Homelab/ansible/playbooks/vps.yml


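---
# Scaleway VPS: public entry point
# - Debian hardening
# - WireGuard (tunnel to the homelab gateway)
# - Caddy (reverse proxy + Let's Encrypt TLS)
#
# Task order matters: the admin user and its SSH key are installed before
# root login / password auth are disabled, and the SSH allow rule exists
# before UFW is enabled with a default-deny policy.
- name: Configuration VPS
  hosts: vps
  become: true
  vars:
    # Both keys come from the vault and are only rendered into
    # /etc/wireguard/wg0.conf (mode 0600) by the template task below.
    wg_vps_private_key: "{{ vault_wg_vps_private_key }}"
    wg_gateway_public_key: "{{ vault_wg_gateway_public_key }}"

  tasks:
    # -- Base hardening --
    - name: Mise a jour des paquets
      ansible.builtin.apt:
        update_cache: true
        upgrade: dist
      tags: [base]

    - name: Installation paquets utilitaires
      ansible.builtin.apt:
        name:
          - vim
          - curl
          - wget
          - ufw
          - wireguard
          - python3
        state: present
      tags: [base]

    - name: Creation utilisateur {{ admin_user }}
      ansible.builtin.user:
        name: "{{ admin_user }}"
        groups: sudo
        # `groups:` replaces the supplementary group list by default; append
        # so a re-run never strips groups the account gained later.
        append: true
        shell: /bin/bash
        create_home: true
        # password_hash() picks a random salt on every run, which makes the
        # task "changed" each time. A salt derived from the hostname keeps
        # the hash stable while still applying a rotated vault password.
        password: "{{ vault_admin_password | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"
        state: present
      tags: [base]

    - name: Cle SSH pour {{ admin_user }}
      ansible.posix.authorized_key:
        user: "{{ admin_user }}"
        key: "{{ lookup('file', '~/.ssh/homelab.pub') }}"
        state: present
      tags: [base]

    # NOPASSWD for the whole sudo group: whoever holds the SSH key gets root
    # with no second factor. Kept as designed; visudo validation prevents a
    # broken drop-in from locking sudo out entirely.
    - name: Sudo sans mot de passe pour sudo group
      ansible.builtin.lineinfile:
        path: /etc/sudoers.d/sudo-nopasswd
        line: "%sudo ALL=(ALL) NOPASSWD: ALL"
        create: true
        mode: "0440"
        validate: "visudo -cf %s"
      tags: [base]

    # NOTE(review): sshd keeps the FIRST value it reads for an option, and
    # recent Debian images start sshd_config with
    # `Include /etc/ssh/sshd_config.d/*.conf`. A drop-in written by the cloud
    # image (e.g. cloud-init) can therefore silently override the two lines
    # below -- confirm the effective values on the host with `sshd -T`.
    - name: Desactiver login root SSH
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^#?PermitRootLogin"
        line: "PermitRootLogin no"
        # Refuse the edit (and skip the restart) if sshd cannot parse it;
        # a bad sshd_config on a remote VPS means losing access.
        validate: "/usr/sbin/sshd -t -f %s"
      notify: restart sshd
      tags: [base]

    - name: Desactiver auth par mot de passe SSH
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^#?PasswordAuthentication"
        line: "PasswordAuthentication no"
        validate: "/usr/sbin/sshd -t -f %s"
      notify: restart sshd
      tags: [base]

    # -- UFW firewall --
    # Allow rules first, then enable with default deny, so the SSH session
    # running this play is never cut off.
    - name: Autoriser SSH
      community.general.ufw:
        rule: allow
        port: "22"
        proto: tcp
      tags: [firewall]

    - name: Autoriser HTTP
      community.general.ufw:
        rule: allow
        port: "80"
        proto: tcp
      tags: [firewall]

    - name: Autoriser HTTPS
      community.general.ufw:
        rule: allow
        port: "443"
        proto: tcp
      tags: [firewall]

    - name: Autoriser WireGuard
      community.general.ufw:
        rule: allow
        port: "51820"
        proto: udp
      tags: [firewall]

    - name: Activer UFW
      community.general.ufw:
        state: enabled
        policy: deny
      tags: [firewall]

    # -- WireGuard --
    - name: Activation IP forwarding
      ansible.posix.sysctl:
        name: net.ipv4.ip_forward
        value: "1"
        sysctl_set: true
        reload: true
      tags: [wireguard]

    - name: Creation repertoire WireGuard
      ansible.builtin.file:
        path: /etc/wireguard
        state: directory
        mode: "0700"
      tags: [wireguard]

    - name: Deploiement config WireGuard VPS
      ansible.builtin.template:
        src: wg0-vps.conf.j2
        dest: /etc/wireguard/wg0.conf
        # Contains the VPS private key: root-only.
        mode: "0600"
      notify: restart wireguard
      tags: [wireguard]

    - name: Activation WireGuard au boot
      ansible.builtin.systemd:
        name: wg-quick@wg0
        state: started
        enabled: true
      tags: [wireguard]

    # -- Caddy --
    - name: Installation des prerequis Caddy
      ansible.builtin.apt:
        name:
          - debian-keyring
          - debian-archive-keyring
          - apt-transport-https
        state: present
      tags: [caddy]

    # The keyring path is the one referenced by the vendor's sources list, so
    # it must not change. The download goes through a temp file under
    # `set -e -o pipefail`: a failed or truncated curl must not leave an
    # empty keyring behind, because `creates:` would then skip this task on
    # every later run and apt would keep failing signature checks.
    - name: Ajout cle GPG Caddy
      ansible.builtin.shell: |
        set -euo pipefail
        tmp="$(mktemp)"
        curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' \
          | gpg --dearmor > "$tmp"
        install -o root -g root -m 0644 "$tmp" /usr/share/keyrings/caddy-stable-archive-keyring.gpg
        rm -f "$tmp"
      args:
        # pipefail is a bash feature; /bin/sh is dash on Debian.
        executable: /bin/bash
        creates: /usr/share/keyrings/caddy-stable-archive-keyring.gpg
      tags: [caddy]

    # get_url writes atomically and, with the default force=false, does not
    # re-download once dest exists -- the same idempotency as the former
    # `creates:` guard, without a `curl | tee` that could leave a partial
    # sources list on a failed download.
    - name: Ajout repo Caddy
      ansible.builtin.get_url:
        url: https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt
        dest: /etc/apt/sources.list.d/caddy-stable.list
        mode: "0644"
      notify: apt update
      tags: [caddy]

    - name: Installation Caddy
      ansible.builtin.apt:
        name: caddy
        state: present
        # The "apt update" handler only runs at the end of the play, so the
        # cache must be refreshed here for the new repo to be visible.
        update_cache: true
      tags: [caddy]

    - name: Deploiement Caddyfile
      ansible.builtin.template:
        src: Caddyfile-vps.j2
        dest: /etc/caddy/Caddyfile
        mode: "0644"
      notify: restart caddy
      tags: [caddy]

    - name: Activation Caddy
      ansible.builtin.systemd:
        name: caddy
        state: started
        enabled: true
      tags: [caddy]

  handlers:
    - name: restart sshd
      ansible.builtin.systemd:
        # Debian's unit is ssh.service; "sshd" only resolves through an alias
        # that exists while the unit is enabled.
        name: ssh
        state: restarted

    - name: restart wireguard
      ansible.builtin.systemd:
        name: wg-quick@wg0
        state: restarted

    - name: restart caddy
      ansible.builtin.systemd:
        name: caddy
        state: restarted

    - name: apt update
      ansible.builtin.apt:
        update_cache: true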