Added new ansible home directory, moving roles into its 'roles' subdirectory

.ansible/roles/bootstrap/tasks/configure_core/certbot.yml

@@ -0,0 +1,42 @@
+---
+- name: Create a settings file for Porkbun DNS API
+  become: yes
+  become_method: sudo
+  template:
+    src: certbot/porkbun.ini.j2
+    dest: "{{ web_root }}/porkbun.ini"
+    force: yes
+    backup: yes
+  register: porkbun_api_created
+- name: Initiate DNS Acme challenge using Porkbun API plugin
+  become: yes
+  become_method: sudo
+  command:
+    argv:
+      - certbot
+      - certonly
+      - --non-interactive
+      - --agree-tos
+      - --email=ajt95@prole.biz
+      - --preferred-challenges=dns
+      - --authenticator=dns-porkbun
+      - "--dns-porkbun-credentials={{ web_root }}/porkbun.ini"
+      - --dns-porkbun-propagation-seconds=60
+      - -d="sukaato.moe"
+  when: porkbun_api_created.rc == 0
+- name: Initiate DNS Acme challenge using Porkbun API plugin
+  become: yes
+  become_method: sudo
+  command:
+    argv:
+      - certbot
+      - certonly
+      - --non-interactive
+      - --agree-tos
+      - --email=ajt95@prole.biz
+      - --preferred-challenges=dns
+      - --authenticator=dns-porkbun
+      - "--dns-porkbun-credentials={{ web_root }}/porkbun.ini"
+      - --dns-porkbun-propagation-seconds=60
+      - -d="*.sukaato.moe"
+  when: porkbun_api_created.rc == 0

.ansible/roles/bootstrap/tasks/configure_core/clamav.yml

@@ -0,0 +1,94 @@
+---
+#@TODO write handlers for configuring clamav
+#@NOTE https://wiki.archlinux.org/title/ClamAV
+- name: Create freshclam file
+  become: yes
+  become_method: sudo
+  copy:
+    src: clamav/freshclam.conf
+    dest: /etc/clamav/freshclam.conf
+    force: yes
+    backup: yes
+- name: Create clamd file
+  become: yes
+  become_method: sudo
+  copy:
+    src: clamav/clamd.conf
+    dest: /etc/clamav/clamd.conf
+    force: yes
+    backup: yes
+- name: Create clamd file
+  become: yes
+  become_method: sudo
+  copy:
+    src: clamav/clamav-milter.conf
+    dest: /etc/clamav/clamav-milter.conf
+    force: yes
+    backup: yes
+- name: Update clamav virus definitions
+  become: yes
+  become_method: sudo
+  command: freshclam
+- name: Start and enable clamav service
+  service:
+    name: clamav-daemon
+    state: started
+    enabled: yes
+- name: Start and enable clamav onaccess service
+  become: yes
+  become_method: sudo
+  service:
+    name: clamav-clamonacc
+    state: started
+    enabled: yes
+- name: Restart clamav service
+  become: yes
+  become_method: sudo
+  service:
+    name: clamav-daemon
+    state: restarted
+- name: Restart clamav onaccess service
+  become: yes
+  become_method: sudo
+  service:
+    name: clamav-clamonacc
+    state: restarted
+- name: Create freshclam log file
+  become: yes
+  become_method: sudo
+  file:
+    path: /var/log/clamav/freshclam.log
+    state: touch
+    mode: 600
+    owner: clamav
+- name: Start and enable freshclam virus definition update service
+  become: yes
+  become_method: sudo
+  service:
+    name: clamav-freshclam
+    state: started
+    enabled: yes
+- name: Restart freshclam virus definition update service
+  become: yes
+  become_method: sudo
+  service:
+    name: clamav-freshclam
+    state: restarted
+- name: Install Fangfrisch
+  become: yes
+  become_method: sudo
+  package:
+    name: fangfrisch
+    state: present
+- name: Create database structure for fangfrisch
+  become_user: clamav
+  become_method: sudo
+  command:
+    argv: [/usr/bin/fangfrisch, --conf, /etc/fangfrisch/fangfrisch.conf, initdb]
+- name: Start and enable fangfrisch virus definition updates
+  become: yes
+  become_method: sudo
+  service:
+    name: fangfrisch.timer
+    state: started
+    enabled: yes

