feat: create stacks-node server ansible config (#61)

.changeset/few-dots-turn.md

@@ -0,0 +1,5 @@
+---
+"stackspulse": minor
+---
+
+Create ansible config for the stacks-node server.

ansible/.gitignore

@@ -0,0 +1,3 @@
+# Local ansible files
+hosts.ini
+vars.yml

ansible/README.md

@@ -0,0 +1,39 @@
+# Server Configuration
+
+Ansible playbook to configure the server.
+
+## Getting Started
+
+Copy the inventory example file:
+
+```bash
+$ cp hosts.ini.example hosts.ini
+```
+
+Update the `<host1>` with your server's IP address:
+
+```bash
+$ vim hosts.ini
+```
+
+Copy the vars example file:
+
+```bash
+$ cp vars.yml.example vars.yml
+```
+
+Update the values to your needs:
+
+```bash
+$ vim vars.yml
+```
+
+Run the playbook:
+
+```bash
+$ ansible-playbook -i hosts.ini -e @vars.yml playbook.yml
+```
+
+## Credits
+
+Config adapted from https://github.com/guillaumebriday/kamal-ansible-manager.

ansible/docker/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: restart docker
+  service:
+    name: docker
+    state: restarted
+    enabled: yes

ansible/docker/tasks/main.yml

@@ -0,0 +1,49 @@
+---
+- name: Ensure old versions of Docker are not installed
+  package:
+    name:
+      - docker
+      - docker.io
+      - docker-engine
+    state: absent
+
+- name: Add Docker apt key
+  get_url:
+    url: "https://download.docker.com/linux/ubuntu/gpg"
+    dest: /etc/apt/trusted.gpg.d/docker.asc
+    mode: 0644
+    force: false
+
+- name: Add Docker repository
+  apt_repository:
+    repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/docker.asc] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
+    state: present
+    filename: docker
+    update_cache: true
+
+- name: Install Docker packages
+  package:
+    name:
+      - docker-ce
+      - docker-ce-cli
+      - containerd.io
+    state: present
+  notify:
+    - restart docker
+
+# This is required for stacks-blockchain-docker to work, can be removed once they remove this requirement
+# and just use the `docker compose` command instead of `docker-compose`
+# Issue https://github.com/stacks-network/stacks-blockchain-docker/issues/120
+- name: Create /usr/bin/docker-compose file
+  file:
+    path: /usr/bin/docker-compose
+    state: touch
+    mode: '0755'
+
+- name: Write docker compose alias to /usr/bin/docker-compose
+  copy:
+    dest: /usr/bin/docker-compose
+    content: |
+      #!/bin/bash
+      docker compose --compatibility "$@"
+

ansible/firewall/tasks/main.yml

@@ -0,0 +1,30 @@
+---
+- name: Configure ufw defaults
+  ufw:
+    direction: "{{ item.direction }}"
+    policy: "{{ item.policy }}"
+  loop:
+    - direction: incoming
+      policy: deny
+    - direction: outgoing
+      policy: allow
+
+- name: Configure ufw rules
+  ufw:
+    rule: "{{ item.rule }}"
+    port: "{{ item.port }}"
+    proto: "{{ item.proto }}"
+  loop:
+    - rule: 'limit'
+      port: '22'
+      proto: 'tcp'
+    - rule: 'allow'
+      port: '80'
+      proto: 'tcp'
+    - rule: 'allow'
+      port: '443'
+      proto: 'tcp'
+
+- name: Enable ufw
+  ufw:
+    state: enabled

ansible/hosts.ini.example

@@ -0,0 +1,2 @@
+[webservers]
+<host1> ansible_become_method=su ansible_user=root ansible_password=your_vps_password ansible_ssh_common_args='-o StrictHostKeyChecking=no'

ansible/packages/handlers/main.yml

@@ -0,0 +1,12 @@
+---
+- name: start ntp
+  service:
+    name: ntp
+    state: started
+    enabled: yes
+
+- name: start fail2ban
+  service:
+    name: fail2ban
+    state: started
+    enabled: yes

ansible/packages/tasks/main.yml

@@ -0,0 +1,28 @@
+---
+- name: Upgrade packages
+  apt:
+    update_cache: yes
+    upgrade: yes
+
+- name: Install packages
+  apt:
+    name:
+      - apt-transport-https
+      - build-essential
+      - ca-certificates
+      - curl
+      - fail2ban
+      - git
+      - gnupg
+      - htop
+      - ntp
+      - ufw
+      - unattended-upgrades
+      - vim
+    state: latest
+    update_cache: yes
+    autoremove: yes
+    autoclean: yes
+  notify:
+    - start ntp
+    - start fail2ban

ansible/playbook.yml

@@ -0,0 +1,12 @@
+---
+- name: Provisionning webservers group
+  hosts: webservers
+  strategy: free
+  vars:
+    ssh_key_path: "/path/to/your/local/id_rsa.pub"
+  roles:
+    - packages
+    - docker
+    - firewall
+    - ssh
+    - snap

ansible/snap/tasks/main.yml

@@ -0,0 +1,8 @@
+---
+- name: Remove snap
+  apt:
+    name:
+      - snapd
+      - snap
+    state: absent
+    purge: true

ansible/ssh/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: restart ssh
+  service:
+    name: ssh
+    state: restarted

ansible/ssh/tasks/main.yml

@@ -0,0 +1,40 @@
+---
+- name: Ensure the user directory exists
+  file:
+    path: /root/.ssh
+    state: directory
+    mode: '0700'
+
+- name: Copy SSH key from local machine to the server
+  copy:
+    src: "{{ ssh_key_path }}"
+    dest: /root/.ssh/authorized_keys
+    mode: '0600'
+
+- name: Update SSH configuration to be more secure
+  lineinfile:
+    dest: "/etc/ssh/sshd_config"
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+    state: present
+    validate: 'sshd -T -f %s'
+    mode: 0644
+  with_items:
+    - regexp: "^PasswordAuthentication"
+      line: "PasswordAuthentication no"
+    - regexp: "^PermitRootLogin"
+      line: "PermitRootLogin prohibit-password"
+    - regexp: "^Port"
+      line: "Port 22"
+    - regexp: "^UseDNS"
+      line: "UseDNS no"
+    - regexp: "^PermitEmptyPasswords"
+      line: "PermitEmptyPasswords no"
+    - regexp: "^ChallengeResponseAuthentication"
+      line: "ChallengeResponseAuthentication no"
+    - regexp: "^GSSAPIAuthentication"
+      line: "GSSAPIAuthentication no"
+    - regexp: "^X11Forwarding"
+      line: "X11Forwarding no"
+  notify:
+    - restart ssh

ansible/vars.yml.example

@@ -0,0 +1 @@
+ssh_key_path: "/path/to/your/local/id_rsa.pub"