

65 Commits

Author SHA1 Message Date
e8b29bb8e8 added systemd unit for setting iptables rules using added script, added DSNet systemd unit 2026-06-19 19:22:21 -04:00
aa8d61aa09 added attribute to reboot task to ignore errors; included variables file for configuring VPN, i.e. DSNet, service configuration 2026-06-19 19:21:09 -04:00
2d6dcd3dab added attribute to reboot task to ignore errors; included variables file needed for VPN, i.e. DSNet, service configuration 2026-06-19 19:18:54 -04:00
2c66c3bd43 removed tasks that were instead migrated to a role task included by a role handler 2026-06-19 19:17:24 -04:00
20d1cd21a3 removed an empty line 2026-06-19 19:16:29 -04:00
83fa171341 added task for grabbng software binary as software installation 2026-06-19 19:15:38 -04:00
240efbb713 changed hardlink or actual destnation paths for software binaries, and used relative path for fetched secrets 2026-06-19 19:10:39 -04:00
bcf9eaebc9 removed unnecessary copy task for a source file in managed node 2026-06-19 19:06:55 -04:00
125ec09c8f migrated DSNet tasks to own task file in role, as opposed to having it in relevant playbook 2026-06-19 19:04:54 -04:00
b784b781d3 added a DSNet handler including tasks for post-installation 2026-06-19 19:03:52 -04:00
909682d74e moved burp and rsync installations, and added a new package group for direct software binaries, with dsnet listed in it 2026-06-19 19:02:29 -04:00
bd3029b914 made sure that handlers run prior to hostname change as well as a reboot in which the server is rendered inaccessible 2026-06-18 19:20:56 -04:00
57a3e876b8 added task informing user of needed actions to take advantage of now-avaialble vim plugins 2026-06-18 19:19:23 -04:00
1ce6879abf fixed typo in a line substitution, added SystemD restart tasks for service to abide by configuration changes 2026-06-18 19:18:26 -04:00
9ea7fb37b0 fixed missing loop variable for headscale user registration task 2026-06-18 19:17:16 -04:00
7584027890 moved VIM and Crowdsec setup handler listener, former due to now being userspace package group installation, latter due to needing to precede headscale handler tasks 2026-06-18 19:16:26 -04:00
a78613920c moved vim to userspace package group, referenced crowdsec handler, added password hashing/encryption 2026-06-18 19:14:14 -04:00
0dd0633166 hard-coded dedicated SSH keys for staging to automatically populate ssh-agent, added a subcommand for listing SSH keys in use by SSH agent 2026-06-17 14:42:16 -04:00
9945330b82 added task block to prompt user for a fallback password if given root password is null 2026-06-17 14:40:35 -04:00
f4399a2c8a added task block to prompt user for a fallback password if given user password is null 2026-06-17 14:40:17 -04:00
596b828e6f changed SSH key queries to dedicated SSH keys, and automated password creation, for staging; removed token to be prompted instead 2026-06-17 14:39:10 -04:00
13ef8fa459 made ungrouped hosts be two machines for staging or more 2026-06-17 14:36:26 -04:00
52f98c1d57 removed some information from example files for users to fill on their own 2026-06-16 15:02:11 -04:00
c0d0203406 excluded some very specific vars files from version control due to potential sensitive information 2026-06-16 14:57:56 -04:00
889b06bf21 altered template variables for vim editor configuration file 2026-06-16 14:57:11 -04:00
5bfde90be9 altered template variables for flexget configuration file 2026-06-16 14:56:30 -04:00
f592a56c60 added/altered template variables for headscale configuration file 2026-06-16 14:55:56 -04:00
fc95904327 added a default handler that performs a default action for software installation if none needed, as looped installations nonetheless will attempt to notify one 2026-06-16 14:55:06 -04:00
f43e420f66 allowed for change of crowdsec ports from their defaults 2026-06-16 14:53:58 -04:00
a6fc067eb1 added configuration of template files as top-level variable files in vars directory, to be referenced in relevant playbooks 2026-06-16 14:53:01 -04:00
44c343dd7b added decision tree for how to retrieve and make use of output produced on remote machine for future purposes 2026-06-16 14:51:17 -04:00
8894bd8925 ensured backups and forced changes for confguration files; fixed issue with failing to look up path on remote machine for remote machine copying operations 2026-06-16 14:50:02 -04:00
7daf57da64 moved post-installation reboots to task blocks from each software's associated handler to reduce power cycle; fixed semantic errors with varables and fixed repository addition issues 2026-06-16 14:47:31 -04:00
dc8dbcc43e added handlers inclusive of tasks related to headscale, git, vim and tor, as well as those very tasks 2026-06-16 14:40:56 -04:00
a4c26fd9c3 created example files for the basic server groupings 2026-06-16 14:21:50 -04:00
cf7612365a finished new playbook 2026-06-16 14:20:57 -04:00
3343f7ad69 finished new playbook 2026-06-16 14:20:40 -04:00
7268245bb7 finished new playbook 2026-06-16 14:20:16 -04:00
555c7d0a6a replaced example file with original, native playbook file 2026-06-16 14:16:01 -04:00
5049210e25 added community.general to requirements, just in case 2026-06-16 14:14:26 -04:00
0d7b0f0c66 created a new host grouping naming sheme, including a hypothetical ungrouped host for staging purposes 2026-06-16 14:12:30 -04:00
691d85458e excluded old group_vars files from version control 2026-06-16 14:07:14 -04:00
8e1f5c6743 replacing with what is mainly a testing file 2026-06-16 14:06:25 -04:00
1fed9cf441 replaced with what is mainly a testing file 2026-06-16 14:04:30 -04:00
f5fa460e44 renamed bootstrap shell script 2026-06-16 14:03:07 -04:00
9d80fbb567 removed example file, for original file 2026-06-16 14:02:17 -04:00
3fe4d9d5a2 added new dictionary variable, that has groups of container engine images; removed two packages from package groups to prepare for containerization instead 2026-06-10 22:10:23 -04:00
17a921b551 included an ansible-galaxy collecton requirement for containers.podman 2026-06-10 22:09:09 -04:00
ac4af5de3d added task that creates two new networks for podman 2026-06-10 22:08:17 -04:00
f455483d66 brought back use of 'local_facts' variable to make use of local, control node user running plays for path completion 2026-06-10 14:08:01 -04:00
9942fd94f8 created new package tasks for handler-based inclusions, otehrwise got username and home directory of SSH login for path purposes 2026-06-10 14:06:12 -04:00
9d33b45dbc added files or templates to be copied or used for configuration of vim/nvim editors on remote host 2026-06-10 14:04:12 -04:00
0cee2cbb79 changed an SSHD configuration file for remote host so its SSH server also allows agent forwarding from client 2026-06-10 14:02:40 -04:00
50c7b6a56d made use of username of user logged in and running 'sudo' for particular tasks, added true 'become' attrbute to some tasks 2026-06-10 14:01:49 -04:00
fc565fa3ce created new playbook for nonroot user login, moved package installation stage/order prior to user/group management 2026-06-10 13:57:11 -04:00
c31acb2dcc changed passwords, added packages, moved some packages to different package groups for different instasllation approach by plays or role tasks 2026-06-10 13:54:23 -04:00
55a5e956d4 removed core_pkgs variable as no longer needed 2026-06-10 13:53:36 -04:00
a16351985f changed passwords, added packages, moved some packages to different package groups for different instasllation approach by plays or role tasks 2026-06-10 13:52:29 -04:00
ac1eb31926 added agent forwarding capabilities to Ansible SSH connection client to enable private key use 2026-06-10 13:49:49 -04:00
19929405ba excluded non-example, fully configured playbook from version control 2026-06-10 13:48:17 -04:00
f54545b1dd renamed bash script file to reflect its function--automation of playbook runs 2026-06-10 13:47:20 -04:00
4074eacb1f refactor: split up package installation tasks in accord with splittng of post-installation handlers, for use by separate playbooks 2026-06-10 13:46:18 -04:00
af9fc3b4ca refactor: split up file into two distnct sets of handlers to be called separately by plays 2026-06-10 13:43:59 -04:00
1b6811b42b quick push of recent changes for synchronous work on other devices 2026-06-06 16:36:53 -04:00
e2128552b9 used 'product' filter to avoid nested loop for host/group server address and SSH public key paths 2026-06-04 07:59:26 -04:00
58 changed files with 5168 additions and 979 deletions

9
.gitignore vendored

@@ -5,7 +5,14 @@
/hosts.yaml
/hosts.json
*.bak
/init@homeserver.yml
/group_vars/armitage.yml
/group_vars/sukaato.yml
/group_vars/armitage.yml
/group_vars/sukaato.yml
/vars/aria_api.yml
/vars/vpn_server.yml
/vars/tail_net.yml
/vars/local_facts.yml
# Ansible runtime and backups
*.original
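Review bot: `/group_vars/armitage.yml` and `/group_vars/sukaato.yml` each appear twice in this hunk (right after `/init@homeserver.yml`); if both copies are on the new side the second pair is redundant and should be dropped, and if one pair is old text the rendering has lost its marker. Ignoring these files only stops future tracking: if any of them was already committed with real values, `git rm --cached` and a history check are still needed.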

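--- /dev/null
+++ b/administrate@homeserver.yml
@@ -0,0 +1,148 @@
+- name: Initialize homeserver
+hosts: "{{ chosen_host | default('armitage') }}"
+remote_user: "{{ chosen_user | default('senpai') }}"
+vars_files:
+- vars/git_aliases.yml # REQUIRED
+- vars/sox_prox.yml # REQUIRED
+- vars/flexget_dls.yml # REQUIRED
+- vars/aria_api.yml # REQUIRED
+- vars/config@{{ inventory_hostname | default('homeserver') }}.yml
+tasks:
+- name: Installing requisite packages
+ansible.builtin.include_role:
+name: init-server
+tasks_from: userspace@install-pkgs
+handlers_from: userspace
+- name: Acquiring home of current user
+when: ansible_facts["system"] == "Linux"
+ansible.builtin.shell:
+cmd: "echo ~{{ ansible_user }}"
+register: ansible_user_home
+- name: Acquiring current user
+when: ansible_facts["system"] == "Linux"
+ansible.builtin.shell:
+cmd: "echo {{ ansible_user }}"
+register: current_user
+- name: Disabling root user shell login
+become: true
+ansible.builtin.user:
+name: root
+shell: /sbin/nologin
+tags:
+- disable_root_shell
+- name: Disable login for root user altogether
+become: true
+ansible.builtin.user:
+name: root
+password: "'*'"
+tags:
+- disable_root_login
+- name: Reorganizing userspace package groups into single list
+ansible.builtin.set_fact:
+all_userspace_pkgs: "{{ pkgs | dict2items(key_name='pkg_group', value_name='pkgs') | map(attribute='pkgs') | list | map(attribute='userspace') | list | flatten }}"
+- name: Reorganizing core package groups into single list
+ansible.builtin.set_fact:
+all_core_pkgs: "{{ pkgs | dict2items(key_name='pkg_group', value_name='pkgs') | map(attribute='pkgs') | list | map(attribute='core') | list | flatten }}"
+- name: Configuring aliases for using git
+when: "'git' in all_core_pkgs"
+community.general.git_config:
+name: "alias.{{ item[0] }}"
+scope: global
+value: "{{ item[1] }}"
+loop: "{{ git_aliases }}"
+- name: Checking presence of dependency for flexget
+when: "'uv' in all_core_pkgs"
+block:
+- name: Installing flexget
+become: true
+become_user: "{{ current_user.stdout }}"
+ansible.builtin.command:
+argv:
+- uv
+- tool
+- install
+- "flexget[locked,ftp,sftp]"
+- "--with"
+- pysocks
+- name: Creating requisite download paths
+ansible.builtin.file:
+path: "{{ ansible_user_home.stdout }}/downloads/flexget/vids/{{ item }}/torrents"
+recurse: true
+owner: "{{ ansible_user }}"
+group: "{{ ansible_user }}"
+state: directory
+mode: "755"
+loop:
+- series
+- name: Creating requisite download paths
+ansible.builtin.file:
+path: "{{ ansible_user_home.stdout }}/downloads/flexget/vids/torrents"
+recurse: true
+owner: "{{ ansible_user }}"
+group: "{{ ansible_user }}"
+state: directory
+mode: "755"
+- name: Creating requisite hidden download paths
+ansible.builtin.file:
+path: "{{ ansible_user_home.stdout }}/downloads/.xxx/flexget/vids/torrents"
+recurse: true
+owner: "{{ ansible_user }}"
+group: "{{ ansible_user }}"
+state: directory
+mode: "755"
+- name: Creating requisite hidden download paths
+ansible.builtin.file:
+path: "{{ ansible_user_home.stdout }}/downloads/media/vids/{{ item }}"
+recurse: true
+owner: "{{ ansible_user }}"
+group: "{{ ansible_user }}"
+state: directory
+mode: "755"
+loop:
+- series
+- features
+- name: Creating requisite hidden file for film torrent links
+ansible.builtin.file:
+path: "{{ ansible_user_home.stdout }}/media/vids/{{ item }}.csv"
+owner: "{{ ansible_user }}"
+group: "{{ ansible_user }}"
+state: touch
+mode: "644"
+loop:
+- features/.films
+- name: Creating requisite hidden download paths
+ansible.builtin.file:
+path: "{{ ansible_user_home.stdout }}/downloads/.xxx/media/vids"
+recurse: true
+owner: "{{ ansible_user }}"
+group: "{{ ansible_user }}"
+state: directory
+mode: "755"
+- name: Creating requisite hidden file for NSFW video torrent links
+ansible.builtin.file:
+path: "{{ ansible_user_home.stdout }}/.xxx/.{{ item }}.csv"
+owner: "{{ ansible_user }}"
+group: "{{ ansible_user }}"
+state: touch
+mode: "644"
+loop:
+- vids
+- name: Configuring flexget
+become: true
+become_user: "{{ current_user.stdout }}"
+ansible.builtin.template:
+src: user/flexget/config.yml.j2
+variable_start_string: "<<"
+variable_end_string: ">>"
+dest: "{{ ansible_user_home.stdout }}/.flexget/config.yml"
+owner: "{{ ansible_user }}"
+group: "{{ ansible_user }}"
+force: true
+backup: true
+- name: Creating a CRON job for flexget
+ansible.builtin.cron:
+name: Run flexget
+minute: "*/60"
+hour: "4-15"
+weekday: "1-5"
+job: "{{ ansible_user_home.stdout }}/.local/bin/flexget --cron execute"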
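Review bot: The two `state: touch` tasks write to `{{ ansible_user_home.stdout }}/media/vids/{{ item }}.csv` and `{{ ansible_user_home.stdout }}/.xxx/.{{ item }}.csv`, but the directories created just before them live under `downloads/media/vids/` and `downloads/.xxx/media/vids/`, so unless those parents exist from elsewhere the touch fails on a missing directory; the paths should presumably read `.../downloads/media/vids/{{ item }}.csv` and `.../downloads/.xxx/media/vids/.{{ item }}.csv`. `password: "'*'"` in the 'Disable login for root user altogether' task stores the literal characters `'*'` (quotes included) in the shadow field and disables password login only because that is not a valid hash; `password_lock: true` on the same `ansible.builtin.user` task is the supported form, and the same construct appears in administrate@vps.yml. The two `ansible.builtin.shell` tasks spawn a shell only to `echo` `{{ ansible_user }}`, and since both are conditional on `ansible_facts["system"]` every later `.stdout` reference would be undefined on a host where they are skipped; `ansible_facts['user_dir']` (with facts gathered) and a plain `ansible.builtin.set_fact` give the same values without a shell. The `all_userspace_pkgs`/`all_core_pkgs` expressions here lack the `default(...)`/`reject(...)` guards the vps playbook uses, so any package group without a `userspace` or `core` key aborts this play.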

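--- /dev/null
+++ b/administrate@vps.yml
@@ -0,0 +1,45 @@
+- name: Initialize VPS
+hosts: "{{ chosen_host | default('sukaato') }}"
+remote_user: "{{ chosen_user | default('senpai') }}"
+vars_files:
+- vars/git_aliases.yml # REQUIRED
+- vars/vim_settings.yml # REQUIRED
+- vars/config@{{ inventory_hostname | default('vps') }}.yml
+tasks:
+- name: Installing requisite packages
+ansible.builtin.include_role:
+name: init-server
+tasks_from: userspace@install-pkgs
+handlers_from: userspace
+- name: Disabling root user shell login
+become: true
+ansible.builtin.user:
+name: root
+shell: /sbin/nologin
+tags:
+- disable_root_shell
+- name: Disable login for root user altogether
+become: true
+ansible.builtin.user:
+name: root
+password: "'*'"
+tags:
+- disable_root_login
+# - name: Debugging
+# ansible.builtin.debug:
+# msg: "{{ pkgs | dict2items(key_name='pkg_group', value_name='pkgs') | map(attribute='pkgs') | list | map(attribute='userspace', default='no_userspace') | list | flatten | reject('search', 'no_userspace') | list }}"
+# - name: Prematurely ending play
+# ansible.builtin.meta: end_play
+- name: Reorganizing userspace package groups into single list
+ansible.builtin.set_fact:
+all_userspace_pkgs: "{{ pkgs | dict2items(key_name='pkg_group', value_name='pkgs') | map(attribute='pkgs') | list | map(attribute='userspace', default='no_userspace') | list | flatten | reject('search', 'no_userspace') | list }}"
+- name: Reorganizing core package groups into single list
+ansible.builtin.set_fact:
+all_core_pkgs: "{{ pkgs | dict2items(key_name='pkg_group', value_name='pkgs') | map(attribute='pkgs') | list | map(attribute='core', default='no_core') | list | flatten | reject('search', 'no_core') | list }}"
+- name: Configuring aliases for using git
+when: "'git' in all_core_pkgs"
+community.general.git_config:
+name: "alias.{{ item[0] }}"
+scope: global
+value: "{{ item[1] }}"
+loop: "{{ git_aliases }}"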
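Review bot: The commented-out 'Debugging' and 'Prematurely ending play' tasks between the root-lock task and the `set_fact` tasks are leftover scaffolding committed into a playbook that is otherwise meant to be the clean example; the `msg` expression they carry is identical to the `all_userspace_pkgs` value that follows, so they add nothing a reader cannot see two lines down. Either delete them or keep a single real `ansible.builtin.debug` task behind a `tags: [debug]` entry so it can be switched on without editing the file.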


@@ -508,7 +508,7 @@ pipelining=False
# (int) For keys inserted into an agent defined by ``SSH_AGENT``, define a lifetime, in seconds, that the key may remain in the agent.
;ssh_agent_key_lifetime=
ssh_args='-o ControlMaster=auto -o ControlPersist=300s -o PreferredAuthentications=publickey'
ssh_args='-o ControlMaster=auto -o ControlPersist=300s -o PreferredAuthentications=publickey -o ForwardAgent=yes'
[colors]
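Review bot: `-o ForwardAgent=yes` appended to `ssh_args` applies to every host Ansible connects to, and agent forwarding lets root on any managed host use the control node's agent socket to sign with every loaded key for as long as the session (and, with `ControlPersist=300s`, likely the idle master connection) stays open; a compromised target then authenticates as the operator anywhere those keys are accepted. The commit ties this to private-key use for git, so scope it to the hosts or plays that need it through per-host `ansible_ssh_common_args` instead of the global `ssh_args`, and pair it with the `ssh_agent_key_lifetime` setting that sits commented out two lines above, or load the keys with `ssh-add -c` so each use prompts for confirmation. The enclosing configuration section header is outside the hunk.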


@@ -1,4 +1,8 @@
---
collections:
- name: community.general
version: "12.6.1"
- name: linode.cloud
version: "0.46.0"
- name: containers.podman
version: "1.20.1"


@@ -1,3 +0,0 @@
#!/bin/bash
ansible-playbook --ask-pass --ask-become-pass -i hosts.yml init@homeserver.yml --check


@@ -1,310 +0,0 @@
# @TODO create inventory group variables akin to structure of sukaato group's for homeserver
# <str<vault>> representing password for Linux root user account of VPS
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
32333335343939653231313938666134306338356633393035363039373465386165313666383262
6465313738316635633332623765336563626165336330370a616634393266366430363663333066
63373165346236386632393866316164623133373761303262643734356433646661636533666266
3834643765613937300a326365643961626236386261303933643965333565623836313231346537
3030
# <str> representing hostname for LAN server; same as host or group variable name
instance: armitage
# <str<enum>> representing Linux distro or OS image to be used for VPS
# operating_system: "tftp://hikiki.local:69/debian.iso"
operating_system: ~
# <list[<str>]> of control node or local SSH key basenames
ssh_keys:
- ed25519@sukaato.hikiki
- ecdsa@sukaato.hikiki
# <list<dict>> list of administrative users (in Linux, users that can use "sudo")
admins:
- username: admin # <str> arbitrary valid user name
services: ~ # <list[<str>]> if linux system user, assocated servce
# <list[<str>]> list of control node or local SSH key basenames for this user
ssh_keys:
- ecdsa-37851076-sk@sukaato.hikiki
- ecdsa-37851072-sk@sukaato.hikiki
# <str<vault?>> hashed (and maybe salted) password
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
33663131343861303735643439393165356231366338346538333537643464343761373139303364
6630303563346437373161626662313432306138353132350a353334356139376662333562353834
36326461613664616565373835303636636533616462303732633461343130346134366662373566
6431623034653363310a303665636366353535313436666532623737373930356364616339313633
34663839656637373031393031656332393761623161643730326563323863363461333864353338
30633964353339323465643064636538346464343035626461333366303835333039653661383030
62656663336536373262623062633563646434646431303137306438633937323764633334396539
64353734613662663063343966356562326661626436663430623430663766343030646333306634
32353839313235313339353431323837356537336231366564313431313462613333
# @TODO change 'key' attributes of package entres under 'mngr' section below to 'signkey'
# and edit 'roles/init-server/install-pks.yml' accordngly
# <dict[<str>:<dict>]> package groups
pkgs:
# <dict[<str>:<dict>]> representing package groups installed by package manager via repositories
mngr:
# <list[<dict>]> representing system-level or essential packages
core:
- name: neovim
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: flatpak
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: snapd
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: git
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: fail2ban
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: crowdsec
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: glow
uri: ~
key: "https://repo.charm.sh/apt/gpg.key"
key_path: /etc/apt/keyrings/charm.gpg
src_entry: "deb [signed-by=/etc/apt/keyrings/charm.gpg] https://repo.charm.sh/apt/ * *"
src_path: /etc/apt/sources.list.d/charm.list
- name: vim-vimwiki
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: pandoc
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: tor
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: i2pd
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: radicle
uri: ~
key: "https://radicle.dev/apt/radicle-archive-keyring.deb"
key_path: "{{ ansible_facts['user_dir'] }}/.local_pkgs/"
src_entry: "deb [signed-by=/usr/share/radicle/radicle-archive-keyring.asc] https://radicle.dev/apt release main"
src_path: /etc/apt/sources.list
# - name: syncthing
# uri: ~
# key: ~
# key_path: ~
# src_entry: ~
# src_path: ~
userspace:
- name: podman
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: podman-compose
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: distrobox
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: proftpd-core
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: proftpd-doc
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: proftpd-mod-crypto
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: proftpd-mod-ldap
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: proftpd-mod-sqlite
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: aria2
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: syncplay-server
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: caddy
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: erlang
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: erlang-hex
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: elixir
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: python3.13
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: python3-venv
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: python3-pip
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: golang
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: hugo
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: yt-dlp
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: syncthing-discosrv
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: syncthing-relaysrv
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
handler: ~
- name: avahi-daemon
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: avahi-utils
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
# <dict[<str>:<dict>]> representing package groups installed by shell scripts
script:
# <list[<dict>]> representing user-level or supplemental shell script installations
userspace:
- name: nvm
src: "https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.4/install.sh"
pre: ~
post: ~
- name: rustup
src: "https://sh.rustup.rs"
pre: ~
post: ~
- name: julia
src: "https://install.julialang.org"
pre: ~
post: ~
- name: uv
src: "https://astral.sh/uv/install.sh"
pre: ~
post: ~
# <dict[<str>:<dict>]> representing package groups installed from source archives
archive:
# <list[<dict>]> representing user-level or supplemental source archives
userspace:
- name: surge
# @NOTE https://github.com/SurgeDM/Surge
src: "https://github.com/SurgeDM/Surge/releases/download/v0.8.6/Surge_0.8.6_linux_amd64.tar.gz"
deploy: ~
pre: ~
post: ~
# <dict[<str>:<dict>]> representing package groups installed from source git repositories
git_repos:
userspace:
- name: quartz
src: "https://github.com/jackyzha0/quartz.git"
branch: main
deploy: ~
pre: ~
post: ~
core_pkgs: "{{ (pkgs.mngr.core | default([])) + (pkgs.script.core | default([])) + (pkgs.archive.core | default([])) + (pkgs.git_repos.core | default([])) + (pkgs.containers.core | default([])) + (pkgs.snaps.core | default([])) + (pkgs.flatpaks.core | default([])) }}"


@@ -0,0 +1,687 @@
# @TODO create inventory group variables akin to structure of sukaato group's for homeserver
# <str<vault>> representing password for Linux root user account of VPS
password: "{{ lookup('password', '../.tmp/armitage_test.pass', seed='armitage_test', encrypt='sha512_crypt') }}"
# <str> representing hostname for LAN server; same as host or group variable name
instance: armitage
# <str<enum>> representing Linux distro or OS image to be used for VPS
# operating_system: "tftp://hikiki.local:69/debian.iso"
operating_system: ~
# <list[<str>]> of control node or local SSH key basenames
ssh_keys:
- ed25519@staging
- ecdsa@staging
# <list<dict>> list of administrative users (in Linux, users that can use "sudo")
admins:
- username: senpai # <str> arbitrary valid user name
services: ~ # <list[<str>]> if linux system user, assocated servce
# <list[<str>]> list of control node or local SSH key basenames for this user
ssh_keys:
# @TODO add secondary and teriary Yubikeys
- ecdsa-37851076-sk@staging
- ed25519-37851076-sk@staging
# <str<vault?>> hashed (and maybe salted) password
password: "{{ lookup('password', '../.tmp/senpai@armitage_test.pass', seed='senpai:armitage_test', encrypt='sha512_crypt') }}"
# <dict[<str>:<dict>]> package groups
pkgs:
# <dict[<str>:<dict>]> representing package groups installed by package manager via repositories
mngr:
# <list[<dict>]> representing system-level or essential packages
core:
- name: xz-utils
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: wireguard
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: wireguard-tools
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: sudo
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: kitty-terminfo
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: whois
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: smartmontools
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: vim-vimwiki
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: vim-doc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: snapd
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: git
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: git
- name: git-delta
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: git-doc
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: git-man
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: fail2ban
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: crowdsec
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: crowdsec
- name: glow
uri: ~
sigkey: "https://repo.charm.sh/apt/gpg.key"
sources: "https://repo.charm.sh/apt/"
types: deb
suites: "*"
comps: "*"
handler: ~
- name: pandoc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: curl
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: build-essential
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: fastfetch
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: gcc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: dpkg-dev
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: ufw
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: avahi-daemon
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: avahi-utils
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: libpam-google-authenticator
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: cron
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: cron-daemon-common
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: tor
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: tor
- name: libpam-u2f
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: pamu2fcfg
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: pcscd
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: tftpd-hpa
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: gocryptfs
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: cryfs
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: tmux
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: cpu-checker
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: libpam-doc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: gnupg
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: gnupg-agent
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
userspace:
- name: vim
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: vim
- name: neovim
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: neovim
- name: sqlite3
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: podman
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: podman-compose
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: distrobox
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: proftpd-core
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: proftpd-doc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: proftpd-mod-crypto
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: proftpd-mod-ldap
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: proftpd-mod-sqlite
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: erlang
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: erlang-doc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: erlang-hex
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: elixir
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: python3.13
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: python3-venv
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: python3-pip
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: python3-doc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: golang
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: golang-doc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: hugo
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: yt-dlp
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: syncthing-discosrv
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: syncthing-relaysrv
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: syncthing-relaysrv
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: burp
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: rsync
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: rclone
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: aria2
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: mopidy
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: mopidy-mpd
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: minidlna
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
# <dict[<str>:<dict>]> representing package groups installed by shell scripts
script:
# <list[<dict>]> representing user-level or supplemental shell script installations
userspace:
- name: radicle
src: "https://radicle.dev/install"
pre: ~
post: ~
handler: radicle
- name: rustup
src: "https://sh.rustup.rs"
pre: ~
post: ~
handler: rustup
- name: julia
src: "https://install.julialang.org"
pre: ~
post: ~
handler: julia
- name: uv
src: "https://astral.sh/uv/install.sh"
pre: ~
post: ~
handler: uv
# <dict[<str>:<dict>]> representing package groups installed from source archives
archive:
# <list[<dict>]> representing user-level or supplemental source archives
userspace:
# - name: surge
# src: "https://github.com/SurgeDM/Surge/releases/download/v0.8.6/Surge_0.8.6_linux_amd64.tar.gz"
# deploy: ~
# pre: ~
# post: ~
# handler: surge
- name: nvm
src: "https://nodejs.org/dist/v24.16.0/node-v24.16.0-linux-x64.tar.xz"
deploy: ~
pre: ~
post: ~
handler: nvm
- name: difftastic
src: "https://github.com/Wilfred/difftastic/releases/download/0.69.0/difft-x86_64-unknown-linux-gnu.tar.gz"
deploy: ~
pre: ~
post: ~
handler: difftastic
# <dict[<str>:<dict>]> representing package groups installed from source git repositories
git_repos:
# userspace:
# # @TODO use below to build Podman container instead, to deploy with podman-compose
# # @NOTE https://github.com/papis/papis and https://papis.readthedocs.io/en/latest/
# - name: papis
# src: "https://github.com/papis/papis.git"
# branch: main
# deploy: ~
# pre: ~
# post: ~
# handler: false
- name: quartz
src: "https://github.com/jackyzha0/quartz.git"
branch: v5.0.0
deploy: ~
pre: ~
post: ~
handler: quartz
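Review bot: `syncthing-relaysrv` is listed twice in `pkgs.mngr.userspace` (two consecutive identical blocks near the end of that list), which at best installs the package twice and, if the role notifies per entry, notifies its handler twice; drop one copy. Both `password` values come from `lookup('password', '../.tmp/…', seed='…', encrypt='sha512_crypt')` with the seed written into this file, so the generated passwords are reproducible by anyone who can read it or the `../.tmp/*.pass` output; that is tolerable only if this is the throwaway staging target the seeds name, and the `.tmp` path does not appear in the `.gitignore` hunk above. The `archive` entry named `nvm` fetches a Node.js tarball (`node-v24.16.0-linux-x64.tar.xz`) rather than nvm, so either the name or the `src` is wrong, and neither it nor the `difftastic` tarball carries a digest the installer could check; if the role's archive schema cannot express one, consider adding a field for it before these entries grow.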


@@ -1,103 +1,690 @@
# <str<vault>> representing password for Linux root user account of LAN server on PC
# @TODO create inventory group variables akin to structure of sukaato group's for homeserver
# <str<vault>> representing password for Linux root user account of VPS
password: ""
# <str<vault>> administrative API token or PXE server authentication key/password
token: ~
# <str> representing hostname for LAN server; same as host or group variable name
instance: ""
# <str<enum>> representing Linux distro or OS image to be used for VPS; can be PXE server URI/URL link
# Example-- operating_system: "tftp://hikiki.local:69/debian.iso"
operating_system: ~
instance: armitage
# <str<enum>> representing Linux distro or OS image to be used for VPS
# operating_system: "tftp://hikiki.local:69/debian.iso"
operating_system: ""
# <list[<str>]> of control node or local SSH key basenames
ssh_keys: []
# @TODO change 'key' attributes of package entres under 'mngr' section below to 'signkey'
# and edit 'roles/init-server/install-pks.yml' accordngly
ssh_keys: []
# <list<dict>> list of administrative users (in Linux, users that can use "sudo")
admins:
- username: senpai # <str> arbitrary valid user name
services: "" # <list[<str>]> if linux system user, assocated servce
# <list[<str>]> list of control node or local SSH key basenames for this user
ssh_keys: []
# <str<vault?>> hashed (and maybe salted) password
password: ""
# <dict[<str>:<dict>]> package groups
pkgs:
# <dict[<str>:<dict>]> representing package groups installed by package manager via repositories
mngr:
# <list[<dict>]> representing system-level or essential packages
core:
- name: "" # <str> name of package in repositori/repositories; used by handler listener
uri: "" # <str> URI/URL or path to package installation file
key: "" # <str> URI/URL or path to package signing key
key_path: "" # <str> destination path of signing key
src_entry: "" # <str> repository entry line/block
src_path: "" # <str> filepath for repository entry insertion
# <list[<dict>]> representing user-level or supplemental packages
- name: xz-utils
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: wireguard
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: wireguard-tools
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: sudo
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: kitty-terminfo
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: whois
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: smartmontools
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: vim
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: vim
- name: vim-vimwiki
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: vim-doc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
# - name: flatpak
# uri: ~
# sources: ~
# sigkey: ~
# types: ~
# suites: ~
# comps: ~
# handler: ~
- name: snapd
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: git
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: git
- name: git-delta
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: git-doc
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: git-man
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: fail2ban
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: crowdsec
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: glow
uri: ~
sigkey: "https://repo.charm.sh/apt/gpg.key"
sources: "https://repo.charm.sh/apt/"
types: deb
suites: "*"
comps: "*"
handler: ~
- name: pandoc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: curl
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: build-essential
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: fastfetch
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: gcc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: dpkg-dev
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: ufw
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: avahi-daemon
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: avahi-utils
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: libpam-google-authenticator
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: cron
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: cron-daemon-common
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: tor
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: tor
- name: libpam-u2f
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: pamu2fcfg
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: pcscd
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: tftpd-hpa
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: gocryptfs
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: cryfs
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: tmux
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: cpu-checker
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: libpam-doc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: burp
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: rsync
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: gnupg
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: gnupg-agent
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
userspace:
- name: ""
uri: ""
key: ""
key_path: ""
src_entry: ""
src_path: ""
- name: neovim
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: neovim
- name: sqlite3
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: podman
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: podman-compose
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: distrobox
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: proftpd-core
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: proftpd-doc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: proftpd-mod-crypto
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: proftpd-mod-ldap
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: proftpd-mod-sqlite
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: erlang
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: erlang-doc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: erlang-hex
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: elixir
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: python3.13
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: python3-venv
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: python3-pip
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: python3-doc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: golang
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: golang-doc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: hugo
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: yt-dlp
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: syncthing-discosrv
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: syncthing-relaysrv
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: syncthing-relaysrv
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: rclone
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: aria2
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: mopidy
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: mopidy-mpd
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: minidlna
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
# <dict[<str>:<dict>]> representing package groups installed by shell scripts
script:
# <list[<dict>]> representing system-level or essential shell script software installations
core:
- name: "" # <str> arbitrary name, used by handler listener
src: "" # <str> URI/URL or path to software installation shell script
pre: "" # <str> URI/URL or path to shell script, or name of handler listener, for pre-installation actions
post: "" # <str> URI/URL or path to shell script, or name of handler listener, for post-installation actions
# <list[<dict>]> representing user-level or supplemental shell script software installations
# <list[<dict>]> representing user-level or supplemental shell script installations
userspace:
- name: ""
src: ""
pre: ""
post: ""
- name: radicle
src: "https://radicle.dev/install"
pre: ~
post: ~
handler: radicle
- name: rustup
src: "https://sh.rustup.rs"
pre: ~
post: ~
handler: rustup
- name: julia
src: "https://install.julialang.org"
pre: ~
post: ~
handler: julia
- name: uv
src: "https://astral.sh/uv/install.sh"
pre: ~
post: ~
handler: uv
# <dict[<str>:<dict>]> representing package groups installed from source archives
archive:
# <list[<dict>]> representing system-level or essential source archives
core:
- name: "" # <str> arbitrary name, used by handler listener
src: "" # <str> URI/URL or path of archive file for software build
deploy: "" # <str> URI/URL or path to shell script, or handler listener name, to build software from archive
pre: "" # <str> URI/URL or path to shell script, or handler listener name, for actions to take before software build
post: "" # <str> URI/URL or path to shell script, or handler listener name, for actions to take after software build
# <list[<dict>]> representing user-level or supplemental source archives
userspace:
- name: ""
src: ""
deploy: ""
pre: ""
post: ""
# - name: surge
# src: "https://github.com/SurgeDM/Surge/releases/download/v0.8.6/Surge_0.8.6_linux_amd64.tar.gz"
# deploy: ~
# pre: ~
# post: ~
# handler: surge
- name: nvm
src: "https://nodejs.org/dist/v24.16.0/node-v24.16.0-linux-x64.tar.xz"
deploy: ~
pre: ~
post: ~
handler: nvm
- name: difftastic
src: "https://github.com/Wilfred/difftastic/releases/download/0.69.0/difft-x86_64-unknown-linux-gnu.tar.gz"
deploy: ~
pre: ~
post: ~
handler: difftastic
# <dict[<str>:<dict>]> representing package groups installed from source git repositories
git_repos:
# <list[<dict>]> representing system-level or essential git repositories
core:
- name: "" # <str> arbitrary name, used by handler listener
src: "" # <str> URI/URL or path of git repository
src_path: "" # <str> path in which to place git repository clone
branch: "" # <str> specific branch to pull or otherwise to swtich into
deploy: "" # <str> URI/URL or path to shell script, or handler listener name, to build or run from source repository
pre: "" # <str> URI/URL or path to shell script, or handler listener name, for actions to take before building or running from source repository
post: "" # <str> URI/URL or path to shell script, or handler listener name, for actions to take after building or running from source repository
# <list[<dict>]> representing user-level or supplemental git repositories
userspace:
- name: "" # <str> arbitrary name, used by handler listener
src: "" # <str> URI/URL or path of git repository
src_path: "" # <str> path in which to place git repository clone
remote: "" # <str> the name of the remote source of the git repository
branch: "" # <str> specific branch to pull or otherwise to swtich into
deploy: "" # <str> URI/URL or path to shell script, or handler listener name, to build or run from source repository
pre: "" # <str> URI/URL or path to shell script, or handler listener name, for actions to take before building or running from source repository
post: "" # <str> URI/URL or path to shell script, or handler listener name, for actions to take after building or running from source repository
# <dict[<str>:<dict>]> representing package groups installed via container engine
containers:
# <list[<dict>]> representing system-level or essential container images
core: []
# <list[<dict>]> representing user-level or supplemental container images
userspace: []
# <dict[<str>:<dict>]> representing package groups installed via snap package
snaps:
# <list[<dict>]> representing system-level or essential packages
core: []
# <list[<dict>]> representing user-level or supplemental packages
userspace: []
# <dict[<str>:<dict>]> representing flatpak groups installed via flatpak package
flatpaks:
# <list[<dict>]> representing system-level or essential flatpaks
core: []
# <list[<dict>]> representing user-level or supplemental flatpaks
userspace: []
core_pkgs: [] # @TODO document this
# userspace:
# # @TODO use below to build Podman container instead, to deploy with podman-compose
# # @NOTE https://github.com/papis/papis and https://papis.readthedocs.io/en/latest/
# - name: papis
# src: "https://github.com/papis/papis.git"
# branch: main
# deploy: ~
# pre: ~
# post: ~
# handler: false
- name: quartz
src: "https://github.com/jackyzha0/quartz.git"
branch: v5.0.0
deploy: ~
pre: ~
post: ~
handler: quartz
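Review bot: The `glow` entry (`sigkey: "https://repo.charm.sh/apt/gpg.key"`, `sources: "https://repo.charm.sh/apt/"`, `suites: "*"`, `comps: "*"`) fetches the apt signing key from the same origin as the repository it authenticates, so the only trust anchor for every package from that source is the TLS connection on the first run, and the `mngr` entry schema has no field in which to pin the key. Consider adding a field such as `sigkey_fingerprint: "<expected fingerprint>"` (or committing the key file alongside the playbook and pointing `sigkey` at that path) and having the install task refuse a fetched key that does not match. Old and new sides are not marked in this section, so this entry may predate the commit, but it is the new-side configuration either way. Two smaller points: `syncthing-relaysrv` is listed twice under `userspace`, and `core_pkgs: []` with `# @TODO document this` replaces what the deleted group file computed as the union of every `*.core` list — if that value is still iterated by the roles, an empty literal would silently install none of the core packages, so it is worth confirming which side of the diff that line is on.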


@@ -1,311 +0,0 @@
# <str<vault>> representing password for Linux root user account of VPS
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
66353462633933306537323461663665643234306166366663653163306436333037313032306338
3762653037396437633835356630656438623163656536310a306163663234383265386133396634
34363163343766623739646334643031373239373630663731376239333764346531396363636131
6163343335356337660a366337336632333236326532373032353332333636366638616265356562
66616534303035386134623535373935373065326539363065623230633034313433
# <str<vault>> representing API token for VPS cloud service
token: !vault |
$ANSIBLE_VAULT;1.1;AES256
33333839333337323062326231626534616166646666343261343966636464346630363033653130
3035653864396363376633346362353239643939663462370a323935353061313563336435366331
30393463653661326539326234646438663133616634663439303932656137633839656533376433
3666643635613039390a323138393033623131326438616331386539666333613630316263613636
66663263373665343662393638623064356234646165343835623966643761333562323132396466
63363436333463653130323531343139316466316131313031343232343039396261616231376232
66383938333661363532303166306563396634663132396166646132663131373738396131626633
34393265343061356531
# <str> representing name and hostname of VPS to be made in VPS cloud service
instance: sukaato
# <str<enum>> representing region options from or for given VPS cloud service
origin: us-east
# <str<enum>> representing Linux distro or OS image available in VPS service to be used for VPS
operating_system: linode/debian13
# <list[<str>]> list of control node or local SSH key basenames for root user
ssh_keys:
- ed25519@sukaato.hikiki
- ecdsa@sukaato.hikiki
# <list<dict>> list of administrative users (in Linux, users that can use "sudo")
admins:
- username: senpai # <str> arbitrary valid user name
services: ~ # <list[<str>]> if linux system user, assocated servce
# <list[<str>]> list of control node or local SSH key basenames for this user
ssh_keys:
- ecdsa-37851076-sk@sukaato.hikiki
- ecdsa-37851072-sk@sukaato.hikiki
# <str<vault?>> hashed (and maybe salted) password
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
35326430616661626233643261316438323631373736323033666362353732646564366534346333
3435643432336165633832373634333864623363323461630a643366636136393031656163663161
30313863393037623661333030383931366535626135366664656538666330613936656238653862
6232356463633565390a363331306665393832303363316432396363623361396238623064356662
64363061613136643932613430633236313238306366363237366130623031326135393364326164
63303037376431373237616463323938623630333666356634363966613761376266346163636563
63316665653032653533656464336566626166333834653539343961666136653234356362333966
39313436363935303430393966653762326463616264373739333638373337643666623531383064
66353136383666626566643666663761313437396137383063373033366336663731
# @TODO change 'key' attributes of package entres under 'mngr' section below to 'signkey'
# and edit 'roles/init-server/install-pks.yml' accordngly
# <dict[<str>:<dict>]> package groups
pkgs:
# <dict[<str>:<dict>]> representing package groups installed by package manager via repositories
mngr:
# <list[<dict>]> representing system-level or essential packages
core:
- name: neovim
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: flatpak
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: snapd
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: git
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: fail2ban
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: crowdsec
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: glow
uri: ~
key: "https://repo.charm.sh/apt/gpg.key"
key_path: /etc/apt/keyrings/charm.gpg
src_entry: "deb [signed-by=/etc/apt/keyrings/charm.gpg] https://repo.charm.sh/apt/ * *"
src_path: /etc/apt/sources.list.d/charm.list
- name: vim-vimwiki
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: pandoc
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: tor
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: i2pd
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: radicle
uri: ~
key: "https://radicle.dev/apt/radicle-archive-keyring.deb"
key_path: "{{ ansible_facts['user_dir'] }}/.local_pkgs/"
src_entry: "deb [signed-by=/usr/share/radicle/radicle-archive-keyring.asc] https://radicle.dev/apt release main"
src_path: /etc/apt/sources.list
# - name: syncthing
# uri: ~
# key: ~
# key_path: ~
# src_entry: ~
# src_path: ~
userspace:
- name: podman
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: podman-compose
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: distrobox
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: proftpd-core
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: proftpd-doc
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: proftpd-mod-crypto
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: proftpd-mod-ldap
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: proftpd-mod-sqlite
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: aria2
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: syncplay-server
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: caddy
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: erlang
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: erlang-hex
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: elixir
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: python3.13
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: python3-venv
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: python3-pip
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: golang
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: hugo
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: yt-dlp
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: syncthing-discosrv
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
- name: syncthing-relaysrv
uri: ~
key: ~
key_path: ~
src_entry: ~
src_path: ~
handler: ~
# <dict[<str>:<dict>]> representing package groups installed by shell scripts
script:
# <list[<dict>]> representing user-level or supplemental shell script installations
userspace:
- name: nodejs
src: "https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.4/install.sh"
pre: ~
post: ~
- name: rustup
src: "https://sh.rustup.rs"
pre: ~
post: ~
- name: julia
src: "https://install.julialang.org"
pre: ~
post: ~
- name: uv
src: "https://astral.sh/uv/install.sh"
pre: ~
post: ~
# <dict[<str>:<dict>]> representing package groups installed from source archives
archive:
# <list[<dict>]> representing user-level or supplemental source archives
userspace:
- name: surge
# @NOTE https://github.com/SurgeDM/Surge
src: "https://github.com/SurgeDM/Surge/releases/download/v0.8.6/Surge_0.8.6_linux_amd64.tar.gz"
deploy: ~
pre: ~
post: ~
# <dict[<str>:<dict>]> representing package groups installed from source git repositories
git_repos:
userspace:
- name: quartz
src: "https://github.com/jackyzha0/quartz.git"
src_path: "{{ ansible_facts['user_dir'] }}/repos/"
remote: origin
branch: main
deploy: ~
pre: ~
post: ~
core_pkgs: "{{ (pkgs.mngr.core | default([])) + (pkgs.script.core | default([])) + (pkgs.archive.core | default([])) + (pkgs.git_repos.core | default([])) + (pkgs.containers.core | default([])) + (pkgs.snaps.core | default([])) + (pkgs.flatpaks.core | default([])) }}"

550
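--- /dev/null
+++ b/group_vars/sukaato_test.yml
@@ -0,0 +1,550 @@
+# <str<vault>> representing password for Linux root user account of VPS
+password: "{{ lookup('password', './.tmp/sukaato_test.pass', seed='sukaato_test', encrypt='sha512_crypt') }}"
+# <str<vault>> representing API token for VPS cloud service
+token: ~
+# <str> representing name and hostname of VPS to be made in VPS cloud service
+instance: sukaato
+# <str<enum>> representing region options from or for given VPS cloud service
+origin: us-east
+# <str<enum>> representing Linux distro or OS image available in VPS service to be used for VPS
+operating_system: linode/debian13
+# <list[<str>]> list of control node or local SSH key basenames for root user
+ssh_keys:
+- ed25519@staging
+- ecdsa@staging
+# <list<dict>> list of administrative users (in Linux, users that can use "sudo")
+admins:
+- username: senpai # <str> arbitrary valid user name
+services: ~ # <list[<str>]> if linux system user, assocated servce
+# <list[<str>]> list of control node or local SSH key basenames for this user
+ssh_keys:
+# @TODO add secondary and teriary Yubikeys
+- ecdsa-37851076-sk@staging
+- ed25519-37851076-sk@staging
+# <str<vault?>> hashed (and maybe salted) password
+password: "{{ lookup('password', './.tmp/senpai@sukaato_test.pass', seed='senpai:sukaato_test', encrypt='sha512_crypt') }}"
+# <dict[<str>:<dict>]> package groups
+pkgs:
+# <dict[<str>:<dict>]> representing package groups installed by package manager via repositories
+mngr:
+# <list[<dict>]> representing system-level or essential packages
+core:
+- name: sudo
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: xz-utils
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: wireguard
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: wireguard-tools
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: vagrant
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: qemu-system
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: cron
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: cron-daemon-common
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: qemu-kvm
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: bridge-utils
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: libvirt-clients
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: libvirt-daemon-system
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: gcc
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: git-doc
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: git-delta
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: fastfetch
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: git
+uri: ~
+sources: ~
+sigkey: ~
+types: ~
+suites: ~
+comps: ~
+handler: git
+- name: fail2ban
+uri: ~
+sources: ~
+sigkey: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: crowdsec
+uri: ~
+sources: ~
+sigkey: ~
+types: ~
+suites: ~
+comps: ~
+handler: crowdsec
+- name: glow
+uri: ~
+sigkey: "https://repo.charm.sh/apt/gpg.key"
+sources: "https://repo.charm.sh/apt/"
+types: deb
+suites: "*"
+comps: "*"
+handler: ~
+- name: vim-vimwiki
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: vim-doc
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: tor
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: i2pd
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: whois
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+# @TODO make sure to create handler inclusion of tasks in file under/at `tasks/contingent/pkg` for below
+- name: iptables
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: libpam-google-authenticator
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: gnupg
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: gnupg-agent
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: gocryptfs
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: cryfs
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: tmux
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: cpu-checker
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: libpam-doc
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: headscale
+uri: "https://github.com/juanfont/headscale/releases/download/v0.28.0/headscale_0.28.0_linux_amd64.deb"
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: headscale
+userspace:
+- name: vim
+uri: ~
+sources: ~
+sigkey: ~
+types: ~
+suites: ~
+comps: ~
+handler: vim
+- name: neovim
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: neovim
+- name: distrobox
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: proftpd-core
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: proftpd-doc
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: proftpd-mod-crypto
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: proftpd-mod-ldap
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: proftpd-mod-sqlite
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: aria2
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: erlang
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: erlang-hex
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: elixir
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: python3.13
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: python3-venv
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: python3-pip
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: golang
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: yt-dlp
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: syncthing-discosrv
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: syncthing-relaysrv
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: rclone
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: burp
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+- name: rsync
+uri: ~
+sigkey: ~
+sources: ~
+types: ~
+suites: ~
+comps: ~
+handler: ~
+# <dict[<str>:<dict>]> representing package groups installed by shell scripts
+script:
+# <list[<dict>]> representing user-level or supplemental shell script installations
+userspace:
+- name: radicle
+src: "https://radicle.dev/install"
+pre: ~
+post: ~
+handler: radicle
+- name: rustup
+src: "https://sh.rustup.rs"
+pre: ~
+post: ~
+handler: rustup
+- name: julia
+src: "https://install.julialang.org"
+pre: ~
+post: ~
+handler: julia
+- name: uv
+src: "https://astral.sh/uv/install.sh"
+pre: ~
+post: ~
+handler: uv
+# <dict[<str>:<dict>]> representing package groups installed from source archives
+archive:
+# <list[<dict>]> representing user-level or supplemental source archives
+userspace:
+- name: surge
+src: "https://github.com/SurgeDM/Surge/releases/download/v0.8.6/Surge_0.8.6_linux_amd64.tar.gz"
+deploy: ~
+pre: ~
+post: ~
+handler: surge
+- name: nvm
+src: "https://nodejs.org/dist/v24.16.0/node-v24.16.0-linux-x64.tar.xz"
+deploy: ~
+pre: ~
+post: ~
+handler: nvm
+- name: difftastic
+src: "https://github.com/Wilfred/difftastic/releases/download/0.69.0/difft-x86_64-unknown-linux-gnu.tar.gz"
+deploy: ~
+pre: ~
+post: ~
+handler: difftastic
+# <dict[<str>:<dict>]> representing package groups installed from source git repositories
+git_repos:
+# userspace:
+# - name: quartz
+# src: "https://github.com/jackyzha0/quartz.git"
+# branch: v5.0.0
+# deploy: ~
+# pre: ~
+# post: ~
+# handler: ~
+binaries:
+core:
+- name: dsnet
+src: "https://github.com/naggie/dsnet/releases/download/v0.8.1/dsnet-linux-amd64"
+handler: dsnet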
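Review bot: The root `password` (and the `senpai` admin password below it) is generated with `lookup('password', './.tmp/sukaato_test.pass', seed='sukaato_test', ...)`; Ansible's password lookup makes its output a deterministic function of the seed, and the seed is a plain string committed in this file, so anyone who can read the repository can regenerate the staging host's root password without ever reaching `./.tmp/`. Drop the `seed=` argument — the lookup already persists the generated value in the named file, which is what keeps reruns stable — and make sure `./.tmp/` is git-ignored and not world-readable, since that file holds the plaintext while only the `sha512_crypt` hash reaches the host. Separately, `headscale` installs a `.deb` straight from a GitHub release URL with `sigkey: ~`, `binaries.core` fetches the `dsnet` executable the same way with no checksum field at all, and the nvm and difftastic tarballs likewise carry no digest; all of these end up running as root. Add a pinned digest per entry (for example a `checksum: "sha256:<hex>"` field passed through to `get_url`) or a signature check in the corresponding handler so a swapped release asset cannot be installed.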


@@ -3,102 +3,538 @@ password: ""
# <str<vault>> representing API token for VPS cloud service
token: ""
# <str> representing name and hostname of VPS to be made in VPS cloud service
instance: ""
instance: sukaato
# <str<enum>> representing region options from or for given VPS cloud service
origin: ""
# <str<enum>> representing Linux distro or OS image available in VPS service to be used for VPS
operating_system: ~
# <list[<str>]> of control node or local SSH key basenames
ssh_keys: []
# @TODO change 'key' attributes of package entres under 'mngr' section below to 'signkey'
# and edit 'roles/init-server/install-pks.yml' accordngly
origin: us-east
# <str<enum>> representing Linux distro or OS image available in VPS service to be used for VPS
operating_system: linode/debian13
# <list[<str>]> list of control node or local SSH key basenames for root user
ssh_keys: []
# <list<dict>> list of administrative users (in Linux, users that can use "sudo")
admins:
- username: senpai # <str> arbitrary valid user name
services: ~ # <list[<str>]> if linux system user, assocated servce
# <list[<str>]> list of control node or local SSH key basenames for this user
ssh_keys: []
# <str<vault?>> hashed (and maybe salted) password
password: ""
# <dict[<str>:<dict>]> package groups
pkgs:
# <dict[<str>:<dict>]> representing package groups installed by package manager via repositories
mngr:
# <list[<dict>]> representing system-level or essential packages
core:
- name: "" # <str> name of package in repositori/repositories; used by handler listener
uri: "" # <str> URI/URL or path to package installation file
key: "" # <str> URI/URL or path to package signing key
key_path: "" # <str> destination path of signing key
src_entry: "" # <str> repository entry line/block
src_path: "" # <str> filepath for repository entry insertion
# <list[<dict>]> representing user-level or supplemental packages
- name: sudo
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: xz-utils
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: wireguard
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: wireguard-tools
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: vagrant
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: qemu-system
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: cron
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: cron-daemon-common
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: qemu-kvm
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: bridge-utils
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: libvirt-clients
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: libvirt-daemon-system
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: gcc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: git-doc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: git-delta
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: fastfetch
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: vim
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: vim
- name: git
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: git
- name: fail2ban
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: crowdsec
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: glow
uri: ~
sigkey: "https://repo.charm.sh/apt/gpg.key"
sources: "https://repo.charm.sh/apt/"
types: deb
suites: "*"
comps: "*"
handler: ~
- name: vim-vimwiki
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: vim-doc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: tor
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: i2pd
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: whois
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
# @TODO make sure to create handler inclusion of tasks in file under/at `tasks/contingent/pkg` for below
- name: iptables
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: libpam-google-authenticator
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: burp
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: rsync
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: gnupg
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: gnupg-agent
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: gocryptfs
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: cryfs
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: tmux
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: cpu-checker
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: libpam-doc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: headscale
uri: "https://github.com/juanfont/headscale/releases/download/v0.28.0/headscale_0.28.0_linux_amd64.deb"
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: headscale
userspace:
- name: ""
uri: ""
key: ""
key_path: ""
src_entry: ""
src_path: ""
- name: neovim
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: neovim
- name: distrobox
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: proftpd-core
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: proftpd-doc
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: proftpd-mod-crypto
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: proftpd-mod-ldap
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: proftpd-mod-sqlite
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: aria2
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: erlang
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: erlang-hex
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: elixir
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: python3.13
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: python3-venv
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: python3-pip
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: golang
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: yt-dlp
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: syncthing-discosrv
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: syncthing-relaysrv
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: rclone
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
# <dict[<str>:<dict>]> representing package groups installed by shell scripts
script:
# <list[<dict>]> representing system-level or essential shell script software installations
core:
- name: "" # <str> arbitrary name, used by handler listener
src: "" # <str> URI/URL or path to software installation shell script
pre: "" # <str> URI/URL or path to shell script, or name of handler listener, for pre-installation actions
post: "" # <str> URI/URL or path to shell script, or name of handler listener, for post-installation actions
# <list[<dict>]> representing user-level or supplemental shell script software installations
# <list[<dict>]> representing user-level or supplemental shell script installations
userspace:
- name: ""
src: ""
pre: ""
post: ""
- name: radicle
src: "https://radicle.dev/install"
pre: ~
post: ~
handler: radicle
- name: rustup
src: "https://sh.rustup.rs"
pre: ~
post: ~
handler: rustup
- name: julia
src: "https://install.julialang.org"
pre: ~
post: ~
handler: julia
- name: uv
src: "https://astral.sh/uv/install.sh"
pre: ~
post: ~
handler: uv
# <dict[<str>:<dict>]> representing package groups installed from source archives
archive:
# <list[<dict>]> representing system-level or essential source archives
core:
- name: "" # <str> arbitrary name, used by handler listener
src: "" # <str> URI/URL or path of archive file for software build
deploy: "" # <str> URI/URL or path to shell script, or handler listener name, to build software from archive
pre: "" # <str> URI/URL or path to shell script, or handler listener name, for actions to take before software build
post: "" # <str> URI/URL or path to shell script, or handler listener name, for actions to take after software build
# <list[<dict>]> representing user-level or supplemental source archives
userspace:
- name: ""
src: ""
deploy: ""
pre: ""
post: ""
- name: surge
src: "https://github.com/SurgeDM/Surge/releases/download/v0.8.6/Surge_0.8.6_linux_amd64.tar.gz"
deploy: ~
pre: ~
post: ~
handler: surge
- name: nvm
src: "https://nodejs.org/dist/v24.16.0/node-v24.16.0-linux-x64.tar.xz"
deploy: ~
pre: ~
post: ~
handler: nvm
- name: difftastic
src: "https://github.com/Wilfred/difftastic/releases/download/0.69.0/difft-x86_64-unknown-linux-gnu.tar.gz"
deploy: ~
pre: ~
post: ~
handler: difftastic
# <dict[<str>:<dict>]> representing package groups installed from source git repositories
git_repos:
# <list[<dict>]> representing system-level or essential git repositories
core:
- name: "" # <str> arbitrary name, used by handler listener
src: "" # <str> URI/URL or path of git repository
src_path: "" # <str> path in which to place git repository clone
branch: "" # <str> specific branch to pull or otherwise to swtich into
deploy: "" # <str> URI/URL or path to shell script, or handler listener name, to build or run from source repository
pre: "" # <str> URI/URL or path to shell script, or handler listener name, for actions to take before building or running from source repository
post: "" # <str> URI/URL or path to shell script, or handler listener name, for actions to take after building or running from source repository
# <list[<dict>]> representing user-level or supplemental git repositories
userspace:
- name: "" # <str> arbitrary name, used by handler listener
src: "" # <str> URI/URL or path of git repository
src_path: "" # <str> path in which to place git repository clone
remote: "" # <str> the name of the remote source of the git repository
branch: "" # <str> specific branch to pull or otherwise to swtich into
deploy: "" # <str> URI/URL or path to shell script, or handler listener name, to build or run from source repository
pre: "" # <str> URI/URL or path to shell script, or handler listener name, for actions to take before building or running from source repository
post: "" # <str> URI/URL or path to shell script, or handler listener name, for actions to take after building or running from source repository
# <dict[<str>:<dict>]> representing container image groups installed via container engine
containers:
# <list[<dict>]> representing system-level or essential container images
core: []
# <list[<dict>]> representing user-level or supplemental container images
userspace: []
# <dict[<str>:<dict>]> representing package groups installed via snap package
snaps:
# <list[<dict>]> representing system-level or essential packages
core: []
# <list[<dict>]> representing user-level or supplemental packages
userspace: []
# <dict[<str>:<dict>]> representing flatpak groups installed via flatpak package
flatpaks:
# <list[<dict>]> representing system-level or essential flatpaks
core: []
# <list[<dict>]> representing user-level or supplemental flatpaks
userspace: []
core_pkgs: [] # @TODO document this
# userspace:
# - name: quartz
# src: "https://github.com/jackyzha0/quartz.git"
# branch: v5.0.0
# deploy: ~
# pre: ~
# post: ~
# handler: ~
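Review bot: The headscale entry (L3320–L3327) pulls a `.deb` straight from a GitHub release URL with `sigkey: ~`, and the entry schema has no field for a checksum, so whatever the installer task does with `uri` it has nothing to verify the download against; the same gap applies to the `archive` and `script` entries (surge, nvm, difftastic, radicle, rustup, julia, uv) and to the `binaries.core` dsnet entry in the preceding section. Consider adding a `checksum` attribute to these entries (e.g. `checksum: "sha256:<digest>"`, the form `ansible.builtin.get_url` accepts) and having the role fail when it is absent for a direct-download source. Separately, the `@TODO` at L2995 still talks about renaming `key` to `signkey` while the populated entries already use `sigkey`, and the template entries at L3016–L3021 and L3329–L3334 still use `key`/`key_path`/`src_entry`/`src_path`. Which of those lines survive in the new file is not marked in this view, but the two entry shapes should be reconciled so the role reads one schema.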


@@ -1,11 +1,33 @@
# @TODO use hosts and host groupings that refer or point to VM or containerized servers for testing
ungrouped:
hosts: ~
hosts:
staging0:
ansible_host: ~
staging1:
ansible_host: ~
sukaato:
hosts: ~
sukaato_test:
hosts:
staging0:
armitage:
hosts: ~
armitage_test:
hosts:
staging1:
vps:
children: ~
children:
sukaato:
vps_test:
children:
sukaato_test:
homeserver:
children: ~
children:
armitage:
homeserver_test:
children:
armitage_test:
test:
children:
vps_test:
homeserver_test:
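Review bot: The `sukaato` and `armitage` groups still carry `hosts: ~` (L3617, L3622) while both playbooks in this compare default `chosen_host` to exactly those group names, so a run without `-e chosen_host=...` selects an empty group; from the hunk counts these two lines look unchanged rather than added, but that is inferred. The `staging0`/`staging1` entries also have `ansible_host: ~`, which leaves the test hosts unreachable until someone fills them in. If the real hosts are meant to come from elsewhere (a dynamic inventory or `host_vars`), a comment such as `# hosts are supplied by <inventory source>; do not list them here` above `sukaato:` would stop the next reader from assuming the group is broken.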


@@ -1,12 +1,17 @@
# @NOTE run 'ansible-playbook' command on this using 'sudo'
- name: Initialize homeserver
hosts: armitage
hosts: "{{ chosen_host | default('armitage') }}"
remote_user: root
vars:
harden: true
local_facts:
user_dir: ~
user_id: ~
vars_files:
- vars/local_facts.yml # REQUIRED
- vars/vim_settings.yml # REQUIRED
- vars/vpn_server.yml # REQUIRED
- vars/tail_net.yml
- vars/crowdsec.yml
- vars/users@{{ inventory_hostname | default('homeserver') }}.yml
- vars/config@{{ inventory_hostname | default('homeserver') }}.yml
tasks:
- name: Hardening SSH server
ansible.builtin.include_role:
@@ -17,12 +22,25 @@
# defaults_from: main # not required. File to load from a role's C(defaults/) directory.
# allow_duplicates: True # not required. Overrides the role's metadata setting to allow using a role more than once with the same parameters.
# handlers_from: main # not required. File to load from a role's C(handlers/) directory.
- name: Installing requisite packages
ansible.builtin.include_role:
name: init-server
tasks_from: core@install-pkgs
handlers_from: core
- name: Initializing groups and users
ansible.builtin.include_role:
name: init-server # required. The name of the role to be executed.
# apply: # not required. Accepts a hash of task keywords (e.g. C(tags), C(become)) that will be applied to all tasks within the included role.
tasks_from: ssh-users # not required. File to load from a role's C(tasks/) directory.
vars_from: main # not required. File to load from a role's C(vars/) directory.
defaults_from: main # not required. File to load from a role's C(defaults/) directory.
# allow_duplicates: True # not required. Overrides the role's metadata setting to allow using a role more than once with the same parameters.
# handlers_from: main # not required. File to load from a role's C(handlers/) directory.
name: init-server
tasks_from: ssh-users
- name: Updating hostname
become: true
ansible.builtin.hostname:
name: "{{ inventory_hostname }}"
- name: Updating host icon name
become: true
ansible.builtin.command:
cmd: "hostnamectl set-icon-name computer-server"
- name: Rebooting machine for hostname change
become: true
ansible.builtin.reboot:
msg: "Rebooting machine"
ignore_errors: true
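Review bot: The hostname change at L3689–L3692 runs without a `flush_handlers` step before it, unlike the VPS playbook in this compare, so handlers notified by the package installation (headscale, crowdsec, dsnet) are still pending when the reboot fires and would only run afterwards, against a host whose reconnect the reboot task itself treats as unreliable. Adding `- name: Flush handlers` / `ansible.builtin.meta: flush_handlers` ahead of "Updating hostname" matches the other playbook. The reboot task's `ignore_errors: true` also masks a host that never comes back; if the wait is unwanted because the hostname change is expected to break the reconnect, a fire-and-forget `ansible.builtin.shell` reboot with `async: 1` / `poll: 0` states that intent without suppressing every error. The `hostnamectl` command task has no `changed_when`, so it reports changed on every run. The second hunk ends at the reboot task; whether anything follows in the file is not visible here.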

55
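--- /dev/null
+++ b/init@vps.yml
@@ -0,0 +1,55 @@
+# @NOTE run 'ansible-playbook' command on this using 'sudo'
+- name: Initialize VPS
+# hosts: sukaato
+hosts: "{{ chosen_host | default('sukaato') }}"
+remote_user: root
+vars:
+harden: true
+vars_files:
+- vars/local_facts.yml # REQUIRED
+- vars/vpn_server.yml # REQUIRED
+- vars/tail_net.yml
+- vars/crowdsec.yml
+- vars/users@{{ inventory_hostname | default('vps') }}.yml
+- vars/config@{{ inventory_hostname | default('vps') }}.yml
+tasks:
+- name: Hardening SSH server
+ansible.builtin.include_role:
+name: init-server # required. The name of the role to be executed.
+# apply: # not required. Accepts a hash of task keywords (e.g. C(tags), C(become)) that will be applied to all tasks within the included role.
+tasks_from: harden # not required. File to load from a role's C(tasks/) directory.
+# vars_from: main # not required. File to load from a role's C(vars/) directory.
+# defaults_from: main # not required. File to load from a role's C(defaults/) directory.
+# allow_duplicates: True # not required. Overrides the role's metadata setting to allow using a role more than once with the same parameters.
+# handlers_from: main # not required. File to load from a role's C(handlers/) directory.
+- name: Installing requisite packages
+ansible.builtin.include_role:
+name: init-server
+tasks_from: core@install-pkgs
+handlers_from: core
+- name: Initializing groups and users
+ansible.builtin.include_role:
+name: init-server
+tasks_from: ssh-users
+- name: Flush handlers
+ansible.builtin.meta: flush_handlers
+- name: Update hostname
+become: true
+ansible.builtin.hostname:
+name: "{{ inventory_hostname }}"
+- name: Update host icon name
+become: true
+ansible.builtin.command:
+cmd: "hostnamectl set-icon-name computer-server"
+- name: Notifying user that all processes have finished
+ansible.builtin.debug:
+msg: All processes finished. Hit enter to reboot machine.
+- name: Ensuring user has read prior message regarding upcoming reboot
+ansible.builtin.pause:
+- name: Rebooting machine for hostname change
+become: true
+ansible.builtin.reboot:
+msg: "Rebooting machine.."
+connect_timeout: 0
+test_command: ~
+ignore_errors: true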
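Review bot: `ignore_errors: true` on the final reboot (L3762) turns any failure of the reboot or of the reconnect check into a green run, so a VPS that never comes back after hardening still finishes the play successfully; `test_command: ~` either disables the post-boot check or falls back to the module default depending on how null is treated, which is worth confirming. If the wait is not wanted because the hostname change is expected to break the reconnect, a fire-and-forget reboot (`ansible.builtin.shell: "sleep 2 && systemctl reboot"` with `async: 1` and `poll: 0`) expresses that without hiding other errors; otherwise keep `ansible.builtin.reboot` and drop `ignore_errors`. `connect_timeout: 0` at L3760 is unusual and its effect should be checked against the module docs before relying on it. The `hostnamectl set-icon-name` command task at L3747–L3750 has no `changed_when` and reports changed every run.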


@@ -4,4 +4,5 @@ PubkeyAuthentication yes
KbdInteractiveAuthentication no # enable if implementing TOTP 2FA
UsePAM yes
PrintMotd yes
AllowAgentForwarding yes
Banner /etc/banner
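Review bot: `AllowAgentForwarding yes` at L3770 opts every session on this hardened server into agent forwarding, a setting many hardening baselines set to `no` because a compromised host can then use any client's forwarded agent; from the hunk counts this is the one added line, though which line is new is not marked in this view. If forwarding is needed for a specific workflow, scoping it with a `Match User <admin>` block (or leaving the server default and enabling it per-host in the client's `ssh_config`) keeps the global policy restrictive. The comment on `KbdInteractiveAuthentication no` says to enable it for TOTP; `libpam-google-authenticator` is already in the package list in this compare, so that comment may be stale.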


@@ -0,0 +1,14 @@
[Unit]
Description=dsnet
After=network-online.target
Wants=network-online.target
[Service]
Type=oneshot
ExecStart=/usr/bin/dsnet up
ExecStop=/usr/bin/dsnet down
RemainAfterExit=yes
ExecReload=/usr/bin/dsnet sync
[Install]
WantedBy=default.target
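Review bot: `WantedBy=default.target` at L3787 is the user-manager convention; for a unit installed under `/etc/systemd/system` (see the copy task in `dsnet.yml` in this compare) `WantedBy=multi-user.target` is the expected target, and on the system manager `default.target` only works through an alias whose resolution depends on the installed default. The unit runs `/usr/bin/dsnet` as root at every boot, and that binary is fetched from a GitHub release URL (`binaries.core` at L2977–L2979) with no checksum or signature field, so a substituted download would run with full privileges; pinning a digest at fetch time is the cheap fix. The hunk header announces 14 lines but 12 are shown, so blank lines were likely dropped by the renderer.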


@@ -0,0 +1,14 @@
[Unit]
Description=thrunet
After=network-online.target
Wants=network-online.target
[Service]
Type=oneshot
ExecStart=/usr/local/bin/dsnet-forward.sh start
ExecStop=/usr/local/bin/dsnet-forward.sh stop
RemainAfterExit=yes
# ExecReload=/usr/bin/dsnet sync
[Install]
WantedBy=default.target
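Review bot: The unit has no ordering or dependency on `dsnet.service` (L3792–L3795 reference only `network-online.target`), yet its script installs FORWARD and MASQUERADE rules for the `dsnet` interface, so at boot and shutdown the two units are ordered arbitrarily and the rules can be present while the interface is down. Adding `After=dsnet.service` and `BindsTo=dsnet.service` (or `Requires=`) to `[Unit]` ties the rule lifetime to the interface. `Description=thrunet` says nothing about what the unit does; `Description=iptables forward/masquerade rules for the dsnet interface` would help whoever reads `systemctl status` later. As with `dsnet.service`, `WantedBy=default.target` should probably be `multi-user.target` for a system unit.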


@@ -0,0 +1,5 @@
set runtimepath^=~/.vim runtimepath+=~/.vim/after
let &packpath = &runtimepath
source ~/.vimrc


@@ -0,0 +1,10 @@
#!/bin/bash
set -euo pipefail
if [[ "$1" == "start" ]]; then
/usr/sbin/iptables -A FORWARD -i dsnet -p tcp --sport {80,443,465,587,995,110,143,993} -j ACCEPT
/usr/sbin/iptables -t nat -A POSTROUTING -o dsnet -j MASQUERADE
elif [[ "$1" == "stop" ]]; then
/usr/sbin/iptables -D FORWARD -i dsnet -p tcp --sport {80,443,465,587,995,110,143,993} -j ACCEPT
/usr/sbin/iptables -t nat -D POSTROUTING -o dsnet -j MASQUERADE
fi
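Review bot: `--sport {80,443,...}` at L3818 and L3821 is a bash brace expansion: the word becomes `80 443 465 ...` as separate arguments, so iptables receives `--sport 80 443` and rejects the command, and under `set -e` the unit's `ExecStart` fails at boot; a port list needs `-m multiport --sports 80,443,465,587,995,110,143,993` as one argument. Matching on the *source* port is also a weak filter for forwarded traffic, since any peer can choose 80 or 443 as its source port to pass the rule; if the intent is to let VPN clients reach those services the match belongs on `--dports`, and the `ansible.builtin.iptables` task in `dsnet.yml` makes the same `source_port` choice. The script appends on every `start` without checking (`-C`), so repeated starts stack duplicate rules, and an unrecognised argument exits 0 silently. The rewrite below fixes the expansion, idempotence and usage handling while keeping `--sports`, leaving the sport/dport decision to the author.

```bash
#!/bin/bash
set -euo pipefail
PORTS="80,443,465,587,995,110,143,993"
RULE=(FORWARD -i dsnet -p tcp -m multiport --sports "$PORTS" -j ACCEPT)

case "${1:-}" in
  start)
    # -C first so repeated starts do not stack duplicate rules
    /usr/sbin/iptables -C "${RULE[@]}" 2>/dev/null || /usr/sbin/iptables -A "${RULE[@]}"
    /usr/sbin/iptables -t nat -C POSTROUTING -o dsnet -j MASQUERADE 2>/dev/null \
      || /usr/sbin/iptables -t nat -A POSTROUTING -o dsnet -j MASQUERADE
    ;;
  stop)
    /usr/sbin/iptables -D "${RULE[@]}"
    /usr/sbin/iptables -t nat -D POSTROUTING -o dsnet -j MASQUERADE
    ;;
  *)
    echo "usage: $0 {start|stop}" >&2
    exit 1
    ;;
esac
```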


@@ -0,0 +1,27 @@
# SPDX-License-Identifier: MIT-0
---
# handlers file for roles/init-vps
- name: Skipping to next installaton
ansible.builtin.debug:
msg: "No post-installaton or additional installation steps needed--continuing..."
listen: default
- name: Setting up Crowdsec
ansible.builtin.include_tasks:
file: tasks/contingent/pkg/crowdsec.yml
listen: crowdsec
- name: Setting up Headscale
ansible.builtin.include_tasks:
file: tasks/contingent/pkg/headscale.yml
listen: headscale
- name: Setting up Git
ansible.builtin.include_tasks:
file: tasks/contingent/pkg/git.yml
listen: git
- name: Setting up TOR
ansible.builtin.include_tasks:
file: tasks/contingent/pkg/tor.yml
listen: tor
- name: Setting up DSNet
ansible.builtin.include_tasks:
file: tasks/contingent/pkg/dsnet.yml
listen: dsnet
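Review bot: `listen: crowdsec` and `listen: tor` (L3838, L3850) have no notifier in the package list of this compare — the `crowdsec` and `tor` entries there carry `handler: ~` — so unless the install task notifies these names some other way, the Crowdsec and TOR setup tasks never run; the commit message about moving the Crowdsec listener suggests it is meant to fire, so this is worth checking. The handler name and debug message at L3831 and L3833 spell "installaton", and the same typo is in the userspace handlers file in this compare. The file comment says `roles/init-vps` while the playbooks include the role as `init-server`. The hunk header announces 27 lines but 26 are shown, so a blank line was likely dropped by the renderer.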


@@ -1,7 +0,0 @@
# SPDX-License-Identifier: MIT-0
---
# handlers file for roles/init-vps
- name: Setting up Quartz
ansible.builtin.include_tasks:
file: tasks/contingent/pkg/quartz.yml
listen: quartz


@@ -0,0 +1,51 @@
# SPDX-License-Identifier: MIT-0
---
# handlers file for roles/init-vps
- name: Skipping to next installaton
ansible.builtin.debug:
msg: "No post-installaton or additional installation steps needed--continuing..."
listen: default
- name: Setting up ViM
ansible.builtin.include_tasks:
file: tasks/contingent/pkg/vim.yml
listen: vim
- name: Settng up NeoViM
ansible.builtin.include_tasks:
file: tasks/contingent/pkg/neovim.yml
listen: neovim
- name: Settng up Difftastic
ansible.builtin.include_tasks:
file: tasks/contingent/pkg/difftastic.yml
listen: difftastic
- name: Settng up Git
ansible.builtin.include_tasks:
file: tasks/contingent/pkg/git.yml
listen: git
- name: Setting up NodeJS
ansible.builtin.include_tasks:
file: tasks/contingent/pkg/nvm.yml
listen: nvm
- name: Setting up Rust
ansible.builtin.include_tasks:
file: tasks/contingent/pkg/rustup.yml
listen: rustup
- name: Setting up Julia
ansible.builtin.include_tasks:
file: tasks/contingent/pkg/julia.yml
listen: julia
- name: Setting up UV
ansible.builtin.include_tasks:
file: tasks/contingent/pkg/uv.yml
listen: uv
- name: Setting up Radicle
ansible.builtin.include_tasks:
file: tasks/contingent/pkg/radicle.yml
listen: radicle
- name: Setting up Surge
ansible.builtin.include_tasks:
file: tasks/contingent/pkg/surge.yml
listen: surge
- name: Setting up Quartz
ansible.builtin.include_tasks:
file: tasks/contingent/pkg/quartz.yml
listen: quartz
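Review bot: "Settng up Git" at L3889–L3892 listens on `git` and includes `tasks/contingent/pkg/git.yml`, the same file and listener as the core handlers file in this compare; if both handler files are loaded for one play, a single `notify: git` runs git.yml twice (its system-wide `git_config` tasks are idempotent, so the cost is time and log noise rather than breakage, but one of the two should go). The `quartz` listener at L3917–L3920 has no live notifier, since the quartz entry is commented out in both config files, so it is dead until that entry returns. Three task names spell "Settng" (L3881, L3885, L3889).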


@@ -0,0 +1,40 @@
- name: Restarting SystemD service
become: true
ansible.builtin.systemd_service:
name: crowdsec
scope: system
enabled: true
state: started
- name: Changing the address and port of the Crowdsec server
become: true
ansible.builtin.lineinfile:
path: /etc/crowdsec/config.yaml
regexp: "^ {4}listen_uri"
line: " listen_uri: localhost:{{ crowdsec.port }}"
owner: root
group: root
mode: "644"
- name: Changing the address of the Crowdsec Prometheus server
become: true
ansible.builtin.lineinfile:
path: /etc/crowdsec/config.yaml
regexp: "^ {2}listen_addr"
line: " listen_addr: localhost"
owner: root
group: root
mode: "644"
- name: Changing target or expected address for credentials of the Crowdsec local API
become: true
ansible.builtin.lineinfile:
path: /etc/crowdsec/local_api_credentials.yaml
regexp: "^url"
line: "url: http://localhost:{{ crowdsec.port }}"
owner: root
group: root
mode: "644"
- name: Restarting SystemD service
become: true
ansible.builtin.systemd_service:
name: crowdsec
scope: system
state: restarted
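Review bot: The three `lineinfile` edits of `/etc/crowdsec/config.yaml` (L3934–L3949) append the line at end of file when the `regexp` does not match, which for an indented YAML key silently yields a broken or ignored config rather than an error; adding `backrefs: true` makes a non-match leave the file untouched, or a template of the whole file avoids the problem. The `line` values (`" listen_uri: ..."`, `" listen_addr: ..."`) must carry exactly the indentation the regexps `^ {4}` / `^ {2}` expect, and the rendered view has collapsed that whitespace so it cannot be checked here. The first and last tasks share the name "Restarting SystemD service" while the first only ensures `enabled`/`started`; naming it "Enabling and starting Crowdsec service" keeps the log readable. Binding the LAPI and Prometheus listeners to `localhost` is the right direction.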


@@ -0,0 +1,26 @@
---
- name: Acquiring home of current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo ~{{ ansible_user }}"
register: ansible_user_home
- name: Linking binaries to directories already in PATH environment variable
ansible.builtin.file:
src: "{{ ansible_user_home.stdout }}/downloads/archives/released/difftastic/{{ item }}"
dest: "{{ ansible_user_home.stdout }}/.local/bin/{{ item }}"
state: hard
loop:
- difft
- name: Linking binaries to directories already in PATH environment variable
become: true
ansible.builtin.file:
src: "{{ ansible_user_home.stdout }}/downloads/archives/released/difftastic/{{ item }}"
dest: "/usr/bin/{{ item }}"
state: link
loop:
- difft
- name: Configuring usage of Difftastic as default git difference tool for user
community.general.git_config:
name: diff.tool
scope: global
value: difftastic
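Review bot: `diff.tool: difftastic` at L3990–L3994 is only usable if a matching `difftool.difftastic.cmd` is configured somewhere; nothing in this compare sets it, and `git.yml` later sets the system-wide `diff.tool` to `nvimdiffs`, so the effective tool depends on scope precedence and the missing `cmd` makes `git difftool` fail for this user. The `/usr/bin/difft` symlink at L3982–L3989 points into the user's home, so a system-wide command resolves to a user-writable path — the same pattern as `julia.yml` in this compare. The home lookup via `ansible.builtin.shell: echo ~{{ ansible_user }}` (repeated in dsnet.yml, git.yml, headscale.yml, julia.yml, neovim.yml and the file starting at L4384) depends on `ansible_user` being set and on the `when` not skipping the task, in which case `ansible_user_home.stdout` is undefined; `ansible_facts.user_dir` or `ansible_env.HOME` gives the same value without a shell round-trip.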


@@ -0,0 +1,147 @@
- name: Acquiring home of current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo ~{{ ansible_user }}"
register: ansible_user_home
- name: Acquiring current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo {{ ansible_user }}"
register: current_user
- name: Initializing DSNet
become: true
ansible.builtin.command:
cmd: dsnet init
- name: Running DSNet VPN service interface
become: true
ansible.builtin.command:
cmd: dsnet up
- name: Creating a directory to house VPN service client configurations
ansible.builtin.file:
path: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d"
recurse: true
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: "755"
state: directory
- name: Adding peer device for DSNet VPN service interface
become: true
ansible.builtin.shell:
cmd: "dsnet add {{ item.name }}{{ idx }} --owner {{ current_user.stdout }} --description 'For {{ item.name }}--{{ item.desc }}' --confirm > {{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ (idx | string) }}.conf"
creates: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ idx }}.conf"
loop: "{{ vpn_server.clients }}"
loop_control:
index_var: idx
- name: Changing ownership of consequent DSNet VPN service client configurations
ansible.builtin.file:
path: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ (idx | string) }}.conf"
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
state: file
loop: "{{ vpn_server.clients }}"
loop_control:
index_var: idx
- name: Pausing to inquire about how to proceed
ansible.builtin.pause:
prompt: "Type \"fetch\" to get the DSNet VPN service client configuration files, or \"show\" to see their contents for manual copying instead"
echo: true
register: data_method
- name: Presenting DSNet VPN service client configuration files to control node for copying
when: data_method.user_input == "show"
block:
- name: Acquiring contents of DSNet VPN service client configuration files
ansible.builtin.slurp:
src: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ (idx | string) }}.conf"
loop: "{{ vpn_server.clients }}"
loop_control:
index_var: idx
register: vpn_client_configs
- name: Presenting contents of DSNet VPN service client configurations to control node
ansible.builtin.debug:
msg: "Copy this client configuration of the DSNet VPN service:\n {{ item.content }}"
loop: "{{ vpn_client_configs.results }}"
- name: Giving opportunity to manually copy contents of DSNet VPN service client configuration files
ansible.builtin.pause:
- name: Providing DSNet VPN service client configuration files to control node machine
when: data_method.user_input == "fetch"
block:
- name: Dupliciating DSNet VPN service client configuration files to control node
ansible.builtin.fetch:
src: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ (idx | string) }}.conf"
dest: "./.tmp/{{ inventory_hostname }}-dsnet/wg/"
flat: true
loop: "{{ vpn_server.clients }}"
loop_control:
index_var: idx
- name: Informing control node of acquired files
ansible.builtin.debug:
msg: "The DSNet VPS service client configuration files have been duplicated to '/var/tmp/{{ inventory_hostname }}/wg/' at the control node."
- name: Giving control node user time to read the aforementiioned message
ansible.builtin.pause:
seconds: 30
- name: Ensuring IP forwarding is allowed
become: true
ansible.posix.sysctl:
name: "net.{{ item }}.ip_forward"
value: "1"
sysctl_set: true
state: present
loop:
- ipv4
# - ipv6
- name: Creating SystemD unit for placing up DSNet interface
become: true
ansible.builtin.copy:
src: systemd/system/dsnet.service
dest: /etc/systemd/system/dsnet.service
owner: root
group: root
force: true
backup: true
- name: Reloading SystemD and enabling DSNet interface
become: true
ansible.builtin.systemd_service:
name: dsnet
enabled: true
daemon_reload: true
- name: Copying script for DSNet iptables rules
become: true
ansible.builtin.copy:
src: usr/local/bin/dsnet-forward.sh
dest: /usr/local/bin/
owner: root
group: root
mode: "744"
force: true
backup: true
- name: Creating SystemD unit for DSNet iptables rules
become: true
ansible.builtin.copy:
src: systemd/system/thrunet.service
dest: /etc/systemd/system/thrunet.service
owner: root
group: root
force: true
backup: true
- name: Reloading SystemD and enabling iptables rules SystemD unit
become: true
ansible.builtin.systemd_service:
name: thrunet
enabled: true
daemon_reload: true
- name: Forwarding network traffic on certain ports to Wireguard VPS service interface
become: true
ansible.builtin.iptables:
chain: FORWARD
protocol: "{{ item[0][0] }}"
source_port: "{{ item[0][1] }}"
in_interface: "{{ item[1] }}"
jump: ACCEPT
loop: "{{ vpn_server.forwards | product([vpn_server.interface]) }}"
- name: Forwarding network traffic on certain ports to Wireguard VPS service interface
become: true
ansible.builtin.iptables:
table: nat
chain: POSTROUTING
out_interface: "{{ vpn_server.interface }}"
jump: MASQUERADE
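Review bot: The client configuration files written by the `dsnet add` redirect at L4028 contain WireGuard private keys, are created by a root shell with the default umask, and the follow-up `file` task at L4033–L4038 only changes ownership, so they are most likely world-readable inside a directory created with `mode: "755"`; add `mode: "600"` to that task and change the directory to `mode: "700"`. The `show` branch additionally echoes the key material through `ansible.builtin.debug`, which lands in any configured Ansible log, so `no_log: true` belongs on the slurp and debug tasks (or the branch should be reconsidered). The message at L4076 tells the operator the files are under `/var/tmp/{{ inventory_hostname }}/wg/` while the fetch at L4069 writes to `./.tmp/{{ inventory_hostname }}-dsnet/wg/`. `dsnet init` and `dsnet up` at L4009–L4016 run unconditionally via `command`, so a second run fails or re-initialises; a `creates: <dsnet config path>` (not visible here) makes them idempotent. The FORWARD rule at L4130–L4138 matches on `source_port`, the same weak choice as `dsnet-forward.sh` in this compare, and the two now install overlapping rules at different times.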


@@ -0,0 +1,118 @@
---
- name: Acquiring home of current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo ~{{ ansible_user }}"
register: ansible_user_home
- name: Acquiring current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo {{ ansible_user }}"
- name: Configuring system-level git settings
become: true
block:
- name: Making commit feedback more verbose
community.general.git_config:
name: commit.verbose
scope: system
value: "true"
state: present
- name: Setting default merge conflict approach algorithm
community.general.git_config:
name: merge.conflictstyle
scope: system
value: zdiff3
state: present
- name: Setting default merging tool for conflicts
community.general.git_config:
name: merge.tool
scope: system
value: nvimdiff
state: present
- name: Ensuring backups prior to merge solution implementation
community.general.git_config:
name: merge.keebbackup
scope: system
value: "true"
state: present
- name: Configuring rebase to autosquash
community.general.git_config:
name: rebase.autosquash
scope: system
value: "true"
state: present
- name: Enforcng error message for missing entries in local commit history
community.general.git_config:
name: rebase.missingCommitsCheck
scope: system
value: error
state: present
- name: Setting the default branch's default name on repository initialization
community.general.git_config:
name: init.defaultBranch
scope: system
value: main
state: present
- name: Setting default pager for, or called by, git
community.general.git_config:
name: core.pager
scope: system
value: delta
state: present
- name: Ensuring git push/pull space handling compatibility with non-Linux operating systems
community.general.git_config:
name: core.autocrlf
scope: system
value: "false"
state: present
- name: Setting default text editor for, or called by, git
community.general.git_config:
name: core.editor
scope: system
value: nvim
state: present
- name: Setting difference filtering tool to delta
community.general.git_config:
name: interactive.diffFilter
scope: system
value: delta
state: present
- name: Setting default difference- finding or presenting approach algorithm
community.general.git_config:
name: diff.algorithm
scope: system
value: histogram
state: present
- name: Setting difference tool for, or called by, git
community.general.git_config:
name: diff.tool
scope: system
value: nvimdiffs
state: present
- name: Setting the default amount of context for git to show around a difference
community.general.git_config:
name: diff.context
scope: system
value: "10"
state: present
- name: Ensuring data integrity and validity is checked prior to fetch or transfer actions
community.general.git_config:
name: "{{ item }}.fsckobjects"
scope: system
value: "true"
state: present
loop:
- transfer
- fetch
- name: Ensuring data integrity and validity is checked prior to reception of data
community.general.git_config:
name: receive.fsckObjects
scope: system
value: "true"
state: present
- name: Setting git TUI to have color
community.general.git_config:
name: color.ui
scope: system
value: "true"
state: present
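Review bot: `merge.keebbackup` at L4183 is not a git configuration key — git accepts unknown keys silently, so the task succeeds and changes nothing; the backup behaviour of merge tools is controlled by `mergetool.keepBackup`. `diff.tool: nvimdiffs` at L4239 likewise looks like a typo for the built-in `nvimdiff` tool name that `merge.tool` uses two tasks earlier. The second "Acquiring current user" task at L4156–L4159 has no `register`, so its output is discarded. The `transfer`/`fetch`/`receive` fsckobjects settings are a sound default for a host that will serve repositories.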


@@ -0,0 +1,39 @@
---
- name: Acquiring home of current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo ~{{ ansible_user }}"
register: ansible_user_home
- name: Acquiring current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo {{ ansible_user }}"
- name: Configuring Headscale
become: true
ansible.builtin.template:
src: headscale/config.yaml.j2
dest: /etc/headscale/config.yaml
owner: root
group: root
mode: "644"
force: true
backup: true
- name: Starting SystemD service
become: true
ansible.builtin.systemd_service:
name: headscale
scope: system
enabled: true
state: started
- name: Registering a headscale user
become: true
ansible.builtin.command:
# cmd: "headscale users create {{ item.username }} -d '{{ item.dname }}' -e '{{ item.email }}' -p '{{ pfp | default(default_pfp) }}'"
cmd: "headscale users create {{ item.username }} -d '{{ item.dname }}' -e '{{ item.email }}'"
# vars:
# default_pfp: ~
loop: "{{ tail.users }}"
register: headscale_registration
changed_when:
- "'User created' in headscale_registration.stdout"
- headscale_registration.rc == 0
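Review bot: `headscale users create ...` at L4303 interpolates `item.username`, `item.dname` and `item.email` into one `cmd` string that Ansible splits with shell-like quoting, so a display name or e-mail containing `'` breaks the split and a value starting with `-` is read as an option; passing the pieces as an `argv:` list (`argv: ["headscale", "users", "create", "{{ item.username }}", "-d", "{{ item.dname }}", "-e", "{{ item.email }}"]`) avoids the quoting entirely. The task is also not re-runnable: on a second run the user already exists, headscale exits non-zero and the play fails, since only `changed_when` is set; a `failed_when` that tolerates the already-exists case (exact message to confirm against headscale's output) is needed. The "Acquiring current user" task at L4278–L4281 has no `register`, so it does nothing useful.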


@@ -0,0 +1,32 @@
---
- name: Acquiring home of current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo ~{{ ansible_user }}"
register: ansible_user_home
- name: Acquiring current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo {{ ansible_user }}"
register: current_user
- name: Executing shell-scripted installation process for Julia
become: true
become_user: "{{ current_user.stdout }}"
ansible.builtin.shell:
cmd: "{{ ansible_user_home.stdout }}/.local/bin/julia-install.sh --yes"
creates: "{{ ansible_user_home.stdout }}/.juliaup/bin"
- name: Linking binaries to directories already in PATH environment variable
become: true
ansible.builtin.file:
src: "{{ ansible_user_home.stdout }}/.juliaup/bin/{{ item }}"
dest: "/usr/bin/{{ item }}"
owner: root
group: root
state: link
loop:
- julia
- julialauncher
- juliaup
# - name: Reboot machine for shell environment change
# ansible.builtin.reboot:
# msg: Rebooting machine
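Review bot: The `Linking binaries` task points root-owned `/usr/bin/julia`, `julialauncher` and `juliaup` at files under the unprivileged user's `~/.juliaup/bin`, so whoever controls that account controls what root and every other user executes from the system PATH; the same pattern appears in the nvm, radicle, rustup, surge and uv task files in this compare. Either place the binaries in a root-owned location (`ansible.builtin.copy` with `remote_src: true` into `/usr/local/bin`, `owner: root`, `mode: "0755"`) or leave them on the user's own PATH instead of linking them system-wide. The `creates:` guard on the installer is good, but `--yes` only suppresses prompts; the script itself is fetched elsewhere without an integrity check, so the link target is only as trustworthy as that download.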


@@ -0,0 +1,29 @@
---
- name: Acquiring home of current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo ~{{ ansible_user }}"
register: ansible_user_home
- name: Acquiring current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo {{ ansible_user }}"
register: current_user
- name: Creating directory tree for NeoViM configuration files
ansible.builtin.file:
path: "{{ ansible_user_home.stdout }}/.config/nvim"
recurse: true
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
state: directory
- name: Configuring NeoViM
become: true
become_user: "{{ current_user.stdout }}"
ansible.builtin.copy:
src: user/config/nvim/init.vim
dest: "{{ ansible_user_home.stdout }}/.config/nvim/init.vim"
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: "644"
force: true
backup: true


@@ -0,0 +1,95 @@
---
- name: Acquiring home of current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo ~{{ ansible_user }}"
register: ansible_user_home
- name: Find all NVM pre-built binary (sub)directories
ansible.builtin.find:
paths: "{{ ansible_user_home.stdout }}/downloads/archives/released/nvm"
patterns: "^node-v[0-9]*\\."
file_type: directory
use_regex: true
register: prebuilt_nodes
- name: Bootstrapping NVM
become: true
block:
- name: Grabbing only path information for pre-built binary (sub)directories
ansible.builtin.set_fact:
prebuilt_nodepaths: "{{ prebuilt_nodes.files | map(attribute='path') }}"
- name: Linking binaries to directories already in PATH environment variable
ansible.builtin.file:
src: "{{ item[0] }}/bin/{{ item[1] }}"
dest: "/usr/bin/{{ item[1] }}"
owner: root
group: root
state: link
loop: "{{ prebuilt_nodepaths | product(['node']) }}"
- name: Linking binaries to directories already in PATH environment variable
ansible.builtin.file:
src: "{{ item[0] }}/lib/node_modules/corepack/dist/{{ item[1] }}.js"
dest: "/usr/bin/{{ item[1] }}"
owner: root
group: root
state: link
loop: "{{ prebuilt_nodepaths | product(['corepack']) }}"
- name: Linking binaries to directories already in PATH environment variable
ansible.builtin.file:
src: "{{ item[0] }}/lib/node_modules/npm/bin/{{ item[1] }}-cli.js"
dest: "/usr/bin/{{ item[1] }}"
owner: root
group: root
state: link
loop: "{{ prebuilt_nodepaths | product(['npm','npx']) }}"
- name: Link includes to directories already recognized by system
ansible.builtin.file:
src: "{{ item[0] }}/include/{{ item[1] }}"
dest: "/usr/include/{{ item[1] }}"
owner: root
group: root
state: link
loop: "{{ prebuilt_nodepaths | product(['node']) }}"
- name: Link requisite libraries to directories already recognized by system
ansible.builtin.file:
src: "{{ item[0] }}/lib/{{ item[1] }}"
dest: "/usr/lib/{{ item[1] }}"
owner: root
group: root
state: link
loop: "{{ prebuilt_nodepaths | product(['node_modules']) }}"
- name: Create man1 subdirectory for man pages
ansible.builtin.file:
path: /usr/share/man/man1
recurse: true
owner: root
group: root
mode: "644"
state: directory
- name: Link shared resources to directories already recognized by system
ansible.builtin.file:
src: "{{ item[0] }}/share/man/man1/{{ item[1] }}.1"
dest: "/usr/share/man/man1/{{ item[1] }}.1"
owner: root
group: root
state: link
loop: "{{ prebuilt_nodepaths | product(['node']) }}"
- name: Create man1 subdirectory for man pages
ansible.builtin.file:
path: /usr/share/doc
recurse: true
owner: root
group: root
mode: "644"
state: directory
- name: Link shared resources to directories already recognized by system
ansible.builtin.file:
src: "{{ item[0] }}/share/doc/{{ item[1] }}"
dest: "/usr/share/doc/{{ item[1] }}"
owner: root
group: root
state: link
loop: "{{ prebuilt_nodepaths | product(['node']) }}"
# - name: Reboot machine for shell environment change
# ansible.builtin.reboot:
# msg: Rebooting machine
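Review bot: Both `Create man1 subdirectory for man pages` tasks combine `mode: "644"` with `recurse: true` on `/usr/share/man/man1` and `/usr/share/doc`, which strips the search (execute) bit from those directories and, because of `recurse`, from every existing subdirectory beneath them, breaking `man` and package documentation system-wide. Directories need `mode: "0755"`, and `recurse: true` should be dropped so the play does not rewrite permissions on files it does not manage; the radicle task file carries the same `man1` task. Separately, if `prebuilt_nodes` matches more than one `node-v*` directory, every link task rewrites `/usr/bin/node` per iteration and the last directory returned by `find` wins, so a deterministic selection (e.g. `sort` then `last`) would make the result reproducible.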


@@ -1,26 +1,26 @@
---
- name: Acquiring home of current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo ~{{ ansible_user }}"
register: ansible_user_home
- name: Installing NodeJS dependencies of quartz software
community.general.npm:
executable: "{{ ansible_facts['user_dir'] }}/.nvm/versions/node/v24.11.1/lib/node_modules/npm"
path: "{{ ansible_facts['user_dir'] }}/repos/.foreign/quartz"
path: "{{ ansible_user_home.stdout }}/repos/.foreign/quartz"
state: latest
- name: Configuring quartz software
block:
- name: Initializing quartz website
ansible.builtin.command:
chdir: "{{ ansible_facts['user_dir'] }}/repos/.foreign/quartz"
chdir: "{{ ansible_user_home.stdout }}/repos/.foreign/quartz"
cmd: npx quartz create
register: stdout
changed_when: stdout.rc == 0
- name: Installing quartz plugins referenced in website template
ansible.builtin.command:
chdir: "{{ ansible_facts['user_dir'] }}/repos/.foreign/quartz"
chdir: "{{ ansible_user_home.stdout }}/repos/.foreign/quartz"
cmd: npx quartz plugin install --from-config
register: stdout
changed_when: stdout.rc == 0
# - name: Starting quartz site web server
# ansible.builtin.command:
# chdir: "{{ ansible_facts['user_dir'] }}/repos/.foreign/quartz"
# chdir: "{{ ansible_user_home.stdout }}/repos/.foreign/quartz"
# cmd: npx quartz build --serve
# register: stdout
# changed_when: stdout
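Review bot: `changed_when: stdout.rc == 0` on both quartz commands reports a change on every successful run, so this file is never idempotent and `npx quartz create` is re-run against an already initialised checkout; a `creates:` argument naming a file the command produces, or a change test on the actual output, would fix that. The unchanged `executable:` line still hard-codes `~/.nvm/versions/node/v24.11.1/...` while the new `path`/`chdir` lines use `ansible_user_home.stdout`, and the nvm task file in this compare installs node under `downloads/archives/released/nvm`; confirm which layout is live, since the pinned version will otherwise go stale silently.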


@@ -0,0 +1,51 @@
---
- name: Acquiring home of current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo ~{{ ansible_user }}"
register: ansible_user_home
- name: Acquiring current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo {{ ansible_user }}"
register: current_user
- name: Executing shell-scripted installation process for Radicle
become: true
become_user: "{{ current_user.stdout }}"
ansible.builtin.shell:
cmd: "{{ ansible_user_home.stdout }}/.local/bin/radicle-install.sh"
creates: "{{ ansible_user_home.stdout }}/.radicle"
- name: Bootstrapping Radicle
become: true
block:
- name: Linking binaries to directories already in PATH environment variable
ansible.builtin.file:
src: "{{ ansible_user_home.stdout }}/.radicle/bin/{{ item }}"
dest: "/usr/bin/{{ item }}"
state: link
loop:
- rad
- radicle-node
- git-remote-rad
- name: Create man1 subdirectory for man pages
ansible.builtin.file:
path: /usr/share/man/man1
recurse: true
owner: root
group: root
mode: "644"
state: directory
- name: Link manpages to Linux manpage directories
ansible.builtin.file:
src: "{{ ansible_user_home.stdout }}/.radicle/man/man1/{{ item }}.1"
dest: "/usr/share/man/man1/{{ item }}.1"
state: link
loop:
- rad
- radicle-node
- git-remote-rad
- rad-id
- rad-patch
# - name: Reboot machine for shell environment change
# ansible.builtin.reboot:
# msg: Rebooting machine


@@ -0,0 +1,28 @@
---
- name: Acquiring home of current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo ~{{ ansible_user }}"
register: ansible_user_home
- name: Acquiring current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo {{ ansible_user }}"
register: current_user
- name: Executing shell-scripted installation process for Rust
become: true
become_user: "{{ current_user.stdout }}"
ansible.builtin.shell:
cmd: "{{ ansible_user_home.stdout }}/.local/bin/rustup-install.sh -yq"
creates: "{{ ansible_user_home.stdout }}/.cargo/bin"
- name: Linking binaries to directories already in PATH environment variable
become: true
ansible.builtin.file:
src: "{{ ansible_user_home.stdout }}/.cargo/bin/{{ item }}"
dest: "/usr/bin/{{ item }}"
state: link
loop:
- rustup
# - name: Reboot machine for shell environment change
# ansible.builtin.reboot:
# msg: Rebooting machine


@@ -0,0 +1,57 @@
---
- name: Acquiring home of current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo ~{{ ansible_user }}"
register: ansible_user_home
- name: Linking binaries to directories already in PATH environment variable
become: true
ansible.builtin.file:
src: "{{ ansible_user_home.stdout }}/downloads/archives/released/surge/{{ item }}"
dest: "/usr/bin/{{ item }}"
state: link
loop:
- surge
- name: Installing accompanying complementary Surge system service
ansible.builtin.command:
cmd: surge service install
- name: Acquiring API token for remote Surge service control
ansible.builtin.command:
cmd: surge token
register: surge_token
- name: Pausing to inquire about how to proceed
ansible.builtin.pause:
prompt: "Type \"fetch\" to get the Surge API token, or \"show\" to see it for manual copying instead"
echo: true
register: data_method
- name: Choosing to present Surge API token to Control Node
when: data_method.user_input == "show"
block:
- name: Presenting Surge API token to Control Node
ansible.builtin.debug:
msg: "Make sure to store the following API token for Surge:\n {{ surge_token.stdout }}"
- name: Giving opportunity to manually copy Surge API token
ansible.builtin.pause:
- name: Choosing to provide file on control node containing Surge's API token
when: data_method.user_input == "fetch"
block:
- name: Creating temporary file on managed node that stores Surge API token
become: true
ansible.builtin.copy:
content: "{{ surge_token.stdout }}"
dest: /tmp/surge.token
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: "644"
register: surge_token
- name: Placing Surge API token into file on control node
ansible.builtin.fetch:
src: "{{ surge_token.dest }}"
dest: "./.tmp/{{ inventory_hostname }}-surge/surge.secret"
flat: true
- name: Informing control node of acquired files
ansible.builtin.debug:
msg: "The Surge API token file have been duplicated to '/var/tmp/{{ inventory_hostname }}/surge.token' at the control node."
- name: Giving control node user time to read the aforementiioned message
ansible.builtin.pause:
seconds: 30
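Review bot: The `Creating temporary file` task writes the Surge API token to `/tmp/surge.token` with `mode: "644"`, making the secret readable by every local account, and nothing removes the file after the `fetch`. Use `mode: "0600"` and add an `ansible.builtin.file` task with `path: /tmp/surge.token` and `state: absent` after the fetch (or create the file with `ansible.builtin.tempfile`). That task also re-registers `surge_token`, overwriting the command result with the copy result; it works for `surge_token.dest` but is easy to misread. The closing `debug` message names `/var/tmp/{{ inventory_hostname }}/surge.token` while the fetch `dest` is `./.tmp/{{ inventory_hostname }}-surge/surge.secret`, so the operator is pointed at the wrong path; the message should quote the real destination.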


@@ -0,0 +1,8 @@
---
- name: Starting and enabling TOR daemon service
become: true
ansible.builtin.systemd_service:
name: tor
scope: system
enabled: true
state: started


@@ -0,0 +1,29 @@
---
- name: Acquiring home of current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo ~{{ ansible_user }}"
register: ansible_user_home
- name: Acquiring current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo {{ ansible_user }}"
register: current_user
- name: Executing a shell-scripted installation process
become: true
become_user: "{{ current_user.stdout }}"
ansible.builtin.shell:
cmd: "{{ ansible_user_home.stdout }}/.local/bin/uv-install.sh"
creates: "{{ ansible_user_home.stdout }}/.local/bin/uv"
- name: Linking binaries to directories already in PATH environment variable
become: true
ansible.builtin.file:
src: "{{ ansible_user_home.stdout }}/.local/bin/{{ item }}"
dest: "/usr/bin/{{ item }}"
state: link
loop:
- uv
- uvx
# - name: Reboot machine for shell environment change
# ansible.builtin.reboot:
# msg: Rebooting machine


@@ -0,0 +1,55 @@
---
- name: Acquiring home of current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo ~{{ ansible_user }}"
register: ansible_user_home
- name: Acquiring current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo {{ ansible_user }}"
register: current_user
- name: Preparing to create a directory structure for ViM paths
become: true
become_user: "{{ current_user.stdout }}"
block:
- name: Creating directory structure for ViM paths
ansible.builtin.file:
path: "{{ ansible_user_home.stdout }}/.vim/{{ item }}"
recurse: true
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: "755"
state: directory
loop:
- autoload
- backup
- colors
- plugged
- name: Pulling and integrating ViM plugin manager
become: true
become_user: "{{ current_user.stdout }}"
ansible.builtin.uri:
url: "https://raw.githubusercontent.com/junegunn/vim-plug/master/plug.vim"
dest: "{{ ansible_user_home.stdout }}/.vim/autoload/plug.vim"
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
force: true
mode: "644"
follow_redirects: safe
- name: Configuring ViM
become: true
become_user: "{{ current_user.stdout }}"
ansible.builtin.template:
src: user/vimrc.j2
dest: "{{ ansible_user_home.stdout }}/.vimrc"
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
force: true
backup: true
- name: Informing user of need to manually run PlugInstall in ViM
ansible.builtin.debug:
msg: "Make sure to run \":PlugInstall\" the first time you open/use ViM"
- name: Pausing to ensure user has read message about needed manual PlugInstall execution for ViM
ansible.builtin.pause:
seconds: 30
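Review bot: The `Pulling and integrating ViM plugin manager` task downloads `plug.vim` from the `master` branch with `ansible.builtin.uri`, which has no `checksum` option, so whatever that URL serves is written into the user's autoload directory and sourced on every Vim start without any integrity check. Pin the URL to a tag or commit and fetch it with `ansible.builtin.get_url` carrying `checksum: "sha256:<EXPECTED_SHA256>"` (placeholder for the verified digest). The `Configuring ViM` template task sets no `mode:`; `mode: "0644"` makes the result explicit rather than umask-dependent.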


@@ -0,0 +1,233 @@
#SPDX-License-Identifier: MIT-0
---
# tasks file for roles/init-vps
- name: Acquiring home of current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo ~{{ ansible_user }}"
register: ansible_user_home
- name: Acquiring current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo {{ ansible_user }}"
register: current_user
- name: Creating prerequisite directory tree for installation scripts
become: true
become_user: "{{ current_user.stdout }}"
ansible.builtin.file:
path: "{{ ansible_user_home.stdout }}/.local/bin"
recurse: true
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
state: directory
- name: Creating prerequisite directory tree for unarchived archives
become: true
become_user: "{{ current_user.stdout }}"
ansible.builtin.file:
path: "{{ ansible_user_home.stdout }}/downloads/archives/released"
recurse: true
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
state: directory
- name: Creating prerequisite directory tree for package installation executables
become: true
become_user: "{{ current_user.stdout }}"
ansible.builtin.file:
path: "{{ ansible_user_home.stdout }}/.local_pkgs"
recurse: true
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
state: directory
- name: Installing Linux software
when: ansible_facts["system"] == "Linux"
block:
- name: Installing software using Debian package manager
when: ansible_facts["os_family"] == "Debian"
become: true
block:
- name: Creating core OS repository sources for package manager
when: ansible_facts["os_family"] == "Debian"
ansible.builtin.deb822_repository:
name: "{{ item.name }}"
uris: "{{ item.sources }}"
types: "{{ item.types }}"
suites: "{{ item.suites }}"
components: "{{ item.comps }}"
signed_by: "{{ item.sigkey }}"
state: present
loop:
- name: debian-trixie
sources: "http://deb.debian.org/debian/"
sigkey: /usr/share/keyrings/debian-archive-keyring.gpg
types:
- deb-src
- deb
suites:
- trixie
- trixie-updates
comps:
- main
- non-free-firmware
- contrib
- name: debian-trixie-security
sources: "http://security.debian.org/debian-security"
sigkey: /usr/share/keyrings/debian-archive-keyring.gpg
types:
- deb-src
- deb
suites: trixie-security
comps:
- main
- non-free-firmware
- contrib
- name: Remove previous core OS repository sources for package manager
ansible.builtin.file:
path: /etc/apt/sources.list
state: absent
# @TODO uncomment below before continuing with testing previous task
# - name: Premature end of play
# ansible.builtin.meta: end_play
- name: Updating package cache
ansible.builtin.apt:
update_cache: true
- name: Updating package cache
ansible.builtin.apt:
upgrade: dist
autoremove: true
- name: Registering a package source
when: item.sources != None
ansible.builtin.deb822_repository:
name: "{{ item.name }}"
uris: "{{ item.sources }}"
types: "{{ item.types | default('deb') }}"
suites: "{{ item.suites | default('*') }}"
components: "{{ item.comps | default('*') }}"
signed_by: "{{ item.sigkey }}"
state: present
loop: "{{ ((pkgs.mngr.core | default([]))) }}"
- name: Updating package cache
ansible.builtin.apt:
update_cache: true
- name: Installing a local package in managed node
when: item.uri != None
ansible.builtin.apt:
deb: "{{ item.uri }}"
state: present
notify: "{{ item.handler | default('default') }}"
loop: "{{ (pkgs.mngr.core | default([])) | selectattr('uri', 'search', '\\.deb$') }}"
- name: Installing a package
when: item.name != None and item.uri == None
ansible.builtin.package:
name: "{{ item.name }}"
state: present
notify: "{{ item.handler | default('default') }}"
loop: "{{ ((pkgs.mngr.core | default([]))) | rejectattr('uri', 'search', '\\.deb$') }}"
tags:
- get_mngr_pkgs
- name: Installing software by executing installation shell scripts
block:
- name: Acquiring installation shell script
become: true
become_user: "{{ current_user.stdout }}"
when: item.src != None and (((pkgs.script.core | default([]))) | length) > 0
ansible.builtin.uri:
url: "{{ item.src }}"
dest: "{{ ansible_user_home.stdout }}/.local/bin/{{ item.name }}-install.sh"
follow_redirects: safe
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
force: true
mode: "744"
notify: "{{ ((pkgs.script.core | default([])))[idx].handler | default('default') }}"
loop: "{{ (pkgs.script.core | default([])) }}"
loop_control:
index_var: idx
register: install_scripts
- name: Reboot machine for shell environment change
become: true
ansible.builtin.reboot:
msg: Rebooting machine
tags:
- get_script_pkgs
- name: Installing software by building it from source archives
block:
- name: Acquiring software source archive
become: true
become_user: "{{ current_user.stdout }}"
when: item.src != None
ansible.builtin.get_url:
url: "{{ item.src }}"
dest: "{{ ansible_user_home.stdout }}/downloads/archives/"
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
force: true
backup: true
mode: "644"
loop: "{{ (pkgs.archive.core | default([])) }}"
register: archived_builds
- name: Create subdirectories for unarchiving
become: true
become_user: "{{ current_user.stdout }}"
ansible.builtin.file:
path: "{{ ansible_user_home.stdout }}/downloads/archives/released/{{ ((pkgs.archive.core | default([])))[idx].name }}"
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: "755"
state: directory
loop: "{{ archived_builds.results }}"
loop_control:
index_var: idx
- name: Unarchiving software build archive
become: true
become_user: "{{ current_user.stdout }}"
when: item.dest != None and (((pkgs.script.core | default([]))) | length) > 0
ansible.builtin.unarchive:
src: "{{ item.dest }}"
remote_src: true
dest: "{{ ansible_user_home.stdout }}/downloads/archives/released/{{ ((pkgs.archive.core | default([])))[idx].name }}/"
notify: "{{ ((pkgs.archive.core | default([])))[idx].handler | default('default') }}"
loop: "{{ archived_builds.results }}"
loop_control:
index_var: idx
- name: Reboot machine for shell environment change
become: true
ansible.builtin.reboot:
msg: Rebooting machine
tags:
- get_archive_pkgs
- name: Installing software from source git repositories
block:
- name: Clone git bare repository
become: true
become_user: "{{ current_user.stdout }}"
when: item.src != None
ansible.builtin.git:
repo: "{{ item.src }}"
dest: "{{ ansible_user_home.stdout }}/repos/.foreign/{{ item.name }}"
version: "{{ item.branch }}"
clone: true
single_branch: true
notify: "{{ item.handler | default('default') }}"
loop: "{{ (pkgs.git_repos.core | default([])) }}"
register: installation_repos
- name: Reboot machine for shell environment change
become: true
ansible.builtin.reboot:
msg: Rebooting machine
tags:
- get_git_pkgs
- name: Installing software as pre-compiled binary
block:
- name: Grabbing software binary
become: true
ansible.builtin.get_url:
url: "{{ item.src }}"
dest: "/usr/bin/{{ item.name }}"
owner: root
group: root
mode: "744"
force: true
backup: true
notify: "{{ item.handler }}"
loop: "{{ (pkgs.binaries.core | default([])) }}"
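Review bot: None of the downloads in this file are integrity-checked: installation scripts fetched by `uri` (which has no `checksum` option) are executed later, source archives and pre-built binaries are fetched by `get_url` with `force: true` into `downloads/archives` and root-owned `/usr/bin`, and `.deb` files are installed by `apt` straight from `item.uri`. Switch the script fetch to `get_url` and add `checksum: "{{ item.checksum | default(omit) }}"` (or make the field mandatory in `pkgs`) on each download so a tampered upstream cannot be executed as the user or as root. Two smaller defects: the `Unarchiving software build archive` condition tests `pkgs.script.core | length` where `pkgs.archive.core` is evidently meant, and `Grabbing software binary` uses `notify: "{{ item.handler }}"` without the `| default('default')` the other groups use, so a binary entry without a handler fails the task.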


@@ -1,11 +1,17 @@
#SPDX-License-Identifier: MIT-0
---
# tasks file for roles/init-vps
- name: Acquiring current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo {{ ansible_user }}"
register: current_user
- name: Checking whether administrative login used
when: ansible_user not in (admins | map(attribute="username") | list) and ansible_user != "root"
ansible.builtin.fail:
msg: Must use administrative user for subsequent tasks
- name: Hardening SSH service for the Linode VPS
- name: Hardening SSH service
become: true
ansible.builtin.copy:
src: sshd_config.d/harden.conf
dest: /etc/ssh/sshd_config.d/harden.conf
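Review bot: The `Hardening SSH service` copy of the sshd drop-in shows no `validate:` in the visible lines, so a malformed `harden.conf` is installed and the next `sshd` reload fails, which on a remote VPS means losing access; `validate: /usr/sbin/sshd -t -f %s` makes the copy refuse a broken file. The task continues past the end of the hunk, so owner and mode may be set further down; if not, `owner: root`, `group: root`, `mode: "0644"` should be explicit. The new `Acquiring current user` task registers `current_user`, which nothing in this hunk reads; if it is unused in this file it can be dropped.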


@@ -1,136 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
# tasks file for roles/init-vps
- name: Checking whether administrative login used
when: ansible_user not in (admins | map(attribute="username") | list)
ansible.builtin.fail:
msg: Must use administrative user for subsequent tasks
- name: Creating prerequisite directory tree for installation scripts
ansible.builtin.file:
path: "{{ ansible_facts['user_dir'] }}/.local/bin"
recurse: true
state: directory
- name: Creating prerequisite directory tree for unarchived archives
ansible.builtin.file:
path: "{{ ansible_facts['user_dir'] }}/downloads/archives/released"
recurse: true
state: directory
- name: Creating prerequisite directory tree for package installation executables
ansible.builtin.file:
path: "{{ ansible_facts['user_dir'] }}/.local_pkgs"
recurse: true
state: directory
- name: Installing Linux software
when: ansible_facts["system"] == "Linux"
block:
- name: Installing software using Debian package manager
when: ansible_facts["os_family"] == "Debian"
become: true
block:
- name: Registering a package signing key
when: item.key != None and item.key_path != None
ansible.builtin.get_url:
url: "{{ item.key }}"
dest: "{{ item.key_path | default('/etc/apt/keyrings/') }}"
owner: root
group: root
mode: "644"
force: true
backup: true
loop: "{{ pkgs.mngr.core + pkgs.mngr.userspace | rejectattr('key', 'search', '\\.deb$') }}"
- name: Premature stop
ansible.builtin.meta: end_play
- name: Installing a package signing key
when: item.key != None
ansible.builtin.apt:
deb: "{{ item.key }}"
state: present
loop: "{{ pkgs.mngr.core + pkgs.mngr.userspace | selectattr('key', 'search', '\\.deb$') }}"
- name: Registering a package source
when: item.src_entry != None and item.src_path != None
ansible.builtin.copy:
content: "{{ item.src_entry }}"
dest: "{{ item.src_path }}"
owner: root
group: root
mode: "644"
force: true
backup: true
loop: "{{ pkgs.mngr.core + pkgs.mngr.userspace }}"
- name: Installing a local package in managed node
when: item.uri != None
ansible.builtin.apt:
deb: "{{ item.uri }}"
update_cache: true
state: present
notify: "{{ item.name }}"
loop: "{{ pkgs.mngr.core + pkgs.mngr.userspace | selectattr('uri', 'search', '\\.deb$') }}"
- name: Installing a package
when: item.name != None and item.uri == None
ansible.builtin.package:
name: "{{ item.name }}"
update_cache: true
state: latest
notify: "{{ item.name }}" # @TODO create corresponding roles/init-vps handlers
loop: "{{ pkgs.mngr.core + pkgs.mngr.userspace | rejectattr('uri', 'search', '\\.deb$') }}"
tags:
- get_mngr_pkgs
- name: Installing software by executing installation shell scripts
when: item.src != None
block:
- name: Acquiring installation shell script
ansible.builtin.get_url:
url: "{{ item.src }}"
dest: "{{ ansible_facts['user_dir'] }}/.local/bin/{{ item.name }}-install.sh"
force: true
backup: true
mode: "744"
loop: "{{ pkgs.script.core + pkgs.script.userspace }}"
register: install_scripts
- name: Executing a shell-scripted installation process
become: true
ansible.builtin.shell:
cmd: "{{ item.dest }}"
notify: "{{ (pkgs.script.core + pkgs.script.userspace)[idx].name }}"
loop: "{{ install_scripts.results }}"
loop_control:
index_var: idx
tags:
- get_script_pkgs
# @TODO complete below block task
- name: Installing software by building it from source archives
block:
- name: Acquiring software source archive
ansible.builtin.get_url:
url: "{{ item.src }}"
dest: "{{ ansible_facts['user_dir'] }}/downloads/archives/"
force: true
backup: true
mode: "644"
loop: "{{ pkgs.archive.core + pkgs.archive.userspace }}"
register: archived_builds
- name: Unarchiving software build archive
ansible.builtin.unarchive:
src: "{{ item.dest }}"
remote_src: true
dest: "{{ ansible_facts['user_dir'] }}/downloads/archives/released/{{ (pkgs.archive.core + pkgs.archive.userspace)[idx].name }}/"
notify: "{{ (pkgs.archive.core + pkgs.archive.userspace)[idx].name }}"
loop: "{{ archived_builds.results }}"
loop_control:
index_var: idx
tags:
- get_archive_pkgs
- name: Installing software from source git repositories
block:
- name: Clone git bare repository
ansible.builtin.git:
repo: "{{ item.src }}"
dest: "{{ ansible_facts['user_dir'] }}/repos/.foreign/{{ item.name }}"
version: "{{ item.branch }}"
clone: true
single_branch: true
notify: "{{ item.name }}"
loop: "{{ pkgs.git_repos.core + pkgs.git_repos.userspace }}"
register: installation_repos
tags:
- get_git_pkgs


@@ -2,6 +2,11 @@
---
# tasks file for roles/init-vps
# @TODO complete below tasks
- name: Acquiring current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo {{ ansible_user }}"
register: current_user
- name: Checking whether administrative login used
when: ansible_user not in (admins | map(attribute="username") | list)
ansible.builtin.fail:
@@ -46,8 +51,6 @@
when: ansible_facts["system"] == "Linux"
become: true
ansible.builtin.blockinfile:
# src: sshd_config.d/sftp.conf.j2
# dest: /etc/ssh/sshd_config.d/sftp.conf
path: /etc/ssh/sshd_config.d/sftp.conf
block: |
Match Group {{ item.name }}
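Review bot: The new `Acquiring current user` task registers `current_user`, but nothing in either hunk reads it, and the shell call only echoes a variable the play already holds; if a later task in this file needs it, `ansible.builtin.set_fact` avoids the subprocess (the same pattern recurs in the other new task files). The `blockinfile` edit of `/etc/ssh/sshd_config.d/sftp.conf` shows no `validate:` in the visible lines; the task continues past the hunk, and if it lacks one, `validate: /usr/sbin/sshd -t -f %s` would stop a bad `Match Group` block from landing in a live sshd configuration.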


@@ -6,7 +6,7 @@
delegate_facts: true
delegate_to: localhost
ansible.builtin.find:
paths: "{{ local_facts['user_dir'] }}/.ssh" # @TODO define 'cnode_homedir' in playbook
paths: "{{ local_facts['user_dir'] | default(lookup('env', 'HOME')) }}/.ssh" # @TODO define 'cnode_homedir' in playbook
patterns: "{{ ['^'] | product(ssh_keys) | map('join') | list }}"
file_type: file
use_regex: true
@@ -18,20 +18,41 @@
ansible.builtin.set_fact:
root_pubkeys: "{{ root_pubkeys | default([]) + [lookup('file', item)] }}"
loop: "{{ root_pubkey_paths }}"
- name: Ensuring password is defined for root user
when: prehashed_password is undefined or prehashed_password == None
block:
- name: Prompting for password for or of root user
when: password is undefined or password == None
ansible.builtin.pause:
prompt: "Provide a password for the root user"
echo: false
register: prompted_password
- name: Getting the inputted password for root user
when: prompted_password is defined or prompted_password != None
ansible.builtin.set_fact:
prehashed_password: "{{ prompted_password.user_input }}"
- name: Bootstrapping VPS
block:
- name: Ensuring token is available for VPS service API
when: token is undefined or token == None
ansible.builtin.pause:
prompt: "Provide the API token for the given VPS service"
echo: false
register: prompted_token
- name: Creating VPS via Linode VPS service API
block:
- name: Creating the VPS
linode.cloud.instance:
api_token: "{{ token }}"
api_token: "{{ token | prompted_token.user_input }}"
label: "{{ instance }}"
type: g6-standard-2
image: "{{ operating_system }}"
disk_encryption: enabled
region: "{{ origin }}"
private_ip: true
root_pass: "{{ password }}"
# @TODO find out if 'root_pass' attribute takes in hashed or plaintext password
# root_pass: "{{ password | default((prehashed_password | lookup('password_hash', hashtype='sha512'))) }}" # IF HASHED
root_pass: "{{ password | default(prehashed_password) }}" # IF PLAINTEXT
authorized_keys: "{{ root_pubkeys }}"
state: present
register: new_instance
@@ -43,7 +64,6 @@
timeout: 300
vars:
ansible_ssh_private_key_file: "{{ chosen_privkey | default(ssh_keypairs.files | rejectattr('path', 'search', '\\.pub$') | map(attribute='path') | list | random) }}" # @TODO define 'chosen_privkey'in playbook
ansible_user: root
loop: "{{ new_instance.instance[ip_pref] }}"
tags:
- linode
@@ -66,8 +86,6 @@
ansible.builtin.wait_for_connection:
delay: 20
timeout: 300
vars:
ansible_user: root
loop: "{{ groups[instance] | default(hostvars[instance]) }}"
- name: Checking if that server has required operating system
delegate_to: "{{ item }}"
@@ -76,8 +94,6 @@
when: ansible_facts["system"] != "Linux" and item is ansible.utils['ip_pref']
ansible.builtin.fail:
msg: Unsupported operating system found
vars:
ansible_user: root
loop: "{{ groups[instance] | default(hostvars[instance]) }}"
- name: Checking if that server has required Linux distro
delegate_to: "{{ item }}"
@@ -86,21 +102,16 @@
when: ansible_facts["system"] == "Linux" and ansible_facts["os_family"] != "Debian" and item is ansible.utils['ip_pref']
ansible.builtin.fail:
msg: Unsupported Linux distro found
vars:
ansible_user: root
loop: "{{ groups[instance] | default(hostvars[instance]) }}"
# @TODO find way to incorporate use of 'groups[instance] | default(hostvars[instance]' for
# looping without loop nesting in below task
- name: Providing authorized keys for server root account
delegate_to: "{{ (groups[instance] | default(hostvars[instance]))[0] }}"
delegate_to: "{{ item[0] }}"
delegate_facts: true
become: true
remote_user: root
ansible.posix.authorized_key:
user: "{{ ansible_user }}"
key: "{{ lookup('file', item) }}"
key: "{{ lookup('file', item[1]) }}"
state: present
vars:
ansible_user: root
loop: "{{ root_pubkey_paths }}"
loop: "{{ (groups[instance] | default(hostvars[instance])) | product(root_pubkey_paths) }}"
tags:
- lan
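Review bot: The new `api_token: "{{ token | prompted_token.user_input }}"` line is a Jinja filter pipe, and `prompted_token.user_input` is not a filter, so templating this task fails whenever it runs; the intent is `api_token: "{{ token | default(prompted_token.user_input) }}"`, mirroring the `root_pass` line below it. `when: prompted_password is defined or prompted_password != None` needs `and` rather than `or`: with `or`, an undefined `prompted_password` falls through to the `!= None` comparison on an undefined variable. The Linode instance-creation API takes the plaintext root password as far as the collection documents it, so the hashed variant in the comment should not be needed — confirm against `linode.cloud.instance`; either way, `no_log: true` on `Creating the VPS` keeps the password and token out of play output.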


@@ -16,6 +16,27 @@
register: remote_group
tags:
- lan
- name: Managing passwords
when: prehashed_passwords is undefined or prehashed_passwords == None
block:
- name: Acquiring users lacking passwords
ansible.builtin.set_fact:
passwordless_admins: "{{ admins | selectattr('password', '==', 'null') | list }}"
- name: Pausing to acquire password for a user
when: item.password is undefined or item.password == None
ansible.builtin.pause:
prompt: "Provide a password for the administrative user, {{ item.username }}"
echo: false
loop: "{{ passwordless_admins }}"
register: prompted_passwords
- name: Processing inputted password per user
when: prompted_passwords is defined and prompted_passwords != None
ansible.builtin.set_fact:
prehashed_passwords: "{{ (prompted_passwords.results | default([])) | map(attribute='user_input') | list }}"
- name: Pairing inputted passwords with associated user
when: prehashed_passwords is defined or prehashed_passwords != None
ansible.builtin.set_fact:
prehashed_passwords: "{{ dict(passwordless_admins | map(attribute='username') | zip(prehashed_passwords) | list) }}"
- name: Creating an administrative user
become: true
ansible.builtin.user:
@@ -27,7 +48,7 @@
append: true
generate_ssh_key: true
create_home: true
password: "{{ item.password }}"
password: "{{ item.password | default((prehashed_passwords[item.username] | password_hash(hashtype='sha512'))) }}"
shell: "/bin/bash"
loop: "{{ admins }}"
register: admin_users
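Review bot: `selectattr('password', '==', 'null')` in `Acquiring users lacking passwords` compares against the string `'null'`, not YAML null, so an admin with `password: null` (or no password key) is never selected and no prompt is issued; `selectattr('password', 'none')` (preceded by `selectattr('password', 'defined')` if the key may be absent) matches the intent. `when: prehashed_passwords is defined or prehashed_passwords != None` should use `and`, since with `or` an undefined variable reaches the `!= None` test. The plaintext passwords are carried in the `prompted_passwords` register and the `prehashed_passwords` fact; `no_log: true` on the pause and `set_fact` tasks keeps them out of logs and callback output.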


@@ -0,0 +1,232 @@
#SPDX-License-Identifier: MIT-0
---
# tasks file for roles/init-vps
- name: Acquiring home of current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo ~{{ ansible_user }}"
register: ansible_user_home
- name: Acquiring current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo {{ ansible_user }}"
register: current_user
- name: Creating prerequisite directory tree for installation scripts
ansible.builtin.file:
path: "{{ ansible_user_home.stdout }}/.local/bin"
recurse: true
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
state: directory
- name: Creating prerequisite directory tree for unarchived archives
ansible.builtin.file:
path: "{{ ansible_user_home.stdout }}/downloads/archives/released"
recurse: true
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
state: directory
- name: Creating prerequisite directory tree for package installation executables
ansible.builtin.file:
path: "{{ ansible_user_home.stdout }}/.local_pkgs"
recurse: true
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
state: directory
- name: Creating prerequisite directory tree for git repos
ansible.builtin.file:
path: "{{ ansible_user_home.stdout }}/repos/.foreign"
recurse: true
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
state: directory
- name: Installing Linux software
when: ansible_facts["system"] == "Linux"
block:
- name: Installing software using Debian package manager
when: ansible_facts["os_family"] == "Debian"
become: true
block:
- name: Creating core OS repository sources for package manager
when: ansible_facts["os_family"] == "Debian"
ansible.builtin.deb822_repository:
name: "{{ item.name }}"
uris: "{{ item.sources }}"
types: "{{ item.types }}"
suites: "{{ item.suites }}"
components: "{{ item.comps }}"
signed_by: "{{ item.sigkey }}"
state: present
loop:
- name: debian-trixie
sources: "http://deb.debian.org/debian/"
sigkey: /usr/share/keyrings/debian-archive-keyring.gpg
types:
- deb-src
- deb
suites:
- trixie
- trixie-updates
comps:
- main
- non-free-firmware
- contrib
- name: debian-trixie-security
sources: "http://security.debian.org/debian-security"
sigkey: /usr/share/keyrings/debian-archive-keyring.gpg
types:
- deb-src
- deb
suites: trixie-security
comps:
- main
- non-free-firmware
- contrib
- name: Remove previous core OS repository sources for package manager
ansible.builtin.file:
path: /etc/apt/sources.list
state: absent
# @TODO uncomment below before continuing with testing previous task
# - name: Premature end of play
# ansible.builtin.meta: end_play
- name: Updating package cache
ansible.builtin.apt:
update_cache: true
- name: Updating package cache
ansible.builtin.apt:
upgrade: dist
autoremove: true
- name: Registering a package source
when: item.sources != None
ansible.builtin.deb822_repository:
name: "{{ item.name }}"
uris: "{{ item.sources }}"
types: "{{ item.types | default('deb') }}"
suites: "{{ item.suites | default('*') }}"
components: "{{ item.comps | default('*') }}"
signed_by: "{{ item.sigkey }}"
state: present
loop: "{{ (pkgs.mngr.userspace | default([])) }}"
- name: Updating package cache
ansible.builtin.apt:
update_cache: true
- name: Installing a local package in managed node
when: item.uri != None
ansible.builtin.apt:
deb: "{{ item.uri }}"
state: present
notify: "{{ item.handler | default('default') }}"
loop: "{{ (pkgs.mngr.userspace | default([])) | selectattr('uri', 'search', '\\.deb$') }}"
- name: Installing a package
when: item.name != None and item.uri == None
ansible.builtin.package:
name: "{{ item.name }}"
state: latest
notify: "{{ item.handler | default('default') }}" # @TODO create corresponding roles/init-vps handlers
loop: "{{ (pkgs.mngr.userspace | default([])) | rejectattr('uri', 'search', '\\.deb$') }}"
tags:
- get_mngr_pkgs
- name: Installing software by executing installation shell scripts
become: true
block:
- name: Acquiring installation shell script
become_user: "{{ current_user.stdout }}"
when: item.src != None and ((pkgs.script.userspace | default([])) | length) > 0
ansible.builtin.uri:
url: "{{ item.src }}"
dest: "{{ ansible_user_home.stdout }}/.local/bin/{{ item.name }}-install.sh"
follow_redirects: safe
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
force: true
mode: "744"
notify: "{{ (pkgs.script.userspace | default([]))[idx].handler | default('default') }}"
loop: "{{ (pkgs.script.userspace | default([])) }}"
loop_control:
index_var: idx
register: install_scripts
- name: Reboot machine for shell environment change
ansible.builtin.reboot:
msg: Rebooting machine
tags:
- get_script_pkgs
- name: Installing software by building it from source archives
block:
- name: Acquiring software source archive
become: true
become_user: "{{ current_user.stdout }}"
when: item.src != None
ansible.builtin.get_url:
url: "{{ item.src }}"
dest: "{{ ansible_user_home.stdout }}/downloads/archives/"
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
force: true
backup: true
mode: "644"
loop: "{{ (pkgs.archive.userspace | default([])) }}"
register: archived_builds
- name: Create subdirectories for unarchiving
ansible.builtin.file:
path: "{{ ansible_user_home.stdout }}/downloads/archives/released/{{ (pkgs.archive.userspace | default([]))[idx].name }}"
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: "755"
state: directory
loop: "{{ archived_builds.results }}"
loop_control:
index_var: idx
- name: Unarchiving software build archive
become: true
become_user: "{{ current_user.stdout }}"
when: item.dest != None and ((pkgs.script.userspace | default([])) | length) > 0
ansible.builtin.unarchive:
src: "{{ item.dest }}"
remote_src: true
dest: "{{ ansible_user_home.stdout }}/downloads/archives/released/{{ (pkgs.archive.userspace | default([]))[idx].name }}/"
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
notify: "{{ (pkgs.archive.userspace | default([]))[idx].handler | default('default') }}"
loop: "{{ archived_builds.results }}"
loop_control:
index_var: idx
- name: Reboot machine for shell environment change
become: true
ansible.builtin.reboot:
msg: Rebooting machine
tags:
- get_archive_pkgs
- name: Installing software from source git repositories
block:
- name: Clone git bare repository
become: true
become_user: "{{ current_user.stdout }}"
when: item.src != None
ansible.builtin.git:
repo: "{{ item.src }}"
dest: "{{ ansible_user_home.stdout }}/repos/.foreign/{{ item.name }}"
version: "{{ item.branch }}"
clone: true
single_branch: true
notify: "{{ item.handler | default('default') }}"
loop: "{{ (pkgs.git_repos.userspace | default([])) }}"
register: installation_repos
- name: Reboot machine for shell environment change
become: true
ansible.builtin.reboot:
msg: Rebooting machine
tags:
- get_git_pkgs
- name: Installing software as pre-compiled binary
block:
- name: Grabbing software binary
become: true
ansible.builtin.get_url:
url: "{{ item.src }}"
dest: "/usr/bin/{{ item.name }}"
owner: root
group: root
mode: "744"
force: true
backup: true
notify: "{{ item.handler }}"
loop: "{{ (pkgs.binaries.userspace | default([])) }}"


@@ -0,0 +1,498 @@
---
# headscale will look for a configuration file named `config.yaml` (or `config.json`) in the following order:
#
# - `/etc/headscale`
# - `~/.headscale`
# - current working directory
# The url clients will connect to.
# Typically this will be a domain like:
#
# https://myheadscale.example.com:443
#
server_url: {{ tail.scheme + '://' + tail.domain + tail.port }}
# Address to listen to / bind to on the server
#
# For production:
# listen_addr: 0.0.0.0:8080
listen_addr: {{ '0.0.0.0' + tail.port }}
# Address to listen to /metrics and /debug, you may want
# to keep this endpoint private to your internal network
# Use an empty value to disable the metrics listener.
metrics_listen_addr: 127.0.0.1:9090
# Address to listen for gRPC.
# gRPC is used for controlling a headscale server
# remotely with the CLI
# Note: Remote access _only_ works if you have
# valid certificates.
#
# For production:
# grpc_listen_addr: 0.0.0.0:50443
{% if tail.grpc.expose %}
grpc_listen_addr: {{ '0.0.0.0' + tail.grpc.port }}
{% else %}
grpc_listen_addr: 127.0.0.1:50443
{% endif %}
# Allow the gRPC admin interface to run in INSECURE
# mode. This is not recommended as the traffic will
# be unencrypted. Only enable if you know what you
# are doing.
{% if tail.grpc.secure %}
grpc_allow_insecure: false
{% else %}
grpc_allow_insecure: true
{% endif %}
# CIDR(s) of reverse proxies (e.g. 127.0.0.1/32) whose
# True-Client-IP, X-Real-IP and X-Forwarded-For headers should
# be honoured. Empty (default) ignores those headers; setting
# this without a proxy in front lets clients spoof their logged
# source IP.
trusted_proxies: []
# The Noise section includes specific configuration for the
# TS2021 Noise protocol
noise:
# The Noise private key is used to encrypt the traffic between headscale and
# Tailscale clients when using the new Noise-based protocol. A missing key
# will be automatically generated.
private_key_path: /var/lib/headscale/noise_private.key
# List of IP prefixes to allocate tailaddresses from.
# Each prefix consists of either an IPv4 or IPv6 address,
# and the associated prefix length, delimited by a slash.
#
# WARNING: These prefixes MUST be subsets of the standard Tailscale ranges:
# - IPv4: 100.64.0.0/10 (CGNAT range)
# - IPv6: fd7a:115c:a1e0::/48 (Tailscale ULA range)
#
# Using a SUBSET of these ranges is supported and useful if you want to
# limit IP allocation to a smaller block (e.g., 100.64.0.0/24).
#
# Using ranges OUTSIDE of CGNAT/ULA is NOT supported and will cause
# undefined behaviour. The Tailscale client has hard-coded assumptions
# about these ranges and will break in subtle, hard-to-debug ways.
#
# See:
# IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
# IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71
prefixes:
v4: 100.64.0.0/10
v6: fd7a:115c:a1e0::/48
# Strategy used for allocation of IPs to nodes, available options:
# - sequential (default): assigns the next free IP from the previous given
# IP. A best-effort approach is used and Headscale might leave holes in the
# IP range or fill up existing holes in the IP range.
# - random: assigns the next free IP from a pseudo-random IP generator (crypto/rand).
allocation: sequential
# DERP is a relay system that Tailscale uses when a direct
# connection cannot be established.
# https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp
#
# Headscale needs a list of DERP servers that can be presented to the clients.
derp:
server:
# If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
# The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
enabled: false
# Region ID to use for the embedded DERP server.
# The local DERP prevails if the region ID collides with other region ID coming from
# the regular DERP config.
region_id: 999
# Region code and name are displayed in the Tailscale UI to identify a DERP region
region_code: "headscale"
region_name: "Headscale Embedded DERP"
# Only allow clients associated with this server access
verify_clients: true
# Listens over UDP at the configured address for STUN connections - to help with NAT traversal.
# When the embedded DERP server is enabled stun_listen_addr MUST be defined.
#
# For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/
stun_listen_addr: "0.0.0.0:3478"
# Private key used to encrypt the traffic between headscale DERP and
# Tailscale clients. A missing key will be automatically generated.
private_key_path: /var/lib/headscale/derp_server_private.key
# This flag can be used, so the DERP map entry for the embedded DERP server is not written automatically,
# it enables the creation of your very own DERP map entry using a locally available file with the parameter DERP.paths
# If you enable the DERP server and set this to false, it is required to add the DERP server to the DERP map using DERP.paths
automatically_add_embedded_derp_region: true
# For better connection stability (especially when using an Exit-Node and DNS is not working),
# it is possible to optionally add the public IPv4 and IPv6 address to the Derp-Map using:
ipv4: 198.51.100.1
ipv6: 2001:db8::1
# List of externally available DERP maps encoded in JSON
urls:
- https://controlplane.tailscale.com/derpmap/default
# Locally available DERP map files encoded in YAML
#
# This option is mostly interesting for people hosting their own DERP servers:
# https://tailscale.com/docs/reference/derp-servers/custom-derp-servers
# https://headscale.net/stable/ref/derp/
#
# paths:
# - /etc/headscale/derp-example.yaml
paths: []
# If enabled, a worker will be set up to periodically
# refresh the given sources and update the derpmap
# will be set up.
auto_update_enabled: true
# How often should we check for DERP updates?
update_frequency: 3h
# Disables the automatic check for headscale updates on startup
disable_check_updates: false
# Node lifecycle configuration.
node:
# Default key expiry for non-tagged nodes, regardless of registration method
# (auth key, CLI, web auth). Tagged nodes are exempt and never expire.
#
# This is the base default. OIDC can override this via oidc.expiry.
# If a client explicitly requests a specific expiry, the client value is used.
#
# Setting the value to "0" means no default expiry (nodes never expire unless
# explicitly expired via `headscale nodes expire`).
#
# Tailscale SaaS uses 180d; set to a positive duration to match that behaviour.
#
# Default: 0 (no default expiry)
expiry: 0
ephemeral:
# Time before an inactive ephemeral node is deleted.
inactivity_timeout: 30m
# HA subnet router health probing.
#
# When HA routes exist (2+ nodes advertising the same prefix), headscale
# pings each HA node every probe_interval via the Noise channel. If a node
# fails to respond within probe_timeout it is marked unhealthy and the
# primary role moves to the next healthy node. A node that later responds
# is marked healthy again but does NOT reclaim primary (avoids flapping).
#
# Worst-case detection time is probe_interval + probe_timeout (15s default).
# No-op when no HA routes exist. Set probe_interval to 0 to disable.
routes:
ha:
# How often to ping HA subnet routers. Set to 0 to disable probing.
# Must be >= 2s when enabled.
probe_interval: 10s
# How long to wait for a ping response before marking a node unhealthy.
# Must be >= 1s and less than probe_interval.
probe_timeout: 5s
database:
# Database type. Available options: sqlite, postgres
# Please note that using Postgres is highly discouraged as it is only supported for legacy reasons.
# All new development, testing and optimisations are done with SQLite in mind.
type: sqlite
# Enable debug mode. This setting requires the log.level to be set to "debug" or "trace".
debug: false
# GORM configuration settings.
gorm:
# Enable prepared statements.
prepare_stmt: true
# Enable parameterized queries.
parameterized_queries: true
# Skip logging "record not found" errors.
skip_err_record_not_found: true
# Threshold for slow queries in milliseconds.
slow_threshold: 1000
# SQLite config
sqlite:
path: /var/lib/headscale/db.sqlite
# Enable WAL mode for SQLite. This is recommended for production environments.
# https://www.sqlite.org/wal.html
write_ahead_log: true
# Maximum number of WAL file frames before the WAL file is automatically checkpointed.
# https://www.sqlite.org/c3ref/wal_autocheckpoint.html
# Set to 0 to disable automatic checkpointing.
wal_autocheckpoint: 1000
# # Postgres config
# Please note that using Postgres is highly discouraged as it is only supported for legacy reasons.
# See database.type for more information.
# postgres:
# # If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank.
# host: localhost
# port: 5432
# name: headscale
# user: foo
# pass: bar
# max_open_conns: 10
# max_idle_conns: 10
# conn_max_idle_time_secs: 3600
# # If other 'sslmode' is required instead of 'require(true)' and 'disabled(false)', set the 'sslmode' you need
# # in the 'ssl' field. Refers to https://www.postgresql.org/docs/current/libpq-ssl.html Table 34.1.
# ssl: false
### TLS configuration
#
## Let's encrypt / ACME
#
# headscale supports automatically requesting and setting up
# TLS for a domain with Let's Encrypt.
#
# URL to ACME directory
acme_url: https://acme-v02.api.letsencrypt.org/directory
# Email to register with ACME provider
acme_email: ""
# Domain name to request a TLS certificate for:
tls_letsencrypt_hostname: ""
# Path to store certificates and metadata needed by
# letsencrypt
# For production:
tls_letsencrypt_cache_dir: /var/lib/headscale/cache
# Type of ACME challenge to use, currently supported types:
# HTTP-01 or TLS-ALPN-01
# See: https://headscale.net/stable/ref/tls/
tls_letsencrypt_challenge_type: HTTP-01
# When HTTP-01 challenge is chosen, letsencrypt must set up a
# verification endpoint, and it will be listening on:
# :http = port 80
tls_letsencrypt_listen: ":http"
## Use already defined certificates:
tls_cert_path: ""
tls_key_path: ""
log:
# Valid log levels: panic, fatal, error, warn, info, debug, trace
level: info
# Output formatting for logs: text or json
format: text
## Policy
# Headscale supports a wide range of Tailscale policy features such as ACLs and
# Grants. Please have a look at their docs to better understand the concepts:
# ACLs: https://tailscale.com/docs/features/access-control/acls
# Grants: https://tailscale.com/docs/features/access-control/grants
policy:
# The mode can be "file" or "database" that defines
# where the policies are stored and read from.
mode: file
# If the mode is set to "file", the path to a HuJSON file containing policies.
path: ""
## DNS
#
# headscale supports Tailscale's DNS configuration and MagicDNS.
# Please have a look to their docs to better understand the concepts:
#
# - https://tailscale.com/docs/features/magicdns
# - https://tailscale.com/blog/2021-09-private-dns-with-magicdns
#
# Please note that for the DNS configuration to have any effect,
# clients must have the `--accept-dns=true` option enabled. This is the
# default for the Tailscale client. This option is enabled by default
# in the Tailscale client.
#
# Setting _any_ of the configuration and `--accept-dns=true` on the
# clients will integrate with the DNS manager on the client or
# overwrite /etc/resolv.conf.
# https://tailscale.com/docs/reference/faq/dns-resolv-conf
#
# If you want stop Headscale from managing the DNS configuration
# all the fields under `dns` should be set to empty values.
dns:
# Whether to use MagicDNS
magic_dns: true
# Defines the base domain to create the hostnames for MagicDNS.
# This domain _must_ be different from the server_url domain.
# `base_domain` must be a FQDN, without the trailing dot.
# The FQDN of the hosts will be
# `hostname.base_domain` (e.g., _myhost.example.com_).
base_domain: {{ tail.magic_dns.domain }}
# Whether to use the local DNS settings of a node or override the local DNS
# settings (default) and force the use of Headscale's DNS configuration.
override_local_dns: true
# List of DNS servers to expose to clients.
nameservers:
global: {{ tail.magic_dns.nameservers }}
# NextDNS (see https://tailscale.com/docs/integrations/nextdns).
# "abc123" is example NextDNS ID, replace with yours.
# - https://dns.nextdns.io/abc123
# Split DNS (see https://tailscale.com/docs/reference/dns-in-tailscale#restricted-nameservers),
# a map of domains and which DNS server to use for each.
split: {}
# foo.bar.com:
# - 1.1.1.1
# darp.headscale.net:
# - 1.1.1.1
# - 8.8.8.8
# Set custom DNS search domains. With MagicDNS enabled,
# your tailnet base_domain is always the first search domain.
search_domains: []
# Extra DNS records
# so far only A and AAAA records are supported (on the tailscale side)
# See: https://headscale.net/stable/ref/dns/
extra_records: []
# - name: "grafana.myvpn.example.com"
# type: "A"
# value: "100.64.0.3"
#
# # you can also put it in one line
# - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.3" }
#
# Alternatively, extra DNS records can be loaded from a JSON file.
# Headscale processes this file on each change.
# extra_records_path: /var/lib/headscale/extra-records.json
# Unix socket used for the CLI to connect without authentication
# Note: for production you will want to set this to something like:
unix_socket: /var/run/headscale/headscale.sock
unix_socket_permission: "0770"
# OpenID Connect
# https://headscale.net/stable/ref/oidc/
# oidc:
# # Block startup until the identity provider is available and healthy.
# only_start_if_oidc_is_available: true
#
# # OpenID Connect Issuer URL from the identity provider
# issuer: "https://your-oidc.issuer.com/path"
#
# # Client ID from the identity provider
# client_id: "your-oidc-client-id"
#
# # Client secret generated by the identity provider
# # Note: client_secret and client_secret_path are mutually exclusive.
# client_secret: "your-oidc-client-secret"
# # Alternatively, set `client_secret_path` to read the secret from the file.
# # It resolves environment variables, making integration to systemd's
# # `LoadCredential` straightforward:
# client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
#
# # Use the expiry from the token received from OpenID when the user logged
# # in. This will typically lead to frequent need to reauthenticate and should
# # only be enabled if you know what you are doing.
# # Note: enabling this will cause `node.expiry` to be ignored for
# # OIDC-authenticated nodes.
# use_expiry_from_token: false
#
# # The OIDC scopes to use, defaults to "openid", "profile" and "email".
# # Custom scopes can be configured as needed, be sure to always include the
# # required "openid" scope.
# scope: ["openid", "profile", "email"]
#
# # Only verified email addresses are synchronized to the user profile by
# # default. Unverified emails may be allowed in case an identity provider
# # does not send the "email_verified: true" claim or email verification is
# # not required.
# email_verified_required: true
#
# # Provide custom key/value pairs which get sent to the identity provider's
# # authorization endpoint.
# extra_params:
# domain_hint: example.com
#
# # Only accept users whose email domain is part of the allowed_domains list.
# allowed_domains:
# - example.com
#
# # Only accept users whose email address is part of the allowed_users list.
# allowed_users:
# - alice@example.com
#
# # Only accept users which are members of at least one group in the
# # allowed_groups list.
# allowed_groups:
# - /headscale
#
# # Optional: PKCE (Proof Key for Code Exchange) configuration
# # PKCE adds an additional layer of security to the OAuth 2.0 authorization code flow
# # by preventing authorization code interception attacks
# # See https://datatracker.ietf.org/doc/html/rfc7636
# pkce:
# # Enable or disable PKCE support (default: false)
# enabled: false
#
# # PKCE method to use:
# # - plain: Use plain code verifier
# # - S256: Use SHA256 hashed code verifier (default, recommended)
# method: S256
# Logtail configuration
# Logtail is Tailscales logging and auditing infrastructure, it allows the
# control panel to instruct tailscale nodes to log their activity to a remote
# server. To disable logging on the client side, please refer to:
# https://tailscale.com/docs/features/logging#opt-out-of-client-logging
logtail:
# Enable logtail for tailscale nodes of this Headscale instance.
# As there is currently no support for overriding the log server in Headscale, this is
# disabled by default. Enabling this will make your clients send logs to Tailscale Inc.
enabled: false
# Taildrop configuration
# Taildrop is the file sharing feature of Tailscale, allowing nodes to
# send files to each other.
# https://tailscale.com/docs/features/taildrop
taildrop:
# Enable or disable Taildrop tailnet-wide. When disabled, headscale
# withholds `https://tailscale.com/cap/file-sharing` from every
# node's CapMap.
enabled: true
# Default node auto-update behaviour. When enabled, every node's
# CapMap carries `default-auto-update: [true]` so clients that have
# not made a local opt-in / opt-out choice run auto-updates by
# default. Setting it back to false flips the default for future
# clients; clients that already stored the value locally keep their
# choice.
auto_update:
enabled: false
# Advanced performance tuning parameters.
# The defaults are carefully chosen and should rarely need adjustment.
# Only modify these if you have identified a specific performance issue.
#
# tuning:
# # Maximum number of pending registration entries in the auth cache.
# # Oldest entries are evicted when the cap is reached.
# #
# # register_cache_max_entries: 1024
#
# # NodeStore write batching configuration.
# # The NodeStore batches write operations before rebuilding peer relationships,
# # which is computationally expensive. Batching reduces rebuild frequency.
# #
# # node_store_batch_size: 100
# # node_store_batch_timeout: 500ms
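Review bot: With `tail.grpc.expose` true and `tail.grpc.secure` false the template renders `grpc_listen_addr: 0.0.0.0:<port>` together with `grpc_allow_insecure: true`, i.e. an unencrypted admin gRPC interface bound to every interface — exactly the combination the comment above `grpc_allow_insecure` warns against; the role should refuse that pair before templating (an `ansible.builtin.assert` with `that: tail.grpc.secure or not tail.grpc.expose`) rather than render it. The templated scalars at `server_url`, `listen_addr`, `grpc_listen_addr` and `base_domain` are unquoted, and `nameservers.global` relies on the Python repr of a list happening to be valid YAML flow syntax; quoting the scalars and writing `global: {{ tail.magic_dns.nameservers | to_json }}` makes the render robust to empty or unusual values. `derp.server.ipv4`/`ipv6` still hold the documentation addresses `198.51.100.1` and `2001:db8::1`; harmless while `derp.server.enabled` is false, but they should be templated or removed before the embedded DERP server is switched on. `tls_cert_path`/`tls_key_path` and the ACME fields are empty while `trusted_proxies: []`; if TLS is terminated by a reverse proxy in front of headscale, its CIDR belongs in `trusted_proxies`, otherwise every logged client IP will be the proxy's.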


@@ -0,0 +1,137 @@
templates:
limited_series:
configure_series:
from:
filesystem:
path:
- ~/media/vids/series
# - ~/media/vids/features
recursive: false
retrieve: dirs
settings:
identified_by: ep
path: '~/media/vids/series/{{ series_name }}'
target: 1080p
timeframe: 2 weeks
parse_only: true
exists_series:
path: '~/media/vids/series/{{ series_name }}'
allow_different_qualities: better
feature_films:
csv:
url: 'file://%7e/media/vids/features/.films.csv'
values:
title: 1
url: 2
list_add:
- entry_list: films
porn_vids:
csv:
url: 'file://%7e/.xxx/.vids.csv'
values:
title: 1
url: 2
list_add:
- entry_list: pornos
tasks:
# @NOTE uncommenting aria2 block requires commenting out download and proxy blocks
populate_folders:
{% if download_mode == 'direct' %}
proxy:
https: 'socks5://<< sox.hostname >>:<< sox.port >>'
{% endif %}
if:
- "'batch' in title.lower()": reject
discover:
what:
- next_series_episodes:
from_start: true
backfill: false
from:
- nyaa:
category: anime eng
filter: trusted only
- search_rss:
url: 'https://nyaa.si/?f=2&c=1_2&q={{ search_term }}'
link:
- magneturi
- link
all_entries: false
- eztv: true
interval: 1 week
limit: 80
template: limited_series
{% if flexget.download_mode == 'aria2' %}
aria2:
server: << aria.hostname >>
port: << aria.port >>
{% if aria.secret != None or aria.secret is defined %}
secret: << aria.secret >>
{% endif %}
{% if aria.credentials != None or aria.credentials is defined %}
username: << aria.credentials.username >>
password: << aria.credentials.password >>
{% endif %}
scheme: << aria.scheme >>
rpc_mode: json
rpc_path: jsonrpc
path: '~/downloads/media/vids/{{ series_name }}'
{% else %}
download:
temp: ~/.tmp
path: '~/downloads/flexget/vids/series/torrents/{{ series_name }}'
{% endif %}
# @NOTE uncommenting aria2 block requires commenting out download and proxy blocks
fap_queue:
{% if download_mode == 'direct' %}
proxy:
https: 'socks5://<< sox.hostname >>:<< sox.port >>'
{% endif %}
template: porn_vids
{% if flexget.download_mode == 'aria2' %}
aria2:
server: << aria.hostname >>
port: << aria.port >>
{% if aria.secret != None or aria.secret is defined %}
secret: << aria.secret >>
{% endif %}
{% if aria.credentials != None or aria.credentials is defined %}
username: << aria.credentials.username >>
password: << aria.credentials.password >>
{% endif %}
scheme: << aria.scheme >>
rpc_mode: json
rpc_path: jsonrpc
path: ~/downloads/.xxx/media/vids
{% elif flexget.download_mode == 'direct' %}
download:
temp: ~/.tmp
path: ~/downloads/.xxx/flexget/vids/torrents
{% endif %}
# @NOTE uncommenting aria2 block requires commenting out download and proxy blocks
film_queue:
{% if download_mode == 'direct' %}
proxy:
https: 'socks5://<< sox.hostname >>:<< sox.port >>'
{% endif %}
template: feature_films
{% if flexget.download_mode == 'aria2' %}
aria2:
server: << aria.hostname >>
port: << aria.port >>
{% if aria.secret != None or aria.secret is defined %}
secret: << aria.secret >>
{% endif %}
{% if aria.credentials != None or aria.credentials is defined %}
username: << aria.credentials.username >>
password: << aria.credentials.password >>
{% endif %}
scheme: << aria.scheme >>
rpc_mode: json
rpc_path: jsonrpc
path: ~/downloads/media/vids
{% elif flexget.download_mode == 'direct' %}
download:
temp: ~/.tmp
path: ~/downloads/flexget/vids/torrents
{% endif %}
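Review bot: The proxy blocks test the bare `download_mode` (`{% if download_mode == 'direct' %}`) while the aria2/download blocks in the same tasks test `flexget.download_mode`; unless both variables are deliberately defined, one of the two conditions never matches (and comparing an undefined name may abort the render under Ansible's strict undefined), so they should agree, presumably on `flexget.download_mode`. The guards `{% if aria.secret != None or aria.secret is defined %}` and the matching `aria.credentials` checks in all three tasks are ordered backwards — the `!= None` comparison runs first and errors when the key is absent — and should read `{% if aria.secret is defined and aria.secret is not none %}`. The aria2 stanza, including the RPC `secret` and `password`, is repeated verbatim in `populate_folders`, `fap_queue` and `film_queue`; a Jinja macro or `{% include %}` would keep the three in sync, and since the rendered file carries those credentials the template task should write it with a restrictive mode (for example `mode: "0600"`), which is not visible in this hunk.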


@@ -0,0 +1,112 @@
" Disable compatibility with vi which can cause unexpected issues.
set nocompatible
" Enable type file detection. Vim will be able to try to detect the type of file in use.
filetype on
" Enable plugins and load plugin for the detected file type.
filetype plugin on
" Load an indent file for the detected file type.
filetype indent on
" Turn syntax highlighting on.
syntax on
" Add numbers to each line on the left-hand side.
set number
" Jump to line by relative number
set relativenumber
{% if (vimrc.cursor.blocky | default(True)) %}
" Highlight cursor line underneath the cursor horizontally.
set cursorline
" Highlight cursor line underneath the cursor vertically.
set cursorcolumn
{% endif %}
{% if (vim.tabs.spatialize | default(True)) %}
" Use space characters instead of tabs.
set expandtab
" Set tab width to 4 columns.
set tabstop={{ vimrc.tabs.gap | default(2) }}
{% endif %}
" While searching though a file incrementally highlight matching characters as you type.
set incsearch
" Show the mode you are on the last line.
set showmode
" Show matching words during a search.
set showmatch
" Use highlighting when doing a search.
set hlsearch
" Set the commands to save in history default number is 20.
set history={{ vimrc.history_span | default(20) }}
{% if (vimrc.typed_paths.autocomplete | default(True)) %}
" Enable auto completion menu after pressing TAB.
set wildmenu
" Make wildmenu behave like similar to Bash completion.
set wildmode=list:longest
{% if vimrc.typed_paths.ignore is defined or vimrc.typed_paths.ignore != None %}
" There are certain files that we would never want to edit with Vim.
" Wildmenu will ignore files with these extensions.
set wildignore={{ vimrc.typed_paths.ignore | join(',') }}
{% endif %}
{% endif %}
" PLUGINS ----------------------------------------------------------------
" Plugin code goes here.
call plug#begin('~/.vim/plugged')
Plug 'flazz/vim-colorschemes'
{% if (vimrc.autodelimit | default(True)) %}
Plug 'tpope/vim-surround'
{% endif %}
{% if (vimrc.git_spice | default(True)) %}
Plug 'airblade/vim-gitgutter'
Plug 'tpope/vim-fugitive'
{% endif %}
{% if (vimrc.status_line | default(True)) %}
Plug 'vim-airline/vim-airline'
{% endif %}
{% if (vimrc.fancy_commenting | default(True)) %}
Plug 'scrooloose/nerdcommenter'
{% endif %}
{% if (vimrc.ide | default(True)) %}
Plug 'dense-analysis/ale'
{% endif %}
call plug#end()
" MAPPINGS ---------------------------------------------------------------
" Mappings code goes here.
" VIMSCRIPT --------------------------------------------------------------
{% if (vimrc.origami | default(True)) %}
" This will enable code folding.
" Use the marker method of folding.
augroup filetype_vim
autocmd!
autocmd FileType vim setlocal foldmethod=marker
augroup END
{% endif %}
" More Vimscripts code goes here.
" STATUS LINE ------------------------------------------------------------
" Status bar code goes here.

134
skato-ansible.sh Executable file

@@ -0,0 +1,134 @@
#!/bin/bash
set -euo pipefail
# @TODO long-term, turn this simple bash script into more complex Python Click project
SKANSIBLE_SCRIPT_PATH=$(dirname "$0")
SKANSIBLE_STAGE=1
SKANSIBLE_DEBUG=1
SKANSIBLE_UNIT_TEST=1
DEFAULT_USER=senpai
DEFAULT_SKANSIBLE_PLAY_HOST=vps
SKANSIBLE_SSH_KEY_COLLECTION=(~/.ssh/ed25519\@staging ~/.ssh/ecdsa\@staging ~/.ssh/ed25519-37851076-sk\@staging ~/.ssh/ecdsa-37851076-sk\@staging)
if [[ "$1" == "version" ]]; then
echo "0.0.0"
fi
if [[ "$1" == "show-defaults" ]]; then
source "${SKANSIBLE_SCRIPT_PATH}/.env/bin/activate"
printf "User: %s\n" "$DEFAULT_USER"
printf "Expected hosts for playbook: %s\n" "$DEFAULT_SKANSIBLE_PLAY_HOST"
printf "Private SSH keys available throufh SSH agent: |\n%s\n" "$(ssh-add -l)"
fi
if [[ "$1" == "start-agent" ]]; then
source "${SKANSIBLE_SCRIPT_PATH}/.env/bin/activate"
eval "$(ssh-agent -s)"
fi
if [[ "$1" == "populate-agent" ]]; then
shift 1
source "${SKANSIBLE_SCRIPT_PATH}/.env/bin/activate"
if [[ "$1" == "all" ]]; then
for SKANSIBLE_SSH_KEY in ~/.ssh/*; do
case $SKANSIBLE_SSH_KEY in
*.pub);;
*.old);;
*.bak);;
*/config);;
*/authorized_keys);;
*_hosts);;
*/agent);;
*) ssh-add "${SKANSIBLE_SSH_KEY}";;
esac
done
elif [[ "$1" == "select" ]]; then
for key in "${SKANSIBLE_SSH_KEY_COLLECTION[@]}"; do
ssh-add "$key"
done
elif [[ -z "$1" ]]; then
# @TODO improve by adding fuzzy querying or file finding pror
ssh-add "$1"
fi
fi
if [[ "$1" == "list-agent" ]]; then
source "${SKANSIBLE_SCRIPT_PATH}/.env/bin/activate"
ssh-add -l
fi
if [[ "$1" == "init" ]]; then
shift 1
source "${SKANSIBLE_SCRIPT_PATH}/.env/bin/activate"
while getopts "hsdtu:p:n:" opt; do
case $opt in
h) Help "$1";;
s) SKANSIBLE_STAGE=0;;
d) SKANSIBLE_DEBUG=0;;
t) SKANSIBLE_UNIT_TEST=0;;
u) SKANSIBLE_CONN_USER="$OPTARG";;
n) SKANSIBLE_CONN_HOSTS="$OPTARG";;
p) SKANSIBLE_PLAY_HOSTS="$OPTARG";;
*) echo "Err: Invalid option set"; exit 1;;
esac
done
if [[ "$SKANSIBLE_STAGE" == 0 ]]; then
SKANSIBLE_CONN_HOSTS=${SKANSIBLE_CONN_HOSTS:-${DEFAULT_SKANSIBLE_PLAY_HOST}}_test
fi
if [[ "$SKANSIBLE_DEBUG" == 0 ]]; then
if [[ "$SKANSIBLE_UNIT_TEST" == 0 ]]; then
sudo ansible-playbook -vvvv --ask-pass --ask-become-pass -i hosts.yml --extra-vars "chosen_host=${SKANSIBLE_CONN_HOSTS}" --extra-vars "chosen_user=${SKANSIBLE_CONN_USER:-root}" "init@${SKANSIBLE_PLAY_HOSTS:-${DEFAULT_SKANSIBLE_PLAY_HOST}}.yml" --check
else
sudo ansible-playbook -vvvv --ask-pass --ask-become-pass -i hosts.yml --extra-vars "chosen_host=${SKANSIBLE_CONN_HOSTS}" --extra-vars "chosen_user=${SKANSIBLE_CONN_USER:-root}" "init@${SKANSIBLE_PLAY_HOSTS:-${DEFAULT_SKANSIBLE_PLAY_HOST}}.yml"
fi
else
if [[ "$SKANSIBLE_UNIT_TEST" == 0 ]]; then
sudo ansible-playbook --ask-pass --ask-become-pass -i hosts.yml --extra-vars "chosen_host=${SKANSIBLE_CONN_HOSTS}" --extra-vars "chosen_user=${SKANSIBLE_CONN_USER:-root}" "init@${SKANSIBLE_PLAY_HOSTS:-${DEFAULT_SKANSIBLE_PLAY_HOST}}.yml" --check
else
sudo ansible-playbook --ask-pass --ask-become-pass -i hosts.yml --extra-vars "chosen_host=${SKANSIBLE_CONN_HOSTS}" --extra-vars "chosen_user=${SKANSIBLE_CONN_USER:-root}" "init@${SKANSIBLE_PLAY_HOSTS:-${DEFAULT_SKANSIBLE_PLAY_HOST}}.yml"
fi
fi
fi
if [[ "$1" == "bootstrap" ]]; then
shift 1
source "${SKANSIBLE_SCRIPT_PATH}/.env/bin/activate"
while getopts "hsdtu:p:n:" opt; do
case $opt in
h) Help "$1";;
s) SKANSIBLE_STAGE=0;;
d) SKANSIBLE_DEBUG=0;;
t) SKANSIBLE_UNIT_TEST=0;;
u) SKANSIBLE_CONN_USER="$OPTARG";;
n) SKANSIBLE_CONN_HOSTS="$OPTARG";;
p) SKANSIBLE_PLAY_HOSTS="$OPTARG";;
*) echo "Err: Invalid option set"; exit 1;;
esac
done
if [[ "$SKANSIBLE_STAGE" == 0 ]]; then
SKANSIBLE_CONN_HOSTS=${SKANSIBLE_CONN_HOSTS:-${DEFAULT_SKANSIBLE_PLAY_HOST}}_test
fi
if [[ "$SKANSIBLE_DEBUG" == 0 ]]; then
if [[ "$SKANSIBLE_UNIT_TEST" == 0 ]]; then
ansible-playbook -vvvv --ask-become-pass -i hosts.yml --extra-vars "chosen_host=${SKANSIBLE_CONN_HOSTS}" --extra-vars "chosen_user=${SKANSIBLE_CONN_USER:-${DEFAULT_USER}}" "administrate@${SKANSIBLE_PLAY_HOSTS:-${DEFAULT_SKANSIBLE_PLAY_HOST}}.yml" --check
else
ansible-playbook -vvvv --ask-become-pass -i hosts.yml --extra-vars "chosen_host=${SKANSIBLE_CONN_HOSTS}" --extra-vars "chosen_user=${SKANSIBLE_CONN_USER:-${DEFAULT_USER}}" "administrate@${SKANSIBLE_PLAY_HOSTS:-${DEFAULT_SKANSIBLE_PLAY_HOST}}.yml"
fi
else
if [[ "$SKANSIBLE_UNIT_TEST" == 0 ]]; then
ansible-playbook --ask-become-pass -i hosts.yml --extra-vars "chosen_host=${SKANSIBLE_CONN_HOSTS}" --extra-vars "chosen_user=${SKANSIBLE_CONN_USER:-${DEFAULT_USER}}" "administrate@${SKANSIBLE_PLAY_HOSTS:-${DEFAULT_SKANSIBLE_PLAY_HOST}}.yml" --check
else
ansible-playbook --ask-become-pass -i hosts.yml --extra-vars "chosen_host=${SKANSIBLE_CONN_HOSTS}" --extra-vars "chosen_user=${SKANSIBLE_CONN_USER:-${DEFAULT_USER}}" "administrate@${SKANSIBLE_PLAY_HOSTS:-${DEFAULT_SKANSIBLE_PLAY_HOST}}.yml"
fi
fi
fi
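Review bot: The `populate-agent` branch at `elif [[ -z "$1" ]]; then` is inverted — it calls `ssh-add "$1"` only when the argument is empty, so an explicitly named key file is never added, and when no argument follows `populate-agent` the earlier `[[ "$1" == "all" ]]` already aborts on an unbound `$1` under `set -u`; `elif [[ -n "${1:-}" ]]; then` fixes both. The same unbound-`$1` failure applies to every top-level `[[ "$1" == ... ]]` check when the script is run with no arguments, so a guard such as `if [[ $# -eq 0 ]]; then echo "usage: $0 <command> [options]" >&2; exit 1; fi` before the first comparison is needed. `Help` is invoked for `-h` in both the `init` and `bootstrap` option loops but is not defined anywhere in this file, so `-h` presumably ends with "command not found" and, under `set -e`, a non-zero exit. The `init` invocations run `sudo ansible-playbook`, which gains nothing on the control side since target privilege comes from `--ask-become-pass`, and it likely hides the agent populated by `populate-agent` from the playbook because `sudo` drops `SSH_AUTH_SOCK` unless `env_keep` preserves it; dropping `sudo` from those four lines is the simpler fix.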


@@ -0,0 +1,6 @@
aria:
scheme: http
hostname: localhost
port: "6800"
secret: ~
credentals: ~
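Review bot: The key `credentals` is misspelled; if the consuming template or task looks up `aria.credentials`, the lookup will come back undefined rather than the intended null, which is hard to notice at render time — rename it to `credentials: null`. `secret: ~` would read more clearly as `secret: null`, and since both values stand in for the RPC secret and credentials, a comment such as `# filled from a vault or environment, never committed` above them would tell the next person where the real values are meant to come from. The file header for this section is not visible here, so the path is assumed to be the aria vars file.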

2
vars/crowdsec.yml Normal file

@@ -0,0 +1,2 @@
crowdsec:
port: 8181

2
vars/flexget_dls.yml Normal file

@@ -0,0 +1,2 @@
flexget:
download_mode: direct

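--- a/vars/git_aliases.yml
+++ b/vars/git_aliases.yml
@@ -0,0 +1,57 @@
+git_aliases:
+- [ckot, checkout]
+- [chbr, checkout]
+- [ch_br, checkout]
+- [tch_br, "'checkout -b'"]
+- [tchbr, "'checkout -b'"]
+- [tchbr, "'checkout -b'"]
+- [add_br, "'checkout -b'"]
+- [addbr, "'checkout -b'"]
+- [rm_br, "'branch -D'"]
+- [rmbr, "'branch -D'"]
+- [del_br, "'branch -D'"]
+- [delbr, "'branch -D'"]
+- [tch_rmt, "'remote add'"]
+- [tchrmt, "'remote add'"]
+- [add_rmt, "'remote add'"]
+- [addrmt, "'remote add'"]
+- [rm_rmt, "'remote remove'"]
+- [rmrmt, "'remote remove'"]
+- [del_rmt, "'remote remove'"]
+- [delrmt, "'remote remove'"]
+- [cfg, config]
+- [psh, push]
+- [snd, push]
+- [send, push]
+- [post, push]
+- [pl, pull]
+- [receive, pull]
+- [get, pull]
+- [fch, fetch]
+- [hist, log]
+- [scenes, log]
+- [br, branch]
+- [lsbr, "'branch -v'"]
+- [ls_br, "'branch -v'"]
+- [rmt, remote]
+- [ls_rmt, "'remote -v'"]
+- [lsrmt, "'remote -v'"]
+- [cmmt, commit]
+- [register, commit]
+- [st, status]
+- [stat, status]
+- [state, status]
+- [current, status]
+- [restart, "reset --hard"]
+- [undo, "'reset HEAD~1 --mixed'"]
+- [unstage, "'reset HEAD --'"]
+- [stage, add]
+- [touch, add]
+- [tch, add]
+- [del, rm]
+- [prev, "'log -1 HEAD'"]
+- [last, "'log -1 HEAD'"]
+- [finito, "'!git push origin HEAD'"]
+- [chkpnt, "'!git add -A && git commit -m'"]
+- [sgn, "'commit --amend --no-edit -S'"]
+- [rvrt, revert]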
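Review bot: `tchbr` is defined twice on consecutive entries (`- [tchbr, "'checkout -b'"]`), and `restart` is the only multi-word alias written as `"reset --hard"` instead of the `"'…'"` form every other multi-word value uses, so whichever quoting the consuming task relies on, one of these entries will presumably not be registered the way the author expects; drop the duplicate and write `- [restart, "'reset --hard'"]`. Because `restart` expands to `git reset --hard`, which discards uncommitted working-tree changes without confirmation, a comment such as `# destructive: discards uncommitted changes` next to it would warn whoever adopts these aliases. A short header comment stating the expected pair shape (alias name, then the git subcommand string exactly as `git config alias.<name>` should receive it) would also make the quoting rule explicit.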


@@ -0,0 +1,3 @@
local_facts:
user_id: ""
user_dir: ""

3
vars/sox_prox.yml Normal file

@@ -0,0 +1,3 @@
sox:
hostname: localhost
port: "9050"

18
vars/tail_net.yml.example Normal file

@@ -0,0 +1,18 @@
tail:
users:
- username: ""
dname: ""
email: ""
pfp: ~
scheme: https
domain: localhost
port: ":8080"
grpc:
expose: false
secure: true
port: ":50443"
magic_dns:
domain: ""
nameservers:
- 9.9.9.9

26
vars/vim_settings.yml Normal file

@@ -0,0 +1,26 @@
vimrc:
git_spice: true
status_line: true
autodelimit: true
origami: true
history_span: 500
typed_paths:
autocomplete: true
ignore:
- "*.docx"
- "*.jpg"
- "*.png"
- "*.gif"
- "*.pdf"
- "*.pyc"
- "*.exe"
- "*.flv"
- "*.img"
- "*.xlsx"
fancy_commenting: true
tabs:
spatialize: true
gap: 2
cursor:
blocky: true
ide: true


@@ -0,0 +1,17 @@
vpn_server:
driver:
name: dsnet
version: "v0.8.1"
interface: dsnet
forwards:
- [tcp,"80"] # HTTP
- [tcp,"443"] # HTTPS
- [tcp,"465"] # SMTP
- [tcp,"587"] # SMTP
- [tcp,"995"] # POP3
- [tcp,"110"] # POP3
- [tcp,"143"] # IMAP
- [tcp,"993"] # IMAP
clients:
- name: ""
desc: "my homelab server"
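Review bot: The comments on the `forwards` entries are imprecise — 465 is SMTPS, 587 is SMTP submission, 995 is POP3S and 993 is IMAPS — and the list forwards the plaintext ports 80, 110 and 143 alongside their TLS counterparts; labelling them `# SMTPS`, `# submission`, `# POP3S`, `# IMAPS` and `# HTTP (plaintext)` / `# POP3 (plaintext)` / `# IMAP (plaintext)` makes it visible which forwards carry credentials unencrypted, so the reader can decide whether each is actually needed. The flow pairs also lack a space after the comma (`[tcp, "80"]`). `driver.version` pins `v0.8.1` but nothing here records a checksum for the binary the role presumably fetches; a key such as `checksum: "sha256:<fill in from the upstream release>"`, consumed by the download task, would let the install verify what it retrieves. The section's file header is not visible here, and the hunk appears to end at `desc`; if the file continues, this note covers only the visible lines.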