Update to use actual RPis (raspbian)

2023-10-15 22:55:26 -04:00 · 2023-10-15 22:55:26 -04:00 · a9b2823a13
parent 8257b0b4a7
commit a9b2823a13
7 changed files with 5 additions and 135 deletions
--- a/roles/apt/tasks/main.yml
+++ b/roles/apt/tasks/main.yml
@ -13,8 +13,3 @@
      - ca-certificates
      - gnupg
    state: present
-
- name: Ensure unattended-upgrades is runing
-  service:
-    name: unattended-upgrades
-    enabled: true
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@ -1,12 +1,12 @@
 ---
 - name: Add apt key for docker
  apt_key:
-    url: https://download.docker.com/linux/ubuntu/gpg
+    url: https://download.docker.com/linux/debian/gpg
    state: present

 - name: Add docker repository into sources list
  apt_repository:
-    repo: deb https://download.docker.com/linux/ubuntu jammy stable
+    repo: deb https://download.docker.com/linux/debian bullseye stable
    state: present

 - name: Install docker packages
@ -15,5 +15,6 @@
      - docker-ce
      - docker-ce-cli
      - containerd.io
+      - docker-buildx-plugin
      - docker-compose-plugin
    state: present
--- a/roles/firewall/handlers/main.yml
+++ b/roles/firewall/handlers/main.yml
@ -1,3 +0,0 @@
- name: Persist iptables
-  shell:
-    cmd: iptables-save > /etc/iptables/rules.v4
--- a/roles/firewall/tasks/main.yml
+++ b/roles/firewall/tasks/main.yml
@ -1,97 +0,0 @@
---
- name: Install iptables packages
-  apt:
-    name: iptables-persistent
-    state: present
-
-# TURN IT OFF
- name: Turn iptables off for now
-  service:
-    name: iptables
-    state: stopped
-    enabled: no
-
- name: Allow all loopback traffic
-  iptables:
-    chain: INPUT
-    in_interface: lo
-    jump: ACCEPT
-  notify: Persist iptables
-
- name: Allow port ping traffic
-  iptables:
-    chain: INPUT
-    jump: ACCEPT
-    protocol: icmp
-  notify: Persist iptables
-
- name: Allow related and established connections
-  iptables:
-    chain: INPUT
-    ctstate: ESTABLISHED,RELATED
-    jump: ACCEPT
-  notify: Persist iptables
-
- name: Allow SSH
-  iptables:
-    chain: INPUT
-    destination_port: 22
-    jump: ACCEPT
-    protocol: tcp
-  notify: Persist iptables
-
- name: Allow web
-  iptables:
-    chain: INPUT
-    protocol: tcp
-    destination_port: 80
-    jump: ACCEPT
-  notify: Persist iptables
-
- name: Allow admin web (nginx proxy)
-  iptables:
-    chain: INPUT
-    protocol: tcp
-    destination_port: 81
-    jump: ACCEPT
-  notify: Persist iptables
-
- name: Allow dns
-  iptables:
-    chain: INPUT
-    protocol: tcp
-    destination_port: 53
-    jump: ACCEPT
-  notify: Persist iptables
-
- name: Allow dns (udp)
-  iptables:
-    chain: INPUT
-    protocol: udp
-    destination_port: 53
-    jump: ACCEPT
-  notify: Persist iptables
-
- name: Allow related and established connections
-  ansible.builtin.iptables:
-    chain: INPUT
-    ctstate: ESTABLISHED,RELATED
-    jump: ACCEPT
-
- name: Set the policy for the INPUT chain to DROP
-  iptables:
-    chain: INPUT
-    policy: DROP
-  notify: Persist iptables
-
- name: Set the policy for the FORWARD chain to DROP
-  iptables:
-    chain: FORWARD
-    policy: DROP
-  notify: Persist iptables
-
- name: Set the policy for the OUTPUT chain to ACCEPT
-  iptables:
-    chain: OUTPUT
-    policy: ACCEPT
-  notify: Persist iptables
--- a/roles/nginx-proxy-manager/files/docker-compose.yml
+++ b/roles/nginx-proxy-manager/files/docker-compose.yml
@ -1,7 +1,7 @@
 version: "3"
 services:
  app:
-    image: jc21/nginx-proxy-manager:2.9.22
+    image: jc21/nginx-proxy-manager:latest
    restart: unless-stopped
    ports:
      - 80:80 # Public HTTP Port
@ -10,8 +10,5 @@ services:
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
-      - ./default.conf:/etc/nginx/conf.d/default.conf
-      # hack to avoid sed on default.conf
-      - /dev/null:/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh
    environment:
      - AWS_CONFIG_FILE=/etc/letsencrypt/credentials/credentials-6
--- a/roles/ssh/tasks/main.yml
+++ b/roles/ssh/tasks/main.yml
@ -9,28 +9,6 @@
  with_items:
    - regexp: '^PasswordAuthentication'
      line: 'PasswordAuthentication no'
-    - regexp: '^PermitRootLogin'
+    - regexp: '^#PermitRootLogin'
      line: 'PermitRootLogin no'
  notify: Restart ssh
-
- name: Install fail2ban
-  apt:
-    name: fail2ban
-    state: present
-
- name: Configure fail2ban
-  blockinfile:
-    path: /etc/fail2ban/jail.local
-    create: yes
-    mode: 0644
-    block: |
-      [sshd]
-      enabled = true
-      filter = sshd
-      #  notify: Restart fail2ban
-
- name: Turn fail2ban off for now
-  service:
-    name: fail2ban
-    enabled: false
-    state: stopped
--- a/site.yml
+++ b/site.yml
@ -10,7 +10,6 @@
    - role: instance
      tags: instance
    - role: apt
-    - role: firewall
    - role: administrators
    - role: ssh
 - hosts: dns