Added bootstrap role with the tasks, defaults and handlers necessary for the playbooks

roles/bootstrap/handlers/clamav.yml

@@ -0,0 +1,47 @@
+---
+#@TODO write handlers for configuring clamav
+#@NOTE https://wiki.archlinux.org/title/ClamAV
+- name: Check if freshclam file exists
+  stat:
+    path: /etc/clamav/freshclam.conf
+  register: freshclampath
+- name: Check if clamd file exists
+  stat:
+    path: /etc/clamav/clamd.conf
+  register: clamdpath
+- name: Check if milter file exists
+  stat:
+    path: /etc/clamav/clamav-milter.conf
+  register: milterpath
+- name: Create freshclam file if not exists
+  file:
+    path: /etc/clamav/freshclam.conf
+    stat: touch
+  register: freshclam_created
+- name: Create freshclam file
+  become: yes
+  become_method: sudo
+  copy:
+    src: clamav/freshclam.conf
+    dest: /etc/clamav/freshclam.conf
+    force: yes
+    backup: yes
+  when: not freshclampath.stat.exists
+- name: Create clamd file
+  become: yes
+  become_method: sudo
+  copy:
+    src: clamav/clamd.conf
+    dest: /etc/clamav/clamd.conf
+    force: yes
+    backup: yes
+  when: not freshclampath.stat.exists
+- name: Create clamd file
+  become: yes
+  become_method: sudo
+  copy:
+    src: clamav/clamav-milter.conf
+    dest: /etc/clamav/clamav-milter.conf
+    force: yes
+    backup: yes
+  when: not freshclampath.stat.exists

roles/bootstrap/handlers/crowdsec.yml

@@ -0,0 +1,2 @@
+---
+#@TODO write handlers for configuring crowdsec

roles/bootstrap/handlers/fail2ban.yml

@@ -0,0 +1,60 @@
+---
+- name: Check if path to fail2ban configuration files exists
+  stat:
+    path: /etc/fail2ban/jail.d
+  register: fail2path
+- name: Check if path to systemd fail2ban service configuration files exists
+  stat:
+    path: /etc/systemd/system/fail2ban.service.d
+  register: fail2serve_path
+- name: Create relevant fail2ban configuration directory
+  file:
+    path: /etc/fail2ban/jail.d
+    state: directory
+  register: fail2bandir_created
+  when: not fail2path.stat.exists
+- name: Create relevant fail2ban configuration directory
+  file:
+    path: /etc/systemd/system/fail2ban.service.d
+    state: directory
+  register: fail2servdir_created
+  when: not fail2serve_path.stat.exists
+- name: Copy sshd jail file
+  copy:
+    src: ftp.local
+    dest: /etc/fail2ban/jail.d/ftp.local
+    force: yes
+    backup: yes
+  when: fail2path.stat.exists
+- name: Copy sshd jail file
+  copy:
+    src: sshd.local
+    dest: /etc/fail2ban/jail.d/sshd.local
+    force: yes
+    backup: yes
+  when: fail2path.stat.exists
+- name: Copy fail2ban modified service configuration
+  copy:
+    src: override.conf
+    dest: /etc/systemd/system/fail2ban.service.d/sshd.local
+    force: yes
+    backup: yes
+  when: fail2serve_path.stat.exists
+- name: Start fail2ban service
+  service:
+    name: fail2ban
+    state: reloaded
+  register: fail2ban_reloaded
+- name: Start fail2ban service
+  service:
+    name: fail2ban
+    enabled: yes
+    state: started
+  register: fail2ban_running
+  when: fail2ban_reloaded
+- name: Start fail2ban service
+  service:
+    name: fail2ban
+    state: restarted
+  register: fail2ban_restarted
+  when: fail2ban_reloaded

roles/bootstrap/handlers/git.yml

@@ -0,0 +1,113 @@
+---
+- name: Set default git text editor
+  become: yes
+  become_method: sudo
+  community.general.git_config:
+    name: core.editor
+    value: vim
+    scope: system
+    add_mode: replace_all
+    state: present
+  register: gitedit_set
+- name: Create directory for some git files
+  file:
+    path: "{{ homedir }}/.config/git"
+    state: directory
+  register: gitdir_created
+- name: Create git commit message template file
+  copy:
+    src: git/gitmessage
+    dest: "{{ homedir }}/.config/git/gitmessage"
+    force: yes
+    backup: yes
+  register: gittemp_created
+- name: Set a commit template file for git
+  community.general.git_config:
+    name: commit.template
+    value: "{{ homedir }}/.config/git/gitmessage"
+    scope: global
+    add_mode: replace_all
+    state: present
+  register: gittemp_set
+- name: Set git key format to OpenPGP
+  community.general.git_config:
+    name: gpg.format
+    value: "openpgp"
+    scope: global
+    add_mode: replace_all
+    state: present
+  register: gitkeyformat_set
+  #@TODO: Add a gpg section to group_var or host_var vaults
+- name: Set a user signing key for git
+  community.general.git_config:
+    name: user.signingkey
+    value: "{{ gpg_sign_id }}"
+    scope: global
+    add_mode: replace_all
+    state: present
+  register: gitsignkey_registered
+- name: Set key signage to occur for commits by default in git
+  community.general.git_config:
+    name: commit.gpgSign
+    value: "true"
+    scope: global
+    add_mode: replace_all
+    state: present
+- name: Set key signage to occur for tagging by default in git
+  community.general.git_config:
+    name: tag.gpgSign
+    value: "true"
+    scope: global
+    add_mode: replace_all
+    state: present
+- name: Create a boilerplate gitignore file for git
+  copy:
+    src: git/gitignore.sample
+    dest: "{{ homedir }}/.config/git/gitignore"
+    force: yes
+    backup: yes
+  register: gitgignore_created
+- name: Set boilerplate gitignore file in global scope
+  community.general.git_config:
+    name: core.excludesfile
+    value: "{{ homedir }}/.config/git/gitignore"
+    scope: global
+    add_mode: replace_all
+    state: present
+  register: gitgignore_set
+- name: Set autocorrect for git
+  become: yes
+  become_method: sudo
+  community.general.git_config:
+    name: help.autocorrect
+    value: 0
+    scope: system
+    add_mode: replace_all
+    state: present
+  register: gitautocorr_set
+- name: Set git to replace CRLF endings when pulling
+  become: yes
+  become_method: sudo
+  community.general.git_config:
+    name: core.autocrlf
+    value: input
+    scope: system
+    add_mode: replace_all
+    state: present
+  register: gitcrlf_set
+- name: Set git username
+  community.general.git_config:
+    name: user.name
+    value: "{{ official_name | default(accts.username, true) }}"
+    scope: global
+    add_mode: replace_all
+    state: present
+  register: gituser_set
+- name: Set git user email
+  community.general.git_config:
+    name: user.email
+    value: "{{ official_email | default(accts.email, true) }}"
+    scope: global
+    add_mode: replace_all
+    state: present
+  register: gitemail_set

