admin/skato-ansible
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 3 Releases Wiki Activity

Compare commits

base: admin:main
Branches Tags
admin:main admin:streamlined_staging
...
compare: admin:e8b29bb8e806acee9a1e9d18d1bb00d14cff6726
Branches Tags
admin:streamlined_staging admin:main

22 Commits
main ... e8b29bb8e8

Author SHA1 Message Date
Alex Tavarez
e8b29bb8e8 added systemd unit for setting iptables rules using added script, added DSNet systemd unit 2026-06-19 19:22:21 -04:00
Alex Tavarez
aa8d61aa09 added attribute to reboot task to ignore errors; included variables file for configuring VPN, i.e. DSNet, service configuration 2026-06-19 19:21:09 -04:00
Alex Tavarez
2d6dcd3dab added attribute to reboot task to ignore errors; included variables file needed for VPN, i.e. DSNet, service configuration 2026-06-19 19:18:54 -04:00
Alex Tavarez
2c66c3bd43 removed tasks that were instead migrated to a role task included by a role handler 2026-06-19 19:17:24 -04:00
Alex Tavarez
20d1cd21a3 removed an empty line 2026-06-19 19:16:29 -04:00
Alex Tavarez
83fa171341 added task for grabbng software binary as software installation 2026-06-19 19:15:38 -04:00
Alex Tavarez
240efbb713 changed hardlink or actual destnation paths for software binaries, and used relative path for fetched secrets 2026-06-19 19:10:39 -04:00
Alex Tavarez
bcf9eaebc9 removed unnecessary copy task for a source file in managed node 2026-06-19 19:06:55 -04:00
Alex Tavarez
125ec09c8f migrated DSNet tasks to own task file in role, as opposed to having it in relevant playbook 2026-06-19 19:04:54 -04:00
Alex Tavarez
b784b781d3 added a DSNet handler including tasks for post-installation 2026-06-19 19:03:52 -04:00
Alex Tavarez
909682d74e moved burp and rsync installations, and added a new package group for direct software binaries, with dsnet listed in it 2026-06-19 19:02:29 -04:00
Alex Tavarez
bd3029b914 made sure that handlers run prior to hostname change as well as a reboot in which the server is rendered inaccessible 2026-06-18 19:20:56 -04:00
Alex Tavarez
57a3e876b8 added task informing user of needed actions to take advantage of now-avaialble vim plugins 2026-06-18 19:19:23 -04:00
Alex Tavarez
1ce6879abf fixed typo in a line substitution, added SystemD restart tasks for service to abide by configuration changes 2026-06-18 19:18:26 -04:00
Alex Tavarez
9ea7fb37b0 fixed missing loop variable for headscale user registration task 2026-06-18 19:17:16 -04:00
Alex Tavarez
7584027890 moved VIM and Crowdsec setup handler listener, former due to now being userspace package group installation, latter due to needing to precede headscale handler tasks 2026-06-18 19:16:26 -04:00
Alex Tavarez
a78613920c moved vim to userspace package group, referenced crowdsec handler, added password hashing/encryption 2026-06-18 19:14:14 -04:00
Alex Tavarez
0dd0633166 hard-coded dedicated SSH keys for staging to automatically populate ssh-agent, added a subcommand for listing SSH keys in use by SSH agent 2026-06-17 14:42:16 -04:00
Alex Tavarez
9945330b82 added task block to prompt user for a fallback password if given root password is null 2026-06-17 14:40:35 -04:00
Alex Tavarez
f4399a2c8a added task block to prompt user for a fallback password if given user password is null 2026-06-17 14:40:17 -04:00
Alex Tavarez
596b828e6f changed SSH key queries to dedicated SSH keys, and automated password creation, for staging; removed token to be prompted instead 2026-06-17 14:39:10 -04:00
Alex Tavarez
13ef8fa459 made ungrouped hosts be two machines for staging or more 2026-06-17 14:36:26 -04:00
29 changed files with 422 additions and 303 deletions
Expand all files Collapse all files

1
administrate@homeserver.yml
View File

@@ -146,4 +146,3 @@
hour: "4-15"
weekday: "1-5"
job: "{{ ansible_user_home.stdout }}/.local/bin/flexget --cron execute"

