f8cd37ac8c
Includes: API (Express/TypeScript), Astro site, Python workers, document generators, FCC compliance tools, Canada CRTC formation, Ansible infrastructure, and deployment scripts. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
122 lines
3.3 KiB
YAML
122 lines
3.3 KiB
YAML
---
|
|
- name: Update apt cache
|
|
ansible.builtin.apt:
|
|
update_cache: true
|
|
cache_valid_time: 3600
|
|
|
|
- name: Upgrade all packages
|
|
ansible.builtin.apt:
|
|
upgrade: safe
|
|
|
|
- name: Install common packages
|
|
ansible.builtin.apt:
|
|
name: "{{ common_packages }}"
|
|
state: present
|
|
|
|
- name: Create deploy user
|
|
ansible.builtin.user:
|
|
name: "{{ deploy_user }}"
|
|
shell: /bin/bash
|
|
groups: sudo
|
|
append: true
|
|
create_home: true
|
|
state: present
|
|
|
|
- name: Set authorized key for deploy user
|
|
ansible.posix.authorized_key:
|
|
user: "{{ deploy_user }}"
|
|
key: "{{ lookup('file', '~/.ssh/id_ed25519.pub') }}"
|
|
state: present
|
|
|
|
- name: Allow deploy user passwordless sudo
|
|
ansible.builtin.copy:
|
|
content: "{{ deploy_user }} ALL=(ALL) NOPASSWD:ALL\n"
|
|
dest: "/etc/sudoers.d/{{ deploy_user }}"
|
|
mode: "0440"
|
|
validate: "visudo -cf %s"
|
|
|
|
- name: Deploy hardened sshd_config
|
|
ansible.builtin.template:
|
|
src: sshd_config.j2
|
|
dest: /etc/ssh/sshd_config
|
|
owner: root
|
|
group: root
|
|
mode: "0600"
|
|
validate: "sshd -t -f %s"
|
|
notify: Restart sshd
|
|
|
|
- name: Configure UFW defaults - deny incoming
|
|
community.general.ufw:
|
|
direction: incoming
|
|
policy: deny
|
|
|
|
- name: Configure UFW defaults - allow outgoing
|
|
community.general.ufw:
|
|
direction: outgoing
|
|
policy: allow
|
|
|
|
- name: Allow SSH on custom port
|
|
community.general.ufw:
|
|
rule: allow
|
|
port: "{{ ssh_port }}"
|
|
proto: tcp
|
|
comment: "SSH custom port"
|
|
|
|
- name: Enable UFW
|
|
community.general.ufw:
|
|
state: enabled
|
|
|
|
- name: Enable and start chrony
|
|
ansible.builtin.systemd:
|
|
name: chrony
|
|
enabled: true
|
|
state: started
|
|
|
|
- name: Configure unattended-upgrades — origins
|
|
ansible.builtin.copy:
|
|
content: |
|
|
// Automatically install security updates and stable updates
|
|
Unattended-Upgrade::Origins-Pattern {
|
|
"origin=Debian,codename=${distro_codename},label=Debian";
|
|
"origin=Debian,codename=${distro_codename},label=Debian-Security";
|
|
"origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
|
|
"origin=Debian,codename=${distro_codename}-updates,label=Debian";
|
|
};
|
|
|
|
// Auto-remove unused kernel packages and dependencies
|
|
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
|
|
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
|
|
Unattended-Upgrade::Remove-Unused-Dependencies "true";
|
|
|
|
// Reboot at 4 AM if a kernel update requires it
|
|
Unattended-Upgrade::Automatic-Reboot "true";
|
|
Unattended-Upgrade::Automatic-Reboot-Time "04:00";
|
|
|
|
// Email notification (optional — only if mail is configured)
|
|
// Unattended-Upgrade::Mail "root";
|
|
|
|
// Log to syslog
|
|
Unattended-Upgrade::SyslogEnable "true";
|
|
dest: /etc/apt/apt.conf.d/50unattended-upgrades
|
|
owner: root
|
|
group: root
|
|
mode: "0644"
|
|
|
|
- name: Configure auto-update schedule
|
|
ansible.builtin.copy:
|
|
content: |
|
|
// Run apt update and unattended-upgrade daily
|
|
APT::Periodic::Update-Package-Lists "1";
|
|
APT::Periodic::Unattended-Upgrade "1";
|
|
APT::Periodic::Download-Upgradeable-Packages "1";
|
|
APT::Periodic::AutocleanInterval "7";
|
|
dest: /etc/apt/apt.conf.d/20auto-upgrades
|
|
owner: root
|
|
group: root
|
|
mode: "0644"
|
|
|
|
- name: Enable and start unattended-upgrades
|
|
ansible.builtin.systemd:
|
|
name: unattended-upgrades
|
|
enabled: true
|
|
state: started
|