diff --git a/inventory/vagrant.yml b/inventory/vagrant.yml
index 9cb9a38..9534c38 100644
--- a/inventory/vagrant.yml
+++ b/inventory/vagrant.yml
@@ -1,7 +1,6 @@
 pearl:
 hosts:
 192.168.56.2:
- ansible_ssh_port: 2222
 ansible_ssh_user: vagrant
 ansible_ssh_private_key_file: '.vagrant/machines/pearl/virtualbox/private_key'
 debian_version: 'trixie'
diff --git a/plays/pearl.yml b/plays/pearl.yml
index e9aecbf..675cf46 100644
--- a/plays/pearl.yml
+++ b/plays/pearl.yml
@@ -4,17 +4,15 @@
 become: true
 roles:
 - 'any.common.python'
- - 'any.common.debian-user'
- tags: first
+ tags: base
 
 - hosts: pearl
 become: true
 roles:
 - 'any.common.debian-repositories'
+ - 'any.common.debian-user'
 - 'any.tools.default'
- - 'any.tools.ufw'
+ - 'any.tools.docker'
 - 'any.tools.restic'
 - 'any.tools.caddy'
- - 'any.common.ssh'
- - 'pearl.mounts'
 tags: base
diff --git a/roles/any.common.ssh/files/sshd_config b/roles/any.common.ssh/files/sshd_config
deleted file mode 100644
index 95a4f0f..0000000
--- a/roles/any.common.ssh/files/sshd_config
+++ /dev/null
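Review bot: Removing `any.tools.ufw` and `any.common.ssh` from the second play in plays/pearl.yml leaves no role in this play that sets a firewall policy or manages sshd, so the host now runs whatever sshd defaults the image ships; the deleted role had pinned `PermitRootLogin no`, `PasswordAuthentication no` and `KbdInteractiveAuthentication no` (while also setting `GatewayPorts yes` and `X11Forwarding yes`, so restoring that file wholesale is not the fix either). If the hardening is now enforced elsewhere (the image, a cloud firewall, or the new `any.tools.docker` role, which is not in this diff), record it next to the roles list, e.g. `# sshd hardening and host firewall intentionally not managed here — enforced by <PLACEHOLDER: image/ticket>`; otherwise a small role dropping just those three auth directives into `/etc/ssh/sshd_config.d/` would keep the previous posture. Also note that Docker inserts published container ports into its own iptables chains, so any host firewall reintroduced later has to account for that rather than relying on INPUT rules alone. Folding `tags: first` into `tags: base` removes the only tag that let the bootstrap play (`any.common.python`) run on its own; keeping `first` alongside `base` would preserve that. The first play's header sits above the hunk.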
@@ -1,126 +0,0 @@
-# This is the sshd server system-wide configuration file. See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options override the
-# default value.
-
-Include /etc/ssh/sshd_config.d/*.conf
-
-Port 2222
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Ciphers and keying
-#RekeyLimit default none
-
-# Logging
-#SyslogFacility AUTH
-#LogLevel INFO
-
-# Authentication:
-
-#LoginGraceTime 2m
-PermitRootLogin no
-#StrictModes yes
-#MaxAuthTries 6
-#MaxSessions 10
-
-PubkeyAuthentication yes
-
-# Expect .ssh/authorized_keys2 to be disregarded by default in future.
-#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
-
-#AuthorizedPrincipalsFile none
-
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
-PasswordAuthentication no
-#PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-KbdInteractiveAuthentication no
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-#GSSAPIStrictAcceptorCheck yes
-#GSSAPIKeyExchange no
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the KbdInteractiveAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via KbdInteractiveAuthentication may bypass
-# the setting of "PermitRootLogin prohibit-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and KbdInteractiveAuthentication to 'no'.
-UsePAM yes
-
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-
-# Useful for tunneling local SSH ports
-GatewayPorts yes
-
-X11Forwarding yes
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PermitTTY yes
-PrintMotd no
-#PrintLastLog yes
-#TCPKeepAlive yes
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#UseDNS no
-#PidFile /run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-
-# no default banner path
-#Banner none
-
-# Allow client to pass locale environment variables
-AcceptEnv LANG LC_*
-
-# override default of no subsystems
-Subsystem sftp /usr/lib/openssh/sftp-server
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-# X11Forwarding no
-# AllowTcpForwarding no
-# PermitTTY no
-# ForceCommand cvs server
-UseDNS no
-GSSAPIAuthentication no
diff --git a/roles/any.common.ssh/handlers/main.yml b/roles/any.common.ssh/handlers/main.yml deleted file mode 100644 index 06ff1f3..0000000 --- a/roles/any.common.ssh/handlers/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: 'restart sshd' - ansible.builtin.service: - name: sshd - state: 'reloaded' diff --git a/roles/any.common.ssh/tasks/main.yml b/roles/any.common.ssh/tasks/main.yml deleted file mode 100644 index 1fcd06e..0000000 --- a/roles/any.common.ssh/tasks/main.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- name: Ensure sshd config is present - ansible.builtin.copy: - src: 'sshd_config' - dest: '/etc/ssh/sshd_config' - owner: root - group: root - mode: '644' - notify: 'restart sshd' diff --git a/roles/any.tools.caddy/tasks/main.yml b/roles/any.tools.caddy/tasks/main.yml index b564163..f9a30e4 100644 --- a/roles/any.tools.caddy/tasks/main.yml +++ b/roles/any.tools.caddy/tasks/main.yml @@ -34,10 +34,3 @@ state: started enabled: true -- name: Open HTTP ports in firewall - community.general.ufw: - port: '{{ item }}' - rule: 'allow' - loop: - - 'http' - - 'https' diff --git a/roles/any.tools.default/tasks/main.yml b/roles/any.tools.default/tasks/main.yml index 139de19..1cdbcf5 100644 --- a/roles/any.tools.default/tasks/main.yml +++ b/roles/any.tools.default/tasks/main.yml @@ -32,7 +32,6 @@ - btrfs-progs - curl - - podman state: present - name: Ensure cron service is enabled diff --git a/roles/any.tools.ufw/tasks/main.yml b/roles/any.tools.ufw/tasks/main.yml deleted file mode 100644 index 6c00c98..0000000 --- a/roles/any.tools.ufw/tasks/main.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- -- name: Ensure UFW is installed - apt: - name: ufw - state: present - -- name: Set default policy to deny - community.general.ufw: - default: 'deny' - -- name: Allow SSH connections - community.general.ufw: - port: 2222 - rule: 'allow' - -- name: Ensure UFW is enabled - community.general.ufw: - state: 'enabled' 
diff --git a/roles/pearl.mounts/tasks/main.yml b/roles/pearl.mounts/tasks/main.yml
deleted file mode 100644
index e87a88b..0000000
--- a/roles/pearl.mounts/tasks/main.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-- name: Ensure block volume is mounted
- ansible.posix.mount:
- path: /mnt/data1
- src: "UUID=e51a43f8-d131-4c64-8bce-a206e5621483"
- fstype: btrfs
- state: mounted