130
administrate@vps.yml
View File

@@ -3,7 +3,7 @@
remote_user: "{{ chosen_user | default('senpai') }}"
vars_files:
- vars/git_aliases.yml # REQUIRED
- vars/vpn_server.yml # REQUIRED
- vars/vim_settings.yml # REQUIRED
- vars/config@{{ inventory_hostname | default('vps') }}.yml
tasks:
- name: Installing requisite packages
@@ -11,16 +11,6 @@
name: init-server
tasks_from: userspace@install-pkgs
handlers_from: userspace
- name: Acquiring home of current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo ~{{ ansible_user }}"
register: ansible_user_home
- name: Acquiring current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo {{ ansible_user }}"
register: current_user
- name: Disabling root user shell login
become: true
ansible.builtin.user:
@@ -53,121 +43,3 @@
scope: global
value: "{{ item[1] }}"
loop: "{{ git_aliases }}"
- name: Creating Wireguard VPS VPN service
block:
- name: Ensuring IP forwarding is allowed
become: true
ansible.posix.sysctl:
name: "net.{{ item }}.conf.all.forwarding"
value: "1"
sysctl_set: true
state: present
loop:
- ipv4
- ipv6
- name: Creating a directory to house VPN service client configurations
ansible.builtin.file:
path: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d"
recurse: true
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: "755"
state: directory
- name: Get the current hostname of the machine
ansible.builtin.shell:
cmd: "echo $(hostname)"
register: current_hostname
- name: Starting DSNet-based Wireguard VPN service configuration
when: vpn_server.driver.name == "dsnet"
block:
- name: Getting DSNet binary application
become: true
ansible.builtin.get_url:
url: "https://github.com/naggie/dsnet/releases/download/{{ vpn_server.driver.version }}/dsnet-linux-amd64"
dest: /usr/bin/dsnet
owner: root
group: root
mode: "744"
force: true
backup: true
- name: Initializing DSNet
become: true
ansible.builtin.command:
cmd: dsnet init
- name: Running DSNet VPN service interface
become: true
ansible.builtin.command:
cmd: dsnet up
- name: Adding peer device for DSNet VPN service interface
become: true
ansible.builtin.shell:
cmd: "dsnet add {{ item.name }}{{ idx }} --owner {{ current_user.stdout }} --description 'For {{ current_hostname.stdout }}--{{ item.desc }}' --confirm > {{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ (idx | string) }}.conf"
creates: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ idx }}.conf"
loop: "{{ vpn_server.clients }}"
loop_control:
index_var: idx
- name: Changing ownership of consequent DSNet VPN service client configurations
become: true
ansible.builtin.file:
path: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ (idx | string) }}.conf"
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
state: file
loop: "{{ vpn_server.clients }}"
loop_control:
index_var: idx
- name: Pausing to inquire about how to proceed
ansible.builtin.pause:
prompt: "Type \"fetch\" to get the DSNet VPN service client configuration files, or \"show\" to see their contents for manual copying instead"
echo: true
register: data_method
- name: Presenting DSNet VPN service client configuration files to control node for copying
when: data_method.user_input == "show"
block:
- name: Acquiring contents of DSNet VPN service client configuration files
ansible.builtin.slurp:
src: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ (idx | string) }}.conf"
loop: "{{ vpn_server.clients }}"
loop_control:
index_var: idx
register: vpn_client_configs
- name: Presenting contents of DSNet VPN service client configurations to control node
ansible.builtin.debug:
msg: "Copy this client configuration of the DSNet VPN service:\n {{ item.content }}"
loop: "{{ vpn_client_configs.results }}"
- name: Giving opportunity to manually copy contents of DSNet VPN service client configuration files
ansible.builtin.pause:
- name: Providing DSNet VPN service client configuration files to control node machine
when: data_method.user_input == "fetch"
block:
- name: Dupliciating DSNet VPN service client configuration files to control node
ansible.builtin.fetch:
src: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ (idx | string) }}.conf"
dest: "/var/tmp/{{ inventory_hostname }}/wg/"
flat: true
loop: "{{ vpn_server.clients }}"
loop_control:
index_var: idx
- name: Informing control node of acquired files
ansible.builtin.debug:
msg: "The DSNet VPS service client configuration files have been duplicated to '/var/tmp/{{ inventory_hostname }}/wg/' at the control node."
- name: Giving control node user time to read the aforementiioned message
ansible.builtin.pause:
seconds: 30
# @TODO create tasks for registering and presenting contents of just created files
- name: Forwarding network traffic on certain ports to Wireguard VPS service interface
become: true
ansible.builtin.iptables:
chain: FORWARD
protocol: "{{ item[0][0] }}"
source_port: "{{ item[0][1] }}"
in_interface: "{{ item[1] }}"
jump: ACCEPT
loop: "{{ vpn_server.forwards | product([vpn_server.interface]) }}"
- name: Forwarding network traffic on certain ports to Wireguard VPS service interface
become: true
ansible.builtin.iptables:
table: nat
chain: POSTROUTING
out_interface: "{{ vpn_server.interface }}"
jump: MASQUERADE

87
group_vars/armitage_test.yml
View File

@@ -1,12 +1,6 @@
# @TODO create inventory group variables akin to structure of sukaato group's for homeserver
# <str<vault>> representing password for Linux root user account of VPS
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
32333335343939653231313938666134306338356633393035363039373465386165313666383262
6465313738316635633332623765336563626165336330370a616634393266366430363663333066
63373165346236386632393866316164623133373761303262643734356433646661636533666266
3834643765613937300a326365643961626236386261303933643965333565623836313231346537
3030
password: "{{ lookup('password', '../.tmp/armitage_test.pass', seed='armitage_test', encrypt='sha512_crypt') }}"
# <str> representing hostname for LAN server; same as host or group variable name
instance: armitage
# <str<enum>> representing Linux distro or OS image to be used for VPS
@@ -14,28 +8,19 @@ instance: armitage
operating_system: ~
# <list[<str>]> of control node or local SSH key basenames
ssh_keys:
- ed25519@sukaato.hikiki
- ecdsa@sukaato.hikiki
- ed25519@staging
- ecdsa@staging
# <list<dict>> list of administrative users (in Linux, users that can use "sudo")
admins:
- username: senpai # <str> arbitrary valid user name
services: ~ # <list[<str>]> if linux system user, assocated servce
# <list[<str>]> list of control node or local SSH key basenames for this user
ssh_keys:
- ecdsa-37851076-sk@sukaato.hikiki
- ecdsa-37851072-sk@sukaato.hikiki
# @TODO add secondary and teriary Yubikeys
- ecdsa-37851076-sk@staging
- ed25519-37851076-sk@staging
# <str<vault?>> hashed (and maybe salted) password
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
34636132613365646330653431653236303563623464316638643439373761366564663264613738
3033343264373264333362616434333465323439653134340a643066663832353965313434386639
38366263646638353632656431366638393939623537326233306132306436363338373161643433
3439653833333164390a303430616561356464393030353433303738383730643330323031373432
62386231653339616436383837383966643539353036353034363132633539643332386131613537
31356230383561663735363530393562363237343166323635666665386165633130653864646238
39323735386161646531323335393639353630376136663063393930326434346435343937623336
33336132663238326662323536326638333139313535373166636363336366663962373936383536
62303536363939316563646630633064306364366331623665646533633065336236
password: "{{ lookup('password', '../.tmp/senpai@armitage_test.pass', seed='senpai:armitage_test', encrypt='sha512_crypt') }}"
# <dict[<str>:<dict>]> package groups
pkgs:
# <dict[<str>:<dict>]> representing package groups installed by package manager via repositories
@@ -98,14 +83,6 @@ pkgs:
suites: ~
comps: ~
handler: ~
- name: vim
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: vim
- name: vim-vimwiki
uri: ~
sigkey: ~
@@ -122,14 +99,6 @@ pkgs:
suites: ~
comps: ~
handler: ~
# - name: flatpak
# uri: ~
# sources: ~
# sigkey: ~
# types: ~
# suites: ~
# comps: ~
# handler: ~
- name: snapd
uri: ~
sources: ~
@@ -185,7 +154,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
handler: crowdsec
- name: glow
uri: ~
sigkey: "https://repo.charm.sh/apt/gpg.key"
@@ -370,22 +339,6 @@ pkgs:
suites: ~
comps: ~
handler: ~
- name: burp
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: rsync
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: gnupg
uri: ~
sigkey: ~
@@ -403,6 +356,14 @@ pkgs:
comps: ~
handler: ~
userspace:
- name: vim
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: vim
- name: neovim
uri: ~
sources: ~
@@ -603,6 +564,22 @@ pkgs:
suites: ~
comps: ~
handler: ~
- name: burp
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: rsync
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: rclone
uri: ~
sigkey: ~

