102 lines
2.2 KiB
YAML
102 lines
2.2 KiB
YAML
---
|
|
# Common-Rolle für grundlegende Systemeinstellungen
|
|
|
|
- name: Setze globale Variablen
|
|
set_fact:
|
|
deploy_root: "{{ deploy_root | default('/var/www/michaelschiemer') }}"
|
|
deploy_user: "{{ deploy_user | default(ansible_user) }}"
|
|
app_domain: "{{ app_domain | default('localhost') }}"
|
|
tags: [always]
|
|
|
|
- name: Aktualisiere Paketindex
|
|
apt:
|
|
update_cache: yes
|
|
cache_valid_time: 3600
|
|
tags: [always]
|
|
|
|
- name: Installiere grundlegende Pakete
|
|
apt:
|
|
name:
|
|
- sudo
|
|
- vim
|
|
- htop
|
|
- git
|
|
- zip
|
|
- unzip
|
|
- curl
|
|
- wget
|
|
- net-tools
|
|
- rsync
|
|
- python3-pip
|
|
- ufw
|
|
- fail2ban
|
|
state: present
|
|
tags: [system, packages]
|
|
|
|
- name: Setze Zeitzone auf Europe/Berlin
|
|
timezone:
|
|
name: Europe/Berlin
|
|
tags: [system, timezone]
|
|
|
|
# Benutzer und Berechtigungen
|
|
- name: Stelle sicher, dass Deploy-Benutzer existiert
|
|
user:
|
|
name: "{{ deploy_user }}"
|
|
shell: /bin/bash
|
|
groups: sudo
|
|
append: yes
|
|
createhome: yes
|
|
state: present
|
|
when: deploy_user != 'root' and ansible_connection != 'local'
|
|
tags: [system, user]
|
|
|
|
- name: Stelle sicher, dass SSH-Verzeichnis existiert
|
|
file:
|
|
path: "/home/{{ deploy_user }}/.ssh"
|
|
state: directory
|
|
owner: "{{ deploy_user }}"
|
|
group: "{{ deploy_user }}"
|
|
mode: '0700'
|
|
when: deploy_user != 'root' and ansible_connection != 'local'
|
|
tags: [system, user]
|
|
|
|
- name: Konfiguriere passwordless sudo für deploy-Benutzer
|
|
lineinfile:
|
|
path: "/etc/sudoers.d/{{ deploy_user }}"
|
|
line: "{{ deploy_user }} ALL=(ALL) NOPASSWD: ALL"
|
|
state: present
|
|
create: yes
|
|
mode: '0440'
|
|
validate: 'visudo -cf %s'
|
|
become: true
|
|
when: deploy_user != 'root' and ansible_connection != 'local'
|
|
tags: [system, user]
|
|
|
|
# Firewall
|
|
- name: Öffne Ports in Firewall
|
|
ufw:
|
|
rule: allow
|
|
port: "{{ item }}"
|
|
proto: tcp
|
|
loop:
|
|
- '22' # SSH
|
|
- '80' # HTTP
|
|
- '443' # HTTPS
|
|
tags: [system, firewall]
|
|
|
|
- name: Aktiviere Firewall
|
|
ufw:
|
|
state: enabled
|
|
policy: deny
|
|
tags: [system, firewall]
|
|
|
|
# Verzeichnisse
|
|
- name: Erstelle deploy_root-Verzeichnis
|
|
file:
|
|
path: "{{ deploy_root }}"
|
|
state: directory
|
|
owner: "{{ deploy_user }}"
|
|
group: "{{ deploy_user }}"
|
|
mode: '0755'
|
|
tags: [system, directories]
|