Starting from scratch with new playbooks using different directory structure

2025-09-05 00:22:47 -04:00
parent 53cc3ddad3
commit 7ec74d7f95
4 changed files with 0 additions and 443 deletions
--- a/configure@vps.yml
+++ b/configure@vps.yml
@@ -1,139 +0,0 @@
---
- name: Configure virtual private servers
-  hosts: vps
-  gather_facts: yes
-  vars:
-    # # below is just to remind you to use '-u' instead 
-    # ansible_user: "{{ root_auths[0].username }}"
-    # # below is just to remind you to use '--ask-pass' instead
-    # ansible_password: "{{ root_auths[0].password }}"
-    FAMILY: "{{ ansible_facts['os_family'] }}"
-    CURRENT_HOST_IP4: "{{ ansible_facts['default_ipv4']['address'] }}"
-    CURRENT_HOST_IP6: "{{ ansible_facts['default_ipv6']['address'] }}"
-    FQDN: "{{ domain_name | default(inventory_hostname, true) }}"
-    acme_challenge: no
-
-  pre_tasks:
-    - name: Set timezone
-      become: yes
-      become_method: sudo
-      community.general.timezone:
-        name: "{{ tzone }}"
-      register: timezone_set
-      tags: ['baseconf', 'timezone_setting']
-    - name: Set hostname
-      become: yes
-      become_method: sudo
-      hostname:
-        name: "{{ hname }}"
-        use: "{{ FAMILY.lower() }}"
-      register: hostname_set
-      tags: ['baseconf', 'hostname_initialization']
-    - name: Add remote host alias to hosts file
-      become: yes
-      become_method: sudo
-      lineinfile:
-        path: /etc/hosts
-        search_string: "127.0.1.1"
-        line: "127.0.1.1       {{ hname }}"
-        state: present
-        create: yes
-      register: hosts_updated
-      tags: ['baseconf', 'hostsfile_update']
-    - name: Add remote host public address aliases to hosts file
-      become: yes
-      become_method: sudo
-      lineinfile:
-        path: /etc/hosts
-        search_string: "{{ CURRENT_HOST_IP4 }}"
-        line: "{{ CURRENT_HOST_IP4 }}       {{ FQDN }} {{ hname }}"
-        state: present
-        create: yes
-      register: hosts_updated
-      when: CURRENT_HOST_IP4 is defined
-      tags: ['baseconf', 'hostsfile_update']
-    - name: Add remote host public address aliases to hosts file
-      become: yes
-      become_method: sudo
-      lineinfile:
-        path: /etc/hosts
-        search_string: "{{ CURRENT_HOST_IP6 }}"
-        line: "{{ CURRENT_HOST_IP6 }}       {{ FQDN }} {{ hname }}"
-        state: present
-        create: yes
-      register: hosts_updated
-      when: CURRENT_HOST_IP6 is defined
-      tags: ['baseconf', 'hostsfile_update']
-    - name: Create a directory for client source code
-      file:
-        path: "{{ ansible_facts['user_dir'] }}/src/clients"
-        state: directory
-    - name: Create a directory for container service compose files
-      file:
-        path: "{{ compose_source_path }}"
-        state: directory
-    # - name: Create a directory for website or web server source code
-    #   file:
-    #     path: "{{ ansible_facts['user_dir'] }}/src/services/web"
-    #     state: directory
-
-  tasks:
-    - name: Configure core packages
-      include_role:
-        name: bootstrap
-        tasks_from: config@corepkgs.yml
-        defaults_from: main
-        vars_from: main
-      vars:
-        #@TODO improve filters for defining the two below variables
-        official_name: "{{ [admin.actual_name if admin.username == ansible_facts['user_id'] for admin in admin_auths][0] }}"
-        official_email: "{{ [admin.email if admin.username == ansible_facts['user_id'] for admin in admin_auths][0] }}"
-      register: pkgs_configured
-      tags: ['default', 'configure_pkgs']
-    - name: Configure DNS using Certbot
-      include_role:
-        name: bootstrap
-        tasks_from: configure_core/certbot.yml
-        defaults_from: options/certbot.yml
-        vars_from: options/certbot.yml
-      register: dns_challenge_made
-      when: acme_challenge
-      tags: ['default', 'with_porkbun_api']
-    - name: Import DNS certificates and keys
-      block:
-        - name: Create SSL certificate
-          become: yes
-          become_method: sudo
-          copy:
-            src: ssl/domain.cert.pem
-            dest: "{{ web_root  }}/domain.cert.pem"
-            force: yes
