commited current state (new functions, may not work by now)

roles/system/defaults/main.yml

@@ -0,0 +1,3 @@
+use_docker_image_mirror: true
+docker_mirror_location: "SC"  # or "tinc" based on your preference
+docker_install_source: "official"

roles/system/files/motd

@@ -0,0 +1,15 @@
+  _   _                      _                                          _
+ | |_(_)_ __   ___          (_) ___ _ __            _ __  _ __ ___   __| |
+ | __| | '_ \ / __|  _____  | |/ __| '_ \   _____  | '_ \| '__/ _ \ / _` |
+ | |_| | | | | (__  |_____| | | (__| |_) | |_____| | |_) | | | (_) | (_| |
+  \__|_|_| |_|\___|         |_|\___| .__/          | .__/|_|  \___/ \__,_|
+                                   |_|             |_|
+ -----------------------------------------------------------------
+ * This server is managed by tinc. Please contact the            *
+ * support team at 'support@tinc.gmbh' for any issues.           *
+ -----------------------------------------------------------------
+ * WARNING - WARNING - WARNING - WARNING - WARNING - WARNING     *
+ * You are accessing a secured system and your actions will      *
+ * be logged along with identifying information. Disconnect      *
+ * immediately if you are not an authorized user of this system. *
+ -----------------------------------------------------------------

roles/system/handlers/main.yml

@@ -0,0 +1,28 @@
+- name: Reload systemd
+  ansible.builtin.systemd:
+    daemon_reload: true
+
+- name: Restart SSH
+  systemd_service:
+      name: sshd
+      state: restarted
+
+- name: Restart Docker
+  systemd_service:
+    name: docker
+    state: restarted
+
+- name: Restart chronyd
+  ansible.builtin.systemd:
+    name: chronyd
+    state: restarted
+
+- name: Enable Docker
+  systemd_service:
+    name: docker
+    enabled: true
+
+- name: Start Docker
+  systemd_service:
+    name: docker
+    state: started

roles/system/tasks/install-basic-tools.yaml

@@ -0,0 +1,16 @@
+- name: Install basic system tools
+  ansible.builtin.package:
+    name:
+      - git
+      - curl
+      - wget
+      - vim
+      - htop
+      - net-tools
+      - unzip
+      - htop
+      - tcpdump
+      - bind9-dnsutils
+      - gnupg
+      - sudo
+    state: present

roles/system/tasks/install-docker-image-mirror.yaml

@@ -0,0 +1,64 @@
+- name: Create directory for Docker systemd override
+  ansible.builtin.file:
+    path: /etc/systemd/system/docker.service.d
+    state: directory
+    mode: '0755'
+
+- name: Setup Docker image mirror (SC)
+  when: use_docker_image_mirror | bool and docker_mirror_location == "SC"
+  block:
+    - name: Install CA certificate for Docker image mirror
+      ansible.builtin.get_url:
+        url: http://dim.servercow.com:3128/ca.crt
+        dest: /usr/local/share/ca-certificates/SCOW-DIM-CA.crt
+        mode: '0644'
+      register: sc_ca_cert
+
+    - name: Register CA certificate
+      ansible.builtin.command: update-ca-certificates
+      when: sc_ca_cert.changed
+
+    - name: Write Docker proxy configuration (SC)
+      ansible.builtin.copy:
+        dest: /etc/systemd/system/docker.service.d/http-proxy.conf
+        content: |
+          [Service]
+          Environment="HTTP_PROXY=http://dim.servercow.com:3128/"
+          Environment="HTTPS_PROXY=http://dim.servercow.com:3128/"
+        owner: root
+        group: root
+        mode: '0644'
+      notify: 
+        - Reload systemd
+        - Restart Docker
+      when: sc_ca_cert.changed
+  
+- name: Setup Docker Image Mirror (tinc)
+  when: use_docker_image_mirror | bool and docker_mirror_location == "tinc"
+  block:
+    - name: Install CA certificate for Docker image mirror
+      ansible.builtin.get_url:
+        url: http://mirror.tinc.gmbh:3128/ca.crt
+        dest: /usr/local/share/ca-certificates/TINC-DIM-CA.crt
+        mode: '0644'
+      register: tinc_ca_cert
+
+    - name: Register CA certificate
+      ansible.builtin.command: update-ca-certificates
+      when: tinc_ca_cert.changed
+
+
+    - name: Write Docker proxy configuration (tinc)
+      ansible.builtin.copy:
+        dest: /etc/systemd/system/docker.service.d/http-proxy.conf
+        content: |
+          [Service]
+          Environment="HTTP_PROXY=http://mirror.tinc.gmbh:3128/"
+          Environment="HTTPS_PROXY=http://mirror.tinc.gmbh:3128/"
+        owner: root
+        group: root
+        mode: '0644'
+      notify: 
+        - Reload systemd
+        - Restart Docker
+      when: tinc_ca_cert.changed

