From 7ec74d7f95dbe17b40deaf71b5c4cf5e4473d7da Mon Sep 17 00:00:00 2001
From: Alex Tavarez
Date: Fri, 5 Sep 2025 00:22:47 -0400
Subject: [PATCH] Starting from scratch with new playbooks using different directory structure
---
configure@vps.yml | 139 --------------------------------
extended@vps.yml | 199 ----------------------------------------------
fortify@vps.yml | 46 -----------
install@vps.yml | 59 --------------
4 files changed, 443 deletions(-)
delete mode 100644 configure@vps.yml
delete mode 100644 extended@vps.yml
delete mode 100644 fortify@vps.yml
delete mode 100644 install@vps.yml
diff --git a/configure@vps.yml b/configure@vps.yml
deleted file mode 100644
index d51c882..0000000
--- a/configure@vps.yml
+++ /dev/null
@@ -1,139 +0,0 @@ ---- -- name: Configure virtual private servers - hosts: vps - gather_facts: yes - vars: - # # below is just to remind you to use '-u' instead - # ansible_user: "{{ root_auths[0].username }}" - # # below is just to remind you to use '--ask-pass' instead - # ansible_password: "{{ root_auths[0].password }}" - FAMILY: "{{ ansible_facts['os_family'] }}" - CURRENT_HOST_IP4: "{{ ansible_facts['default_ipv4']['address'] }}" - CURRENT_HOST_IP6: "{{ ansible_facts['default_ipv6']['address'] }}" - FQDN: "{{ domain_name | default(inventory_hostname, true) }}" - acme_challenge: no - - pre_tasks: - - name: Set timezone - become: yes - become_method: sudo - community.general.timezone: - name: "{{ tzone }}" - register: timezone_set - tags: ['baseconf', 'timezone_setting'] - - name: Set hostname - become: yes - become_method: sudo - hostname: - name: "{{ hname }}" - use: "{{ FAMILY.lower() }}" - register: hostname_set - tags: ['baseconf', 'hostname_initialization'] - - name: Add remote host alias to hosts file - become: yes - become_method: sudo - lineinfile: - path: /etc/hosts - search_string: "127.0.1.1" - line: "127.0.1.1 {{ hname }}" - state: present - create: yes - register: hosts_updated - tags: ['baseconf', 'hostsfile_update'] - - name: Add remote host public address aliases to hosts file - become: yes - become_method: sudo - lineinfile: - path: /etc/hosts - search_string: "{{ CURRENT_HOST_IP4 }}" - line: "{{ CURRENT_HOST_IP4 }} {{ FQDN }} {{ hname }}" - state: present - create: yes - register: hosts_updated - when: CURRENT_HOST_IP4 is defined - tags: ['baseconf', 'hostsfile_update'] - - name: Add remote host public address aliases to hosts file - become: yes - become_method: sudo - lineinfile: - path: /etc/hosts - search_string: "{{ CURRENT_HOST_IP6 }}" - line: "{{ CURRENT_HOST_IP6 }} {{ FQDN }} {{ hname }}" - state: present - create: yes - register: hosts_updated - when: CURRENT_HOST_IP6 is defined - tags: ['baseconf', 'hostsfile_update'] - - name: Create 
a directory for client source code - file: - path: "{{ ansible_facts['user_dir'] }}/src/clients" - state: directory - - name: Create a directory for container service compose files - file: - path: "{{ compose_source_path }}" - state: directory - # - name: Create a directory for website or web server source code - # file: - # path: "{{ ansible_facts['user_dir'] }}/src/services/web" - # state: directory - - tasks: - - name: Configure core packages - include_role: - name: bootstrap - tasks_from: config@corepkgs.yml - defaults_from: main - vars_from: main - vars: - #@TODO improve filters for defining the two below variables - official_name: "{{ [admin.actual_name if admin.username == ansible_facts['user_id'] for admin in admin_auths][0] }}" - official_email: "{{ [admin.email if admin.username == ansible_facts['user_id'] for admin in admin_auths][0] }}" - register: pkgs_configured - tags: ['default', 