Do not install unnecessary packages

defaults/main.yml

@@ -1,15 +1,3 @@
 ---
+common__basics__unnecessary_packages: false
 common__basics__additional_packages: []
-
-common__certbot__state: install
-common__certbot__run: true
-common__certbot__email: 'user@example.com'
-common__certbot__cert_name: 'example.com'
-common__certbot__cert_domains: ['example.com', 'www.example.com']
-common__certbot__post_hook: 'systemctl is-active nginx.service || systemctl start nginx.service'
-common__certbot__pre_hook: 'systemctl is-active nginx.service && systemctl stop nginx.service || true'
-
-common__nginx__state: null
-common__nginx__remove_default: true
-common__nginx__upstreams: []
-common__nginx__sites: []

files/nginx/syslog.conf

@@ -1,2 +0,0 @@
-access_log syslog:server=unix:/dev/log,facility=local7,severity=info,tag=nginx;
-error_log syslog:server=unix:/dev/log,facility=local7,severity=error,tag=nginx;

handlers/main.yml

@@ -4,9 +4,3 @@
     daemon_reload: true
     name: sshd
     state: restarted
-
-- name: common | Restart Nginx
-  systemd:
-    daemon_reload: true
-    name: nginx
-    state: restarted

meta/main.yml

@@ -17,8 +17,11 @@ galaxy_info:
       versions:
         - stretch  # Debian 9 Stretch
         - buster   # Debian 10 Buster
+        - bullseye # Debian 11 Bullseye
+        - bookworm # Debian 12 Bookworm
     - name: Ubuntu
       versions:
         - xenial  # Ubuntu 16.04 LTS Xenial Xerus
         - bionic  # Ubuntu 18.04 LTS Bionic Beaver
         - focal   # Ubuntu 20.04 LTS Focal Fossa
+        - jammy   # Ubuntu 22.04 LTS Jammy Jellyfish

tasks/basics.yml

@@ -10,14 +10,26 @@
       - gnupg
       - gnupg2
       - gzip
+      - htop
       - net-tools
       - pkg-config
       - procps
+      - psmisc
       - software-properties-common
       - unzip
       - wget
       - zip
 
+- name: Install unnecessary packages
+  when: common__basics__unnecessary_packages | bool
+  apt:
+    name:
+      - cowsay
+      - figlet
+      - lolcat
+      - neofetch
+      - toilet
+
 - name: Install additional packages
   apt:
     name: '{{ common__basics__additional_packages }}'

