04.08.25

roles/docker/tasks/main.yml

@@ -0,0 +1,26 @@
+- name: Install required packages
+  apt:
+    name: [ "apt-transport-https", "ca-certificates", "curl", "software-properties-common" ]
+    update_cache: true
+
+- name: Add Docker GPG key
+  apt_key:
+    url: https://download.docker.com/linux/ubuntu/gpg
+    state: present
+
+- name: Add Docker repository
+  apt_repository:
+    repo: deb [arch=amd64] https://download.docker.com/linux/ubuntu focal stable
+
+- name: Install Docker
+  apt:
+    name: [ "docker-ce", "docker-compose" ]
+    state: latest
+    update_cache: true
+
+- name: Enable Docker service
+  systemd:
+    name: docker
+    enabled: true
+    state: started
+

roles/fail2ban/defaults/main.yml

@@ -0,0 +1,9 @@
+fail2ban_sshd_enabled: true
+fail2ban_nginx_enabled: true
+
+fail2ban_sshd_maxretry: 5
+fail2ban_sshd_bantime: 3600
+
+fail2ban_nginx_maxretry: 5
+fail2ban_nginx_bantime: 3600
+

roles/fail2ban/handlers/main.yml

@@ -0,0 +1,5 @@
+- name: Restart fail2ban
+  service:
+    name: fail2ban
+    state: restarted
+

roles/fail2ban/tasks/main.yml

@@ -0,0 +1,26 @@
+- name: Install fail2ban
+  apt:
+    name: fail2ban
+    state: present
+    update_cache: true
+
+- name: Configure jail.local
+  template:
+    src: jail.local.j2
+    dest: /etc/fail2ban/jail.local
+    mode: 0644
+  notify: Restart fail2ban
+
+- name: Configure nginx filter
+  template:
+    src: nginx.conf.j2
+    dest: /etc/fail2ban/filter.d/nginx-http-auth.conf
+    mode: 0644
+  when: fail2ban_nginx_enabled
+
+- name: Ensure fail2ban is running
+  service:
+    name: fail2ban
+    state: started
+    enabled: true
+

roles/fail2ban/templates/jail.local.j2

@@ -0,0 +1,14 @@
+[sshd]
+enabled = {{ 'true' if fail2ban_sshd_enabled else 'false' }}
+port = ssh
+logpath = %(sshd_log)s
+maxretry = {{ fail2ban_sshd_maxretry }}
+bantime = {{ fail2ban_sshd_bantime }}
+
+[nginx-http-auth]
+enabled = {{ 'true' if fail2ban_nginx_enabled else 'false' }}
+port = http,https
+logpath = /var/log/nginx/error.log
+maxretry = {{ fail2ban_nginx_maxretry }}
+bantime = {{ fail2ban_nginx_bantime }}
+

roles/fail2ban/templates/nginx.conf.j2

@@ -0,0 +1,4 @@
+[Definition]
+failregex = no user/password was provided for basic authentication.*client: <HOST>
+ignoreregex =
+

roles/firewall/tasks/main.yml

@@ -0,0 +1,23 @@
+- name: Install ufw
+  apt:
+    name: ufw
+    state: present
+
+- name: Allow SSH
+  ufw:
+    rule: allow
+    port: 22
+
+- name: Allow HTTP/HTTPS
+  ufw:
+    rule: allow
+    port: "{{ item }}"
+  loop:
+    - 80
+    - 443
+
+- name: Deny all others
+  ufw:
+    state: enabled
+    policy: deny
+

roles/rsync/defaults/main.yml

@@ -0,0 +1,3 @@
+rsync_packages:
+  - rsync
+

roles/rsync/tasks/main.yml

@@ -0,0 +1,6 @@
+- name: Install rsync
+  apt:
+    name: "{{ rsync_packages }}"
+    state: present
+    update_cache: true
+