This repository has been archived by the owner on Sep 20, 2022. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 0
/
bootstrap.yml
120 lines (104 loc) · 2.84 KB
/
bootstrap.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
---
- hosts: all
become: yes
become_user: root
roles:
- role: jnv.unattended-upgrades
# Default ubuntu pattern is security only
unattended_mail_only_on_error: true
unattended_automatic_reboot: true
unattended_mail: [email protected]
- role: geerlingguy.docker
docker_users:
- ubuntu
docker_install_compose: true
docker_service_state: started
docker_service_enabled: true
docker_restart_handler_state: restarted
docker_package_state: present
# For some reason, this isn't detected automatically; we manually specify
# the architecture here otherwise the install will fail.
docker_apt_arch: arm64
docker_apt_release_channel: stable
tasks:
- name: Update apt package cache
apt: update_cache=yes
- name: apt dist-upgrade
apt:
upgrade: dist
# Root and password SSH access should already be prohibited by cloud-init
- name: Prohibit root SSH access
lineinfile:
dest: /etc/ssh/sshd_config
regexp: '^PermitRootLogin'
line: 'PermitRootLogin no'
state: present
notify: restart ssh
- name: Prohibit SSH password auth
lineinfile:
dest: /etc/ssh/sshd_config
regexp: '^PasswordAuthentication'
line: 'PasswordAuthentication no'
state: present
notify: restart ssh
- name: Prohibit SSH challenge-response auth
lineinfile:
dest: /etc/ssh/sshd_config
regexp: '^ChallengeResponseAuthentication'
line: 'ChallengeResponseAuthentication no'
state: present
notify: restart ssh
- name: Install packages
apt:
pkg:
- ufw
- python3-pip
- name: Configure ufw to allow ssh
ufw:
rule: limit
port: '22'
proto: tcp
- name: Configure ufw for apps
ufw: rule=allow port={{ item }}
with_items:
# Refer to docker-compose.yml
- '3478'
- '10001'
- '8443'
- '53'
- '67'
- '80'
- '443'
- '7742'
- '6789'
- name: Enable ufw
ufw:
state: enabled
policy: deny
# Needed for the docker-compose task
- name: Install Docker bindings for Python
pip:
name:
- docker
- docker-compose
- name: Copy docker-compose.yml to pi
copy:
src: docker-compose.yml
dest: /home/ubuntu/docker-compose.yml
owner: ubuntu
group: ubuntu
mode: 0644
- name: Stop all services
docker_compose:
project_src: /home/ubuntu
stopped: yes
- name: Provision containers
docker_compose:
project_src: /home/ubuntu
project_name: serv
state: present
handlers:
- name: restart ssh
service:
name: ssh
state: restarted