Ansible on Debian 12 Bookworm Automation Complete Guide

By Luca Berton · Published 2024-01-01 · Category: installation

Automate Debian 12 (Bookworm) servers with Ansible: APT, AppArmor, UFW, systemd, Docker, Kubernetes, hardening, unattended security upgrades, patching.

Debian 12 (Bookworm) was released on June 10, 2023. With Linux kernel 6.1 LTS, OpenSSH 9.2, Python 3.11, systemd 252, and apt 2.6, it remains an extremely stable baseline for servers, containers, and embedded devices in 2026. Standard support runs through June 2026, and LTS support extends to June 2028 via the Debian LTS team. This guide is the master overview for automating Bookworm with Ansible.

Debian 12 release facts

| Item | Value |
|---|---|
| Code name | Bookworm |
| Release | 2023-06-10 |
| Standard support | until 2026-06 |
| LTS | until 2028-06 |
| Default kernel | 6.1 LTS |
| Default Python | 3.11 |
| Default OpenSSH | 9.2p1 |
| systemd | 252 |

See also: Ansible on Debian 13 Trixie Automation Complete Guide

Ansible-core compatibility

Use ansible-core 2.18 LTS with ansible_python_interpreter=/usr/bin/python3 (Python 3.11 ships by default).

Inventory

[debian12]
db-01.example.com
db-02.example.com

[debian12:vars]
ansible_user=admin
ansible_python_interpreter=/usr/bin/python3

See also: Ansible on Ubuntu 22.04 LTS Jammy Jellyfish Automation Complete Guide

Baseline playbook

---
- name: Debian 12 Bookworm baseline
  hosts: debian12
  become: true
  tasks:
    - name: Update apt cache
      ansible.builtin.apt:
        update_cache: true
        cache_valid_time: 3600

    - name: Install baseline packages
      ansible.builtin.apt:
        name:
          - vim
          - curl
          - htop
          - chrony
          - ufw
          - fail2ban
          - apparmor
          - apparmor-utils
          - unattended-upgrades
        state: present

    - name: Enable AppArmor
      ansible.builtin.service: { name: apparmor, enabled: true, state: started }

    - name: Configure unattended-upgrades
      ansible.builtin.copy:
        dest: /etc/apt/apt.conf.d/50unattended-upgrades
        owner: root
        mode: "0644"
        content: |
          Unattended-Upgrade::Origins-Pattern {
            "origin=Debian,codename=${distro_codename},label=Debian-Security";
            // Since Bullseye the security archive's codename is <codename>-security
            // (bookworm-security on Debian 12), so this pattern is the one that matches it.
            "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
          };
          Unattended-Upgrade::Automatic-Reboot "false";

    - name: Enable periodic upgrades
      ansible.builtin.copy:
        dest: /etc/apt/apt.conf.d/20auto-upgrades
        owner: root
        mode: "0644"
        content: |
          APT::Periodic::Update-Package-Lists "1";
          APT::Periodic::Unattended-Upgrade "1";

OpenSSH hardening

- name: SSH hardening on Bookworm
  hosts: debian12
  become: true
  handlers:
    - name: restart sshd
      ansible.builtin.service: { name: ssh, state: restarted }
  tasks:
    - name: Drop hardened SSH config
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/10-hardened.conf
        mode: "0644"
        content: |
          PasswordAuthentication no
          PermitRootLogin no
          KbdInteractiveAuthentication no
          MaxAuthTries 3
          ClientAliveInterval 300
        validate: 'sshd -tf %s'
      notify: restart sshd

See also: How to install Ansible on Raspberry Pi OS (Bookworm)

UFW firewall

- name: Configure UFW on Bookworm
  hosts: debian12
  become: true
  tasks:
    - name: Default deny incoming
      community.general.ufw: { default: deny, direction: incoming }

    - name: Allow SSH (rate-limited)
      community.general.ufw: { rule: limit, port: '22', proto: tcp }

    - name: Allow HTTPS
      community.general.ufw: { rule: allow, port: '443', proto: tcp }

    - name: Enable UFW
      community.general.ufw: { state: enabled, logging: 'on' }

Docker CE on Debian 12

- name: Install Docker CE on Bookworm
  hosts: debian12
  become: true
  tasks:
    - name: Add Docker GPG key
      ansible.builtin.get_url:
        url: https://download.docker.com/linux/debian/gpg
        dest: /etc/apt/keyrings/docker.asc
        mode: "0644"

    - name: Add Docker apt repo
      ansible.builtin.apt_repository:
        repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian bookworm stable"
        state: present
        filename: docker

    - name: Install Docker engine
      ansible.builtin.apt:
        name:
          - docker-ce
          - docker-ce-cli
          - containerd.io
          - docker-compose-plugin
        state: present
        update_cache: true

Patching with serial rollouts

- name: Patch Debian 12 fleet
  hosts: debian12
  become: true
  serial: 25%
  tasks:
    - name: Apply security upgrades
      ansible.builtin.apt:
        upgrade: dist
        update_cache: true
        autoremove: true

    # /var/run/reboot-required is written by the kernel postinst hook that the
    # unattended-upgrades package installs. Matching the running kernel against
    # ^6\.1\. is true on every Bookworm host and would reboot unconditionally.
    - name: Check whether a reboot has been flagged
      ansible.builtin.stat:
        path: /var/run/reboot-required
      register: reboot_required

    - name: Reboot if a new kernel is staged
      ansible.builtin.reboot:
      when: reboot_required.stat.exists

Best practices

• Prefer /etc/ssh/sshd_config.d/ drop-ins for SSH hardening.
• Use unattended-upgrades with automatic reboot disabled and orchestrate reboots from Ansible.
• Add the apparmor package and stick to the targeted profile model.
• Always pass validate: 'sshd -tf %s' and validate: '/usr/sbin/visudo -cf %s' to the copy or template tasks that write sshd or sudoers files, so a bad file is rejected before it is installed.
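A verification play, added here as an example and not part of the original guide, that checks the baseline, SSH hardening and UFW plays above actually took effect on the debian12 group. It uses sshd -T rather than sshd -tf because the latter only parses the drop-in on its own, while sshd -T prints the merged configuration in which an earlier-sorted file in /etc/ssh/sshd_config.d/ would win; the command paths and assertion strings match Debian 12 tooling output as observed, and the play assumes the earlier plays have already run.

```yaml
---
- name: Verify Bookworm hardening took effect
  hosts: debian12
  become: true
  tasks:
    # sshd -T prints the effective configuration as lowercase "keyword value"
    # lines, after Include and first-value-wins merging have been applied.
    - name: Dump effective sshd configuration
      ansible.builtin.command: /usr/sbin/sshd -T
      register: sshd_effective
      changed_when: false

    - name: Assert the hardened SSH settings are in effect
      ansible.builtin.assert:
        that:
          - "'passwordauthentication no' in sshd_effective.stdout_lines"
          - "'permitrootlogin no' in sshd_effective.stdout_lines"
          - "'kbdinteractiveauthentication no' in sshd_effective.stdout_lines"
          - "'maxauthtries 3' in sshd_effective.stdout_lines"
        fail_msg: "Effective sshd config differs from 10-hardened.conf; look for an earlier-sorted drop-in"

    - name: Read UFW status
      ansible.builtin.command: /usr/sbin/ufw status verbose
      register: ufw_status
      changed_when: false

    - name: Assert UFW is active with default deny for incoming traffic
      ansible.builtin.assert:
        that:
          - "'Status: active' in ufw_status.stdout"
          - "'deny (incoming)' in ufw_status.stdout"

    # aa-enabled exits non-zero when AppArmor is not enabled, which fails the task.
    - name: Assert AppArmor is enabled
      ansible.builtin.command: /usr/sbin/aa-enabled
      changed_when: false

    - name: Read the periodic unattended-upgrade setting
      ansible.builtin.command: apt-config dump APT::Periodic::Unattended-Upgrade
      register: apt_periodic
      changed_when: false

    - name: Assert unattended upgrades are switched on
      ansible.builtin.assert:
        that:
          - "'APT::Periodic::Unattended-Upgrade \"1\";' in apt_periodic.stdout"
```

Run it with --check disabled (the command tasks are read-only and marked changed_when: false), and wire it into CI after the hardening plays so a regression in a drop-in or firewall rule fails the run instead of going unnoticed.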

Conclusion

Debian 12 Bookworm is a rock-solid Linux baseline for 2026. Pair ansible-core 2.18 with ansible.builtin, ansible.posix, and community.general to ship hardened Bookworm servers, container hosts, and Kubernetes nodes from a single playbook.
