Quick A record for testing static website migration

Housekeeping but the wiki got hosed :((

.gitea/workflows/ansible-lint.yaml

@@ -0,0 +1,15 @@
+name: Ansible Linting
+on:
+  - push
+
+jobs:
+  ansible-lint:
+    runs-on: ubuntu-latest
+    container:
+      image: shockrah/ansible
+    steps:
+      - name: Checkout repo content
+        uses: actions/checkout@v4
+      - run: ansible-lint -c linter.yaml
+        working-directory: ansible/
+

.gitea/workflows/sec-lint-s3.yaml

@@ -0,0 +1,19 @@
+name: Secops Linting and Safety Checks
+on:
+  push:
+    branches:
+      - master
+
+
+
+jobs:
+  checkov-scan-s3:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo code
+        uses: actions/checkout@v4
+      - name: Scan S3 Terraform with Checkov
+        uses: bridgecrewio/checkov-action@master
+        with:
+          directory: infra/s3/
+          framework: terraform

.gitignore

@@ -20,3 +20,5 @@ playbooks/beta/files/*.pub
 docker/beta/shockrah.xyz/
 docker/beta/resume.shockrah.xyz/
 k8s/config.yaml
+infra/**/tfplan
+.ansible/

ansible/ansible.cfg

@@ -0,0 +1,3 @@
+[defaults]
+stdout_callback = yaml
+

ansible/inventory.yaml

@@ -0,0 +1,3 @@
+nigel:
+  hosts:
+    nigel.local:

ansible/linter.yaml

@@ -0,0 +1,4 @@
+---
+skip_list:
+    - role-name
+    - var-naming[no-role-prefix]

ansible/local-setup-admin-user.yaml

@@ -0,0 +1,28 @@
+# This playbook is meant to be a oneshot to be ran manually on the dev box
+# The rest of the role stuff is meant to be ran as the admin user that
+# this playbook creates for us
+---
+- name: Setup local admin user with a fresh ubuntu host
+  hosts: nigel.local
+  remote_user: nigel
+  vars:
+    admin:
+      username: nigel
+  tasks:
+    - name: Copy the nigel admin key
+      ansible.posix.authorized_key:
+        user: "{{ admin.username }}"
+        state: present
+        key: "{{ lookup('file', '~/.ssh/nigel/admin.pub') }}"
+    - name: Prevent password based logins
+      become: true
+      ansible.builtin.lineinfile:
+        dest: /etc/ssh/sshd_config
+        line: PasswordAuthentication no
+        state: present
+        backup: true
+    - name: Restart SSH Daemon
+      become: true
+      ansible.builtin.service:
+        name: ssh
+        state: restarted

ansible/nomad.yaml

@@ -0,0 +1,9 @@
+---
+- name: Setup all the responsibilities of the nomad server
+  hosts: nigel.local
+  remote_user: nigel
+  tasks:
+    - name: Apply the nomad role
+      ansible.builtin.include_role:
+        name: nomad
+

ansible/nuc.yaml

@@ -0,0 +1,14 @@
+---
+- name: Setup bare metal requirements
+  hosts: nigel.local
+  remote_user: nigel
+  tasks:
+    - name: Apply the base role to the nuc
+      ansible.builtin.include_role:
+        name: base
+    - name: Apply the k3s base role
+      ansible.builtin.include_role:
+        name: k3s
+    - name: Apply the proxy role
+      ansible.builtin.include_role:
+        name: proxy

ansible/proxy.yaml

@@ -0,0 +1,8 @@
+---
+- name: Setup host as a reverse proxy
+  hosts: nigel.local
+  remote_user: nigel
+  tasks:
+    - name: Apply reverse proxy role
+      ansible.builtin.include_role:
+        name: proxy

ansible/roles/base/files/docker.list

@@ -0,0 +1 @@
+deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu noble stable