tasks/certbot/install.yml

@@ -1,86 +0,0 @@
----
-- name: Create Let's Encrypt system group
-  group:
-    name: '{{ common__certbot__group }}'
-    system: true
-
-- name: Install Certbot
-  apt:
-    name: certbot
-
-- name: Create directories for Let's Encrypt configuration
-  file:
-    state: directory
-    path: '{{ item }}'
-    mode: 'u=rwx,go=rx'
-    owner: root
-    group: root
-  with_items:
-    - '{{ common__certbot__conf_dir }}'
-    - '{{ common__certbot__archive_dir }}'
-    - '{{ common__certbot__archive_dir }}/{{ common__certbot__cert_name }}'
-    - '{{ common__certbot__live_dir }}'
-    - '{{ common__certbot__live_dir }}/{{ common__certbot__cert_name }}'
-
-- name: Install Let's Encrypt config
-  template:
-    src: templates/certbot/cli.ini
-    dest: '{{ common__certbot__conf_cli }}'
-    mode: 'u=rw,go=r'
-    owner: root
-    group: root
-
-- name: Install Nginx SSL options
-  template:
-    src: templates/certbot/options-ssl-nginx.conf
-    dest: '{{ common__certbot__conf_nginx }}'
-    mode: 'u=rw,go=r'
-    owner: root
-    group: root
-
-- name: Obtain Let's Encrypt certificate
-  command: 'certbot certonly'
-  register: common__certbot__result
-  when: common__certbot__run|bool
-  changed_when: >-
-    common__certbot__result.stdout is
-    not search('Certificate not yet due for renewal; no action taken.')
-
-- name: Find Let's Encrypt certificates and chains
-  register: certs_and_chains
-  find:
-    paths: '{{ common__certbot__archive_dir }}/{{ common__certbot__cert_name }}'
-    patterns:
-      - 'cert*.pem'
-      - 'chain*.pem'
-      - 'fullchain*.pem'
-
-- name: Find Let's Encrypt private keys
-  register: privkeys
-  find:
-    paths: '{{ common__certbot__archive_dir }}/{{ common__certbot__cert_name }}'
-    patterns: 'privkey*.pem'
-
-- name: Display Let's Encrypt certificates and chains
-  debug:
-    msg: "{{ certs_and_chains.files | map(attribute='path') | list }}"
-
-- name: Display Let's Encrypt private keys
-  debug:
-    msg: "{{ privkeys.files | map(attribute='path') | list }}"
-
-- name: Change group of Let's Encrypt certificates and chains
-  file:
-    path: '{{ item }}'
-    mode: 'u=rw,go=r'
-    owner: root
-    group: root
-  with_items: "{{ certs_and_chains.files | map(attribute='path') | list }}"
-
-- name: Change group of Let's Encrypt private keys
-  file:
-    path: '{{ item }}'
-    mode: 'u=rw,g=r,o='
-    owner: root
-    group: '{{ common__certbot__group }}'
-  with_items: "{{ privkeys.files | map(attribute='path') | list }}"

tasks/certbot/purge.yml

@@ -1,11 +0,0 @@
----
-- name: Purge Certbot
-  apt:
-    name: certbot
-    state: absent
-    purge: true
-
-- name: Delete Certbot configuration
-  file:
-    state: absent
-    path: '{{ common__certbot__conf_dir }}'

tasks/certbot/remove.yml

@@ -1,6 +0,0 @@
----
-- name: Uninstall Certbot
-  apt:
-    name: certbot
-    state: absent
-    purge: false

tasks/main.yml

@@ -3,31 +3,3 @@
 - include_tasks: usability.yml
 - include_tasks: ssh.yml
 - meta: flush_handlers
-
-- fail:
-    msg: 'Invalid `common__certbot__state`: {{ common__certbot__state }}'
-  when: (common__certbot__state != None) and
-        (common__certbot__state != 'purge') and
-        (common__certbot__state != 'remove') and
-        (common__certbot__state != 'install')
-- include_tasks: certbot/purge.yml
-  when: common__certbot__state == 'purge'
-- include_tasks: certbot/remove.yml
-  when: common__certbot__state == 'remove'
-- include_tasks: certbot/install.yml
-  when: common__certbot__state == 'install'
-- meta: flush_handlers
-
-- fail:
-    msg: 'Invalid `common__nginx__state`: {{ common__nginx__state }}'
-  when: (common__nginx__state != None) and
-        (common__nginx__state != 'purge') and
-        (common__nginx__state != 'remove') and
-        (common__nginx__state != 'install')
-- include_tasks: nginx/purge.yml
-  when: common__nginx__state == 'purge'
-- include_tasks: nginx/remove.yml
-  when: common__nginx__state == 'remove'
-- include_tasks: nginx/install.yml
-  when: common__nginx__state == 'install'
-- meta: flush_handlers

