Move files to this submodule

files/etc/apt/apt.conf.d/20auto-upgrades

@@ -0,0 +1,2 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";

files/etc/ssh/sshd_config

@@ -0,0 +1,18 @@
+Port 22
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+SyslogFacility AUTH
+PermitRootLogin without-password
+MaxAuthTries 4
+PubkeyAuthentication yes
+AuthorizedKeysFile	.ssh/authorized_keys
+IgnoreRhosts yes
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+UsePAM yes
+X11Forwarding no
+PrintMotd no
+AcceptEnv LANG LC_*
+Subsystem       sftp    /usr/lib/openssh/sftp-server
+ClientAliveInterval 120

tasks/config.yml

@@ -0,0 +1,21 @@
+- name: copy base configs
+  copy:
+    src: etc/apt/apt.conf.d/20auto-upgrades
+    dest: /etc/apt/apt.conf.d/20auto-upgrades
+
+- name: set local timezone
+  file:
+    state: link
+    src: /usr/share/zoneinfo/Europe/Berlin
+    dest: /etc/localtime
+
+- name: Ensure the US locale exists
+  community.general.locale_gen:
+    name: en_US.UTF-8
+    state: present
+
+- name: Ensure the DE locale exists
+  community.general.locale_gen:
+    name: de_DE.UTF-8
+    state: present
+

tasks/customs.yml

@@ -0,0 +1,19 @@
+- name: Add azlux.fr GPG apt key
+  apt_key:
+    url: https://azlux.fr/repo.gpg.key
+    state: present
+
+- name: Add azlux.fr repository
+  apt_repository:
+    repo: deb http://packages.azlux.fr/debian bookworm main
+    state: present
+
+- name: install ctop package from azlux.fr
+  tags: [apt]
+  apt:
+    autoremove: yes
+    update_cache: yes
+    cache_valid_time: 3600
+    state: present
+    name:
+      - docker-ctop

tasks/main.yml

@@ -0,0 +1,15 @@
+- name: base config
+  import_tasks: config.yml
+
+- name: install packages
+  import_tasks: packages.yml
+
+- name: install custom software
+  import_tasks: customs.yml
+
+- name: openssh settings
+  import_tasks: openssh.yml
+
+- name: performance optimisation
+  import_tasks: performance.yml
+

tasks/openssh.yml

@@ -0,0 +1,15 @@
+- name: Add hardened SSH config
+  copy:
+    src: etc/ssh/sshd_config
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: 0600
+  register: config_change
+
+- name: Reload SSH daemon after config change
+  systemd:
+    name: ssh.service
+    daemon_reload: yes
+    state: reloaded
+  when: config_change.changed

tasks/packages.yml

@@ -0,0 +1,33 @@
+
+- name: install software packages
+  tags: [apt]
+  apt:
+    autoremove: yes
+    update_cache: yes
+    cache_valid_time: 3600
+    state: present
+    name:
+      - cron
+      - curl
+      - ca-certificates
+      - gnupg
+      - dnsutils
+      - htop
+      - iftop
+      - iperf3
+      - iputils-ping
+      - iotop
+      - sysstat
+      - jq
+      - rsync
+      - tcpdump
+      - tmux
+      - unattended-upgrades
+      - vim
+      - wget
+      - lsb-release
+      - qemu-guest-agent
+      - nload
+      - sysstat
+      - needrestart
+      - ncat

tasks/performance.yml

@@ -0,0 +1,5 @@
+- name: run fstrim
+  ansible.builtin.cron:
+    name: "fstrim"
+    special_time: weekly
+    job: "/sbin/fstrim --all"

tasks/swap.yml

@@ -0,0 +1,37 @@
+
+- name: Check whether swap is already enabled or not
+  shell: cat /etc/sysctl.conf
+  register: swap_enabled
+  check_mode: false
+  changed_when: false
+
+- block:
+  - name: create swap file
+    command: dd if=/dev/zero of=/swapfile bs=1G count=4
+
+  - name: change permission type
+    file: path=/swapfile mode=600 state=file
+
+  - name: setup swap
+    command: mkswap /swapfile
+
+  - name: create swap
+    command: swapon /swapfile
+
+  - name: Add to fstab
+    action: lineinfile dest=/etc/fstab regexp="swapfile" line="/swapfile none swap sw 0 0" state=present
+
+  - name: start swap
+    command: swapon -a
+
+  - name: set swapiness
+    sysctl:
+      name: vm.swappiness
+      value: "10"
+
+  - name: set swapiness
+    sysctl:
+      name: vm.vfs_cache_pressure
+      value: "50"
+
+  when: swap_enabled.stdout.find('swappiness') == -1