ansible/roles/base/tasks/ensure-docker-basic.yaml

@@ -0,0 +1,41 @@
+- name: Ensure we have basic updated packages setting up docker
+  ansible.builtin.apt:
+    name: "{{ item }}"
+    update_cache: true
+  loop:
+    - ca-certificates
+    - curl
+- name: Running install on the keyrings directory
+  ansible.builtin.command:
+    cmd: install -m 0755 -d /etc/apt/keyrings
+  register: install
+  changed_when: install.rc == 0
+- name: Fetch Docker GPG Key
+  vars:
+    keylink: https://download.docker.com/linux/ubuntu/gpg
+  ansible.builtin.get_url:
+    url: "{{ keylink }}"
+    dest: /etc/apt/keyrings/docker.asc
+    mode: "0644"
+- name: Add repo to apt sources
+  ansible.builtin.copy:
+    src: docker.list
+    dest: /etc/apt/sources.list.d/docker.list
+    mode: "0644"
+- name: Update Apt cache with latest docker.list packages
+  ansible.builtin.apt:
+    update_cache: true
+- name: Ensure all docker packages are updated to the latest versions
+  ansible.builtin.apt:
+    name: "{{ item }}"
+  loop:
+    - docker-ce
+    - docker-ce-cli
+    - containerd.io
+    - docker-buildx-plugin
+    - docker-compose-plugin
+- name: Verify that the docker components are installed properly
+  ansible.builtin.command:
+    cmd: docker run hello-world
+  register: docker
+  changed_when: docker.rc == 0

ansible/roles/base/tasks/k3s.yaml

@@ -0,0 +1,8 @@
+- name: Download the setup script
+  ansible.builtin.get_url:
+    url: https://get.k3s.io
+    dest: /tmp/k3s.sh
+    mode: "0644"
+- name: Run installation script
+  ansible.builtin.command:
+    cmd: bash /tmp/k3s.sh

ansible/roles/base/tasks/main.yaml

@@ -0,0 +1,25 @@
+- name: Ensure nigel can use sudo without password
+  become: true
+  tags:
+    - setup
+  ansible.builtin.lineinfile:
+    path: /etc/sudoers
+    state: present
+    line: "nigel ALL=(ALL) NOPASSWD:ALL"
+- name: Ensure docker components are installed
+  tags:
+    - setup
+  ansible.builtin.include_tasks:
+    file: ensure-docker-basic.yaml
+    apply:
+      become: true
+      tags:
+        - setup
+- name: Run through nomad removal steps
+  tags: nomad
+  ansible.builtin.include_tasks:
+    file: nomad.yaml
+    apply:
+      become: true
+      tags:
+        - nomad

ansible/roles/base/templates/consul.hcl

@@ -0,0 +1,12 @@
+bind_addr = "{{ ip }}"
+advertise_addr = "{{ ip }}"
+bootstrap = true
+bootstrap_expect = 1
+client_addr = "{{ ip }}"
+server = true
+data_dir = "/opt/consul"
+
+ui_config { 
+    enabled = true
+}
+

ansible/roles/base/templates/hashicorp.list

@@ -0,0 +1 @@
+deb [signed-by={{ keyfile }}] https://apt.releases.hashicorp.com jammy main

ansible/roles/k3s/tasks/main.yaml

@@ -0,0 +1,11 @@
+- name: Download the installation script
+  ansible.builtin.get_url:
+    url: https://get.k3s.io
+    dest: /tmp
+  register: install_script
+- name: Run installation script
+  become: true
+  environment:
+      INSTALL_K3S_EXEC: server
+  ansible.builtin.command:
+    cmd: sh {{ install_script.dest }}

ansible/roles/nomad/files/nomad.hcl

@@ -0,0 +1,24 @@
+data_dir  = "/opt/nomad/data"
+bind_addr = "0.0.0.0"
+
+server {
+  enabled          = true
+  bootstrap_expect = 1
+}
+
+
+client {
+  enabled = true
+  servers = ["127.0.0.1"]
+}
+
+host_volume "registry" {
+    path = "/opt/volumes/registry"
+    read_only = false
+}
+
+host_volume "nfs" {
+  path = "/opt/volumes/nfs"
+  read_only = false
+}
+