'configure_pkgs'] - - name: Configure DNS using Certbot - include_role: - name: bootstrap - tasks_from: configure_core/certbot.yml - defaults_from: options/certbot.yml - vars_from: options/certbot.yml - register: dns_challenge_made - when: acme_challenge - tags: ['default', 'with_porkbun_api'] - - name: Import DNS certificates and keys - block: - - name: Create SSL certificate - become: yes - become_method: sudo - copy: - src: ssl/domain.cert.pem - dest: "{{ web_root }}/domain.cert.pem" - force: yes - backup: yes - - name: Create private key - become: yes - become_method: sudo - copy: - src: ssl/private.key.pem - dest: "{{ web_root }}/private.key.pem" - force: yes - backup: yes - - name: Create public key - become: yes - become_method: sudo - copy: - src: ssl/public.key.pem - dest: "{{ web_root }}/public.key.pem" - force: yes - backup: yes - when: not acme_challenge - tags: ['default'] - - post_tasks: - - name: Do a system upgrade - include_role: - name: bootstrap - tasks_from: "upgrade@{{ FAMILY }}.yml" - vars: - upgrade_type: dist - register: system_initialized - tags: 
['default', 'initial_system_upgrade']
diff --git a/extended@vps.yml b/extended@vps.yml
deleted file mode 100644
index 5b35417..0000000
--- a/extended@vps.yml
+++ /dev/null
@@ -1,199 +0,0 @@ ---- -- name: Additional tasks to do on the VPS - hosts: vps - gather_facts: yes - vars: - want_recc_cimages: yes - want_custom_cimages: no - source_repo: ~ - # source_repo: - # utility: git - # url: senpai@ipv6.sukaato:repos/sukaato.git - - tasks: - - name: Install core podman images - include_role: - name: bootstrap - tasks_from: core_installations@podman.yml - defaults_from: core_images@podman.yml - register: core_podman_images_installed - tags: [default, with_containers] - - name: Install additional recommended podman images - include_role: - name: bootstrap - tasks_from: extra_installations@podman.yml - defaults_from: core_images@podman.yml - register: recc_podman_images_installed - when: want_recc_cimages - tags: [default, with_containers] - - name: Get variable for custom podman image package list - include_vars: - file: "{{ roles_path }}/bootstrap/defaults/custom_images@podman.yml" - name: podman_cimages - tags: [default, with_containers] - - name: Install custom podman images - include_role: - name: bootstrap - tasks_from: extra_installations@podman.yml - vars: - recc_cimages: "{{ podman_cimages.my_cimages }}" - register: extra_podman_images_installed - when: want_custom_cimages - tags: [default, with_containers] - - name: Configure ProFTPd - include_role: - name: bootstrap - tasks_from: configure_core/proftpd.yml - defaults_from: options/proftpd.yml - vars_from: options/proftpd.yml - register: proftpd_configured - tags: [default, with_ftp] - - name: Create FTP root - become: yes - become_method: sudo - file: - path: "{{ ftp_root }}" - state: directory - owner: ftpd - group: nogroup - register: ftp_root_created - tags: [default, with_ftp] - - name: Create a directory for website or web server source code - file: - path: "{{ domain_source_path }}" - state: directory - tags: [default, with_webserver] - register: domain_srcdir_created - - name: Pull website source code - block: - - name: Git pull website git repository - become_user: git - 
