2026-06-06 18:48:35 +02:00
|
|
|
---
|
2026-06-14 16:54:23 +02:00
|
|
|
# `apply: tags:` propagates the concern tag to the INCLUDED tasks — without it a tag on
|
|
|
|
|
# a dynamic include_tasks only selects the include itself, not its contents, so
|
|
|
|
|
# `--tags <concern>` would run nothing (Ansible gotcha).
|
2026-06-06 18:57:44 +02:00
|
|
|
- name: Configure host firewall (nftables)
|
2026-06-14 16:54:23 +02:00
|
|
|
ansible.builtin.include_tasks:
|
|
|
|
|
file: firewall.yml
|
|
|
|
|
apply:
|
|
|
|
|
tags: [firewall]
|
2026-06-06 18:57:44 +02:00
|
|
|
tags: [firewall]
|
2026-06-14 16:42:56 +02:00
|
|
|
|
|
|
|
|
- name: SSH hardening
|
2026-06-14 16:54:23 +02:00
|
|
|
ansible.builtin.include_tasks:
|
|
|
|
|
file: ssh.yml
|
|
|
|
|
apply:
|
|
|
|
|
tags: [hardening]
|
2026-06-14 16:42:56 +02:00
|
|
|
tags: [hardening]
|
|
|
|
|
|
|
|
|
|
- name: Fail2ban intrusion deterrence
|
2026-06-14 16:54:23 +02:00
|
|
|
ansible.builtin.include_tasks:
|
|
|
|
|
file: fail2ban.yml
|
|
|
|
|
apply:
|
|
|
|
|
tags: [hardening]
|
2026-06-14 16:42:56 +02:00
|
|
|
tags: [hardening]
|
2026-06-17 16:04:46 +02:00
|
|
|
|
2026-06-18 21:36:31 +02:00
|
|
|
- name: AI-worker operational access (sudoers drop-in)
|
|
|
|
|
ansible.builtin.include_tasks:
|
|
|
|
|
file: operational_access.yml
|
|
|
|
|
apply:
|
|
|
|
|
tags: [users]
|
|
|
|
|
tags: [users]
|
|
|
|
|
|
2026-06-17 16:04:46 +02:00
|
|
|
- name: NetBird mesh enrollment
|
|
|
|
|
ansible.builtin.include_tasks:
|
|
|
|
|
file: mesh.yml
|
|
|
|
|
apply:
|
|
|
|
|
tags: [mesh]
|
|
|
|
|
when: base__mesh_enabled | bool
|
|
|
|
|
tags: [mesh]
|