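---
# Provision the "nategb" host: base packages, sudo-capable user accounts with
# SSH keys, a hardened sshd, nginx + cgit (served through fcgiwrap) and the
# static site content.
#
# Caveats: ufw will mess with this. The default nginx vhost in sites-enabled
# may mess with this. The server_name causes a 502 error unless DNS is set up.
# cgit has not been extensively tested.
- hosts: nategb
  become: true
  vars:
    # Accounts created on the host and added to the `sudo` group.
    # The sudoers rule below still requires a password for sudo.
    sudoers:
      - n8
    # Public key installed for every account in `sudoers`. The lookup runs on
    # the control node, so this path is local, not on the target.
    ssh_pubkey_file: /home/n8/.ssh/id_ed25519.pub

  tasks:
    - name: Install updates (apt)
      ansible.builtin.apt:
        name: "*"
        state: latest
        update_cache: true
      when: ansible_os_family == "Debian"

    - name: apt install nginx, etc.
      tags: nategb
      ansible.builtin.apt:
        name:
          - git
          - tmux
          - tor
          - rsync
          - neovim
          - nginx
          - cgit
          - fcgiwrap
          - python3-certbot-nginx
        update_cache: true
      when: ansible_os_family == "Debian"

    - name: gather package facts
      tags: nategb
      ansible.builtin.package_facts:
        manager: apt
      when: ansible_os_family == "Debian"

    - name: install sudo if not already installed
      tags: nategb
      ansible.builtin.apt:
        name:
          - sudo
        update_cache: true
      when: "'sudo' not in ansible_facts.packages"

    - name: Make sure 'sudo' group exists
      ansible.builtin.group:
        name: sudo
        state: present

    # Deliberately unconditional: the install task above guarantees sudo is
    # present, and `ansible_facts.packages` is stale right after a fresh
    # install, so gating on it skipped this rule on the first run.
    - name: Allow 'sudo' group to use sudo
      tags: nategb, sudo
      ansible.builtin.lineinfile:
        dest: /etc/sudoers
        state: present
        regexp: '^%sudo'
        line: '%sudo ALL=(ALL) ALL'
        # Only install a sudoers file visudo accepts; a syntax error there
        # locks every admin out of sudo.
        validate: 'visudo -cf %s'

    - name: add users
      tags: nategb
      ansible.builtin.user:
        name: "{{ item }}"
        groups: sudo
        # Keep any groups the account already has; only add `sudo`.
        append: true
      loop: "{{ sudoers }}"

    # Must run before sshd password authentication is disabled below,
    # otherwise there is no way left to log in.
    - name: add ssh keys to users
      tags: nategb
      ansible.builtin.authorized_key:
        user: "{{ item }}"
        state: present
        key: "{{ lookup('file', ssh_pubkey_file) }}"
      loop: "{{ sudoers }}"

    # NOTE(review): sshd uses the first value it reads for a keyword. If this
    # host's sshd_config has an `Include /etc/ssh/sshd_config.d/*.conf` line
    # above these settings, a drop-in there can override them; confirm the
    # effective values with `sshd -T` on the target.
    - name: secure sshd
      ansible.builtin.lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        state: present
        # Refuse to write a config sshd cannot parse; a broken sshd_config
        # would take the only remote access path down with it.
        validate: 'sshd -T -f %s'
      loop:
        - regexp: "^PasswordAuthentication"
          line: "PasswordAuthentication no"
        - regexp: "^PermitRootLogin"
          line: "PermitRootLogin prohibit-password"
      # Changes to sshd_config take effect only after a reload.
      notify: reload sshd

    - name: copy nategb.conf to nginx on server
      tags: nginx, nategb
      ansible.builtin.copy:
        src: files/conf.d/nategb.conf
        dest: /etc/nginx/sites-available/nategb.conf
        owner: root
        group: root
        mode: "0644"
      notify: reload nginx

    - name: copy cgit.conf to nginx on server
      tags: nginx, nategb
      ansible.builtin.copy:
        src: files/conf.d/cgit.conf.debian
        dest: /etc/nginx/sites-available/cgit.conf
        owner: root
        group: root
        mode: "0644"
      notify: reload nginx

    - name: copy cgitrc to server
      tags: nginx, cgit, nategb
      ansible.builtin.copy:
        src: files/etc/cgitrc.debian
        dest: /etc/cgitrc
        owner: root
        group: root
        mode: "0644"

    - name: create /var/www/nategb
      tags: nginx, nategb
      ansible.builtin.file:
        path: /var/www/nategb
        state: directory
        mode: "0755"

    # `--delete` removes anything under /var/www/nategb that is not in the
    # local source tree, so the target directory is fully owned by this play.
    - name: copy web files
      ansible.posix.synchronize:
        src: files/nategb-root/
        dest: /var/www/nategb
        rsync_opts:
          - "-r"
          - "-d"
          - "-v"
          - "-l"
          - "-P"
          - "--delete"

    # https://badzilla.co.uk/ansible-tasks-create-symbolic-links-nginx-apache-sites-enabled-directory
    - name: Apply symlinks in sites-enabled
      ansible.builtin.file:
        dest: "/etc/nginx/sites-enabled/{{ item }}"
        src: "/etc/nginx/sites-available/{{ item }}"
        state: link
        force: true
      loop:
        - nategb.conf
        - cgit.conf
      notify: reload nginx

    - name: start nginx service
      tags: nginx, nategb
      ansible.builtin.service:
        name: nginx
        enabled: true
        state: started

    - name: start fcgiwrap service
      tags: nategb
      ansible.builtin.service:
        name: fcgiwrap
        enabled: true
        state: started

    - name: start fcgiwrap socket
      tags: nategb
      ansible.builtin.service:
        name: fcgiwrap.socket
        enabled: true
        state: started

  # Handlers run once at the end of the play, and only when a task that
  # notifies them reported a change, replacing the former unconditional
  # "reload nginx service" task.
  handlers:
    - name: reload nginx
      ansible.builtin.service:
        name: nginx
        state: reloaded

    - name: reload sshd
      ansible.builtin.service:
        # Debian names the OpenSSH server unit `ssh`.
        name: ssh
        state: reloaded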