forward-ssh.sh

@@ -1,24 +1,7 @@
 #!/bin/bash
 
 # Finds the SSH private key under ./.vagrant and connects to
-# the Vagrant box, port forwarding localhost ports: 8443, 443, 80, 22
+# the Vagrant box, port forwarding localhost ports: 8443, 80, 443
-#
-# Download the latest script:
-# https://git.krislamo.org/kris/homelab/raw/branch/main/forward-ssh.sh
-#
-# Copyright (C) 2023  Kris Lamoureux
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, version 3 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <https://www.gnu.org/licenses/>.
 
 # Root check
 if [ "$EUID" -ne 0 ]; then
@@ -58,38 +41,21 @@ function ssh_connect {
 }
 
 # Check for valid PRIVATE_KEY location
-PRIVATE_KEY="$(find .vagrant -name "private_key" 2>/dev/null | sort)"
+PRIVATE_KEY="$(find .vagrant -name "private_key" 2>/dev/null)"
-
+if ! ssh-keygen -l -f "$PRIVATE_KEY" &>/dev/null; then
-# Single vagrant machine or multiple
-if [ "$(echo "$PRIVATE_KEY" | wc -l)" -gt 1 ]; then
-  while IFS= read -r KEYFILE; do
-    if ! ssh-keygen -l -f "$KEYFILE" &>/dev/null; then
-      echo "[ERROR]: The SSH key '$KEYFILE' is not valid. Is your virtual machines running?"
-      exit 1
-    fi
-    echo "[CHECK]: Valid key at $KEYFILE"
-  done < <(echo "$PRIVATE_KEY")
-  PRIVATE_KEY="$(echo "$PRIVATE_KEY" | grep -m1 "${1:-default}")"
-elif ! ssh-keygen -l -f "$PRIVATE_KEY" &>/dev/null; then
   echo "[ERROR]: The SSH key '$PRIVATE_KEY' is not valid. Is your virtual machine running?"
   exit 1
-else
-  echo "[CHECK]: Valid key at $PRIVATE_KEY"
 fi
+echo "[CHECK]: Valid key at $PRIVATE_KEY"
 
 # Grab first IP or use whatever HOST_IP_FIELD is set to and check that the guest is up
-HOST_IP="$(vagrant ssh -c "hostname -I | cut -d' ' -f${HOST_IP_FIELD:-1}" "${1:-default}" 2>/dev/null)"
+HOST_IP="$(vagrant ssh -c "hostname -I | cut -d' ' -f${HOST_IP_FIELD:-1}" 2>/dev/null)"
-if [ -z "$HOST_IP" ]; then
-  echo "[ERROR]: Failed to find ${1:-default}'s IP"
-  exit 1
-fi
 HOST_IP="${HOST_IP::-1}" # trim
-
 if ! ping -c 1 "$HOST_IP" &>/dev/null; then
   echo "[ERROR]: Cannot ping the host IP '$HOST_IP'"
   exit 1
 fi
-echo "[CHECK]: Host at $HOST_IP (${1:-default}) is up"
+echo "[CHECK]: Host at $HOST_IP is up"
 
 # Pattern for matching processes running
 MATCH_PATTERN="ssh -fNT -i ${PRIVATE_KEY}.*vagrant@"

roles/bitwarden/handlers/main.yml

@@ -5,12 +5,7 @@
   listen: rebuild_bitwarden
 
 - name: Rebuild Bitwarden
-  ansible.builtin.command: "{{ bitwarden_root }}/bitwarden.sh rebuild"
+  ansible.builtin.shell: "{{ bitwarden_root }}/bitwarden.sh rebuild"
-  listen: rebuild_bitwarden
-
-- name: Reload systemd manager configuration
-  ansible.builtin.systemd:
-    daemon_reload: true
   listen: rebuild_bitwarden
 
 - name: Start Bitwarden after rebuild
@@ -19,10 +14,3 @@
     state: started
     enabled: true
   listen: rebuild_bitwarden
-
-- name: Create Bitwarden's initial log file
-  ansible.builtin.file:
-    path: "{{ bitwarden_logs_identity }}/{{ bitwarden_logs_identity_date }}.txt"
-    state: touch
-    mode: "644"
-  listen: touch_bitwarden

roles/bitwarden/tasks/main.yml

@@ -7,7 +7,6 @@
   ansible.builtin.file:
     path: "{{ bitwarden_root }}"
     state: directory
-    mode: "755"
 
 - name: Download Bitwarden script
   ansible.builtin.get_url:
@@ -23,7 +22,7 @@
     mode: u+x
 
 - name: Run Bitwarden installation script
-  ansible.builtin.command: "{{ bitwarden_root }}/bw_wrapper"
+  ansible.builtin.shell: "{{ bitwarden_root }}/bw_wrapper"
   args:
     creates: "{{ bitwarden_root }}/bwdata/config.yml"
 
@@ -31,7 +30,6 @@
   ansible.builtin.template:
     src: compose.override.yml.j2
     dest: "{{ bitwarden_root }}/bwdata/docker/docker-compose.override.yml"
-    mode: "644"
   when: bitwarden_override | default(true)
   notify: rebuild_bitwarden
 
