playbook.yml

- hosts: all
  tasks:
    - name: Ensure SSH Key is authorized
      authorized_key:
        user: pi
        state: present
        key: https://github.com/benbalter.keys
    - name: update and upgrade apt packages
      become: true
      ansible.builtin.apt:
        upgrade: dist
        update_cache: true
    - name: set timezone
      community.general.timezone:
        name: America/New_York
      become: true
    - name: install unattended upgrades
      become: true
      ansible.builtin.apt:
        name: unattended-upgrades
        state: present
    - name: Setup unattended upgrades
      ansible.builtin.debconf:
        name: unattended-upgrades
        question: unattended-upgrades/enable_auto_updates
        vtype: boolean
        value: "true"
    - name: install ntp
      become: true
      ansible.builtin.apt:
        name: ntp
        state: present
    - name: enable ntp
      ansible.builtin.service:
        name: ntp
        state: started
        enabled: true
    - name: install ufw
      become: true
      ansible.builtin.apt:
        name: ufw
        state: present
    - name: limit ssh
      become: true
      community.general.ufw:
        rule: limit
        port: ssh
        proto: tcp
    - name: Allow all access to port 22
      become: true
      community.general.ufw:
        rule: allow
        app: '{{ item }}'
      loop:
        - SSH
    - name: enable ufw and default to deny
      become: true
      community.general.ufw:
        state: enabled
        default: deny
    - name: install fail2ban
      become: true
      ansible.builtin.apt:
        name: fail2ban
        state: present
    - name: Install dependencies
      become: true
      ansible.builtin.apt:
        name: "{{ item }}"
        state: present
        update_cache: true
      loop:
        - python3-dev
        - python3-pip
        - git
    - name: Ensure deploy key is present
      community.crypto.openssh_keypair:
        path: "~/.ssh/id_github"
        type: ed25519
      register: deploy_key
    - name: Ensure deploy key is authorized
      community.general.github_deploy_key:
        key: "{{ deploy_key.public_key }}"
        name: Raspberry Pi
        state: present
        read_only: false
        owner: benbalter
        repo: meeting-matrix
        token: "{{ lookup('community.general.onepassword', 'Raspberry pi', field='GitHub Token') }}"
    - name: Clone benbalter/meeting-matrix
      ansible.builtin.git:
        repo: git@github.com:benbalter/meeting-matrix.git
        dest: /home/pi/meeting-matrix/
        clone: true
        update: true
        key_file: ~/.ssh/id_github
        accept_hostkey: true
    - name: Install docker dependencies
      become: true
      ansible.builtin.apt:
        name: "{{ item }}"
        state: present
        update_cache: true
      loop:
        - apt-transport-https
        - ca-certificates
        - curl
        - gnupg
        - lsb-release
    - name: add Docker GPG key
      become: true
      ansible.builtin.apt_key:
        url: https://download.docker.com/linux/debian/gpg
        state: present
    - name: add docker repository to apt
      become: true
      ansible.builtin.apt_repository:
        repo: deb [arch=arm64] https://download.docker.com/linux/debian bullseye stable
        state: present
    - name: install docker
      become: true
      ansible.builtin.apt:
        name: "{{ item }}"
        state: present
      loop:
        - docker-ce
        - docker-ce-cli
        - containerd.io
    - name: Add user to docker group
      become: true
      ansible.builtin.user:
        name: pi
        groups: docker
        append: true
    - name: Enable & Start Docker service
      become: true
      ansible.builtin.service:
        name: docker
        enabled: true
        state: started
    - name: Install docker compose
      ansible.builtin.pip:
        executable: pip3
        name:
          - docker
          - docker-compose
    - name: Init Docker container
      community.docker.docker_compose:
        project_src: /home/pi/meeting-matrix/
        pull: true
        build: true
        remove_orphans: true
      register: output