tasks/nginx/install.yml

@@ -1,81 +0,0 @@
----
-- name: Install Nginx
-  apt:
-    name: nginx
-
-- name: Create directories for Nginx configuration
-  file:
-    state: directory
-    path: '{{ item }}'
-    mode: 'u=rwx,go=rx'
-    owner: root
-    group: root
-  with_items:
-    - '{{ common__nginx__conf_dir }}'
-    - '{{ common__nginx__confd_dir }}'
-    - '{{ common__nginx__available_dir }}'
-    - '{{ common__nginx__enabled_dir }}'
-    - '{{ common__nginx__snippets_dir }}'
-  notify: common | Restart Nginx
-
-- name: Disable Nginx access log
-  lineinfile:
-    path: '{{ common__nginx__conf_dir }}/nginx.conf'
-    regexp: '^(\s*)#?\s*access_log\s+\S+\s*;\s*$'
-    line: '\1#access_log /var/log/nginx/access.log;'
-    backrefs: true
-  notify: common | Restart Nginx
-
-- name: Disable Nginx error log
-  lineinfile:
-    path: '{{ common__nginx__conf_dir }}/nginx.conf'
-    regexp: '^(\s*)#?\s*error_log\s+\S+\s*;\s*$'
-    line: '\1#error_log /var/log/nginx/error.log;'
-    backrefs: true
-  notify: common | Restart Nginx
-
-- name: Install Nginx log config
-  copy:
-    src: 'files/nginx/syslog.conf'
-    dest: '{{ common__nginx__confd_dir }}/syslog.conf'
-    mode: 'u=rw,go=r'
-    owner: root
-    group: root
-  notify: common | Restart Nginx
-
-- name: Remove Nginx default site
-  file:
-    state: absent
-    path: '{{ common__nginx__enabled_dir }}/default'
-  when: common__nginx__remove_default|bool
-  notify: common | Restart Nginx
-
-- name: Add Nginx upstreams
-  template:
-    src: 'templates/nginx/upstream.conf'
-    dest: '{{ common__nginx__confd_dir }}/upstream-{{ item.name }}.conf'
-    mode: 'u=rw,go=r'
-    owner: root
-    group: root
-  with_items: '{{ common__nginx__upstreams }}'
-  notify: common | Restart Nginx
-
-- name: Add Nginx sites
-  template:
-    src: 'templates/nginx/{{ item.type }}.conf'
-    dest: '{{ common__nginx__available_dir }}/{{ item.domain }}.conf'
-    mode: 'u=rw,go=r'
-    owner: root
-    group: root
-  with_items: '{{ common__nginx__sites }}'
-  notify: common | Restart Nginx
-
-- name: Enable Nginx sites
-  file:
-    state: link
-    src: '{{ common__nginx__available_dir }}/{{ item.domain }}.conf'
-    dest: '{{ common__nginx__enabled_dir }}/{{ item.domain }}.conf'
-    owner: root
-    group: root
-  with_items: '{{ common__nginx__sites }}'
-  notify: common | Restart Nginx

tasks/nginx/purge.yml

@@ -1,14 +0,0 @@
----
-- name: Purge Nginx
-  apt:
-    state: absent
-    purge: true
-    name:
-      - nginx
-      - nginx-common
-      - nginx-core
-
-- name: Delete Nginx configuration
-  file:
-    state: absent
-    path: '{{ common__nginx__conf_dir }}'

tasks/nginx/remove.yml

@@ -1,9 +0,0 @@
----
-- name: Uninstall Nginx
-  apt:
-    state: absent
-    purge: false
-    name:
-      - nginx
-      - nginx-common
-      - nginx-core

tasks/ssh.yml

@@ -27,6 +27,6 @@
     - regexp: '^#?X11Forwarding '
       line: 'X11Forwarding no'
     - regexp: '^#?TCPKeepAlive '
-      line: 'TCPKeepAlive no'
+      line: 'TCPKeepAlive yes'
     - regexp: '^#?UseDNS '
       line: 'UseDNS no'