-            backup: yes
-        - name: Create private key
-          become: yes
-          become_method: sudo
-          copy:
-            src: ssl/private.key.pem
-            dest: "{{ web_root }}/private.key.pem"
-            force: yes
-            backup: yes
-        - name: Create public key
-          become: yes
-          become_method: sudo
-          copy:
-            src: ssl/public.key.pem
-            dest: "{{ web_root }}/public.key.pem"
-            force: yes
-            backup: yes
-      when: not acme_challenge
-      tags: ['default']
-
-  post_tasks:
-    - name: Do a system upgrade
-      include_role:
-        name: bootstrap
-        tasks_from: "upgrade@{{ FAMILY }}.yml"
-      vars:
-        upgrade_type: dist
-      register: system_initialized
-      tags: ['default', 'initial_system_upgrade']
--- a/extended@vps.yml
+++ b/extended@vps.yml
@@ -1,199 +0,0 @@
---
- name: Additional tasks to do on the VPS
-  hosts: vps
-  gather_facts: yes
-  vars:
-    want_recc_cimages: yes
-    want_custom_cimages: no
-    source_repo: ~
-    # source_repo:
-    #   utility: git
-    #   url: senpai@ipv6.sukaato:repos/sukaato.git
-
-  tasks:
-    - name: Install core podman images
-      include_role:
-        name: bootstrap
-        tasks_from: core_installations@podman.yml
-        defaults_from: core_images@podman.yml
-      register: core_podman_images_installed
-      tags: [default, with_containers]
-    - name: Install additional recommended podman images
-      include_role:
-        name: bootstrap
-        tasks_from: extra_installations@podman.yml
-        defaults_from: core_images@podman.yml
-      register: recc_podman_images_installed
-      when: want_recc_cimages
-      tags: [default, with_containers]
-    - name: Get variable for custom podman image package list
-      include_vars:
-        file: "{{ roles_path }}/bootstrap/defaults/custom_images@podman.yml"
-        name: podman_cimages
-      tags: [default, with_containers]
-    - name: Install custom podman images
-      include_role:
-        name: bootstrap
-        tasks_from: extra_installations@podman.yml
-      vars:
-        recc_cimages: "{{ podman_cimages.my_cimages }}"
-      register: extra_podman_images_installed
-      when: want_custom_cimages
-      tags: [default, with_containers]
-    - name: Configure ProFTPd
-      include_role:
-        name: bootstrap
-        tasks_from: configure_core/proftpd.yml
-        defaults_from: options/proftpd.yml
-        vars_from: options/proftpd.yml
-      register: proftpd_configured
-      tags: [default, with_ftp]
-    - name: Create FTP root
-      become: yes
-      become_method: sudo
-      file:
-        path: "{{ ftp_root }}"
-        state: directory
-        owner: ftpd
-        group: nogroup
-      register: ftp_root_created
-      tags: [default, with_ftp]
-    - name: Create a directory for website or web server source code
-      file:
-        path: "{{ domain_source_path }}"
-        state: directory
-      tags: [default, with_webserver]
-      register: domain_srcdir_created
-    - name: Pull website source code
-      block:
-        - name: Git pull website git repository
-          become_user: git
-          become_method: sudo
-          git:
-            repo: "{{ source_repo.url }}"
-            dest: "{{ domain_source_path }}"
-            single_branch: yes
-            version: main
-          when: source_repo.utility == 'git'
-      register: website_src_available
-      when: source_repo is defined
-      tags: [default, with_webserver]
-    - name: Create fstab entry for rbind mount for web root
-      become: yes
-      become_method: sudo
-      ansible.posix.mount:
-        src: "{{ domain_source_path }}"
-        path: "{{ domain_root }}"
-        fstype: none
-        opts: rbind
-        state: mounted
-      register: webmount_created
-      tags: [default, with_webserver]
-    - name: Create a gocryptfs vault for mounting under FTP root
-      command:
-        argv: [/usr/bin/gocryptfs, -init, "{{ ansible_facts['user_dir'] }}/secrets"]
-        stdin: "{{ gocrypt_password }}"
-      register: secrets_masterkey_created
-      tags: ['default', 'with_ftp', 'with_ftp_crypt_dir']