97
group_vars/sukaato_test.yml
View File

@@ -1,22 +1,7 @@
# <str<vault>> representing password for Linux root user account of VPS
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
66353462633933306537323461663665643234306166366663653163306436333037313032306338
3762653037396437633835356630656438623163656536310a306163663234383265386133396634
34363163343766623739646334643031373239373630663731376239333764346531396363636131
6163343335356337660a366337336632333236326532373032353332333636366638616265356562
66616534303035386134623535373935373065326539363065623230633034313433
password: "{{ lookup('password', './.tmp/sukaato_test.pass', seed='sukaato_test', encrypt='sha512_crypt') }}"
# <str<vault>> representing API token for VPS cloud service
token: !vault |
$ANSIBLE_VAULT;1.1;AES256
33333839333337323062326231626534616166646666343261343966636464346630363033653130
3035653864396363376633346362353239643939663462370a323935353061313563336435366331
30393463653661326539326234646438663133616634663439303932656137633839656533376433
3666643635613039390a323138393033623131326438616331386539666333613630316263613636
66663263373665343662393638623064356234646165343835623966643761333562323132396466
63363436333463653130323531343139316466316131313031343232343039396261616231376232
66383938333661363532303166306563396634663132396166646132663131373738396131626633
34393265343061356531
token: ~
# <str> representing name and hostname of VPS to be made in VPS cloud service
instance: sukaato
# <str<enum>> representing region options from or for given VPS cloud service
@@ -25,28 +10,19 @@ origin: us-east
operating_system: linode/debian13
# <list[<str>]> list of control node or local SSH key basenames for root user
ssh_keys:
- ed25519@sukaato.hikiki
- ecdsa@sukaato.hikiki
- ed25519@staging
- ecdsa@staging
# <list<dict>> list of administrative users (in Linux, users that can use "sudo")
admins:
- username: senpai # <str> arbitrary valid user name
services: ~ # <list[<str>]> if linux system user, assocated servce
# <list[<str>]> list of control node or local SSH key basenames for this user
ssh_keys:
- ecdsa-37851076-sk@sukaato.hikiki
- ecdsa-37851072-sk@sukaato.hikiki
# @TODO add secondary and teriary Yubikeys
- ecdsa-37851076-sk@staging
- ed25519-37851076-sk@staging
# <str<vault?>> hashed (and maybe salted) password
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
31663265653031323833373663653132653532646638316465393364613961643130653330393062
6165386239303965386261363565353137636164356130370a336465353931373564393339363561
37353162333331663833656631663165356134633961323337663439663733316231666334336539
6537373334326634610a623037613462663733343230306538386561363838316638623365636533
32313931666439363435663161663665346266653763343265376366383837376436643163376430
39393861613037333766386138376335653334363737626664383236303234653461313230383564
33393834636165386562383435666233313664656233326364616237636230303264363732376639
64396564366335366430303031323865333635306536346463386334303235386438663061343934
37376466373566396130366330383834323332626166316661336339346462343466
password: "{{ lookup('password', './.tmp/senpai@sukaato_test.pass', seed='senpai:sukaato_test', encrypt='sha512_crypt') }}"
# <dict[<str>:<dict>]> package groups
pkgs:
# <dict[<str>:<dict>]> representing package groups installed by package manager via repositories
@@ -181,14 +157,6 @@ pkgs:
suites: ~
comps: ~
handler: ~
- name: vim
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: vim
- name: git
uri: ~
sources: ~
@@ -212,7 +180,7 @@ pkgs:
types: ~
suites: ~
comps: ~
handler: ~
handler: crowdsec
- name: glow
uri: ~
sigkey: "https://repo.charm.sh/apt/gpg.key"
@@ -278,22 +246,6 @@ pkgs:
suites: ~
comps: ~
handler: ~
- name: burp
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: rsync
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: gnupg
uri: ~
sigkey: ~
@@ -359,6 +311,14 @@ pkgs:
comps: ~
handler: headscale
userspace:
- name: vim
uri: ~
sources: ~
sigkey: ~
types: ~
suites: ~
comps: ~
handler: vim
- name: neovim
uri: ~
sigkey: ~
@@ -511,6 +471,22 @@ pkgs:
suites: ~
comps: ~
handler: ~
- name: burp
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
- name: rsync
uri: ~
sigkey: ~
sources: ~
types: ~
suites: ~
comps: ~
handler: ~
# <dict[<str>:<dict>]> representing package groups installed by shell scripts
script:
# <list[<dict>]> representing user-level or supplemental shell script installations
@@ -566,4 +542,9 @@ pkgs:
# deploy: ~
# pre: ~
# post: ~
# handler: ~
# handler: ~
binaries:
core:
- name: dsnet
src: "https://github.com/naggie/dsnet/releases/download/v0.8.1/dsnet-linux-amd64"
handler: dsnet

