This commit is contained in:
Tiara Rodney 2026-03-14 05:38:45 +01:00
commit 883f31932e
No known key found for this signature in database
GPG key ID: 5CD8EC1D46106723
169 changed files with 5676 additions and 0 deletions


@ -0,0 +1,13 @@
---
-
name: Load OS-specific variables
ansible.builtin.include_vars: "{{ ansible_os_family }}.yml"
-
name: Set up admin user
ansible.builtin.include_tasks: setup-admin.yml
when: ssh_pubkey_dir is defined
-
name: Set up base system
ansible.builtin.include_tasks: setup-base.yml
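Review bot: The `when: ssh_pubkey_dir is defined` guard on the setup-admin include lets a run without that variable skip user creation and key deployment while setup-base (the next include, and a file in this commit) still disables SSH root login and password authentication, so an operator connected as root or with a password can be locked out of the host. Failing early is safer, e.g. an `ansible.builtin.assert` with `that: ssh_pubkey_dir is defined` placed before the includes, or gating the setup-base include on the same condition. `include_vars: "{{ ansible_os_family }}.yml"` also hard-fails on any OS family without a matching vars file; a `with_first_found` fallback or an explicit assert on the supported families would make that error intelligible.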


@ -0,0 +1,35 @@
---
-
name: Create admin user
user:
name: "{{ admin_user }}"
shell: "{{ admin_shell }}"
groups: sudo
append: yes
create_home: yes
-
name: Allow admin user passwordless sudo
copy:
dest: "/etc/sudoers.d/{{ admin_user }}"
content: "{{ admin_user }} ALL=(ALL) NOPASSWD:ALL\n"
mode: "0440"
validate: "visudo -cf %s"
-
name: Find SSH public keys
find:
paths: "{{ ssh_pubkey_dir }}"
patterns: "*.pub"
delegate_to: localhost
become: no
register: ssh_pubkeys
-
name: Deploy SSH authorized keys
authorized_key:
user: "{{ admin_user }}"
key: "{{ lookup('file', item.path) }}"
loop: "{{ ssh_pubkeys.files }}"
loop_control:
label: "{{ item.path | basename }}"
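Review bot: `groups: sudo` is hard-coded although main.yml loads per-OS-family variables; on a RHEL-family host the administrative group is `wheel`, so the user would be created without it while the NOPASSWD drop-in below still grants it full sudo — moving the name into the OS-family vars (`groups: "{{ admin_sudo_group }}"`) keeps the two files in step. The authorized_key task only adds keys, so a key deleted from `ssh_pubkey_dir` remains authorized on the host; if the directory is meant to be authoritative, `exclusive: true` is needed, and because `exclusive` inside a `loop` keeps only the last key, that means one call with the file contents joined by newlines instead of the loop. `append: yes`, `create_home: yes` and `become: no` would read better as `true` / `false`, matching `enabled: true` in the zram tasks of this commit.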


@ -0,0 +1,69 @@
---
-
name: Update apt cache
apt:
update_cache: yes
cache_valid_time: 0
-
name: Install base packages
apt:
name: "{{ host_base_packages }}"
state: present
-
name: Disable SSH password authentication
lineinfile:
path: /etc/ssh/sshd_config
regexp: "^#?PasswordAuthentication"
line: "PasswordAuthentication no"
notify: restart sshd
-
name: Disable SSH root login
lineinfile:
path: /etc/ssh/sshd_config
regexp: "^#?PermitRootLogin"
line: "PermitRootLogin no"
notify: restart sshd
-
name: Allow SSH through UFW
community.general.ufw:
rule: allow
port: "22"
proto: tcp
-
name: Allow additional UFW ports
community.general.ufw:
rule: allow
port: "{{ item.port }}"
proto: "{{ item.proto | default('tcp') }}"
from_ip: "{{ item.from | default('any') }}"
loop: "{{ ufw_allow | default([]) }}"
-
name: Enable UFW with default deny
community.general.ufw:
state: enabled
default: deny
direction: incoming
-
name: Configure fail2ban backend
copy:
dest: /etc/fail2ban/jail.local
content: |
[DEFAULT]
backend = {{ fail2ban_backend }}
owner: root
group: root
mode: "0644"
-
name: Ensure fail2ban is running
service:
name: fail2ban
state: restarted
enabled: yes
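Review bot: The two lineinfile edits of `/etc/ssh/sshd_config` do not account for the `Include /etc/ssh/sshd_config.d/*.conf` line that recent Debian/Ubuntu images put at the top of that file (Ubuntu cloud images ship a `50-cloud-init.conf` with `PasswordAuthentication yes`), and since sshd takes the first value it reads for a keyword, the hardening here can be silently overridden. Writing both settings to an early drop-in such as `/etc/ssh/sshd_config.d/00-hardening.conf` is more reliable, and either way the edits should carry `validate: '/usr/sbin/sshd -t -f %s'` so a bad line cannot leave sshd unable to restart. `state: restarted` on the fail2ban service forces a restart and reports changed on every run; `state: started` plus a `notify` handler on the jail.local copy is the idempotent form, and `cache_valid_time: 0` gives the apt task the same every-run behaviour.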


@ -0,0 +1,37 @@
---
-
name: Ensure swap exists
command: fallocate -l {{ swap_size | default('2G') }} /swapfile
args:
creates: /swapfile
-
name: Set swap permissions
file:
path: /swapfile
mode: '0600'
-
name: Make swap
command: mkswap /swapfile
args:
creates: /swapfile.swap
-
name: Mark swapfile as initialized
file:
path: /swapfile.swap
state: touch
-
name: Enable swap
command: swapon /swapfile
register: swap_on
failed_when: false
-
name: Add swap to fstab
lineinfile:
path: /etc/fstab
line: "/swapfile none swap sw 0 0"
state: present
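Review bot: `Mark swapfile as initialized` touches `/swapfile.swap` unconditionally, so it reports changed on every run and, if `mkswap` failed, the sentinel is still written and mkswap is never retried; registering the mkswap result and adding `when: mkswap_result is changed` to the touch (with `modification_time: preserve` and `access_time: preserve` for idempotence) fixes both. `Enable swap` likewise hides every error behind `failed_when: false`, never reads the registered `swap_on`, and reports changed each run; reading `/proc/swaps` first (a `command: cat /proc/swaps` with `changed_when: false`) and running swapon only when `/swapfile` is absent from it keeps real failures visible. Between `fallocate` and the following `file` task the swapfile also exists briefly with the default umask; creating it with `mode` already applied, or a single `command` that does `umask 077` before fallocate, closes that window.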


@ -0,0 +1,37 @@
---
-
name: Install zram-tools
apt:
name: zram-tools
state: present
-
name: Configure zram
copy:
dest: /etc/default/zramswap
content: |
ALGO={{ zram_algorithm | default('zstd') }}
PERCENT={{ zram_percent | default(50) }}
PRIORITY={{ zram_priority | default(100) }}
mode: '0644'
notify: restart zramswap
-
name: Enable zramswap service
systemd:
name: zramswap
enabled: true
state: started
-
name: Disable file-backed swap if present
command: swapoff /swapfile
failed_when: false
changed_when: false
-
name: Remove file-backed swap from fstab
lineinfile:
path: /etc/fstab
line: "/swapfile none swap sw 0 0"
state: absent
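Review bot: `Disable file-backed swap if present` runs `swapoff /swapfile` on every play with both `failed_when: false` and `changed_when: false`, so a genuine failure (for example too little free memory to absorb the pages) is hidden, and the file itself is never deleted, leaving the swapfile created by this commit's swap tasks on disk; checking `/proc/swaps` before calling swapoff and adding a `file` task with `path: /swapfile` and `state: absent` after it makes the cleanup visible and complete. The values interpolated into `/etc/default/zramswap` presumably end up sourced by the zramswap shell script, so a `zram_algorithm`, `zram_percent` or `zram_priority` containing spaces or shell metacharacters would break or be executed by the service; quoting them in the template (`ALGO="{{ zram_algorithm | default('zstd') }}"`) or validating them with an assert before the copy limits that. This file and the swap task file also edit the same fstab line in opposite directions, so if both can be included in one play their order decides the final state — worth a comment at the top of each.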