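---
# Bootstrap play for freshly provisioned hosts: base packages, timezone,
# an admin user, SSH hardening, Docker, firewall, application directories,
# PAM limits and sysctl tuning. Written for Debian/Ubuntu (apt, ufw, "ssh"
# service name); other families will skip or fail the distro-specific tasks.
- name: Bootstrap Infrastructure
  hosts: all
  become: true
  gather_facts: true
  vars:
    # Base packages
    base_packages:
      - curl
      - wget
      - git
      - vim
      - htop
      - tree
      - unzip
      - jq
      - python3
      - python3-pip
      - apt-transport-https
      - ca-certificates
      - gnupg
      - lsb-release

    # Docker configuration.
    # Membership in the docker group grants effective root on the host (the
    # daemon socket can start privileged containers and mount /), so keep
    # this list limited to accounts that are already trusted administrators.
    docker_users:
      - "{{ ansible_user }}"

    # System configuration
    timezone: "Asia/Shanghai"

  tasks:
    - name: Update package cache
      apt:
        update_cache: true
        cache_valid_time: 3600
      when: ansible_os_family == "Debian"

    - name: Install base packages
      package:
        name: "{{ base_packages }}"
        state: present

    - name: Set timezone
      timezone:
        name: "{{ timezone }}"

    - name: Create system users
      user:
        name: "{{ ansible_user }}"
        groups: sudo
        # Without append the module replaces the supplementary group list,
        # which strips the docker membership added below on every run and
        # makes the play report "changed" each time.
        append: true
        shell: /bin/bash
        create_home: true
      when: ansible_user != "root"

    - name: Configure SSH
      # Precondition: key-based access for ansible_user must already work,
      # otherwise disabling PasswordAuthentication locks out remote access.
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        backup: true
        # Reject an edit that sshd cannot parse before the restart handler
        # runs; a broken sshd_config would otherwise be unrecoverable remotely.
        validate: '/usr/sbin/sshd -t -f %s'
      loop:
        - { regexp: '^#?PermitRootLogin', line: 'PermitRootLogin no' }
        - { regexp: '^#?PasswordAuthentication', line: 'PasswordAuthentication no' }
        - { regexp: '^#?PubkeyAuthentication', line: 'PubkeyAuthentication yes' }
      notify: restart ssh
      # Skipped when connecting as root so the play cannot lock itself out;
      # root login therefore remains permitted until a non-root admin exists.
      when: ansible_user != "root"

    - name: Install Docker
      block:
        - name: Add Docker GPG key
          # apt_key wraps apt-key, which recent Debian/Ubuntu releases mark
          # deprecated; the replacement is a keyring file in /etc/apt/keyrings
          # referenced via signed-by in the repository line.
          apt_key:
            url: https://download.docker.com/linux/ubuntu/gpg
            state: present

        - name: Add Docker repository
          apt_repository:
            # Ubuntu-only repository and amd64-only architecture are
            # hard-coded; Debian or arm64 hosts will not get a usable repo.
            repo: "deb [arch=amd64] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
            state: present

        - name: Install Docker
          package:
            name:
              - docker-ce
              - docker-ce-cli
              - containerd.io
              - docker-compose-plugin
            state: present

        - name: Add users to docker group
          user:
            name: "{{ item }}"
            groups: docker
            append: true
          loop: "{{ docker_users }}"

        - name: Start and enable Docker
          systemd:
            name: docker
            state: started
            enabled: true

        - name: Install Docker Compose (standalone)
          get_url:
            # Downloads an unpinned "latest" x86_64 binary with no integrity
            # check, so whatever upstream serves is installed to PATH as
            # executable. Pin a release tag and add
            #   checksum: "sha256:<EXPECTED_SHA256_PLACEHOLDER>"
            # so a changed or tampered artifact is rejected.
            url: "https://github.com/docker/compose/releases/latest/download/docker-compose-linux-x86_64"
            dest: /usr/local/bin/docker-compose
            mode: '0755'

    - name: Configure firewall
      # Rules are added first; the handler enables ufw only after they exist,
      # so enabling the firewall cannot cut off the SSH session in progress.
      ufw:
        rule: "{{ item.rule }}"
        port: "{{ item.port }}"
        proto: "{{ item.proto | default('tcp') }}"
      loop:
        - { rule: 'allow', port: '22' }
        - { rule: 'allow', port: '80' }
        - { rule: 'allow', port: '443' }
      notify: enable ufw

    - name: Create application directories
      file:
        path: "{{ item }}"
        state: directory
        owner: "{{ ansible_user }}"
        group: "{{ ansible_user }}"
        mode: '0755'
      loop:
        - /opt/apps
        - /opt/data
        - /opt/logs
        - /opt/backups
        - /opt/scripts

    - name: Install monitoring tools
      package:
        name:
          - htop
          - iotop
          - nethogs
          - ncdu
          - tmux
        state: present

    - name: Configure system limits
      pam_limits:
        domain: '*'
        limit_type: "{{ item.type }}"
        limit_item: "{{ item.item }}"
        value: "{{ item.value }}"
      loop:
        - { type: 'soft', item: 'nofile', value: '65536' }
        - { type: 'hard', item: 'nofile', value: '65536' }
        - { type: 'soft', item: 'nproc', value: '32768' }
        - { type: 'hard', item: 'nproc', value: '32768' }

    - name: Configure sysctl
      sysctl:
        name: "{{ item.name }}"
        value: "{{ item.value }}"
        state: present
        reload: true
      loop:
        - { name: 'vm.max_map_count', value: '262144' }
        - { name: 'fs.file-max', value: '2097152' }
        - { name: 'net.core.somaxconn', value: '32768' }

  handlers:
    - name: restart ssh
      # "ssh" is the Debian/Ubuntu unit name; RHEL-family hosts use "sshd".
      systemd:
        name: ssh
        state: restarted

    - name: enable ufw
      ufw:
        state: enabled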