prepare.yml

---
- name: Prepare host system for Lokal (security/user...)
  hosts: all
  tasks:
  - name: Wait for apt list lock (Known to cause issues sometimes)
    raw: while fuser /var/lib/apt/lists/lock >/dev/null 2>&1; do echo 'Waiting for apt list lock.' && sleep 10; done
    changed_when: False

  - name: Ensure packages are updated
    apt:
      update_cache: yes
      upgrade: dist
      autoclean: yes
      autoremove: yes

  - name: Install required packages on server
    package:
      name:
      - python3-passlib
      - python3-docker
      state: present

  - name: Ensure that the app user is present
    user:
      name: "{{ app_user }}"
      shell: /bin/bash
      groups: [sudo]
      append: yes
      createhome: yes

  - name: Ensure that the primary user's ssh directory exists
    file:
      path: "/home/{{ app_user }}/.ssh"
      state: directory
      owner: "{{ app_user }}"
      mode: 0700
      group: "{{ app_user }}"
    when: setup_ssh

  - name: Ensure authorized_keys file is initiated for primary user
    file:
      path: "/home/{{ app_user }}/.ssh/authorized_keys"
      state: touch
      owner: "{{ app_user }}"
      group: "{{ app_user }}"
      mode: 0600
    when: setup_ssh

  - name: Ensure authorized_keys file is initiated for primary user
    lineinfile:
      line: "{{ ssh_key }}"
      path: "/home/{{ app_user }}/.ssh/authorized_keys"
      state: present
    when: setup_ssh

# geerlingguy.docker MUST be placed after geerlingguy.firewall!
# geerlingguy.firewall drops INPUT and FORWARD tables that are
# manipulated by the docker daemon upon its (re)start
  - name: Install docker
    include_role:
      name: geerlingguy.docker
    vars:
      docker_users:
      - '{{ app_user }}'
      docker_service_state: restarted
      docker_install_compose: false  # do not install standalone docker-compose binary

  - name: Harden security
    include_role:
      name: geerlingguy.security
    vars:
      security_sudoers_passwordless:
      - '{{ app_user }}'
      security_ssh_permit_root_login: '{{ ssh_allow_root | default("no") }}'
      security_ssh_port: '{{ ssh_port | default("22")}}'
      security_fail2ban_enabled: "false" # we handle fail2ban on our own