18 changed files with 76 additions and 95 deletions
--- a/README.md
+++ b/README.md
@ -0,0 +1,7 @@
+This is how I set up ppm.pfoe.be
+
+This repository is currently created to serve
+as an inspiration for creating your own ansible playbook to set up ppm
+
+At this moment it is not intended to be used as is/it is a work in progress
+
--- a/all.yml
+++ b/all.yml
@ -0,0 +1,5 @@
+- name: Perform ppm server ansible playbook
+  hosts: all
+  roles:
+    - baseline
+    - ppm
--- a/ansible.cfg
+++ b/ansible.cfg
@ -0,0 +1,9 @@
+[defaults]
+inventory=inventory
+retry_files_enabled = False
+remote_user = root
+deperaction_warnings = True
+display_skipped_hosts = True
+
+result_format=yaml
+
--- a/group_vars/all/applications.yml
+++ b/group_vars/all/applications.yml
@ -0,0 +1,33 @@
+ppm_apps:
+  - on_server: ppm.pfoe.be
+    user: git
+    chicken_egg_appdefinition: ../forgejo/
+    appconfig:
+      restic:
+        url: "{{ lookup('file', 'passwords/ppm-forgejo-url') }}"
+        password: "{{ lookup('file', 'passwords/ppm-forgejo-password') }}"
+        backupname: "{{ lookup('file', 'passwords/ppm-forgejo-name') }}"
+      appinfo:
+        url: https://ppm.pfoe.be/ppm/forgejo.git
+      config:
+        publicurl: ppm.pfoe.be
+
+  - on_server: ppm.pfoe.be
+    user: nginx
+    chicken_egg_appdefinition: ../nginx/
+    appconfig:
+      appinfo:
+        url: https://ppm.pfoe.be/ppm/nginx.git
+      code:
+        type: localfiles
+        directory: nginx
+
+  - on_server: ppm.pfoe.be
+    user: runner
+    chicken_egg_appdefinition: ../forgejo-runner/
+    appconfig:
+      appinfo:
+        url: https://ppm.pfoe.be/ppm/forgejo-runner.git
+      code:
+        type: localfiles
+        directory: forgejo-runner
--- a/group_vars/all/firewall.yml
+++ b/group_vars/all/firewall.yml
@ -0,0 +1,7 @@
+# I prefer not to share the list of admins in a public repo, so refer to passwords...
+# The format for the ssh ranges is as follows:
+# - name: The name that is in a comment in the generated file.  Not used anywhere else
+#   type: ipv4 # or ipv6
+#   range: 10.10.10.10/32 # The range, MUST be a valid range, not an ip address, ie there must be a / and the netmask
+
+firewall_ssh_ranges: "{{ lookup('file', 'passwords/firewall_ssh_ranges.yml') | from_yaml }}"
--- a/group_vars/all/ppm.yml
+++ b/group_vars/all/ppm.yml
@ -0,0 +1 @@
+ppm_binary: "{{ lookup('pipe', 'pwd') }}/../ppm/out/ppm"
--- a/group_vars/all/rootuser.yml
+++ b/group_vars/all/rootuser.yml
@ -0,0 +1,3 @@
+root_password: "{{ lookup('file', 'passwords/root_password_hashed') }}"
+# ssh keys are public, but I prefer not to share the list of admins in a public repo
+root_sshkeys: "{{ lookup('file', 'passwords/root_sshkeys.yml') | from_yaml }}"
--- a/group_vars/all/zabbix.yml
+++ b/group_vars/all/zabbix.yml
@ -0,0 +1,2 @@
+zabbix_server: "{{ lookup('file', 'passwords/zabbix_server') }}"
+zabbix_psk: "{{ lookup('file', 'passwords/zabbix_psk') }}"
--- a/3
+++ b/3
@ -0,0 +1,3 @@
+[ppmserver]
+ppm.pfoe.be
+
--- a/roles/baseline/tasks/packages.yml
+++ b/roles/baseline/tasks/packages.yml
@ -5,7 +5,7 @@
  # Even if we "changed it", it's merely a cache, so ignore
  changed_when: false

