Post-Tyranny-Tech-Infrastru.../ansible/roles/common/defaults/main.yml

---
# Default variables for common role

# Timezone
common_timezone: "Europe/Amsterdam"

# SSH Configuration
common_ssh_port: 22
common_ssh_permit_root_login: "prohibit-password"
common_ssh_password_authentication: "no"
common_ssh_pubkey_authentication: "yes"

# UFW Firewall
common_ufw_default_incoming: "deny"
common_ufw_default_outgoing: "allow"
common_ufw_allowed_ports:
  - { port: "22", proto: "tcp", comment: "SSH" }
  - { port: "80", proto: "tcp", comment: "HTTP" }
  - { port: "443", proto: "tcp", comment: "HTTPS" }

# Automatic Updates
common_unattended_upgrades: true
common_auto_reboot: false  # Manual control over reboots

# Fail2ban
common_fail2ban_enabled: true
common_fail2ban_bantime: 3600  # 1 hour
common_fail2ban_findtime: 600  # 10 minutes
common_fail2ban_maxretry: 5

# System packages
common_packages:
  - curl
  - wget
  - git
  - vim
  - htop
  - net-tools
  - ufw
  - fail2ban
  - unattended-upgrades
  - apt-listchanges
WIP: Ansible base configuration - common role (#2) Progress on Issue #2: Ansible Base Configuration Completed: - ✅ Ansible installed via pipx (isolated Python environment) - ✅ Hetzner Cloud dynamic inventory configured - ✅ Ansible configuration (ansible.cfg) - ✅ Common role for base system hardening: - SSH hardening (key-only, no root password) - UFW firewall configuration - Fail2ban for SSH protection - Automatic security updates - Timezone and system packages - ✅ Comprehensive Ansible README with setup guide Architecture Updates: - Added Decision #15: pipx for isolated Python environments - Updated ADR changelog with pipx adoption Still TODO for #2: - Docker role - Traefik role - Setup playbook - Deploy playbook - Testing against live server Files added: - ansible/README.md - Complete Ansible guide - ansible/ansible.cfg - Ansible configuration - ansible/hcloud.yml - Hetzner dynamic inventory - ansible/roles/common/* - Base hardening role Partial progress on #2 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-27 14:00:22 +01:00			`---`
			`# Default variables for common role`

			`# Timezone`
			`common_timezone: "Europe/Amsterdam"`

			`# SSH Configuration`
			`common_ssh_port: 22`
			`common_ssh_permit_root_login: "prohibit-password"`
			`common_ssh_password_authentication: "no"`
			`common_ssh_pubkey_authentication: "yes"`

			`# UFW Firewall`
			`common_ufw_default_incoming: "deny"`
			`common_ufw_default_outgoing: "allow"`
			`common_ufw_allowed_ports:`
			`- { port: "22", proto: "tcp", comment: "SSH" }`
			`- { port: "80", proto: "tcp", comment: "HTTP" }`
			`- { port: "443", proto: "tcp", comment: "HTTPS" }`

			`# Automatic Updates`
			`common_unattended_upgrades: true`
			`common_auto_reboot: false # Manual control over reboots`

			`# Fail2ban`
			`common_fail2ban_enabled: true`
			`common_fail2ban_bantime: 3600 # 1 hour`
			`common_fail2ban_findtime: 600 # 10 minutes`
			`common_fail2ban_maxretry: 5`

			`# System packages`
			`common_packages:`
			`- curl`
			`- wget`
			`- git`
			`- vim`
			`- htop`
			`- net-tools`
			`- ufw`
			`- fail2ban`
			`- unattended-upgrades`
			`- apt-listchanges`