.ansible/roles/bootstrap/tasks/configure_core/crowdsec.yml

@@ -0,0 +1,53 @@
+---
+#@TODO write handlers for configuring crowdsec
+- name: Enroll your crowdsec installation
+  become: yes
+  become_method: sudo
+  command:
+    argv: [cscli, console, enroll -e, context, "{{ enrollment_key }}"]
+  register: crowdsec_enrolled
+- name: Install caddy crowdsec collection 
+  become: yes
+  become_method: sudo
+  command:
+    argv: [cscli, collections, install, crowdsecurity/caddy]
+- name: Install proftpd crowdsec collection
+  become: yes
+  become_method: sudo
+  command:
+    argv: [cscli, collections, install, crowdsecurity/proftpd]
+- name: Install sshd crowdsec collection
+  become: yes
+  become_method: sudo
+  command:
+    argv: [cscli, collections, install, crowdsecurity/sshd]
+- name: Install postgresql crowdsec collection
+  become: yes
+  become_method: sudo
+  command:
+    argv: [cscli, collections, install, crowdsecurity/pgsql]
+- name: Install denial-of-service HTTP crowdsec collection
+  become: yes
+  become_method: sudo
+  command:
+    argv: [cscli, collections, install, crowdsecurity/http-dos]
+- name: Install HTTP crowdsec collection
+  become: yes
+  become_method: sudo
+  command:
+    argv: [cscli, collections, install, crowdsecurity/base-http-scenarios]
+- name: Install Postfix crowdsec collection
+  become: yes
+  become_method: sudo
+  command:
+    argv: [cscli, collections, install, crowdsecurity/postfix]
+- name: Update crowdsec objects
+  become: yes
+  become_method: sudo
+  command:
+    argv: [cscli, hub, update]
+- name: Upgrade crowdsec objects
+  become: yes
+  become_method: sudo
+  command:
+    argv: [cscli, hub, upgrade]

.ansible/roles/bootstrap/tasks/configure_core/fail2ban.yml

@@ -0,0 +1,76 @@
+---
+- name: Check if path to fail2ban configuration files exists
+  stat:
+    path: /etc/fail2ban/jail.d
+  register: fail2path
+- name: Check if path to systemd fail2ban service configuration files exists
+  stat:
+    path: /etc/systemd/system/fail2ban.service.d
+  register: fail2serve_path
+- name: Create relevant fail2ban configuration directory
+  become: yes
+  become_method: sudo
+  file:
+    path: /etc/fail2ban/jail.d
+    state: directory
+  register: fail2bandir_created
+  when: not fail2path.stat.exists
+- name: Create relevant fail2ban configuration directory
+  become: yes
+  become_method: sudo
+  file:
+    path: /etc/systemd/system/fail2ban.service.d
+    state: directory
+  register: fail2servdir_created
+  when: not fail2serve_path.stat.exists
+- name: Copy protftpd jail file
+  become: yes
+  become_method: sudo
+  copy:
+    src: ftp.local
+    dest: /etc/fail2ban/jail.d/ftp.local
+    force: yes
+    backup: yes
+  when: fail2path.stat.exists
+- name: Copy sshd jail file
+  become: yes
+  become_method: sudo
+  copy:
+    src: sshd.local
+    dest: /etc/fail2ban/jail.d/sshd.local
+    force: yes
+    backup: yes
+  when: fail2path.stat.exists
+- name: Copy fail2ban modified service configuration
+  become: yes
+  become_method: sudo
+  copy:
+    src: override.conf
+    dest: /etc/systemd/system/fail2ban.service.d/sshd.local
+    force: yes
+    backup: yes
+  when: fail2serve_path.stat.exists
+- name: Reload fail2ban service
+  become: yes
+  become_method: sudo
+  service:
+    name: fail2ban
+    state: reloaded
+  register: fail2ban_reloaded
+- name: Start and enable fail2ban service
+  become: yes
+  become_method: sudo
+  service:
+    name: fail2ban
+    state: started
+    enabled: yes
+  register: fail2ban_running
+  when: fail2ban_reloaded
+- name: Restart fail2ban service
+  become: yes
+  become_method: sudo
+  service:
+    name: fail2ban
+    state: restarted
+  register: fail2ban_restarted
+  when: fail2ban_reloaded