templates/certbot/cli.ini

@@ -1,17 +0,0 @@
-# see https://certbot.eff.org/docs/using.html#certbot-command-line-options
-agree-tos = true
-cert-name = {{ common__certbot__cert_name }}
-domains = {{ common__certbot__cert_domains | join(',') }}
-email = {{ common__certbot__email }}
-max-log-backups = 0
-no-eff-email = true
-non-interactive = true
-{% if common__certbot__post_hook %}
-post-hook = {{ common__certbot__post_hook }}
-{% endif %}
-{% if common__certbot__pre_hook %}
-pre-hook = {{ common__certbot__pre_hook }}
-{% endif %}
-redirect = true
-rsa-key-size = 4096
-standalone = true

templates/certbot/options-ssl-nginx.conf

@@ -1,14 +0,0 @@
-# This file contains important security parameters. If you modify this file
-# manually, Certbot will be unable to automatically provide future security
-# updates. Instead, Certbot will print and log an error message with a path to
-# the up-to-date file that you will need to refer to when manually updating
-# this file.
-
-ssl_session_cache shared:le_nginx_SSL:10m;
-ssl_session_timeout 1440m;
-ssl_session_tickets off;
-
-ssl_protocols TLSv1.2 TLSv1.3;
-ssl_prefer_server_ciphers off;
-
-ssl_ciphers "{{ common__certbot__nginx_ssl_ciphers | join(':') }}";

templates/nginx/listing.conf

@@ -1,27 +0,0 @@
-server {
-  listen 80;
-  listen [::]:80;
-
-  server_name {{ item.domain }};
-
-  return 301 https://$host$request_uri;
-}
-
-server {
-  listen 443 ssl;
-  listen [::]:443 ssl;
-
-  server_name {{ item.domain }};
-
-  ssl_certificate     {{ item.cert }};
-  ssl_certificate_key {{ item.key }};
-
-  include {{ item.ssl_conf }};
-
-  root {{ item.root }};
-
-  try_files $uri $uri/ =404;
-
-  charset utf-8;
-  autoindex on;
-}

templates/nginx/origin.conf

@@ -1,53 +0,0 @@
-server {
-  listen 80;
-  listen [::]:80;
-
-  server_name {{ item.domain }};
-
-  return 301 https://$host$request_uri;
-}
-
-server {
-  listen 443 ssl;
-  listen [::]:443 ssl;
-
-  server_name {{ item.domain }};
-
-  ssl_certificate     {{ item.cert }};
-  ssl_certificate_key {{ item.key }};
-
-  include {{ item.ssl_conf }};
-
-  root {{ item.root }};
-
-  try_files $uri/index.html $uri @origin;
-
-  location @origin {
-    proxy_cache_bypass $http_upgrade;
-    proxy_http_version 1.1;
-    proxy_redirect     off;
-
-{% if item.external %}
-    proxy_set_header Connection        "upgrade";
-    proxy_set_header HOST              $host;
-    proxy_set_header Upgrade           $http_upgrade;
-    proxy_set_header X-Forwarded-For   $remote_addr;
-    proxy_set_header X-Forwarded-Host  $host;
-    proxy_set_header X-Forwarded-Port  $server_port;
-    proxy_set_header X-Forwarded-Proto $scheme;
-    proxy_set_header X-Real-IP         $remote_addr;
-{% else %}
-    proxy_set_header Connection        "upgrade";
-    proxy_set_header HOST              $http_host;
-    proxy_set_header Upgrade           $http_upgrade;
-    proxy_set_header X-Forwarded-For   $http_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto $scheme;
-{% endif %}
-
-    proxy_pass http://{{ item.upstream }};
-  }
-
-  error_page 500 502 503 504 /500.html;
-  client_max_body_size 4G;
-  keepalive_timeout 10;
-}

