Post-X-Society/Post-Tyranny-Tech-Infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Post-Tyranny-Tech-Infrastru.../ansible/roles/common/templates/50unattended-upgrades.j2
Pieter 171cbfbb32 WIP: Ansible base configuration - common role (#2) 
Progress on Issue #2: Ansible Base Configuration

Completed:
-  Ansible installed via pipx (isolated Python environment)
-  Hetzner Cloud dynamic inventory configured
-  Ansible configuration (ansible.cfg)
-  Common role for base system hardening:
  - SSH hardening (key-only, no root password)
  - UFW firewall configuration
  - Fail2ban for SSH protection
  - Automatic security updates
  - Timezone and system packages
-  Comprehensive Ansible README with setup guide

Architecture Updates:
- Added Decision #15: pipx for isolated Python environments
- Updated ADR changelog with pipx adoption

Still TODO for #2:
- Docker role
- Traefik role
- Setup playbook
- Deploy playbook
- Testing against live server

Files added:
- ansible/README.md - Complete Ansible guide
- ansible/ansible.cfg - Ansible configuration
- ansible/hcloud.yml - Hetzner dynamic inventory
- ansible/roles/common/* - Base hardening role

Partial progress on #2

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-27 14:00:22 +01:00

28 lines
889 B
Django/Jinja
Raw Blame History

// Automatic upgrade configuration
// Managed by Ansible - do not edit manually
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
"${distro_id}ESMApps:${distro_codename}-apps-security";
"${distro_id}ESM:${distro_codename}-infra-security";
};
// List of packages to not update
Unattended-Upgrade::Package-Blacklist {
};
// Automatically reboot if needed
Unattended-Upgrade::Automatic-Reboot "{{ 'true' if common_auto_reboot else 'false' }}";
// Reboot time if automatic reboot is enabled
Unattended-Upgrade::Automatic-Reboot-Time "03:00";
// Email notification (disabled by default)
// Unattended-Upgrade::Mail "root";
// Remove unused dependencies
Unattended-Upgrade::Remove-Unused-Dependencies "true";
// Automatically cleanup old kernels
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
Reference in a new issue View git blame Copy permalink