roles/system/tasks/install-docker.yaml

@@ -0,0 +1,76 @@
+- name: Install Docker from official repo
+  when: docker_install_source == "official"
+  block:
+    - name: Ensure Docker GPG key is dearmored and installed
+      ansible.builtin.get_url:
+        url: https://download.docker.com/linux/debian/gpg
+        dest: /tmp/docker.gpg
+        mode: '0644'
+
+    - name: Convert Docker GPG key to binary format (dearmor)
+      ansible.builtin.command:
+        cmd: gpg --dearmor -o /etc/apt/trusted.gpg.d/docker.gpg /tmp/docker.gpg
+      args:
+        creates: /etc/apt/trusted.gpg.d/docker.gpg
+
+    - name: Remove temporary Docker GPG key
+      ansible.builtin.file:
+        path: /tmp/docker.gpg
+        state: absent
+
+    - name: Add Docker APT repository (official)
+      ansible.builtin.copy:
+        dest: /etc/apt/sources.list.d/docker.list
+        content: |
+          deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/docker.gpg] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable
+        mode: '0644'
+      register: docker_repo
+
+- name: Install Docker from tinc mirror
+  when: docker_install_source == "tinc"
+  block:
+
+    - name: Ensure Docker GPG key is dearmored and installed
+      ansible.builtin.get_url:
+        url: https://mirror.tinc.gmbh/docker/debian/gpg
+        dest: /tmp/docker.gpg
+        mode: '0644'
+
+    - name: Convert Docker GPG key to binary format (dearmor)
+      ansible.builtin.command:
+        cmd: gpg --dearmor -o /etc/apt/trusted.gpg.d/docker.gpg /tmp/docker.gpg
+      args:
+        creates: /etc/apt/trusted.gpg.d/docker.gpg
+
+    - name: Remove temporary Docker GPG key
+      ansible.builtin.file:
+        path: /tmp/docker.gpg
+        state: absent
+
+    - name: Add Docker APT repository (tinc)
+      ansible.builtin.copy:
+        dest: /etc/apt/sources.list.d/docker.list
+        content: |
+          deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/docker.gpg] https://mirror.tinc.gmbh/docker/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable
+        mode: '0644'
+      register: docker_repo
+
+- name: Update APT cache
+  ansible.builtin.apt:
+    update_cache: yes
+  when: docker_repo.changed
+
+- name: Install Docker packages from mirror
+  ansible.builtin.apt:
+    name:
+      - docker-ce
+      - docker-ce-cli
+      - containerd.io
+      - docker-compose-plugin
+      - docker-buildx-plugin
+      - docker-ce-rootless-extras
+    state: present
+  notify:
+    - Enable Docker
+    - Start Docker
+  when: docker_repo.changed

roles/system/tasks/install-motd.yaml

@@ -0,0 +1,7 @@
+- name: Install custom MOTD
+  copy:
+    src: motd
+    dest: /etc/motd
+    owner: root
+    group: root
+    mode: '0644'