.ansible/roles/bootstrap/tasks/configure_core/git.yml

@@ -0,0 +1,123 @@
+---
+- name: Set default branch name
+  become: yes
+  become_method: sudo
+  community.general.git_config:
+    name: init.defaultBranch
+    value: main
+    scope: system
+    add_mode: replace_all
+    state: present
+  register: gitedit_set
+- name: Set default git text editor
+  become: yes
+  become_method: sudo
+  community.general.git_config:
+    name: core.editor
+    value: vim
+    scope: system
+    add_mode: replace_all
+    state: present
+  register: gitedit_set
+- name: Create directory for some git files
+  file:
+    path: "{{ ansible_facts['user_dir'] }}/.config/git"
+    state: directory
+  register: gitdir_created
+- name: Create git commit message template file
+  copy:
+    src: git/gitmessage
+    dest: "{{ ansible_facts['user_dir'] }}/.config/git/gitmessage"
+    force: yes
+    backup: yes
+  register: gittemp_created
+- name: Set a commit template file for git
+  community.general.git_config:
+    name: commit.template
+    value: "{{ ansible_facts['user_dir'] }}/.config/git/gitmessage"
+    scope: global
+    add_mode: replace_all
+    state: present
+  register: gittemp_set
+- name: Set git key format to OpenPGP
+  community.general.git_config:
+    name: gpg.format
+    value: "openpgp"
+    scope: global
+    add_mode: replace_all
+    state: present
+  register: gitkeyformat_set
+  #@TODO: Add a gpg section to group_var or host_var vaults
+- name: Set a user signing key for git
+  community.general.git_config:
+    name: user.signingkey
+    value: "{{ gpg_sign_id }}"
+    scope: global
+    add_mode: replace_all
+    state: present
+  register: gitsignkey_registered
+- name: Set key signage to occur for commits by default in git
+  community.general.git_config:
+    name: commit.gpgSign
+    value: "true"
+    scope: global
+    add_mode: replace_all
+    state: present
+- name: Set key signage to occur for tagging by default in git
+  community.general.git_config:
+    name: tag.gpgSign
+    value: "true"
+    scope: global
+    add_mode: replace_all
+    state: present
+- name: Create a boilerplate gitignore file for git
+  copy:
+    src: git/gitignore.sample
+    dest: "{{ ansible_facts['user_dir'] }}/.config/git/gitignore"
+    force: yes
+    backup: yes
+  register: gitgignore_created
+- name: Set boilerplate gitignore file in global scope
+  community.general.git_config:
+    name: core.excludesfile
+    value: "{{ ansible_facts['user_dir'] }}/.config/git/gitignore"
+    scope: global
+    add_mode: replace_all
+    state: present
+  register: gitgignore_set
+- name: Set autocorrect for git
+  become: yes
+  become_method: sudo
+  community.general.git_config:
+    name: help.autocorrect
+    value: 0
+    scope: system
+    add_mode: replace_all
+    state: present
+  register: gitautocorr_set
+- name: Set git to replace CRLF endings when pulling
+  become: yes
+  become_method: sudo
+  community.general.git_config:
+    name: core.autocrlf
+    value: input
+    scope: system
+    add_mode: replace_all
+    state: present
+  register: gitcrlf_set
+- name: Set git username
+  community.general.git_config:
+    name: user.name
+    value: "{{ official_name | default(ansible_facts['user_id'], true) }}"
+    scope: global
+    add_mode: replace_all
+    state: present
+  register: gituser_set
+- name: Set git user email
+  community.general.git_config:
+    name: user.email
+    value: "{{ official_email | default('admin@' ~ domain_name, true) }}"
+    scope: global
+    add_mode: replace_all
+    state: present
+  register: gitemail_set

