xenobyte/sukaato-ansible
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Starting from scratch with new playbooks using different directory structure

Browse Source
This commit is contained in:
Alex Tavarez
2025-09-05 00:22:47 -04:00
parent 53cc3ddad3
commit 7ec74d7f95
4 changed files with 0 additions and 443 deletions
Download Patch File Download Diff File Expand all files Collapse all files

139
configure@vps.yml
View File

@@ -1,139 +0,0 @@
---
- name: Configure virtual private servers
hosts: vps
gather_facts: yes
vars:
# # below is just to remind you to use '-u' instead
# ansible_user: "{{ root_auths[0].username }}"
# # below is just to remind you to use '--ask-pass' instead
# ansible_password: "{{ root_auths[0].password }}"
FAMILY: "{{ ansible_facts['os_family'] }}"
CURRENT_HOST_IP4: "{{ ansible_facts['default_ipv4']['address'] }}"
CURRENT_HOST_IP6: "{{ ansible_facts['default_ipv6']['address'] }}"
FQDN: "{{ domain_name | default(inventory_hostname, true) }}"
acme_challenge: no
pre_tasks:
- name: Set timezone
become: yes
become_method: sudo
community.general.timezone:
name: "{{ tzone }}"
register: timezone_set
tags: ['baseconf', 'timezone_setting']
- name: Set hostname
become: yes
become_method: sudo
hostname:
name: "{{ hname }}"
use: "{{ FAMILY.lower() }}"
register: hostname_set
tags: ['baseconf', 'hostname_initialization']
- name: Add remote host alias to hosts file
become: yes
become_method: sudo
lineinfile:
path: /etc/hosts
search_string: "127.0.1.1"
line: "127.0.1.1 {{ hname }}"
state: present
create: yes
register: hosts_updated
tags: ['baseconf', 'hostsfile_update']
- name: Add remote host public address aliases to hosts file
become: yes
become_method: sudo
lineinfile:
path: /etc/hosts
search_string: "{{ CURRENT_HOST_IP4 }}"
line: "{{ CURRENT_HOST_IP4 }} {{ FQDN }} {{ hname }}"
state: present
create: yes
register: hosts_updated
when: CURRENT_HOST_IP4 is defined
tags: ['baseconf', 'hostsfile_update']
- name: Add remote host public address aliases to hosts file
become: yes
become_method: sudo
lineinfile:
path: /etc/hosts
search_string: "{{ CURRENT_HOST_IP6 }}"
line: "{{ CURRENT_HOST_IP6 }} {{ FQDN }} {{ hname }}"
state: present
create: yes
register: hosts_updated
when: CURRENT_HOST_IP6 is defined
tags: ['baseconf', 'hostsfile_update']
- name: Create a directory for client source code
file:
path: "{{ ansible_facts['user_dir'] }}/src/clients"
state: directory
- name: Create a directory for container service compose files
file:
path: "{{ compose_source_path }}"
state: directory
# - name: Create a directory for website or web server source code
# file:
# path: "{{ ansible_facts['user_dir'] }}/src/services/web"
# state: directory
tasks:
- name: Configure core packages
include_role:
name: bootstrap
tasks_from: config@corepkgs.yml
defaults_from: main
vars_from: main
vars:
#@TODO improve filters for defining the two below variables
official_name: "{{ [admin.actual_name if admin.username == ansible_facts['user_id'] for admin in admin_auths][0] }}"
official_email: "{{ [admin.email if admin.username == ansible_facts['user_id'] for admin in admin_auths][0] }}"
register: pkgs_configured
tags: ['default', 'configure_pkgs']
- name: Configure DNS using Certbot
include_role:
name: bootstrap
tasks_from: configure_core/certbot.yml
defaults_from: options/certbot.yml
vars_from: options/certbot.yml
register: dns_challenge_made
when: acme_challenge
tags: ['default', 'with_porkbun_api']
- name: Import DNS certificates and keys
block:
- name: Create SSL certificate
become: yes
become_method: sudo
copy:
src: ssl/domain.cert.pem
dest: "{{ web_root }}/domain.cert.pem"
force: yes
backup: yes
- name: Create private key
become: yes
become_method: sudo
copy:
src: ssl/private.key.pem
dest: "{{ web_root }}/private.key.pem"
force: yes
backup: yes
- name: Create public key
become: yes
become_method: sudo
copy:
src: ssl/public.key.pem
dest: "{{ web_root }}/public.key.pem"
force: yes
backup: yes
when: not acme_challenge
tags: ['default']
post_tasks:
- name: Do a system upgrade
include_role:
name: bootstrap
tasks_from: "upgrade@{{ FAMILY }}.yml"
vars:
upgrade_type: dist
register: system_initialized
tags: ['default', 'initial_system_upgrade']

