provision.yml

---
- hosts: all
  become: true
  become_method: doas
  vars:
    ansible_python_interpreter: /usr/local/bin/python3

  tasks:
    - name: load settings
      include_vars: "settings.yml"

    - name: set install url
      command: echo "{{openbsd_mirror}}/{{openbsd_mirror_directory}}" > /etc/installurl

    - name: packages
      openbsd_pkg: name="{{packages}}" state='present'

    - name: install prometheus node_exporter
      become: yes
      command: go get github.com/prometheus/node_exporter
      args:
        creates: /usr/bin/node_exporter
      environment:
        GOPATH: /usr

    - name: add node_exporter user
      user:
        name: _node-exporter
        shell: /sbin/nologin
        home: /nonexistent
        create_home: false

    - name: copy prometheus node_exporter rc script
      copy: src='nodeexporter' dest='/etc/rc.d/' owner='root' group='wheel' mode='a+x'

      # TODO INSTALL wireguard here

    - name: copy wireguard rc script
      copy: src='wireguard' dest='/etc/rc.d/' owner='root' group='wheel' mode='a+x'

    - name: wireguard conf directory
      file: path='/etc/wireguard' state='directory' owner='root' group='wheel' mode='0640'

    - name: generate wireguard private key
      shell: "umask 077; wg genkey > /etc/wireguard/privatekey"
      args:
        creates: "/etc/wireguard/privatekey"

    - name: register wireguard private key
      command: "cat /etc/wireguard/privatekey"
      register: wireguard_private_key_cmd
      changed_when: false

    - name: compute wireguard public key
      shell: "wg pubkey < /etc/wireguard/publickey"
      register: "wireguard_public_key_cmd"
      changed_when: false

    - name: wireguard conf
      template:
        src: "tun0.conf.j2"
        dest: "/etc/wireguard/tun0.conf"
        owner: root
        group: wheel
        mode: 0640

    - name: update root user full name
      command: usermod -c "{{full_name}}" root

    - name: zshell and groups ({{user}})
      user: name='{{user}}' state='present' groups='wheel' shell='/usr/local/bin/zsh'

    - name: zshell (root)
      user: name='root' state='present' shell='/usr/local/bin/zsh'

    # Doesn't appear to affect matters
    #- name: korn shell vi mode
      #lineinfile: dest='/etc/ksh.kshrc' regexp='^(.*)emacs(.*)$' line='\1vi\2' backrefs=yes

    - name: default editor ({{user}})
      become_user: "{{user}}"
      blockinfile:
        dest: "/home/{{user}}/.zshrc"
        create: 'yes'
        block: |
          alias vi=vim
          EDITOR=vi
          VISUAL=$EDITOR
          export EDITOR VISUAL

    - name: default editor (root)
      blockinfile:
        dest: "/root/.zshrc"
        create: 'yes'
        block: |
          alias vi=vim
          EDITOR=vi
          VISUAL=$EDITOR
          export EDITOR VISUAL

    - name: ntp servers
      template: src='ntpd.conf.j2' dest='/etc/ntpd.conf' owner='root' group='wheel' mode='0644'

    - name: set date from remote
      command: rdate -nv {{ntp_pool}}

    - name: clone dotfiles ({{user}})
      become_user: "{{user}}"
      git:
        repo: "{{dotfiles_repo}}"
        dest: "/home/{{user}}/.dotfiles"
        recursive: no
        accept_hostkey: yes
        depth: 1

    - name: link dotfiles into home folder
      become_user: "{{user}}"
      file:
        src:  "{{item.src}}"
        dest: "{{item.dst}}"
        state: link
      with_items: "{{dotfiles_links}}"

    - name: mail secrets file
      lineinfile: dest='/etc/mail/secrets' line='googlemail {{gmail_user}}:{{gmail_pass}}' create='yes' owner='root' group='_smtpd' mode='0640'

    - name: mail secrets db
      command: makemap /etc/mail/secrets

    - name: relay all mail through google mail (opensmtpd)
      blockinfile:
        dest: /etc/mail/smtpd.conf
        block: |
          table secrets db:/etc/mail/secrets.db
          action "relay" relay host tls+auth://googlemail@smtp.googlemail.com:587 auth <secrets>
          match for any action "relay"

    - name: forward root mail to personal account
      lineinfile: dest='/etc/mail/aliases' regexp='^(#\ +)?root:' line='root{{\':\'}} {{email}}'

    - name: update aliases
      command: newaliases

    - name: set noatime and softdep on root partition
      lineinfile: dest='/etc/fstab' backrefs='yes' regexp='^([0-9a-f]{16}\.[a-z]{1})\ / ' line='\1 / ffs rw,noatime,softdep 1 1'