-    - name: Get gocryptfs decryption configuration file metadata
-      stat:
-        path: "{{ ansible_facts['user_dir'] }}/secrets"
-      register: secrets_vault
-      when: secrets_masterkey_created.rc == 0
-    - name: Create a file to store password for secrets gocryptfs vault
-      file:
-        path: "{{ ansible_facts['user_dir'] }}/config/.secrets_vault.key"
-        state: touch
-      register: secrets_passfile_created
-      tags: ['default', 'with_ftp', 'with_ftp_crypt_dir']
-    - name: Put password in aforementioned file
-      lineinfile:
-        path: "{{ gcfs_passfile_created.path }}"
-        line: "{{ gocrypt_password }}"
-        state: present
-      when: secrets_passfile_created
-      tags: ['default', 'with_ftp', 'with_ftp_crypt_dir']
-    - name: Copy gocryptfs decryption configuration of secrets vault to hidden directory
-      copy:
-        remote_src: "{{ ansible_facts['user_dir'] }}/secrets/gocryptfs.conf"
-        dest: "{{ ansible_facts['user_dir'] }}/.fskeys/ciphers/secrets.conf"
-        force: yes
-        backup: yes
-      register: secrets_conf_copied
-      when: secrets_vault.stat.exists and secrets_masterkey_created.rc == 0
-      tags: ['default', 'with_ftp', 'with_ftp_crypt_dir']
-    - name: Remove gocryptfs decryption configuration from vault
-      file:
-        path: "{{ ansible_facts['user_dir'] }}/secrets/gocryptfs.conf"
-        state: absent
-      when: secrets_conf_copied
-      tags: ['default', 'with_ftp', 'with_ftp_crypt_dir']
-    - name: Mount the gocryptfs secrets vault
-      ansible.posix.mount:
-        src: "{{ ansible_facts['user_dir'] }}/secrets"
-        path: "{{ ansible_facts['user_dir'] }}/.mnt/secrets.plain"
-        state: mounted
-        fstype: fuse./usr/bin/gocryptfs
-        opts: "nofail,passfile={{ secrets_passfile_created.path }},config={{ ansible_facts['user_dir'] }}/.fskeys/ciphers/secrets.conf"
-      register: secrets_mounted
-      when: secrets_vault.stat.exists and secrets_masterkey_created.rc == 0
-      tags: ['default', 'with_ftp', 'with_ftp_crypt_dir']
-    #@TODO create handler that sends copy of gcfs_masterkey_created somehow
-    - name: Create users for ProFTPd
-      block:
-        - name: Create ProFTPd user webmaster for website
-          become: yes
-          become_method: sudo
-          command:
-            argv:
-              - /usr/local/bin/ftpasswd
-              - --passwd
-              - --file=/etc/proftpd/ftpd.passwd
-              - --name=webmaster
-              - "--home={{ domain_root }}/public"
-              - --shell=/bin/false
-              - --sha256
-              - --stdin
-            stdin: "{{ ftp_web_password }}"
-          register: proftpd_webmaster_created
-          tags: [with_webserver]
-        - name: Create home directory for ProFTPd user cybersmuggler
-          become: yes
-          become_method: sudo
-          file:
-            path: "{{ ftp_root }}/black_market"
-            state: directory
-            owner: "{{ ansible_facts['user_id'] }}"
-            group: "{{ ansible_facts['user_id'] }}"
-          register: cybersmuggler_home_created
-        - name: Create ProFTPd user cybersmuggler for file-sharing
-          become: yes
-          become_method: sudo
-          command:
-            argv:
-              - /usr/local/bin/ftpasswd
-              - --passwd
-              - --file=/etc/proftpd/ftpd.passwd
-              - --name=cybersmuggler
-              - --uid=1000
-              - "--home={{ ftp_root }}/black_market"
-              - --shell=/bin/false
-              - --sha256
-              - --stdin
-            stdin: "{{ ftp_password }}"
-          register: proftpd_cybersmuggler_created
-      register: proftpd_users_created
-      tags: [default, with_ftp]
-    - name: Create fstab entry for rbind mount for secrets decrypted vault
-      become: yes
-      become_method: sudo
-      ansible.posix.mount:
-        src: "{{ ansible_facts['user_dir'] }}/.mnt/secrets.plain"
-        path: "{{ ftp_root }}/black_market/secrets"
-        fstype: none
-        opts: rbind
-        state: mounted
-      when: secrets_mounted
-      tags: ['default', 'with_ftp', 'with_ftp_crypt_dir']
-    #@TODO create tasks for setting up Caddy--maybe?
