From ec37e9e5359a63de22dc85cfdde258d67471d79e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A9o=20Pradel?=
Date: Fri, 5 Jul 2024 11:56:02 +0200
Subject: [PATCH] feat: create stacks-node server ansible config (#61)
---
 .changeset/few-dots-turn.md | 5 +++
 ansible/.gitignore | 3 ++
 ansible/README.md | 39 ++++++++++++++++++++++++
 ansible/docker/handlers/main.yml | 6 ++++
 ansible/docker/tasks/main.yml | 49 ++++++++++++++++++++++++++++++
 ansible/firewall/tasks/main.yml | 30 ++++++++++++++++++
 ansible/hosts.ini.example | 2 ++
 ansible/packages/handlers/main.yml | 12 ++++++++
 ansible/packages/tasks/main.yml | 28 +++++++++++++++++
 ansible/playbook.yml | 12 ++++++++
 ansible/snap/tasks/main.yml | 8 +++++
 ansible/ssh/handlers/main.yml | 5 +++
 ansible/ssh/tasks/main.yml | 40 ++++++++++++++++++++++++
 ansible/vars.yml.example | 1 +
 14 files changed, 240 insertions(+)
 create mode 100644 .changeset/few-dots-turn.md
 create mode 100644 ansible/.gitignore
 create mode 100644 ansible/README.md
 create mode 100644 ansible/docker/handlers/main.yml
 create mode 100644 ansible/docker/tasks/main.yml
 create mode 100644 ansible/firewall/tasks/main.yml
 create mode 100644 ansible/hosts.ini.example
 create mode 100644 ansible/packages/handlers/main.yml
 create mode 100644 ansible/packages/tasks/main.yml
 create mode 100755 ansible/playbook.yml
 create mode 100644 ansible/snap/tasks/main.yml
 create mode 100644 ansible/ssh/handlers/main.yml
 create mode 100644 ansible/ssh/tasks/main.yml
 create mode 100644 ansible/vars.yml.example
diff --git a/.changeset/few-dots-turn.md b/.changeset/few-dots-turn.md
new file mode 100644
index 0000000..237dee1
--- /dev/null
+++ b/.changeset/few-dots-turn.md
@@ -0,0 +1,5 @@
+---
+"stackspulse": minor
+---
+
+Create ansible config for the stacks-node server.
diff --git a/ansible/.gitignore b/ansible/.gitignore
new file mode 100644
index 0000000..c9e4d94
--- /dev/null
+++ b/ansible/.gitignore
@@ -0,0 +1,3 @@
+# Local ansible files
+hosts.ini
+vars.yml
diff --git a/ansible/README.md b/ansible/README.md
new file mode 100644
index 0000000..aaffda0
--- /dev/null
+++ b/ansible/README.md
@@ -0,0 +1,39 @@
+# Server Configuration
+
+Ansible playbook to configure the server.
+
+## Getting Started
+
+Copy the inventory example file:
+
+```bash
+$ cp hosts.ini.example hosts.ini
+```
+
+Update the `` with your server's IP address:
+
+```bash
+$ vim hosts.ini
+```
+
+Copy the vars example file:
+
+```bash
+$ cp vars.yml.example vars.yml
+```
+
+Update the values to your needs:
+
+```bash
+$ vim vars.yml
+```
+
+Run the playbook:
+
+```bash
+$ ansible-playbook -i hosts.ini -e @vars.yml playbook.yml
+```
+
+## Credits
+
+Config adapted from https://github.com/guillaumebriday/kamal-ansible-manager.
diff --git a/ansible/docker/handlers/main.yml b/ansible/docker/handlers/main.yml
new file mode 100644
index 0000000..4e8c5a0
--- /dev/null
+++ b/ansible/docker/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart docker
+ service:
+ name: docker
+ state: restarted
+ enabled: yes
diff --git a/ansible/docker/tasks/main.yml b/ansible/docker/tasks/main.yml
new file mode 100644
index 0000000..ec9735a
--- /dev/null
+++ b/ansible/docker/tasks/main.yml
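Review bot: `enabled: yes` on the restart docker handler uses a YAML 1.1 truthy word; Ansible accepts it, but yamllint's truthy rule flags it and a YAML 1.2 parser reads it as the string `yes`, so `enabled: true` is the portable spelling. The same applies to both `enabled: yes` lines in ansible/packages/handlers/main.yml and to `update_cache: yes`, `upgrade: yes`, `autoremove: yes` and `autoclean: yes` in ansible/packages/tasks/main.yml, which is inconsistent with the `update_cache: true` / `purge: true` used in the docker and snap roles.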
@@ -0,0 +1,49 @@
+---
+- name: Ensure old versions of Docker are not installed
+ package:
+ name:
+ - docker
+ - docker.io
+ - docker-engine
+ state: absent
+
+- name: Add Docker apt key
+ get_url:
+ url: "https://download.docker.com/linux/ubuntu/gpg"
+ dest: /etc/apt/trusted.gpg.d/docker.asc
+ mode: 0644
+ force: false
+
+- name: Add Docker repository
+ apt_repository:
+ repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/docker.asc] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
+ state: present
+ filename: docker
+ update_cache: true
+
+- name: Install Docker packages
+ package:
+ name:
+ - docker-ce
+ - docker-ce-cli
+ - containerd.io
+ state: present
+ notify:
+ - restart docker
+
+# This is required for stacks-blockchain-docker to work, can be removed once they remove this requirement
+# and just use the `docker compose` command instead of `docker-compose`
+# Issue https://github.com/stacks-network/stacks-blockchain-docker/issues/120
+- name: Create /usr/bin/docker-compose file
+ file:
+ path: /usr/bin/docker-compose
+ state: touch
+ mode: '0755'
+
+- name: Write docker compose alias to /usr/bin/docker-compose
+ copy:
+ dest: /usr/bin/docker-compose
+ content: |
+ #!/bin/bash
+ docker compose --compatibility "$@"
+
diff --git a/ansible/firewall/tasks/main.yml b/ansible/firewall/tasks/main.yml
new file mode 100644
index 0000000..7e255c1
--- /dev/null
+++ b/ansible/firewall/tasks/main.yml
@@ -0,0 +1,30 @@
+---
+- name: Configure ufw defaults
+ ufw:
+ direction: "{{ item.direction }}"
+ policy: "{{ item.policy }}"
+ loop:
+ - direction: incoming
+ policy: deny
+ - direction: outgoing
+ policy: allow
+
+- name: Configure ufw rules
+ ufw:
+ rule: "{{ item.rule }}"
+ port: "{{ item.port }}"
+ proto: "{{ item.proto }}"
+ loop:
+ - rule: 'limit'
+ port: '22'
+ proto: 'tcp'
+ - rule: 'allow'
+ port: '80'
+ proto: 'tcp'
+ - rule: 'allow'
+ port: '443'
+ proto: 'tcp'
+
+- name: Enable ufw
+ ufw:
+ state: enabled
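Review bot: The `Add Docker apt key` task downloads the signing key with `get_url` and, via `signed-by` on the next task, makes it the trust root for every later `apt` operation against that repository, but nothing pins its content, so whatever the first download returns is trusted forever (`force: false` never refreshes it); adding `checksum: "sha256:<expected-key-digest>"` (placeholder, take the digest from Docker's published key) turns a substituted key into a task failure instead of a silently different trust root. `mode: 0644` on that task is an unquoted octal that ansible-lint's risky-octal rule flags and is inconsistent with the `'0755'` further down the same file, so `mode: '0644'`; the same unquoted form appears in ansible/ssh/tasks/main.yml. The closing `copy` to `/usr/bin/docker-compose` sets no `mode:` and relies on the preceding `touch` task for its execute bit, so giving the copy its own `mode: '0755'` keeps the wrapper executable even if that touch task is later removed as the comment anticipates.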
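Review bot: The `Enable ufw` task at the end of the firewall role leaves the log level implicit, so whether denied and rate-limited connections (including hits on the `limit` rule for 22) are recorded depends on the image's ufw defaults rather than on this playbook; setting it explicitly with `logging: 'on'` on that task (quoted, because bare `on` is a YAML 1.1 boolean) makes the evidence fail2ban and an analyst would read a declared property of the host. The ordering is sound: defaults and rules are in place before `state: enabled`, so a running SSH session is not cut off mid-play. A smaller point of style is that the rules loop quotes its strings (`'limit'`, `'22'`) while the defaults loop leaves `incoming` / `deny` bare; one quoting convention for string scalars reads cleaner.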
diff --git a/ansible/hosts.ini.example b/ansible/hosts.ini.example
new file mode 100644
index 0000000..e69a534
--- /dev/null
+++ b/ansible/hosts.ini.example
@@ -0,0 +1,2 @@
+[webservers]
+ ansible_become_method=su ansible_user=root ansible_password=your_vps_password ansible_ssh_common_args='-o StrictHostKeyChecking=no'
diff --git a/ansible/packages/handlers/main.yml b/ansible/packages/handlers/main.yml
new file mode 100644
index 0000000..1ba9446
--- /dev/null
+++ b/ansible/packages/handlers/main.yml
@@ -0,0 +1,12 @@
+---
+- name: start ntp
+ service:
+ name: ntp
+ state: started
+ enabled: yes
+
+- name: start fail2ban
+ service:
+ name: fail2ban
+ state: started
+ enabled: yes
diff --git a/ansible/packages/tasks/main.yml b/ansible/packages/tasks/main.yml
new file mode 100644
index 0000000..6632104
--- /dev/null
+++ b/ansible/packages/tasks/main.yml
@@ -0,0 +1,28 @@
+---
+- name: Upgrade packages
+ apt:
+ update_cache: yes
+ upgrade: yes
+
+- name: Install packages
+ apt:
+ name:
+ - apt-transport-https
+ - build-essential
+ - ca-certificates
+ - curl
+ - fail2ban
+ - git
+ - gnupg
+ - htop
+ - ntp
+ - ufw
+ - unattended-upgrades
+ - vim
+ state: latest
+ update_cache: yes
+ autoremove: yes
+ autoclean: yes
+ notify:
+ - start ntp
+ - start fail2ban
diff --git a/ansible/playbook.yml b/ansible/playbook.yml
new file mode 100755
index 0000000..e43e79f
--- /dev/null
+++ b/ansible/playbook.yml
@@ -0,0 +1,12 @@
+---
+- name: Provisionning webservers group
+ hosts: webservers
+ strategy: free
+ vars:
+ ssh_key_path: "/path/to/your/local/id_rsa.pub"
+ roles:
+ - packages
+ - docker
+ - firewall
+ - ssh
+ - snap
diff --git a/ansible/snap/tasks/main.yml b/ansible/snap/tasks/main.yml
new file mode 100644
index 0000000..b15941d
--- /dev/null
+++ b/ansible/snap/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+- name: Remove snap
+ apt:
+ name:
+ - snapd
+ - snap
+ state: absent
+ purge: true
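Review bot: The inventory example disables host-key verification with `ansible_ssh_common_args='-o StrictHostKeyChecking=no'`, so a host key that changes between runs (a rebuilt VPS, or something answering in its place) is accepted without a word, and it puts the root password in plaintext on the same line; `-o StrictHostKeyChecking=accept-new` keeps the first-contact convenience while still rejecting a changed key, and the password is better supplied with `--ask-pass` or an Ansible Vault variable than an inventory entry (hosts.ini is gitignored, but it still sits unencrypted on disk). Note also that the ssh role in this same commit sets `PasswordAuthentication no`, so this password-based entry stops working after the first successful run; the README should tell the user to switch the host line to `ansible_ssh_private_key_file=<path>` for subsequent runs. The host line appears to have lost its address placeholder in this rendering (it begins directly with `ansible_become_method`), which is worth checking in the committed file since the README refers to it.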
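Review bot: `state: latest` on the `Install packages` task upgrades every listed package on each run, which makes the play non-idempotent and lets an unrelated rerun change versions of docker-adjacent tooling; `state: present` is the predictable choice here, since the preceding `Upgrade packages` task already performs the upgrade step. Installing `fail2ban` and `unattended-upgrades` with no configuration relies on the distribution defaults (Debian-based images ship an enabled sshd jail and security-update auto-upgrades, as far as I recall), so a comment such as `# fail2ban/unattended-upgrades: distro defaults are intentional (sshd jail, security updates)` would stop the next reader from hunting for a missing jail.local.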
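Review bot: The play-level `vars: ssh_key_path: "/path/to/your/local/id_rsa.pub"` duplicates the value the README expects from `-e @vars.yml`; extra-vars take precedence, so the placeholder is only ever reached when the user forgets `-e`, and then the ssh role fails on a nonexistent source path rather than with a clear undefined-variable error. Dropping the `vars:` block makes the contract explicit, or at minimum a comment `# placeholder; overridden by -e @vars.yml` should sit above it. The play name also has a typo: `- name: Provisioning webservers group`.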
diff --git a/ansible/ssh/handlers/main.yml b/ansible/ssh/handlers/main.yml
new file mode 100644
index 0000000..822887e
--- /dev/null
+++ b/ansible/ssh/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart ssh
+ service:
+ name: ssh
+ state: restarted
diff --git a/ansible/ssh/tasks/main.yml b/ansible/ssh/tasks/main.yml
new file mode 100644
index 0000000..7d0ab0f
--- /dev/null
+++ b/ansible/ssh/tasks/main.yml
@@ -0,0 +1,40 @@
+---
+- name: Ensure the user directory exists
+ file:
+ path: /root/.ssh
+ state: directory
+ mode: '0700'
+
+- name: Copy SSH key from local machine to the server
+ copy:
+ src: "{{ ssh_key_path }}"
+ dest: /root/.ssh/authorized_keys
+ mode: '0600'
+
+- name: Update SSH configuration to be more secure
+ lineinfile:
+ dest: "/etc/ssh/sshd_config"
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ state: present
+ validate: 'sshd -T -f %s'
+ mode: 0644
+ with_items:
+ - regexp: "^PasswordAuthentication"
+ line: "PasswordAuthentication no"
+ - regexp: "^PermitRootLogin"
+ line: "PermitRootLogin prohibit-password"
+ - regexp: "^Port"
+ line: "Port 22"
+ - regexp: "^UseDNS"
+ line: "UseDNS no"
+ - regexp: "^PermitEmptyPasswords"
+ line: "PermitEmptyPasswords no"
+ - regexp: "^ChallengeResponseAuthentication"
+ line: "ChallengeResponseAuthentication no"
+ - regexp: "^GSSAPIAuthentication"
+ line: "GSSAPIAuthentication no"
+ - regexp: "^X11Forwarding"
+ line: "X11Forwarding no"
+ notify:
+ - restart ssh
diff --git a/ansible/vars.yml.example b/ansible/vars.yml.example
new file mode 100644
index 0000000..9047607
--- /dev/null
+++ b/ansible/vars.yml.example
@@ -0,0 +1 @@
+ssh_key_path: "/path/to/your/local/id_rsa.pub"
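Review bot: The `Update SSH configuration to be more secure` task edits only `/etc/ssh/sshd_config`, but on images whose sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf` (cloud images commonly ship a drop-in there that sets `PasswordAuthentication yes`) sshd keeps the first value it sees for each keyword, so the included value wins and password logins stay enabled even though the task reports changed and `sshd -T` validates cleanly; the inventory in this commit authenticates with a password, which would mask the gap. Writing the same settings to a drop-in that sorts before any vendor file, as below, makes the hardening hold on both layouts, and keeping the existing lineinfile task alongside it covers images without an `Include`. Separately, `copy` to `/root/.ssh/authorized_keys` replaces the whole file, so a key already provisioned by the image or a teammate is dropped silently and a wrong `ssh_key_path` combined with the password lockdown locks the operator out; the `authorized_key` module (`user: root`, `key: "{{ lookup('file', ssh_key_path) }}"`) is the additive, idempotent form.
```yaml
# … unchanged: .ssh directory, authorized_keys and lineinfile tasks …
- name: Apply hardened sshd settings as a drop-in that sorts before vendor drop-ins
  copy:
    dest: /etc/ssh/sshd_config.d/00-hardening.conf
    mode: '0644'
    validate: 'sshd -T -f %s'
    content: |
      PasswordAuthentication no
      PermitRootLogin prohibit-password
      Port 22
      UseDNS no
      PermitEmptyPasswords no
      ChallengeResponseAuthentication no
      GSSAPIAuthentication no
      X11Forwarding no
  notify:
    - restart ssh
```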