cleanup

ansible/max.yml

@@ -6,7 +6,19 @@
 
 - name: Start services
   hosts: max
+  pre_tasks:
+  - name: Create base service directory
+    file:
+      path: "{{ base_service_dir }}"
+      state: directory
+  - name: Delete externally managed environment file
+    shell:
+      cmd: "rm /usr/lib/python*/EXTERNALLY-MANAGED"
+    register: rm
+    changed_when: "rm.rc == 0"
+    failed_when: "false"
   roles:
+    - {role: 'setup-apt', tags: 'setup-apt'}
     - {role: 'watchtower', tags: 'watchtower'}
     - {role: 'forgejo', tags: 'forgejo'}
     - {role: 'syncthing', tags: 'syncthing'}

ansible/requirements.yml

@@ -1,3 +1,3 @@
-- name: cloudinit-wait
-  src: https://git.pim.kunis.nl/pim/ansible-role-cloudinit-wait
+- name: setup-apt
+  src: https://github.com/sunscrapers/ansible-role-apt.git
   scm: git

ansible/roles/common/tasks/main.yml

@@ -1,17 +0,0 @@
-- name: APT upgrade
-  apt:
-    autoremove: true
-    upgrade: yes
-    state: latest
-    update_cache: yes
-    cache_valid_time: 86400 # One day
-- name: Create base service directory
-  file:
-    path: "{{ base_service_dir }}"
-    state: directory
-- name: Delete externally managed environment file
-  shell:
-    cmd: "rm /usr/lib/python*/EXTERNALLY-MANAGED"
-  register: rm
-  changed_when: "rm.rc == 0"
-  failed_when: "false"

ansible/roles/cyberchef/meta/main.yml

@@ -1,4 +1,2 @@
 dependencies:
-  - role: common
-  - role: docker
-  
+  - role: traefik

ansible/roles/firewall/tasks/main.yml

@@ -1,16 +0,0 @@
-- name: Install firewalld
-  apt:
-    pkg:
-      - firewalld
-    state: latest
-    update_cache: true
-- name: Allow SSH
-  firewalld:
-    service: ssh
-    permanent: yes
-    state: enabled
-- name: Start firewalld
-  systemd:
-    enabled: true
-    name: sshd
-    state: started

ansible/roles/forgejo/meta/main.yml

@@ -1,4 +1,2 @@
 dependencies:
-  - role: common
-  - role: docker
   - role: traefik

ansible/roles/freshrss/meta/main.yml

@@ -1,4 +1,2 @@
 dependencies:
-  - role: common
-  - role: docker
   - role: traefik

ansible/roles/hedgedoc/meta/main.yml

@@ -1,4 +1,2 @@
 dependencies:
-  - role: common
-  - role: docker
   - role: traefik

ansible/roles/inbucket/meta/main.yml

@@ -1,4 +1,2 @@
 dependencies:
-  - role: common
   - role: docker
-  

ansible/roles/jitsi/meta/main.yml

@@ -1,4 +1,2 @@
 dependencies:
-  - role: common
-  - role: docker
   - role: traefik

ansible/roles/kms/meta/main.yml

@@ -1,4 +1,2 @@
 dependencies:
-  - role: common
   - role: docker
-  

ansible/roles/mastodon/meta/main.yml

@@ -1,4 +1,2 @@
 dependencies:
-  - role: common
-  - role: docker
   - role: traefik

ansible/roles/overleaf/meta/main.yml

@@ -1,4 +1,2 @@
 dependencies:
-  - role: common
-  - role: docker
   - role: traefik

ansible/roles/prometheus/meta/main.yml

@@ -1,3 +1,2 @@
 dependencies:
-  - role: common
   - role: docker

ansible/roles/radicale/meta/main.yml

@@ -1,4 +1,2 @@
 dependencies:
-  - role: common
-  - role: docker
   - role: traefik

ansible/roles/seafile/meta/main.yml

@@ -1,4 +1,2 @@
 dependencies:
-  - role: common
-  - role: docker
   - role: traefik