10
hosts.yml.example
View File

@@ -1,18 +1,20 @@
# @TODO use hosts and host groupings that refer or point to VM or containerized servers for testing
ungrouped:
hosts:
staging:
ansible_host: ~ # IP address of test host
staging0:
ansible_host: ~
staging1:
ansible_host: ~
sukaato:
hosts: ~
sukaato_test:
hosts:
staging:
staging0:
armitage:
hosts: ~
armitage_test:
hosts:
staging:
staging1:
vps:
children:
sukaato:

4
init@homeserver.yml
View File

@@ -7,6 +7,7 @@
vars_files:
- vars/local_facts.yml # REQUIRED
- vars/vim_settings.yml # REQUIRED
- vars/vpn_server.yml # REQUIRED
- vars/tail_net.yml
- vars/crowdsec.yml
- vars/users@{{ inventory_hostname | default('homeserver') }}.yml
@@ -41,4 +42,5 @@
- name: Rebooting machine for hostname change
become: true
ansible.builtin.reboot:
msg: "Rebooting machine"
msg: "Rebooting machine"
ignore_errors: true

14
init@vps.yml
View File

@@ -7,7 +7,7 @@
harden: true
vars_files:
- vars/local_facts.yml # REQUIRED
- vars/vim_settings.yml # REQUIRED
- vars/vpn_server.yml # REQUIRED
- vars/tail_net.yml
- vars/crowdsec.yml
- vars/users@{{ inventory_hostname | default('vps') }}.yml
@@ -31,6 +31,8 @@
ansible.builtin.include_role:
name: init-server
tasks_from: ssh-users
- name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: Update hostname
become: true
ansible.builtin.hostname:
@@ -39,7 +41,15 @@
become: true
ansible.builtin.command:
cmd: "hostnamectl set-icon-name computer-server"
- name: Notifying user that all processes have finished
ansible.builtin.debug:
msg: All processes finished. Hit enter to reboot machine.
- name: Ensuring user has read prior message regarding upcoming reboot
ansible.builtin.pause:
- name: Rebooting machine for hostname change
become: true
ansible.builtin.reboot:
msg: "Rebooting machine"
msg: "Rebooting machine.."
connect_timeout: 0
test_command: ~
ignore_errors: true

14
roles/init-server/files/systemd/system/dsnet.service Normal file
View File

@@ -0,0 +1,14 @@
[Unit]
Description=dsnet
After=network-online.target
Wants=network-online.target
[Service]
Type=oneshot
ExecStart=/usr/bin/dsnet up
ExecStop=/usr/bin/dsnet down
RemainAfterExit=yes
ExecReload=/usr/bin/dsnet sync
[Install]
WantedBy=default.target

14
roles/init-server/files/systemd/system/thrunet.service Normal file
View File

@@ -0,0 +1,14 @@
[Unit]
Description=thrunet
After=network-online.target
Wants=network-online.target
[Service]
Type=oneshot
ExecStart=/usr/local/bin/dsnet-forward.sh start
ExecStop=/usr/local/bin/dsnet-forward.sh stop
RemainAfterExit=yes
# ExecReload=/usr/bin/dsnet sync
[Install]
WantedBy=default.target

10
roles/init-server/files/usr/local/bin/dsnet-forward.sh Executable file
View File

@@ -0,0 +1,10 @@
#!/bin/bash
set -euo pipefail
if [[ "$1" == "start" ]]; then
/usr/sbin/iptables -A FORWARD -i dsnet -p tcp --sport {80,443,465,587,995,110,143,993} -j ACCEPT
/usr/sbin/iptables -t nat -A POSTROUTING -o dsnet -j MASQUERADE
elif [[ "$1" == "stop" ]]; then
/usr/sbin/iptables -D FORWARD -i dsnet -p tcp --sport {80,443,465,587,995,110,143,993} -j ACCEPT
/usr/sbin/iptables -t nat -D POSTROUTING -o dsnet -j MASQUERADE
fi

10
roles/init-server/handlers/core.yml
View File

@@ -5,10 +5,10 @@
ansible.builtin.debug:
msg: "No post-installaton or additional installation steps needed--continuing..."
listen: default
- name: Setting up ViM
- name: Setting up Crowdsec
ansible.builtin.include_tasks:
file: tasks/contingent/pkg/vim.yml
listen: vim
file: tasks/contingent/pkg/crowdsec.yml
listen: crowdsec
- name: Setting up Headscale
ansible.builtin.include_tasks:
file: tasks/contingent/pkg/headscale.yml
@@ -21,3 +21,7 @@
ansible.builtin.include_tasks:
file: tasks/contingent/pkg/tor.yml
listen: tor
- name: Setting up DSNet
ansible.builtin.include_tasks:
file: tasks/contingent/pkg/dsnet.yml
listen: dsnet

4
roles/init-server/handlers/userspace.yml
View File

@@ -5,6 +5,10 @@
ansible.builtin.debug:
msg: "No post-installaton or additional installation steps needed--continuing..."
listen: default
- name: Setting up ViM
ansible.builtin.include_tasks:
file: tasks/contingent/pkg/vim.yml
listen: vim
- name: Settng up NeoViM
ansible.builtin.include_tasks:
file: tasks/contingent/pkg/neovim.yml

