Diffstat (limited to 'bootstrap_nategb.yml')
-rw-r--r--bootstrap_nategb.yml187
1 files changed, 187 insertions, 0 deletions
diff --git a/bootstrap_nategb.yml b/bootstrap_nategb.yml
new file mode 100644
index 0000000..72421e0
--- /dev/null
+++ b/bootstrap_nategb.yml
@@ -0,0 +1,187 @@
+---
+
+- hosts: nategb
+ become: true
+ vars:
+ sudoers:
+ - n8
+ tasks:
+
+ - name: pacman -Syu
+ tags: nategb
+ pacman:
+ upgrade: yes
+ update_cache: yes
+ when: ansible_distribution == "Archlinux"
+
+ - name: pacman -S nginx, etc.
+ tags: nategb
+ pacman:
+ name:
+ - base-devel
+ - git
+ - tmux
+ - tor
+ - rsync
+ - neovim
+ - nginx
+ - cgit
+ - fcgiwrap
+ - certbot
+ - certbot-nginx
+ update_cache: yes
+ state: present
+ when: ansible_distribution == "Archlinux"
+
+ - name: gather package facts
+ tags: nategb
+ package_facts:
+ manager: pacman
+ when: ansible_distribution == "Archlinux"
+
+ - name: install sudo if not already installed
+ tags: nategb
+ pacman:
+ name:
+ - sudo
+ update_cache: yes
+ state: present
+ when: "'sudo' not in ansible_facts.packages"
+
+ - name: Make sure 'wheel' group exists
+ group:
+ name: wheel
+ state: present
+
+ - name: Allow 'wheel' group to use sudo
+ tags: nategb, sudo
+ lineinfile:
+ dest: /etc/sudoers
+ state: present
+ regexp: '^%wheel'
+ line: '%wheel ALL=(ALL) ALL'
+ validate: 'visudo -cf %s'
+ when: "'sudo' in ansible_facts.packages"
+
+ - name: add users
+ tags: nategb
+ user:
+ name: "{{ item }}"
+ groups: wheel
+ append: yes
+ state: present
+ with_items: "{{ sudoers }}"
+
+ - name: add ssh keys to users
+ tags: nategb
+ authorized_key:
+ user: "{{ item }}"
+ state: present
+ key: "{{ lookup('file', '/home/n8/.ssh/id_ed25519.pub') }}"
+ with_items: "{{ sudoers }}"
+
+
+ - name: secure sshd
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ state: present
+ validate: 'sshd -T -f %s'
+ with_items:
+ - regexp: "^PasswordAuthentication"
+ line: "PasswordAuthentication no"
+ - regexp: "^PermitRootLogin"
+ line: "PermitRootLogin prohibit-password"
+
+ - name: copy nginx.conf to nginx on server
+ tags: nginx, nategb
+ copy:
+ src: files/etc/nginx.conf
+ dest: /etc/nginx/nginx.conf
+ owner: root
+ group: root
+ mode: 0644
+
+ - name: mkdir conf.d
+ tags: nginx, nategb
+ file:
+ path: /etc/nginx/conf.d
+ state: directory
+ mode: 0755
+
+ - name: copy nategb.conf to nginx on server
+ tags: nginx, nategb
+ copy:
+ force: no
+ src: files/conf.d/nategb.conf
+ dest: /etc/nginx/conf.d/nategb.conf
+ owner: root
+ group: root
+ mode: 0644
+
+ - name: copy cgit.conf to nginx on server
+ tags: nginx, nategb
+ copy:
+ force: no
+ src: files/conf.d/cgit.conf
+ dest: /etc/nginx/conf.d/cgit.conf
+ owner: root
+ group: root
+ mode: 0644
+
+ - name: copy cgitrc to server
+ tags: nginx, cgit, nategb
+ copy:
+ src: files/etc/cgitrc
+ dest: /etc/cgitrc
+ owner: root
+ group: root
+ mode: 0644
+
+ - name: create /var/www/nategb
+ tags: nginx, nategb
+ file:
+ path: /var/www/nategb
+ state: directory
+ mode: 0755
+
+#can an absolute path be given here?
+ - name: copy web files
+ synchronize:
+ src: files/nategb-root/
+ dest: /var/www/nategb
+ rsync_opts:
+ - "-r"
+ - "-d"
+ - "-v"
+ - "-l"
+ - "-P"
+ - "--delete"
+
+ - name: start nginx service
+ tags: nginx, nategb
+ service:
+ name: nginx
+ enabled: yes
+ state: started
+
+ - name: reload nginx service
+ tags: nginx, nategb
+ service:
+ name: nginx
+ state: reloaded
+
+ - name: start fcgiwrap service
+ tags: nategb
+ service:
+ name: fcgiwrap
+ enabled: yes
+ state: started
+
+ - name: start fcgiwrap socket
+ tags: nategb
+ service:
+ name: fcgiwrap.socket
+ enabled: yes
+ state: started
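Review bot: The `Allow 'wheel' group to use sudo` task is skipped on a fresh host, because its `when: "'sudo' in ansible_facts.packages"` reads the facts gathered by `gather package facts` before `install sudo if not already installed` runs, so on the first run the users are added to wheel with no sudoers entry until the playbook is run a second time. Either drop that `when` (the preceding install task already guarantees sudo is present) or re-run `package_facts` after the install. The `secure sshd` task also edits sshd_config without notifying a restart, so `PasswordAuthentication no` and `PermitRootLogin prohibit-password` are validated but not enforced by the running daemon until sshd is restarted; add `notify: restart sshd` to that task and a handler as below. For the same reason the unconditional `reload nginx service` task would fit better as a handler notified by the nginx config-copy tasks, which also makes the play idempotent.
```yaml
  - name: secure sshd
    lineinfile:
      # … unchanged: dest/regexp/line/state/validate …
    with_items:
      # … unchanged: PasswordAuthentication / PermitRootLogin items …
    notify: restart sshd

  # … unchanged: remaining nginx/cgit/fcgiwrap tasks …

  handlers:
    - name: restart sshd
      service:
        name: sshd
        state: restarted
```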