roles/system/tasks/setup-timeserver.yaml

@@ -0,0 +1,26 @@
+- name: Purge systemd-timesyncd
+  ansible.builtin.apt:
+    name: systemd-timesyncd
+    state: absent
+    purge: true
+
+- name: Setup Chrony
+  ansible.builtin.apt:
+    name: chrony
+    state: present
+    update_cache: yes
+
+- name: Configure Chrony
+  ansible.builtin.copy:
+    dest: /etc/chrony/chrony.conf
+    content: |
+      server ntp.as208016.net iburst
+      pool de.pool.ntp.org iburst
+      driftfile /var/lib/chrony/drift
+      makestep 1.0 3
+      rtcsync
+    owner: root
+    group: root
+    mode: '0644'
+  notify: 
+    - Restart chronyd

roles/system/tasks/special-admin-create.yaml

@@ -0,0 +1,52 @@
+---
+  - name: User "{{ admin_user }}" anlegen
+    ansible.builtin.user:
+      name: "{{ admin_user }}"
+      shell: /bin/bash
+      state: present
+    register: admin_user_result
+
+  - name: .ssh‑Verzeichnis anlegen
+    ansible.builtin.file:
+      path: "/home/{{ admin_user }}/.ssh"
+      state: directory
+      owner: "{{ admin_user }}"
+      group: "{{ admin_user }}"
+      mode: "0700"
+    when: admin_user_result.changed
+
+  - name: Public‑Keys von URL holen
+    ansible.builtin.uri:
+      url: "{{ admin_ssh_pub_key_url }}"
+      return_content: yes
+    delegate_to: localhost
+    register: fetched_keys
+
+  - name: Liste der einzelnen Keys erstellen
+    ansible.builtin.set_fact:
+      key_list: "{{ fetched_keys.content.splitlines() }}"
+
+  - name: authorized_keys anlegen (falls nicht vorhanden)
+    ansible.builtin.file:
+      path: "/home/{{ admin_user }}/.ssh/authorized_keys"
+      state: touch
+      owner: "{{ admin_user }}"
+      group: "{{ admin_user }}"
+      mode: "0600"
+
+  - name: Jeden Key einzeln mit authorized_key hinzufügen
+    ansible.builtin.authorized_key:
+      user: "{{ admin_user }}"
+      key: "{{ item | trim }}"
+      state: present
+    loop: "{{ key_list }}"
+    when: item | trim != ""
+
+  - name: Passwordless‑sudo für alle Befehle konfigurieren
+    ansible.builtin.copy:
+      dest: "/etc/sudoers.d/{{ admin_user }}"
+      content: |
+        {{ admin_user }} ALL=(ALL) NOPASSWD: ALL
+      owner: root
+      group: root
+      mode: "0440"

roles/system/tasks/ssh-hardening.yaml

@@ -0,0 +1,36 @@
+- name: Public‑Keys von URL holen
+  ansible.builtin.uri:
+    url: "{{ ssh_pub_key_url }}"
+    return_content: yes
+  delegate_to: localhost
+  register: fetched_keys
+
+- name: Liste der einzelnen Keys erstellen
+  ansible.builtin.set_fact:
+    key_list: "{{ fetched_keys.content.splitlines() }}"
+
+- name: authorized_keys anlegen (falls nicht vorhanden)
+  ansible.builtin.file:
+    path: "/root/.ssh/authorized_keys"
+    state: touch
+    owner: "root"
+    group: "root"
+    mode: "0600"
+
+- name: Jeden Key einzeln mit authorized_key hinzufügen
+  ansible.builtin.authorized_key:
+    user: "root"
+    key: "{{ item | trim }}"
+    state: present
+  loop: "{{ key_list }}"
+  when: item | trim != ""
+
+- name: Harden SSH configuration
+  ansible.builtin.template:
+    src: sshd_config.j2
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: '0644'
+  notify:
+    - Restart SSH

roles/system/templates/sshd_config.j2

@@ -0,0 +1,44 @@
+Include /etc/ssh/sshd_config.d/*.conf
+
+Port 22
+AddressFamily any
+ListenAddress 0.0.0.0
+ListenAddress ::
+
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 2m
+PermitRootLogin without-password
+MaxAuthTries 6
+
+PubkeyAuthentication yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+KbdInteractiveAuthentication no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin prohibit-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+UsePAM yes
+
+X11Forwarding yes
+PrintMotd no
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem       sftp    /usr/lib/openssh/sftp-server