Moving ansible playbook stuff to its new resting place

ansible/.gitignore

@@ -0,0 +1,2 @@
+inventory.ini
+known_hosts

ansible/files/git.shockrah.xyz.conf

@@ -0,0 +1,7 @@
+server {
+	listen 80;
+	server_name git.shockrah.xyz;
+	location / {
+		proxy_pass http://localhost:3000;
+	}
+}

ansible/files/resume.shockrah.xyz.conf

@@ -0,0 +1,13 @@
+server {
+	listen 80;
+	server_name resume.shockrah.xyz;
+	root /opt/nginx/resume.shockrah.xyz;
+	index index.html;
+
+	location / {
+		try_files $uri $uri/ =404;
+	}
+}
+
+
+

ansible/files/shockrah.xyz.conf

@@ -0,0 +1,12 @@
+server {
+	listen 80;
+	server_name shockrah.xyz;
+	root /opt/nginx/shockrah.xyz;
+	index index.html;
+
+	location / {
+		try_files $uri $uri/ =404;
+	}
+}
+
+

ansible/files/ssh.conf

@@ -0,0 +1,86 @@
+PermitRootLogin yes
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+
+LoginGraceTime 1m
+PermitRootLogin prohibit-password
+StrictModes yes
+MaxAuthTries 6
+MaxSessions 3
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+KbdInteractiveAuthentication no
+
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+
+PrintMotd no
+
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem	sftp	/usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server

ansible/files/temper.tv.conf

@@ -0,0 +1,13 @@
+server {
+	listen 80;
+	server_name temper.tv;
+	root /opt/nginx/temper.tv;
+	index index.html;
+
+	location / {
+		try_files $uri $uri/ =404;
+	}
+}
+
+
+

ansible/playbooks/harden.yml

@@ -0,0 +1,9 @@
+---
+- hosts: webhost
+  remote_user: root
+  tasks:
+    - name: Setup UFW
+      import_tasks: ../tasks/ufw-setup.yml
+    - name: Harden ssh configuration
+      import_tasks: ../tasks/ssh.yml
+

ansible/playbooks/lets-encrypt.yml

@@ -0,0 +1,17 @@
+---
+- hosts: webhost
+  remote_user: root
+  vars:
+    websites:
+      - shockrah.xyz
+      - git.shockrah.xyz
+      - resume.shockrah.xyz
+      - temper.tv
+  tasks:
+    - name: Ensure certbot is setup
+      import_tasks: ../tasks/certbot-installation.yml
+    - name: Get certificate
+      command: certbot -n --nginx certonly -d {{ item }}
+      args:
+        creates: "/etc/letsencrypt/live/{{ item }}"
+      loop: "{{ websites }}"

ansible/playbooks/pull-s3-buckets.yml

@@ -0,0 +1,14 @@
+---
+- hosts: webhost
+  remote_user: root
+  tasks:
+    - name: Copy pull script
+      copy:
+        src: ../scripts/pull-down-s3.sh
+        dest: /opt/nginx/pull-down-s3.sh
+    - name: Pull down all sites from S3
+      shell: bash /opt/nginx/pull-down-s3.sh {{ item }}
+      loop:
+        - shockrah.xyz
+        - resume.shockrah.xyz
+        - temper.tv

ansible/playbooks/refresh-nginx.yml

@@ -0,0 +1,30 @@
+---
+- hosts: webhost
+  remote_user: root
+  vars:
+    websites:
+      - shockrah.xyz
+      - git.shockrah.xyz
+      - temper.tv
+      - resume.shockrah.xyz
+  tasks:
+    - name: Upload configs
+      copy:
+        src: "../files/{{ item }}.conf"
+        dest: "/etc/nginx/sites-available/{{ item }}"
+      loop: "{{ websites }}"
+    - name: Enable the site configs with sym links
+      file:
+        src: "/etc/nginx/sites-available/{{ item }}"
+        dest: "/etc/nginx/sites-enabled/{{ item }}"
+        state: link
+      loop: "{{ websites }}"
+    - name: Ensure no default available
+      file:
+        path: /etc/nginx/sites-enabled/default
+        state: absent
+    - name: Restart nginx conf to pick up new config changes
+      service:
+        name: nginx
+        state: restarted
+

