18 changed files with 76 additions and 95 deletions
--- a/README.md
+++ b/README.md
@ -0,0 +1,7 @@
 This is how I set up ppm.pfoe.be
 This repository is currently created to serve
 as an inspiration for creating your own ansible playbook to set up ppm
 At this moment it is not intended to be used as is/it is a work in progress
--- a/all.yml
+++ b/all.yml
@ -0,0 +1,5 @@
 - name: Perform ppm server ansible playbook
  hosts: all
  roles:
    - baseline
    - ppm
--- a/ansible.cfg
+++ b/ansible.cfg
@ -0,0 +1,9 @@
 [defaults]
 inventory=inventory
 retry_files_enabled = False
 remote_user = root
 deperaction_warnings = True
 display_skipped_hosts = True
 result_format=yaml
--- a/group_vars/all/applications.yml
+++ b/group_vars/all/applications.yml
@ -0,0 +1,33 @@
 ppm_apps:
  - on_server: ppm.pfoe.be
    user: git
    chicken_egg_appdefinition: ../forgejo/
    appconfig:
      restic:
        url: "{{ lookup('file', 'passwords/ppm-forgejo-url') }}"
        password: "{{ lookup('file', 'passwords/ppm-forgejo-password') }}"
        backupname: "{{ lookup('file', 'passwords/ppm-forgejo-name') }}"
      appinfo:
        url: https://ppm.pfoe.be/ppm/forgejo.git
      config:
        publicurl: ppm.pfoe.be
  - on_server: ppm.pfoe.be
    user: nginx
    chicken_egg_appdefinition: ../nginx/
    appconfig:
      appinfo:
        url: https://ppm.pfoe.be/ppm/nginx.git
      code:
        type: localfiles
        directory: nginx
  - on_server: ppm.pfoe.be
    user: runner
    chicken_egg_appdefinition: ../forgejo-runner/
    appconfig:
      appinfo:
        url: https://ppm.pfoe.be/ppm/forgejo-runner.git
      code:
        type: localfiles
        directory: forgejo-runner
--- a/group_vars/all/firewall.yml
+++ b/group_vars/all/firewall.yml
@ -0,0 +1,7 @@
 # I prefer not to share the list of admins in a public repo, so refer to passwords...
 # The format for the ssh ranges is as follows:
 # - name: The name that is in a comment in the generated file.  Not used anywhere else
 #   type: ipv4 # or ipv6
 #   range: 10.10.10.10/32 # The range, MUST be a valid range, not an ip address, ie there must be a / and the netmask
 firewall_ssh_ranges: "{{ lookup('file', 'passwords/firewall_ssh_ranges.yml') | from_yaml }}"
--- a/group_vars/all/ppm.yml
+++ b/group_vars/all/ppm.yml
@ -0,0 +1 @@
 ppm_binary: "{{ lookup('pipe', 'pwd') }}/../ppm/out/ppm"
--- a/group_vars/all/rootuser.yml
+++ b/group_vars/all/rootuser.yml
@ -0,0 +1,3 @@
 root_password: "{{ lookup('file', 'passwords/root_password_hashed') }}"
 # ssh keys are public, but I prefer not to share the list of admins in a public repo
 root_sshkeys: "{{ lookup('file', 'passwords/root_sshkeys.yml') | from_yaml }}"
--- a/group_vars/all/zabbix.yml
+++ b/group_vars/all/zabbix.yml
@ -0,0 +1,2 @@
 zabbix_server: "{{ lookup('file', 'passwords/zabbix_server') }}"
 zabbix_psk: "{{ lookup('file', 'passwords/zabbix_psk') }}"
--- a/3
+++ b/3
@ -0,0 +1,3 @@
