Post-X-Society/Post-Tyranny-Tech-Infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Post-Tyranny-Tech-Infrastru.../ansible/roles/common/defaults/main.yml
Pieter 171cbfbb32 WIP: Ansible base configuration - common role (#2) 
Progress on Issue #2: Ansible Base Configuration

Completed:
-  Ansible installed via pipx (isolated Python environment)
-  Hetzner Cloud dynamic inventory configured
-  Ansible configuration (ansible.cfg)
-  Common role for base system hardening:
  - SSH hardening (key-only, no root password)
  - UFW firewall configuration
  - Fail2ban for SSH protection
  - Automatic security updates
  - Timezone and system packages
-  Comprehensive Ansible README with setup guide

Architecture Updates:
- Added Decision #15: pipx for isolated Python environments
- Updated ADR changelog with pipx adoption

Still TODO for #2:
- Docker role
- Traefik role
- Setup playbook
- Deploy playbook
- Testing against live server

Files added:
- ansible/README.md - Complete Ansible guide
- ansible/ansible.cfg - Ansible configuration
- ansible/hcloud.yml - Hetzner dynamic inventory
- ansible/roles/common/* - Base hardening role

Partial progress on #2

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-27 14:00:22 +01:00

42 lines
949 B
YAML
Raw Blame History

---
# Default variables for common role
# Timezone
common_timezone: "Europe/Amsterdam"
# SSH Configuration
common_ssh_port: 22
common_ssh_permit_root_login: "prohibit-password"
common_ssh_password_authentication: "no"
common_ssh_pubkey_authentication: "yes"
# UFW Firewall
common_ufw_default_incoming: "deny"
common_ufw_default_outgoing: "allow"
common_ufw_allowed_ports:
- { port: "22", proto: "tcp", comment: "SSH" }
- { port: "80", proto: "tcp", comment: "HTTP" }
- { port: "443", proto: "tcp", comment: "HTTPS" }
# Automatic Updates
common_unattended_upgrades: true
common_auto_reboot: false # Manual control over reboots
# Fail2ban
common_fail2ban_enabled: true
common_fail2ban_bantime: 3600 # 1 hour
common_fail2ban_findtime: 600 # 10 minutes
common_fail2ban_maxretry: 5
# System packages
common_packages:
- curl
- wget
- git
- vim
- htop
- net-tools
- ufw
- fail2ban
- unattended-upgrades
- apt-listchanges
Reference in a new issue View git blame Copy permalink