main.yml

---
- hosts: all
  become: true
  gather_facts: true
  collections:
    - devsec.hardening
    - debops.debops
    - debops.roles01
    - debops.roles02
    - debops.roles03
    - community.general
    - ansible.posix
  roles:
    - core
    - locales
    - apt_preferences
    - apt_install
    - keyring
    - python
    - unattended_upgrades
    - ntp
    - ferm
    - fail2ban
    - geerlingguy.docker
    - geerlingguy.certbot
    - ouroboros
    - docker_mailserver
    - ssh_hardening
    - os_hardening
  vars:
    docker_mailserver_container_name: "mailserver"
    # geerlingguy.docker
    docker_add_repo: true
    docker_install_compose: true
    docker_daemon_options:
      features:
        buildkit: true
    # geerlingguy.certbot
    certbot_create_if_missing: true
    certbot_create_method: standalone
    certbot_create_standalone_stop_services: []
    # debops
    python__v3: true
    python__v2: false
    python__packages3:
      - python3-dev
      - python-is-python3
      - python3-pip
      - python3-setuptools
      - python3-docker
    apt_install__packages:
      - micro
      - cron
    apt_install__default_alternatives:
      - name: 'editor'
        path: '/usr/bin/micro'
    apt__install_recommends: false
    apt__install_suggests: false
    apt__nonfree: false
    ntp__timezone: 'Etc/UTC'
    locales__system_lang: 'en_US.UTF-8'
    ferm__rules:
      - name: 'ssh'
        rules:
          - dport: '22'
            accept_any: true
      - name: 'mailserver'
        rules:
          - dport: '25'
            accept_any: true
          - dport: '110'
            accept_any: true
          - dport: '143'
            accept_any: true
          - dport: '465'
            accept_any: true
          - dport: '587'
            accept_any: true
          - dport: '993'
            accept_any: true
          - dport: '995'
            accept_any: true
      - name: 'certbot'
        rules:
          - dport: '80'
            accept_any: true
    ferm__mark_portscan: true
    # dev-sec
    sysctl_overwrite:
      net.ipv6.conf.all.disable_ipv6: 0
      net.ipv6.conf.all.forwarding: 1
      net.ipv4.conf.all.forwarding: 1
    ufw_manage_defaults: false
    sftp_enabled: true