- name: Update system packages to latest
+- name: Update system packages to lates
  ansible.builtin.apt:
    upgrade: dist

@ -19,7 +19,6 @@
  ansible.builtin.apt:
    pkg:
      - apt-dater
-      - man
      - mosh
      - mc
      - vim
@ -37,9 +36,6 @@
      - iftop
      - htop
      - ncdu
-      - acl
-      - sudo
-      - ntpsec-ntpdate

 - name: Firewall for mosh
  ansible.builtin.template:
--- a/roles/baseline/tasks/rootuser.yml
+++ b/roles/baseline/tasks/rootuser.yml
@ -2,7 +2,6 @@
  ansible.builtin.user:
    name: root
    password: "{{ root_password }}"
-  when: root_password is defined

 - name: Ensure ssh directory for root
  ansible.builtin.file:
@ -11,7 +10,6 @@
    owner: root
    group: root
    mode: "0700"
-  when: root_sshkeys is defined

 - name: Set authorized keys for root
  ansible.builtin.copy:
@ -20,7 +18,6 @@
    owner: root
    group: root
    mode: "0600"
-  when: root_sshkeys is defined

 - name: Only allow root ssh
  ansible.builtin.lineinfile:
@ -28,4 +25,3 @@
    line: "PermitRootLogin prohibit-password"
    regexp: "^PermitRootLogin "
  notify: Restart sshd
-  when: root_sshkeys is defined
--- a/roles/baseline/templates/firewall.j2
+++ b/roles/baseline/templates/firewall.j2
@ -20,16 +20,11 @@ iptables -A INPUT -m limit --limit 1/s --limit-burst 2 -p icmp --icmp-type echo-
 iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
 iptables -A INPUT -p icmp -j ACCEPT

-{% if firewall_ssh_ranges is defined %}
 {% for range in firewall_ssh_ranges %}
 {%if range.type=="ipv4" %}
 iptables -A INPUT -p tcp --dport 22 -s {{range.range}} -j ACCEPT # {{range.name}}
 {%endif%}
 {%endfor%}
-{% else %}
-# This server has an open ssh policy
-iptables -A INPUT -p tcp --dport 22 -j ACCEPT
-{% endif %}

 iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -A OUTPUT -m state --state INVALID -j DROP
@ -53,16 +48,11 @@ ip6tables -A INPUT -m limit --limit 1/s --limit-burst 2 -p icmpv6 --icmpv6-type
 ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
 ip6tables -A INPUT -p icmpv6 -j ACCEPT

-{% if firewall_ssh_ranges is defined %}
 {% for range in firewall_ssh_ranges %}
 {%if range.type=="ipv6" %}
 ip6tables -A INPUT -p tcp --dport 22 -s {{range.range}} -j ACCEPT # {{range.name}}
 {%endif%}
 {%endfor%}
-{% else %}
-# This server has an open ssh policy
-ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
-{% endif %}

 ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 ip6tables -A OUTPUT -m state --state INVALID -j DROP
@ -85,11 +75,4 @@ ip6tables -A INPUT -j REJECT
 iptables -A FORWARD -j REJECT
 ip6tables -A FORWARD -j REJECT

-# Now *if* fail2ban has been installed, we would have destroyed it's setup.  
-# Restart it
-if [ -e /etc/fail2ban/fail2ban.conf ]
-then
-	systemctl restart fail2ban || true
-fi
-
 # This file is managed by ansible, do not modify!
--- a/roles/ppm/tasks/copyappdef.yml
+++ b/roles/ppm/tasks/copyappdef.yml
@ -20,11 +20,6 @@
  delegate_to: localhost
  become: false

