Added playbook variables and tasks for podman image installations, created gocryptfs vault and ProFTPd users and directories, added recusrive bind mounts of gocryptfs vault and web source code

2025-07-23 15:43:03 -04:00
parent 7fffe801b0
commit 02d35f36fb
1 changed files with 196 additions and 1 deletions
--- a/extended@vps.yml
+++ b/extended@vps.yml
@@ -2,3 +2,198 @@
 - name: Additional tasks to do on the VPS
  hosts: vps
  gather_facts: yes
+  vars:
+    want_recc_cimages: yes
+    want_custom_cimages: no
+    source_repo: ~
+    # source_repo:
+    #   utility: git
+    #   url: senpai@ipv6.sukaato:repos/sukaato.git
+
+  tasks:
+    - name: Install core podman images
+      include_role:
+        name: bootstrap
+        tasks_from: core_installations@podman.yml
+        defaults_from: core_images@podman.yml
+      register: core_podman_images_installed
+      tags: [default, with_containers]
+    - name: Install additional recommended podman images
+      include_role:
+        name: bootstrap
+        tasks_from: extra_installations@podman.yml
+        defaults_from: core_images@podman.yml
+      register: recc_podman_images_installed
+      when: want_recc_cimages
+      tags: [default, with_containers]
+    - name: Get variable for custom podman image package list
+      include_vars:
+        file: "{{ roles_path }}/bootstrap/defaults/custom_images@podman.yml"
+        name: podman_cimages
+      tags: [default, with_containers]
+    - name: Install custom podman images
+      include_role:
+        name: bootstrap
+        tasks_from: extra_installations@podman.yml
+      vars:
+        recc_cimages: "{{ podman_cimages.my_cimages }}"
+      register: extra_podman_images_installed
+      when: want_custom_cimages
+      tags: [default, with_containers]
+    - name: Configure ProFTPd
+      include_role:
+        name: bootstrap
+        tasks_from: configure_core/proftpd.yml
+        defaults_from: options/proftpd.yml
+        vars_from: options/proftpd.yml
+      register: proftpd_configured
+      tags: [default, with_ftp]
+    - name: Create FTP root
+      become: yes
+      become_method: sudo
+      file:
+        path: "{{ ftp_root }}"
+        state: directory
+        owner: ftpd
+        group: nogroup
+      register: ftp_root_created
+      tags: [default, with_ftp]
+    - name: Create a directory for website or web server source code
+      file:
+        path: "{{ domain_source_path }}"
+        state: directory
+      tags: [default, with_webserver]
+      register: domain_srcdir_created
+    - name: Pull website source code
+      block:
+        - name: Git pull website git repository
+          become_user: git
+          become_method: sudo
+          git:
+            repo: "{{ source_repo.url }}"
+            dest: "{{ domain_source_path }}"
+            single_branch: yes
+            version: main
+          when: source_repo.utility == 'git'
+      register: website_src_available
+      when: source_repo is defined
+      tags: [default, with_webserver]
+    - name: Create fstab entry for rbind mount for web root
+      become: yes
+      become_method: sudo
+      ansible.posix.mount:
+        src: "{{ domain_source_path }}"
+        path: "{{ domain_root }}"
+        fstype: none
+        opts: rbind
+        state: mounted
+      register: webmount_created
+      tags: [default, with_webserver]
+    - name: Create a gocryptfs vault for mounting under FTP root
+      command:
+        argv: [/usr/bin/gocryptfs, -init, "{{ ansible_facts['user_dir'] }}/secrets"]
+        stdin: "{{ gocrypt_password }}"
+      register: secrets_masterkey_created
+      tags: ['default', 'with_ftp', 'with_ftp_crypt_dir']
+    - name: Get gocryptfs decryption configuration file metadata
+      stat:
+        path: "{{ ansible_facts['user_dir'] }}/secrets"
+      register: secrets_vault
+      when: secrets_masterkey_created.rc == 0
+    - name: Create a file to store password for secrets gocryptfs vault
