shockrah/infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Moving around more stuff
Some checks failed
Ansible Linting / ansible-lint (push) Failing after 4s
Details
Secops Linting and Safety Checks / checkov-scan-s3 (push) Failing after 17s
Details

Browse Source
This commit is contained in:
shockrah
2025-05-12 00:18:24 -07:00
parent 5227bea568
commit 79bd7424c3
15 changed files with 0 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
deprecated/playbooks/playbooks-deprecated/harden.yml Normal file
View File

@@ -0,0 +1,9 @@
---
- hosts: webhost
remote_user: root
tasks:
- name: Setup UFW
import_tasks: ../tasks/ufw-setup.yml
- name: Harden ssh configuration
import_tasks: ../tasks/ssh.yml

17
deprecated/playbooks/playbooks-deprecated/lets-encrypt.yml Normal file
View File

@@ -0,0 +1,17 @@
---
- hosts: webhost
remote_user: root
vars:
websites:
- shockrah.xyz
- git.shockrah.xyz
- resume.shockrah.xyz
- temper.tv
tasks:
- name: Ensure certbot is setup
import_tasks: ../tasks/certbot-installation.yml
- name: Get certificate
command: certbot -n --nginx certonly -d {{ item }}
args:
creates: "/etc/letsencrypt/live/{{ item }}"
loop: "{{ websites }}"

30
deprecated/playbooks/playbooks-deprecated/refresh-nginx.yml Normal file
View File

@@ -0,0 +1,30 @@
---
- hosts: webhost
remote_user: root
vars:
websites:
- shockrah.xyz
- git.shockrah.xyz
- temper.tv
- resume.shockrah.xyz
tasks:
- name: Upload configs
copy:
src: "../files/{{ item }}.conf"
dest: "/etc/nginx/sites-available/{{ item }}"
loop: "{{ websites }}"
- name: Enable the site configs with sym links
file:
src: "/etc/nginx/sites-available/{{ item }}"
dest: "/etc/nginx/sites-enabled/{{ item }}"
state: link
loop: "{{ websites }}"
- name: Ensure no default available
file:
path: /etc/nginx/sites-enabled/default
state: absent
- name: Restart nginx conf to pick up new config changes
service:
name: nginx
state: restarted

7
deprecated/playbooks/playbooks-deprecated/run-docker-compose.yaml Normal file
View File

@@ -0,0 +1,7 @@
---
- hosts: webhost
remote_user: webadmin
tasks:
- name: Run docker-compose up
community.docker.docker_compose_v2:
project_src: ../../../containers/

54
deprecated/playbooks/playbooks-deprecated/secure-ssh-user.yml Normal file
View File

@@ -0,0 +1,54 @@
# This playbook is to be executed when first setting up
# the machine so we'll have to login as root, but in doing so
# we'll setup a user which can use sudo and use pem based authentication
# this should remove the ability to login as root with a janky password
---
- hosts: webhost
remote_user: root
tasks:
- name: Ensure sudo is available
apt:
state: present
update_cache: true
pkg:
- sudo
- zsh
- name: Create webadmin user
user:
name: webadmin
state: present
shell: /bin/zsh
groups:
- nginx
append: yes
- name: webadmin key copy
authorized_key:
user: webadmin
state: present
key: "{{ lookup('file', '~/.ssh/vultr/webadmin.pem.pub') }}"
- name: Add webadmin to sudoers
copy:
dest: "/etc/sudoers.d/webadmin"
content: "webadmin ALL=(ALL) NOPASSWD: ALL"
- name: Disable Password Authentication
lineinfile:
dest: /etc/ssh/sshd_config
line: PasswordAuthentication no
state: present
backup: yes
notify:
- restart ssh
- name: Disable root login
lineinfile:
dest: /etc/ssh/sshd_config
line: PermitRootLogin no
state: present
backup: yes
notify:
- restart ssh
handlers:
- name: restart ssh
service:
name: sshd
state: restarted

47
deprecated/playbooks/playbooks-deprecated/setup-docker-compose.yaml Normal file
View File

@@ -0,0 +1,47 @@
---
- hosts: webhost
remote_user: webadmin
become: true
tasks:
- name: Install docker and docker-compose
apt:
update_cache: true
pkg:
- ca-certificates
- curl
- name: Setup keyring
command:
cmd: "install -m 0755 -d /etc/apt/keyrings"
- name: Download docker gpg key
get_url:
url: https://download.docker.com/linux/ubuntu/gpg
dest: /etc/apt/keyrings/docker.asc
- name: Set perms on /etc/apt/keyrings/docker.asc
file:
dest: /etc/apt/keyrings/docker.asc
mode: a+r
- name: Ensure docker.lst exists
copy:
content: ''
dest: /etc/apt/sources.list.d/docker.list
force: false
group: root
owner: root
mode: 0644
- name: Ensure docker.lst is present for apt
lineinfile:
line: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu jammy stable\n"
dest: /etc/apt/sources.list.d/docker.list
state: present
- name: install docker packages
apt:
update_cache: true
pkg:
- docker-ce
- docker-ce-cli
- containerd.io
- docker-buildx-plugin
- docker-compose-plugin

25
deprecated/playbooks/playbooks-deprecated/setup-git-web-deployer.yml Normal file
View File