- name: delete appdefinition directory
-  ansible.builtin.file:
-    path: "{{ ppm_app_user.home }}/appdefinition"
-    state: absent
-
 - name: Create directory
  ansible.builtin.file:
    path: "{{ ppm_app_user.home }}/appdefinition"
--- a/roles/ppm/tasks/firewall.yml
+++ b/roles/ppm/tasks/firewall.yml
@ -3,7 +3,7 @@
    dest: /home/.ppmfirewalltemplate
    group: root
    owner: root
-    mode: "0644"
+    mode: "0755"
    src: ppmfirewall

 - name: Render firewall
--- a/roles/ppm/tasks/oneapp.yml
+++ b/roles/ppm/tasks/oneapp.yml
@ -53,10 +53,6 @@
  ansible.builtin.include_tasks: copyappdef.yml
  when: ppm_app.chicken_egg_appdefinition is defined and not appdefinition.stat.exists

- name: "Update appdefinition ({{ ppm_app.user }})"
-  ansible.builtin.include_tasks: updateappdef.yml
-  when: ppm_app.chicken_egg_appdefinition is defined
-
 - name: "Set up extra files for {{ ppm_app.user }}"
  ansible.builtin.copy:
    src: "{{ item.from }}"
--- a/roles/ppm/tasks/updateappdef.yml
+++ b/roles/ppm/tasks/updateappdef.yml
@ -1,58 +0,0 @@
- name: Check local working tree for uncommitted changes
-  command: git status --porcelain
-  args:
-    chdir: "{{ ppm_app.chicken_egg_appdefinition }}"
-  register: local_status
-  changed_when: false
-  delegate_to: localhost
-
- name: Get local HEAD hash
-  command: git rev-parse HEAD
-  args:
-    chdir: "{{ ppm_app.chicken_egg_appdefinition }}"
-  register: local_hash
-  changed_when: false
-  delegate_to: localhost
-
-
- name: Check remote working tree for uncommitted changes
-  command: git status --porcelain
-  args:
-    chdir: "{{ ppm_app_user.home }}/appdefinition"
-  register: remote_status
-  changed_when: false
-  become: true
-  become_user: "{{ ppm_app_user.name }}"
-
- name: Get remote HEAD hash
-  command: git rev-parse HEAD
-  args:
-    chdir: "{{ ppm_app_user.home }}/appdefinition"
-  register: remote_hash
-  changed_when: false
-  become: true
-  become_user: "{{ ppm_app_user.name }}"
-
-
- name: Set helper facts
-  set_fact:
-    local_dirty: "{{ (local_status.stdout | default('')) != '' }}"
-    local_hash: "{{ local_hash.stdout }}"
-    remote_dirty: "{{ (remote_status.stdout | default('')) != '' }}"
-    remote_hash: "{{ remote_hash.stdout }}"
-
- name: Debug when remote is dirty (ignore remote dirty for sync decision)
-  debug:
-    msg: "Remote repository has uncommitted changes; ignoring for sync."
-  changed_when: true
-  when: remote_dirty
-
- name: Debug when local is dirty
-  debug:
-    msg: "Local repository has uncommitted changes; unconditional - non-idempotent sync."
-  changed_when: true
-  when: local_dirty and not remote_dirty
-
- name: Include copyappdef.yml when local dirty, hash retrieval failed, or hashes differ
-  include_tasks: copyappdef.yml
-  when: not remote_dirty and (local_hash!=remote_hash or local_dirty)
--- a/roles/ppm/tasks/zabbix.yml
+++ b/roles/ppm/tasks/zabbix.yml
@ -3,7 +3,7 @@
    dest: /home/.zabbixagenttemplate
    group: root
    owner: root
-    mode: "0644"
+    mode: "0755"
    src: ppmzabbixagent

 - name: Render zabbix template
--- a/3
+++ b/3
@ -0,0 +1,3 @@
+#!/bin/sh
+
+ansible-playbook --diff all.yml "$@"
				`@ -0,0 +1 @@`
				`ppm_binary: "{{ lookup('pipe', 'pwd') }}/../ppm/out/ppm"`