become_method: sudo - git: - repo: "{{ source_repo.url }}" - dest: "{{ domain_source_path }}" - single_branch: yes - version: main - when: source_repo.utility == 'git' - register: website_src_available - when: source_repo is defined - tags: [default, with_webserver] - - name: Create fstab entry for rbind mount for web root - become: yes - become_method: sudo - ansible.posix.mount: - src: "{{ domain_source_path }}" - path: "{{ domain_root }}" - fstype: none - opts: rbind - state: mounted - register: webmount_created - tags: [default, with_webserver] - - name: Create a gocryptfs vault for mounting under FTP root - command: - argv: [/usr/bin/gocryptfs, -init, "{{ ansible_facts['user_dir'] }}/secrets"] - stdin: "{{ gocrypt_password }}" - register: secrets_masterkey_created - tags: ['default', 'with_ftp', 'with_ftp_crypt_dir'] - - name: Get gocryptfs decryption configuration file metadata - stat: - path: "{{ ansible_facts['user_dir'] }}/secrets" - register: secrets_vault - when: secrets_masterkey_created.rc == 0 - - name: Create a file to store password for secrets gocryptfs vault - file: - path: "{{ ansible_facts['user_dir'] }}/config/.secrets_vault.key" - state: touch - register: secrets_passfile_created - tags: ['default', 'with_ftp', 'with_ftp_crypt_dir'] - - name: Put password in aforementioned file - lineinfile: - path: "{{ gcfs_passfile_created.path }}" - line: "{{ gocrypt_password }}" - state: present - when: secrets_passfile_created - tags: ['default', 'with_ftp', 'with_ftp_crypt_dir'] - - name: Copy gocryptfs decryption configuration of secrets vault to hidden directory - copy: - remote_src: "{{ ansible_facts['user_dir'] }}/secrets/gocryptfs.conf" - dest: "{{ ansible_facts['user_dir'] }}/.fskeys/ciphers/secrets.conf" - force: yes - backup: yes - register: secrets_conf_copied - when: secrets_vault.stat.exists and secrets_masterkey_created.rc == 0 - tags: ['default', 'with_ftp', 'with_ftp_crypt_dir'] - - name: Remove gocryptfs decryption configuration from vault 
- file: - path: "{{ ansible_facts['user_dir'] }}/secrets/gocryptfs.conf" - state: absent - when: secrets_conf_copied - tags: ['default', 'with_ftp', 'with_ftp_crypt_dir'] - - name: Mount the gocryptfs secrets vault - ansible.posix.mount: - src: "{{ ansible_facts['user_dir'] }}/secrets" - path: "{{ ansible_facts['user_dir'] }}/.mnt/secrets.plain" - state: mounted - fstype: fuse./usr/bin/gocryptfs - opts: "nofail,passfile={{ secrets_passfile_created.path }},config={{ ansible_facts['user_dir'] }}/.fskeys/ciphers/secrets.conf" - register: secrets_mounted - when: secrets_vault.stat.exists and secrets_masterkey_created.rc == 0 - tags: ['default', 'with_ftp', 'with_ftp_crypt_dir'] - #@TODO create handler that sends copy of gcfs_masterkey_created somehow - - name: Create users for ProFTPd - block: - - name: Create ProFTPd user webmaster for website - become: yes - become_method: sudo - command: - argv: - - /usr/local/bin/ftpasswd - - --passwd - - --file=/etc/proftpd/ftpd.passwd - - --name=webmaster - - "--home={{ domain_root }}/public" - - --shell=/bin/false - - --sha256 - - --stdin - stdin: "{{ ftp_web_password }}" - register: proftpd_webmaster_created - tags: [with_webserver] - - name: Create home directory for ProFTPd user cybersmuggler - become: yes - become_method: sudo - file: - path: "{{ ftp_root }}/black_market" - state: directory - owner: "{{ ansible_facts['user_id'] }}" - group: "{{ ansible_facts['user_id'] }}" - register: cybersmuggler_home_created - - name: Create ProFTPd user cybersmuggler for file-sharing - become: yes - become_method: sudo - command: - argv: - - /usr/local/bin/ftpasswd - - --passwd - - --file=/etc/proftpd/ftpd.passwd - - --name=cybersmuggler - - --uid=1000 - - "--home={{ ftp_root }}/black_market" - - --shell=/bin/false - - --sha256 - - --stdin - stdin: "{{ ftp_password }}" - register: proftpd_cybersmuggler_created - register: proftpd_users_created - tags: [default, with_ftp] - - name: Create fstab entry for rbind mount for secrets decrypted 