17
roles/init-server/tasks/contingent/pkg/crowdsec.yml
View File

@@ -1,3 +1,10 @@
- name: Restarting SystemD service
become: true
ansible.builtin.systemd_service:
name: crowdsec
scope: system
enabled: true
state: started
- name: Changing the address and port of the Crowdsec server
become: true
ansible.builtin.lineinfile:
@@ -11,7 +18,7 @@
become: true
ansible.builtin.lineinfile:
path: /etc/crowdsec/config.yaml
regexp: "^ {2}listen_uri"
regexp: "^ {2}listen_addr"
line: " listen_addr: localhost"
owner: root
group: root
@@ -24,4 +31,10 @@
line: "url: http://localhost:{{ crowdsec.port }}"
owner: root
group: root
mode: "644"
mode: "644"
- name: Restarting SystemD service
become: true
ansible.builtin.systemd_service:
name: crowdsec
scope: system
state: restarted

2
roles/init-server/tasks/contingent/pkg/difftastic.yml
View File

@@ -15,7 +15,7 @@
become: true
ansible.builtin.file:
src: "{{ ansible_user_home.stdout }}/downloads/archives/released/difftastic/{{ item }}"
dest: "/usr/local/bin/{{ item }}"
dest: "/usr/bin/{{ item }}"
state: link
loop:
- difft

147
roles/init-server/tasks/contingent/pkg/dsnet.yml Normal file
View File

@@ -0,0 +1,147 @@
- name: Acquiring home of current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo ~{{ ansible_user }}"
register: ansible_user_home
- name: Acquiring current user
when: ansible_facts["system"] == "Linux"
ansible.builtin.shell:
cmd: "echo {{ ansible_user }}"
register: current_user
- name: Initializing DSNet
become: true
ansible.builtin.command:
cmd: dsnet init
- name: Running DSNet VPN service interface
become: true
ansible.builtin.command:
cmd: dsnet up
- name: Creating a directory to house VPN service client configurations
ansible.builtin.file:
path: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d"
recurse: true
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: "755"
state: directory
- name: Adding peer device for DSNet VPN service interface
become: true
ansible.builtin.shell:
cmd: "dsnet add {{ item.name }}{{ idx }} --owner {{ current_user.stdout }} --description 'For {{ item.name }}--{{ item.desc }}' --confirm > {{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ (idx | string) }}.conf"
creates: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ idx }}.conf"
loop: "{{ vpn_server.clients }}"
loop_control:
index_var: idx
- name: Changing ownership of consequent DSNet VPN service client configurations
ansible.builtin.file:
path: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ (idx | string) }}.conf"
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
state: file
loop: "{{ vpn_server.clients }}"
loop_control:
index_var: idx
- name: Pausing to inquire about how to proceed
ansible.builtin.pause:
prompt: "Type \"fetch\" to get the DSNet VPN service client configuration files, or \"show\" to see their contents for manual copying instead"
echo: true
register: data_method
- name: Presenting DSNet VPN service client configuration files to control node for copying
when: data_method.user_input == "show"
block:
- name: Acquiring contents of DSNet VPN service client configuration files
ansible.builtin.slurp:
src: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ (idx | string) }}.conf"
loop: "{{ vpn_server.clients }}"
loop_control:
index_var: idx
register: vpn_client_configs
- name: Presenting contents of DSNet VPN service client configurations to control node
ansible.builtin.debug:
msg: "Copy this client configuration of the DSNet VPN service:\n {{ item.content }}"
loop: "{{ vpn_client_configs.results }}"
- name: Giving opportunity to manually copy contents of DSNet VPN service client configuration files
ansible.builtin.pause:
- name: Providing DSNet VPN service client configuration files to control node machine
when: data_method.user_input == "fetch"
block:
- name: Dupliciating DSNet VPN service client configuration files to control node
ansible.builtin.fetch:
src: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ (idx | string) }}.conf"
dest: "./.tmp/{{ inventory_hostname }}-dsnet/wg/"
flat: true
loop: "{{ vpn_server.clients }}"
loop_control:
index_var: idx
- name: Informing control node of acquired files
ansible.builtin.debug:
msg: "The DSNet VPS service client configuration files have been duplicated to '/var/tmp/{{ inventory_hostname }}/wg/' at the control node."
- name: Giving control node user time to read the aforementiioned message
ansible.builtin.pause:
seconds: 30
- name: Ensuring IP forwarding is allowed
become: true
ansible.posix.sysctl:
name: "net.{{ item }}.ip_forward"
value: "1"
sysctl_set: true
state: present
loop:
- ipv4
# - ipv6
- name: Creating SystemD unit for placing up DSNet interface
become: true
ansible.builtin.copy:
src: systemd/system/dsnet.service
dest: /etc/systemd/system/dsnet.service
owner: root
group: root
force: true
backup: true
- name: Reloading SystemD and enabling DSNet interface
become: true
ansible.builtin.systemd_service:
name: dsnet
enabled: true
daemon_reload: true
- name: Copying script for DSNet iptables rules
become: true
ansible.builtin.copy:
src: usr/local/bin/dsnet-forward.sh
dest: /usr/local/bin/
owner: root
group: root
mode: "744"
force: true
backup: true
- name: Creating SystemD unit for DSNet iptables rules
become: true
ansible.builtin.copy:
src: systemd/system/thrunet.service
dest: /etc/systemd/system/thrunet.service
owner: root
group: root
force: true
backup: true
- name: Reloading SystemD and enabling iptables rules SystemD unit
become: true
ansible.builtin.systemd_service:
name: thrunet
enabled: true
daemon_reload: true
- name: Forwarding network traffic on certain ports to Wireguard VPS service interface
become: true
ansible.builtin.iptables:
chain: FORWARD
protocol: "{{ item[0][0] }}"
source_port: "{{ item[0][1] }}"
in_interface: "{{ item[1] }}"
jump: ACCEPT
loop: "{{ vpn_server.forwards | product([vpn_server.interface]) }}"
- name: Forwarding network traffic on certain ports to Wireguard VPS service interface
become: true
ansible.builtin.iptables:
table: nat
chain: POSTROUTING
out_interface: "{{ vpn_server.interface }}"
jump: MASQUERADE

