playbook_vps.yml

---
- name: Setup ssh port
  hosts: vps
  gather_facts: false

  vars_files:
    - vars/all.yml
    - vars/vps.yml

  tasks:
    - name: SSH Port Juggle
      ansible.builtin.import_tasks: tasks/sshd_port_juggling.yml
      when: testing is undefined or testing != 'true'
    - name: SSH User Juggle
      ansible.builtin.import_tasks: tasks/sshd_login_user_juggling.yml
      when: testing is undefined or testing != 'true'
    - name: Read ssh_public_key from {{ ssh_public_key_file }}
      ansible.builtin.set_fact:
        ssh_public_key: "{{ lookup('file', ssh_public_key_file) }}"
      when: testing is undefined or testing != 'true'

- name: Setup local_ipv4
  hosts: vps
  gather_facts: true

  tasks:
    # https://medium.com/opsops/ansible-default-ipv4-is-not-what-you-think-edb8ab154b10
    - name: Geather local_ipv4
      ansible.builtin.set_fact:
        local_ipv4: "{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }}"
    - name: Debug local_ipv4
      ansible.builtin.debug:
        var: local_ipv4

- name: Setup for testing
  hosts: vps
  gather_facts: false
  become: true

  tasks:
    - name: For testing at github actions set username to "runneradmin"
      ansible.builtin.set_fact:
        username: "runneradmin"
      when: testing is defined and testing == 'true'

    - name: List all ports used
      block:
        - name: List all ports used
          ansible.builtin.command: netstat -tulpn
          become: true
          changed_when: false
          when: testing is defined and testing == 'true'
          register: netstat_output
        - name: Debug output ports
          ansible.builtin.debug:
            var: netstat_output.stdout_lines
          when: testing is defined and testing == 'true'

- name: Configure VPS personal server.
  hosts: vps

  vars_files:
    - vars/all.yml
    - vars/vps.yml

  roles:
    - role: packages_install
      become: true

    - role: linux_server_setup
      vars:
        linux_server_setup_hostname: "{{ device_name }}"
        linux_server_setup_login_user: "{{ username }}"
        linux_server_setup_login_password: "{{ password }}"
        linux_server_setup_login_user_uid: 1000
        linux_server_setup_login_user_gid: 1000
        linux_server_setup_login_ssh_public_key: "{{ lookup('file', '{{ ssh_public_key_path }}') }}"
        linux_server_setup_open_ports:
          - {port: 22, protocol: "tcp", comment: "default ssh"}
          - {port: "{{ ssh_port }}", protocol: "tcp", comment: "custom ssh"}
          - {port: 51820, protocol: "udp", comment: "wireguard"}
          - {port: 80, protocol: "tcp", comment: "http"}
          - {port: 443, protocol: "tcp", comment: "https"}

    - role: hifis.unattended_upgrades
      vars:
        unattended_automatic_reboot_time: 04:00  # noqa: var-naming[no-role-prefix]
        # apt-daily timer
        unattended_apt_daily_oncalendar: "*-*-* 01:00"  # noqa: var-naming[no-role-prefix]
        unattended_apt_daily_randomizeddelaysec: "60m"  # noqa: var-naming[no-role-prefix]
        # apt-daily-upgrade timer
        unattended_apt_daily_upgrade_oncalendar: "*-*-* 2:00"  # noqa: var-naming[no-role-prefix]
        unattended_apt_daily_upgrade_randomizeddelaysec: "60m"  # noqa: var-naming[no-role-prefix]
      become: true

    - role: geerlingguy.security
      security_ssh_port: "{{ ssh_port }}"
      security_ssh_permit_root_login: "no"
      become: true

    - role: geerlingguy.docker
      become: true

    - role: dotfiles
      tags: ["dotfiles"]
      vars:
        dotfiles_repo_url: "https://github.com/k4black/dotfiles.git"
        dotfiles_dest: "~/.dotfiles"
        dotfiles_symlinks:
          .zshrc: "~/.zshrc"
          .gitconfig: "~/.gitconfig"

    - role: zsh_setup
      vars:
        zsh_setup_set_default_shell: true
        zsh_setup_user: "{{ username }}"
      become: true

  tasks:
    - name: Setup .gitconfig.local
      ansible.builtin.template:
        src: files/.gitconfig.local.j2
        dest: ~/.gitconfig.local
        mode: 0600
        owner: "{{ ansible_user_id }}"

    - name: Copy docker configs and run containers
      ansible.builtin.include_role:
        name: containers_setup
      vars:
        containers_setup_user: "{{ username }}"
        containers_setup_configs_dir: "{{ services_configs_dir }}"
        containers_setup_data_dir: "{{ services_data_dir }}"
        containers_setup_docker_compose_template: "files/vps/docker-compose.yml.j2"
        containers_setup_make_dirs:
          #          - "{{ services_data_dir }}/influxdb-data"
          #          - "{{ services_configs_dir }}/influxdb-config"
          - "{{ services_configs_dir }}/pihole"
          - "{{ services_configs_dir }}/pihole-dnsmasq.d"
        containers_setup_touch_files: []
        containers_setup_config_templates:
          files/vps/server-wg0.conf.j2: "server-wg0.conf"  # TODO: fix permissions
          files/vps/pihole-02-custom-dns.conf.j2: "pihole-dnsmasq.d/02-custom-dns.conf"
          files/vps/pihole-adlists.list: "pihole/adlists.list"
          files/vps/pihole-custom.list.j2: "pihole/custom.list"
#          files/vps/telegraf.conf: "{{ services_configs_dir }}/telegraf.conf"