ansible/playbooks/run-docker-compose.yaml

@@ -0,0 +1,7 @@
+---
+- hosts: webhost
+  remote_user: webadmin
+  tasks:
+    - name: Run docker-compose up
+      community.docker.docker_compose_v2:
+        project_src: ../../../containers/

ansible/playbooks/secure-ssh-user.yml

@@ -0,0 +1,54 @@
+# This playbook is to be executed when first setting up
+# the machine so we'll have to login as root, but in doing so
+# we'll setup a user which can use sudo and use pem based authentication
+# this should remove the ability to login as root with a janky password
+---
+- hosts: webhost
+  remote_user: root
+  tasks:
+    - name: Ensure sudo is available
+      apt:
+        state: present
+        update_cache: true
+        pkg:
+          - sudo
+          - zsh
+    - name: Create webadmin user
+      user:
+        name: webadmin
+        state: present
+        shell: /bin/zsh
+        groups:
+          - nginx
+        append: yes
+    - name: webadmin key copy
+      authorized_key:
+        user: webadmin
+        state: present
+        key: "{{ lookup('file', '~/.ssh/vultr/webadmin.pem.pub') }}"
+    - name: Add webadmin to sudoers
+      copy:
+        dest: "/etc/sudoers.d/webadmin"
+        content: "webadmin ALL=(ALL) NOPASSWD: ALL"
+    - name: Disable Password Authentication
+      lineinfile:
+        dest: /etc/ssh/sshd_config
+        line: PasswordAuthentication no
+        state: present
+        backup: yes
+      notify:
+        - restart ssh
+    - name: Disable root login
+      lineinfile:
+        dest: /etc/ssh/sshd_config
+        line: PermitRootLogin no
+        state: present
+        backup: yes
+      notify:
+        - restart ssh
+  handlers:
+    - name: restart ssh
+      service:
+        name: sshd
+        state: restarted
+

ansible/playbooks/setup-docker-compose.yaml

@@ -0,0 +1,47 @@
+---
+- hosts: webhost
+  remote_user: webadmin
+  become: true
+  tasks:
+    - name: Install docker and docker-compose
+      apt:
+        update_cache: true
+        pkg:
+          - ca-certificates
+          - curl
+    - name: Setup keyring
+      command:
+        cmd: "install -m 0755 -d /etc/apt/keyrings"
+    - name: Download docker gpg key
+      get_url:
+        url: https://download.docker.com/linux/ubuntu/gpg
+        dest: /etc/apt/keyrings/docker.asc
+    - name: Set perms on /etc/apt/keyrings/docker.asc
+      file:
+        dest: /etc/apt/keyrings/docker.asc
+        mode: a+r
+    - name: Ensure docker.lst exists
+      copy:
+        content: ''
+        dest: /etc/apt/sources.list.d/docker.list
+        force: false
+        group: root
+        owner: root
+        mode: 0644
+    - name: Ensure docker.lst is present for apt
+      lineinfile: 
+        line: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu   jammy stable\n"
+        dest: /etc/apt/sources.list.d/docker.list
+        state: present
+    - name: install docker packages
+      apt:
+        update_cache: true
+        pkg:
+          - docker-ce
+          - docker-ce-cli
+          - containerd.io
+          - docker-buildx-plugin
+          - docker-compose-plugin
+
+
+

ansible/playbooks/static-host-setup.yml

@@ -0,0 +1,16 @@
+# This playbook basically guarantees that the host is in a production ready state
+---
+- hosts: webhost
+  remote_user: root
+  vars:
+    websites:
+      - shockrah.xyz
+      - temper.tv
+      - resume.shockrah.xyz
+  tasks:
+    - name: Setup nginx
+      import_tasks: ../tasks/nginx-setup.yml
+    - name: Test local sites
+      import_tasks: ../tasks/tests/local-site-presence.yml
+    - name: Ensure AWS is setup
+      import_tasks: ../tasks/setup-aws-cli.yml

