171cbfbb32
Progress on Issue #2: Ansible Base Configuration Completed: - ✅ Ansible installed via pipx (isolated Python environment) - ✅ Hetzner Cloud dynamic inventory configured - ✅ Ansible configuration (ansible.cfg) - ✅ Common role for base system hardening: - SSH hardening (key-only, no root password) - UFW firewall configuration - Fail2ban for SSH protection - Automatic security updates - Timezone and system packages - ✅ Comprehensive Ansible README with setup guide Architecture Updates: - Added Decision #15: pipx for isolated Python environments - Updated ADR changelog with pipx adoption Still TODO for #2: - Docker role - Traefik role - Setup playbook - Deploy playbook - Testing against live server Files added: - ansible/README.md - Complete Ansible guide - ansible/ansible.cfg - Ansible configuration - ansible/hcloud.yml - Hetzner dynamic inventory - ansible/roles/common/* - Base hardening role Partial progress on #2 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
28 lines
751 B
YAML
28 lines
751 B
YAML
---
|
|
# UFW firewall configuration
|
|
|
|
- name: Reset UFW to default state
|
|
community.general.ufw:
|
|
state: reset
|
|
when: ansible_facts['distribution'] == 'Ubuntu'
|
|
|
|
- name: Set UFW default policies
|
|
community.general.ufw:
|
|
direction: "{{ item.direction }}"
|
|
policy: "{{ item.policy }}"
|
|
loop:
|
|
- { direction: 'incoming', policy: '{{ common_ufw_default_incoming }}' }
|
|
- { direction: 'outgoing', policy: '{{ common_ufw_default_outgoing }}' }
|
|
|
|
- name: Allow specified ports through UFW
|
|
community.general.ufw:
|
|
rule: allow
|
|
port: "{{ item.port }}"
|
|
proto: "{{ item.proto }}"
|
|
comment: "{{ item.comment }}"
|
|
loop: "{{ common_ufw_allowed_ports }}"
|
|
|
|
- name: Enable UFW
|
|
community.general.ufw:
|
|
state: enabled
|
|
logging: 'on'
|