thingies

ansible/example.inventory.ini

@@ -0,0 +1,2 @@
+[vipy]
+your.vps.ip.here ansible_user=counterweight ansible_port=22 ansible_ssh_private_key_file=~/.ssh/your-key

ansible/infra/01_user_and_access_setup_playbook.yml

@@ -0,0 +1,65 @@
+- name: Secure Debian VPS
+  hosts: vipy
+  vars_files:
+    - ../vars.yml
+  become: true
+
+  tasks:
+    - name: Update and upgrade apt packages
+      apt:
+        update_cache: yes
+        upgrade: full
+        autoremove: yes
+
+    - name: Create new user
+      user:
+        name: "{{ new_user }}"
+        groups: sudo
+        shell: /bin/bash
+        state: present
+        create_home: yes
+
+    - name: Set up SSH directory for new user
+      file:
+        path: "/home/{{ new_user }}/.ssh"
+        state: directory
+        mode: "0700"
+        owner: "{{ new_user }}"
+        group: "{{ new_user }}"
+
+    - name: Copy current user's authorized_keys to new user
+      copy:
+        src: "/home/{{ ansible_user }}/.ssh/authorized_keys"
+        dest: "/home/{{ new_user }}/.ssh/authorized_keys"
+        owner: "{{ new_user }}"
+        group: "{{ new_user }}"
+        mode: "0600"
+        remote_src: true
+
+    - name: Allow new user to run sudo without password
+      copy:
+        dest: "/etc/sudoers.d/{{ new_user }}"
+        content: "{{ new_user }} ALL=(ALL) NOPASSWD:ALL"
+        owner: root
+        group: root
+        mode: "0440"
+
+    - name: Disable root login
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: "{{ item.regexp }}"
+        line: "{{ item.line }}"
+        state: present
+        backrefs: yes
+      loop:
+        - { regexp: "^#?PermitRootLogin .*", line: "PermitRootLogin no" }
+        - {
+            regexp: "^#?PasswordAuthentication .*",
+            line: "PasswordAuthentication no",
+          }
+
+    - name: Restart SSH
+      service:
+        name: ssh
+        state: restarted
+

ansible/infra/02_firewall_playbook.yml

@@ -0,0 +1,76 @@
+- name: Secure Debian VPS
+  hosts: vipy
+  vars_files:
+    - ../vars.yml
+  become: true
+
+  tasks:
+    - name: Install UFW
+      apt:
+        name: ufw
+        state: present
+
+    - name: Turn UFW off
+      ufw:
+        state: disabled
+
+    - name: Configure UFW default rules
+      ufw:
+        policy: deny
+        direction: incoming
+
+    - name: Allow outgoing traffic
+      ufw:
+        rule: allow
+        direction: out
+
+    - name: Allow SSH port through UFW
+      ufw:
+        rule: allow
+        direction: in
+        port: "{{ ssh_port }}"
+        proto: tcp
+        from_ip: "{{ allow_ssh_from if allow_ssh_from != 'any' else omit }}"
+
+    - name: Turn UFW on
+      ufw:
+        state: enabled
+
+    - name: Install fail2ban
+      apt:
+        name: fail2ban
+        state: present
+
+    - name: Ensure fail2ban is running
+      service:
+        name: fail2ban
+        enabled: yes
+        state: started
+
+    - name: Remove unnecessary services
+      apt:
+        name: "{{ item }}"
+        state: absent
+        purge: yes
+      loop:
+        - exim4
+        - apache2
+        - cups
+        - rpcbind
+        - nfs-common
+        - telnet
+        - ftp
+        - samba
+
+    - name: Install auditd
+      apt:
+        name:
+          - auditd
+          - audispd-plugins
+        state: present
+
+    - name: Enable and start auditd
+      service:
+        name: auditd
+        enabled: yes
+        state: started