ansible/roles/nomad/tasks/main.yaml

@@ -0,0 +1,18 @@
+- name: Nomad server configuration
+  become:  true
+  block:
+    - name: Ensure the root data directory is present
+      ansible.builtin.file:
+        path: "{{ nomad.volumes.root }}"
+        state: absent
+        mode: "0755"
+    - name: Ensure registry volume is present
+      ansible.builtin.file:
+        path: "{{ nomad.volumes.registry }}"
+        state: absent
+        mode: "0755"
+    - name: Ensure the MinIO diretory is present
+      ansible.builtin.file:
+        path: "{{ nomad.volumes.nfs }}"
+        state: absent
+        mode: "0755"

ansible/roles/nomad/vars/main.yaml

@@ -0,0 +1,5 @@
+nomad:
+  volumes:
+    root: /opt/volumes
+    registry: /opt/volumes/ncr
+    nfs: /opt/volumes/nfs

ansible/roles/proxy/files/host-file

@@ -0,0 +1,15 @@
+127.0.0.1 localhost
+127.0.1.1 nigel
+
+# Our own dns stuff
+127.0.1.1 nigel.local
+127.0.1.1 nomad.nigel.local
+127.0.1.1 sanity.nigel.local
+127.0.1.1 ncr.nigel.local
+
+# The following lines are desirable for IPv6 capable hosts
+::1     ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters

ansible/roles/proxy/files/ncr.conf

@@ -0,0 +1,6 @@
+server {
+    server_name ncr.nigel.local;
+    location / {
+        proxy_pass http://localhost:5000;
+    }
+}

ansible/roles/proxy/files/nomad.conf

@@ -0,0 +1,25 @@
+server {
+    server_name nomad.nigel.local;
+    location / {
+        proxy_pass http://nomad-ws;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        proxy_read_timeout 319s;
+
+        # This is for log streaming requests
+        proxy_buffering off;
+
+        # Upgrade and Connection headers for upgrading to websockets
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+
+        proxy_set_header Origin "${scheme}://${proxy_host}";
+    }
+}
+
+
+upstream nomad-ws {
+    ip_hash;
+    server nomad.nigel.local:4646;
+}

ansible/roles/proxy/tasks/main.yaml

@@ -0,0 +1,28 @@
+- name: Reverse proxy role configuration
+  become: true
+  block:
+    - name: Ensure /etc/hosts are up to date
+      ansible.builtin.copy:
+        dest: /etc/hosts
+        src: host-file
+        mode: "0644"
+    - name: Ensure nginx is setup as latest
+      ansible.builtin.apt:
+        name: nginx
+    - name: Copy the nomad.conf to available configurations
+      ansible.builtin.copy:
+        src: "{{ item }}"
+        dest: "/etc/nginx/sites-available/{{ item }}"
+        mode: "0644"
+      loop: "{{ proxy_nginx_configs }}"
+    - name: Link the nomad.conf to sites-enabled
+      ansible.builtin.file:
+        path: "/etc/nginx/sites-enabled/{{ item }}"
+        state: link
+        src: "/etc/nginx/sites-available/{{ item }}"
+        mode: "0644"
+      loop: "{{ proxy_nginx_configs }}"
+    - name: Restart nginx
+      ansible.builtin.systemd_service:
+        name: nginx
+        state: restarted

ansible/roles/proxy/vars/main.yaml

@@ -0,0 +1,3 @@
+proxy_nginx_configs:
+  - nomad.conf
+  - ncr.conf

deprecated/playbooks/.ssh/config

@@ -0,0 +1,25 @@
+Host alpha-host
+	HostName 54.215.74.195
+	IdentityFile /home/shockrah/GitRepos/vpc/infra/keys/alpha/id_ssh
+	User ubuntu
+	
+Host atlas-host
+	HostName 54.215.74.195
+	IdentityFile /home/shockrah/GitRepos/vpc/infra/keys/atlas/id_ssh
+	User ubuntu
+
+Host beta-host
+	HostName 54.241.104.37
+	IdentityFile ../infra/keys/beta/id_ssh
+	User ubuntu
+
+Host web-host
+	HostName 54.241.104.37
+	IdentityFile ../infra/keys/beta-web/beta_web
+	User web
+
+Host docker-host
+	HostName 54.215.74.195
+	IdentityFile /home/shockrah/GitRepos/vpc/infra/keys/dockerlass/id_ssh
+	User dockerlass
+

