From 3343f7ad6962058a8954f88b7ea13151e1f428bb Mon Sep 17 00:00:00 2001
From: Alex Tavarez
Date: Tue, 16 Jun 2026 14:20:40 -0400
Subject: [PATCH] finished new playbook

---
administrate@vps.yml | 173 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 173 insertions(+)
create mode 100644 administrate@vps.yml

diff --git a/administrate@vps.yml b/administrate@vps.yml
new file mode 100644
index 0000000..55dee89
--- /dev/null
+++ b/administrate@vps.yml
@@ -0,0 +1,173 @@ +- name: Initialize VPS + hosts: "{{ chosen_host | default('sukaato') }}" + remote_user: "{{ chosen_user | default('senpai') }}" + vars_files: + - vars/git_aliases.yml # REQUIRED + - vars/vpn_server.yml # REQUIRED + - vars/config@{{ inventory_hostname | default('vps') }}.yml + tasks: + - name: Installing requisite packages + ansible.builtin.include_role: + name: init-server + tasks_from: userspace@install-pkgs + handlers_from: userspace + - name: Acquiring home of current user + when: ansible_facts["system"] == "Linux" + ansible.builtin.shell: + cmd: "echo ~{{ ansible_user }}" + register: ansible_user_home + - name: Acquiring current user + when: ansible_facts["system"] == "Linux" + ansible.builtin.shell: + cmd: "echo {{ ansible_user }}" + register: current_user + - name: Disabling root user shell login + become: true + ansible.builtin.user: + name: root + shell: /sbin/nologin + tags: + - disable_root_shell + - name: Disable login for root user altogether + become: true + ansible.builtin.user: + name: root + password: "'*'" + tags: + - disable_root_login + # - name: Debugging + # ansible.builtin.debug: + # msg: "{{ pkgs | dict2items(key_name='pkg_group', value_name='pkgs') | map(attribute='pkgs') | list | map(attribute='userspace', default='no_userspace') | list | flatten | reject('search', 'no_userspace') | list }}" + # - name: Prematurely ending play + # ansible.builtin.meta: end_play + - name: Reorganizing userspace package groups into single list + ansible.builtin.set_fact: + all_userspace_pkgs: "{{ pkgs | dict2items(key_name='pkg_group', value_name='pkgs') | map(attribute='pkgs') | list | map(attribute='userspace', default='no_userspace') | list | flatten | reject('search', 'no_userspace') | list }}" + - name: Reorganizing core package groups into single list + ansible.builtin.set_fact: + all_core_pkgs: "{{ pkgs | dict2items(key_name='pkg_group', value_name='pkgs') | map(attribute='pkgs') | list | map(attribute='core', default='no_core') | 
list | flatten | reject('search', 'no_core') | list }}" + - name: Configuring aliases for using git + when: "'git' in all_core_pkgs" + community.general.git_config: + name: "alias.{{ item[0] }}" + scope: global + value: "{{ item[1] }}" + loop: "{{ git_aliases }}" + - name: Creating Wireguard VPS VPN service + block: + - name: Ensuring IP forwarding is allowed + become: true + ansible.posix.sysctl: + name: "net.{{ item }}.conf.all.forwarding" + value: "1" + sysctl_set: true + state: present + loop: + - ipv4 + - ipv6 + - name: Creating a directory to house VPN service client configurations + ansible.builtin.file: + path: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d" + recurse: true + owner: "{{ ansible_user }}" + group: "{{ ansible_user }}" + mode: "755" + state: directory + - name: Get the current hostname of the machine + ansible.builtin.shell: + cmd: "echo $(hostname)" + register: current_hostname + - name: Starting DSNet-based Wireguard VPN service configuration + when: vpn_server.driver.name == "dsnet" + block: + - name: Getting DSNet binary application + become: true + ansible.builtin.get_url: + url: "https://github.com/naggie/dsnet/releases/download/{{ vpn_server.driver.version }}/dsnet-linux-amd64" + dest: /usr/bin/dsnet + owner: root + group: root + mode: "744" + force: true + backup: true + - name: Initializing DSNet + become: true + ansible.builtin.command: + cmd: dsnet init + - name: Running DSNet VPN service interface + become: true + ansible.builtin.command: + cmd: dsnet up + - name: Adding peer device for DSNet VPN service interface + become: true + ansible.builtin.shell: + cmd: "dsnet add {{ item.name }}{{ idx }} --owner {{ current_user.stdout }} --description 'For {{ current_hostname.stdout }}--{{ item.desc }}' --confirm > {{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ (idx | string) }}.conf" + creates: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ idx }}.conf" + loop: "{{ 
vpn_server.clients }}" + loop_control: + index_var: idx + - name: Changing ownership of consequent DSNet VPN service client configurations + become: true + ansible.builtin.file: + path: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ (idx | string) }}.conf" + owner: "{{ ansible_user }}" + group: "{{ ansible_user }}" + state: file + loop: "{{ vpn_server.clients }}" + loop_control: + index_var: idx + - name: Pausing to inquire about how to proceed + ansible.builtin.pause: + prompt: "Type \"fetch\" to get the DSNet VPN service client configuration files, or \"show\" to see their contents for manual copying instead" + echo: true + register: data_method + - name: Presenting DSNet VPN service client configuration files to control node for copying + when: data_method.user_input == "show" + block: + - name: Acquiring contents of DSNet VPN service client configuration files + ansible.builtin.slurp: + src: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ (idx | string) }}.conf" + loop: "{{ vpn_server.clients }}" + loop_control: + index_var: idx + register: vpn_client_configs + - name: Presenting contents of DSNet VPN service client configurations to control node + ansible.builtin.debug: + msg: "Copy this client configuration of the DSNet VPN service:\n {{ item.content }}" + loop: "{{ vpn_client_configs.results }}" + - name: Giving opportunity to manually copy contents of DSNet VPN service client configuration files + ansible.builtin.pause: + - name: Providing DSNet VPN service client configuration files to control node machine + when: data_method.user_input == "fetch" + block: + - name: Dupliciating DSNet VPN service client configuration files to control node + ansible.builtin.fetch: + src: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ (idx | string) }}.conf" + dest: "/var/tmp/{{ inventory_hostname }}/wg/" + flat: true + loop: "{{ vpn_server.clients }}" + loop_control: + index_var: idx + - 
name: Informing control node of acquired files + ansible.builtin.debug: + msg: "The DSNet VPS service client configuration files have been duplicated to '/var/tmp/{{ inventory_hostname }}/wg/' at the control node." + - name: Giving control node user time to read the aforementiioned message + ansible.builtin.pause: + seconds: 30 + # @TODO create tasks for registering and presenting contents of just created files + - name: Forwarding network traffic on certain ports to Wireguard VPS service interface + become: true + ansible.builtin.iptables: + chain: FORWARD + protocol: "{{ item[0][0] }}" + source_port: "{{ item[0][1] }}" + in_interface: "{{ item[1] }}" + jump: ACCEPT + loop: "{{ vpn_server.forwards | product([vpn_server.interface]) }}" + - name: Forwarding network traffic on certain ports to Wireguard VPS service interface + become: true + ansible.builtin.iptables: + table: nat + chain: POSTROUTING + out_interface: "{{ vpn_server.interface }}" + jump: MASQUERADE \ No newline at end of file
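Review bot: The directory that receives the generated WireGuard client configurations is created with `mode: "755"`, and the later "Changing ownership…" task sets only `owner`/`group`, so the config files — which carry each peer's private key — keep whatever mode the root-run shell redirect gives them (presumably 0644) and remain readable by every local account. Tighten both tasks: `mode: "0700"` on the `authorized_clients.d` directory and `mode: "0600"` added next to `state: file` in the ownership task. Separately, the `get_url` task installs the dsnet binary into `/usr/bin` with `force: true` but no `checksum:`, so a tampered or mismatched release artifact would be installed and then executed as root by the following `dsnet init`/`dsnet up` tasks; pin it with `checksum: "sha256:<expected-digest>"` (placeholder) alongside `vpn_server.driver.version`. The `fetch` task also lands the same key-bearing files under the shared `/var/tmp/` on the control node and the "Presenting contents…" `debug` task prints them into the run log, so a private destination and `no_log: true` on that task are worth considering; the two final iptables tasks share one name although the second is a NAT MASQUERADE rule, which hides it in play output and `--list-tasks`.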