
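---
# Provisions the local host: base packages, headless KVM, ZFS-backed Samba
# shares, a WireGuard client (used to reach the reverse proxy for Cockpit)
# and Cockpit with OATH two-factor authentication.
# Tasks that write under /etc or to root-owned directories escalate with
# become; everything else runs as the invoking user.
# usbkey_mountdir, usbkey_uuid and admin_user_name are not defined in this
# file and are expected from the inventory / vault.
- hosts: localhost
  vars:
    # Packages to install
    packages:
      # System
      - linux-headers-amd64
      - build-essential
      - ssh
      - mount
      - vim
      - neofetch
      - htop
      - doas
      # Headless KVM Setup
      - qemu-kvm
      - libvirt-clients
      - libvirt-daemon-system
      - bridge-utils
      - virtinst
      - libvirt-daemon
      - cpu-checker
      - libguestfs-tools
      - libosinfo-bin
      # File Server
      - zfsutils-linux
      - samba
      # USB Key
      # - exfat-fuse
      # - exfat-utils
      - exfatprogs
      # VPN Client to access Proxy Server (Primarily for cockpit)
      - wireguard
      # Firewall
      - iptables-persistent
      # Cockpit web interface for web management of server
      - cockpit
      - cockpit-machines
      # Two Factor Authentication for Cockpit
      - libpam-oath
      - oathtool
    # Not referenced by any task in this play; presumably consumed by a
    # template or another play — verify before removing.
    available_servicedirs: []

  tasks:
    - name: Apply default doas configuration allowing wheel group users to elevate commands with prompt
      become: true
      ansible.builtin.template:
        src: root_resources/etc/doas.conf
        dest: /etc/doas.conf

    # doas persist does not work within scripts, so the prompt is switched
    # off for the rest of the run. The `always` section of the block below
    # restores the default config even when a task fails, so an aborted run
    # cannot leave passwordless doas behind.
    - name: Temporarily disable doas pass prompt as doas persist does not work within scripts
      become: true
      ansible.builtin.replace:
        path: /etc/doas.conf
        regexp: 'persist'
        replace: 'nopass'

    - name: Provision the host while the doas prompt is disabled
      block:
        # System Setup
        - name: Ensure .bashrc is updated
          ansible.builtin.template:
            src: home_resources/.bashrc
            dest: "~/.bashrc"
        # /etc/apt/sources.list is root-owned, so this needs escalation like
        # the other /etc edits in this play.
        - name: Add contrib
          become: true
          ansible.builtin.replace:
            path: /etc/apt/sources.list
            regexp: '^(deb(?!.* contrib).*)'
            replace: '\1 contrib'
        # Custom Helper Scripts
        - name: Create the local bin dir if it does not exist
          ansible.builtin.file:
            path: "~/.local/bin"
            state: directory
            mode: '0755'
        - name: Ensure custom scripts are added to local bin dir
          ansible.builtin.template:
            src: "home_resources/.local/bin/{{ item }}"
            dest: "~/.local/bin/{{ item }}"
            # Executable but not writable by group/other: these scripts sit
            # on the admin's PATH, so a world-writable mode would let any
            # local account change what the admin runs.
            mode: '0755'
          loop:
            - spark_ansible-playbook.sh
            - spark_ansible-editvault.sh
            - spark_ansible-viewvault.sh
        # Network Config
        - name: Ensure Network configuration is updated
          become: true
          ansible.builtin.template:
            src: root_resources/etc/network/interfaces
            dest: /etc/network/interfaces
        # DNS Config
        # NOTE(review): systemd-resolved normally manages /etc/resolv.conf
        # itself (often as a symlink); confirm the templated file survives
        # the service start below.
        - name: Ensure DNS configuration is updated
          become: true
          ansible.builtin.template:
            src: root_resources/etc/resolv.conf
            dest: /etc/resolv.conf
        - name: Enable Systemd Resolved for DNS queries
          become: true
          ansible.builtin.systemd:
            name: systemd-resolved
            enabled: true
            state: started
        # Package Config
        - name: Ensure list of packages is installed
          become: true
          ansible.builtin.apt:
            name: "{{ packages }}"
            state: present
            # contrib was just added to sources.list above; refresh the
            # index so packages from it resolve on a fresh host.
            update_cache: true
        - name: Ensure USB key mountpoint exists
          become: true
          ansible.builtin.file:
            path: "{{ usbkey_mountdir }}"
            state: directory
        # FStab Config
        - name: Mount up USB key by UUID
          become: true
          ansible.posix.mount:
            path: "{{ usbkey_mountdir }}"
            src: "UUID={{ usbkey_uuid }}"
            fstype: exfat
            # exfat carries no Unix permissions; dmask=0000/fmask=0111 expose
            # the key as world-readable and world-writable (dirs 0777,
            # files 0666). Use dmask=0022,fmask=0133 if only uid 1000 should
            # be able to write to it.
            opts: nofail,dmask=0000,fmask=0111,gid=1000,uid=1000
            state: present
        # SSH Server Setup
        - name: Enable SSH
          become: true
          ansible.builtin.systemd:
            name: ssh
            enabled: true
            state: started
        - name: Ensure local ssh configuration is updated
          ansible.builtin.template:
            src: home_resources/.ssh/config
            dest: "~/.ssh/config"
        - name: Ensure sshd configuration is updated
          become: true
          ansible.builtin.template:
            src: root_resources/etc/ssh/sshd_config
            dest: /etc/ssh/sshd_config
            # Reject a config sshd itself cannot parse before it replaces
            # the live one; a broken sshd_config locks remote admins out.
            validate: '/usr/sbin/sshd -t -f %s'
          notify: Restart sshd
        # Cockpit Configuration
        - name: Ensure cockpit configuration is updated
          become: true
          ansible.builtin.template:
            src: root_resources/etc/cockpit/cockpit.conf
            dest: /etc/cockpit/cockpit.conf
        # Cockpit 2FA Setup
        - name: Add cockpit two factor authentication key to system
          become: true
          ansible.builtin.template:
            src: root_resources/etc/cockpit.oath
            dest: /etc/cockpit.oath
            # Holds the OATH seed; anyone who can read it can generate valid
            # second-factor codes, so keep it root-only.
            owner: root
            group: root
            mode: '0600'
        - name: Configure cockpit to use oath two factor authentication
          become: true
          ansible.builtin.template:
            src: root_resources/etc/pam.d/cockpit
            dest: /etc/pam.d/cockpit
        # Wireguard VPN Client Setup to establish connection to reverse proxy frontend (Primarily for cockpit)
        - name: Ensure wireguard client configuration is updated
          become: true
          ansible.builtin.template:
            src: root_resources/etc/wireguard/wg0.conf
            dest: /etc/wireguard/wg0.conf
            # Contains the tunnel's private key; wg-quick warns when the
            # file is readable by anyone other than root.
            owner: root
            group: root
            mode: '0600'
          notify: Restart wireguard
        # wg-quick invokes `resolvconf` to apply the tunnel's DNS settings;
        # on systemd hosts that binary is absent, so expose resolvectl
        # (which offers a compatible interface when invoked under that name).
        - name: Ensure wireguard can find resolvconf on SystemD init systems
          become: true
          ansible.builtin.file:
            src: /usr/bin/resolvectl
            dest: /usr/local/bin/resolvconf
            state: link
        - name: Enable wireguard client
          become: true
          ansible.builtin.systemd:
            name: wg-quick@wg0
            enabled: true
            state: started
        # Each respective service will have a user associated to it to ensure it'll be able to only edit the files in their folder in the service directory
        # Services Configuration - Groups
        # NOTE(review): assumes the wheel group already exists (Debian does
        # not create one by default); the user module fails otherwise.
        - name: "Create admin user {{ admin_user_name }}"
          become: true
          ansible.builtin.user:
            name: "{{ admin_user_name }}"
            state: present
            groups: wheel,libvirt
            append: true
        # Services directory - where VM's etc are stored
        # (Directory should already exist via ZFS!)
        - name: Directory permissions for Service folder
          become: true
          ansible.builtin.file:
            path: /spool1/services
            state: directory
            owner: "{{ admin_user_name }}"
            group: root
            mode: '0755'
        # Nextcloud has its own dedicated zfs directory to be able to set its own quota
        # (Directory should already exist via ZFS!)
        - name: Directory permissions for dedicated Nextcloud service folder
          become: true
          ansible.builtin.file:
            path: /spool1/nextcloud
            state: directory
            owner: "{{ admin_user_name }}"
            group: root
            mode: '1700'
        # File Server Setup
        - name: Enable SAMBA
          become: true
          ansible.builtin.systemd:
            name: smbd
            enabled: true
            state: started
        - name: Ensure samba configuration is updated
          become: true
          ansible.builtin.template:
            src: root_resources/etc/samba/smb.conf
            dest: /etc/samba/smb.conf
          notify: Restart samba
        # SMB Fileserver Permissions
        # (Directory should already exist via ZFS!)
        - name: Directory permissions for spool1 secret SMB fileserver directory
          become: true
          ansible.builtin.file:
            path: /spool1/secret
            state: directory
            owner: "{{ admin_user_name }}"
            group: root
            mode: '1700'
        # (Directory should already exist via ZFS!)
        - name: Directory permissions for spool2 secret SMB fileserver directory
          become: true
          ansible.builtin.file:
            path: /spool2/secret
            state: directory
            owner: "{{ admin_user_name }}"
            group: root
            mode: '1700'
        # Run notified handlers now, while doas is still passwordless;
        # otherwise they would fire after the `always` section has restored
        # the prompt and stall the run.
        - name: Apply pending service restarts
          ansible.builtin.meta: flush_handlers
      always:
        - name: Reset doas configuration back to default
          become: true
          ansible.builtin.template:
            src: root_resources/etc/doas.conf
            dest: /etc/doas.conf

    # End
    - name: Debug Finish message
      ansible.builtin.debug:
        msg: Ansible playbook has finished!

  # Restarts for services whose config files are templated above; only run
  # when the corresponding template task reports a change.
  handlers:
    - name: Restart sshd
      become: true
      ansible.builtin.systemd:
        name: ssh
        state: restarted
    - name: Restart samba
      become: true
      ansible.builtin.systemd:
        name: smbd
        state: restarted
    - name: Restart wireguard
      become: true
      ansible.builtin.systemd:
        name: wg-quick@wg0
        state: restarted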