    - name: dns resolvers
      template: src='resolv.conf.j2' dest='/etc/resolv.conf' owner='root' group='wheel' mode='0644'

    - name: recursive caching dns server (unbound)
      template:
        src: 'unbound.conf.j2'
        dest: '/var/unbound/etc/unbound.conf'
        owner: 'root'
        group: 'wheel'
        mode: '0644'

    - name: copy unbound rc script
      copy: src='unbound' dest='/etc/rc.d/' owner='root' group='wheel' mode='a+x'

    - name: copy unbound conf
      copy: remote_src=true src=/var/unbound/etc/unbound.conf dest=/etc/unbound.conf

    - name: adservers mkdb script
      copy: src='adservers_mkdb.sh' dest='/usr/local/bin/adservers_mkdb' owner='root' group='wheel' mode='a+x'

    - name: create permitted adservers db
      template: src='adservers_permitted.db.j2' dest='/etc/adservers_permitted.db' owner='root' group='wheel' mode='0640'

    - name: create adservers db
      command: /usr/local/bin/adservers_mkdb
      ignore_errors: yes
      args:
        creates: /etc/adservers.db

    - name: cron to update adservers db
      cron:
        name: 'update adservers db'
        special_time: monthly
        job: '/usr/local/bin/adservers_mkdb'

    - name: network bridge
      copy: src='hostname.bridge0' dest='/etc/hostname.bridge0' owner='root' group='wheel' mode='0640'

    - name: virtual ethernet interface
      template: src='hostname.vether0.j2' dest='/etc/hostname.vether0' owner='root' group='wheel' mode='0640'

    - name: physical ethernet interfaces
      copy: src='hostname.emx' dest="/etc/hostname.{{item}}" owner="root" group="wheel" mode="0640"
      with_items:
        - 'em0'
        - 'em1'
        - 'em2'

    - name: ppp over ethernet
      template: src='hostname.pppoe0.j2' dest='/etc/hostname.pppoe0' owner='root' group='wheel' mode='0640'

    - name: wireless access point
      template: src='hostname.athn0.j2' dest='/etc/hostname.athn0' owner='root' group='wheel' mode='0640'

    - name: wireguard tunnel
      template: src='hostname.tun0.j2' dest='/etc/hostname.tun0' owner='root' group='wheel' mode='0640'

    - name: dhcpd
      template: src='dhcpd.conf.j2' dest='/etc/dhcpd.conf' owner='root' group='wheel' mode='0640'

    - name: sensorsd
      copy: src='sensorsd.conf' dest='/etc/sensorsd.conf' owner='root' group='wheel' mode='0600'

    - name: bogon mkdb script
      copy: src='bogons_mkdb.sh' dest='/usr/local/bin/bogons_mkdb' owner='root' group='wheel' mode='a+x'

    - name: create bogons db
      command: /usr/local/bin/bogons_mkdb
      args:
        creates: /etc/bogons.db

    - name: cron to update bogons db
      cron:
        name: 'update bogons db'
        special_time: weekly
        job: '/usr/local/bin/bogons_mkdb'

    - name: packet filter (pf)
      template: src='pf.conf.j2' dest='/etc/pf.conf' owner='root' group='wheel' mode='0600' validate='pfctl -nf %s'

    - name: syslog conf for pf
      lineinfile: dest='/etc/syslog.conf' line='local0.info     /var/log/pflog.txt'

    - name: pf log rotator
      copy: src='pf_log_rotate.sh' dest='/usr/local/bin/pf_log_rotate' owner='root' group='wheel' mode='a+x'

    - name: cron to rotate pf logs
      cron:
        name: 'rotate packet filter logs'
        special_time: hourly
        job: '/usr/local/bin/pf_log_rotate'

    - name: pf log file
      file: path='/var/log/pflog.txt' owner='root' group='wheel' mode='0600' state='touch'

    - name: kernel configuration (sysctl)
      copy: src='sysctl.conf' dest='/etc/sysctl.conf' owner='root' group='wheel' mode='0600'

    - name: enable services
      lineinfile: dest='/etc/rc.conf.local' regexp='^{{item.name}}_flags=' line='{{item.name}}_flags=\"{{item.flags}}\"' create='yes'
      with_items:
        - { name: 'unbound',  flags: '' }
        - { name: 'ntpd',   flags: '-s' }
        - { name: 'dhcpd',  flags: 'vether0' }
        - { name: 'sensorsd',  flags: '' }
        - { name: 'sndiod',  flags: 'NO' }
        - { name: 'nodeexporter',  flags: '--web.listen-address={{network_address}}:9100' }
        - { name: 'wireguard',  flags: 'tun0' }