deprecated/playbooks/.ssh/known_hosts

@@ -0,0 +1,5 @@
+
+54.241.104.37 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAv1XSgIiVhlOiDLhSGRNhUtpMRacOrJ7lhI7SKy6VC8
+shockrah.xyz ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAv1XSgIiVhlOiDLhSGRNhUtpMRacOrJ7lhI7SKy6VC8
+|1|5pyfR6GIeNlW0EbYZTnO9Uy85Xw=|Ef9X9NBkhCu6qjhIvIVLCd8bxw0= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGjACbiHsV9hvrIjcNGktKJTGVtGBXAgojvhLw0CwwDc
+54.215.74.195 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZKurmFz86dCDtoC8oF0fdUFx8UpOjU2Qij/iVRsnt9

deprecated/playbooks/.ssh/local-config

@@ -0,0 +1,5 @@
+Host alpha-host
+	HostName 192.168.1.23
+	IdentityFile ../infra/keys/alpha/id_ssh
+	User motheradmin
+

deprecated/playbooks/alpha/searx/settings.yml

@@ -0,0 +1,24 @@
+use_default_settings: True
+
+general:
+  debug : False # Debug mode, only for development
+  instance_name : "Project Athens SearX" # displayed name
+
+search:
+  safe_search : 0 # Filter results. 0: None, 1: Moderate, 2: Strict
+  autocomplete : "" # Existing autocomplete backends: "dbpedia", "duckduckgo", "google", "startpage", "swisscows", "qwant", "wikipedia" - leave blank to turn it off by default
+  default_lang : "" # Default search language - leave blank to detect from browser information or use codes from 'languages.py'
+
+server:
+  port : 8080
+  bind_address : "127.0.0.1" # explicitly only listen on localhost
+  secret_key : "VnnTHjYycpMerevPKQ5DAngpcZ3in5R8wgshvz2kW1LBDw6Z/ytWGdkZfXZTdY7zMb0oe6UXoZ9a"
+  base_url : "https://search.project-athens.xyz"
+  image_proxy : False # Proxying image results through searx
+
+# TODO: add morty proxy to the setup for cleaner results
+# uncomment below section if you have running morty proxy
+#result_proxy:
+#    url : http://127.0.0.1:3000/
+#    key : !!binary "your_morty_proxy_key"
+

deprecated/playbooks/beta/files/web.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC9n/H/AMcDcz90L5q0zxGxZWU5ShveyLOUFZBlcJ6SBco3Vb2ZD/qwmgDpVrgaB8bRdmioSgBIEvjX1uv6oEPvhCNu9JoXgy9uqOkbV7vqALxxEbleFYT2KQl5aq/OK0f+3Do9yiyNH8xaJ/FgwLHDC3GIKijdLa++e0Ydk1xnmzxD1C+Ciu8s6RHeGjG89txWqE0iEgfc+VNbPYdve9TR3WApbokUkux2KwYYDi3naqNB+pYn4cScx/fHoibiZeTBCnqGrgk+ZDowOtsvrSUVzKqBqQzphKO1YlttoNlcktkRjoUoQUP3g/B3NJqGMZi1NAovy3uD/QG5p1DaFVgZll6WDY4NsfhmT3K1xjNqBf0SSsXwe/CUIQ4oTcLPKwaW8hKygO//727l2n8GtwVAU2v3aYYHPbZrPmz/+3iALq0cjhpFz97WX1ifPijiSFPJ9vvE9H4p24bmVn64mBVaYq8E088t8ycWgPj04makbc5sPu7K5CecUUaGD4MWDws= Beta SSH Key

deprecated/playbooks/beta/vars/main.yml

@@ -0,0 +1,4 @@
+FC_LOCAL_DOCS: "/home/shockrah/GitRepos/freechat/docs/"
+RESUME_LOCAL_PUBLIC: "/home/shockrah/GitRepos/resume/"
+BLOG_LOCAL_PUBLIC: "/home/shockrah/GitRepos/shockrah-city/"
+CERT_EMAIL: "alejandros714@protonmail.com"

