Moving around more stuff

2025-05-12 00:18:24 -07:00
parent 5227bea568
commit 79bd7424c3
15 changed files with 0 additions and 0 deletions
--- a/deprecated/playbooks/playbooks-deprecated/harden.yml
+++ b/deprecated/playbooks/playbooks-deprecated/harden.yml
@@ -0,0 +1,9 @@
+---
+- hosts: webhost
+  remote_user: root
+  tasks:
+    - name: Setup UFW
+      import_tasks: ../tasks/ufw-setup.yml
+    - name: Harden ssh configuration
+      import_tasks: ../tasks/ssh.yml
+
--- a/deprecated/playbooks/playbooks-deprecated/lets-encrypt.yml
+++ b/deprecated/playbooks/playbooks-deprecated/lets-encrypt.yml
@@ -0,0 +1,17 @@
+---
+- hosts: webhost
+  remote_user: root
+  vars:
+    websites:
+      - shockrah.xyz
+      - git.shockrah.xyz
+      - resume.shockrah.xyz
+      - temper.tv
+  tasks:
+    - name: Ensure certbot is setup
+      import_tasks: ../tasks/certbot-installation.yml
+    - name: Get certificate
+      command: certbot -n --nginx certonly -d {{ item }}
+      args:
+        creates: "/etc/letsencrypt/live/{{ item }}"
+      loop: "{{ websites }}"
--- a/deprecated/playbooks/playbooks-deprecated/refresh-nginx.yml
+++ b/deprecated/playbooks/playbooks-deprecated/refresh-nginx.yml
@@ -0,0 +1,30 @@
+---
+- hosts: webhost
+  remote_user: root
+  vars:
+    websites:
+      - shockrah.xyz
+      - git.shockrah.xyz
+      - temper.tv
+      - resume.shockrah.xyz
+  tasks:
+    - name: Upload configs
+      copy:
+        src: "../files/{{ item }}.conf"
+        dest: "/etc/nginx/sites-available/{{ item }}"
+      loop: "{{ websites }}"
+    - name: Enable the site configs with sym links
+      file:
+        src: "/etc/nginx/sites-available/{{ item }}"
+        dest: "/etc/nginx/sites-enabled/{{ item }}"
+        state: link
+      loop: "{{ websites }}"
+    - name: Ensure no default available
+      file:
+        path: /etc/nginx/sites-enabled/default
+        state: absent
+    - name: Restart nginx conf to pick up new config changes
+      service:
+        name: nginx
+        state: restarted
+
--- a/deprecated/playbooks/playbooks-deprecated/run-docker-compose.yaml
+++ b/deprecated/playbooks/playbooks-deprecated/run-docker-compose.yaml
@@ -0,0 +1,7 @@
+---
+- hosts: webhost
+  remote_user: webadmin
+  tasks:
+    - name: Run docker-compose up
+      community.docker.docker_compose_v2:
+        project_src: ../../../containers/
--- a/deprecated/playbooks/playbooks-deprecated/secure-ssh-user.yml
+++ b/deprecated/playbooks/playbooks-deprecated/secure-ssh-user.yml
@@ -0,0 +1,54 @@
+# This playbook is to be executed when first setting up
+# the machine so we'll have to login as root, but in doing so
+# we'll setup a user which can use sudo and use pem based authentication
+# this should remove the ability to login as root with a janky password
+---
+- hosts: webhost
+  remote_user: root
+  tasks:
+    - name: Ensure sudo is available
+      apt:
+        state: present
+        update_cache: true
+        pkg:
+          - sudo
+          - zsh
+    - name: Create webadmin user
+      user:
+        name: webadmin
+        state: present
+        shell: /bin/zsh
+        groups:
+          - nginx
+        append: yes
+    - name: webadmin key copy
+      authorized_key:
+        user: webadmin
+        state: present
+        key: "{{ lookup('file', '~/.ssh/vultr/webadmin.pem.pub') }}"
+    - name: Add webadmin to sudoers
+      copy:
+        dest: "/etc/sudoers.d/webadmin"
+        content: "webadmin ALL=(ALL) NOPASSWD: ALL"
+    - name: Disable Password Authentication
+      lineinfile:
+        dest: /etc/ssh/sshd_config
+        line: PasswordAuthentication no
+        state: present
+        backup: yes
+      notify:
+        - restart ssh
+    - name: Disable root login
+      lineinfile:
+        dest: /etc/ssh/sshd_config
+        line: PermitRootLogin no
+        state: present
+        backup: yes
+      notify:
+        - restart ssh
+  handlers:
+    - name: restart ssh
+      service:
+        name: sshd
+        state: restarted
+
--- a/deprecated/playbooks/playbooks-deprecated/setup-docker-compose.yaml
+++ b/deprecated/playbooks/playbooks-deprecated/setup-docker-compose.yaml
@@ -0,0 +1,47 @@
+---
+- hosts: webhost
+  remote_user: webadmin
+  become: true
+  tasks:
+    - name: Install docker and docker-compose
+      apt:
+        update_cache: true
+        pkg:
+          - ca-certificates
+          - curl
+    - name: Setup keyring
+      command:
+        cmd: "install -m 0755 -d /etc/apt/keyrings"
+    - name: Download docker gpg key
+      get_url:
+        url: https://download.docker.com/linux/ubuntu/gpg
+        dest: /etc/apt/keyrings/docker.asc
+    - name: Set perms on /etc/apt/keyrings/docker.asc
+      file:
+        dest: /etc/apt/keyrings/docker.asc
+        mode: a+r
+    - name: Ensure docker.lst exists
+      copy:
+        content: ''
+        dest: /etc/apt/sources.list.d/docker.list
+        force: false
+        group: root
+        owner: root
+        mode: 0644
+    - name: Ensure docker.lst is present for apt
+      lineinfile: 
+        line: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu   jammy stable\n"
+        dest: /etc/apt/sources.list.d/docker.list
+        state: present
+    - name: install docker packages
+      apt:
+        update_cache: true
+        pkg:
+          - docker-ce
+          - docker-ce-cli
+          - containerd.io
+          - docker-buildx-plugin
+          - docker-compose-plugin
+
+
+
--- a/deprecated/playbooks/playbooks-deprecated/setup-git-web-deployer.yml
+++ b/deprecated/playbooks/playbooks-deprecated/setup-git-web-deployer.yml
@@ -0,0 +1,25 @@
+---
+- name: Setup all attributes of the html-deployer user for static website CI
+  hosts: webhost
+  vars:
+    username: html-deployer
+  remote_user: webadmin
+  tasks:
+    - name: Create user for git actions to deploy html
+      become: true
+      ansible.builtin.user:
+        name: "{{ username }}"
+        comment: Used for deploying html from Gitea Actions
+        group: nginx
+    - name: Set the authorized keys
+      become: true
+      ansible.posix.authorized_key:
+        user: "{{ username }}"
+        state: present
+        key: "{{ lookup('file', '~/.ssh/vultr/html-deployer.pem.pub') }}"
+    - name: Ensure /opt/nginx website folders are owned by html-deployer
+      ansible.builtin.file:
+        path: "/opt/nginx/{{ item }}"
+        recurse: true
+        owner: "{{ username }}"
+        group: "nginx"
--- a/deprecated/playbooks/playbooks-deprecated/static-host-setup.yml
+++ b/deprecated/playbooks/playbooks-deprecated/static-host-setup.yml
@@ -0,0 +1,16 @@
+# This playbook basically guarantees that the host is in a production ready state
+---
+- hosts: webhost
+  remote_user: root
+  vars:
+    websites:
+      - shockrah.xyz
+      - temper.tv
+      - resume.shockrah.xyz
+  tasks:
+    - name: Setup nginx
+      import_tasks: ../tasks/nginx-setup.yml
+    - name: Test local sites
+      import_tasks: ../tasks/tests/local-site-presence.yml
+    - name: Ensure AWS is setup
+      import_tasks: ../tasks/setup-aws-cli.yml
--- a/deprecated/playbooks/playbooks-deprecated/update.yml
+++ b/deprecated/playbooks/playbooks-deprecated/update.yml
@@ -0,0 +1,20 @@
+# Purpose: General update to the system to keep packages up to date
+---
+- hosts: webhost
+  remote_user: webadmin
+  tasks:
+    - name: Informational Dump of what is upgradeable
+      ansible.builtin.command: apt list --upgradable
+      register: pkg
+    - name: Show list of packages to upgrade
+      ansible.builtin.debug:
+        msg: "{{ pkg.stdout_lines }}"
+    - name: Update the packages at the system level to the latest versions
+      become: true
+      ansible.builtin.apt:
+        name: "*"
+        state: latest
+
+
+
+