
+        line: "PasswordAuthentication no"
+    notify: restart sshd
+
+-
+    name: Disable SSH root login
+    lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: "^#?PermitRootLogin"
+        line: "PermitRootLogin no"
+    notify: restart sshd
+
+-
+    name: Allow SSH through UFW
+    community.general.ufw:
+        rule: allow
+        port: "22"
+        proto: tcp
+
+-
+    name: Allow additional UFW ports
+    community.general.ufw:
+        rule: allow
+        port: "{{ item.port }}"
+        proto: "{{ item.proto | default('tcp') }}"
+        from_ip: "{{ item.from | default('any') }}"
+    loop: "{{ ufw_allow | default([]) }}"
+
+-
+    name: Enable UFW with default deny
+    community.general.ufw:
+        state: enabled
+        default: deny
+        direction: incoming
+
+-
+    name: Configure fail2ban backend
+    copy:
+        dest: /etc/fail2ban/jail.local
+        content: |
+            [DEFAULT]
+            backend = {{ fail2ban_backend }}
+        owner: root
+        group: root
+        mode: "0644"
+
+-
+    name: Ensure fail2ban is running
+    service:
+        name: fail2ban
+        state: restarted
+        enabled: yes
--- a/ansible/roles/host/tasks/setup-swap.yml
+++ b/ansible/roles/host/tasks/setup-swap.yml
@ -0,0 +1,37 @@
+---
+-
+    name: Ensure swap exists
+    command: fallocate -l {{ swap_size | default('2G') }} /swapfile
+    args:
+        creates: /swapfile
+
+-
+    name: Set swap permissions
+    file:
+        path: /swapfile
+        mode: '0600'
+
+-
+    name: Make swap
+    command: mkswap /swapfile
+    args:
+        creates: /swapfile.swap
+
+-
+    name: Mark swapfile as initialized
+    file:
+        path: /swapfile.swap
+        state: touch
+
+-
+    name: Enable swap
+    command: swapon /swapfile
+    register: swap_on
+    failed_when: false
+
+-
+    name: Add swap to fstab
+    lineinfile:
+        path: /etc/fstab
+        line: "/swapfile none swap sw 0 0"
+        state: present
--- a/ansible/roles/host/tasks/setup-zram.yml
+++ b/ansible/roles/host/tasks/setup-zram.yml
@ -0,0 +1,37 @@
+---
+-
+    name: Install zram-tools
+    apt:
+        name: zram-tools
+        state: present
+
+-
+    name: Configure zram
+    copy:
+        dest: /etc/default/zramswap
+        content: |
+            ALGO={{ zram_algorithm | default('zstd') }}
+            PERCENT={{ zram_percent | default(50) }}
+            PRIORITY={{ zram_priority | default(100) }}
+        mode: '0644'
+    notify: restart zramswap
+
+-
+    name: Enable zramswap service
+    systemd:
+        name: zramswap
+        enabled: true
+        state: started
+
+-
+    name: Disable file-backed swap if present
+    command: swapoff /swapfile
+    failed_when: false
+    changed_when: false
+
+-
+    name: Remove file-backed swap from fstab
+    lineinfile:
+        path: /etc/fstab
+        line: "/swapfile none swap sw 0 0"
+        state: absent
--- a/ansible/roles/host/vars/Debian.yml
+++ b/ansible/roles/host/vars/Debian.yml
@ -0,0 +1,9 @@
+---
+host_base_packages:
+    - fail2ban
+    - unattended-upgrades
+    - ufw
+    - vim
+    - curl
+    - rsync
+fail2ban_backend: systemd