.ansible/roles/bootstrap/tasks/configure_core/gpg.yml

@@ -0,0 +1,89 @@
+---
+- name: Copy and import GPG keypairs to remote host
+  block:
+    - name: Create cipher directory for gocryptfs
+      file:
+        path: "{{ ansible_facts['user_dir'] }}/.ciphers"
+        state: directory
+    - name: Create a gocryptfs vault
+      command:
+        argv: [/usr/bin/gocryptfs, -init, "{{ ansible_facts['user_dir'] }}/.ciphers"]
+        stdin: "{{ gcfs_password }}"
+      register: gcfs_masterkey_created
+    - name: Create temporary file for password
+      tempfile:
+        prefix: gcfs_passfile
+        state: file
+      register: tempfile_created
+    - name: Put password in temporary file
+      lineinfile:
+        path: "{{ tempfile_created.path }}"
+        line: "{{ gcfs_password }}"
+        state: present
+      when: tempfile_created
+    - name: Create directory for storing gocryptfs decryption configuration files
+      file:
+        path: "{{ ansible_facts['user_dir'] }}/.fskeys/ciphers"
+        state: directory
+    - name: Get gocryptfs decryption configuration file metadata
+      stat:
+        path: "{{ ansible_facts['user_dir'] }}/.ciphers"
+      when: gcfs_masterkey_created.rc == 0
+      register: gcfs_vault
+    - name: Copy gocryptfs decryption configuration to another directory
+      copy:
+        remote_src: "{{ ansible_facts['user_dir'] }}/.ciphers/gocryptfs.conf"
+        dest: "{{ ansible_facts['user_dir'] }}/.fskeys/ciphers/gocryptfs.conf"
+        force: yes
+        backup: yes
+      register: gocryptfs_conf_copied
+      when: gcfs_vault.stat.exists and gcfs_masterkey_created.rc == 0
+    - name: Remove gocryptfs decryption configuration from source directory
+      file:
+        path: "{{ ansible_facts['user_dir'] }}/.ciphers/gocryptfs.conf"
+        state: absent
+      register: gocryptfs_orig_conf_removed
+      when: gocryptfs_conf_copied
+    - name: Mount the gocryptfs vault
+      ansible.posix.mount:
+        src: "{{ ansible_facts['user_dir'] }}/.ciphers"
+        path: "{{ ansible_facts['user_dir'] }}/.mnt/ciphers.plain"
+        state: ephemeral
+        fstype: fuse./usr/bin/gocryptfs
+        opts: "nofail,passfile={{ tempfile_created.path }},config={{ ansible_facts['user_dir'] }}/.fskeys/ciphers/gocryptfs.conf"
+      register: gcfs_mounted
+      when: gcfs_vault.stat.exists and gcfs_masterkey_created.rc == 0
+    - name: Create directory in decrypted gocryptfs vault
+      file:
+        path: "{{ ansible_facts['user_dir'] }}/.mnt/ciphers.plain/gpg"
+        state: directory
+      when: gcfs_mounted
+    - name: Copy GPG keypair
+      copy:
+        src: "gpg/{{ ansible_facts['user_id'] }}/{{ item }}"
+        dest: "{{ ansible_facts['user_dir'] }}/.mnt/ciphers.plain/gpg/{{ item }}"
+        force: yes
+        backup: yes
+      loop: "{{ query('fileglob', roles_path ~ 'bootstrap/files/gpg/' ~ ansible_facts['user_id'] ~ '/*') }}"
+      register: gpgkeys_copied
+      when: gcfs_mounted
+    - name: Import GPG keypair
+      become: yes
+      become_method: sudo
+      command:
+        argv: [gpg, --import, "{{ ansible_facts['user_dir'] }}/.mnt/ciphers.plain/gpg/{{ item }}"]
+      loop: "{{ query('fileglob', roles_path ~ 'bootstrap/files/gpg/' ~ ansible_facts['user_id'] ~ '/*') }}"
+      register: gpgkeys_imported
+      when: gpgkeys_copied and gcfs_mounted
+    #@TODO create handler that sends copy of gcfs_masterkey_created somehow
+    - name: Unmount the gocryptfs vault
+      ansible.posix.mount:
+        path: "{{ ansible_facts['user_dir'] }}/.mnt/plains"
+        state: unmounted
+      register: gcfs_unmounted
+      when: gpgkeys_copied and gcfs_mounted
+    # - name: Unmount the gocryptfs vault
+    #   command:
+    #     argv: [fusermount, -u, "{{ ansible_facts['user_dir'] }}/.mnt/plains"]
+    #   when: gpgkeys_copied and gcfs_mounted
+  register: gpg_keypair_copy

.ansible/roles/bootstrap/tasks/configure_core/proftpd.yml

@@ -0,0 +1,19 @@
+---
+- name: Configure ProFTPd
+  block:
+    - name: Apply proftpd configuration template
+      become: yes
+      become_method: sudo
+      template:
+        src: proftpd/proftpd.conf.j2
+        dest: /etc/proftpd/proftpd.conf
+        force: yes
+        backup: yes
+    - name: Apply proftpd virtualhost configuration template
+      become: yes
+      become_method: sudo
+      template:
+        src: proftpd/vhost.conf.j2
+        dest: /etc/proftpd/conf.d/hosts.conf
+        force: yes
+        backup: yes