@@ -78,7 +76,6 @@
   ansible.builtin.template:
     src: bitwarden.service.j2
     dest: "/etc/systemd/system/{{ bitwarden_name }}.service"
-    mode: "644"
   register: bitwarden_systemd
   notify: rebuild_bitwarden
 
@@ -86,12 +83,22 @@
   ansible.builtin.file:
     path: "{{ bitwarden_logs_identity }}"
     state: directory
-    mode: "755"
+  register: bitwarden_logs
-  notify: touch_bitwarden
+
+- name: Create Bitwarden's initial log file
+  ansible.builtin.file:
+    path: "{{ bitwarden_logs_identity }}/{{ bitwarden_logs_identity_date }}.txt"
+    state: touch
+  when: bitwarden_logs.changed
 
 - name: Install Bitwarden's Fail2ban jail
   ansible.builtin.template:
     src: fail2ban-jail.conf.j2
     dest: /etc/fail2ban/jail.d/bitwarden.conf
-    mode: "640"
   notify: restart_fail2ban
+
+- name: Reload systemd manager configuration
+  ansible.builtin.systemd:
+    daemon_reload: true
+  when: bitwarden_systemd.changed
+  notify: rebuild_bitwarden

roles/gitea/tasks/main.yml

@@ -21,7 +21,6 @@
 - name: Create git's .ssh directory
   ansible.builtin.file:
     path: /home/git/.ssh
-    mode: "700"
     state: directory
 
 - name: Generate git's SSH keys
@@ -41,7 +40,6 @@
 - name: Create git's authorized_keys file
   ansible.builtin.file:
     path: /home/git/.ssh/authorized_keys
-    mode: "600"
     state: touch
   when: not git_authkeys.stat.exists
 
@@ -55,24 +53,21 @@
   ansible.builtin.template:
     src: gitea.sh.j2
     dest: /usr/local/bin/gitea
-    mode: "755"
+    mode: 0755
 
 - name: Create Gitea's logging directory
   ansible.builtin.file:
     name: /var/log/gitea
     state: directory
-    mode: "755"
 
 - name: Install Gitea's Fail2ban filter
   ansible.builtin.template:
     src: fail2ban-filter.conf.j2
     dest: /etc/fail2ban/filter.d/gitea.conf
-    mode: "644"
   notify: restart_fail2ban
 
 - name: Install Gitea's Fail2ban jail
   ansible.builtin.template:
     src: fail2ban-jail.conf.j2
     dest: /etc/fail2ban/jail.d/gitea.conf
-    mode: "640"
   notify: restart_fail2ban

roles/mariadb/handlers/main.yml

@@ -6,7 +6,7 @@
   listen: restart_mariadb
 
 - name: Set MariaDB as restarted
-  ansible.builtin.set_fact:
+  set_fact:
     mariadb_restarted: true
   when: not mariadb_restarted
   listen: restart_mariadb

roles/mariadb/tasks/main.yml

@@ -4,7 +4,7 @@
     state: present
 
 - name: Set MariaDB restarted fact
-  ansible.builtin.set_fact:
+  set_fact:
     mariadb_restarted: false
 
 - name: Regather facts for the potentially new docker0 interface

roles/proxy/handlers/main.yml

@@ -1,13 +1,3 @@
-- name: Enable nginx sites configuration
-  ansible.builtin.file:
-    src: "/etc/nginx/sites-available/{{ item.item.domain }}.conf"
-    dest: "/etc/nginx/sites-enabled/{{ item.item.domain }}.conf"
-    state: link
-    mode: "400"
-  loop: "{{ nginx_sites.results }}"
-  when: item.changed
-  listen: reload_nginx
-
 - name: Reload nginx
   ansible.builtin.service:
     name: nginx

roles/proxy/tasks/main.yml

@@ -19,18 +19,28 @@
   ansible.builtin.template:
     src: nginx.conf.j2
     dest: /etc/nginx/nginx.conf
-    mode: "644"
+    mode: 0644
   notify: reload_nginx
 
 - name: Install nginx sites configuration
   ansible.builtin.template:
     src: server-nginx.conf.j2
     dest: "/etc/nginx/sites-available/{{ item.domain }}.conf"
-    mode: "400"
+    mode: 0400
   loop: "{{ proxy.servers }}"
   notify: reload_nginx
   register: nginx_sites
 
+- name: Enable nginx sites configuration
+  ansible.builtin.file:
+    src: "/etc/nginx/sites-available/{{ item.item.domain }}.conf"
+    dest: "/etc/nginx/sites-enabled/{{ item.item.domain }}.conf"
+    state: link
+    mode: 0400
+  loop: "{{ nginx_sites.results }}"
+  when: item.changed
+  notify: reload_nginx
+
 - name: Generate self-signed certificate
   ansible.builtin.command: 'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
           -subj   "/C=US/ST=Local/L=Local/O=Org/OU=IT/CN=example.com" \
@@ -51,14 +61,14 @@
   ansible.builtin.template:
     src: cloudflare.ini.j2
     dest: /root/.cloudflare.ini
-    mode: "400"
+    mode: 0400
   when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
 
 - name: Create nginx post renewal hook directory
   ansible.builtin.file:
     path: /etc/letsencrypt/renewal-hooks/post
     state: directory
-    mode: "500"
+    mode: 0500
   when: proxy.production is defined and proxy.production
 
 - name: Install nginx post renewal hook