ansible/roles/ssh/files/ssh_config

@@ -1,54 +0,0 @@
-# This is the ssh client system-wide configuration file.  See
-# ssh_config(5) for more information.  This file provides defaults for
-# users, and the values can be changed in per-user configuration files
-# or on the command line.
-
-# Configuration data is parsed as follows:
-#  1. command line options
-#  2. user-specific file
-#  3. system-wide file
-# Any configuration value is only changed the first time it is set.
-# Thus, host-specific definitions should be at the beginning of the
-# configuration file, and defaults at the end.
-
-# Site-wide defaults for some commonly used options.  For a comprehensive
-# list of available options, their meanings and defaults, please see the
-# ssh_config(5) man page.
-
-Include /etc/ssh/ssh_config.d/*.conf
-
-Host *
-#   ForwardAgent no
-#   ForwardX11 no
-#   ForwardX11Trusted yes
-#   PasswordAuthentication yes
-#   HostbasedAuthentication no
-#   GSSAPIAuthentication no
-#   GSSAPIDelegateCredentials no
-#   GSSAPIKeyExchange no
-#   GSSAPITrustDNS no
-#   BatchMode no
-#   CheckHostIP yes
-#   AddressFamily any
-#   ConnectTimeout 0
-#   StrictHostKeyChecking ask
-#   IdentityFile ~/.ssh/id_rsa
-#   IdentityFile ~/.ssh/id_dsa
-#   IdentityFile ~/.ssh/id_ecdsa
-#   IdentityFile ~/.ssh/id_ed25519
-#   Port 22
-#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
-#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com
-#   EscapeChar ~
-#   Tunnel no
-#   TunnelDevice any:any
-#   PermitLocalCommand no
-#   VisualHostKey no
-#   ProxyCommand ssh -q -W %h:%p gateway.example.com
-#   RekeyLimit 1G 1h
-#   UserKnownHostsFile ~/.ssh/known_hosts.d/%k
-    SendEnv LANG LC_*
-
-#   set HashKnownHosts to no to make known_hosts human readable and reviewable. 
-#    HashKnownHosts yes
-#    GSSAPIAuthentication yes

ansible/roles/ssh/files/sshd_config

@@ -1,41 +0,0 @@
-Include /etc/ssh/sshd_config.d/*.conf
-
-HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Ciphers and keying
-HostKeyAlgorithms ssh-ed25519
-CASignatureAlgorithms ssh-ed25519
-HostbasedAcceptedKeyTypes ssh-ed25519
-HostKeyAlgorithms ssh-ed25519
-KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
-Ciphers chacha20-poly1305@openssh.com
-MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
-
-# To disable tunneled clear text passwords, change to no here!
-PasswordAuthentication no
-PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-KbdInteractiveAuthentication no
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the KbdInteractiveAuthentication and
-# PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via KbdInteractiveAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and KbdInteractiveAuthentication to 'no'.
-UsePAM yes
-
-X11Forwarding yes
-PrintMotd no
-
-# Allow client to pass locale environment variables
-AcceptEnv LANG LC_*
-
-# override default of no subsystems
-Subsystem sftp	/usr/lib/openssh/sftp-server
-

ansible/roles/ssh/meta/main.yml

@@ -1,2 +0,0 @@
-dependencies:
-  - role: common

ansible/roles/ssh/tasks/main.yml

@@ -1,16 +0,0 @@
-- name: Copy sshd config
-  copy:
-    src: "{{ role_path }}/files/sshd_config"
-    dest: /etc/ssh/sshd_config
-  register: sshd_config
-- name: Copy ssh config
-  copy:
-    src: "{{ role_path }}/files/ssh_config"
-    dest: /etc/ssh/ssh_config
-  register: ssh_config
-- name: Restart SSH service
-  systemd:
-    enabled: true
-    name: sshd
-    state: reloaded
-  when: sshd_config.changed

ansible/roles/static/meta/main.yml

@@ -1,4 +1,2 @@
 dependencies:
-  - role: common
-  - role: docker
   - role: traefik

ansible/roles/syncthing/meta/main.yml

@@ -1,3 +1,2 @@
 dependencies:
-  - role: common
   - role: docker

ansible/roles/traefik/meta/main.yml

@@ -1,3 +1,2 @@
 dependencies:
-  - role: common
   - role: docker

ansible/roles/watchtower/meta/main.yml

@@ -1,4 +1,2 @@
 dependencies:
-  - role: common
   - role: docker
-