common.yaml

---
- name: Common setup
  hosts: all

  vars:
    ssh_users:
    - sami
    - root
    - arma
    - minecraft
    sudoers:
    - sami
    git_config_users:
    - sami
    - root
    git_configs:
    - { config: user.name,  value: Sami Laine }
    - { config: user.email, value: sami.v.laine@gmail.com }
    mail_domain: hestia.zeusops.com
    backups:
      user: !vault |
        $ANSIBLE_VAULT;1.1;AES256
        64663337373164303239393731323964366263383230383038353833373138623066343233383537
        3330623062643336366338306564306534633265626537390a366434383762643939333936663139
        63623530653835633264356636326333303234346134366661383337353561326462356539306439
        3532623934323932320a343461623338376233353964386438376364666562396435316630353563
        6365
      password: !vault |
        $ANSIBLE_VAULT;1.1;AES256
        31333763663730653765396339653865666630336465373133626138373965626635643235333962
        6631303839356432613839623730333939313738363261330a366233373134323166356139346162
        31346562653066343430383430363662343239643265623231323339346539653062396136323562
        3564663230313766310a633061336264383664633231353166616136613432353138383530373634
        66663635616465323231353330653762346534353761623034666264386366656238623766326439
        6433663038383764353333303533346235643466386132653261

  tasks:
  - name: Add cockpit-navigator repo
    block:
      - name: Add 45drives key
        ansible.builtin.get_url:
          url: https://repo.45drives.com/key/gpg.asc
          dest: /etc/apt/trusted.gpg.d/45drives-archive-keyring.asc

      - name: Add 45drives repo
        ansible.builtin.apt_repository:
          repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/45drives-archive-keyring.asc] https://repo.45drives.com/debian focal main"
          state: present
  - name: Install packages
    ansible.builtin.apt:
      name:
        - zsh
        - git
        - tmux
        - byobu
        - ufw
        - fail2ban
        - etckeeper
        - ncdu
        - aptitude
        - apt-file
        - python3-venv
        - molly-guard
        - cockpit
        - cockpit-podman
        # store past metrics
        - cockpit-pcp
        - cockpit-machines
        - cockpit-navigator
        # certificate generator for cockpit
        - sscg
        - unzip
        # Includes the checkrestart command
        - debian-goodies
        - mosh
        - mailutils
        # vidir
        - moreutils
        - postfix
        - xauth
        # for backups
        - duplicity
      update_cache: true
  - name: Set git default branch
    community.general.git_config:
      scope: system
      name: init.defaultBranch
      value: main
  - name: Create users
    ansible.builtin.user:
      name: sami
      shell: /usr/bin/zsh
  - name: Set git configs
    become: true
    become_user: "{{ item.0 }}"
    community.general.git_config:
      scope: global
      name: "{{ item.1.config }}"
      value: "{{ item.1.value }}"
    loop: "{{ git_config_users|product(git_configs)|list }}"
  - name: Add SSH keys
    ansible.posix.authorized_key:
      user: "{{ item }}"
      key: "{{ lookup('file', 'files/pubkeys/{{ item }}') }}"
      exclusive: True
    loop: "{{ ssh_users }}"
  - name: Set vim as editor
    community.general.alternatives:
      name: editor
      path: /usr/bin/vim.basic
  - name: Enable ufw
    community.general.ufw:
      state: enabled
      policy: reject
  - name: Allow SSH
    community.general.ufw:
      rule: allow
      name: OpenSSH
  - name: Allow mosh
    community.general.ufw:
      rule: allow
      name: mosh
  - name: Start fail2ban
    ansible.builtin.systemd:
      state: started
      enabled: yes
      name: fail2ban
  - name: Enable fwupd service
    # A previous bug in systemd caused fwupd to always fail. The services were
    # previously masked, making sure it's enabled now. See the following links
    # for further info:
    # https://github.com/fwupd/fwupd/issues/3037
    # https://github.com/fwupd/fwupd/commit/0c9ac226c976836b89e8a3736145f162f43f4691
    # https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1969976
    ansible.builtin.systemd:
      name: "{{ item }}"
      state: started
      masked: no
    loop:
    - fwupd-refresh.service
    - fwupd-refresh.timer
  - name: Suppress Cockpit warning
    # Cockpit outputs error messages if this directory is missing. See
    # https://www.digitalocean.com/community/tutorials/how-to-install-cockpit-on-debian-10#step-1-installing-cockpit
    ansible.builtin.file:
      path: /usr/lib/x86_64-linux-gnu/udisks2/modules
      state: directory
  - name: Dummy NetworkManager interface for Cockpit
    # Cockpit/packagekit relies heavily on NetworkManager, refuses to download
    # updates unless it can see an "online" interface
    # https://cockpit-project.org/faq#error-message-about-being-offline
    block:
    - ansible.builtin.copy:
        src: files/cockpit/nm-conf-10-globally-managed-devices.conf
        dest: /etc/NetworkManager/conf.d/10-globally-managed-devices.conf
    - community.general.nmcli:
        state: present
        type: dummy
        conn_name: fake
        ifname: fake0
        ip4: 1.2.3.4/24
        gw4: 1.2.3.1

  - name: Postfix local transport
    block:
    - name: Bind postfix to local only
      ansible.builtin.lineinfile:
        dest: /etc/postfix/main.cf
        line: "inet_interfaces = loopback-only"
        regexp: '^inet_interfaces'
        state: present
        mode: "0644"
      notify:
      - Reload postfix
    - name: Add virtual map to postfix
      ansible.builtin.lineinfile:
        dest: /etc/postfix/main.cf
        line: "virtual_alias_maps = hash:/etc/postfix/virtual"
        state: present
        mode: "0644"
      notify:
      - Reload postfix
    - name: Add catch-all alias for root
      ansible.builtin.lineinfile:
        dest: /etc/postfix/virtual
        line: "@{{ mail_domain }} root"
        state: present
        mode: "0644"
        create: yes
      notify:
      - Rebuild virtual.db
  - name: Setup backups
    block:
    - name: Install backup script
      ansible.builtin.template:
        src: files/backups/duplicity.sh.j2
        dest: /usr/libexec/duplicity.sh
        mode: '0700'
      no_log: yes
    - name: Create backup log directory
      ansible.builtin.file:
        state: directory
        path: /var/log/backups
    - name: Create backup cronjob
      ansible.builtin.cron:
        name: Back up to storagebox
        cron_file: backup
        hour: 4
        minute: 13
        user: root
        job: "/usr/libexec/duplicity.sh > /var/log/backups/$(date -I).log"
  - name: needrestart - mail to user
    ansible.builtin.lineinfile:
      dest: /etc/needrestart/notify.conf
      line: "NR_NOTIFYD_DISABLE_MAIL='0'"
      regexp: "NR_NOTIFYD_DISABLE_MAIL='1'"
      state: present
      mode: "0644"


  # ====== handlers ======
  handlers:
  - name: Reload postfix
    ansible.builtin.service:
      name: postfix
      state: reloaded
  - name: Rebuild virtual.db
    shell: postmap /etc/postfix/virtual