1
roles/init-server/tasks/contingent/pkg/headscale.yml
View File

@@ -32,6 +32,7 @@
cmd: "headscale users create {{ item.username }} -d '{{ item.dname }}' -e '{{ item.email }}'"
# vars:
# default_pfp: ~
loop: "{{ tail.users }}"
register: headscale_registration
changed_when:
- "'User created' in headscale_registration.stdout"

2
roles/init-server/tasks/contingent/pkg/julia.yml
View File

@@ -19,7 +19,7 @@
become: true
ansible.builtin.file:
src: "{{ ansible_user_home.stdout }}/.juliaup/bin/{{ item }}"
dest: "/usr/local/bin/{{ item }}"
dest: "/usr/bin/{{ item }}"
owner: root
group: root
state: link

11
roles/init-server/tasks/contingent/pkg/neovim.yml
View File

@@ -9,17 +9,6 @@
ansible.builtin.shell:
cmd: "echo {{ ansible_user }}"
register: current_user
- name: Copy system ViM configuration to home directory
become: true
ansible.builtin.copy:
src: /root/.vimrc
remote_src: true
dest: "{{ ansible_user_home.stdout }}/.vimrc"
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: "644"
force: true
backup: true
- name: Creating directory tree for NeoViM configuration files
ansible.builtin.file:
path: "{{ ansible_user_home.stdout }}/.config/nvim"

18
roles/init-server/tasks/contingent/pkg/nvm.yml
View File

@@ -20,7 +20,7 @@
- name: Linking binaries to directories already in PATH environment variable
ansible.builtin.file:
src: "{{ item[0] }}/bin/{{ item[1] }}"
dest: "/usr/local/bin/{{ item[1] }}"
dest: "/usr/bin/{{ item[1] }}"
owner: root
group: root
state: link
@@ -28,7 +28,7 @@
- name: Linking binaries to directories already in PATH environment variable
ansible.builtin.file:
src: "{{ item[0] }}/lib/node_modules/corepack/dist/{{ item[1] }}.js"
dest: "/usr/local/bin/{{ item[1] }}"
dest: "/usr/bin/{{ item[1] }}"
owner: root
group: root
state: link
@@ -36,7 +36,7 @@
- name: Linking binaries to directories already in PATH environment variable
ansible.builtin.file:
src: "{{ item[0] }}/lib/node_modules/npm/bin/{{ item[1] }}-cli.js"
dest: "/usr/local/bin/{{ item[1] }}"
dest: "/usr/bin/{{ item[1] }}"
owner: root
group: root
state: link
@@ -44,7 +44,7 @@
- name: Link includes to directories already recognized by system
ansible.builtin.file:
src: "{{ item[0] }}/include/{{ item[1] }}"
dest: "/usr/local/include/{{ item[1] }}"
dest: "/usr/include/{{ item[1] }}"
owner: root
group: root
state: link
@@ -52,14 +52,14 @@
- name: Link requisite libraries to directories already recognized by system
ansible.builtin.file:
src: "{{ item[0] }}/lib/{{ item[1] }}"
dest: "/usr/local/lib/{{ item[1] }}"
dest: "/usr/lib/{{ item[1] }}"
owner: root
group: root
state: link
loop: "{{ prebuilt_nodepaths | product(['node_modules']) }}"
- name: Create man1 subdirectory for man pages
ansible.builtin.file:
path: /usr/local/share/man/man1
path: /usr/share/man/man1
recurse: true
owner: root
group: root
@@ -68,14 +68,14 @@
- name: Link shared resources to directories already recognized by system
ansible.builtin.file:
src: "{{ item[0] }}/share/man/man1/{{ item[1] }}.1"
dest: "/usr/local/share/man/man1/{{ item[1] }}.1"
dest: "/usr/share/man/man1/{{ item[1] }}.1"
owner: root
group: root
state: link
loop: "{{ prebuilt_nodepaths | product(['node']) }}"
- name: Create man1 subdirectory for man pages
ansible.builtin.file:
path: /usr/local/share/doc
path: /usr/share/doc
recurse: true
owner: root
group: root
@@ -84,7 +84,7 @@
- name: Link shared resources to directories already recognized by system
ansible.builtin.file:
src: "{{ item[0] }}/share/doc/{{ item[1] }}"
dest: "/usr/local/share/doc/{{ item[1] }}"
dest: "/usr/share/doc/{{ item[1] }}"
owner: root
group: root
state: link

6
roles/init-server/tasks/contingent/pkg/radicle.yml
View File

@@ -21,7 +21,7 @@
- name: Linking binaries to directories already in PATH environment variable
ansible.builtin.file:
src: "{{ ansible_user_home.stdout }}/.radicle/bin/{{ item }}"
dest: "/usr/local/bin/{{ item }}"
dest: "/usr/bin/{{ item }}"
state: link
loop:
- rad
@@ -29,7 +29,7 @@
- git-remote-rad
- name: Create man1 subdirectory for man pages
ansible.builtin.file:
path: /usr/local/share/man/man1
path: /usr/share/man/man1
recurse: true
owner: root
group: root
@@ -38,7 +38,7 @@
- name: Link manpages to Linux manpage directories
ansible.builtin.file:
src: "{{ ansible_user_home.stdout }}/.radicle/man/man1/{{ item }}.1"
dest: "/usr/local/share/man/man1/{{ item }}.1"
dest: "/usr/share/man/man1/{{ item }}.1"
state: link
loop:
- rad

