From e2ef196a6211f8f9e825cb7e182e410ac1e027ec Mon Sep 17 00:00:00 2001
From: Jef Roosens
Date: Mon, 14 Apr 2025 14:32:04 +0200
Subject: [PATCH 1/2] webdav: switch to non-bcrypt config password
---
 group_vars/nas/vars.yml | 1 +
 group_vars/nas/vault.yml | 87 ++++++++++++++-------
 roles/webdav/templates/config.toml.j2 | 2 +-
 3 files changed, 47 insertions(+), 43 deletions(-)
diff --git a/group_vars/nas/vars.yml b/group_vars/nas/vars.yml
index 25ec871..ac66459 100644
--- a/group_vars/nas/vars.yml
+++ b/group_vars/nas/vars.yml
@@ -20,3 +20,4 @@ nefarious_admin_pass: "{{ vault_nefarious_admin_pass }}"
 webdav_version: '5.7.4'
 webdav_user: "{{ vault_webdav_user }}"
 webdav_password_bcrypt: "{{ vault_webdav_password_bcrypt }}"
+webdav_password: "{{ vault_webdav_password }}"
diff --git a/group_vars/nas/vault.yml b/group_vars/nas/vault.yml
index b4eda49..15af238 100644
--- a/group_vars/nas/vault.yml
+++ b/group_vars/nas/vault.yml
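Review bot: `webdav_password_bcrypt` (sourced from `vault_webdav_password_bcrypt`) stays defined on the context line directly above the added `webdav_password`, although the config.toml.j2 hunk of this same patch removes the only place that consumed it. Leftover credential variables in group_vars tend to survive the rotation that a change like this should trigger, so I would drop that line here and, if it is still present after the re-encryption, the matching key in the vault. A short note in the commit body on why the hashed form is abandoned would also help the next reader, since the title only records the switch itself.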
@@ -1,43 +1,46 @@ $ANSIBLE_VAULT;1.1;AES256 -61313631626664383562666362636266653966633162646535656238616132333434366633373563 -6131663830316134363130396265393636613631396339340a356137323363316565626234303233 -33393461623663303939386465396361656131333533326166353365376132396531643732373330 -6338386366613665320a333365333263663038343265323862633162386561636332323438323030 -37663434643038333861313563363261613631643939646534646338326432326633356166616232 -34636164663166366530343562366364663538303931666534343262323633633139363137653830 -33663830333164313531366563346235313032313264663163386234383465323739323165613161 -38376437356662313865303065393832623638386335303031376238383964313034636363613430 -62396435643662323936393339653561333163616563346636343066643561643566303234303465 -32356132393434346465666261373830386230373933343561376334393334646565353763363066 -63313763306232353434363139333135653034373336626565343538653564323165613738623662 -61393162383837363464653439373339303832363134396330316166333734373735666634393732 -62653835363461666633613833626435653637306132623736346662323730623732323636316533 -36393533353539396562376636656661383766343235653663343662613130633130306162646134 -30366239336566326461343136313264326532303962613034393335626565326261366636393238 -62666534653839323263393535316564626362633065393861663062666335666637346539303565 -31656339376463646534386663333332373130353131646561663136383562613137383837366336 -63616536653834333634396431643232613832633064656162346465363133356637653438363138 -30303466323031353265643134636138656664356463633430643465383534363836633436306537 -35326565363637626165346265333461633261393834656263666339306163393466326131663166 -36353937396630323733346532306331656131373634343538363835656163633061633537396137 -63366333616265313737613264653563333232393136396437316131656639383935343833616130 -33613566343330613032666632643634613239393963616566353332643931656134386336363363 
-34623635633166633339313734323335656137623631383539636338393432353665363835643465 -37363762316136616631656364643763643365393662373531343362313466653366363765396261 -31656466343461316434326432346334313136373237393438373636393631356236303234343263 -38616138386536343265303539386564383939636262646134613736393437653564363137653865 -38656232383564373739376234646338323432623437643362366630373731306136623636303865 -65613134396538343430373438663862333338303030326233626534393865656633376663363961 -65343630356635366663346132626661663036653036323233333261316635363933376634303066 -30323666303737396338386365336533376262363739313837636239626263333931396262313430 -66626337386639366531363539633337333834333063326463616634376230653264623339666430 -37393163306562646138353536313561646266303732393637373634363735613131396465656436 -39323966623134316632346131363865396534623261373832326564393161666636393030336335 -37646266373939303530396138396465663733376433646332326634383166323961353435303235 -33616637306334303934366466313261666264653236616335373330313631663037363632613535 -37663138396131343265376430333264336534633238356264613562643835316134306664653830 -62633766306231363635323364313438323161356331636135633832353238353036363362666463 -31353133626365373932336231343736383133323037663163636337336262653862643362353931 -62373062386264366161616230336464386662643836646436366338323861303336313733656333 -31303737643033623962366133653462626162363834333066383333633362333738373235613838 -6163386237363932613938316164333535636161306131643835 +37373564656134613736306633386537663237363864326137613332366537353336373431653664 +6334326532353261303062636632346564303131663462380a333937373539616234663363353536 +33626565303730373666363938343739666138326437323732666238353364636665626439396633 +3039623438383931390a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diff --git a/roles/webdav/templates/config.toml.j2 b/roles/webdav/templates/config.toml.j2 index 6c41282..dc8bb0b 100644 
--- a/roles/webdav/templates/config.toml.j2
+++ b/roles/webdav/templates/config.toml.j2
@@ -25,7 +25,7 @@ enabled = false
 [[users]]
 username = '{{ webdav_user }}'
-password = '{bcrypt}{{ webdav_password_bcrypt }}'
+password = '{{ webdav_password }}'
 permissions = 'CRUD'
 # vim: ft=toml
From 2ae759025c18babf53a1b794dbd938ec0f3b954b Mon Sep 17 00:00:00 2001
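Review bot: The rendered config now carries the reusable cleartext credential where it previously held only a bcrypt hash, so the on-disk permissions of config.toml become the sole thing keeping it from any local reader; the task that writes this template is outside the patch, so please confirm it sets a restrictive owner and mode (`0600` or equivalent) rather than the default. Separately, the added line renders the value inside a TOML literal string, which cannot contain `'` and has no escape mechanism, so a vault password containing that character would produce an unparsable file; rendering it as a basic string, `password = {{ webdav_password | to_json }}`, yields valid TOML for any value. If the hash was dropped because the consuming service no longer accepts the `{bcrypt}` prefix, a one-line comment above the `[[users]]` table saying so would stop someone from "fixing" it back.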
From: Jef Roosens
Date: Thu, 24 Apr 2025 17:01:03 +0200
Subject: [PATCH 2/2] refactor: clean up directories and start standardized role names
---
 ansible.cfg | 1 +
 inventory/external.ini | 14 +++++++
 .../group_vars}/all/vars.yml | 0
 .../group_vars}/all/vault.yml | 0
 .../group_vars}/nas/vars.yml | 0
 .../group_vars}/nas/vault.yml | 0
 .../group_vars}/ruby/vars.yml | 0
 .../group_vars}/ruby/vault.yml | 0
 hosts.ini => inventory/local.ini | 0
 hosts.template.ini => inventory/template.ini | 0
 inventory/vagrant.ini | 2 +
 first_run.yml => plays/first_run.yml | 0
 main.yml => plays/main.yml | 0
 nas.yml => plays/nas.yml | 0
 plays/pearl.yml | 14 +++++++
 ruby.yml => plays/ruby.yml | 0
 web.yml => plays/web.yml | 0
 .../files/authorized_keys | 5 +++
 roles/any.common.debian-user/tasks/main.yml | 38 +++++++++++++++++++
 .../files/sources.list | 10 +++++
 .../any.common.enable-testing/tasks/main.yml | 17 +++++++++
 roles/any.common.python/tasks/main.yml | 5 +++
 roles/any.tools.caddy/files/Caddyfile | 14 +++++++
 roles/any.tools.caddy/handlers/main.yml | 5 +++
 roles/any.tools.caddy/tasks/main.yml | 35 +++++++++++++++++
 25 files changed, 160 insertions(+)
 create mode 100644 inventory/external.ini
 rename {group_vars => inventory/group_vars}/all/vars.yml (100%)
 rename {group_vars => inventory/group_vars}/all/vault.yml (100%)
 rename {group_vars => inventory/group_vars}/nas/vars.yml (100%)
 rename {group_vars => inventory/group_vars}/nas/vault.yml (100%)
 rename {group_vars => inventory/group_vars}/ruby/vars.yml (100%)
 rename {group_vars => inventory/group_vars}/ruby/vault.yml (100%)
 rename hosts.ini => inventory/local.ini (100%)
 rename hosts.template.ini => inventory/template.ini (100%)
 create mode 100644 inventory/vagrant.ini
 rename first_run.yml => plays/first_run.yml (100%)
 rename main.yml => plays/main.yml (100%)
 rename nas.yml => plays/nas.yml (100%)
 create mode 100644 plays/pearl.yml
 rename ruby.yml => plays/ruby.yml (100%)
 rename web.yml => plays/web.yml (100%)
 create mode 100644 roles/any.common.debian-user/files/authorized_keys
 create mode 100644 roles/any.common.debian-user/tasks/main.yml
 create mode 100644 roles/any.common.enable-testing/files/sources.list
 create mode 100644 roles/any.common.enable-testing/tasks/main.yml
 create mode 100644 roles/any.common.python/tasks/main.yml
 create mode 100644 roles/any.tools.caddy/files/Caddyfile
 create mode 100644 roles/any.tools.caddy/handlers/main.yml
 create mode 100644 roles/any.tools.caddy/tasks/main.yml
diff --git a/ansible.cfg b/ansible.cfg
index ffa54b9..387d99f 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,3 +1,4 @@
 [defaults]
 vault_password_file = .ansible-password
 inventory = hosts.ini
+roles_path = roles
diff --git a/inventory/external.ini b/inventory/external.ini
new file mode 100644
index 0000000..16cd285
--- /dev/null
+++ b/inventory/external.ini
@@ -0,0 +1,14 @@
+; [nas]
+; 213.119.99.214 ansible_ssh_port=2223 static_ip=192.168.0.3
+
+[ruby]
+213.119.99.214 ansible_ssh_port=2222 static_ip=192.168.0.2
+
+[gitea]
+213.119.99.214 ansible_ssh_port=2222 static_ip=192.168.0.2
+
+[web]
+213.119.99.214 ansible_ssh_port=2223 static_ip=192.168.0.3
+
+; [actual]
+; 213.119.99.214 ansible_ssh_port=2223 static_ip=192.168.0.3
diff --git a/group_vars/all/vars.yml b/inventory/group_vars/all/vars.yml
similarity index 100%
rename from group_vars/all/vars.yml
rename to inventory/group_vars/all/vars.yml
diff --git a/group_vars/all/vault.yml b/inventory/group_vars/all/vault.yml
similarity index 100%
rename from group_vars/all/vault.yml
rename to inventory/group_vars/all/vault.yml
diff --git a/group_vars/nas/vars.yml b/inventory/group_vars/nas/vars.yml
similarity index 100%
rename from group_vars/nas/vars.yml
rename to inventory/group_vars/nas/vars.yml
diff --git a/group_vars/nas/vault.yml b/inventory/group_vars/nas/vault.yml
similarity index 100%
rename from group_vars/nas/vault.yml
rename to inventory/group_vars/nas/vault.yml
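Review bot: `inventory = hosts.ini` on the context line directly above the added `roles_path = roles` now points at a file this same patch renames to `inventory/local.ini`, so any `ansible-playbook` invocation that relies on the config default will fail to find an inventory. Either change it to `inventory = inventory/local.ini` or remove the key and always pass `-i`; the moved `inventory/group_vars` tree will still be picked up either way, because Ansible also looks for group_vars next to the inventory file. `roles_path = roles` is resolved relative to the directory holding ansible.cfg, which is fine for the plays now living in `plays/` as long as they are launched from the repository root.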
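Review bot: The host lines use `ansible_ssh_port`, and vagrant.ini in the next hunk uses `ansible_ssh_user`; both are the pre-2.0 spellings that Ansible documents as deprecated in favour of `ansible_port` and `ansible_user`, so switching now avoids a surprise on a later core upgrade. The commented-out `[nas]` and `[actual]` stanzas repeat the `[web]` host line byte for byte; if they are placeholders for machines not yet provisioned, a one-line comment saying so would help, otherwise they are dead configuration in a file this commit creates.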
diff --git a/group_vars/ruby/vars.yml b/inventory/group_vars/ruby/vars.yml
similarity index 100%
rename from group_vars/ruby/vars.yml
rename to inventory/group_vars/ruby/vars.yml
diff --git a/group_vars/ruby/vault.yml b/inventory/group_vars/ruby/vault.yml
similarity index 100%
rename from group_vars/ruby/vault.yml
rename to inventory/group_vars/ruby/vault.yml
diff --git a/hosts.ini b/inventory/local.ini
similarity index 100%
rename from hosts.ini
rename to inventory/local.ini
diff --git a/hosts.template.ini b/inventory/template.ini
similarity index 100%
rename from hosts.template.ini
rename to inventory/template.ini
diff --git a/inventory/vagrant.ini b/inventory/vagrant.ini
new file mode 100644
index 0000000..2255d85
--- /dev/null
+++ b/inventory/vagrant.ini
@@ -0,0 +1,2 @@
+[pearl]
+192.168.56.2 ansible_ssh_user=vagrant ansible_ssh_private_key_file='.vagrant/machines/pearl/virtualbox/private_key'
diff --git a/first_run.yml b/plays/first_run.yml
similarity index 100%
rename from first_run.yml
rename to plays/first_run.yml
diff --git a/main.yml b/plays/main.yml
similarity index 100%
rename from main.yml
rename to plays/main.yml
diff --git a/nas.yml b/plays/nas.yml
similarity index 100%
rename from nas.yml
rename to plays/nas.yml
diff --git a/plays/pearl.yml b/plays/pearl.yml
new file mode 100644
index 0000000..5051ec3
--- /dev/null
+++ b/plays/pearl.yml
@@ -0,0 +1,14 @@
+---
+- hosts: pearl
+ gather_facts: false
+ become: true
+ roles:
+ - 'any.common.python'
+ tags: base
+
+- hosts: pearl
+ become: true
+ roles:
+ # - 'any.common.enable-testing'
+ - 'any.common.debian-user'
+ tags: base
diff --git a/ruby.yml b/plays/ruby.yml
similarity index 100%
rename from ruby.yml
rename to plays/ruby.yml
diff --git a/web.yml b/plays/web.yml
similarity index 100%
rename from web.yml
rename to plays/web.yml
diff --git a/roles/any.common.debian-user/files/authorized_keys b/roles/any.common.debian-user/files/authorized_keys
new file mode 100644
index 0000000..c63ff39
--- /dev/null
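Review bot: Neither play in pearl.yml has a `name:`, so a run prints two anonymous `PLAY [pearl]` headers and nothing explains why the first one sets `gather_facts: false` (presumably because Python is not installed until `any.common.python` has run); `- name: Bootstrap Python on pearl` and `- name: Configure pearl base system` would make that visible. The commented role line `# - 'any.common.enable-testing'` is dead configuration in a file this commit creates; if the role is meant to be opt-in, gating it with a variable or giving it its own tag expresses that better than a comment. Both plays carry the same `tags: base`, so the tag cannot be used to run only one of them.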
+++ b/roles/any.common.debian-user/files/authorized_keys
@@ -0,0 +1,5 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCkDjXuZn+blanbJAhte8KttrpeCPeT5CGcZ5mlAZv724wTa4qebpwCnf4SK4aFuDQEuCusnia3+X7YWAyCDReNURznAWCtq+b8LGxyIm2hTBbLA1m8sj0xidR/djlUtOwDp9VpSNamUWyiPWJ+WNsPd9xLJ6BK3qRsoFiMN87sO12L7DHHDaMze628Oc+IxFd+VZnH0dPVgitis31f+lXCr8w5qSiEepDJ8Nde8M+Ev1RrPQbR5Q5C+wYxlbY0oPNlGqSrs5i1jJl0BVMI4DlibxatTfuteU5IwcDMQObJr3xJGKNTPswSdzpfJFrLfUBZvsDs94BXEHR2CtxZ4aLQPeLfosWe4zuGvX22p7TzSPx1LkuqIF85Tw1PvK3f7u3l9sozHORAoEA8sFHG+DolqldgjuUgCGpfF/QOY1jkGpbEhq57kKFH+VlFI2XePGQ6299R9RN/Y4S88v14ChLwoLSNWgxK+CgYgB4lbquAIKTKsRla3gkEeziz+qoHPQkD5RcajrWOfSKU4alORpgQerSFZ9zMoz9N2rfTVEzCsVUj0Jiwtd5O7pCX9PWBhz1Nl1ItrRPuFiTSKB05dqsQ1CDZAZMDPJNqotd6QRS5+cKzFLgvU6k/gk08/qV00VM+BxlXkh8PwAhaxNPjMxjzqHx0+xC38FtacuhJiOV91Q== roosensjef@gmail.com
+
+ssh-rsa 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 roosensjef@gmail.com
+
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkcCTP0IE/ANIXJJIMWEg4f5riS8uv3KuypkzQC47XN roosensjef@gmail.com
diff --git a/roles/any.common.debian-user/tasks/main.yml b/roles/any.common.debian-user/tasks/main.yml
new file mode 100644
index 0000000..34c4a22
--- /dev/null
+++ b/roles/any.common.debian-user/tasks/main.yml
@@ -0,0 +1,38 @@
+---
+- name: Install sudo.
+ apt:
+ name: sudo
+ state: present
+
+- name: Create data group.
+ group:
+ name: data
+ gid: 1002
+
+- name: Create debian user.
+ user:
+ name: debian
+ groups:
+ - sudo
+ - data
+ append: true
+ create_home: yes
+ shell: /bin/bash
+ password: "{{ debian_pass | password_hash('sha512') }}"
+ update_password: on_create
+
+- name: Create SSH directory.
+ file:
+ path: /home/debian/.ssh/
+ state: directory
+ owner: debian
+ group: debian
+ mode: '700'
+
+- name: Add authorized SSH keys.
+ copy:
+ src: authorized_keys
+ dest: /home/debian/.ssh/authorized_keys
+ owner: debian
+ group: debian
+ mode: '600'
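Review bot: `create_home: yes` in the "Create debian user" task uses a YAML 1.1 truthy spelling next to `append: true` in the same task; write `create_home: true` (the same applies to `update_cache: yes` and `autoremove: yes` in the enable-testing role later in this patch). `password_hash('sha512')` without a salt argument yields a different hash on every run, which is harmless only because `update_password: on_create` is set, so a comment such as `# random salt per run; on_create keeps this idempotent` would stop someone from removing that line. The role is published under the reusable `any.common` prefix but hardcodes the user name, the `data` gid 1002, `/home/debian/.ssh` and the fixed `authorized_keys` file from the previous hunk, so the first host with a different layout needs a copy of the role; taking `name`, `gid` and the key list from role variables (or using `ansible.posix.authorized_key` with `exclusive: true`) would keep it generic. Module names here are short (`apt`, `user`, `copy`) while the enable-testing role uses `ansible.builtin.*`; pick one style across the new roles.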
diff --git a/roles/any.common.enable-testing/files/sources.list b/roles/any.common.enable-testing/files/sources.list
new file mode 100644
index 0000000..bdb2f58
--- /dev/null
+++ b/roles/any.common.enable-testing/files/sources.list
@@ -0,0 +1,10 @@
+deb http://deb.debian.org/debian/ trixie main non-free-firmware
+deb-src http://deb.debian.org/debian/ trixie main non-free-firmware
+
+deb http://security.debian.org/debian-security trixie-security main non-free-firmware
+deb-src http://security.debian.org/debian-security trixie-security main non-free-firmware
+
+# trixie-updates, to get updates before a point release is made;
+# see https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_updates_and_backports
+deb http://deb.debian.org/debian/ trixie-updates main non-free-firmware
+deb-src http://deb.debian.org/debian/ trixie-updates main non-free-firmware
diff --git a/roles/any.common.enable-testing/tasks/main.yml b/roles/any.common.enable-testing/tasks/main.yml
new file mode 100644
index 0000000..2799dd1
--- /dev/null
+++ b/roles/any.common.enable-testing/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+- ansible.builtin.copy:
+ src: 'sources.list'
+ dest: '/etc/apt/sources.list'
+ owner: 'root'
+ group: 'root'
+ mode: '0644'
+
+- name: Upgrade all packages to the latest version in testing
+ ansible.builtin.apt:
+ upgrade: dist
+ update_cache: yes
+ cache_valid_time: 3600
+
+- name: Clean up unused packages
+ ansible.builtin.apt:
+ autoremove: yes
diff --git a/roles/any.common.python/tasks/main.yml b/roles/any.common.python/tasks/main.yml
new file mode 100644
index 0000000..47e9b89
--- /dev/null
+++ b/roles/any.common.python/tasks/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Update package database
+ raw: apt update
+- name: Install Python
+ raw: apt install --yes python3
diff --git a/roles/any.tools.caddy/files/Caddyfile b/roles/any.tools.caddy/files/Caddyfile
new file mode 100644
index 0000000..8d16237
--- /dev/null
+++ b/roles/any.tools.caddy/files/Caddyfile
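Review bot: `cache_valid_time: 3600` on the "Upgrade all packages" task can make the dist-upgrade run against stale package lists: the apt module skips the cache refresh when the cache is younger than that value, and in the pearl play the `any.common.python` role has just run `apt update` against the old sources, so the `sources.list` written by the first task may never be read before `upgrade: dist` executes. Drop the `cache_valid_time: 3600` line (or register the copy result and run the upgrade only when it reports changed) so that switching sources always refreshes the cache first. The first task has no `name:`; `- name: Switch apt sources to trixie` documents what is otherwise a silent copy, and `update_cache: yes` / `autoremove: yes` should be spelled `true`.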
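Review bot: Both `raw:` tasks in any.common.python report `changed` on every run, so every play that includes this role is non-idempotent from the operator's point of view and a host that already has Python still shows two changes. The usual bootstrap shape is one guarded command, e.g. `raw: test -x /usr/bin/python3 || (apt update && apt install --yes python3)`, with `register:` and a `changed_when` keyed on whether the install branch actually ran, so an already-provisioned host reports `ok`. A comment above the task stating that `raw` is used deliberately because no Python exists yet would explain to later readers why this role does not use the `apt` module like the others.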
@@ -0,0 +1,14 @@
+# The Caddyfile is an easy way to configure your Caddy web server.
+#
+# Unless the file starts with a global options block, the first
+# uncommented line is always the address of your site.
+#
+# To use your own domain name (with automatic HTTPS), first make
+# sure your domain's A/AAAA DNS records are properly pointed to
+# this machine's public IP, then replace ":80" below with your
+# domain name.
+
+import *.Caddyfile
+
+# Refer to the Caddy docs for more information:
+# https://caddyserver.com/docs/caddyfile
diff --git a/roles/any.tools.caddy/handlers/main.yml b/roles/any.tools.caddy/handlers/main.yml
new file mode 100644
index 0000000..68f2b80
--- /dev/null
+++ b/roles/any.tools.caddy/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: reload caddy
+ service:
+ name: caddy
+ state: reloaded
diff --git a/roles/any.tools.caddy/tasks/main.yml b/roles/any.tools.caddy/tasks/main.yml
new file mode 100644
index 0000000..c40fa3a
--- /dev/null
+++ b/roles/any.tools.caddy/tasks/main.yml
@@ -0,0 +1,35 @@
+---
+- name: Add Caddy GPG key
+ apt_key:
+ url: "https://dl.cloudsmith.io/public/caddy/stable/gpg.key"
+ state: present
+
+- name: Add Caddy repositories
+ apt_repository:
+ repo: "{{ item }} https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main"
+ filename: 'caddy-stable'
+ state: present
+ with_items:
+ - deb
+ - deb-src
+
+- name: Install Caddy
+ apt:
+ name: caddy
+ state: present
+
+- name: Copy over Caddyfile
+ copy:
+ src: Caddyfile
+ dest: '/etc/caddy/Caddyfile'
+ owner: root
+ group: root
+ mode: '644'
+ notify: 'reload caddy'
+
+- name: Ensure Caddy service is running & enabled
+ service:
+ name: caddy
+ state: started
+ enabled: true
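Review bot: The header comment is Caddy's stock example text and tells the reader to replace `":80"` below with a domain name, but no `:80` line exists in this file — the only directive is `import *.Caddyfile` — so the comment documents a file that is not the one being shipped. Replace the nine-line boilerplate with a short comment stating the actual contract, e.g. `# Aggregator only: per-site blocks live in *.Caddyfile next to this file and are pulled in by the import below.`, so users of the role know where their site configuration belongs. The trailing docs pointer can stay.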
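Review bot: `apt_key` in the "Add Caddy GPG key" task puts the Cloudsmith key into apt's global trusted keyring, so that key can then validate packages from any configured repository rather than only the Caddy one; `apt-key` itself is deprecated on Debian since bullseye and slated for removal, which will eventually break this task. The forward-compatible form is to fetch the key into `/etc/apt/keyrings` with `get_url` and scope it with `signed-by=` in the `apt_repository` line, which also drops the `apt_key` dependency. The file at that URL is ASCII-armored (the Caddy install instructions pipe it through `gpg --dearmor`); bookworm-era apt accepts armored keys in `signed-by`, older releases need it dearmored first, so note the target baseline in a comment. `with_items` can become `loop` while the task is being touched.
```yaml
- name: Ensure apt keyring directory exists
  file:
    path: /etc/apt/keyrings
    state: directory
    mode: '0755'

- name: Add Caddy signing key (scoped to the Caddy repository only)
  get_url:
    url: "https://dl.cloudsmith.io/public/caddy/stable/gpg.key"
    dest: /etc/apt/keyrings/caddy-stable.asc
    mode: '0644'

- name: Add Caddy repositories
  apt_repository:
    repo: "{{ item }} [signed-by=/etc/apt/keyrings/caddy-stable.asc] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main"
    filename: 'caddy-stable'
    state: present
  loop:
    - deb
    - deb-src

# … unchanged: Install Caddy, Copy over Caddyfile, Ensure Caddy service is running & enabled …
```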