pradel · pradel · Nov 9, 2025 · Nov 9, 2025 · Nov 9, 2025 · Nov 9, 2025
diff --git a/ansible/docker/handlers/main.yml b/ansible/docker/handlers/main.yml
@@ -1,6 +1,6 @@
 ---
-- name: restart docker
-  service:
+- name: Restart docker
+  ansible.builtin.service:
     name: docker
     state: restarted
-    enabled: yes
+    enabled: true
diff --git a/ansible/docker/tasks/main.yml b/ansible/docker/tasks/main.yml
@@ -1,32 +1,52 @@
 ---
+# See: https://docs.docker.com/engine/install/ubuntu/
+
 - name: Ensure old versions of Docker are not installed
-  package:
+  ansible.builtin.apt:
     name:
+      - containerd
       - docker
-      - docker.io
+      - docker-compose
+      - docker-compose-v2
+      - docker-doc
       - docker-engine
+      - docker.io
+      - podman-docker
+      - runc
     state: absent
 
-- name: Add Docker apt key
-  get_url:
+- name: Create directory for Docker GPG key
+  ansible.builtin.file:
+    path: /etc/apt/keyrings
+    state: directory
+    mode: "0755"
+
+- name: Add Docker GPG apt key
+  ansible.builtin.get_url:
     url: "https://download.docker.com/linux/ubuntu/gpg"
-    dest: /etc/apt/trusted.gpg.d/docker.asc
-    mode: 0644
+    dest: /etc/apt/keyrings/docker.asc
+    mode: "0644"
     force: false
 
+- name: Get DEB architecture
+  shell: dpkg --print-architecture
+  register: deb_architecture
+
 - name: Add Docker repository
-  apt_repository:
-    repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/docker.asc] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
+  ansible.builtin.apt_repository:
+    repo: "deb [arch={{ deb_architecture.stdout }} signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
     state: present
     filename: docker
     update_cache: true
 
 - name: Install Docker packages
-  package:
+  ansible.builtin.apt:
     name:
       - docker-ce
       - docker-ce-cli
       - containerd.io
+      - docker-buildx-plugin
+      - docker-compose-plugin
     state: present
   notify:
-    - restart docker
+    - Restart docker
diff --git a/ansible/firewall/tasks/main.yml b/ansible/firewall/tasks/main.yml
@@ -1,6 +1,6 @@
 ---
 - name: Configure ufw defaults
-  ufw:
+  community.general.ufw:
     direction: "{{ item.direction }}"
     policy: "{{ item.policy }}"
   loop:
@@ -10,21 +10,21 @@
       policy: allow
 
 - name: Configure ufw rules
-  ufw:
+  community.general.ufw:
     rule: "{{ item.rule }}"
     port: "{{ item.port }}"
     proto: "{{ item.proto }}"
   loop:
-    - rule: 'limit'
-      port: '22'
-      proto: 'tcp'
-    - rule: 'allow'
-      port: '80'
-      proto: 'tcp'
-    - rule: 'allow'
-      port: '443'
-      proto: 'tcp'
+    - rule: "limit"
+      port: "22"
+      proto: "tcp"
+    - rule: "allow"
+      port: "80"
+      proto: "tcp"
+    - rule: "allow"
+      port: "443"
+      proto: "tcp"
 
 - name: Enable ufw
-  ufw:
+  community.general.ufw:
     state: enabled
diff --git a/ansible/packages/handlers/main.yml b/ansible/packages/handlers/main.yml
@@ -1,12 +1,12 @@
 ---
-- name: start ntp
-  service:
+- name: Start ntp
+  ansible.builtin.service:
     name: ntp
     state: started
-    enabled: yes
+    enabled: true
 
-- name: start fail2ban
-  service:
+- name: Start fail2ban
+  ansible.builtin.service:
     name: fail2ban
     state: started
-    enabled: yes
+    enabled: true
diff --git a/ansible/packages/tasks/main.yml b/ansible/packages/tasks/main.yml
@@ -1,16 +1,29 @@
 ---
+- name: Ensure apt key is not present in trusted.gpg.d
+  ansible.builtin.file:
+    path: /etc/apt/trusted.gpg.d/docker.asc
+    state: absent
+
+- name: Ensure the repo referencing the previous trusted.gpg.d key is not present
+  ansible.builtin.apt_repository:
+    repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/docker.asc] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
+    state: absent
+    filename: "docker"
+    update_cache: true
+
 - name: Upgrade packages
-  apt:
-    update_cache: yes
-    upgrade: yes
+  ansible.builtin.apt:
+    update_cache: true
+    upgrade: true
 