199
extended@vps.yml
View File

@@ -1,199 +0,0 @@
---
- name: Additional tasks to do on the VPS
hosts: vps
gather_facts: yes
vars:
want_recc_cimages: yes
want_custom_cimages: no
source_repo: ~
# source_repo:
# utility: git
# url: senpai@ipv6.sukaato:repos/sukaato.git
tasks:
- name: Install core podman images
include_role:
name: bootstrap
tasks_from: core_installations@podman.yml
defaults_from: core_images@podman.yml
register: core_podman_images_installed
tags: [default, with_containers]
- name: Install additional recommended podman images
include_role:
name: bootstrap
tasks_from: extra_installations@podman.yml
defaults_from: core_images@podman.yml
register: recc_podman_images_installed
when: want_recc_cimages
tags: [default, with_containers]
- name: Get variable for custom podman image package list
include_vars:
file: "{{ roles_path }}/bootstrap/defaults/custom_images@podman.yml"
name: podman_cimages
tags: [default, with_containers]
- name: Install custom podman images
include_role:
name: bootstrap
tasks_from: extra_installations@podman.yml
vars:
recc_cimages: "{{ podman_cimages.my_cimages }}"
register: extra_podman_images_installed
when: want_custom_cimages
tags: [default, with_containers]
- name: Configure ProFTPd
include_role:
name: bootstrap
tasks_from: configure_core/proftpd.yml
defaults_from: options/proftpd.yml
vars_from: options/proftpd.yml
register: proftpd_configured
tags: [default, with_ftp]
- name: Create FTP root
become: yes
become_method: sudo
file:
path: "{{ ftp_root }}"
state: directory
owner: ftpd
group: nogroup
register: ftp_root_created
tags: [default, with_ftp]
- name: Create a directory for website or web server source code
file:
path: "{{ domain_source_path }}"
state: directory
tags: [default, with_webserver]
register: domain_srcdir_created
- name: Pull website source code
block:
- name: Git pull website git repository
become_user: git
become_method: sudo
git:
repo: "{{ source_repo.url }}"
dest: "{{ domain_source_path }}"
single_branch: yes
version: main
when: source_repo.utility == 'git'
register: website_src_available
when: source_repo is defined
tags: [default, with_webserver]
- name: Create fstab entry for rbind mount for web root
become: yes
become_method: sudo
ansible.posix.mount:
src: "{{ domain_source_path }}"
path: "{{ domain_root }}"
fstype: none
opts: rbind
state: mounted
register: webmount_created
tags: [default, with_webserver]
- name: Create a gocryptfs vault for mounting under FTP root
command:
argv: [/usr/bin/gocryptfs, -init, "{{ ansible_facts['user_dir'] }}/secrets"]
stdin: "{{ gocrypt_password }}"
register: secrets_masterkey_created
tags: ['default', 'with_ftp', 'with_ftp_crypt_dir']
- name: Get gocryptfs decryption configuration file metadata
stat:
path: "{{ ansible_facts['user_dir'] }}/secrets"
register: secrets_vault
when: secrets_masterkey_created.rc == 0
- name: Create a file to store password for secrets gocryptfs vault
file:
path: "{{ ansible_facts['user_dir'] }}/config/.secrets_vault.key"
state: touch
register: secrets_passfile_created
tags: ['default', 'with_ftp', 'with_ftp_crypt_dir']
- name: Put password in aforementioned file
lineinfile:
path: "{{ gcfs_passfile_created.path }}"
line: "{{ gocrypt_password }}"
state: present
when: secrets_passfile_created
tags: ['default', 'with_ftp', 'with_ftp_crypt_dir']
- name: Copy gocryptfs decryption configuration of secrets vault to hidden directory
copy:
remote_src: "{{ ansible_facts['user_dir'] }}/secrets/gocryptfs.conf"
dest: "{{ ansible_facts['user_dir'] }}/.fskeys/ciphers/secrets.conf"
force: yes
backup: yes
register: secrets_conf_copied
when: secrets_vault.stat.exists and secrets_masterkey_created.rc == 0
tags: ['default', 'with_ftp', 'with_ftp_crypt_dir']
- name: Remove gocryptfs decryption configuration from vault
file:
path: "{{ ansible_facts['user_dir'] }}/secrets/gocryptfs.conf"
state: absent
when: secrets_conf_copied
tags: ['default', 'with_ftp', 'with_ftp_crypt_dir']
- name: Mount the gocryptfs secrets vault
ansible.posix.mount:
src: "{{ ansible_facts['user_dir'] }}/secrets"
path: "{{ ansible_facts['user_dir'] }}/.mnt/secrets.plain"
state: mounted
fstype: fuse./usr/bin/gocryptfs
opts: "nofail,passfile={{ secrets_passfile_created.path }},config={{ ansible_facts['user_dir'] }}/.fskeys/ciphers/secrets.conf"
register: secrets_mounted
when: secrets_vault.stat.exists and secrets_masterkey_created.rc == 0
tags: ['default', 'with_ftp', 'with_ftp_crypt_dir']
#@TODO create handler that sends copy of gcfs_masterkey_created somehow
- name: Create users for ProFTPd
block:
- name: Create ProFTPd user webmaster for website
become: yes
become_method: sudo
command:
argv:
- /usr/local/bin/ftpasswd
- --passwd
- --file=/etc/proftpd/ftpd.passwd
- --name=webmaster
- "--home={{ domain_root }}/public"
- --shell=/bin/false
- --sha256
- --stdin
stdin: "{{ ftp_web_password }}"
register: proftpd_webmaster_created
tags: [with_webserver]
- name: Create home directory for ProFTPd user cybersmuggler
become: yes
become_method: sudo
file:
path: "{{ ftp_root }}/black_market"
state: directory
owner: "{{ ansible_facts['user_id'] }}"
group: "{{ ansible_facts['user_id'] }}"
register: cybersmuggler_home_created
- name: Create ProFTPd user cybersmuggler for file-sharing
become: yes
become_method: sudo
command:
argv:
- /usr/local/bin/ftpasswd
- --passwd
- --file=/etc/proftpd/ftpd.passwd
- --name=cybersmuggler
- --uid=1000
- "--home={{ ftp_root }}/black_market"
- --shell=/bin/false
- --sha256
- --stdin
stdin: "{{ ftp_password }}"
register: proftpd_cybersmuggler_created
register: proftpd_users_created
tags: [default, with_ftp]
- name: Create fstab entry for rbind mount for secrets decrypted vault
become: yes
become_method: sudo
ansible.posix.mount:
src: "{{ ansible_facts['user_dir'] }}/.mnt/secrets.plain"
path: "{{ ftp_root }}/black_market/secrets"
fstype: none
opts: rbind
state: mounted
when: secrets_mounted
tags: ['default', 'with_ftp', 'with_ftp_crypt_dir']
#@TODO create tasks for setting up Caddy--maybe?

