--- # Ansible playbook for post-VM configuration # Works on both local KVM/QEMU VMs and production OVH instances - name: Configure YDN VPS hosts: all become: yes gather_facts: yes vars: app_user: "ydn" app_dir: "/opt/ydn" docker_compose_version: "2.23.0" cloudron_domain: "{{ ansible_default_ipv4.address }}.nip.io" handlers: - name: Restart Docker service: name: docker state: restarted - name: Restart Nginx service: name: nginx state: restarted tasks: # System Hardening - name: Update system packages apt: update_cache: yes upgrade: dist cache_valid_time: 3600 - name: Install system dependencies apt: name: - curl - wget - git - vim - ufw - fail2ban - htop - python3-pip state: present - name: Configure firewall ufw: rule: allow name: OpenSSH state: enabled - name: Allow HTTP/HTTPS ufw: rule: allow port: "{{ item }}" proto: tcp loop: - "80" - "443" - "8080" - name: Set timezone to UTC timezone: name: UTC # User Management - name: Create application user user: name: "{{ app_user }}" shell: /bin/bash home: "/home/{{ app_user }}" create_home: yes - name: Add sudo privileges for app user lineinfile: path: /etc/sudoers.d/{{ app_user }} line: "{{ app_user }} ALL=(ALL) NOPASSWD: ALL" create: yes mode: '0440' validate: 'visudo -cf %s' # Docker Installation - name: Add Docker GPG key apt_key: url: https://download.docker.com/linux/debian/gpg state: present - name: Add Docker repository apt_repository: repo: deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable state: present - name: Install Docker apt: name: - docker-ce - docker-ce-cli - containerd.io - docker-compose-plugin state: present update_cache: yes notify: Restart Docker - name: Add app user to docker group user: name: "{{ app_user }}" groups: docker append: yes - name: Enable and start Docker service: name: docker enabled: yes state: started # Docker Compose Installation - name: Install Docker Compose get_url: url: "https://github.com/docker/compose/releases/download/v{{ docker_compose_version }}/docker-compose-linux-x86_64" dest: /usr/local/bin/docker-compose mode: '0755' # Cloudron Installation - name: Check if Cloudron is installed stat: path: /etc/cloudron/cloudron.conf register: cloudron_installed - name: Install Cloudron shell: | curl -sSL https://get.cloudron.io | bash args: warn: false when: not cloudron_installed.stat.exists # Application Setup - name: Create application directory file: path: "{{ app_dir }}" state: directory owner: "{{ app_user }}" group: "{{ app_user }}" mode: '0755' - name: Create logs directory file: path: /var/log/ydn state: directory owner: "{{ app_user }}" group: "{{ app_user }}" mode: '0755' # Security Hardening - name: Configure fail2ban template: src: ../templates/fail2ban.local.j2 dest: /etc/fail2ban/jail.local owner: root group: root mode: '0644' notify: Restart fail2ban - name: Enable fail2ban service: name: fail2ban enabled: yes state: started # Monitoring Setup - name: Install monitoring agents apt: name: - prometheus-node-exporter state: present - name: Enable node exporter service: name: prometheus-node-exporter enabled: yes state: started # Final Cleanup - name: Clean apt cache apt: autoclean: yes autoremove: yes - name: Display completion message debug: msg: | VPS configuration complete! IP Address: {{ ansible_default_ipv4.address }} SSH User: {{ app_user }} Docker Version: {{ docker_version.stdout }}