-    
--- a/fortify@vps.yml
+++ b/fortify@vps.yml
@@ -1,46 +0,0 @@
---
- name: Bootstrap virtual private servers
-  hosts: vps
-  gather_facts: yes
-  vars:
-    # # below is just to remind you to use '-u' instead 
-    # ansible_user: "{{ root_auths[0].username }}"
-    # # below is just to remind you to use '--ask-pass' instead
-    # ansible_password: "{{ root_auths[0].password }}"
-    FAMILY: "{{ ansible_facts['os_family'] }}"
-
-  tasks:
-    - name: Create users
-      include_role:
-        name: bootstrap
-        tasks_from: "users@{{ FAMILY  }}.yml"
-      vars:
-        admins: "{{ admin_auths }}"
-        guests: "{{ guest_auths }}"
-        users: "{{ user_auths }}"
-      register: accts_created
-      tags: ['default', 'userbase_creation']
-    - name: Require authorized keys for SSH access to accounts
-      include_role:
-        name: bootstrap
-        tasks_from: auth@ssh.yml
-        defaults_from: options/ssh.yml
-        vars_from: options/ssh.yml
-      register: ssh_authorized
-      tags: ['default', 'ssh_uthorization']
-    - name: Disable SSH login for this account
-      include_role:
-        name: bootstrap
-        tasks_from: denyroot@ssh.yml
-        defaults_from: options/ssh.yml
-        vars_from: options/ssh.yml
-      register: sshroot_disabled
-      tags: ['default', 'root_denial']
-      when: not ssh_root_login
-    - name: Disable root account
-      include_role:
-        name: bootstrap
-        tasks_from: denyroot.yml
-        defaults_from: options/ssh.yml
-        vars_from: options/ssh.yml
-
--- a/install@vps.yml
+++ b/install@vps.yml
@@ -1,59 +0,0 @@
---
- name: Install packages
-  hosts: vps
-  gather_facts: yes
-  vars:
-    # # below is just to remind you to use '-u' instead 
-    # ansible_user: "{{ admin_auths[0].username }}"
-    # # below is just to remind you to use '--ask-pass' instead
-    # ansible_password: "{{ admin_auths[0].password }}"
-    FAMILY: "{{ ansible_facts['os_family'] }}"
-    CORE_PKGS: "core_pkgs@{{ ansible_facts['os_family'] }}.yml"
-    want_extra_pkgs: no
-    porkbun_certbot_plugin: yes
-
-  tasks:
-    - name: Install core packages
-      become: yes
-      become_method: sudo
-      block:
-        - name: Install native packages
-          include_role:
-            name: bootstrap
-            tasks_from: "core_installations.yml"
-            defaults_from: "{{ CORE_PKGS }}"
-          tags: ['native_pkgs']
-        - name: Install foreign packages
-          include_role:
-            name: bootstrap
-            tasks_from: "core_installations@{{ FAMILY }}.yml"
-            defaults_from: "{{ CORE_PKGS }}"
-            handlers_from: "update@{{ family }}.yml"
-          tags: ['foreign_pkgs']
-      register: core_done
-      tags: ['default', 'core']
-    - name: Install additional packages
-      become: yes
-      become_method: sudo
-      include_role:
-        tasks_from: extra_installations.yml
-        defaults_from: "custom_pkgs@{{ FAMILY }}.yml"
-      register: extra_pkgs_done
-      when: want_extra_pkgs
-      tags: ['default', 'extra_pkgs']
-    - name: Install a Porkbun API plugin for Certbot
-      become: yes
-      become_method: sudo
-      pip:
-        name: 'git+https://github.com/infinityofspace/certbot_dns_porkbun.git'
-        state: present
-      when: porkbun_certbot_plugin
-      tags: ['default', 'with_porkbun_api']
-    - name: Get ftpasswd utility for ProFTPd
-      become: yes
-      become_method: sudo
-      get_url:
-        url: http://www.castaglia.org/proftpd/contrib/ftpasswd
-        dest: /usr/local/bin/ftpasswd
-        mode: "0755"
-      tags: ['default', 'with_ftp']