 - name: Install packages
-  apt:
+  ansible.builtin.apt:
     name:
       - apt-transport-https
       - build-essential
       - ca-certificates
       - curl
+      - duf
       - fail2ban
       - git
       - gnupg
@@ -22,9 +35,17 @@
       # Used by stacks-blockchain-docker to download big files faster during initial sync
       - aria2
     state: latest
-    update_cache: yes
-    autoremove: yes
-    autoclean: yes
+    update_cache: true
+    autoremove: true
+    autoclean: true
   notify:
-    - start ntp
-    - start fail2ban
+    - Start ntp
+    - Start fail2ban
+
+- name: Remove snap
+  ansible.builtin.apt:
+    name:
+      - snapd
+      - snap
+    state: absent
+    purge: true
diff --git a/ansible/playbook.yml b/ansible/playbook.yml
@@ -4,9 +4,13 @@
   strategy: free
   vars:
     ssh_key_path: "/path/to/your/local/id_rsa.pub"
+    # Whether to reboot when needed during unattended upgrades.
+    security_autoupdate_reboot: "false"
+    # The time to trigger a reboot, when needed, if security_autoupdate_reboot is set to true. In 24h "hh:mm" clock format.
+    security_autoupdate_reboot_time: "03:00"
   roles:
     - packages
     - docker
     - firewall
-    - ssh
-    - snap
+    - security
+    - reboot_if_needed
diff --git a/ansible/reboot_if_needed/tasks/main.yml b/ansible/reboot_if_needed/tasks/main.yml
@@ -0,0 +1,9 @@
+---
+- name: Check if reboot is required
+  ansible.builtin.stat:
+    path: /var/run/reboot-required
+  register: reboot_required_file
+
+- name: Reboot the machine if needed
+  ansible.builtin.reboot:
+  when: reboot_required_file.stat.exists == true
diff --git a/ansible/requirements.yml b/ansible/requirements.yml
@@ -0,0 +1,3 @@
+---
+collections:
+  - community.general
diff --git a/ansible/security/handlers/main.yml b/ansible/security/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart ssh
+  ansible.builtin.service:
+    name: ssh
+    state: restarted
diff --git a/ansible/security/tasks/main.yml b/ansible/security/tasks/main.yml
@@ -0,0 +1,50 @@
+---
+- name: Ensure the user directory exists
+  file:
+    path: /root/.ssh
+    state: directory
+    mode: "0700"
+
+- name: Copy SSH key from local machine to the server
+  copy:
+    src: "{{ ssh_key_path }}"
+    dest: /root/.ssh/authorized_keys
+    mode: "0600"
+
+- name: Update SSH configuration to be more secure
+  ansible.builtin.lineinfile:
+    dest: "/etc/ssh/sshd_config"
+    regexp: "^(#)?{{ item.key }}"
+    line: "{{ item.key }} {{ item.value }}"
+    state: present
+    validate: "sshd -T -f %s"
+    mode: "0644"
+  loop:
+    - { key: "PasswordAuthentication", value: "no" }
+    - { key: "PermitRootLogin", value: "prohibit-password" }
+    - { key: "Port", value: "22" }
+    - { key: "UseDNS", value: "no" }
+    - { key: "PermitEmptyPasswords", value: "no" }
+    - { key: "ChallengeResponseAuthentication", value: "no" }
+    - { key: "GSSAPIAuthentication", value: "no" }
+    - { key: "X11Forwarding", value: "no" }
+  notify:
+    - Restart ssh
+
+- name: Update unattended-upgrades configuration to be more secure
+  ansible.builtin.lineinfile:
+    dest: "/etc/apt/apt.conf.d/50unattended-upgrades"
+    regexp: "^(\/\/)?{{ item.key }} "
+    line: '{{ item.key }} "{{ item.value }}";'
+    state: present
+    mode: "0644"
+  loop:
+    - {
+        key: "Unattended-Upgrade::Automatic-Reboot",
+        value: "{{ security_autoupdate_reboot }}",
+      }
+    - {
+        key: "Unattended-Upgrade::Automatic-Reboot-Time",
+        value: "{{ security_autoupdate_reboot_time }}",
+      }
+  when: security_autoupdate_reboot == "true"
diff --git a/ansible/snap/tasks/main.yml b/ansible/snap/tasks/main.yml
diff --git a/ansible/ssh/handlers/main.yml b/ansible/ssh/handlers/main.yml
diff --git a/ansible/ssh/tasks/main.yml b/ansible/ssh/tasks/main.yml