Diffstat (limited to 'bootstrap_nategb_debian.yml')
-rw-r--r-- | bootstrap_nategb_debian.yml | 180 |
1 files changed, 180 insertions, 0 deletions
diff --git a/bootstrap_nategb_debian.yml b/bootstrap_nategb_debian.yml
new file mode 100644
index 0000000..1134a50
--- /dev/null
+++ b/bootstrap_nategb_debian.yml
@@ -0,0 +1,180 @@
+---
+
+# caveats: ufw will mess with this. the default nginx vhost in sites-enabled
+# may mess with this. the server_name causes a 502 error unless DNS is set up.
+# cgit has not been extensively tested
+
+- hosts: nategb
+ become: true
+ vars:
+ sudoers:
+ - n8
+ tasks:
+
+ - name: Install updates (apt)
+ ansible.builtin.apt:
+ name: "*"
+ state: latest
+ update_cache: yes
+ when:
+ - ansible_os_family == "Debian"
+
+ - name: apt install nginx, etc.
+ tags: nategb
+ apt:
+ name:
+ - git
+ - tmux
+ - tor
+ - rsync
+ - neovim
+ - nginx
+ - cgit
+ - fcgiwrap
+ - python3-certbot-nginx
+ update_cache: yes
+ when: ansible_os_family == "Debian"
+
+ - name: gather package facts
+ tags: nategb
+ package_facts:
+ manager: apt
+ when: ansible_os_family == "Debian"
+
+ - name: install sudo if not already installed
+ tags: nategb
+ apt:
+ name:
+ - sudo
+ update_cache: yes
+ when: "'sudo' not in ansible_facts.packages"
+
+ - name: Make sure 'sudo' group exists
+ group:
+ name: sudo
+ state: present
+
+ - name: Allow 'sudo' group to use sudo
+ tags: nategb, sudo
+ lineinfile:
+ dest: /etc/sudoers
+ state: present
+ regexp: '^%sudo'
+ line: '%sudo ALL=(ALL) ALL'
+ validate: 'visudo -cf %s'
+ when: "'sudo' in ansible_facts.packages"
+
+ - name: add users
+ tags: nategb
+ user:
+ name: "{{ item }}"
+ groups: sudo
+ append: yes
+ with_items: "{{ sudoers }}"
+
+ - name: add ssh keys to users
+ tags: nategb
+ authorized_key:
+ user: "{{ item }}"
+ state: present
+ key: "{{ lookup('file', '/home/n8/.ssh/id_ed25519.pub') }}"
+ with_items: "{{ sudoers }}"
+
+
+ - name: secure sshd
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ state: present
+ validate: 'sshd -T -f %s'
+ with_items:
+ - regexp: "^PasswordAuthentication"
+ line: "PasswordAuthentication no"
+ - regexp: "^PermitRootLogin"
+ line: "PermitRootLogin prohibit-password"
+
+ - name: copy nategb.conf to nginx on server
+ tags: nginx, nategb
+ copy:
+ src: files/conf.d/nategb.conf
+ dest: /etc/nginx/sites-available/nategb.conf
+ owner: root
+ group: root
+ mode: 0644
+
+ - name: copy cgit.conf to nginx on server
+ tags: nginx, nategb
+ copy:
+ src: files/conf.d/cgit.conf.debian
+ dest: /etc/nginx/sites-available/cgit.conf
+ owner: root
+ group: root
+ mode: 0644
+
+ - name: copy cgitrc to server
+ tags: nginx, cgit, nategb
+ copy:
+ src: files/etc/cgitrc.debian
+ dest: /etc/cgitrc
+ owner: root
+ group: root
+ mode: 0644
+
+ - name: create /var/www/nategb
+ tags: nginx, nategb
+ file:
+ path: /var/www/nategb
+ state: directory
+ mode: 0755
+
+
+ - name: copy web files
+ synchronize:
+ src: files/nategb-root/
+ dest: /var/www/nategb
+ rsync_opts:
+ - "-r"
+ - "-d"
+ - "-v"
+ - "-l"
+ - "-P"
+ - "--delete"
+
+# https://badzilla.co.uk/ansible-tasks-create-symbolic-links-nginx-apache-sites-enabled-directory
+ - name: Apply symlinks in sites-enabled
+ file:
+ dest: /etc/nginx/sites-enabled/{{ item }}
+ src: /etc/nginx/sites-available/{{ item }}
+ state: link
+ force: yes
+ with_items:
+ - nategb.conf
+ - cgit.conf
+
+ - name: start nginx service
+ tags: nginx, nategb
+ service:
+ name: nginx
+ enabled: yes
+ state: started
+
+ - name: reload nginx service
+ tags: nginx, nategb
+ service:
+ name: nginx
+ state: reloaded
+
+ - name: start fcgiwrap service
+ tags: nategb
+ service:
+ name: fcgiwrap
+ enabled: yes
+ state: started
+
+ - name: start fcgiwrap socket
+ tags: nategb
+ service:
+ name: fcgiwrap.socket
+ enabled: yes
+ state: started
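Review bot: The `secure sshd` task rewrites `/etc/ssh/sshd_config` but nothing in the play reloads or restarts sshd, so `PasswordAuthentication no` and `PermitRootLogin prohibit-password` are not enforced until some unrelated restart, even though nginx and fcgiwrap each get an explicit `service` task further down. On Debian the unit is `ssh`; a `notify` on that task plus a handler that reloads it closes the gap, as sketched below. Separately, recent Debian sshd_config files start with `Include /etc/ssh/sshd_config.d/*.conf` and sshd keeps the first value it reads, so a drop-in there (cloud images commonly ship one) can silently override the two lines appended here — this is inferred from the distribution default rather than visible in the hunk, so verify with `sshd -T` on the target after the run. As a point of style, `mode: 0644` / `mode: 0755` depend on the YAML 1.1 octal rule; the quoted form `mode: "0644"` is the portable one and matches the already-quoted `regexp`/`line` values in the same tasks.

```yaml
    - name: secure sshd
      # … unchanged: lineinfile loop over PasswordAuthentication / PermitRootLogin …
      notify: Reload sshd

  handlers:
    - name: Reload sshd
      service:
        name: ssh
        state: reloaded
```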