 [ppmserver]
 ppm.pfoe.be
--- a/roles/baseline/tasks/packages.yml
+++ b/roles/baseline/tasks/packages.yml
@ -5,7 +5,7 @@
  # Even if we "changed it", it's merely a cache, so ignore
  changed_when: false
- name: Update system packages to latest
+- name: Update system packages to lates
  ansible.builtin.apt:
    upgrade: dist
@ -19,7 +19,6 @@
  ansible.builtin.apt:
    pkg:
      - apt-dater
      - man
      - mosh
      - mc
      - vim
@ -37,9 +36,6 @@
      - iftop
      - htop
      - ncdu
      - acl
      - sudo
      - ntpsec-ntpdate
 - name: Firewall for mosh
  ansible.builtin.template:
--- a/roles/baseline/tasks/rootuser.yml
+++ b/roles/baseline/tasks/rootuser.yml
@ -2,7 +2,6 @@
  ansible.builtin.user:
    name: root
    password: "{{ root_password }}"
  when: root_password is defined
 - name: Ensure ssh directory for root
  ansible.builtin.file:
@ -11,7 +10,6 @@
    owner: root
    group: root
    mode: "0700"
  when: root_sshkeys is defined
 - name: Set authorized keys for root
  ansible.builtin.copy:
@ -20,7 +18,6 @@
    owner: root
    group: root
    mode: "0600"
  when: root_sshkeys is defined
 - name: Only allow root ssh
  ansible.builtin.lineinfile:
@ -28,4 +25,3 @@
    line: "PermitRootLogin prohibit-password"
    regexp: "^PermitRootLogin "
  notify: Restart sshd
  when: root_sshkeys is defined
--- a/roles/baseline/templates/firewall.j2
+++ b/roles/baseline/templates/firewall.j2
@ -20,16 +20,11 @@ iptables -A INPUT -m limit --limit 1/s --limit-burst 2 -p icmp --icmp-type echo-
 iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
 iptables -A INPUT -p icmp -j ACCEPT
 {% if firewall_ssh_ranges is defined %}
 {% for range in firewall_ssh_ranges %}
 {%if range.type=="ipv4" %}
 iptables -A INPUT -p tcp --dport 22 -s {{range.range}} -j ACCEPT # {{range.name}}
 {%endif%}
 {%endfor%}
 {% else %}
 # This server has an open ssh policy
 iptables -A INPUT -p tcp --dport 22 -j ACCEPT
 {% endif %}
 iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -A OUTPUT -m state --state INVALID -j DROP
@ -53,16 +48,11 @@ ip6tables -A INPUT -m limit --limit 1/s --limit-burst 2 -p icmpv6 --icmpv6-type
 ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
 ip6tables -A INPUT -p icmpv6 -j ACCEPT
 {% if firewall_ssh_ranges is defined %}
 {% for range in firewall_ssh_ranges %}
 {%if range.type=="ipv6" %}
 ip6tables -A INPUT -p tcp --dport 22 -s {{range.range}} -j ACCEPT # {{range.name}}
 {%endif%}
 {%endfor%}
 {% else %}
 # This server has an open ssh policy
 ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
 {% endif %}
 ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 ip6tables -A OUTPUT -m state --state INVALID -j DROP
@ -85,11 +75,4 @@ ip6tables -A INPUT -j REJECT
 iptables -A FORWARD -j REJECT
 ip6tables -A FORWARD -j REJECT
 # Now *if* fail2ban has been installed, we would have destroyed it's setup.  
 # Restart it
 if [ -e /etc/fail2ban/fail2ban.conf ]