+      file:
+        path: "{{ ansible_facts['user_dir'] }}/config/.secrets_vault.key"
+        state: touch
+      register: secrets_passfile_created
+      tags: ['default', 'with_ftp', 'with_ftp_crypt_dir']
+    - name: Put password in aforementioned file
+      lineinfile:
+        path: "{{ gcfs_passfile_created.path }}"
+        line: "{{ gocrypt_password }}"
+        state: present
+      when: secrets_passfile_created
+      tags: ['default', 'with_ftp', 'with_ftp_crypt_dir']
+    - name: Copy gocryptfs decryption configuration of secrets vault to hidden directory
+      copy:
+        remote_src: "{{ ansible_facts['user_dir'] }}/secrets/gocryptfs.conf"
+        dest: "{{ ansible_facts['user_dir'] }}/.fskeys/ciphers/secrets.conf"
+        force: yes
+        backup: yes
+      register: secrets_conf_copied
+      when: secrets_vault.stat.exists and secrets_masterkey_created.rc == 0
+      tags: ['default', 'with_ftp', 'with_ftp_crypt_dir']
+    - name: Remove gocryptfs decryption configuration from vault
+      file:
+        path: "{{ ansible_facts['user_dir'] }}/secrets/gocryptfs.conf"
+        state: absent
+      when: secrets_conf_copied
+      tags: ['default', 'with_ftp', 'with_ftp_crypt_dir']
+    - name: Mount the gocryptfs secrets vault
+      ansible.posix.mount:
+        src: "{{ ansible_facts['user_dir'] }}/secrets"
+        path: "{{ ansible_facts['user_dir'] }}/.mnt/secrets.plain"
+        state: mounted
+        fstype: fuse./usr/bin/gocryptfs
+        opts: "nofail,passfile={{ secrets_passfile_created.path }},config={{ ansible_facts['user_dir'] }}/.fskeys/ciphers/secrets.conf"
+      register: secrets_mounted
+      when: secrets_vault.stat.exists and secrets_masterkey_created.rc == 0
+      tags: ['default', 'with_ftp', 'with_ftp_crypt_dir']
+    #@TODO create handler that sends copy of gcfs_masterkey_created somehow
+    - name: Create users for ProFTPd
+      block:
+        - name: Create ProFTPd user webmaster for website
+          become: yes
+          become_method: sudo
+          command:
+            argv:
+              - /usr/local/bin/ftpasswd
+              - --passwd
+              - --file=/etc/proftpd/ftpd.passwd
+              - --name=webmaster
+              - "--home={{ domain_root }}/public"
+              - --shell=/bin/false
+              - --sha256
+              - --stdin
+            stdin: "{{ ftp_web_password }}"
+          register: proftpd_webmaster_created
+          tags: [with_webserver]
+        - name: Create home directory for ProFTPd user cybersmuggler
+          become: yes
+          become_method: sudo
+          file:
+            path: "{{ ftp_root }}/black_market"
+            state: directory
+            owner: "{{ ansible_facts['user_id'] }}"
+            group: "{{ ansible_facts['user_id'] }}"
+          register: cybersmuggler_home_created
+        - name: Create ProFTPd user cybersmuggler for file-sharing
+          become: yes
+          become_method: sudo
+          command:
+            argv:
+              - /usr/local/bin/ftpasswd
+              - --passwd
+              - --file=/etc/proftpd/ftpd.passwd
+              - --name=cybersmuggler
+              - --uid=1000
+              - "--home={{ ftp_root }}/black_market"
+              - --shell=/bin/false
+              - --sha256
+              - --stdin
+            stdin: "{{ ftp_password }}"
+          register: proftpd_cybersmuggler_created
+      register: proftpd_users_created
+      tags: [default, with_ftp]
+    - name: Create fstab entry for rbind mount for secrets decrypted vault
+      become: yes
+      become_method: sudo
+      ansible.posix.mount:
+        src: "{{ ansible_facts['user_dir'] }}/.mnt/secrets.plain"
+        path: "{{ ftp_root }}/black_market/secrets"
+        fstype: none
+        opts: rbind
+        state: mounted
+      when: secrets_mounted
+      tags: ['default', 'with_ftp', 'with_ftp_crypt_dir']
+    #@TODO create tasks for setting up Caddy--maybe?
+