first commit

roles/defaults/tasks/main.yml

@@ -0,0 +1,23 @@
+---
+- name: Update apt cache & install sudo
+  ansible.builtin.apt:
+    update_cache: true
+    cache_valid_time: 3600
+    name:
+      - sudo
+
+- name: Add user "{{ user['name'] }}"
+  ansible.builtin.user:
+    name: "{{ user['name'] }}"
+    password: "{{ user['password'] }}"
+    shell: /bin/bash
+    groups: sudo
+
+- name: Configure SSH
+  ansible.builtin.import_tasks: ssh-config.yml
+
+- name: Install & Configure unattended upgrades
+  ansible.builtin.import_tasks: unattended-upgrades.yml
+
+- name: Install & Configure Postfix
+  ansible.builtin.import_tasks: postfix.yml

roles/defaults/tasks/postfix.yml

@@ -0,0 +1,66 @@
+---
+- name: Update /etc/hostname
+  become: true
+  ansible.builtin.hostname:
+    name: '{{ hostname }}'
+
+- name: Update /etc/hosts
+  become: true
+  ansible.builtin.lineinfile:
+    path: /etc/hosts
+    regexp: '^127.0.1.1'
+    line: '127.0.1.1 {{ hostname }}.{{ domain }} {{ hostname }}'
+
+- name: Update /etc/aliases | set email adress
+  become: true
+  ansible.builtin.lineinfile:
+    path: /etc/aliases
+    regexp: '^root:'
+    line: 'root: {{ email_reports }}'
+  notify: New aliases
+
+- name: Ensure postfix is installed
+  become: true
+  ansible.builtin.package:
+    name: postfix
+    state: present
+
+- name: Update Postfix configuration
+  become: true
+  ansible.builtin.lineinfile:
+    dest: "{{ postfix_config_file }}"
+    line: "{{ item.name }} = {{ item.value }}"
+    regexp: "^{{ item.name }} ="
+    mode: '0644'
+  with_items:
+    - name: inet_protocols
+      value: "{{ postfix_inet_protocols }}"
+    - name: relayhost
+      value: "{{ postfix_relayhost }}"
+    - name: myhostname
+      value: "{{ hostname }}.{{ domain }}"
+    - name: smtp_sasl_auth_enable
+      value: "{{ smtp_sasl_enable }}"
+    - name: smtp_sasl_password_maps
+      value: "{{ smtp_sasl_file }}"
+    - name: smtp_sasl_security_options
+      value: "{{ smtp_sasl_options }}"
+
+- name: Copy relay_passwd
+  ansible.builtin.template:
+    src: "../templates/relay_passwd.j2"
+    dest: /etc/postfix/relay_passwd
+    owner: root
+    group: root
+    mode: '0644'
+
+  notify:
+    - Postmap relay_passwd
+    - Restart postfix
+
+- name: Ensure postfix is started and enabled at boot
+  become: true
+  ansible.builtin.service:
+    name: postfix
+    state: "{{ postfix_service_state }}"
+    enabled: "{{ postfix_service_enabled }}"

roles/defaults/tasks/ssh-config.yml

@@ -0,0 +1,23 @@
+---
+- name: Add Authorized Keys
+  ansible.posix.authorized_key:
+    user: "{{ user['name'] }}"
+    state: present
+    key: "{{ lookup('file', 'simon_win11.pub') }}"
+
+- name: Harden SSH Config
+  ansible.builtin.lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+    state: present
+    validate: 'sshd -T -f %s'
+    mode: '0644'
+  with_items:
+    - regexp: "^PasswordAuthentication"
+      line: "PasswordAuthentication no"
+    - regexp: "^Port"
+      line: "Port {{ ssh_port }}"
+    - regexp: "^PermitRootLogin"
+      line: "PermitRootLogin without-password"
+  notify: Restart ssh

roles/defaults/tasks/unattended-upgrades.yml

@@ -0,0 +1,18 @@
+---
+- name: Install unattended-upgrades
+  ansible.builtin.apt:
+    name: unattended-upgrades
+    state: present
+  when: ansible_os_family == 'Debian'
+
+- name: Configure unattended-upgrades
+  ansible.builtin.template:
+    src: "../templates/{{ item }}.j2"
+    dest: "/etc/apt/apt.conf.d/{{ item }}"
+    owner: root
+    group: root
+    mode: '0644'
+  with_items:
+    - 20auto-upgrades
+    - 50unattended-upgrades
+  when: ansible_os_family == 'Debian'