 then
 	systemctl restart fail2ban || true
 fi
 # This file is managed by ansible, do not modify!
--- a/roles/ppm/tasks/copyappdef.yml
+++ b/roles/ppm/tasks/copyappdef.yml
@ -20,11 +20,6 @@
  delegate_to: localhost
  become: false
 - name: delete appdefinition directory
  ansible.builtin.file:
    path: "{{ ppm_app_user.home }}/appdefinition"
    state: absent
 - name: Create directory
  ansible.builtin.file:
    path: "{{ ppm_app_user.home }}/appdefinition"
--- a/roles/ppm/tasks/firewall.yml
+++ b/roles/ppm/tasks/firewall.yml
@ -3,7 +3,7 @@
    dest: /home/.ppmfirewalltemplate
    group: root
    owner: root
-    mode: "0644"
+    mode: "0755"
    src: ppmfirewall
 - name: Render firewall
--- a/roles/ppm/tasks/oneapp.yml
+++ b/roles/ppm/tasks/oneapp.yml
@ -53,10 +53,6 @@
  ansible.builtin.include_tasks: copyappdef.yml
  when: ppm_app.chicken_egg_appdefinition is defined and not appdefinition.stat.exists
 - name: "Update appdefinition ({{ ppm_app.user }})"
  ansible.builtin.include_tasks: updateappdef.yml
  when: ppm_app.chicken_egg_appdefinition is defined
 - name: "Set up extra files for {{ ppm_app.user }}"
  ansible.builtin.copy:
    src: "{{ item.from }}"
--- a/roles/ppm/tasks/updateappdef.yml
+++ b/roles/ppm/tasks/updateappdef.yml
@ -1,58 +0,0 @@
 - name: Check local working tree for uncommitted changes
  command: git status --porcelain
  args:
    chdir: "{{ ppm_app.chicken_egg_appdefinition }}"
  register: local_status
  changed_when: false
  delegate_to: localhost
 - name: Get local HEAD hash
  command: git rev-parse HEAD
  args:
    chdir: "{{ ppm_app.chicken_egg_appdefinition }}"
  register: local_hash
  changed_when: false
  delegate_to: localhost
 - name: Check remote working tree for uncommitted changes
  command: git status --porcelain
  args:
    chdir: "{{ ppm_app_user.home }}/appdefinition"
  register: remote_status
  changed_when: false
  become: true
  become_user: "{{ ppm_app_user.name }}"
 - name: Get remote HEAD hash
  command: git rev-parse HEAD
  args:
    chdir: "{{ ppm_app_user.home }}/appdefinition"
  register: remote_hash
  changed_when: false
  become: true
  become_user: "{{ ppm_app_user.name }}"
 - name: Set helper facts
  set_fact:
    local_dirty: "{{ (local_status.stdout | default('')) != '' }}"
    local_hash: "{{ local_hash.stdout }}"
    remote_dirty: "{{ (remote_status.stdout | default('')) != '' }}"
    remote_hash: "{{ remote_hash.stdout }}"
 - name: Debug when remote is dirty (ignore remote dirty for sync decision)
  debug:
    msg: "Remote repository has uncommitted changes; ignoring for sync."
  changed_when: true
  when: remote_dirty
 - name: Debug when local is dirty
  debug:
    msg: "Local repository has uncommitted changes; unconditional - non-idempotent sync."
  changed_when: true
  when: local_dirty and not remote_dirty
 - name: Include copyappdef.yml when local dirty, hash retrieval failed, or hashes differ
  include_tasks: copyappdef.yml
  when: not remote_dirty and (local_hash!=remote_hash or local_dirty)
--- a/roles/ppm/tasks/zabbix.yml
+++ b/roles/ppm/tasks/zabbix.yml
@ -3,7 +3,7 @@
    dest: /home/.zabbixagenttemplate
    group: root
    owner: root
-    mode: "0644"
+    mode: "0755"
    src: ppmzabbixagent
 - name: Render zabbix template
--- a/3
+++ b/3
@ -0,0 +1,3 @@
 #!/bin/sh
 ansible-playbook --diff all.yml "$@"
		`@ -0,0 +1 @@`
							`ppm_binary: "{{ lookup('pipe', 'pwd') }}/../ppm/out/ppm"`
		`@ -0,0 +1,2 @@`
							`zabbix_server: "{{ lookup('file', 'passwords/zabbix_server') }}"`
							`zabbix_psk: "{{ lookup('file', 'passwords/zabbix_psk') }}"`
		`@ -0,0 +1,3 @@`
							`#!/bin/sh`

							`ansible-playbook --diff all.yml "$@"`