ansible/scripts/pull-down-s3.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -e
+
+bucket="$1"
+s3env=/opt/nginx/s3.env
+
+[[ -z "$bucket" ]] && echo "No bucket selected" && exit 1
+
+[[ ! -f $s3env ]] && echo "No credentials to source!" && exit 1
+source $s3env
+
+pull() {
+	aws s3 sync s3://$bucket /opt/nginx/$bucket
+}
+
+
+case $bucket in 
+	resume.shockrah.xyz|shockrah.xyz|temper.tv) pull;;
+	*) echo "Invalid bucket name" && exit 1 ;;
+esac
+
+

ansible/tasks/certbot-installation.yml

@@ -0,0 +1,19 @@
+- name: Install required packages
+  pip:
+    name:
+      - certbot
+      - certbot-nginx
+    executable: pip3
+- name: Register
+  shell: |
+    certbot -n register --agree-tos -m dev@shockrah.xyz,temper@temper.tv
+    touch /etc/letsencrypt/.registered
+  args:
+    creates: /etc/letsencrypt/.registered
+- name: Setup cron job for renewal every monday at 1 am
+  cron:
+    name: certbot-renewal
+    job: "bash -lc 'certbot -q renew'"
+    minute: 0
+    hour: 1
+    weekday: 1

ansible/tasks/nginx-setup.yml

@@ -0,0 +1,35 @@
+- name: Install nginx
+  apt:
+    name: nginx
+    update_cache: yes
+- name: Create user for nginx purposes
+  user:
+    name: nginx
+    shell: /bin/bash
+    create_home: false
+- name: Create nginx website directory
+  file:
+    state: directory
+    owner: nginx
+    path:  /opt/nginx
+- name: Copy over the nginx.conf files for each server
+  copy:
+    src: "../files/{{ item }}"
+    dest: /etc/nginx/sites-available/
+  loop:
+    - shockrah.xyz.conf
+    - resume.shockrah.xyz.conf
+    - temper.tv.conf
+- name: Enable the site configs with sym links
+  file:
+    src: "/etc/nginx/sites-available/{{ item }}"
+    dest: "/etc/nginx/sites-enabled/{{ item }}"
+    state: link
+  loop:
+    - shockrah.xyz.conf
+    - resume.shockrah.xyz.conf
+    - temper.tv.conf
+- name: Restart nginx conf to pick up new config changes
+  service:
+    name: nginx
+    state: restarted

ansible/tasks/setup-aws-cli.yml

@@ -0,0 +1,12 @@
+- name: Ensure we have the unzip package
+  apt:
+    name: unzip
+- name: Download the AWS CLI V2
+  get_url:
+    url: https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip
+    dest: /tmp/awscli.zip
+- name: Unzip the cli to the tmp dir
+  shell: unzip /tmp/awscli.zip -d /tmp
+- name: Run awscli installer
+  shell: /tmp/aws/install
+

ansible/tasks/ssh.yml

@@ -0,0 +1,6 @@
+- name: Harden the SSH configuration
+  copy:
+    src: ../files/ssh.conf
+    dest: /etc/sshd_config
+    mode: 644
+

ansible/tasks/tests/local-site-presence.yml

@@ -0,0 +1,26 @@
+  - name: Add local routing for the server confs
+    lineinfile:
+      path: /etc/hosts
+      state: present
+      line: "127.0.0.1 {{ item }}"
+    loop: "{{ websites }}"
+  - name: Curl the local endpoints to check connection nginx reverse proxy
+    uri:
+      url: "http://{{ item }}"
+      status_code:
+        - 200
+        - 404
+    loop: "{{ websites }}"
+  - name: Sanity Check the nginx reverse proxy
+    uri:
+      url: "http://not-real.{{ item }}"
+    loop: "{{ websites }}"
+    register: result
+    failed_when: result.status != -1
+  - name: Cleanup /etc/hosts
+    lineinfile:
+      path: /etc/hosts
+      state: absent
+      line: "127.0.0.1 {{ item }}"
+    loop: "{{ websites }}"
+

ansible/tasks/ufw-setup.yml

@@ -0,0 +1,15 @@
+- name: SSH Limit in fireweall
+  community.general.ufw:
+    rule: limit
+    port: ssh
+    proto: tcp
+- name: Allow web traffic as needed
+  community.general.ufw:
+    rule: allow
+    port: "{{ item }}"
+    proto: tcp
+  loop:
+    - 80
+    - 443
+
+