authorFreya Murphy <freya@freyacat.org>2026-04-30 20:40:58 -0400
committerFreya Murphy <freya@freyacat.org>2026-04-30 20:40:58 -0400
commit8dc2b003c64904dffa931efbdaa99a1334430a7d (patch)
tree9de942343fa6d870837e58d7e2b686cfb70b55d8 /roles/common
parentinitial (diff)
refactor
Diffstat (limited to 'roles/common')
-rw-r--r--roles/common/files/Caddyfile73
-rw-r--r--roles/common/files/freyanet.crt11
-rw-r--r--roles/common/files/sshd_config15
-rw-r--r--roles/common/files/tmux/tmux-window.sh7
-rw-r--r--roles/common/files/tmux/tmux.conf105
-rw-r--r--roles/common/files/zshrc54
-rw-r--r--roles/common/handlers/main.yml2
-rw-r--r--roles/common/tasks/caddy.yml49
-rw-r--r--roles/common/tasks/certs.yml13
-rw-r--r--roles/common/tasks/main.yml11
-rw-r--r--roles/common/tasks/packages.yml12
-rw-r--r--roles/common/tasks/ssh.yml31
-rw-r--r--roles/common/tasks/tmux.yml20
-rw-r--r--roles/common/tasks/zsh.yml40
-rw-r--r--roles/common/templates/authorized_keys.j23
15 files changed, 446 insertions, 0 deletions
diff --git a/roles/common/files/Caddyfile b/roles/common/files/Caddyfile
new file mode 100644
index 0000000..9850012
--- /dev/null
+++ b/roles/common/files/Caddyfile
@@ -0,0 +1,73 @@
+{
+ http_port 80
+ https_port 443
+
+ email freya@freyacat.org
+ acme_ca https://ca.in.freya.cat/acme/acme/directory
+}
+
+(logs) {
+ log {
+ output file /var/log/caddy.log {
+ roll_size 10mb
+ roll_keep 7
+ roll_keep_for 720h
+ }
+ }
+}
+
+(headers) {
+ #header ?Access-Control-Allow-Origin "*"
+ header ?X-Content-Type-Options "nosniff"
+ header Permissions-Policy "interest-cohort=()"
+ header Referrer-Policy "same-origin"
+ header Strict-Transport-Security "max-age=31536000"
+}
+
+(compression) {
+ encode {
+ gzip 6
+ zstd
+ }
+}
+
+(acme) {
+ redir /.well-known/acme-challenge /.well-known/acme-challenge/
+ handle_path /.well-known/acme-challenge/* {
+ file_server browse
+ root * /var/www/html/.well-known/acme-challenge
+ }
+}
+
+(base) {
+ import logs
+ import headers
+ import compression
+ import acme
+}
+
+(http) {
+ try_files {path}.html {path}
+ file_server
+}
+
+(wellknown) {
+ header ?Access-Control-Allow-Origin "*"
+ redir /.well-known /.well-known/
+ handle_path /.well-known/* {
+ file_server browse
+ root * /static/wellknown
+ }
+}
+
+(protect) {
+ forward_auth https://forward.auth.in.freya.cat {
+ uri /
+ header_up Host forward.auth.in.freya.cat
+ copy_headers {
+ X-Webauth-Username X-Webauth-Email X-Webauth-First-Name X-Webauth-Last-Name
+ }
+ }
+}
+
+import /etc/caddy/*.conf
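Review bot: `file_server browse` in the `(acme)` snippet (and again in `(wellknown)`) publishes a directory listing of `/var/www/html/.well-known/acme-challenge` and `/static/wellknown`; ACME validation only needs the individual token files, so the listing is unnecessary exposure of whatever else lands in those directories — change both to plain `file_server`. `(wellknown)` also sets `header ?Access-Control-Allow-Origin "*"`, which is reasonable for public well-known documents but means everything under `/static/wellknown` is readable cross-origin; a one-line comment in the snippet stating that intent would stop a later maintainer from putting non-public files there. The trailing `import /etc/caddy/*.conf` means any file written into `/etc/caddy` becomes live configuration, which is worth noting in a comment since the Ansible task makes that directory writable by the service account.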
diff --git a/roles/common/files/freyanet.crt b/roles/common/files/freyanet.crt
new file mode 100644
index 0000000..36309d8
--- /dev/null
+++ b/roles/common/files/freyanet.crt
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/roles/common/files/sshd_config b/roles/common/files/sshd_config
new file mode 100644
index 0000000..f2ec50e
--- /dev/null
+++ b/roles/common/files/sshd_config
@@ -0,0 +1,15 @@
+StrictModes yes
+Port 22
+PasswordAuthentication no
+KbdInteractiveAuthentication no
+PermitRootLogin yes
+AuthorizedKeysFile .ssh/authorized_keys /etc/ssh/authorized_keys
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding yes
+PrintMotd no
+AcceptEnv LANG LC_*
+Subsystem sftp internal-sftp
+
+Match Address 10.*
+ PasswordAuthentication yes
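Review bot: `PermitRootLogin yes` combined with the `Match Address 10.*` block that re-enables `PasswordAuthentication` allows root to log in with a password from anywhere in the 10/8 network, so a guessed root password is enough from the LAN; `PermitRootLogin prohibit-password` keeps the key-based root access that authorized_keys.j2 provisions while closing password guessing against root. The system-wide `AuthorizedKeysFile .ssh/authorized_keys /etc/ssh/authorized_keys` makes every key in that template valid for every account on the host, root included — if that is intended, say so in a comment above the line. Prefer the CIDR form `Match Address 10.0.0.0/8` over the wildcard so the scope is unambiguous. Since ssh.yml installs this file as a drop-in under `sshd_config.d`, keep the `Match` block last; anything sshd parses after it is presumably scoped to that match until the next `Match` keyword, which is easy to miss when more drop-ins are added.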
diff --git a/roles/common/files/tmux/tmux-window.sh b/roles/common/files/tmux/tmux-window.sh
new file mode 100644
index 0000000..1cdacf0
--- /dev/null
+++ b/roles/common/files/tmux/tmux-window.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+if tmux list-windows | grep -q "^$1:"; then
+ tmux select-window -t "$1"
+else
+ tmux new-window -t "$1"
+fi
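Review bot: The script uses `$1` without checking it was supplied, so an empty argument turns the grep pattern into `^:` and then runs `tmux new-window -t ""`; add `[ -n "$1" ] || exit 1` before the `if`. `grep -q "^$1:"` treats the argument as a regex, which is harmless for the numeric indexes tmux.conf passes but worth a comment so nobody reuses the script with window names.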
diff --git a/roles/common/files/tmux/tmux.conf b/roles/common/files/tmux/tmux.conf
new file mode 100644
index 0000000..f468d55
--- /dev/null
+++ b/roles/common/files/tmux/tmux.conf
@@ -0,0 +1,105 @@
+
+# change prefix
+set -g prefix C-a
+unbind C-b
+bind C-a send-prefix
+
+# split windows like vim
+# vim's definition of a horizontal/vertical split is reversed from tmux's
+bind s split-window -v
+bind v split-window -h
+
+# split panes using | and -
+bind - split-window -v
+bind | split-window -h
+unbind '"'
+unbind %
+
+# reload config file
+bind r source-file ~/.tmux.conf
+
+# large history
+set -g history-limit 10000
+
+# start windows and panes at 1, not 0
+set -g base-index 1
+setw -g pane-base-index 1
+
+# switch term
+bind 1 run-shell "/usr/local/bin/tmux-window.sh 1"
+bind 2 run-shell "/usr/local/bin/tmux-window.sh 2"
+bind 3 run-shell "/usr/local/bin/tmux-window.sh 3"
+bind 4 run-shell "/usr/local/bin/tmux-window.sh 4"
+bind 5 run-shell "/usr/local/bin/tmux-window.sh 5"
+bind 6 run-shell "/usr/local/bin/tmux-window.sh 6"
+bind 7 run-shell "/usr/local/bin/tmux-window.sh 7"
+bind 8 run-shell "/usr/local/bin/tmux-window.sh 8"
+bind 9 run-shell "/usr/local/bin/tmux-window.sh 9"
+bind 0 run-shell "/usr/local/bin/tmux-window.sh 10"
+bind S choose-tree
+
+# terminal style
+set -g default-terminal "tmux-256color"
+set -g terminal-overrides "*:colors=256"
+set -a terminal-features "xterm-256color:RGB"
+
+# focus events
+set -g focus-events on
+
+# move around panes with hjkl, as one would in vim after pressing ctrl-w
+bind -n M-Left select-pane -L
+bind -n M-Right select-pane -R
+bind -n M-Up select-pane -U
+bind -n M-Down select-pane -D
+
+# enable mouse control
+set -g mouse on
+
+# don't rename windows automatically
+set-option -g allow-rename off
+
+# don't do anything when a 'bell' rings
+set -g visual-activity off
+set -g visual-bell off
+set -g visual-silence off
+setw -g monitor-activity off
+set -g bell-action none
+
+# clock mode
+setw -g clock-mode-colour yellow
+
+# copy mode
+setw -g mode-style 'fg=black bg=red bold'
+setw -g mode-keys vi
+
+# panes
+set -g pane-border-style 'fg=red'
+set -g pane-active-border-style 'fg=yellow'
+
+# statusbar
+set -g status-position bottom
+set -g status-justify left
+set -g status-style 'fg=blue'
+set -g status-interval 1
+
+set -g status-left ''
+set -g status-left-length 10
+
+set -g status-right-style 'fg=black bg=blue'
+set -g status-right '%Y-%m-%d %H:%M:%S '
+set -g status-right-length 50
+
+setw -g window-status-current-style 'fg=black bg=blue'
+setw -g window-status-current-format ' #I #W #F '
+
+setw -g window-status-style 'fg=blue bg=black'
+setw -g window-status-format ' #I #[fg=white]#W #[fg=blue]#F '
+
+setw -g window-status-bell-style 'fg=blue bg=red bold'
+
+# messages
+set -g message-style 'fg=yellow bg=red bold'
+
+# bind : to command-prompt like vim
+# this is the default in tmux already
+bind : command-prompt
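Review bot: `bind r source-file ~/.tmux.conf` reloads a per-user file, but tmux.yml installs this configuration as `/etc/tmux.conf`, so the reload binding errors on hosts that have no user file; change it to `bind r source-file /etc/tmux.conf`, or state in the comment that a `~/.tmux.conf` is expected. The `bind 1` … `bind 0` entries depend on `/usr/local/bin/tmux-window.sh`, which tmux.yml installs separately — a comment such as `# installed by roles/common/tasks/tmux.yml` next to that block would make the dependency visible to anyone copying the file.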
diff --git a/roles/common/files/zshrc b/roles/common/files/zshrc
new file mode 100644
index 0000000..fc01188
--- /dev/null
+++ b/roles/common/files/zshrc
@@ -0,0 +1,54 @@
+# zsh shell initalization file
+
+# export 'SHELL' and 'TERM' to child processes
+export SHELL
+export TERM
+
+# check for non-interactive shell.
+if [[ $- != *i* ]]; then
+ # We are being invoked from a non-interactive shell. If this
+ # is an SSH session (as in "ssh host command"), source
+ # /etc/profile so we get PATH and other essential variables.
+ [[ -n "$SSH_CLIENT" ]] && source /etc/profile
+
+ # Don't do anything else.
+ return
+fi
+
+# load zsh plugins
+setopt extendedglob
+bindkey -e
+autoload -U compinit
+compinit
+autoload -U colors && colors
+setopt promptsubst
+
+# prompt
+function prompt_char {
+ if [ $UID -eq 0 ]; then echo "#"; else echo "$"; fi
+}
+PROMPT='%(!.%F{9}.%F{10})%n@%m: %F{15}%c%F{12}$(prompt_char)%F{7} '
+PROMPT2='%_%F{12}:%F{15} '
+
+# aliases
+alias ls='ls --color=auto'
+alias rf="rm -fr" # remove le french hon hon hon
+alias vim="nvim"
+
+# manpages
+export LESS_TERMCAP_md=$'\e[1;36m'
+export LESS_TERMCAP_me=$'\e[0m'
+export LESS_TERMCAP_se=$'\e[0m'
+export LESS_TERMCAP_so=$'\e[1;92m'
+export LESS_TERMCAP_ue=$'\e[0m'
+export LESS_TERMCAP_us=$'\e[1;35m'
+export GROFF_NO_SGR=1
+
+# keybinds
+bindkey "\e[1;5D" backward-word
+bindkey "\e[1;5C" forward-word
+bindkey "\e[3;5~" kill-word
+bindkey "\C-_" backward-kill-word
+bindkey "\e[3~" delete-char
+bindkey "\e[H" beginning-of-line
+bindkey "\e[F" end-of-li
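Review bot: The final line `bindkey "\e[F" end-of-li` names a widget that does not exist — presumably `end-of-line` lost its last characters — so zsh reports an error on every interactive startup; change it to `bindkey "\e[F" end-of-line`. The header comment misspells "initalization" ("initialization"). Because zsh.yml installs this file system-wide under `/etc/zsh/zshrc.d`, the `rf` alias for `rm -fr` applies to root as well; the comment on that line should say it is intentional rather than only the joke.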
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
new file mode 100644
index 0000000..91826d6
--- /dev/null
+++ b/roles/common/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: Update CA Certificates
+ command: update-ca-certificates
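Review bot: `command: update-ca-certificates` uses the short module name, as do all the task files in this commit (caddy.yml, certs.yml, packages.yml, ssh.yml, tmux.yml, zsh.yml); the fully-qualified form `ansible.builtin.command` (and `ansible.builtin.package`, `ansible.builtin.copy`, …) is what ansible-lint expects and avoids collection-resolution ambiguity. The file also lacks the leading `---` document marker that Ansible convention calls for.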
diff --git a/roles/common/tasks/caddy.yml b/roles/common/tasks/caddy.yml
new file mode 100644
index 0000000..3d2541e
--- /dev/null
+++ b/roles/common/tasks/caddy.yml
@@ -0,0 +1,49 @@
+- name: Install caddy
+ package:
+ name: caddy
+ state: present
+
+- name: Ensure caddy group exists
+ group:
+ name: caddy
+ system: yes
+ state: present
+
+- name: Ensure caddy user exists
+ user:
+ name: caddy
+ group: caddy
+ system: yes
+ create_home: no
+ shell: /usr/sbin/nologin
+ state: present
+
+- name: Create caddy configuration directory
+ file:
+ path: /etc/caddy
+ state: directory
+ owner: caddy
+ group: caddy
+ mode: '0755'
+
+- name: Configure caddy
+ copy:
+ src: Caddyfile
+ dest: /etc/caddy/Caddyfile
+ owner: caddy
+ group: caddy
+ mode: '0664'
+
+- name: Ensure Caddy log file exists
+ file:
+ path: /var/log/caddy.log
+ state: touch
+ owner: caddy
+ group: caddy
+ mode: '0664'
+
+- name: Enable caddy service
+ service:
+ name: caddy
+ enabled: true
+ state: started
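Review bot: `Configure caddy` installs `/etc/caddy/Caddyfile` as `owner: caddy`, `group: caddy`, `mode: '0664'`, and the directory task makes `/etc/caddy` caddy-owned, so the service account can rewrite its own configuration and, because the Caddyfile ends with `import /etc/caddy/*.conf`, any file it drops there becomes live config; the process only needs read access, so use `owner: root`, `group: root`, `mode: '0644'` for the file and root ownership for the directory. The same group-writable `'0664'` appears on the CA cert in certs.yml, the sshd drop-in in ssh.yml, tmux.conf in tmux.yml and the zshrc in zsh.yml, where `'0644'` is the conventional mode. The copy task has no `notify` and the service task only ensures `started`, so a changed Caddyfile is not applied until something else restarts caddy; add a `Restart caddy` handler and notify it from `Configure caddy`. `system: yes` and `create_home: no` should be written `true`/`false`.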
diff --git a/roles/common/tasks/certs.yml b/roles/common/tasks/certs.yml
new file mode 100644
index 0000000..cce2e73
--- /dev/null
+++ b/roles/common/tasks/certs.yml
@@ -0,0 +1,13 @@
+- name: Install ca-certificates
+ package:
+ name: ca-certificates
+ state: present
+
+- name: Install FreyaNET Root CA Cert
+ copy:
+ src: freyanet.crt
+ dest: /usr/local/share/ca-certificates/freyanet.crt
+ owner: root
+ group: root
+ mode: '0664'
+ notify: Update CA Certificates
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
new file mode 100644
index 0000000..74088a6
--- /dev/null
+++ b/roles/common/tasks/main.yml
@@ -0,0 +1,11 @@
+# baseline
+- import_tasks: packages.yml
+- import_tasks: certs.yml
+
+# programs
+- import_tasks: zsh.yml
+- import_tasks: tmux.yml
+
+# services
+- import_tasks: caddy.yml
+- import_tasks: ssh.yml
diff --git a/roles/common/tasks/packages.yml b/roles/common/tasks/packages.yml
new file mode 100644
index 0000000..60fd285
--- /dev/null
+++ b/roles/common/tasks/packages.yml
@@ -0,0 +1,12 @@
+- name: Install base packages
+ package:
+ name: "{{ base_packages }}"
+ state: present
+
+- name: Install keys packages
+ package:
+ name:
+ - "{{ man_pkg }}"
+ - "{{ man_pages_pkg }}"
+ - "{{ bind_pkg }}"
+ - "{{ passwd_pkg }}"
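Review bot: `Install keys packages` omits `state: present` where the task above spells it out; add it for consistency, and the name reads like a typo (perhaps `Install key packages`). The variables `base_packages`, `man_pkg`, `man_pages_pkg`, `bind_pkg` and `passwd_pkg` are defined outside this hunk, so a comment naming where they are set (presumably per-distribution vars) would help the next reader.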
diff --git a/roles/common/tasks/ssh.yml b/roles/common/tasks/ssh.yml
new file mode 100644
index 0000000..36498fb
--- /dev/null
+++ b/roles/common/tasks/ssh.yml
@@ -0,0 +1,31 @@
+- name: Install openssh
+ package:
+ name: "{{ openssh_pkg }}"
+ state: present
+
+- name: Configure sshd
+ copy:
+ src: sshd_config
+ dest: /etc/ssh/sshd_config.d/10-freya.conf
+ owner: root
+ group: root
+ mode: '0664'
+
+- name: Remove old sshd config
+ file:
+ path: /etc/shh/sshd_config.d/freya.yml
+ state: absent
+
+- name: Configure sshd authorized keys
+ template:
+ src: authorized_keys.j2
+ dest: /etc/ssh/authorized_keys
+ owner: root
+ group: root
+ mode: '0644'
+
+- name: Enable sshd service
+ service:
+ name: "{{ openssh_service }}"
+ enabled: true
+ state: started
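Review bot: `Remove old sshd config` targets `/etc/shh/sshd_config.d/freya.yml` — `shh` is a typo for `ssh`, so the task succeeds on a path that never exists and the old drop-in is left in place; change it to `path: /etc/ssh/sshd_config.d/freya.yml`. `Configure sshd` has no `notify` and the service task only ensures `started`, so a changed drop-in is not applied until sshd is restarted; add a restart handler, notify it from the copy task, and consider `validate: /usr/sbin/sshd -t -f %s` on the copy so a broken drop-in cannot lock you out (sshd path may differ per distribution). The drop-in should be `mode: '0644'` rather than the group-writable `'0664'`.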
diff --git a/roles/common/tasks/tmux.yml b/roles/common/tasks/tmux.yml
new file mode 100644
index 0000000..7f8a653
--- /dev/null
+++ b/roles/common/tasks/tmux.yml
@@ -0,0 +1,20 @@
+- name: Install tmux
+ package:
+ name: tmux
+ state: present
+
+- name: Configure tmux
+ copy:
+ src: tmux/tmux.conf
+ dest: /etc/tmux.conf
+ owner: root
+ group: root
+ mode: '0664'
+
+- name: Configure tmux window script
+ copy:
+ src: tmux/tmux-window.sh
+ dest: /usr/local/bin/tmux-window.sh
+ owner: root
+ group: root
+ mode: '0755'
diff --git a/roles/common/tasks/zsh.yml b/roles/common/tasks/zsh.yml
new file mode 100644
index 0000000..aabcfac
--- /dev/null
+++ b/roles/common/tasks/zsh.yml
@@ -0,0 +1,40 @@
+- name: Install zsh
+ package:
+ name: zsh
+ state: present
+
+- name: Ensure zshrc.d directory exists
+ file:
+ path: /etc/zsh/zshrc.d
+ state: directory
+ mode: '0755'
+
+- name: Enable zshrc.d loading
+ blockinfile:
+ path: /etc/zsh/zshrc
+ block: |
+ # Load modular zsh config
+ if [ -d /etc/zsh/zshrc.d ]; then
+ for file in /etc/zsh/zshrc.d/*.zsh; do
+ [ -r "$file" ] && source "$file"
+ done
+ fi
+ when: ansible_distribution == "Debian"
+
+- name: Configure zsh
+ copy:
+ src: zshrc
+ dest: /etc/zsh/zshrc.d/10-freya.zsh
+ owner: root
+ group: root
+ mode: '0664'
+
+- name: Remove old zsh config
+ file:
+ path: /etc/zsh/zshrc.d/freya.yml
+ state: absent
+
+- name: Ensure root user shell is zsh
+ user:
+ name: root
+ shell: /bin/zsh
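Review bot: `Enable zshrc.d loading` only adds the loader when `ansible_distribution == "Debian"`, yet `Configure zsh` drops `10-freya.zsh` into `/etc/zsh/zshrc.d` unconditionally, so on any other distribution the file is presumably never sourced unless its stock `/etc/zsh/zshrc` already does so; either drop the condition or add a comment naming which distributions ship a zshrc.d loader. `Ensure zshrc.d directory exists` sets no `owner`/`group`, unlike the copy task below it; add `owner: root` and `group: root` so the directory is not left with whatever the connecting user's defaults are. `blockinfile` on `/etc/zsh/zshrc` fails if the file is absent; if that is possible on a target, `create: true` is the usual guard.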
diff --git a/roles/common/templates/authorized_keys.j2 b/roles/common/templates/authorized_keys.j2
new file mode 100644
index 0000000..d9f6386
--- /dev/null
+++ b/roles/common/templates/authorized_keys.j2
@@ -0,0 +1,3 @@
+{% for key in ssh_authorized_keys %}
+{{ key }}
+{% endfor %}