templates/nginx/proxy.conf

@@ -1,59 +0,0 @@
-server {
-  listen 80;
-  listen [::]:80;
-
-  server_name {{ item.domain }};
-
-  return 301 https://$host$request_uri;
-}
-
-server {
-  listen 443 ssl;
-  listen [::]:443 ssl;
-
-  server_name {{ item.domain }};
-
-  ssl_certificate     {{ item.cert }};
-  ssl_certificate_key {{ item.key }};
-
-  include {{ item.ssl_conf }};
-
-  ssl_verify_client optional;
-  ssl_client_certificate {{ item.clnt_ca }};
-
-  proxy_cache_bypass $http_upgrade;
-  proxy_http_version 1.1;
-  proxy_redirect     off;
-
-  proxy_set_header Connection        "upgrade";
-  proxy_set_header HOST              $host;
-  proxy_set_header Upgrade           $http_upgrade;
-  proxy_set_header X-Forwarded-For   $remote_addr;
-  proxy_set_header X-Forwarded-Host  $host;
-  proxy_set_header X-Forwarded-Port  $server_port;
-  proxy_set_header X-Forwarded-Proto $scheme;
-  proxy_set_header X-Real-IP         $remote_addr;
-
-  location / {
-    recursive_error_pages on;
-
-    error_page 418 = @no_crt;
-    error_page 419 = @with_crt;
-
-    if ($ssl_client_verify != SUCCESS) {
-      return 418;
-    }
-
-    if ($ssl_client_verify = SUCCESS) {
-      return 419;
-    }
-  }
-
-  location @no_crt {
-    proxy_pass https://{{ item.no_crt }};
-  }
-
-  location @with_crt {
-    proxy_pass https://{{ item.with_crt }};
-  }
-}

templates/nginx/raw.conf

@@ -1 +0,0 @@
-{{ item.content }}

templates/nginx/redirect.conf

@@ -1,22 +0,0 @@
-server {
-  listen 80;
-  listen [::]:80;
-
-  server_name {{ item.domain }};
-
-  return 301 https://$host$request_uri;
-}
-
-server {
-  listen 443 ssl;
-  listen [::]:443 ssl;
-
-  server_name {{ item.domain }};
-
-  ssl_certificate     {{ item.cert }};
-  ssl_certificate_key {{ item.key }};
-
-  include {{ item.ssl_conf }};
-
-  return 301 https://{{ item.redir_to }}$request_uri;
-}

templates/nginx/upstream.conf

@@ -1,5 +0,0 @@
-upstream {{ item.name }} {
-{% for server in item.servers %}
-  server {{ server }};
-{% endfor %}
-}

vars/main.yml

@@ -1,23 +0,0 @@
----
-common__certbot__group: 'letsencrypt'
-common__certbot__conf_dir: '/etc/letsencrypt'
-common__certbot__conf_cli: '{{ common__certbot__conf_dir }}/cli.ini'
-common__certbot__conf_nginx: '{{ common__certbot__conf_dir }}/options-ssl-nginx.conf'
-common__certbot__archive_dir: '{{ common__certbot__conf_dir }}/archive'
-common__certbot__live_dir: '{{ common__certbot__conf_dir }}/live'
-
-common__nginx__conf_dir: '/etc/nginx'
-common__nginx__confd_dir: '{{ common__nginx__conf_dir }}/conf.d'
-common__nginx__available_dir: '{{ common__nginx__conf_dir }}/sites-available'
-common__nginx__enabled_dir: '{{ common__nginx__conf_dir }}/sites-enabled'
-common__nginx__snippets_dir: '{{ common__nginx__conf_dir }}/snippets'
-
-common__certbot__nginx_ssl_ciphers:
-  - 'ECDHE-ECDSA-AES128-GCM-SHA256'
-  - 'ECDHE-RSA-AES128-GCM-SHA256'
-  - 'ECDHE-ECDSA-AES256-GCM-SHA384'
-  - 'ECDHE-RSA-AES256-GCM-SHA384'
-  - 'ECDHE-ECDSA-CHACHA20-POLY1305'
-  - 'ECDHE-RSA-CHACHA20-POLY1305'
-  - 'DHE-RSA-AES128-GCM-SHA256'
-  - 'DHE-RSA-AES256-GCM-SHA384'