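---
# Provisions the "nategb" hosts: Arch packages, sudo/wheel, the listed user
# accounts and their SSH key, sshd hardening, nginx + cgit + fcgiwrap, and the
# site files. Booleans are spelled true/false and file modes are quoted so
# the values do not change meaning between YAML 1.1 and 1.2 parsers
# (yes/no -> bool, unquoted 0644 -> decimal 420).
- hosts: nategb
  become: true
  vars:
    # Accounts that are created, added to 'wheel' and receive the SSH key below.
    sudoers:
      - n8
  tasks:
    - name: pacman -Syu
      tags:
        - nategb
      pacman:
        upgrade: true
        update_cache: true
      when: ansible_distribution == "Archlinux"

    - name: pacman -S nginx, etc.
      tags:
        - nategb
      pacman:
        name:
          - base-devel
          - git
          - tmux
          - tor
          - rsync
          - neovim
          - nginx
          - cgit
          - fcgiwrap
          - certbot
          - certbot-nginx
        update_cache: true
        state: present
      when: ansible_distribution == "Archlinux"

    - name: gather package facts
      tags:
        - nategb
      package_facts:
        manager: pacman
      when: ansible_distribution == "Archlinux"

    - name: install sudo if not already installed
      tags:
        - nategb
      pacman:
        name:
          - sudo
        update_cache: true
        state: present
      when: "'sudo' not in ansible_facts.packages"

    # The facts gathered above predate the sudo install; without a refresh the
    # sudoers task below is skipped on a fresh host and wheel never gets sudo.
    - name: refresh package facts after installing sudo
      tags:
        - nategb
      package_facts:
        manager: pacman
      when: ansible_distribution == "Archlinux"

    # Tagged like the sudoers task that references this group.
    - name: Make sure 'wheel' group exists
      tags:
        - nategb
        - sudo
      group:
        name: wheel
        state: present

    - name: Allow 'wheel' group to use sudo
      tags:
        - nategb
        - sudo
      lineinfile:
        dest: /etc/sudoers
        state: present
        regexp: '^%wheel'
        line: '%wheel ALL=(ALL) ALL'
        # visudo checks the candidate file; a broken edit is rejected instead
        # of replacing /etc/sudoers.
        validate: 'visudo -cf %s'
      when: "'sudo' in ansible_facts.packages"

    - name: add users
      tags:
        - nategb
      user:
        name: "{{ item }}"
        groups: wheel
        # Keep any groups the account already has rather than replacing them.
        append: true
        state: present
      loop: "{{ sudoers }}"

    - name: add ssh keys to users
      tags:
        - nategb
      authorized_key:
        user: "{{ item }}"
        state: present
        # Public key is read on the control node, not on the managed host.
        key: "{{ lookup('file', '/home/n8/.ssh/id_ed25519.pub') }}"
      loop: "{{ sudoers }}"

    # NOTE(review): a line that matches no existing directive is appended at
    # the end of sshd_config. If the file starts with an Include of a
    # sshd_config.d drop-in directory, a drop-in setting the same directive
    # wins (first match); check the effective value with `sshd -T`.
    - name: secure sshd
      tags:
        - nategb
        - sshd
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        state: present
        # sshd -T parses the candidate file; a bad edit is rejected, not installed.
        validate: 'sshd -T -f %s'
      loop:
        - regexp: "^PasswordAuthentication"
          line: "PasswordAuthentication no"
        - regexp: "^PermitRootLogin"
          line: "PermitRootLogin prohibit-password"
      register: sshd_config

    # sshd reads its config only at (re)start; without this the hardening
    # above stays inactive until the next reboot or a manual restart.
    - name: reload sshd when its config changed
      tags:
        - nategb
        - sshd
      service:
        name: sshd
        state: reloaded
      when: sshd_config.changed

    - name: copy nginx.conf to nginx on server
      tags:
        - nginx
        - nategb
      copy:
        src: files/etc/nginx.conf
        dest: /etc/nginx/nginx.conf
        owner: root
        group: root
        mode: "0644"

    - name: mkdir conf.d
      tags:
        - nginx
        - nategb
      file:
        path: /etc/nginx/conf.d
        state: directory
        mode: "0755"

    - name: copy nategb.conf to nginx on server
      tags:
        - nginx
        - nategb
      copy:
        # Seed only: an existing file on the host is left untouched.
        force: false
        src: files/conf.d/nategb.conf
        dest: /etc/nginx/conf.d/nategb.conf
        owner: root
        group: root
        mode: "0644"

    - name: copy cgit.conf to nginx on server
      tags:
        - nginx
        - nategb
      copy:
        # Seed only: an existing file on the host is left untouched.
        force: false
        src: files/conf.d/cgit.conf
        dest: /etc/nginx/conf.d/cgit.conf
        owner: root
        group: root
        mode: "0644"

    - name: copy cgitrc to server
      tags:
        - nginx
        - cgit
        - nategb
      copy:
        src: files/etc/cgitrc
        dest: /etc/cgitrc
        owner: root
        group: root
        mode: "0644"

    - name: create /var/www/nategb
      tags:
        - nginx
        - nategb
      file:
        path: /var/www/nategb
        state: directory
        mode: "0755"

    # src accepts an absolute path on the control node as well; a relative one
    # appears to be resolved against the playbook directory, like the copy
    # tasks above -- TODO confirm on this Ansible version.
    # This task is untagged, so a `--tags nategb` run skips it (as written).
    - name: copy web files
      synchronize:
        src: files/nategb-root/
        dest: /var/www/nategb
        rsync_opts:
          - "-r"
          - "-d"
          - "-v"
          - "-l"
          - "-P"
          # Removes files under dest that no longer exist in src.
          - "--delete"

    - name: start nginx service
      tags:
        - nginx
        - nategb
      service:
        name: nginx
        enabled: true
        state: started

    # Unconditional reload so the configs copied above take effect on every run.
    - name: reload nginx service
      tags:
        - nginx
        - nategb
      service:
        name: nginx
        state: reloaded

    - name: start fcgiwrap service
      tags:
        - nategb
      service:
        name: fcgiwrap
        enabled: true
        state: started

    - name: start fcgiwrap socket
      tags:
        - nategb
      service:
        name: fcgiwrap.socket
        enabled: true
        state: started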