46
fortify@vps.yml
View File

@@ -1,46 +0,0 @@
---
- name: Bootstrap virtual private servers
hosts: vps
gather_facts: yes
vars:
# # below is just to remind you to use '-u' instead
# ansible_user: "{{ root_auths[0].username }}"
# # below is just to remind you to use '--ask-pass' instead
# ansible_password: "{{ root_auths[0].password }}"
FAMILY: "{{ ansible_facts['os_family'] }}"
tasks:
- name: Create users
include_role:
name: bootstrap
tasks_from: "users@{{ FAMILY }}.yml"
vars:
admins: "{{ admin_auths }}"
guests: "{{ guest_auths }}"
users: "{{ user_auths }}"
register: accts_created
tags: ['default', 'userbase_creation']
- name: Require authorized keys for SSH access to accounts
include_role:
name: bootstrap
tasks_from: auth@ssh.yml
defaults_from: options/ssh.yml
vars_from: options/ssh.yml
register: ssh_authorized
tags: ['default', 'ssh_uthorization']
- name: Disable SSH login for this account
include_role:
name: bootstrap
tasks_from: denyroot@ssh.yml
defaults_from: options/ssh.yml
vars_from: options/ssh.yml
register: sshroot_disabled
tags: ['default', 'root_denial']
when: not ssh_root_login
- name: Disable root account
include_role:
name: bootstrap
tasks_from: denyroot.yml
defaults_from: options/ssh.yml
vars_from: options/ssh.yml

59
install@vps.yml
View File

@@ -1,59 +0,0 @@
---
- name: Install packages
hosts: vps
gather_facts: yes
vars:
# # below is just to remind you to use '-u' instead
# ansible_user: "{{ admin_auths[0].username }}"
# # below is just to remind you to use '--ask-pass' instead
# ansible_password: "{{ admin_auths[0].password }}"
FAMILY: "{{ ansible_facts['os_family'] }}"
CORE_PKGS: "core_pkgs@{{ ansible_facts['os_family'] }}.yml"
want_extra_pkgs: no
porkbun_certbot_plugin: yes
tasks:
- name: Install core packages
become: yes
become_method: sudo
block:
- name: Install native packages
include_role:
name: bootstrap
tasks_from: "core_installations.yml"
defaults_from: "{{ CORE_PKGS }}"
tags: ['native_pkgs']
- name: Install foreign packages
include_role:
name: bootstrap
tasks_from: "core_installations@{{ FAMILY }}.yml"
defaults_from: "{{ CORE_PKGS }}"
handlers_from: "update@{{ family }}.yml"
tags: ['foreign_pkgs']
register: core_done
tags: ['default', 'core']
- name: Install additional packages
become: yes
become_method: sudo
include_role:
tasks_from: extra_installations.yml
defaults_from: "custom_pkgs@{{ FAMILY }}.yml"
register: extra_pkgs_done
when: want_extra_pkgs
tags: ['default', 'extra_pkgs']
- name: Install a Porkbun API plugin for Certbot
become: yes
become_method: sudo
pip:
name: 'git+https://github.com/infinityofspace/certbot_dns_porkbun.git'
state: present
when: porkbun_certbot_plugin
tags: ['default', 'with_porkbun_api']
- name: Get ftpasswd utility for ProFTPd
become: yes
become_method: sudo
get_url:
url: http://www.castaglia.org/proftpd/contrib/ftpasswd
dest: /usr/local/bin/ftpasswd
mode: "0755"
tags: ['default', 'with_ftp']