feat: update pearl play

inventory/vagrant.yml

@@ -1,6 +1,7 @@
 pearl:
   hosts:
     192.168.56.2:
+      ansible_ssh_port: 2222
       ansible_ssh_user: vagrant
       ansible_ssh_private_key_file: '.vagrant/machines/pearl/virtualbox/private_key'
       debian_version: 'trixie'

plays/pearl.yml

@@ -4,15 +4,17 @@
   become: true
   roles:
     - 'any.common.python'
-  tags: base
+    - 'any.common.debian-user'
+  tags: first
 
 - hosts: pearl
   become: true
   roles:
     - 'any.common.debian-repositories'
-    - 'any.common.debian-user'
     - 'any.tools.default'
-    - 'any.tools.docker'
+    - 'any.tools.ufw'
     - 'any.tools.restic'
     - 'any.tools.caddy'
+    - 'any.common.ssh'
+    - 'pearl.mounts'
   tags: base

roles/any.common.ssh/files/sshd_config

@@ -0,0 +1,126 @@
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+Port 2222
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin no
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile     .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+KbdInteractiveAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin prohibit-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+
+# Useful for tunneling local SSH ports
+GatewayPorts yes
+
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem       sftp    /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#       X11Forwarding no
+#       AllowTcpForwarding no
+#       PermitTTY no
+#       ForceCommand cvs server
+UseDNS no
+GSSAPIAuthentication no

roles/any.common.ssh/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: 'restart sshd'
+  ansible.builtin.service:
+    name: sshd
+    state: 'reloaded'

roles/any.common.ssh/tasks/main.yml

@@ -0,0 +1,9 @@
+---
+- name: Ensure sshd config is present
+  ansible.builtin.copy:
+    src: 'sshd_config'
+    dest: '/etc/ssh/sshd_config'
+    owner: root
+    group: root
+    mode: '644'
+  notify: 'restart sshd'

roles/any.tools.caddy/tasks/main.yml

@@ -34,3 +34,10 @@
     state: started
     enabled: true
 
+- name: Open HTTP ports in firewall
+  community.general.ufw:
+    port: '{{ item }}'
+    rule: 'allow'
+  loop:
+    - 'http'
+    - 'https'

roles/any.tools.default/tasks/main.yml

@@ -32,6 +32,7 @@
       - btrfs-progs
 
       - curl
+      - podman
     state: present
 
 - name: Ensure cron service is enabled

roles/any.tools.ufw/tasks/main.yml

@@ -0,0 +1,18 @@
+---
+- name: Ensure UFW is installed
+  apt:
+    name: ufw
+    state: present
+
+- name: Set default policy to deny
+  community.general.ufw:
+    default: 'deny'
+
+- name: Allow SSH connections
+  community.general.ufw:
+    port: 2222
+    rule: 'allow'
+
+- name: Ensure UFW is enabled
+  community.general.ufw:
+    state: 'enabled'

roles/pearl.mounts/tasks/main.yml

@@ -0,0 +1,7 @@
+---
+- name: Ensure block volume is mounted
+  ansible.posix.mount:
+    path: /mnt/data1
+    src: "UUID=e51a43f8-d131-4c64-8bce-a206e5621483"
+    fstype: btrfs
+    state: mounted