deprecated/playbooks/env/alpha.yml

@@ -0,0 +1,48 @@
+$ANSIBLE_VAULT;1.1;AES256
+35623361306666636339326632313237383635613761383063386465383731336430383036643037
+3839363734393463306266386137366262333736643737610a666234303965336135346161306530
+66383032333363386237636431613930333131376331663636373661636662323665343434316664
+6464323465363664340a313066633161653537356663646266656433396238653133613861626362
+32316332366634326161663163363233663635366532346437633738643138616462313735653733
+66623432383135376339353131613632333837356430393764316336303935343562363331616466
+66323639646631643533303338363532306439393835386539373532626234336437643734373461
+39386665326464663461323434663662393233303032646338376234663462656135323836383762
+38613336376436396465633334343632376133383661333234656634346532383636346639633661
+65343731656465323138323437386533343161646139663336333663343265623333613234323962
+34303332383330623037316365663139303539343366633537326239336237306132333736383561
+36396262383564383166303763636534313739373864663532616465386536303138333537643964
+31653766393963613539303765653737343966333833396664626332643162386130333363363634
+30306463666338653961616165353166333137663663313566613164663733663965363536343839
+32393238636639386364336264306430316134373537303263316333333639346439333336313735
+62373361323136393330333336363565336436393165633634383732663738623965376532336664
+65396135343939353837313664646137396138613565653831396233323032343335396239303837
+38653135613764326438353365613630346631313065643664633330383936353530623933346563
+30376133333432323636613663393766663364656563646233353037356561363937306535623638
+66306537356464353430633238373731633666633763343631356139373365656239633038383938
+35363737643164393639393232666664373763353835323234306463306366383634393133326635
+32306534636366666633663435623165393631643834613965663464613263636136383365353062
+35316136376334393634303861626338346338646534626364623530323634376331363864663738
+65313764343563663838333931646563313232383266323735313736663635663830363762306238
+30373030343361393330303363623434333532303661656131346434393236383131633264396232
+62663835663036643261346536316632343464373338363739393531366132376364383866656262
+65646139356231613364643765643135393132316634363266356431353833613066313432623766
+31616562623362636432646166356530323430626639303161653635636536373535373964323365
+39356532666532373937336265346137623031383735323063323639626435656331633464643735
+35653661633266366662626535633530393163613861643764633264343862666334643834633030
+35636363356533313062626362323162343838643736613735316336373938393236306532646261
+32316265646365656366393937383530376233306665333435376532313731303931333531636263
+35653563653639323762663463306235623336353438623237376331376366323661303636396466
+39386432316335656531333465336332306336303164346461376366343165336438336432666335
+61366533633332663536643637356665303066663130616236353561376662313236336466633335
+64666665393430336662393163656430386665656263333132363763333539623963393039396338
+61313833663963333065636537613461393334643130646664343434303133396533653434666632
+32383932633264623032313435343333366663353935313230386538363035626634616531666538
+37623738323233366638373530343234343030613036386138643462333762626630383666643762
+62363133613134303863643532656464383536393761653138356136623562316362363132653461
+39303635663362316234343462633534313930333365633335353033393062303839333131653233
+63363730356139373962363530633166666361343439656630633266373032343939313565623737
+66656535366539326437313461636236343037393532313366396265373466356237376135383362
+65633063666238333733323265336533643037626562656334326335343466323964653762643139
+32306261323835653536333734626363393039393831356463623132303966346234633032663730
+65653630623438653637383833373531653037356363613031363932313162623037396166313764
+393530663436386232333634666665396465

deprecated/playbooks/env/beta.yml

@@ -0,0 +1,5 @@
+RESUME_LOCAL_PUBLIC: /home/shockrah/GitRepos/resume
+FC_LOCAL_DOCS: /home/shockrah/GitRepos/freechat/docs
+BLOG_LOCAL_PUBLIC: /home/shockrah/GitRepos/shockrah-city
+QRCODES_LOCAL_PUBLIC: /home/shockrah/GitRepos/badge-app/qrcodes
+CERT_EMAIL: dev@shockrah.xyz

