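---
# Post-bootstrap tasks for the VPS: podman images, ProFTPd, the web root and
# a gocryptfs-backed "secrets" share that is exported under the FTP root.
#
# Expected from inventory / extra vars (not defined here): ftp_root,
# domain_source_path, domain_root, roles_path, gocrypt_password,
# ftp_web_password, ftp_password.  Keep the three passwords in an Ansible
# Vault file; every task below that handles one runs with no_log so the value
# never reaches the play output or callback plugins.
#
# NOTE(review): the *plaintext* view of the vault is what gets rbind-mounted
# under the FTP root, so whether it crosses the wire in clear depends on the
# TLS settings in options/proftpd.yml, not on anything in this play.
- name: Additional tasks to do on the VPS
  hosts: vps
  gather_facts: true  # ansible_facts['user_dir'] / ['user_id'] are used below
  vars:
    want_recc_cimages: true
    want_custom_cimages: false
    # null by default; note that a null value still satisfies `is defined`,
    # so the source-pull block also tests `is not none`.
    source_repo: null
    # source_repo:
    #   utility: git
    #   url: senpai@ipv6.sukaato:repos/sukaato.git
    #
    # gocryptfs vault layout (play vars are templated lazily, after facts):
    #   ciphertext  -> ~/secrets
    #   gocryptfs.conf (holds the password-wrapped master key) is moved out of
    #   the ciphertext tree so it is not shipped along with it
    #   password    -> ~/config/.secrets_vault.key (0600)
    #   plaintext   -> ~/.mnt/secrets.plain
    secrets_vault_dir: "{{ ansible_facts['user_dir'] }}/secrets"
    secrets_conf: "{{ ansible_facts['user_dir'] }}/.fskeys/ciphers/secrets.conf"
    secrets_passfile: "{{ ansible_facts['user_dir'] }}/config/.secrets_vault.key"
    secrets_plain: "{{ ansible_facts['user_dir'] }}/.mnt/secrets.plain"
  tasks:
    - name: Install core podman images
      include_role:
        name: bootstrap
        tasks_from: core_installations@podman.yml
        defaults_from: core_images@podman.yml
      register: core_podman_images_installed
      tags: [default, with_containers]

    - name: Install additional recommended podman images
      include_role:
        name: bootstrap
        tasks_from: extra_installations@podman.yml
        defaults_from: core_images@podman.yml
      register: recc_podman_images_installed
      when: want_recc_cimages
      tags: [default, with_containers]

    - name: Get variable for custom podman image package list
      include_vars:
        # roles_path is not an Ansible builtin; it has to be supplied by the caller
        file: "{{ roles_path }}/bootstrap/defaults/custom_images@podman.yml"
        name: podman_cimages
      # only needed by the task below, so do not fail on a missing file otherwise
      when: want_custom_cimages
      tags: [default, with_containers]

    - name: Install custom podman images
      include_role:
        name: bootstrap
        tasks_from: extra_installations@podman.yml
      vars:
        recc_cimages: "{{ podman_cimages.my_cimages }}"
      register: extra_podman_images_installed
      when: want_custom_cimages
      tags: [default, with_containers]

    - name: Configure ProFTPd
      include_role:
        name: bootstrap
        tasks_from: configure_core/proftpd.yml
        defaults_from: options/proftpd.yml
        vars_from: options/proftpd.yml
      register: proftpd_configured
      tags: [default, with_ftp]

    - name: Create FTP root
      become: true
      become_method: sudo
      file:
        path: "{{ ftp_root }}"
        state: directory
        owner: ftpd
        group: nogroup
      register: ftp_root_created
      tags: [default, with_ftp]

    - name: Create a directory for website or web server source code
      # NOTE(review): created as the connecting user, but cloned into as `git`
      # below; confirm `git` can write here.
      file:
        path: "{{ domain_source_path }}"
        state: directory
      register: domain_srcdir_created
      tags: [default, with_webserver]

    - name: Pull website source code
      # `register` is not a valid attribute on a block; it now sits on the git task.
      when: source_repo is defined and source_repo is not none
      tags: [default, with_webserver]
      block:
        - name: Git pull website git repository
          # become_user on its own does not switch users; become must be enabled.
          become: true
          become_user: git
          become_method: sudo
          # NOTE(review): the module leaves accept_hostkey at its default (false),
          # so the remote's SSH host key must already be in git's known_hosts;
          # pre-seeding it is preferable to blindly accepting it.
          git:
            repo: "{{ source_repo.url }}"
            dest: "{{ domain_source_path }}"
            single_branch: true
            version: main
          register: website_src_available
          when: source_repo.utility == 'git'

    - name: Create fstab entry for rbind mount for web root
      become: true
      become_method: sudo
      ansible.posix.mount:
        src: "{{ domain_source_path }}"
        path: "{{ domain_root }}"
        fstype: none
        opts: rbind
        state: mounted
      register: webmount_created
      tags: [default, with_webserver]

    - name: Ensure directories for the gocryptfs key material exist
      # copy/touch below do not create missing parents; the key directory is
      # owner-only because it holds the password-wrapped master key.
      file:
        path: "{{ item.path }}"
        state: directory
        mode: "{{ item.mode | default(omit) }}"
      loop:
        - path: "{{ ansible_facts['user_dir'] }}/config"
        - path: "{{ ansible_facts['user_dir'] }}/.fskeys"
          mode: "0700"
        - path: "{{ ansible_facts['user_dir'] }}/.fskeys/ciphers"
          mode: "0700"
      tags: [default, with_ftp, with_ftp_crypt_dir]

    - name: Create a gocryptfs vault for mounting under FTP root
      command:
        argv: [/usr/bin/gocryptfs, -init, "{{ secrets_vault_dir }}"]
        stdin: "{{ gocrypt_password }}"
        # -init refuses a non-empty directory, so re-runs would fail without a
        # guard; the conf is moved to secrets_conf right after init, which makes
        # it the marker.  The command module still returns rc 0 when it skips
        # because of `creates`, so the rc checks below keep working.
        creates: "{{ secrets_conf }}"
      # stdin carries the password and gocryptfs -init prints the master key on
      # stdout: the registered result is itself a secret (no_log hides it from
      # output only, the variable still holds it).
      no_log: true
      register: secrets_masterkey_created
      tags: [default, with_ftp, with_ftp_crypt_dir]

    - name: Get gocryptfs vault directory metadata
      stat:
        path: "{{ secrets_vault_dir }}"
      register: secrets_vault
      when: secrets_masterkey_created.rc == 0
      # this task had no tags, so a `--tags with_ftp` run skipped it and the
      # consumers below hit an undefined secrets_vault
      tags: [default, with_ftp, with_ftp_crypt_dir]

    - name: Write password file for the secrets gocryptfs vault
      # Replaces touch + lineinfile: that pair left the file at the umask default
      # (typically world-readable) and appended on password change, while
      # gocryptfs only reads the first line of a passfile.
      copy:
        content: "{{ gocrypt_password }}\n"
        dest: "{{ secrets_passfile }}"
        mode: "0600"
      no_log: true
      register: secrets_passfile_created
      tags: [default, with_ftp, with_ftp_crypt_dir]

    - name: Copy gocryptfs decryption configuration of secrets vault to hidden directory
      copy:
        # remote_src is a boolean; the path belongs in src
        src: "{{ secrets_vault_dir }}/gocryptfs.conf"
        remote_src: true
        dest: "{{ secrets_conf }}"
        mode: "0600"
        force: true
        backup: true
      register: secrets_conf_copied
      # only right after a fresh -init; on later runs the conf has already moved
      when: secrets_masterkey_created is changed
      tags: [default, with_ftp, with_ftp_crypt_dir]

    - name: Remove gocryptfs decryption configuration from vault
      file:
        path: "{{ secrets_vault_dir }}/gocryptfs.conf"
        state: absent
      # a registered result is truthy even for a skipped task, so never delete
      # the conf unless the copy above actually happened
      when: secrets_conf_copied is changed
      tags: [default, with_ftp, with_ftp_crypt_dir]

    - name: Mount the gocryptfs secrets vault
      # the module edits /etc/fstab, which needs root
      become: true
      become_method: sudo
      # NOTE(review): mounted by root, so the plaintext view is visible to root
      # only unless allow_other is added (and user_allow_other is enabled in
      # /etc/fuse.conf); confirm how the FTP user is meant to reach it.
      ansible.posix.mount:
        src: "{{ secrets_vault_dir }}"
        path: "{{ secrets_plain }}"
        state: mounted
        fstype: fuse./usr/bin/gocryptfs
        opts: "nofail,passfile={{ secrets_passfile }},config={{ secrets_conf }}"
      register: secrets_mounted
      when: secrets_vault.stat.exists and secrets_masterkey_created.rc == 0
      tags: [default, with_ftp, with_ftp_crypt_dir]

    # @TODO create handler that sends a copy of secrets_masterkey_created
    # somewhere safe; it contains the clear-text master key, treat it as such.

    - name: Create users for ProFTPd
      # `register` is not valid on a block; the per-user results are registered
      # on the tasks instead.
      tags: [default, with_ftp]
      block:
        - name: Create ProFTPd user webmaster for website
          become: true
          become_method: sudo
          # NOTE(review): ftpasswd --passwd is not idempotent (an existing name
          # is an error) and normally wants --uid, which this entry omits —
          # confirm both against the installed ftpasswd.
          command:
            argv:
              - /usr/local/bin/ftpasswd
              - --passwd
              - --file=/etc/proftpd/ftpd.passwd
              - --name=webmaster
              - "--home={{ domain_root }}/public"
              - --shell=/bin/false
              - --sha256
              - --stdin
            stdin: "{{ ftp_web_password }}"
          no_log: true
          register: proftpd_webmaster_created
          tags: [with_webserver]

        - name: Create home directory for ProFTPd user cybersmuggler
          become: true
          become_method: sudo
          # NOTE(review): owner/group are the connecting user's name and the
          # ftpasswd entry hard-codes uid 1000; these are assumed to be the
          # same account — verify.
          file:
            path: "{{ ftp_root }}/black_market"
            state: directory
            owner: "{{ ansible_facts['user_id'] }}"
            group: "{{ ansible_facts['user_id'] }}"
          register: cybersmuggler_home_created

        - name: Create ProFTPd user cybersmuggler for file-sharing
          become: true
          become_method: sudo
          command:
            argv:
              - /usr/local/bin/ftpasswd
              - --passwd
              - --file=/etc/proftpd/ftpd.passwd
              - --name=cybersmuggler
              - --uid=1000
              - "--home={{ ftp_root }}/black_market"
              - --shell=/bin/false
              - --sha256
              - --stdin
            stdin: "{{ ftp_password }}"
          no_log: true
          register: proftpd_cybersmuggler_created

    - name: Create fstab entry for rbind mount for secrets decrypted vault
      become: true
      become_method: sudo
      ansible.posix.mount:
        src: "{{ secrets_plain }}"
        path: "{{ ftp_root }}/black_market/secrets"
        fstype: none
        opts: rbind
        state: mounted
      # bare `secrets_mounted` was always truthy (skipped results are dicts too)
      when: secrets_mounted is not skipped
      tags: [default, with_ftp, with_ftp_crypt_dir]

    # @TODO create tasks for setting up Caddy--maybe?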