@@ -0,0 +1,25 @@
---
- name: Setup all attributes of the html-deployer user for static website CI
hosts: webhost
vars:
username: html-deployer
remote_user: webadmin
tasks:
- name: Create user for git actions to deploy html
become: true
ansible.builtin.user:
name: "{{ username }}"
comment: Used for deploying html from Gitea Actions
group: nginx
- name: Set the authorized keys
become: true
ansible.posix.authorized_key:
user: "{{ username }}"
state: present
key: "{{ lookup('file', '~/.ssh/vultr/html-deployer.pem.pub') }}"
- name: Ensure /opt/nginx website folders are owned by html-deployer
ansible.builtin.file:
path: "/opt/nginx/{{ item }}"
recurse: true
owner: "{{ username }}"
group: "nginx"

16
deprecated/playbooks/playbooks-deprecated/static-host-setup.yml Normal file
View File

@@ -0,0 +1,16 @@
# This playbook basically guarantees that the host is in a production ready state
---
- hosts: webhost
remote_user: root
vars:
websites:
- shockrah.xyz
- temper.tv
- resume.shockrah.xyz
tasks:
- name: Setup nginx
import_tasks: ../tasks/nginx-setup.yml
- name: Test local sites
import_tasks: ../tasks/tests/local-site-presence.yml
- name: Ensure AWS is setup
import_tasks: ../tasks/setup-aws-cli.yml

20
deprecated/playbooks/playbooks-deprecated/update.yml Normal file
View File

@@ -0,0 +1,20 @@
# Purpose: General update to the system to keep packages up to date
---
- hosts: webhost
remote_user: webadmin
tasks:
- name: Informational Dump of what is upgradeable
ansible.builtin.command: apt list --upgradable
register: pkg
- name: Show list of packages to upgrade
ansible.builtin.debug:
msg: "{{ pkg.stdout_lines }}"
- name: Update the packages at the system level to the latest versions
become: true
ansible.builtin.apt:
name: "*"
state: latest

19
deprecated/playbooks/tasks/certbot-installation.yml Normal file
View File

@@ -0,0 +1,19 @@
- name: Install required packages
pip:
name:
- certbot
- certbot-nginx
executable: pip3
- name: Register
shell: |
certbot -n register --agree-tos -m dev@shockrah.xyz,temper@temper.tv
touch /etc/letsencrypt/.registered
args:
creates: /etc/letsencrypt/.registered
- name: Setup cron job for renewal every monday at 1 am
cron:
name: certbot-renewal
job: "bash -lc 'certbot -q renew'"
minute: 0
hour: 1
weekday: 1

35
deprecated/playbooks/tasks/nginx-setup.yml Normal file
View File

@@ -0,0 +1,35 @@
- name: Install nginx
apt:
name: nginx
update_cache: yes
- name: Create user for nginx purposes
user:
name: nginx
shell: /bin/bash
create_home: false
- name: Create nginx website directory
file:
state: directory
owner: nginx
path: /opt/nginx
- name: Copy over the nginx.conf files for each server
copy:
src: "../files/{{ item }}"
dest: /etc/nginx/sites-available/
loop:
- shockrah.xyz.conf
- resume.shockrah.xyz.conf
- temper.tv.conf
- name: Enable the site configs with sym links
file:
src: "/etc/nginx/sites-available/{{ item }}"
dest: "/etc/nginx/sites-enabled/{{ item }}"
state: link
loop:
- shockrah.xyz.conf
- resume.shockrah.xyz.conf
- temper.tv.conf
- name: Restart nginx conf to pick up new config changes
service:
name: nginx
state: restarted

12
deprecated/playbooks/tasks/setup-aws-cli.yml Normal file
View File

@@ -0,0 +1,12 @@
- name: Ensure we have the unzip package
apt:
name: unzip
- name: Download the AWS CLI V2
get_url:
url: https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip
dest: /tmp/awscli.zip
- name: Unzip the cli to the tmp dir
shell: unzip /tmp/awscli.zip -d /tmp
- name: Run awscli installer
shell: /tmp/aws/install

6
deprecated/playbooks/tasks/ssh.yml Normal file
View File

@@ -0,0 +1,6 @@
- name: Harden the SSH configuration
copy:
src: ../files/ssh.conf
dest: /etc/sshd_config
mode: 644

26
deprecated/playbooks/tasks/tests/local-site-presence.yml Normal file
View File

@@ -0,0 +1,26 @@
- name: Add local routing for the server confs
lineinfile:
path: /etc/hosts
state: present
line: "127.0.0.1 {{ item }}"
loop: "{{ websites }}"
- name: Curl the local endpoints to check connection nginx reverse proxy
uri:
url: "http://{{ item }}"
status_code:
- 200
- 404
loop: "{{ websites }}"
- name: Sanity Check the nginx reverse proxy
uri:
url: "http://not-real.{{ item }}"
loop: "{{ websites }}"
register: result
failed_when: result.status != -1
- name: Cleanup /etc/hosts
lineinfile:
path: /etc/hosts
state: absent
line: "127.0.0.1 {{ item }}"
loop: "{{ websites }}"

15
deprecated/playbooks/tasks/ufw-setup.yml Normal file
View File

@@ -0,0 +1,15 @@
- name: SSH Limit in fireweall
community.general.ufw:
rule: limit
port: ssh
proto: tcp
- name: Allow web traffic as needed
community.general.ufw:
rule: allow
port: "{{ item }}"
proto: tcp
loop:
- 80
- 443