2
roles/init-server/tasks/contingent/pkg/rustup.yml
View File

@@ -19,7 +19,7 @@
become: true
ansible.builtin.file:
src: "{{ ansible_user_home.stdout }}/.cargo/bin/{{ item }}"
dest: "/usr/local/bin/{{ item }}"
dest: "/usr/bin/{{ item }}"
state: link
loop:
- rustup

5
roles/init-server/tasks/contingent/pkg/surge.yml
View File

@@ -8,7 +8,7 @@
become: true
ansible.builtin.file:
src: "{{ ansible_user_home.stdout }}/downloads/archives/released/surge/{{ item }}"
dest: "/usr/local/bin/{{ item }}"
dest: "/usr/bin/{{ item }}"
state: link
loop:
- surge
@@ -43,12 +43,11 @@
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: "644"
state: touch
register: surge_token
- name: Placing Surge API token into file on control node
ansible.builtin.fetch:
src: "{{ surge_token.dest }}"
dest: "/var/tmp/{{ inventory_hostname }}/surge.token"
dest: "./.tmp/{{ inventory_hostname }}-surge/surge.secret"
flat: true
- name: Informing control node of acquired files
ansible.builtin.debug:

2
roles/init-server/tasks/contingent/pkg/uv.yml
View File

@@ -19,7 +19,7 @@
become: true
ansible.builtin.file:
src: "{{ ansible_user_home.stdout }}/.local/bin/{{ item }}"
dest: "/usr/local/bin/{{ item }}"
dest: "/usr/bin/{{ item }}"
state: link
loop:
- uv

10
roles/init-server/tasks/contingent/pkg/vim.yml
View File

@@ -19,6 +19,7 @@
recurse: true
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: "755"
state: directory
loop:
- autoload
@@ -30,7 +31,7 @@
become_user: "{{ current_user.stdout }}"
ansible.builtin.uri:
url: "https://raw.githubusercontent.com/junegunn/vim-plug/master/plug.vim"
dest: "{{ ansible_user_home.stdout }}/.vim/autoload/"
dest: "{{ ansible_user_home.stdout }}/.vim/autoload/plug.vim"
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
force: true
@@ -46,4 +47,9 @@
group: "{{ ansible_user }}"
force: true
backup: true
# @TODO run command to make sure plugins referenced in 'vimrc' are installed
- name: Informing user of need to manually run PlugInstall in ViM
ansible.builtin.debug:
msg: "Make sure to run \":PlugInstall\" the first time you open/use ViM"
- name: Pausing to ensure user has read message about needed manual PlugInstall execution for ViM
ansible.builtin.pause:
seconds: 30

15
roles/init-server/tasks/core@install-pkgs.yml
View File

@@ -216,3 +216,18 @@
msg: Rebooting machine
tags:
- get_git_pkgs
- name: Installing software as pre-compiled binary
block:
- name: Grabbing software binary
become: true
ansible.builtin.get_url:
url: "{{ item.src }}"
dest: "/usr/bin/{{ item.name }}"
owner: root
group: root
mode: "744"
force: true
backup: true
notify: "{{ item.handler }}"
loop: "{{ (pkgs.binaries.core | default([])) }}"

35
roles/init-server/tasks/spawn.yml
View File

@@ -18,20 +18,41 @@
ansible.builtin.set_fact:
root_pubkeys: "{{ root_pubkeys | default([]) + [lookup('file', item)] }}"
loop: "{{ root_pubkey_paths }}"
- name: Ensuring password is defined for root user
when: prehashed_password is undefined or prehashed_password == None
block:
- name: Prompting for password for or of root user
when: password is undefined or password == None
ansible.builtin.pause:
prompt: "Provide a password for the root user"
echo: false
register: prompted_password
- name: Getting the inputted password for root user
when: prompted_password is defined or prompted_password != None
ansible.builtin.set_fact:
prehashed_password: "{{ prompted_password.user_input }}"
- name: Bootstrapping VPS
block:
- name: Ensuring token is available for VPS service API
when: token is undefined or token == None
ansible.builtin.pause:
prompt: "Provide the API token for the given VPS service"
echo: false
register: prompted_token
- name: Creating VPS via Linode VPS service API
block:
- name: Creating the VPS
linode.cloud.instance:
api_token: "{{ token }}"
api_token: "{{ token | prompted_token.user_input }}"
label: "{{ instance }}"
type: g6-standard-2
image: "{{ operating_system }}"
disk_encryption: enabled
region: "{{ origin }}"
private_ip: true
root_pass: "{{ password }}"
# @TODO find out if 'root_pass' attribute takes in hashed or plaintext password
# root_pass: "{{ password | default((prehashed_password | lookup('password_hash', hashtype='sha512'))) }}" # IF HASHED
root_pass: "{{ password | default(prehashed_password) }}" # IF PLAINTEXT
authorized_keys: "{{ root_pubkeys }}"
state: present
register: new_instance
@@ -43,7 +64,6 @@
timeout: 300
vars:
ansible_ssh_private_key_file: "{{ chosen_privkey | default(ssh_keypairs.files | rejectattr('path', 'search', '\\.pub$') | map(attribute='path') | list | random) }}" # @TODO define 'chosen_privkey'in playbook
ansible_user: root
loop: "{{ new_instance.instance[ip_pref] }}"
tags:
- linode
@@ -66,8 +86,6 @@
ansible.builtin.wait_for_connection:
delay: 20
timeout: 300
vars:
ansible_user: root
loop: "{{ groups[instance] | default(hostvars[instance]) }}"
- name: Checking if that server has required operating system
delegate_to: "{{ item }}"
@@ -76,8 +94,6 @@
when: ansible_facts["system"] != "Linux" and item is ansible.utils['ip_pref']
ansible.builtin.fail:
msg: Unsupported operating system found
vars:
ansible_user: root
loop: "{{ groups[instance] | default(hostvars[instance]) }}"
- name: Checking if that server has required Linux distro
delegate_to: "{{ item }}"
@@ -86,19 +102,16 @@
when: ansible_facts["system"] == "Linux" and ansible_facts["os_family"] != "Debian" and item is ansible.utils['ip_pref']
ansible.builtin.fail:
msg: Unsupported Linux distro found
vars:
ansible_user: root
loop: "{{ groups[instance] | default(hostvars[instance]) }}"
- name: Providing authorized keys for server root account
delegate_to: "{{ item[0] }}"
delegate_facts: true
become: true
remote_user: root
ansible.posix.authorized_key:
user: "{{ ansible_user }}"
key: "{{ lookup('file', item[1]) }}"
state: present
vars:
ansible_user: root
loop: "{{ (groups[instance] | default(hostvars[instance])) | product(root_pubkey_paths) }}"
tags:
- lan

