add server_bootstrap role

roles/global/install_docker/tasks/main.yml

@@ -0,0 +1,50 @@
+---
+- name: Ensure Docker and related packages are removed
+  ansible.builtin.apt:
+    name:
+      - docker.io
+      - docker-doc
+      - docker-compose
+      - podman-docker
+      - containerd
+      - runc
+    state: absent
+
+- name: Install requirements
+  ansible.builtin.apt:
+    name:
+      - ca-certificates
+      - curl
+      - gnupg
+    state: present
+    cache_valid_time: 3600
+
+- name: Create directory for Docker's official GPG key
+  ansible.builtin.file:
+    path: /etc/apt/keyrings
+    state: directory
+    mode: '0755'
+
+- name: Add Docker's official GPG key
+  ansible.builtin.get_url:
+    url: https://download.docker.com/linux/debian/gpg
+    dest: /etc/apt/keyrings/docker.asc
+    mode: '0644'
+
+- name: Add Docker repository to Apt sources
+  ansible.builtin.apt_repository:
+    repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
+    state: present
+    filename: docker
+    update_cache: true
+
+- name: Install Docker CE and related packages
+  ansible.builtin.apt:
+    name:
+      - docker-ce
+      - docker-ce-cli
+      - containerd.io
+      - docker-buildx-plugin
+      - docker-compose-plugin
+    state: present
+    update_cache: true

roles/global/install_ssh/defaults/main.yml

@@ -0,0 +1,9 @@
+---
+install_ssh_ssh_port: 22
+install_ssh_permit_root_login: "yes"
+install_ssh_password_authentication: "yes"
+install_ssh_ssh_log_level: "INFO"
+install_ssh_ssh_login_grace_time: "2m"
+install_ssh_ssh_max_auth_tries: 6
+install_ssh_ssh_max_sessions: 10
+install_ssh_ssh_max_startups: "10:30:100"

roles/global/install_ssh/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart SSH
+  ansible.builtin.service:
+    name: ssh
+    state: restarted

roles/global/install_ssh/meta/main.yml

@@ -0,0 +1,18 @@
+---
+galaxy_info:
+  author: Kevin Heyer
+  description: Role to install and configure SSH on Debian systems
+  company: Skull-IT Kevin Heyer
+  license: MIT
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Debian
+      versions:
+        - buster
+        - bullseye
+  galaxy_tags:
+    - ssh
+    - debian
+    - security
+
+dependencies: []

roles/global/install_ssh/tasks/main.yml

@@ -0,0 +1,22 @@
+---
+- name: Ensure OpenSSH server is installed
+  ansible.builtin.apt:
+    name: openssh-server
+    state: present
+    update_cache: true
+    cache_valid_time: 3600
+
+- name: Ensure OpenSSH server is enabled and started
+  ansible.builtin.service:
+    name: ssh
+    enabled: true
+    state: started
+
+- name: Deploy SSH configuration
+  ansible.builtin.template:
+    src: sshd_config.j2
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: '0600'
+  notify: Restart SSH

roles/global/install_ssh/templates/sshd_config.j2

@@ -0,0 +1,70 @@
+# This file is managed by Ansible.
+# Any manual changes will be overwritten.
+
+Port {{ install_ssh_ssh_port }}
+AddressFamily any
+ListenAddress 0.0.0.0
+ListenAddress ::
+
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+SyslogFacility AUTH
+LogLevel {{ install_ssh_ssh_log_level }}
+
+LoginGraceTime {{ install_ssh_ssh_login_grace_time }}
+PermitRootLogin {{ install_ssh_permit_root_login }}
+StrictModes yes
+
+MaxAuthTries {{ install_ssh_ssh_max_auth_tries }}
+MaxSessions {{ install_ssh_ssh_max_sessions }}
+
+PubkeyAuthentication yes
+
+AuthorizedKeysFile .ssh/authorized_keys /etc/ssh/ssh_authorized_keys
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication {{ install_ssh_password_authentication }}
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+AllowAgentForwarding yes
+AllowTcpForwarding yes
+GatewayPorts no
+X11Forwarding no
+
+# Default value for MaxStartups is 10:30:100
+MaxStartups {{ install_ssh_ssh_max_startups }}
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server

roles/global/server_bootstrap/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+# Default variables for logrotate configuration
+server_bootstrap_logrotate_frequency: weekly
+server_bootstrap_logrotate_rotate_count: 4
+server_bootstrap_logrotate_compress: false

roles/global/server_bootstrap/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart logrotate
+  ansible.builtin.service:
+    name: logrotate
+    state: restarted

roles/global/server_bootstrap/meta/main.yml

@@ -0,0 +1,18 @@
+---
+galaxy_info:
+  author: Kevin Heyer
+  description: Role to install and configure logrotate on Debian systems
+  company: Kevin Heyer
+  license: MIT
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Debian
+      versions:
+        - buster
+        - bullseye
+  galaxy_tags:
+    - logrotate
+    - debian
+    - logging
+
+dependencies: []

roles/global/server_bootstrap/tasks/main.yml

@@ -0,0 +1,19 @@
+---
+- name: Install default packages
+  ansible.builtin.apt:
+    name: gnupg
+    state: present
+
+- name: Ensure logrotate is installed
+  ansible.builtin.apt:
+    name: logrotate
+    state: present
+
+- name: Deploy logrotate configuration
+  ansible.builtin.template:
+    src: logrotate.conf.j2
+    dest: /etc/logrotate.conf
+    owner: root
+    group: root
+    mode: '0644'
+  notify: Restart logrotate

roles/global/server_bootstrap/templates/logrotate.conf.j2

@@ -0,0 +1,40 @@
+# This file is managed by Ansible.
+# Any manual changes will be overwritten.
+
+# see "man logrotate" for details
+# rotate log files weekly
+{{ server_bootstrap_logrotate_frequency }}
+
+# keep 4 weeks worth of backlogs
+rotate {{ server_bootstrap_logrotate_rotate_count }}
+
+# create new (empty) log files after rotating old ones
+create
+
+# use date as a suffix of the rotated file
+dateext
+
+{% if server_bootstrap_logrotate_compress %}
+# compress the rotated files
+compress
+{% endif %}
+
+# packages drop log rotation information into this directory
+include /etc/logrotate.d
+
+# no packages own wtmp and btmp -- we'll rotate them here
+/var/log/wtmp {
+    missingok
+    monthly
+    create 0664 root utmp
+    rotate 1
+}
+
+/var/log/btmp {
+    missingok
+    monthly
+    create 0660 root utmp
+    rotate 1
+}
+
+# system-specific logs may be also be configured here