sukaato-ansible/extended@vps.yml

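---
# Post-bootstrap tasks for the "vps" hosts: podman images, ProFTPd and its users,
# the web-root bind mount, and a gocryptfs-backed "secrets" share under the FTP root.
#
# Variables used but not defined in this play (ftp_root, domain_root,
# domain_source_path, gocrypt_password, ftp_password, ftp_web_password, roles_path)
# are expected to come from inventory/group vars — confirm against the repository's
# vars files before running.
- name: Additional tasks to do on the VPS
  hosts: vps
  gather_facts: true
  vars:
    want_recc_cimages: true
    want_custom_cimages: false
    # Null by default: the "Pull website source code" block below is skipped unless
    # this is overridden with a mapping such as the commented example.
    source_repo: null
    # source_repo:
    #   utility: git
    #   url: senpai@ipv6.sukaato:repos/sukaato.git
  tasks:
    - name: Install core podman images
      include_role:
        name: bootstrap
        tasks_from: core_installations@podman.yml
        defaults_from: core_images@podman.yml
      # NOTE(review): as far as I know Ansible does not populate `register` on
      # include_role — confirm before relying on these *_installed variables
      register: core_podman_images_installed
      tags: [default, with_containers]

    - name: Install additional recommended podman images
      include_role:
        name: bootstrap
        tasks_from: extra_installations@podman.yml
        defaults_from: core_images@podman.yml
      register: recc_podman_images_installed
      when: want_recc_cimages
      tags: [default, with_containers]

    - name: Get variable for custom podman image package list
      include_vars:
        # NOTE(review): roles_path is not a built-in Ansible variable — confirm it
        # is defined in inventory/group vars
        file: "{{ roles_path }}/bootstrap/defaults/custom_images@podman.yml"
        name: podman_cimages
      tags: [default, with_containers]

    - name: Install custom podman images
      include_role:
        name: bootstrap
        tasks_from: extra_installations@podman.yml
      vars:
        recc_cimages: "{{ podman_cimages.my_cimages }}"
      register: extra_podman_images_installed
      when: want_custom_cimages
      tags: [default, with_containers]

    - name: Configure ProFTPd
      include_role:
        name: bootstrap
        tasks_from: configure_core/proftpd.yml
        defaults_from: options/proftpd.yml
        vars_from: options/proftpd.yml
      register: proftpd_configured
      tags: [default, with_ftp]

    - name: Create FTP root
      become: true
      become_method: sudo
      file:
        path: "{{ ftp_root }}"
        state: directory
        owner: ftpd
        group: nogroup
      register: ftp_root_created
      tags: [default, with_ftp]

    - name: Create a directory for website or web server source code
      file:
        path: "{{ domain_source_path }}"
        state: directory
      register: domain_srcdir_created
      tags: [default, with_webserver]

    - name: Pull website source code
      block:
        - name: Git pull website git repository
          # NOTE(review): become_user has no effect unless `become: true` is set on
          # the task or play — confirm which user is meant to own the checkout
          become_user: git
          become_method: sudo
          git:
            repo: "{{ source_repo.url }}"
            dest: "{{ domain_source_path }}"
            single_branch: true
            version: main
          when: source_repo.utility == 'git'
          register: website_src_available
      # source_repo defaults to null above, so `is defined` alone is true and
      # `source_repo.utility` would then fail; also require a non-null value.
      when: source_repo is defined and source_repo is not none
      tags: [default, with_webserver]

    - name: Create fstab entry for rbind mount for web root
      become: true
      become_method: sudo
      ansible.posix.mount:
        src: "{{ domain_source_path }}"
        path: "{{ domain_root }}"
        fstype: none
        opts: rbind
        state: mounted
      register: webmount_created
      tags: [default, with_webserver]

    - name: Create a gocryptfs vault for mounting under FTP root
      command:
        argv:
          - /usr/bin/gocryptfs
          - -init
          - "{{ ansible_facts['user_dir'] }}/secrets"
        stdin: "{{ gocrypt_password }}"
        # gocryptfs -init refuses to re-initialise an existing vault; skip it once
        # the vault config has already been moved to its final location (below),
        # so that the play can be re-run. A run that failed between init and the
        # copy still needs manual clean-up of the vault directory.
        creates: "{{ ansible_facts['user_dir'] }}/.fskeys/ciphers/secrets.conf"
      # the vault password is passed on stdin — keep it out of logs and verbose output
      no_log: true
      register: secrets_masterkey_created
      tags: [default, with_ftp, with_ftp_crypt_dir]

    - name: Get gocryptfs decryption configuration file metadata
      stat:
        path: "{{ ansible_facts['user_dir'] }}/secrets"
      register: secrets_vault
      when: secrets_masterkey_created.rc == 0
      # same tags as the init task, so secrets_masterkey_created is always defined here
      tags: [default, with_ftp, with_ftp_crypt_dir]

    - name: Create a file to store password for secrets gocryptfs vault
      file:
        path: "{{ ansible_facts['user_dir'] }}/config/.secrets_vault.key"
        state: touch
        # this file holds the vault password in clear text; never leave it at the
        # umask default, which is typically world-readable
        mode: "0600"
      register: secrets_passfile_created
      tags: [default, with_ftp, with_ftp_crypt_dir]

    - name: Put password in aforementioned file
      lineinfile:
        # the registered variable is secrets_passfile_created (not gcfs_passfile_created)
        path: "{{ secrets_passfile_created.path }}"
        line: "{{ gocrypt_password }}"
        state: present
      # the password would otherwise appear in diff/verbose output
      no_log: true
      when: secrets_passfile_created is succeeded
      tags: [default, with_ftp, with_ftp_crypt_dir]

    - name: Copy gocryptfs decryption configuration of secrets vault to hidden directory
      copy:
        # remote_src is a boolean; the path itself goes in src
        src: "{{ ansible_facts['user_dir'] }}/secrets/gocryptfs.conf"
        remote_src: true
        dest: "{{ ansible_facts['user_dir'] }}/.fskeys/ciphers/secrets.conf"
        mode: "0600"
        force: true
        backup: true
      register: secrets_conf_copied
      # only on the run that actually initialised the vault; on re-runs the config
      # has already been moved out of the vault directory
      when: secrets_vault.stat.exists and secrets_masterkey_created is changed
      tags: [default, with_ftp, with_ftp_crypt_dir]

    - name: Remove gocryptfs decryption configuration from vault
      file:
        path: "{{ ansible_facts['user_dir'] }}/secrets/gocryptfs.conf"
        state: absent
      # a registered result is always truthy, so `when: secrets_conf_copied` would
      # delete the only copy of the wrapped master key even when the copy was skipped
      when: secrets_conf_copied is not skipped and secrets_conf_copied is succeeded
      tags: [default, with_ftp, with_ftp_crypt_dir]

    - name: Mount the gocryptfs secrets vault
      ansible.posix.mount:
        src: "{{ ansible_facts['user_dir'] }}/secrets"
        path: "{{ ansible_facts['user_dir'] }}/.mnt/secrets.plain"
        state: mounted
        fstype: fuse./usr/bin/gocryptfs
        opts: "nofail,passfile={{ secrets_passfile_created.path }},config={{ ansible_facts['user_dir'] }}/.fskeys/ciphers/secrets.conf"
      # NOTE(review): state=mounted writes /etc/fstab, which the other mount tasks
      # do under become — confirm whether this one is meant to run unprivileged
      register: secrets_mounted
      when: secrets_vault.stat.exists and secrets_masterkey_created.rc == 0
      tags: [default, with_ftp, with_ftp_crypt_dir]

    # @TODO create handler that sends copy of gcfs_masterkey_created somehow

    - name: Create users for ProFTPd
      block:
        - name: Create ProFTPd user webmaster for website
          become: true
          become_method: sudo
          command:
            argv:
              - /usr/local/bin/ftpasswd
              - --passwd
              - --file=/etc/proftpd/ftpd.passwd
              - --name=webmaster
              # NOTE(review): the cybersmuggler entry below passes --uid; confirm
              # whether ftpasswd --passwd needs it here as well
              - "--home={{ domain_root }}/public"
              - --shell=/bin/false
              - --sha256
              - --stdin
            stdin: "{{ ftp_web_password }}"
          no_log: true
          register: proftpd_webmaster_created
          tags: [with_webserver]

        - name: Create home directory for ProFTPd user cybersmuggler
          become: true
          become_method: sudo
          file:
            path: "{{ ftp_root }}/black_market"
            state: directory
            owner: "{{ ansible_facts['user_id'] }}"
            group: "{{ ansible_facts['user_id'] }}"
          register: cybersmuggler_home_created

        - name: Create ProFTPd user cybersmuggler for file-sharing
          become: true
          become_method: sudo
          command:
            argv:
              - /usr/local/bin/ftpasswd
              - --passwd
              - --file=/etc/proftpd/ftpd.passwd
              - --name=cybersmuggler
              # NOTE(review): assumes uid 1000 is the ansible user that owns the
              # home directory created above — confirm on the target host
              - --uid=1000
              - "--home={{ ftp_root }}/black_market"
              - --shell=/bin/false
              - --sha256
              - --stdin
            stdin: "{{ ftp_password }}"
          no_log: true
          register: proftpd_cybersmuggler_created
      # `register` is not a valid attribute on a block (it made Ansible reject the
      # play); the per-task registers above hold the individual results
      tags: [default, with_ftp]

    - name: Create fstab entry for rbind mount for secrets decrypted vault
      become: true
      become_method: sudo
      ansible.posix.mount:
        src: "{{ ansible_facts['user_dir'] }}/.mnt/secrets.plain"
        path: "{{ ftp_root }}/black_market/secrets"
        fstype: none
        opts: rbind
        state: mounted
      # a bare registered result is always truthy; only bind-mount when the vault
      # mount task actually ran and succeeded
      when: secrets_mounted is not skipped and secrets_mounted is succeeded
      tags: [default, with_ftp, with_ftp_crypt_dir]

    # @TODO create tasks for setting up Caddy--maybe?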