packages.wenpai.net/deploy/ansible/roles/server/tasks/main.yml

---
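# Refresh the package index (at most once an hour) and install the base
# tooling the rest of this role depends on (ufw, fail2ban, acl, sqlite3, ...).
# Booleans are written as true/false rather than yes/no so they survive a
# YAML 1.2 parser and yamllint's `truthy` rule.
- name: Update apt cache
  apt:
    update_cache: true
    cache_valid_time: 3600

- name: Install base packages
  apt:
    name:
      - git
      - curl
      - unzip
      - acl
      - ufw
      - fail2ban
      - sqlite3
      - software-properties-common
    state: present

# UTC on every host keeps app, auth.log and fail2ban timestamps comparable
# across servers when correlating an incident.
- name: Set timezone to UTC
  timezone:
    name: UTC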
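# The deploy user is the only interactive account this role creates. Be aware
# of the trust chain below: every SSH key that reaches it (the GitHub account
# keys plus local public_keys/*.pub) ends up with passwordless root via sudo.
- name: Create deploy user
  user:
    name: deploy
    shell: /bin/bash
    create_home: true
    groups: www-data
    append: true

# NOPASSWD:ALL is root-equivalent. Keep it only if the deploy pipeline really
# needs arbitrary root; otherwise narrow it to the exact commands it runs
# (e.g. `systemctl restart <service>`). `visudo -cf` rejects a malformed file
# before it is installed, so a typo here cannot break sudo for everyone.
- name: Allow deploy user passwordless sudo
  copy:
    content: "deploy ALL=(ALL) NOPASSWD:ALL\n"
    dest: /etc/sudoers.d/deploy
    owner: root
    group: root
    mode: "0440"
    validate: "visudo -cf %s"

# Any key the listed GitHub accounts add later is pulled in on the next run,
# so `users` must be a tightly controlled list (a compromised GitHub account
# becomes a root login here). Keys are only ever added (no `exclusive`,
# no `state: absent`); revoke by removing the key from the account or host.
- name: Add SSH keys from GitHub
  authorized_key:
    user: deploy
    key: "https://github.com/{{ item }}.keys"
  loop: "{{ users }}"

# with_fileglob yields nothing when public_keys/ is empty or absent, so that
# case is already a no-op. The former `ignore_errors: yes` was dropped: it
# would also hide a malformed key file and leave the host half-configured
# without the play noticing.
- name: Add local public keys
  authorized_key:
    user: deploy
    key: "{{ lookup('file', item) }}"
  with_fileglob:
    - "{{ playbook_dir }}/public_keys/*.pub"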
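# Default-deny inbound, then open only SSH and the two web ports. The rules
# are pinned to TCP: a ufw rule with no `proto` opens the UDP port as well,
# which nothing here listens on.
- name: Configure UFW defaults
  ufw:
    direction: incoming
    policy: deny

- name: Allow SSH, HTTP and HTTPS (TCP only)
  ufw:
    rule: allow
    port: "{{ item }}"
    proto: tcp
  loop:
    - "22"
    - "80"
    - "443"

# Enabled last, so the allow rules exist before the deny policy takes effect
# and the Ansible SSH session is not cut off mid-play.
# NOTE(review): this role does not harden sshd itself (PasswordAuthentication,
# PermitRootLogin); fail2ban below only slows password brute force, it does
# not disable it.
- name: Enable UFW
  ufw:
    state: enabled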
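# Start fail2ban now and on boot. This role configures no jail of its own, so
# only the distribution's default jails apply (on Debian/Ubuntu that is
# normally sshd — confirm with `fail2ban-client status` after the first run).
- name: Enable fail2ban
  service:
    name: fail2ban
    state: started
    enabled: true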
# Application root, owned by deploy, group www-data, mode 0775. The group
# write bit means the web server process (www-data) can write anywhere under
# app_root, including code — presumably needed for the sqlite database that
# Litestream replicates; confirm that is intended rather than tightening
# to 0755 plus an ACL on the data directory (the `acl` package is installed).
- name: Create app directory
  file:
    state: directory
    path: "{{ app_root }}"
    mode: "0775"
    owner: deploy
    group: www-data
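# Litestream is fetched as a .deb from GitHub releases. It is downloaded to a
# root-owned path first so the artifact can be pinned with a checksum before
# dpkg unpacks it as root; `apt: deb: <url>` offers no way to verify what it
# fetched. Set `litestream_checksum` to "sha256:<hex>" from the release
# page — when it is unset the download is trusted on TLS alone.
# The asset name is hard-coded to linux-x86_64 (not keyed on
# ansible_architecture), so this role is amd64-only as written.
- name: Download Litestream package
  get_url:
    url: "https://github.com/benbjohnson/litestream/releases/download/v{{ litestream_version }}/litestream-{{ litestream_version }}-linux-x86_64.deb"
    dest: "/usr/local/src/litestream-{{ litestream_version }}-linux-x86_64.deb"
    checksum: "{{ litestream_checksum | default(omit) }}"
    owner: root
    group: root
    mode: "0644"

- name: Install Litestream
  apt:
    deb: "/usr/local/src/litestream-{{ litestream_version }}-linux-x86_64.deb"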
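# The original task only installed the package; whether the periodic job is
# then switched on depends on the distribution's debconf default. Write the
# apt periodic switches explicitly so security updates are applied on every
# host this role touches.
- name: Install unattended-upgrades
  apt:
    name: unattended-upgrades
    state: present

- name: Enable unattended-upgrades
  copy:
    dest: /etc/apt/apt.conf.d/20auto-upgrades
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";
    owner: root
    group: root
    mode: "0644"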