deprecated/playbooks/env/certbot.yml

@@ -0,0 +1,2 @@
+CERT_EMAIL: dev@shockrah.xyz
+

deprecated/playbooks/env/common.yml

@@ -0,0 +1 @@
+CERT_EMAIL: dev@shockrah.xyz

deprecated/playbooks/files/git.shockrah.xyz.conf

@@ -0,0 +1,7 @@
+server {
+	listen 80;
+	server_name git.shockrah.xyz;
+	location / {
+		proxy_pass http://localhost:3000;
+	}
+}

deprecated/playbooks/hosts.ini

@@ -0,0 +1,31 @@
+[alpha]
+alpha-host
+
+[alpha:vars]
+ansible_ssh_user=ubuntu
+ansible_ssh_private=../infra/keys/alpha/id_ssh
+ansible_ssh_common_args='-F .ssh/config -o UserKnownHostsFile=.ssh/known_hosts'
+
+[atlas]
+atlas-host
+
+[atlas:vars]
+ansible_ssh_user=ubuntu
+ansible_ssh_private=../infra/keys/atlas/id_ssh
+ansible_ssh_common_args='-F .ssh/config -o UserKnownHostsFile=.ssh/known_hosts'
+
+[beta]
+beta-host
+
+[beta:vars]
+ansible_ssh_user=ubuntu
+ansible_ssh_private=../infra/keys/beta/id_ssh
+ansible_ssh_common_args='-F .ssh/config -o UserKnownHostsFile=.ssh/known_hosts'
+
+[web]
+web-host
+
+[web:vars]
+ansible_ssh_user=web
+ansible_ssh_private=../infra/keys/beta-web/beta_web
+ansible_ssh_common_args='-F .ssh/config -o UserKnownHostsFile=.ssh/known_hosts'

deprecated/playbooks/playbooks-deprecated/lets-encrypt.yml

@@ -4,6 +4,7 @@
   vars:
     websites:
       - shockrah.xyz
+      - git.shockrah.xyz
       - resume.shockrah.xyz
       - temper.tv
   tasks:

deprecated/playbooks/playbooks-deprecated/refresh-nginx.yml

@@ -4,6 +4,7 @@
   vars:
     websites:
       - shockrah.xyz
+      - git.shockrah.xyz
       - temper.tv
       - resume.shockrah.xyz
   tasks:

deprecated/playbooks/playbooks-deprecated/run-docker-compose.yaml

@@ -0,0 +1,7 @@
+---
+- hosts: webhost
+  remote_user: webadmin
+  tasks:
+    - name: Run docker-compose up
+      community.docker.docker_compose_v2:
+        project_src: ../../../containers/

deprecated/playbooks/playbooks-deprecated/secure-ssh-user.yml

@@ -0,0 +1,54 @@
+# This playbook is to be executed when first setting up
+# the machine so we'll have to login as root, but in doing so
+# we'll setup a user which can use sudo and use pem based authentication
+# this should remove the ability to login as root with a janky password
+---
+- hosts: webhost
+  remote_user: root
+  tasks:
+    - name: Ensure sudo is available
+      apt:
+        state: present
+        update_cache: true
+        pkg:
+          - sudo
+          - zsh
+    - name: Create webadmin user
+      user:
+        name: webadmin
+        state: present
+        shell: /bin/zsh
+        groups:
+          - nginx
+        append: yes
+    - name: webadmin key copy
+      authorized_key:
+        user: webadmin
+        state: present
+        key: "{{ lookup('file', '~/.ssh/vultr/webadmin.pem.pub') }}"
+    - name: Add webadmin to sudoers
+      copy:
+        dest: "/etc/sudoers.d/webadmin"
+        content: "webadmin ALL=(ALL) NOPASSWD: ALL"
+    - name: Disable Password Authentication
+      lineinfile:
+        dest: /etc/ssh/sshd_config
+        line: PasswordAuthentication no
+        state: present
+        backup: yes
+      notify:
+        - restart ssh
+    - name: Disable root login
+      lineinfile:
+        dest: /etc/ssh/sshd_config
+        line: PermitRootLogin no
+        state: present
+        backup: yes
+      notify:
+        - restart ssh
+  handlers:
+    - name: restart ssh
+      service:
+        name: sshd
+        state: restarted
+