refactor: restructured project for higher-utility naming practices and optimized data structures for variables

This commit is contained in:
2025-11-11 00:58:10 -05:00
parent 44a292f19f
commit 0efe13e76b
53 changed files with 1151 additions and 874 deletions

19
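--- /dev/null
+++ b/playbooks/deroot.yml
@@ -0,0 +1,19 @@
+---
+- name: Create new users and lock down VPS
+hosts: vps1
+remote_user: root
+vars:
+ansible_user: root
+ansible_ssh_private_key_file: "{{ vps_service.ssh_private_key_paths[vps_service.ssh_private_key_path_pref] }}"
+tasks:
+- name: Engage in SSH hardening and user creation
+ansible.builtin.include_role:
+# allow_duplicates: true
+defaults_from: main
+handlers_from: main
+name: bootstrap
+# public: false
+# rolespec_validate: true
+tasks_from: "init@{{ ansible_facts['system'].lowercase() }}"
+vars_from: main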
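Review bot: `tasks_from: "init@{{ ansible_facts['system'].lowercase() }}"` on the last line of the hunk calls a method that Python strings do not have (`lower()` exists, `lowercase()` does not), so the include will fail at template time with an attribute error instead of selecting a per-OS task file. The Jinja2 filter is the idiomatic and working form: `tasks_from: "init@{{ ansible_facts['system'] | lower }}"`. The play also sets both `remote_user: root` and `ansible_user: root`, which serve the same purpose here; keeping only one avoids a future edit changing one and not the other. Because the page renders the file flush-left I cannot confirm the nesting of the commented-out `allow_duplicates`/`public`/`rolespec_validate` options; if they are kept as reminders, a one-line comment saying why they are disabled would help the next reader.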


@@ -1,15 +0,0 @@
# Default settings for user directories
#
# The values are relative pathnames from the home directory and
# will be translated on a per-path-element basis into the users locale
DESKTOP=Desktop
DOWNLOAD=Downloads
TEMPLATES=Templates
PUBLICSHARE=Public
DOCUMENTS=Documents
MUSIC=Music
PICTURES=Pictures
VIDEOS=Videos
# Another alternative is:
#MUSIC=Documents/Music
#PICTURES=Documents/Pictures


@@ -1,15 +0,0 @@
# Default settings for user directories
#
# The values are relative pathnames from the home directory and
# will be translated on a per-path-element basis into the users locale
DESKTOP=Desktop
DOWNLOAD=Downloads
TEMPLATES=Templates
PUBLICSHARE=Public
DOCUMENTS=Documents
MUSIC=Music
PICTURES=Pictures
VIDEOS=Videos
# Another alternative is:
#MUSIC=Documents/Music
#PICTURES=Documents/Pictures


@@ -1,6 +0,0 @@
---
passwords:
- username: admin
password: "{{ vaulted_passwords.admin.password }}"
local_ssh_private_key_files: [] # @NOTE list paths to SSH private keys
chosen_local_ssh_private_key_file: "{{ local_ssh_private_key_files | random }}"


@@ -1,7 +0,0 @@
---
# @TODO encrypt as vault
# @NOTE see https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module
# Specifically, section for hashing using python passlib library
vaulted_passwords:
admin:
password: ~


@@ -1,6 +0,0 @@
---
passwords:
- username: admin
password: "{{ vaulted_passwords.admin.password }}"
local_ssh_private_key_files: [] # @NOTE list paths to SSH private keys
chosen_local_ssh_private_key_file: "{{ local_ssh_private_key_files | random }}"


@@ -1,7 +0,0 @@
---
# @TODO encrypt as vault
# @NOTE see https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module
# Specifically, section for hashing using python passlib library
vaulted_passwords:
admin:
password: ~

20
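--- /dev/null
+++ b/playbooks/init.yml
@@ -0,0 +1,20 @@
+---
+- name: Initialize VPS
+hosts: localhost
+connection: local
+tasks:
+- name: Create a VPS using Linode
+when: vps_service.type == "linode"
+community.general.linode_v4:
+access_token: "{{ vps_service.api_key }}"
+authorized_keys: "{{ vps_service.ssh_authorized_keys }}"
+image: linode/debian13
+label: sukaato
+private_ip: true
+region: "{{ vps_service.region }}"
+root_pass: "{{ vps_service.password }}"
+tags: "{{ hostvars[inventory_hostname].keywords }}"
+state: "{{ 'present' if vps_service.exists else 'absent' }}"
+tags:
+- vps_step
+- linode_step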
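Review bot: The `community.general.linode_v4` task passes `access_token: "{{ vps_service.api_key }}"` and `root_pass: "{{ vps_service.password }}"` with no `no_log: true` at task level; unless the module marks those parameters no_log itself (not verified for the collection version used here), a `-v`/`-vvv` run or a failed-task message can echo both secrets into console output and CI logs. Adding `no_log: true` next to `when:` keeps the play safe regardless of module internals. `image: linode/debian13` and `label: sukaato` are hard-coded while `region`, `password` and `api_key` are read from `vps_service`, so moving them into the same structure (e.g. `image: "{{ vps_service.image }}"`) would keep the instance definition in one place. Note there are two `tags` keys — the first is the module's instance-tag parameter, the second the task keyword — and since the page renders the file flush-left, the boundary between module arguments and task keywords cannot be verified from here.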


@@ -1,197 +0,0 @@
---
- name: init_login
hosts: servers # @NOTE for IPv6, switch to 'servers6' instead of 'servers4'--for both, 'servers'
vars_files:
# @NOTE if second line is uncommented with its variables actively in use, first line should too be uncommented
# - vars/ssh_keys_vault.yml
- vars/ssh_keys.yml
vars:
ansible_user: "{{ passwords[0].username }}"
# @NOTE one of below two lines should be commented/uncommented in a mutually exclusive fashion
# ansible_ssh_private_key_file: "{{ chosen_native_ssh_private_key_file | default(chosen_local_ssh_private_key_file, true) }}" # @NOTE only works with soft-coded SSH key list building
ansible_ssh_private_key_file: "{{ chosen_local_ssh_private_key_file }}" # @NOTE references an inventory / group variable
# @NOTE below three lines should only be uncommented when above two are commented and vice versa; key-based authentication should have already been enabled prior to running this playbook
# ansible_password: "{{ passwords[0].password }}"
ansible_python_interpreter: “{{ ansible_playbook_python }}”
personal_computers: locals # @NOTE can change to *_households group or {{ name }}_{{ surname }} group name
vars_prompt:
- name: gpg_or_ssh_git_signing
prompt: Enter preferred signing key type (e.g., ssh or gpg)
unsafe: yes
private: no
default: "ssh"
- name: git_preferred_signing
prompt: Enter index or number of preferred signing key (negative number for random)
unsafe: yes
private: no
default: -1
tasks:
- name: Disable shell access for root
ansible.builtin.include_role:
name: lockdown
defaults_from: main
vars_from: main
handlers_from: main
tasks_from: deshell
apply:
become: yes
tags:
- default
- name: Create global bash aliases
become: yes
ansible.builtin.copy:
src: bash/bash_aliases
dest: /etc/bash_aliases
owner: root
group: root
follow: yes
force: yes
backup: yes
mode: "0644"
state: present
tags:
- default
- source_sys_bashrc
- name: Create global bash functions
become: yes
ansible.builtin.copy:
src: bash/bash_functions
dest: /etc/bash_functions
owner: root
group: root
follow: yes
force: yes
backup: yes
mode: "0644"
state: present
tags:
- default
- source_sys_bashrc
- name: Register bash aliases and functions to global bashrc
become: yes
ansible.builtin.blockinfile:
block: |
if [ -f /etc/bash_aliases ]; then
. /etc/bash_aliases
fi
if [ -f /etc/bash_functions ]; then
. /etc/bash_functions
fi
path: /etc/bash.bashrc
prepend_newline: yes
marker: "# {mark} ANSIBLE MANAGED SYSTEM-WIDE BASH ALIASES AND FUNCTIONS BLOCK"
insertafter: EOF
create: yes
owner: root
group: root
backup: yes
state: present
tags:
- default
- source_sys_bashrc
- name: Start XDG configuration tasks if current host in servers group
when: "'servers' in group_names and ansible_connection != 'local'"
become: yes
block:
- name: Create XDG user home directory environment variables
ansible.builtin.copy:
src: files/servers/xdg/user-dirs.defaults
dest: /etc/xdg/user-dirs.defaults
owner: root
group: root
follow: yes
force: yes
backup: yes
mode: "0644"
state: present
- name: Create XDG user home directory environment variables
ansible.builtin.copy:
src: "xdg/{{ ansible_facts['user_id'] }}/user-dirs.dirs"
dest: "{{ ansible_facts['user_dir'] }}/.config/user-dirs.dirs"
owner: root
group: root
follow: yes
force: yes
backup: yes
mode: "0644"
state: present
tags:
- default
- create_xdg_config
- servers_exclusive
- name: Start XDG configuration tasks if current host is local or personal
when: "personal_computers in group_names or ansible_connection == 'local'"
become: yes
block:
- name: Create XDG user home directory environment variables
ansible.builtin.copy:
src: files/locals/xdg/user-dirs.defaults
dest: /etc/xdg/user-dirs.defaults
owner: root
group: root
follow: yes
force: yes
backup: yes
mode: "0644"
state: present
- name: Create XDG user home directory environment variables
ansible.builtin.copy:
src: "xdg/{{ ansible_facts['user_id'] }}/user-dirs.dirs"
dest: "{{ ansible_facts['user_dir'] }}/.config/user-dirs.dirs"
owner: root
group: root
follow: yes
force: yes
backup: yes
mode: "0644"
state: present
tags:
- default
- create_xdg_config
- locals_exclusive
- name: Start SSH configuration tasks if current host is local or personal
when: "personal_computers in group_names or ansible_connection == 'local'"
become: yes
block:
- name: Create user SSH configuration
ansible.builtin.copy:
src: "ssh/{{ ansible_facts['user_id'] }}/config"
dest: "{{ ansible_facts['user_dir'] }}/.ssh/config"
follow: yes
force: yes
backup: yes
owner: "{{ ansible_facts['user_id'] }}"
group: "{{ ansible_facts['user_id'] }}"
mode: "0600"
state: present
tags:
- default
- create_ssh_config
- locals_exclusive
- name: Import GPG private keys
ansible.builtin.include_role:
name: lockdown
defaults_from: main
vars_from: main
handlers_from: main
tasks_from: gpg
tags:
- default
- import_gpg_privkeys
- name: Set up git
ansible.builtin.include_role:
name: lockdown
defaults_from: main
vars_from: main
handlers_from: main
tasks_from: git
vars:
git_signing_key_type: gpg_or_ssh_git_signing
preferred_signing_key: git_preferred_signing
tags:
- default
- configure_git


@@ -1,27 +0,0 @@
---
- name: manage_root
hosts: servers # @NOTE for IPv6, switch to 'servers6' instead of 'servers4'--for both, 'servers'
remote_user: root # MUST be run as root
vars:
ansible_user: root
# ansible_ssh_user: root
vars_prompt:
- name: ansible_password
prompt: Enter pasword for root user of VPS
unsafe: yes
private: yes
# - name: ansible_ssh_pass
# prompt: Enter pasword for root user of VPS
# unsafe: yes
# private: yes
tasks:
- name: Set up sys-admin account on VPS and secure VPS
ansible.builtin.include_role:
name: lockdown
defaults_from: main
vars_from: main
handlers_from: main
tasks_from: main
tags:
- init


@@ -1,5 +0,0 @@
---
- name: Lock down VPS
ansible.builtin.import_playbook: manage_root.yml
- name: Bootstrap VPS
ansible.builtin.import_playbook: init_login.yml


@@ -1,4 +0,0 @@
---
native_ssh_private_keys: "{{ vaulted_native_ssh_private_keys }}"
native_ssh_private_key_files: []
chosen_native_ssh_private_key_file: "{{ native_ssh_private_key_files | random }}"