v0.1 done: docker webhosts, smtp gateway

roles/common/tasks/apt.yaml

@@ -0,0 +1,37 @@
+---
+- name: "Remove Ubuntu bloatware"
+  apt: 
+    state: absent
+    name: ubutu-server
+    autoremove: yes
+
+- name: "Update machine"
+  apt:
+    update_cache: yes
+    upgrade: yes
+    autoclean: yes
+    autoremove: yes
+
+- name: "Install my favourite applications"
+  apt:
+    update_cache: yes
+    state: present
+    name:
+     - tmux
+     - htop
+     - dnsutils
+     - needrestart
+     - curl
+     - wget
+     - netcat-openbsd
+     - tree
+     - net-tools
+     - nano
+     - psmisc
+     - python3
+     - python3-venv
+     - strace
+     - ifstat
+     - tcpdump
+     - xxd
+     - git

roles/common/tasks/clean-motd.yaml

@@ -0,0 +1,13 @@
+---
+- name: clean motd
+  file:
+    state: file
+    path: /etc/update-motd.d/{{ item }}
+    owner: root
+    group: root
+    mode: "0000"
+  with_items:
+    - 10-help-text
+    - 50-landscape-sysinfo
+    - 50-motd-news
+    - 91-release-upgrade

roles/common/tasks/disable-cloudinit.yaml

@@ -0,0 +1,13 @@
+---
+- name: disable cloudinit
+  copy:
+    content: ""
+    dest: /etc/cloud/cloud-init.disabled
+    force: no
+
+- name: disable network autoconfig
+  copy:
+    content: "network: {config: disabled}"
+    dest: /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg
+    force: no
+

roles/common/tasks/firewalld.yaml

@@ -0,0 +1,27 @@
+---
+- name: "Install Docker via apt"
+  apt:
+    update_cache: yes
+    state: present
+    name:
+     - firewalld
+
+- name: Start and enable firewalld
+  service:
+    name: firewalld
+    state: restarted
+    enabled: yes
+
+- name: Permit traffic in public zone for https service
+  ansible.posix.firewalld:
+    zone: public
+    service: https
+    permanent: yes
+    state: enabled
+
+- name: Permit traffic in public zone for ssh service
+  ansible.posix.firewalld:
+    zone: public
+    service: ssh
+    permanent: yes
+    state: enabled

roles/common/tasks/remove-snap.yaml

@@ -0,0 +1,18 @@
+---
+- name: Remove snapd from Ubuntu
+  apt:
+    name: snapd
+    state: absent
+    purge: yes
+  when: ansible_distribution == "Ubuntu"
+
+- name: Remove snapd-related directories
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - /snap
+    - /var/snap
+    - /var/lib/snapd
+    - "/home/{{ ansible_user }}/snap"
+  when: ansible_distribution == "Ubuntu"

roles/common/tasks/serivce-user.yaml

@@ -0,0 +1,7 @@
+---
+- name: "Add service user with docker group membership"
+  ansible.builtin.user:
+    name: service-user
+    comment: Service user
+    groups: docker
+    append: yes

roles/common/tasks/ssh-security-settings.yaml

@@ -0,0 +1,40 @@
+---
+- name: Disable password authentication
+  replace:
+    path: /etc/ssh/sshd_config
+    regexp: 'PasswordAuthentication yes'
+    replace: 'PasswordAuthentication no'
+
+- name: Disable root authentication
+  replace:
+    path: /etc/ssh/sshd_config
+    regexp: '#PermitRootLogin prohibit-password'
+    replace: 'PermitRootLogin no'
+
+- name: Disable X11 forwarding
+  replace:
+    path: /etc/ssh/sshd_config
+    regexp: 'X11Forwarding yes'
+    replace: 'X11Forwarding no'
+
+- name: Explicitly only listen on ipv4
+  replace:
+    path: /etc/ssh/sshd_config
+    regexp: '#AddressFamily any'
+    replace: 'AddressFamily inet'
+
+- name: Check if AllowUsers is defined
+  lineinfile:
+    state: absent
+    path: /etc/ssh/sshd_config
+    regexp: "^AllowUsers"
+  check_mode: true
+  changed_when: false
+  register: checkallowusers
+
+- name: Define AllowUsers if undefined
+  lineinfile:
+    state: present
+    path: /etc/ssh/sshd_config
+    line: "AllowUsers tormakris ansible service-user"
+  when: checkallowusers.found == 0

roles/common/tasks/static-networking.yaml

@@ -0,0 +1,16 @@
+---
+- name: "remove cloudinit config"
+  file:
+    path: /etc/netplan/50-cloud-init.yaml
+    state: absent
+
+- name: "remove installer config"
+  file:
+    path: /etc/netplan/00-installer-config.yaml
+    state: absent
+
+- name: "install static config"
+  template:
+    src: templates/netplan.yaml
+    dest: /etc/netplan/00-static.yaml
+  notify: netplanapply

roles/common/tasks/timesync.yaml

@@ -0,0 +1,18 @@
+---
+- name: Setup timesync config
+  template:
+    src: timesyncd.conf.template
+    dest: /etc/systemd/timesyncd.conf
+  notify: run Timedatectl
+  when: ansible_service_mgr == "systemd"
+
+- name: set Timezone
+  timezone: name={{ timedatectl_timezone }}
+  when: ansible_service_mgr == "systemd"
+
+- name: Reastart timesyncd to apply changes
+  when: ansible_service_mgr == "systemd"
+  ansible.builtin.systemd:
+    state: restarted
+    daemon_reload: yes
+    name: systemd-timesyncd