vault - become: yes - become_method: sudo - ansible.posix.mount: - src: "{{ ansible_facts['user_dir'] }}/.mnt/secrets.plain" - path: "{{ ftp_root }}/black_market/secrets" - fstype: none - opts: rbind - state: mounted - when: secrets_mounted - tags: ['default', 'with_ftp', 'with_ftp_crypt_dir'] - #@TODO create tasks for setting up Caddy--maybe? -
\ No newline at end of file
diff --git a/fortify@vps.yml b/fortify@vps.yml
deleted file mode 100644
index 0be4531..0000000
--- a/fortify@vps.yml
+++ /dev/null
@@ -1,46 +0,0 @@
---- -- name: Bootstrap virtual private servers - hosts: vps - gather_facts: yes - vars: - # # below is just to remind you to use '-u' instead - # ansible_user: "{{ root_auths[0].username }}" - # # below is just to remind you to use '--ask-pass' instead - # ansible_password: "{{ root_auths[0].password }}" - FAMILY: "{{ ansible_facts['os_family'] }}" - - tasks: - - name: Create users - include_role: - name: bootstrap - tasks_from: "users@{{ FAMILY }}.yml" - vars: - admins: "{{ admin_auths }}" - guests: "{{ guest_auths }}" - users: "{{ user_auths }}" - register: accts_created - tags: ['default', 'userbase_creation'] - - name: Require authorized keys for SSH access to accounts - include_role: - name: bootstrap - tasks_from: auth@ssh.yml - defaults_from: options/ssh.yml - vars_from: options/ssh.yml - register: ssh_authorized - tags: ['default', 'ssh_uthorization'] - - name: Disable SSH login for this account - include_role: - name: bootstrap - tasks_from: denyroot@ssh.yml - defaults_from: options/ssh.yml - vars_from: options/ssh.yml - register: sshroot_disabled - tags: ['default', 'root_denial'] - when: not ssh_root_login - - name: Disable root account - include_role: - name: bootstrap - tasks_from: denyroot.yml - defaults_from: options/ssh.yml - vars_from: options/ssh.yml -
diff --git a/install@vps.yml b/install@vps.yml
deleted file mode 100644
index d6ecf61..0000000
--- a/install@vps.yml
+++ /dev/null
@@ -1,59 +0,0 @@ ---- -- name: Install packages - hosts: vps - gather_facts: yes - vars: - # # below is just to remind you to use '-u' instead - # ansible_user: "{{ admin_auths[0].username }}" - # # below is just to remind you to use '--ask-pass' instead - # ansible_password: "{{ admin_auths[0].password }}" - FAMILY: "{{ ansible_facts['os_family'] }}" - CORE_PKGS: "core_pkgs@{{ ansible_facts['os_family'] }}.yml" - want_extra_pkgs: no - porkbun_certbot_plugin: yes - - tasks: - - name: Install core packages - become: yes - become_method: sudo - block: - - name: Install native packages - include_role: - name: bootstrap - tasks_from: "core_installations.yml" - defaults_from: "{{ CORE_PKGS }}" - tags: ['native_pkgs'] - - name: Install foreign packages - include_role: - name: bootstrap - tasks_from: "core_installations@{{ FAMILY }}.yml" - defaults_from: "{{ CORE_PKGS }}" - handlers_from: "update@{{ family }}.yml" - tags: ['foreign_pkgs'] - register: core_done - tags: ['default', 'core'] - - name: Install additional packages - become: yes - become_method: sudo - include_role: - tasks_from: extra_installations.yml - defaults_from: "custom_pkgs@{{ FAMILY }}.yml" - register: extra_pkgs_done - when: want_extra_pkgs - tags: ['default', 'extra_pkgs'] - - name: Install a Porkbun API plugin for Certbot - become: yes - become_method: sudo - pip: - name: 'git+https://github.com/infinityofspace/certbot_dns_porkbun.git' - state: present - when: porkbun_certbot_plugin - tags: ['default', 'with_porkbun_api'] - - name: Get ftpasswd utility for ProFTPd - become: yes - become_method: sudo - get_url: - url: http://www.castaglia.org/proftpd/contrib/ftpasswd - dest: /usr/local/bin/ftpasswd - mode: "0755" - tags: ['default', 'with_ftp'] \ No newline at end of file