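---
# Provision the reverse proxy / VPN host: base packages, doas, SSH, WireGuard
# and NGINX. Every task runs as root (play-level become).
#
# doas is switched to "nopass" before the main block and restored in its
# `always:` section, so the prompt-free window is closed even when a task
# fails. Because of that a failing task now stops the play instead of being
# silently skipped (the play-wide `ignore_errors` was dropped: it would also
# have hidden a broken sshd or doas config).
- hosts:
    - "{{ proxy_server_hostname }}"
    # - "{{ proxy_server_hostname }}"-defaultport
  become: true

  vars:
    # Packages to install
    packages:
      # System
      - linux-headers-amd64
      - build-essential
      - ssh
      - mount
      - vim
      - neofetch
      - htop
      # Reverse Proxy/Webserver
      - nginx
      - libnginx-mod-stream  # Module allowing to proxy TCP, UDP (1.9.13), UNIX-domain sockets requests.
      - libnginx-mod-mail  # Module allowing to proxy IMAP, POP3 & SMTP.
      - haproxy  # Alternate dedicated Reverse Proxy, using for mail
      # VPN Server
      - wireguard
      # TLS
      - certbot
      - python3-certbot-nginx
      # Firewall (package only; this play manages no iptables rules)
      - iptables-persistent

    # NGINX virtual hosts to render and enable. Each entry <name> needs a
    # proxy_resources/etc/nginx/sites-available/<name>.domain template and is
    # installed as <name>.{{ domain_name }}. Further candidates once their
    # templates exist: invidious, mail, searxng, nextcloud, chat.
    proxy_sites:
      - git

  handlers:
    - name: Restart sshd
      ansible.builtin.systemd:
        name: ssh
        state: restarted

    - name: Reload nginx
      ansible.builtin.systemd:
        name: nginx
        state: reloaded

    # NOTE(review): if this host is managed over the tunnel itself, restarting
    # wg-quick drops the control session - confirm before relying on it.
    - name: Restart wireguard
      ansible.builtin.systemd:
        name: wg-quick@wg0
        state: restarted

  tasks:
    - name: Apply default doas configuration allowing wheel group users to elevate commands with prompt
      ansible.builtin.template:
        src: root_resources/etc/doas.conf
        dest: /etc/doas.conf
        owner: root
        group: root
        mode: "0600"  # doas rejects a config that is group/other writable or not root-owned
        validate: doas -C %s  # parse check before the file is put in place

    - name: Temporarily disable doas pass prompt as doas persist does not work within scripts
      ansible.builtin.replace:
        path: /etc/doas.conf
        regexp: 'persist'
        replace: 'nopass'
        validate: doas -C %s

    - name: Provision host while the doas prompt is disabled
      block:
        # System Setup
        - name: Ensure .bashrc is updated
          ansible.builtin.template:
            src: proxy_resources/.bashrc
            dest: "~/.bashrc"  # expands to the become user's (root) home

        - name: Add contrib
          ansible.builtin.replace:
            path: /etc/apt/sources.list
            regexp: '^(deb(?!.* contrib).*)'
            replace: '\1 contrib'

        - name: Ensure list of packages is installed
          ansible.builtin.apt:
            name: "{{ packages }}"
            state: present
            update_cache: true  # sources.list was just edited above

        # SSH Server Setup
        - name: Enable SSH
          ansible.builtin.systemd:
            name: ssh
            state: started

        - name: Ensure sshd configuration is updated
          ansible.builtin.template:
            src: proxy_resources/etc/ssh/sshd_config
            dest: /etc/ssh/sshd_config
            owner: root
            group: root
            mode: "0600"
            validate: /usr/sbin/sshd -t -f %s  # refuse a config that would lock us out
          notify: Restart sshd

        # Wireguard VPN Server Setup
        - name: Ensure wireguard server configuration is updated
          ansible.builtin.template:
            src: proxy_resources/etc/wireguard/wg0.conf
            dest: /etc/wireguard/wg0.conf
            owner: root
            group: root
            mode: "0600"  # the file carries the interface private key
          notify: Restart wireguard

        - name: Enable and persist ip forwarding
          ansible.posix.sysctl:
            name: net.ipv4.ip_forward
            value: "1"
            state: present
            sysctl_set: true
            reload: true

        - name: Enable wireguard server
          ansible.builtin.systemd:
            name: wg-quick@wg0
            enabled: true
            state: started

        # NGinx Reverse Proxy/Webserver Setup
        - name: Ensure NGinx main config is updated
          ansible.builtin.template:
            src: proxy_resources/etc/nginx/nginx.conf
            dest: /etc/nginx/nginx.conf
            owner: root
            group: root
            mode: "0644"
          notify: Reload nginx

        - name: Ensure NGinx sites config directory exists
          ansible.builtin.file:
            path: /etc/nginx/sites-available/
            state: directory

        - name: Ensure reverse proxy site configs are updated
          ansible.builtin.template:
            src: "proxy_resources/etc/nginx/sites-available/{{ item }}.domain"
            dest: "/etc/nginx/sites-available/{{ item }}.{{ domain_name }}"
            owner: root
            group: root
            mode: "0644"
          loop: "{{ proxy_sites }}"
          notify: Reload nginx

        - name: Enable the reverse proxy site configs
          ansible.builtin.file:
            src: "/etc/nginx/sites-available/{{ item }}.{{ domain_name }}"
            dest: "/etc/nginx/sites-enabled/{{ item }}.{{ domain_name }}"
            state: link
          loop: "{{ proxy_sites }}"
          notify: Reload nginx

        - name: Enable NGinx
          ansible.builtin.systemd:
            name: nginx
            enabled: true
            state: started

        # Experimental NGinx Email Proxy
        # - name: Ensure Email Proxy Authentication Server is updated
        #   ansible.builtin.template:
        #     src: proxy_resources/home/mail-authserver.py
        #     dest: ~/mail-authserver.py

        # HAProxy Reverse Proxy Setup
        # - name: Ensure HAProxy configuration is updated
        #   ansible.builtin.template:
        #     src: proxy_resources/etc/haproxy/haproxy.cfg
        #     dest: /etc/haproxy/haproxy.cfg
        # - name: Enable HAProxy
        #   ansible.builtin.systemd:
        #     name: haproxy
        #     state: started

      always:
        # Runs whether the block succeeded or not, so doas never stays "nopass".
        - name: Reset doas configuration back to default
          ansible.builtin.template:
            src: root_resources/etc/doas.conf
            dest: /etc/doas.conf
            owner: root
            group: root
            mode: "0600"
            validate: doas -C %s

    # End
    - name: Debug Finish message
      ansible.builtin.debug:
        msg: Ansible playbook has finished!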