23
roles/init-server/tasks/ssh-users.yml
View File

@@ -16,6 +16,27 @@
register: remote_group
tags:
- lan
- name: Managing passwords
when: prehashed_passwords is undefined or prehashed_passwords == None
block:
- name: Acquiring users lacking passwords
ansible.builtin.set_fact:
passwordless_admins: "{{ admins | selectattr('password', '==', 'null') | list }}"
- name: Pausing to acquire password for a user
when: item.password is undefined or item.password == None
ansible.builtin.pause:
prompt: "Provide a password for the administrative user, {{ item.username }}"
echo: false
loop: "{{ passwordless_admins }}"
register: prompted_passwords
- name: Processing inputted password per user
when: prompted_passwords is defined and prompted_passwords != None
ansible.builtin.set_fact:
prehashed_passwords: "{{ (prompted_passwords.results | default([])) | map(attribute='user_input') | list }}"
- name: Pairing inputted passwords with associated user
when: prehashed_passwords is defined or prehashed_passwords != None
ansible.builtin.set_fact:
prehashed_passwords: "{{ dict(passwordless_admins | map(attribute='username') | zip(prehashed_passwords) | list) }}"
- name: Creating an administrative user
become: true
ansible.builtin.user:
@@ -27,7 +48,7 @@
append: true
generate_ssh_key: true
create_home: true
password: "{{ item.password }}"
password: "{{ item.password | default((prehashed_passwords[item.username] | password_hash(hashtype='sha512'))) }}"
shell: "/bin/bash"
loop: "{{ admins }}"
register: admin_users

16
roles/init-server/tasks/userspace@install-pkgs.yml
View File

@@ -216,5 +216,17 @@
msg: Rebooting machine
tags:
- get_git_pkgs
# @TODO add a reboot either here or in any of the handlers potentially notified from here in
# order to update environment (unless found better solution)
- name: Installing software as pre-compiled binary
block:
- name: Grabbing software binary
become: true
ansible.builtin.get_url:
url: "{{ item.src }}"
dest: "/usr/bin/{{ item.name }}"
owner: root
group: root
mode: "744"
force: true
backup: true
notify: "{{ item.handler }}"
loop: "{{ (pkgs.binaries.userspace | default([])) }}"

18
skato-ansible.sh
View File

@@ -8,25 +8,30 @@ SKANSIBLE_DEBUG=1
SKANSIBLE_UNIT_TEST=1
DEFAULT_USER=senpai
DEFAULT_SKANSIBLE_PLAY_HOST=vps
SKANSIBLE_SSH_KEY_COLLECTION=(~/.ssh/ed25519\@staging ~/.ssh/ecdsa\@staging ~/.ssh/ed25519-37851076-sk\@staging ~/.ssh/ecdsa-37851076-sk\@staging)
if [[ "$1" == "version" ]]; then
echo "0.0.0"
fi
if [[ "$1" == "show-defaults" ]]; then
source "${SKANSIBLE_SCRIPT_PATH}/.env/bin/activate"
printf "User: %s\n" "$DEFAULT_USER"
printf "Expected hosts for playbook: %s\n" "$DEFAULT_SKANSIBLE_PLAY_HOST"
printf "Private SSH keys available throufh SSH agent: |\n%s\n" "$(ssh-add -l)"
fi
if [[ "$1" == "start-agent" ]]; then
source "${SKANSIBLE_SCRIPT_PATH}/.env/bin/activate"
eval "$(ssh-agent -s)"
fi
if [[ "$1" == "populate-agent" ]]; then
shift 1
source "${SKANSIBLE_SCRIPT_PATH}/.env/bin/activate"
if [[ -z "$1" ]]; then
if [[ "$1" == "all" ]]; then
for SKANSIBLE_SSH_KEY in ~/.ssh/*; do
case $SKANSIBLE_SSH_KEY in
*.pub);;
@@ -39,12 +44,21 @@ if [[ "$1" == "populate-agent" ]]; then
*) ssh-add "${SKANSIBLE_SSH_KEY}";;
esac
done
else
elif [[ "$1" == "select" ]]; then
for key in "${SKANSIBLE_SSH_KEY_COLLECTION[@]}"; do
ssh-add "$key"
done
elif [[ -z "$1" ]]; then
# @TODO improve by adding fuzzy querying or file finding pror
ssh-add "$1"
fi
fi
if [[ "$1" == "list-agent" ]]; then
source "${SKANSIBLE_SCRIPT_PATH}/.env/bin/activate"
ssh-add -l
fi
if [[ "$1" == "init" ]]; then
shift 1