roles/bootstrap/handlers/gpg.yml

@@ -0,0 +1,81 @@
+---
+- name: Copy and import GPG keypairs to remote host
+  block:
+    - name: Create cipher directory for gocryptfs
+      file:
+        path: "{{ homedir }}/.ciphers"
+        state: directory
+    - name: Create a gocryptfs vault
+      command:
+        argv: [/usr/bin/gocryptfs, -init, "{{ homedir }}/.ciphers"]
+        stdin: "{{ gcfs_password }}"
+      register: gcfs_masterkey_created
+    - name: Create temporary file for password
+      tempfile:
+        prefix: gcfs_passfile
+        state: file
+      register: tempfile_created
+    - name: Create directory for storing gocryptfs decryption configuration files
+      file:
+        path: "{{ homedir }}/.fskeys/ciphers"
+        state: directory
+    - name: Get gocryptfs decryption configuration file metadata
+      stat:
+        path: "{{ homedir }}/.ciphers"
+      when: gcfs_masterkey_created
+      register: gcfs_vault
+    - name: Copy gocryptfs decryption configuration to this directory
+      copy:
+        remote_src: "{{ homedir }}/.ciphers/gocryptfs.conf"
+        dest: "{{ homedir }}/.fskeys/ciphers/gocryptfs.conf"
+        force: yes
+        backup: yes
+      when: gcfs_vault.stat.exists and gcfs_masterkey_created
+    - name: Create directory in which to mount decrypted gocryptfs vault
+      file:
+        path: "{{ homedir }}/.mnt/plains"
+        state: directory
+    - name: Mount the gocryptfs vault
+      ansible.posix.mount:
+        src: "{{ homedir }}/.ciphers"
+        path: "{{ homedir }}/.mnt/plains"
+        state: mounted
+        fstype: fuse./usr/bin/gocryptfs
+        opts: "nofail,passfile={{ tempfile_created }},config={{ homedir }}/.fskeys/ciphers/gocryptfs.conf"
+      register: gcfs_mounted
+      when: gcfs_vault.stat.exists and gcfs_masterkey_created
+    - name: Create directory in decrypted gocryptfs vault
+      file:
+        path: "{{ homedir }}/.mnt/plains/gpg"
+        state: directory
+      when: gcfs_mounted
+    - name: Copy GPG keypair
+      copy:
+        src: "gpg/{{ accts.username }}/main.priv.asc"
+        dest: "{{ homedir }}/.mnt/secrets/gpg/main.priv.asc"
+        force: yes
+        backup: yes
+      register: gpgkeys_copied
+      when: gpg_key_extant and gcfs_mounted
+    #@TODO: Create handler that copies gcfs_masterkey_created text into decrypted vault in-between here
+    - name: Import GPG keypair
+      become: yes
+      become_method: sudo
+      command:
+        argv: [gpg, --import, "{{ homedir }}/.mnt/secrets/gpg/main.priv.asc"]
+      register: gpgkeys_imported
+      when: gpgkeys_copied
+    # - name: Unmount the gocryptfs vault
+    #   ansible.posix.mount:
+    #     path: "{{ homedir }}/.mnt/plains"
+    #     state: unmounted
+    #     fstype: fuse
+    #     opts: "u"
+    #   register: gcfs_unmounted
+    #   when: gpg_keys_copied and gcfs_mounted
+    - name: Unmount the gocryptfs vault
+      command:
+        argv: [fusermount, -u, "{{ homedir }}/.mnt/plains"]
+      when: gpgkeys_copied and gcfs_mounted
+  when: gpg_keypair_copy
+  tags: ['copy_gpg']

roles/bootstrap/handlers/main.yml

@@ -0,0 +1,13 @@
+#SPDX-License-Identifier: MIT-0
+---
+#@NOTE below handler requires gnupg, fuse3 and gocryptfs installed on remote system
+- name: Configure gpg
+  import_tasks:
+    file: gpg.yml
+#@NOTE handlers file for bootstrap
+- name: Configure git
+  import_tasks:
+    file: git.yml
+- name: Configure fail2ban
+  import_tasks:
+    file: fail2ban.yml

roles/bootstrap/handlers/update@Debian.yml

@@ -0,0 +1,6 @@
+---
+- name: Update repositories cache
+  apt:
+    update_cache: yes
+  register: apt_refreshed
+  listen: update