ansible/services/caddy_playbook.yml

@@ -0,0 +1,61 @@
+- name: Install and configure Caddy on Debian 12
+  hosts: vipy
+  become: yes
+
+  tasks:
+    - name: Install required packages
+      apt:
+        name:
+          - debian-keyring
+          - debian-archive-keyring
+          - apt-transport-https
+          - curl
+        state: present
+        update_cache: yes
+
+    - name: Download Caddy GPG armored key
+      ansible.builtin.get_url:
+        url: https://dl.cloudsmith.io/public/caddy/stable/gpg.key
+        dest: /tmp/caddy-stable-archive-keyring.asc
+        mode: '0644'
+
+    - name: Convert ASCII armored key to binary keyring
+      ansible.builtin.command:
+        cmd: gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg /tmp/caddy-stable-archive-keyring.asc
+      args:
+        creates: /usr/share/keyrings/caddy-stable-archive-keyring.gpg
+
+    - name: Ensure permissions on keyring file
+      ansible.builtin.file:
+        path: /usr/share/keyrings/caddy-stable-archive-keyring.gpg
+        owner: root
+        group: root
+        mode: '0644'
+
+    - name: Add Caddy repository list file
+      ansible.builtin.get_url:
+        url: https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt
+        dest: /etc/apt/sources.list.d/caddy-stable.list
+        mode: '0644'
+        validate_certs: yes
+
+    - name: Update apt cache after adding repo
+      apt:
+        update_cache: yes
+
+    - name: Install Caddy
+      apt:
+        name: caddy
+        state: present
+
+    - name: Ensure Caddy service is enabled and started
+      systemd:
+        name: caddy
+        enabled: yes
+        state: started
+
+    - name: Allow HTTPS through UFW
+      ufw:
+        rule: allow
+        port: '443'
+        proto: tcp

ansible/services/docker_playbook.yml

@@ -0,0 +1,59 @@
+- name: Install Docker and Docker Compose on Debian 12
+  hosts: all
+  become: yes
+
+  tasks:
+    - name: Ensure required packages are installed
+      apt:
+        name:
+          - ca-certificates
+          - curl
+          - gnupg
+          - lsb-release
+        state: present
+        update_cache: yes
+
+    - name: Add Docker GPG key
+      ansible.builtin.apt_key:
+        url: https://download.docker.com/linux/debian/gpg
+        state: present
+
+    - name: Add Docker repository
+      ansible.builtin.apt_repository:
+        repo: "deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
+        state: present
+        filename: docker
+
+    - name: Update apt cache after adding Docker repo
+      apt:
+        update_cache: yes
+
+    - name: Install Docker Engine and CLI
+      apt:
+        name:
+          - docker-ce
+          - docker-ce-cli
+          - containerd.io
+          - docker-buildx-plugin
+          - docker-compose-plugin
+        state: latest
+
+    - name: Ensure Docker is started and enabled
+      systemd:
+        name: docker
+        enabled: yes
+        state: started
+
+    - name: Add user to docker group
+      user:
+        name: "{{ ansible_user }}"
+        groups: docker
+        append: yes
+
+    - name: Create symlink for docker-compose (optional CLI alias)
+      file:
+        src: /usr/libexec/docker/cli-plugins/docker-compose
+        dest: /usr/local/bin/docker-compose
+        state: link
+      when: ansible_facts['os_family'] == "Debian"
+      ignore_errors: true  # In case the plugin path differs slightly

ansible/services/uptime_kuma_playbook.yml

@@ -0,0 +1,51 @@
+- name: Deploy Uptime Kuma with Docker Compose and configure Caddy reverse proxy
+  hosts: vipy
+  become: yes
+  vars:
+    uptime_kuma_dir: /opt/uptime-kuma
+    uptime_kuma_port: 3001
+    caddy_sites_dir: /etc/caddy/sites-enabled
+    uptime_kuma_domain: uptime.example.com  # Change to your domain
+
+  tasks:
+    - name: Create uptime kuma directory
+      file:
+        path: "{{ uptime_kuma_dir }}"
+        state: directory
+        owner: {{ ansible_user }}
+        group: {{ ansible_user }}
+        mode: '0755'
+
+    - name: Create docker-compose.yml for uptime kuma
+      copy:
+        dest: "{{ uptime_kuma_dir }}/docker-compose.yml"
+        content: |
+          version: "3"
+          services:
+            uptime-kuma:
+              image: louislam/uptime-kuma:latest
+              container_name: uptime-kuma
+              restart: unless-stopped
+              ports:
+                - "{{ uptime_kuma_port }}:3001"
+              volumes:
+                - ./data:/app/data
+
+    - name: Deploy uptime kuma container with docker compose
+      command: docker-compose up -d
+      args:
+        chdir: "{{ uptime_kuma_dir }}"
+
+    - name: Create Caddy reverse proxy configuration for uptime kuma
+      copy:
+        dest: "{{ caddy_sites_dir }}/uptime-kuma.conf"
+        content: |
+          {{ uptime_kuma_domain }} {
+              reverse_proxy localhost:{{ uptime_kuma_port }}
+          }
+        owner: root
+        group: root
+        mode: '0644'
+
+    - name: Reload Caddy to apply new config
+      command: systemctl reload caddy

ansible/vars.yml

@@ -0,0 +1,4 @@
+new_user: counterweight
+ssh_port: 22
+allow_ssh_from: "any"
+