Moving ansible playbook stuff to its new resting place

ansible/playbooks/harden.yml

@@ -0,0 +1,9 @@
+---
+- hosts: webhost
+  remote_user: root
+  tasks:
+    - name: Setup UFW
+      import_tasks: ../tasks/ufw-setup.yml
+    - name: Harden ssh configuration
+      import_tasks: ../tasks/ssh.yml
+

ansible/playbooks/lets-encrypt.yml

@@ -0,0 +1,17 @@
+---
+- hosts: webhost
+  remote_user: root
+  vars:
+    websites:
+      - shockrah.xyz
+      - git.shockrah.xyz
+      - resume.shockrah.xyz
+      - temper.tv
+  tasks:
+    - name: Ensure certbot is setup
+      import_tasks: ../tasks/certbot-installation.yml
+    - name: Get certificate
+      command: certbot -n --nginx certonly -d {{ item }}
+      args:
+        creates: "/etc/letsencrypt/live/{{ item }}"
+      loop: "{{ websites }}"

ansible/playbooks/pull-s3-buckets.yml

@@ -0,0 +1,14 @@
+---
+- hosts: webhost
+  remote_user: root
+  tasks:
+    - name: Copy pull script
+      copy:
+        src: ../scripts/pull-down-s3.sh
+        dest: /opt/nginx/pull-down-s3.sh
+    - name: Pull down all sites from S3
+      shell: bash /opt/nginx/pull-down-s3.sh {{ item }}
+      loop:
+        - shockrah.xyz
+        - resume.shockrah.xyz
+        - temper.tv

ansible/playbooks/refresh-nginx.yml

@@ -0,0 +1,30 @@
+---
+- hosts: webhost
+  remote_user: root
+  vars:
+    websites:
+      - shockrah.xyz
+      - git.shockrah.xyz
+      - temper.tv
+      - resume.shockrah.xyz
+  tasks:
+    - name: Upload configs
+      copy:
+        src: "../files/{{ item }}.conf"
+        dest: "/etc/nginx/sites-available/{{ item }}"
+      loop: "{{ websites }}"
+    - name: Enable the site configs with sym links
+      file:
+        src: "/etc/nginx/sites-available/{{ item }}"
+        dest: "/etc/nginx/sites-enabled/{{ item }}"
+        state: link
+      loop: "{{ websites }}"
+    - name: Ensure no default available
+      file:
+        path: /etc/nginx/sites-enabled/default
+        state: absent
+    - name: Restart nginx conf to pick up new config changes
+      service:
+        name: nginx
+        state: restarted
+

ansible/playbooks/run-docker-compose.yaml

@@ -0,0 +1,7 @@
+---
+- hosts: webhost
+  remote_user: webadmin
+  tasks:
+    - name: Run docker-compose up
+      community.docker.docker_compose_v2:
+        project_src: ../../../containers/

ansible/playbooks/secure-ssh-user.yml

@@ -0,0 +1,54 @@
+# This playbook is to be executed when first setting up
+# the machine so we'll have to login as root, but in doing so
+# we'll setup a user which can use sudo and use pem based authentication
+# this should remove the ability to login as root with a janky password
+---
+- hosts: webhost
+  remote_user: root
+  tasks:
+    - name: Ensure sudo is available
+      apt:
+        state: present
+        update_cache: true
+        pkg:
+          - sudo
+          - zsh
+    - name: Create webadmin user
+      user:
+        name: webadmin
+        state: present
+        shell: /bin/zsh
+        groups:
+          - nginx
+        append: yes
+    - name: webadmin key copy
+      authorized_key:
+        user: webadmin
+        state: present
+        key: "{{ lookup('file', '~/.ssh/vultr/webadmin.pem.pub') }}"
+    - name: Add webadmin to sudoers
+      copy:
+        dest: "/etc/sudoers.d/webadmin"
+        content: "webadmin ALL=(ALL) NOPASSWD: ALL"
+    - name: Disable Password Authentication
+      lineinfile:
+        dest: /etc/ssh/sshd_config
+        line: PasswordAuthentication no
+        state: present
+        backup: yes
+      notify:
+        - restart ssh
+    - name: Disable root login
+      lineinfile:
+        dest: /etc/ssh/sshd_config
+        line: PermitRootLogin no
+        state: present
+        backup: yes
+      notify:
+        - restart ssh
+  handlers:
+    - name: restart ssh
+      service:
+        name: sshd
+        state: restarted
+

ansible/playbooks/setup-docker-compose.yaml

@@ -0,0 +1,47 @@
+---
+- hosts: webhost
+  remote_user: webadmin
+  become: true
+  tasks:
+    - name: Install docker and docker-compose
+      apt:
+        update_cache: true
+        pkg:
+          - ca-certificates
+          - curl
+    - name: Setup keyring
+      command:
+        cmd: "install -m 0755 -d /etc/apt/keyrings"
+    - name: Download docker gpg key
+      get_url:
+        url: https://download.docker.com/linux/ubuntu/gpg
+        dest: /etc/apt/keyrings/docker.asc
+    - name: Set perms on /etc/apt/keyrings/docker.asc
+      file:
+        dest: /etc/apt/keyrings/docker.asc
+        mode: a+r
+    - name: Ensure docker.lst exists
+      copy:
+        content: ''
+        dest: /etc/apt/sources.list.d/docker.list
+        force: false
+        group: root
+        owner: root
+        mode: 0644
+    - name: Ensure docker.lst is present for apt
+      lineinfile: 
+        line: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu   jammy stable\n"
+        dest: /etc/apt/sources.list.d/docker.list
+        state: present
+    - name: install docker packages
+      apt:
+        update_cache: true
+        pkg:
+          - docker-ce
+          - docker-ce-cli
+          - containerd.io
+          - docker-buildx-plugin
+          - docker-compose-plugin
+
+
+

ansible/playbooks/static-host-setup.yml

@@ -0,0 +1,16 @@
+# This playbook basically guarantees that the host is in a production ready state
+---
+- hosts: webhost
+  remote_user: root
+  vars:
+    websites:
+      - shockrah.xyz
+      - temper.tv
+      - resume.shockrah.xyz
+  tasks:
+    - name: Setup nginx
+      import_tasks: ../tasks/nginx-setup.yml
+    - name: Test local sites
+      import_tasks: ../tasks/tests/local-site-presence.yml
+    - name: Ensure AWS is setup
+      import_tasks: ../tasks/setup-aws-cli.yml