

17 Commits

Author SHA1 Message Date
e8b29bb8e8 added systemd unit for setting iptables rules using added script, added DSNet systemd unit 2026-06-19 19:22:21 -04:00
aa8d61aa09 added attribute to reboot task to ignore errors; included variables file for configuring VPN, i.e. DSNet, service configuration 2026-06-19 19:21:09 -04:00
2d6dcd3dab added attribute to reboot task to ignore errors; included variables file needed for VPN, i.e. DSNet, service configuration 2026-06-19 19:18:54 -04:00
2c66c3bd43 removed tasks that were instead migrated to a role task included by a role handler 2026-06-19 19:17:24 -04:00
20d1cd21a3 removed an empty line 2026-06-19 19:16:29 -04:00
83fa171341 added task for grabbng software binary as software installation 2026-06-19 19:15:38 -04:00
240efbb713 changed hardlink or actual destnation paths for software binaries, and used relative path for fetched secrets 2026-06-19 19:10:39 -04:00
bcf9eaebc9 removed unnecessary copy task for a source file in managed node 2026-06-19 19:06:55 -04:00
125ec09c8f migrated DSNet tasks to own task file in role, as opposed to having it in relevant playbook 2026-06-19 19:04:54 -04:00
b784b781d3 added a DSNet handler including tasks for post-installation 2026-06-19 19:03:52 -04:00
909682d74e moved burp and rsync installations, and added a new package group for direct software binaries, with dsnet listed in it 2026-06-19 19:02:29 -04:00
bd3029b914 made sure that handlers run prior to hostname change as well as a reboot in which the server is rendered inaccessible 2026-06-18 19:20:56 -04:00
57a3e876b8 added task informing user of needed actions to take advantage of now-avaialble vim plugins 2026-06-18 19:19:23 -04:00
1ce6879abf fixed typo in a line substitution, added SystemD restart tasks for service to abide by configuration changes 2026-06-18 19:18:26 -04:00
9ea7fb37b0 fixed missing loop variable for headscale user registration task 2026-06-18 19:17:16 -04:00
7584027890 moved VIM and Crowdsec setup handler listener, former due to now being userspace package group installation, latter due to needing to precede headscale handler tasks 2026-06-18 19:16:26 -04:00
a78613920c moved vim to userspace package group, referenced crowdsec handler, added password hashing/encryption 2026-06-18 19:14:14 -04:00
25 changed files with 343 additions and 235 deletions


@@ -146,4 +146,3 @@
hour: "4-15"
weekday: "1-5"
job: "{{ ansible_user_home.stdout }}/.local/bin/flexget --cron execute"


@@ -3,7 +3,7 @@
remote_user: "{{ chosen_user | default('senpai') }}"
vars_files:
- vars/git_aliases.yml # REQUIRED
- vars/vpn_server.yml # REQUIRED
- vars/vim_settings.yml # REQUIRED
- vars/config@{{ inventory_hostname | default('vps') }}.yml
tasks:
- name: Installing requisite packages
@@ -11,16 +11,6 @@
name: init-server
tasks_from: userspace@install-pkgs
handlers_from: userspace
- name: Acquiring home of current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo ~{{ ansible_user }}"
register: ansible_user_home
- name: Acquiring current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo {{ ansible_user }}"
register: current_user
- name: Disabling root user shell login
become: true
ansible.builtin.user:
@@ -53,121 +43,3 @@
scope: global
value: "{{ item[1] }}"
loop: "{{ git_aliases }}"
- name: Creating Wireguard VPS VPN service
block:
- name: Ensuring IP forwarding is allowed
become: true
ansible.posix.sysctl:
name: "net.{{ item }}.conf.all.forwarding"
value: "1"
sysctl_set: true
state: present
loop:
- ipv4
- ipv6
- name: Creating a directory to house VPN service client configurations
ansible.builtin.file:
path: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d"
recurse: true
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: "755"
state: directory
- name: Get the current hostname of the machine
ansible.builtin.shell:
cmd: "echo $(hostname)"
register: current_hostname
- name: Starting DSNet-based Wireguard VPN service configuration
when: vpn_server.driver.name == "dsnet"
block:
- name: Getting DSNet binary application
become: true
ansible.builtin.get_url:
url: "https://github.com/naggie/dsnet/releases/download/{{ vpn_server.driver.version }}/dsnet-linux-amd64"
dest: /usr/bin/dsnet
owner: root
group: root
mode: "744"
force: true
backup: true
- name: Initializing DSNet
become: true
ansible.builtin.command:
cmd: dsnet init
- name: Running DSNet VPN service interface
become: true
ansible.builtin.command:
cmd: dsnet up
- name: Adding peer device for DSNet VPN service interface
become: true
ansible.builtin.shell:
cmd: "dsnet add {{ item.name }}{{ idx }} --owner {{ current_user.stdout }} --description 'For {{ current_hostname.stdout }}--{{ item.desc }}' --confirm > {{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ (idx | string) }}.conf"
creates: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ idx }}.conf"
loop: "{{ vpn_server.clients }}"
loop_control:
index_var: idx
- name: Changing ownership of consequent DSNet VPN service client configurations
become: true
ansible.builtin.file:
path: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ (idx | string) }}.conf"
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
state: file
loop: "{{ vpn_server.clients }}"
loop_control:
index_var: idx
- name: Pausing to inquire about how to proceed
ansible.builtin.pause:
prompt: "Type \"fetch\" to get the DSNet VPN service client configuration files, or \"show\" to see their contents for manual copying instead"
echo: true
register: data_method
- name: Presenting DSNet VPN service client configuration files to control node for copying
when: data_method.user_input == "show"
block:
- name: Acquiring contents of DSNet VPN service client configuration files
ansible.builtin.slurp:
src: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ (idx | string) }}.conf"
loop: "{{ vpn_server.clients }}"
loop_control:
index_var: idx
register: vpn_client_configs
- name: Presenting contents of DSNet VPN service client configurations to control node
ansible.builtin.debug:
msg: "Copy this client configuration of the DSNet VPN service:\n {{ item.content }}"
loop: "{{ vpn_client_configs.results }}"
- name: Giving opportunity to manually copy contents of DSNet VPN service client configuration files
ansible.builtin.pause:
- name: Providing DSNet VPN service client configuration files to control node machine
when: data_method.user_input == "fetch"
block:
- name: Dupliciating DSNet VPN service client configuration files to control node
ansible.builtin.fetch:
src: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ (idx | string) }}.conf"
dest: "/var/tmp/{{ inventory_hostname }}/wg/"
flat: true
loop: "{{ vpn_server.clients }}"
loop_control:
index_var: idx
- name: Informing control node of acquired files
ansible.builtin.debug:
msg: "The DSNet VPS service client configuration files have been duplicated to '/var/tmp/{{ inventory_hostname }}/wg/' at the control node."
- name: Giving control node user time to read the aforementiioned message
ansible.builtin.pause:
seconds: 30
# @TODO create tasks for registering and presenting contents of just created files
- name: Forwarding network traffic on certain ports to Wireguard VPS service interface
become: true
ansible.builtin.iptables:
chain: FORWARD
protocol: "{{ item[0][0] }}"
source_port: "{{ item[0][1] }}"
in_interface: "{{ item[1] }}"
jump: ACCEPT
loop: "{{ vpn_server.forwards | product([vpn_server.interface]) }}"
- name: Forwarding network traffic on certain ports to Wireguard VPS service interface
become: true
ansible.builtin.iptables:
table: nat
chain: POSTROUTING
out_interface: "{{ vpn_server.interface }}"
jump: MASQUERADE


@@ -1,6 +1,6 @@
# @TODO create inventory group variables akin to structure of sukaato group's for homeserver
# <str<vault>> representing password for Linux root user account of VPS
password: "{{ lookup('password', '../.tmp/armitage_test.pass', seed='armitage_test') }}"
password: "{{ lookup('password', '../.tmp/armitage_test.pass', seed='armitage_test', encrypt='sha512_crypt') }}"
# <str> representing hostname for LAN server; same as host or group variable name
instance: armitage
# <str<enum>> representing Linux distro or OS image to be used for VPS
@@ -20,7 +20,7 @@ admins:
- ecdsa-37851076-sk@staging
- ed25519-37851076-sk@staging
# <str<vault?>> hashed (and maybe salted) password
password: "{{ lookup('password', '../.tmp/armitage_test.pass', seed='senpai:armitage_test') }}"
password: "{{ lookup('password', '../.tmp/senpai@armitage_test.pass', seed='senpai:armitage_test', encrypt='sha512_crypt') }}"
# <dict[<str>:<dict>]> package groups
pkgs:
# <dict[<str>:<dict>]> representing package groups installed by package manager via repositories
@@ -83,14 +83,6 @@ pkgs:
suites: ~
comps: ~
handler: ~
- name: vim
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: vim
- name: vim-vimwiki
uri: ~
sigkey: ~
@@ -107,14 +99,6 @@ pkgs:
suites: ~
comps: ~
handler: ~
# - name: flatpak
# uri: ~
# sources: ~
# sigkey: ~
# types: ~
# suites: ~
# comps: ~
# handler: ~
- name: snapd
uri: ~
sources: ~
@@ -170,7 +154,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
handler: crowdsec
- name: glow
uri: ~
sigkey: "https://repo.charm.sh/apt/gpg.key"
@@ -355,22 +339,6 @@ pkgs:
suites: ~
comps: ~
handler: ~
- name: burp
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: rsync
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: gnupg
uri: ~
sigkey: ~
@@ -388,6 +356,14 @@ pkgs:
comps: ~
handler: ~
userspace:
- name: vim
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: vim
- name: neovim
uri: ~
sources: ~
@@ -588,6 +564,22 @@ pkgs:
suites: ~
comps: ~
handler: ~
- name: burp
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: rsync
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: rclone
uri: ~
sigkey: ~
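Review bot: The `seed=` argument in the rewritten password lookups (L191, L200) makes the generated password a deterministic function of a literal that lives in the repo (`armitage_test`, `senpai:armitage_test`), so anyone holding this vars file and a comparable Ansible version can regenerate the plaintext; the sukaato file repeats the pattern at L310 and L319. The comment above each value still reads `<str<vault>>`, but nothing here is vault-encrypted — either drop the seed so the copy written to `.tmp/` is the only one, or keep the seed for idempotence and move the expression into a vaulted variable. The `encrypt='sha512_crypt'` addition is the right direction; just make sure the `.tmp/` directory the lookup writes the plaintext and salt into is excluded from version control, which I cannot verify from this page.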


@@ -1,5 +1,5 @@
# <str<vault>> representing password for Linux root user account of VPS
password: "{{ lookup('password', '../.tmp/sukaato_test.pass', seed='sukaato_test') }}"
password: "{{ lookup('password', './.tmp/sukaato_test.pass', seed='sukaato_test', encrypt='sha512_crypt') }}"
# <str<vault>> representing API token for VPS cloud service
token: ~
# <str> representing name and hostname of VPS to be made in VPS cloud service
@@ -22,7 +22,7 @@ admins:
- ecdsa-37851076-sk@staging
- ed25519-37851076-sk@staging
# <str<vault?>> hashed (and maybe salted) password
password: "{{ lookup('password', '../.tmp/sukaato_test.pass', seed='senpai:sukaato_test') }}"
password: "{{ lookup('password', './.tmp/senpai@sukaato_test.pass', seed='senpai:sukaato_test', encrypt='sha512_crypt') }}"
# <dict[<str>:<dict>]> package groups
pkgs:
# <dict[<str>:<dict>]> representing package groups installed by package manager via repositories
@@ -157,14 +157,6 @@ pkgs:
suites: ~
comps: ~
handler: ~
- name: vim
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: vim
- name: git
uri: ~
sources: ~
@@ -188,7 +180,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
handler: crowdsec
- name: glow
uri: ~
sigkey: "https://repo.charm.sh/apt/gpg.key"
@@ -254,22 +246,6 @@ pkgs:
suites: ~
comps: ~
handler: ~
- name: burp
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: rsync
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: gnupg
uri: ~
sigkey: ~
@@ -335,6 +311,14 @@ pkgs:
comps: ~
handler: headscale
userspace:
- name: vim
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: vim
- name: neovim
uri: ~
sigkey: ~
@@ -487,6 +471,22 @@ pkgs:
suites: ~
comps: ~
handler: ~
- name: burp
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: rsync
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
# <dict[<str>:<dict>]> representing package groups installed by shell scripts
script:
# <list[<dict>]> representing user-level or supplemental shell script installations
@@ -542,4 +542,9 @@ pkgs:
# deploy: ~
# pre: ~
# post: ~
# handler: ~
# handler: ~
binaries:
core:
- name: dsnet
src: "https://github.com/naggie/dsnet/releases/download/v0.8.1/dsnet-linux-amd64"
handler: dsnet
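Review bot: The lookup paths now disagree between the two host files: this one writes `./.tmp/…` (L310, L319) while the armitage file writes `../.tmp/…` (L191, L200). As far as I know the password lookup resolves a relative path against the playbook directory, so one of the two places the generated secret a level away from where the other expects it; pick one spelling, e.g. `'./.tmp/senpai@sukaato_test.pass'`, in both files. The file name change to `senpai@…` also means the previously generated `../.tmp/sukaato_test.pass` is no longer read for the admin account, so the admin password will be regenerated on the next run — intended, presumably, but worth stating in the commit.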


@@ -7,6 +7,7 @@
vars_files:
- vars/local_facts.yml # REQUIRED
- vars/vim_settings.yml # REQUIRED
- vars/vpn_server.yml # REQUIRED
- vars/tail_net.yml
- vars/crowdsec.yml
- vars/users@{{ inventory_hostname | default('homeserver') }}.yml
@@ -41,4 +42,5 @@
- name: Rebooting machine for hostname change
become: true
ansible.builtin.reboot:
msg: "Rebooting machine"
msg: "Rebooting machine"
ignore_errors: true
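Review bot: `ignore_errors: true` on the reboot task (L436) also swallows failures that have nothing to do with the host going away — a privilege-escalation error or a refused `reboot` — so the play finishes green without the machine ever restarting; the vps playbook adds the same flag at L474. If the host is expected to be unreachable afterwards (the commit message mentions the server being rendered inaccessible), a fire-and-forget reboot says that without masking errors: `ansible.builtin.command: cmd: shutdown -r +0 "Rebooting machine"` with `async: 1` and `poll: 0`, keeping `become: true`. Otherwise keep `ansible.builtin.reboot` and tune `reboot_timeout` rather than ignoring every error.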


@@ -7,7 +7,7 @@
harden: true
vars_files:
- vars/local_facts.yml # REQUIRED
- vars/vim_settings.yml # REQUIRED
- vars/vpn_server.yml # REQUIRED
- vars/tail_net.yml
- vars/crowdsec.yml
- vars/users@{{ inventory_hostname | default('vps') }}.yml
@@ -31,6 +31,8 @@
ansible.builtin.include_role:
name: init-server
tasks_from: ssh-users
- name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: Update hostname
become: true
ansible.builtin.hostname:
@@ -39,7 +41,15 @@
become: true
ansible.builtin.command:
cmd: "hostnamectl set-icon-name computer-server"
- name: Notifying user that all processes have finished
ansible.builtin.debug:
msg: All processes finished. Hit enter to reboot machine.
- name: Ensuring user has read prior message regarding upcoming reboot
ansible.builtin.pause:
- name: Rebooting machine for hostname change
become: true
ansible.builtin.reboot:
msg: "Rebooting machine"
msg: "Rebooting machine.."
connect_timeout: 0
test_command: ~
ignore_errors: true
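Review bot: `test_command: ~` (L473) passes an explicit null rather than leaving the parameter out; I cannot confirm from here whether the reboot action plugin treats that as "use the default `whoami`" or attempts to run an empty command, and the `ignore_errors: true` directly below would hide either outcome. If the intent is the default post-reboot check, delete the line; if the intent is to skip the check, the module has no setting for that and the fire-and-forget form is the honest expression. `connect_timeout: 0` (L472) is likewise a falsy value that most likely falls back to the connection plugin's default, so it documents nothing and can go too. The `meta: flush_handlers` added before the hostname change (L453–L454) is the right call.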


@@ -0,0 +1,14 @@
[Unit]
Description=dsnet
After=network-online.target
Wants=network-online.target
[Service]
Type=oneshot
ExecStart=/usr/bin/dsnet up
ExecStop=/usr/bin/dsnet down
RemainAfterExit=yes
ExecReload=/usr/bin/dsnet sync
[Install]
WantedBy=default.target
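Review bot: The role task file runs `dsnet up` directly (L627) and afterwards only enables this unit with `daemon_reload: true` (L710–L715), so during the play the interface is up while systemd considers `dsnet.service` inactive; the first `systemctl start dsnet` after that runs `ExecStart` against an already-up interface, which I would expect dsnet to reject but cannot confirm. Replacing the direct `dsnet up` task with `state: started` on the systemd task lets the unit own the interface lifecycle. `WantedBy=default.target` works on the system instance because it aliases `multi-user.target` on most distributions, but `multi-user.target` is the conventional target for a system service and reads unambiguously.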


@@ -0,0 +1,14 @@
[Unit]
Description=thrunet
After=network-online.target
Wants=network-online.target
[Service]
Type=oneshot
ExecStart=/usr/local/bin/dsnet-forward.sh start
ExecStop=/usr/local/bin/dsnet-forward.sh stop
RemainAfterExit=yes
# ExecReload=/usr/bin/dsnet sync
[Install]
WantedBy=default.target
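Review bot: The unit has no relation to `dsnet.service` even though its rules reference interface `dsnet`; iptables accepts names for interfaces that do not exist yet, so this is a lifecycle rather than a correctness issue, but the rules stay installed when the tunnel is stopped and are not reconsidered when it is restarted on its own. Add `After=dsnet.service` and `BindsTo=dsnet.service` under `[Unit]` so the rules follow the interface. `Description=thrunet` tells a reader of `systemctl status` nothing; `Description=iptables forwarding rules for the dsnet WireGuard interface` would.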


@@ -0,0 +1,10 @@
#!/bin/bash
set -euo pipefail
if [[ "$1" == "start" ]]; then
/usr/sbin/iptables -A FORWARD -i dsnet -p tcp --sport {80,443,465,587,995,110,143,993} -j ACCEPT
/usr/sbin/iptables -t nat -A POSTROUTING -o dsnet -j MASQUERADE
elif [[ "$1" == "stop" ]]; then
/usr/sbin/iptables -D FORWARD -i dsnet -p tcp --sport {80,443,465,587,995,110,143,993} -j ACCEPT
/usr/sbin/iptables -t nat -D POSTROUTING -o dsnet -j MASQUERADE
fi
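Review bot: `--sport {80,443,…}` on L514 and L517 is brace-expanded by bash into separate words (`--sport 80 443 465 …`), so iptables sees stray arguments and the script aborts under `set -e`; matching several ports needs the multiport match, `-m multiport --sports 80,443,…`. Matching on the source port also deserves a second look: the sender chooses it, so as an allow-list it grants nothing — if the intent is to admit replies from a service behind the tunnel, `-m conntrack --ctstate ESTABLISHED,RELATED` is the robust form, and if the intent is to admit client requests it should be `--dports`. `set -u` with a bare `$1` turns a missing argument into an "unbound variable" abort instead of a usage message, and `-A` on a repeated `start` stacks duplicate rules that a single `stop` does not remove. The rewrite below keeps the current source-port semantics and fixes the syntax, idempotence and argument handling.
```shell
#!/bin/bash
set -euo pipefail

IPT=/usr/sbin/iptables
PORTS=80,443,465,587,995,110,143,993

# apply TABLE RULE... — add the rule once, or remove it if present, per $action
apply() {
  local table=$1; shift
  if "$IPT" -t "$table" -C "$@" 2>/dev/null; then
    if [[ $action == stop ]]; then "$IPT" -t "$table" -D "$@"; fi
  elif [[ $action == start ]]; then
    "$IPT" -t "$table" -A "$@"
  fi
}

action=${1:-}
case "$action" in
  start|stop) ;;
  *) echo "usage: $0 start|stop" >&2; exit 2 ;;
esac

apply filter FORWARD -i dsnet -p tcp -m multiport --sports "$PORTS" -j ACCEPT
apply nat POSTROUTING -o dsnet -j MASQUERADE
```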


@@ -5,10 +5,10 @@
ansible.builtin.debug:
msg: "No post-installaton or additional installation steps needed--continuing..."
listen: default
- name: Setting up ViM
- name: Setting up Crowdsec
ansible.builtin.include_tasks:
file: tasks/contingent/pkg/vim.yml
listen: vim
file: tasks/contingent/pkg/crowdsec.yml
listen: crowdsec
- name: Setting up Headscale
ansible.builtin.include_tasks:
file: tasks/contingent/pkg/headscale.yml
@@ -21,3 +21,7 @@
ansible.builtin.include_tasks:
file: tasks/contingent/pkg/tor.yml
listen: tor
- name: Setting up DSNet
ansible.builtin.include_tasks:
file: tasks/contingent/pkg/dsnet.yml
listen: dsnet


@@ -5,6 +5,10 @@
ansible.builtin.debug:
msg: "No post-installaton or additional installation steps needed--continuing..."
listen: default
- name: Setting up ViM
ansible.builtin.include_tasks:
file: tasks/contingent/pkg/vim.yml
listen: vim
- name: Settng up NeoViM
ansible.builtin.include_tasks:
file: tasks/contingent/pkg/neovim.yml


@@ -1,3 +1,10 @@
- name: Restarting SystemD service
become: true
ansible.builtin.systemd_service:
name: crowdsec
scope: system
enabled: true
state: started
- name: Changing the address and port of the Crowdsec server
become: true
ansible.builtin.lineinfile:
@@ -11,7 +18,7 @@
become: true
ansible.builtin.lineinfile:
path: /etc/crowdsec/config.yaml
regexp: "^ {2}listen_uri"
regexp: "^ {2}listen_addr"
line: " listen_addr: localhost"
owner: root
group: root
@@ -24,4 +31,10 @@
line: "url: http://localhost:{{ crowdsec.port }}"
owner: root
group: root
mode: "644"
mode: "644"
- name: Restarting SystemD service
become: true
ansible.builtin.systemd_service:
name: crowdsec
scope: system
state: restarted
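Review bot: The new task at L563–L569 is named "Restarting SystemD service" but what it does is `enabled: true` / `state: started`, and the task appended at L588–L593 carries the identical name, so the two are indistinguishable in play output. Rename the first, e.g. `- name: Ensuring Crowdsec service is enabled and started`, and the second `- name: Restarting Crowdsec to apply configuration changes`. The regexp fix at L578 matches two leading spaces while the replacement at L579 shows one (`" listen_addr: localhost"`) — that may be the page collapsing whitespace, but it is worth checking the file, since a mismatch rewrites the indentation inside config.yaml.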


@@ -15,7 +15,7 @@
become: true
ansible.builtin.file:
src: "{{ ansible_user_home.stdout }}/downloads/archives/released/difftastic/{{ item }}"
dest: "/usr/local/bin/{{ item }}"
dest: "/usr/bin/{{ item }}"
state: link
loop:
- difft
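Review bot: Moving the symlinks from `/usr/local/bin` to `/usr/bin` (L602; the same change appears for juliaup L776, node L809–L879, radicle L891–L909, rust L921, surge L933 and uv L959) puts them in the directory the distribution's package manager owns, so a later package that ships `/usr/bin/rustup`, `/usr/bin/uv` or `/usr/share/man/man1/rad.1` will either fail to install or replace the link silently, whereas `/usr/local` is reserved for exactly this kind of locally installed software. The `src` side is under `{{ ansible_user_home.stdout }}`, so each root-owned link resolves into a directory writable by the unprivileged user — worth keeping in mind before anything run with `become` relies on these names. I would revert to `dest: "/usr/local/bin/{{ item }}"` (and the matching `/usr/local/share` and `/usr/local/include` paths) unless `/usr/local/bin` is missing from the PATH of the accounts that need them, which is better fixed in the shell profile.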


@@ -0,0 +1,147 @@
- name: Acquiring home of current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo ~{{ ansible_user }}"
register: ansible_user_home
- name: Acquiring current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo {{ ansible_user }}"
register: current_user
- name: Initializing DSNet
become: true
ansible.builtin.command:
cmd: dsnet init
- name: Running DSNet VPN service interface
become: true
ansible.builtin.command:
cmd: dsnet up
- name: Creating a directory to house VPN service client configurations
ansible.builtin.file:
path: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d"
recurse: true
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: "755"
state: directory
- name: Adding peer device for DSNet VPN service interface
become: true
ansible.builtin.shell:
cmd: "dsnet add {{ item.name }}{{ idx }} --owner {{ current_user.stdout }} --description 'For {{ item.name }}--{{ item.desc }}' --confirm > {{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ (idx | string) }}.conf"
creates: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ idx }}.conf"
loop: "{{ vpn_server.clients }}"
loop_control:
index_var: idx
- name: Changing ownership of consequent DSNet VPN service client configurations
ansible.builtin.file:
path: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ (idx | string) }}.conf"
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
state: file
loop: "{{ vpn_server.clients }}"
loop_control:
index_var: idx
- name: Pausing to inquire about how to proceed
ansible.builtin.pause:
prompt: "Type \"fetch\" to get the DSNet VPN service client configuration files, or \"show\" to see their contents for manual copying instead"
echo: true
register: data_method
- name: Presenting DSNet VPN service client configuration files to control node for copying
when: data_method.user_input == "show"
block:
- name: Acquiring contents of DSNet VPN service client configuration files
ansible.builtin.slurp:
src: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ (idx | string) }}.conf"
loop: "{{ vpn_server.clients }}"
loop_control:
index_var: idx
register: vpn_client_configs
- name: Presenting contents of DSNet VPN service client configurations to control node
ansible.builtin.debug:
msg: "Copy this client configuration of the DSNet VPN service:\n {{ item.content }}"
loop: "{{ vpn_client_configs.results }}"
- name: Giving opportunity to manually copy contents of DSNet VPN service client configuration files
ansible.builtin.pause:
- name: Providing DSNet VPN service client configuration files to control node machine
when: data_method.user_input == "fetch"
block:
- name: Dupliciating DSNet VPN service client configuration files to control node
ansible.builtin.fetch:
src: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ (idx | string) }}.conf"
dest: "./.tmp/{{ inventory_hostname }}-dsnet/wg/"
flat: true
loop: "{{ vpn_server.clients }}"
loop_control:
index_var: idx
- name: Informing control node of acquired files
ansible.builtin.debug:
msg: "The DSNet VPS service client configuration files have been duplicated to '/var/tmp/{{ inventory_hostname }}/wg/' at the control node."
- name: Giving control node user time to read the aforementiioned message
ansible.builtin.pause:
seconds: 30
- name: Ensuring IP forwarding is allowed
become: true
ansible.posix.sysctl:
name: "net.{{ item }}.ip_forward"
value: "1"
sysctl_set: true
state: present
loop:
- ipv4
# - ipv6
- name: Creating SystemD unit for placing up DSNet interface
become: true
ansible.builtin.copy:
src: systemd/system/dsnet.service
dest: /etc/systemd/system/dsnet.service
owner: root
group: root
force: true
backup: true
- name: Reloading SystemD and enabling DSNet interface
become: true
ansible.builtin.systemd_service:
name: dsnet
enabled: true
daemon_reload: true
- name: Copying script for DSNet iptables rules
become: true
ansible.builtin.copy:
src: usr/local/bin/dsnet-forward.sh
dest: /usr/local/bin/
owner: root
group: root
mode: "744"
force: true
backup: true
- name: Creating SystemD unit for DSNet iptables rules
become: true
ansible.builtin.copy:
src: systemd/system/thrunet.service
dest: /etc/systemd/system/thrunet.service
owner: root
group: root
force: true
backup: true
- name: Reloading SystemD and enabling iptables rules SystemD unit
become: true
ansible.builtin.systemd_service:
name: thrunet
enabled: true
daemon_reload: true
- name: Forwarding network traffic on certain ports to Wireguard VPS service interface
become: true
ansible.builtin.iptables:
chain: FORWARD
protocol: "{{ item[0][0] }}"
source_port: "{{ item[0][1] }}"
in_interface: "{{ item[1] }}"
jump: ACCEPT
loop: "{{ vpn_server.forwards | product([vpn_server.interface]) }}"
- name: Forwarding network traffic on certain ports to Wireguard VPS service interface
become: true
ansible.builtin.iptables:
table: nat
chain: POSTROUTING
out_interface: "{{ vpn_server.interface }}"
jump: MASQUERADE
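Review bot: The ownership task at L644–L652 drops the `become: true` that the playbook version had, yet the files it chowns were written by the redirect in the `become: true` shell task just above (L636–L643) and so belong to root; as written I expect it to fail with a permission error. Those wg-quick configs carry each peer's private key but nothing sets their mode, so they inherit root's umask inside the user's home — add `become: true` and `mode: "600"` to that task. The debug message at L687 still says `/var/tmp/{{ inventory_hostname }}/wg/` while the fetch destination at L680 is `./.tmp/{{ inventory_hostname }}-dsnet/wg/`. The sysctl key changed from `net.{{ item }}.conf.all.forwarding` to `net.{{ item }}.ip_forward` (L694), which is presumably why ipv6 had to be commented out — the former spelling is valid for both families. The two iptables tasks at L741–L756 install the same rules that `dsnet-forward.sh` manages through thrunet.service, so after a play the FORWARD chain holds them twice; keep one mechanism.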


@@ -32,6 +32,7 @@
cmd: "headscale users create {{ item.username }} -d '{{ item.dname }}' -e '{{ item.email }}'"
# vars:
# default_pfp: ~
loop: "{{ tail.users }}"
register: headscale_registration
changed_when:
- "'User created' in headscale_registration.stdout"
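Review bot: The loop fix is right, but the `cmd` on L761 interpolates `item.username`, `item.dname` and `item.email` into a shell string unquoted, so a display name containing an apostrophe breaks the command and, because the values come from `tail.users`, anything placed in that file becomes part of the command line; pass them through the `quote` filter, e.g. `cmd: "headscale users create {{ item.username | quote }} -d {{ item.dname | quote }} -e {{ item.email | quote }}"`. The task's module line is above the hunk, so I cannot tell whether this is `ansible.builtin.command` or `shell`; with `command` and the `argv` form the quoting question disappears entirely.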


@@ -19,7 +19,7 @@
become: true
ansible.builtin.file:
src: "{{ ansible_user_home.stdout }}/.juliaup/bin/{{ item }}"
dest: "/usr/local/bin/{{ item }}"
dest: "/usr/bin/{{ item }}"
owner: root
group: root
state: link


@@ -9,17 +9,6 @@
ansible.builtin.shell:
cmd: "echo {{ ansible_user }}"
register: current_user
- name: Copy system ViM configuration to home directory
become: true
ansible.builtin.copy:
src: /root/.vimrc
remote_src: true
dest: "{{ ansible_user_home.stdout }}/.vimrc"
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: "644"
force: true
backup: true
- name: Creating directory tree for NeoViM configuration files
ansible.builtin.file:
path: "{{ ansible_user_home.stdout }}/.config/nvim"


@@ -20,7 +20,7 @@
- name: Linking binaries to directories already in PATH environment variable
ansible.builtin.file:
src: "{{ item[0] }}/bin/{{ item[1] }}"
dest: "/usr/local/bin/{{ item[1] }}"
dest: "/usr/bin/{{ item[1] }}"
owner: root
group: root
state: link
@@ -28,7 +28,7 @@
- name: Linking binaries to directories already in PATH environment variable
ansible.builtin.file:
src: "{{ item[0] }}/lib/node_modules/corepack/dist/{{ item[1] }}.js"
dest: "/usr/local/bin/{{ item[1] }}"
dest: "/usr/bin/{{ item[1] }}"
owner: root
group: root
state: link
@@ -36,7 +36,7 @@
- name: Linking binaries to directories already in PATH environment variable
ansible.builtin.file:
src: "{{ item[0] }}/lib/node_modules/npm/bin/{{ item[1] }}-cli.js"
dest: "/usr/local/bin/{{ item[1] }}"
dest: "/usr/bin/{{ item[1] }}"
owner: root
group: root
state: link
@@ -44,7 +44,7 @@
- name: Link includes to directories already recognized by system
ansible.builtin.file:
src: "{{ item[0] }}/include/{{ item[1] }}"
dest: "/usr/local/include/{{ item[1] }}"
dest: "/usr/include/{{ item[1] }}"
owner: root
group: root
state: link
@@ -52,14 +52,14 @@
- name: Link requisite libraries to directories already recognized by system
ansible.builtin.file:
src: "{{ item[0] }}/lib/{{ item[1] }}"
dest: "/usr/local/lib/{{ item[1] }}"
dest: "/usr/lib/{{ item[1] }}"
owner: root
group: root
state: link
loop: "{{ prebuilt_nodepaths | product(['node_modules']) }}"
- name: Create man1 subdirectory for man pages
ansible.builtin.file:
path: /usr/local/share/man/man1
path: /usr/share/man/man1
recurse: true
owner: root
group: root
@@ -68,14 +68,14 @@
- name: Link shared resources to directories already recognized by system
ansible.builtin.file:
src: "{{ item[0] }}/share/man/man1/{{ item[1] }}.1"
dest: "/usr/local/share/man/man1/{{ item[1] }}.1"
dest: "/usr/share/man/man1/{{ item[1] }}.1"
owner: root
group: root
state: link
loop: "{{ prebuilt_nodepaths | product(['node']) }}"
- name: Create man1 subdirectory for man pages
ansible.builtin.file:
path: /usr/local/share/doc
path: /usr/share/doc
recurse: true
owner: root
group: root
@@ -84,7 +84,7 @@
- name: Link shared resources to directories already recognized by system
ansible.builtin.file:
src: "{{ item[0] }}/share/doc/{{ item[1] }}"
dest: "/usr/local/share/doc/{{ item[1] }}"
dest: "/usr/share/doc/{{ item[1] }}"
owner: root
group: root
state: link


@@ -21,7 +21,7 @@
- name: Linking binaries to directories already in PATH environment variable
ansible.builtin.file:
src: "{{ ansible_user_home.stdout }}/.radicle/bin/{{ item }}"
dest: "/usr/local/bin/{{ item }}"
dest: "/usr/bin/{{ item }}"
state: link
loop:
- rad
@@ -29,7 +29,7 @@
- git-remote-rad
- name: Create man1 subdirectory for man pages
ansible.builtin.file:
path: /usr/local/share/man/man1
path: /usr/share/man/man1
recurse: true
owner: root
group: root
@@ -38,7 +38,7 @@
- name: Link manpages to Linux manpage directories
ansible.builtin.file:
src: "{{ ansible_user_home.stdout }}/.radicle/man/man1/{{ item }}.1"
dest: "/usr/local/share/man/man1/{{ item }}.1"
dest: "/usr/share/man/man1/{{ item }}.1"
state: link
loop:
- rad


@@ -19,7 +19,7 @@
become: true
ansible.builtin.file:
src: "{{ ansible_user_home.stdout }}/.cargo/bin/{{ item }}"
dest: "/usr/local/bin/{{ item }}"
dest: "/usr/bin/{{ item }}"
state: link
loop:
- rustup


@@ -8,7 +8,7 @@
become: true
ansible.builtin.file:
src: "{{ ansible_user_home.stdout }}/downloads/archives/released/surge/{{ item }}"
dest: "/usr/local/bin/{{ item }}"
dest: "/usr/bin/{{ item }}"
state: link
loop:
- surge
@@ -43,12 +43,11 @@
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: "644"
state: touch
register: surge_token
- name: Placing Surge API token into file on control node
ansible.builtin.fetch:
src: "{{ surge_token.dest }}"
dest: "/var/tmp/{{ inventory_hostname }}/surge.token"
dest: "./.tmp/{{ inventory_hostname }}-surge/surge.secret"
flat: true
- name: Informing control node of acquired files
ansible.builtin.debug:
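Review bot: The token file being fetched is created on the managed node with `mode: "644"` (L940), which leaves a Surge API token readable by every local account there; the commit only changes where the copy lands on the control node. Set `mode: "600"` on the `touch` task, and since the new destination `./.tmp/{{ inventory_hostname }}-surge/surge.secret` (L947) is relative to the control node's working directory, make sure `.tmp/` is excluded from version control — I cannot see a `.gitignore` from this page. The "Informing control node" task that follows (L949–L950, continuing outside the hunk) may still name the old `/var/tmp/…` path, as the equivalent dsnet message does; worth a check.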


@@ -19,7 +19,7 @@
become: true
ansible.builtin.file:
src: "{{ ansible_user_home.stdout }}/.local/bin/{{ item }}"
dest: "/usr/local/bin/{{ item }}"
dest: "/usr/bin/{{ item }}"
state: link
loop:
- uv


@@ -19,6 +19,7 @@
recurse: true
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: "755"
state: directory
loop:
- autoload
@@ -30,7 +31,7 @@
become_user: "{{ current_user.stdout }}"
ansible.builtin.uri:
url: "https://raw.githubusercontent.com/junegunn/vim-plug/master/plug.vim"
dest: "{{ ansible_user_home.stdout }}/.vim/autoload/"
dest: "{{ ansible_user_home.stdout }}/.vim/autoload/plug.vim"
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
force: true
@@ -46,4 +47,9 @@
group: "{{ ansible_user }}"
force: true
backup: true
# @TODO run command to make sure plugins referenced in 'vimrc' are installed
- name: Informing user of need to manually run PlugInstall in ViM
ansible.builtin.debug:
msg: "Make sure to run \":PlugInstall\" the first time you open/use ViM"
- name: Pausing to ensure user has read message about needed manual PlugInstall execution for ViM
ansible.builtin.pause:
seconds: 30
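Review bot: The plug.vim download at L977 pulls from the `master` branch with no integrity check, so each run may fetch a different file and nothing pins what ends up in `~/.vim/autoload/`; `ansible.builtin.uri` has no checksum parameter, so switching that task to `ansible.builtin.get_url` with a tagged or commit-pinned URL and `checksum: "sha256:<PLACEHOLDER>"` is the way to get one. Naming the file explicitly in `dest` (L979) is fine. The 30-second `pause` at L991–L993 could be an unbounded `ansible.builtin.pause:` like the other confirmation prompts in this role, so a reader who has already seen the message is not held up.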


@@ -216,3 +216,18 @@
msg: Rebooting machine
tags:
- get_git_pkgs
- name: Installing software as pre-compiled binary
block:
- name: Grabbing software binary
become: true
ansible.builtin.get_url:
url: "{{ item.src }}"
dest: "/usr/bin/{{ item.name }}"
owner: root
group: root
mode: "744"
force: true
backup: true
notify: "{{ item.handler }}"
loop: "{{ (pkgs.binaries.core | default([])) }}"
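Review bot: `get_url` at L1005–L1013 writes whatever `item.src` returns straight to `/usr/bin/{{ item.name }}` with mode 744 and no `checksum`, and the dsnet entry is then executed as root by a systemd unit; the userspace variant at L1028–L1036 has the same gap. Add `checksum: "{{ item.checksum | default(omit) }}"` to both tasks and a `checksum: "sha256:<PLACEHOLDER>"` key next to `src` in the `pkgs.binaries` entries (L416–L418) so each download is verified against a value recorded in the repo. With a checksum in place `force: true` is counter-productive — it re-downloads on every run and `backup: true` then leaves timestamped copies of the old binary in `/usr/bin` — whereas get_url, as far as I recall, skips the download when the existing file already matches the checksum. `notify: "{{ item.handler }}"` will receive null for an entry written with `handler: ~` like the package entries are; `notify: "{{ item.handler | default('default', true) }}"` routes those to the handler that listens on `default`.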


@@ -216,5 +216,17 @@
msg: Rebooting machine
tags:
- get_git_pkgs
# @TODO add a reboot either here or in any of the handlers potentially notified from here in
# order to update environment (unless found better solution)
- name: Installing software as pre-compiled binary
block:
- name: Grabbing software binary
become: true
ansible.builtin.get_url:
url: "{{ item.src }}"
dest: "/usr/bin/{{ item.name }}"
owner: root
group: root
mode: "744"
force: true
backup: true
notify: "{{ item.handler }}"
loop: "{{ (pkgs.binaries.userspace | default([])) }}"