authorJohannes Stoelp <johannes.stoelp@gmail.com>2022-12-05 21:42:17 +0100
committerJohannes Stoelp <johannes.stoelp@gmail.com>2022-12-05 21:42:17 +0100
commit3b040fac09eb158caf963d7c956610f99f8e0c17 (patch)
treea39b2297abf2d404e1c974aebdd2fb17ffa2de69
initial ansible setup
-rw-r--r--ansible.cfg2
-rw-r--r--inventory.ini1
-rw-r--r--memzero.yml13
-rw-r--r--roles/packages/tasks/main.yml30
-rw-r--r--roles/sshd/handlers/main.yml6
-rw-r--r--roles/sshd/tasks/main.yml13
-rw-r--r--roles/webserver/files/user_conf.d/memzero.conf43
-rw-r--r--roles/webserver/files/www/git/index.html1
-rw-r--r--roles/webserver/files/www/memzero/index.html1
-rw-r--r--roles/webserver/handlers/main.yml6
-rw-r--r--roles/webserver/tasks/main.yml49
11 files changed, 165 insertions, 0 deletions
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..601c6ea
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,2 @@
+[defaults]
+inventory=inventory.ini \ No newline at end of file
diff --git a/inventory.ini b/inventory.ini
new file mode 100644
index 0000000..a7b0eb6
--- /dev/null
+++ b/inventory.ini
@@ -0,0 +1 @@
+memzero.de USER=johannst DATA_ROOT=/home/johannst/pods NETWORK=podnet
diff --git a/memzero.yml b/memzero.yml
new file mode 100644
index 0000000..720131b
--- /dev/null
+++ b/memzero.yml
@@ -0,0 +1,13 @@
+- name: Server setup
+ hosts: all
+
+ pre_tasks:
+ - name: Setup podman network
+ containers.podman.podman_network:
+ name: "{{ NETWORK }}"
+ driver: bridge
+
+ roles:
+ - sshd
+ - packages
+ - webserver \ No newline at end of file
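Review bot: The `containers.podman.podman_network` pre_task (L50-L53) runs before every role in the play, so on a fresh host it executes before the `packages` role (L57) has installed podman and fails on the missing binary. Pre_tasks always precede roles, and `tasks:` would run after the `webserver` role that already needs the network, so the cleanest fix is to move the network task to the top of `roles/webserver/tasks/main.yml` ahead of `Setup nginx`, or to put the package role in a separate, earlier play. The task runs without `become`, which matches the rootless container task in the webserver role (rootless podman networks are per-user), but that is worth a comment such as `# created as the rootless user, must match the user running the containers` since the sibling tasks in `packages` and `sshd` all escalate.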
diff --git a/roles/packages/tasks/main.yml b/roles/packages/tasks/main.yml
new file mode 100644
index 0000000..d3f0720
--- /dev/null
+++ b/roles/packages/tasks/main.yml
@@ -0,0 +1,30 @@
+---
+- name: Install EPEL
+ become: True
+ ansible.builtin.package:
+ name: epel-release
+ state: latest
+ when: ansible_facts['os_family'] == 'RedHat'
+
+#- name: Update all packages
+# become: True
+# ansible.builtin.package:
+# name: "*"
+# state: latest
+
+- name: Install packages
+ become: True
+ ansible.builtin.package:
+ name: "{{ item }}"
+ state: latest
+ loop:
+ - vim
+ - podman
+ - fish
+ - netcat
+
+- name: Set fish as default shell
+ become: True
+ ansible.builtin.user:
+ name: "{{ USER }}"
+ shell: /usr/bin/fish \ No newline at end of file
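Review bot: `state: latest` on both install tasks (L70, L83) turns every run of the play into a package upgrade instead of an idempotent ensure-present, so a run meant to tweak nginx config can silently pull a new podman; use `state: present` and keep upgrades in a deliberate task, which is what the commented-out block at L73-L77 already sketches. The per-item `loop` at L82-L88 also starts one package-manager transaction per package; `ansible.builtin.package` accepts a list, so `name: [vim, podman, fish, netcat]` with `state: present` resolves all dependencies in one transaction. `netcat` is the Debian-flavoured name; on the RedHat family that the EPEL task targets the package is usually `nmap-ncat`, so confirm against the actual target or make the name OS-conditional. `become: True` should be written `become: true` (yamllint truthy) in all three tasks.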
diff --git a/roles/sshd/handlers/main.yml b/roles/sshd/handlers/main.yml
new file mode 100644
index 0000000..429dd83
--- /dev/null
+++ b/roles/sshd/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart sshd
+ become: True
+ ansible.builtin.service:
+ name: sshd
+ state: restarted \ No newline at end of file
diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml
new file mode 100644
index 0000000..c4dd9ea
--- /dev/null
+++ b/roles/sshd/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+- name: Configure sshd
+ become: True
+ lineinfile:
+ dest: "/etc/ssh/sshd_config"
+ regexp: "{{ item.regex }}"
+ line: "{{ item.line }}"
+ notify: Restart sshd
+ loop:
+ - { regex: '^(#\s*)?PermitEmptyPasswords' , line: 'PermitEmptyPasswords no' }
+ - { regex: '^(#\s*)?PermitRootLogin' , line: 'PermitRootLogin no' }
+ - { regex: '^(#\s*)?PasswordAuthentication', line: 'PasswordAuthentication no' }
+ - { regex: '^(#\s*)?UsePAM' , line: 'UsePAM yes' } \ No newline at end of file
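Review bot: `PasswordAuthentication no` (L124) alone does not close password logins while `UsePAM yes` (L125) is set, because sshd still offers keyboard-interactive authentication backed by PAM; add `- { regex: '^(#\s*)?KbdInteractiveAuthentication', line: 'KbdInteractiveAuthentication no' }` (`ChallengeResponseAuthentication` on OpenSSH older than 8.7). The lineinfile edits carry no `validate: '/usr/sbin/sshd -t -f %s'`, so a malformed line reaches the `Restart sshd` handler and can take down the only way into the host. On distributions whose sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf`, the drop-ins win over lines appended here (sshd takes the first match), and a line appended after a trailing `Match` block lands inside that block — check the target's config, or write a low-numbered drop-in instead. `lineinfile` should also be spelled `ansible.builtin.lineinfile` to match the FQCN style of the other roles.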
diff --git a/roles/webserver/files/user_conf.d/memzero.conf b/roles/webserver/files/user_conf.d/memzero.conf
new file mode 100644
index 0000000..5419eb8
--- /dev/null
+++ b/roles/webserver/files/user_conf.d/memzero.conf
@@ -0,0 +1,43 @@
+server {
+ # Listen to port 443 on both IPv4 and IPv6.
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ # Domain names this server should respond to.
+ server_name memzero.de www.memzero.de;
+
+ # Load the certificate files.
+ ssl_certificate /etc/letsencrypt/live/memzero/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/memzero/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/memzero/chain.pem;
+
+ # Load the Diffie-Hellman parameter.
+ ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
+
+ root /www/memzero;
+}
+
+server {
+ # Listen to port 443 on both IPv4 and IPv6.
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ # Domain names this server should respond to.
+ server_name git.memzero.de;
+
+ # Load the certificate files.
+ ssl_certificate /etc/letsencrypt/live/memzero/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/memzero/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/memzero/chain.pem;
+
+ # Load the Diffie-Hellman parameter.
+ ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
+
+ root /www/git;
+}
+
+server {
+ # Drop any request that does not match any of the other server names.
+ listen 443 ssl default_server;
+ ssl_reject_handshake on;
+}
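Review bot: The catch-all block at L170-L174 only binds `listen 443 ssl default_server;`, while the two named servers also bind `[::]:443`; an IPv6 client with an unknown or absent SNI is therefore not rejected but served by the first `[::]:443` block (memzero.de), which exposes the site to IP-based scanning and defeats the intent stated in the comment. Add `listen [::]:443 ssl default_server;` beside L172 so `ssl_reject_handshake` covers both address families. `ssl_trusted_certificate` (L143, L162) only has an effect together with `ssl_stapling on; ssl_stapling_verify on;`, so either enable stapling or drop the directive. No `ssl_protocols`, `ssl_ciphers` or HSTS header appears in this file; if the base image's nginx.conf does not set them, older TLS versions may still be offered — confirm with the image defaults. The git vhost reuses the `live/memzero` certificate, which presumably must carry `git.memzero.de` as a SAN — verify the certbot domain list covers it.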
diff --git a/roles/webserver/files/www/git/index.html b/roles/webserver/files/www/git/index.html
new file mode 100644
index 0000000..a6978b1
--- /dev/null
+++ b/roles/webserver/files/www/git/index.html
@@ -0,0 +1 @@
+<h1>Hello git!</h1>
diff --git a/roles/webserver/files/www/memzero/index.html b/roles/webserver/files/www/memzero/index.html
new file mode 100644
index 0000000..4df77a4
--- /dev/null
+++ b/roles/webserver/files/www/memzero/index.html
@@ -0,0 +1 @@
+<h1>Hello memzero!</h1>
diff --git a/roles/webserver/handlers/main.yml b/roles/webserver/handlers/main.yml
new file mode 100644
index 0000000..3e327d5
--- /dev/null
+++ b/roles/webserver/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart nginx
+ containers.podman.podman_container:
+ name: webserver
+ state: started
+ restart: yes \ No newline at end of file
diff --git a/roles/webserver/tasks/main.yml b/roles/webserver/tasks/main.yml
new file mode 100644
index 0000000..a849f2c
--- /dev/null
+++ b/roles/webserver/tasks/main.yml
@@ -0,0 +1,49 @@
+---
+- name: Copy webserver files
+ ansible.builtin.copy:
+ src: "{{ item }}"
+ dest: "{{ DATA_ROOT }}/nginx"
+ owner: "{{ USER }}"
+ group: "{{ USER }}"
+ loop:
+ - www
+ - user_conf.d
+ notify: Restart nginx
+
+- name: Setup nginx
+ containers.podman.podman_container:
+ name: webserver
+ image: docker.io/jonasal/nginx-certbot
+ network: "{{ NETWORK }}"
+ ports:
+ - "8080:80"
+ - "8443:443"
+ env:
+ CERTBOT_EMAIL: "johannes@memzero.de"
+ STAGING: "1"
+ DEBUG: "1"
+ volumes:
+ # Use 'Z' to privately relable selinux contexts.
+ - "{{ DATA_ROOT }}/nginx/user_conf.d:/etc/nginx/user_conf.d:ro,Z"
+ - "{{ DATA_ROOT }}/nginx/www:/www:ro,Z"
+
+# All services run in rootless-podman and nginx is the only entry point from
+# the outside acting as webserver and reverse proxy.
+# Since we dont want to lower the *unprivileged* port start (1024) we install
+# two forwarding routes from
+# 80 -> 8080
+# 443 -> 8443
+- name: Forward port 80/443 to 8080/8443
+ ansible.builtin.iptables:
+ table: nat
+ chain: PREROUTING
+ protocol: tcp
+ match: tcp
+ destination_port: "{{ item.from }}"
+ jump: REDIRECT
+ to_ports: "{{ item.to }}"
+ comment: "Redirect web traffic {{ item.from }} -> {{ item.to }}"
+ become: yes
+ loop:
+ - { from: 80 , to: 8080 }
+ - { from: 443, to: 8443 } \ No newline at end of file
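Review bot: The REDIRECT rules at L242-L255 are IPv4-only and not persisted: `ansible.builtin.iptables` edits the live ruleset without saving it, so after a reboot ports 80/443 stop reaching the container, and the `[::]:443` listeners in memzero.conf are never reachable over IPv6 because no matching rule is installed with `ip_version: ipv6`. Loop over both address families and add a persistence step (the distro's iptables-services/netfilter-persistent, or manage the rules with firewalld/nftables) so the forwarding survives a reboot. Separately, `image: docker.io/jonasal/nginx-certbot` (L222) carries no tag or digest, so every run may silently pull a different `latest`; pin it, e.g. `docker.io/jonasal/nginx-certbot:<version>` or `@sha256:…`. `STAGING: "1"` and `DEBUG: "1"` (L229-L230) make certbot issue untrusted staging certificates with verbose logging — fine for a first bring-up, but they must be flipped before the host is considered live, so gate them behind a variable or leave a comment saying so. The `Copy webserver files` task (L208-L217) sets no `mode`, so the copied files inherit the controller's permissions; `mode: "0644"` plus `directory_mode: "0755"` keeps the result deterministic.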