author | Daniel Weipert <code@drogueronin.de> | 2021-04-20 12:43:20 +0200 |
---|---|---|
committer | Daniel Weipert <code@drogueronin.de> | 2021-04-20 12:43:20 +0200 |
commit | a9a428462acb8aecc4c335027d552a30bb7c49b5 (patch) | |
tree | b3c4eaf9bcc00aefd39783b6bba17607196c2177 /src |
Initial commit
Diffstat (limited to 'src')
-rw-r--r-- | src/BaseServerSetup.php | 96 | ||||
-rw-r--r-- | src/unattended-upgrades/auto-upgrades.twig | 25 | ||||
-rw-r--r-- | src/unattended-upgrades/unattended-upgrades.php | 140 | ||||
-rw-r--r-- | src/unattended-upgrades/unattended-upgrades.twig | 117 |
4 files changed, 378 insertions, 0 deletions
diff --git a/src/BaseServerSetup.php b/src/BaseServerSetup.php
new file mode 100644
index 0000000..7ff1efb
--- /dev/null
+++ b/src/BaseServerSetup.php
@@ -0,0 +1,96 @@
+<?php
+
+namespace Dweipert\DevOps\BaseServerSetup;
+
+use PHPIAC\Module\State;
+use PHPIAC\Modules\AptModule;
+use PHPIAC\Modules\CopyModule;
+use PHPIAC\Modules\GitModule;
+use PHPIAC\Modules\TemplateModule;
+use PHPIAC\Modules\UfwModule;
+use PHPIAC\Modules\UserModule;
+use PHPIAC\Role\RoleInterface;
+use PHPIAC\Task;
+
+class BaseServerSetup implements RoleInterface
+{
+ public function __invoke(array $config = []): array
+ {
+ $config = array_replace_recursive(
+ include __DIR__ . '/unattended-upgrades/unattended-upgrades.php',
+ [
+ 'unattended_origins_patterns' => [
+ 'o=${distro_id},a=${distro_codename}',
+ 'o=${distro_id},a=${distro_codename}-security',
+ ],
+ 'unattended_mail' => $config['mail'],
+ 'unattended_automatic_reboot' => true,
+ 'unattended_syslog_enable' => true,
+ ],
+ $config
+ );
+
+ return [
+ # setup unattended upgrades
+ (new Task())->setModule(new AptModule([
+ 'package' => 'unattended-upgrades',
+ 'updateCache' => true,
+ ])),
+ (new Task())->setModule(new TemplateModule([
+ 'src' => __DIR__ . '/unattended-upgrades/auto-upgrades.twig',
+ 'dest' => '/etc/apt/apt.conf.d/20auto-upgrades',
+ 'vars' => $config,
+ 'owner' => 'root',
+ 'group' => 'root',
+ 'mode' => 0644,
+ ])),
+ (new Task())->setModule(new TemplateModule([
+ 'src' => __DIR__ . '/unattended-upgrades/unattended-upgrades.twig',
+ 'dest' => '/etc/apt/apt.conf.d/50unattended-upgrades',
+ 'vars' => $config,
+ 'owner' => 'root',
+ 'group' => 'root',
+ 'mode' => 0644,
+ ])),
+
+ # setup user
+ (new Task())->setModule(new AptModule([
+ 'package' => 'zsh',
+ ])),
+ (new Task())->setModule(new UserModule([
+ 'username' => $config['username'],
+ 'password' => $config['password'],
+ 'groups' => ['sudo'],
+ 'append' => true,
+ 'shell' => '/bin/zsh',
+ ])),
+ (new Task())->setModule(new CopyModule([
+ 'src' => '~/.ssh',
+ 'dest' => '/home/' . $config['username'],
+ 'owner' => $config['username'],
+ 'group' => $config['username'],
+ 'remoteSrc' => true,
+ ])),
+ (new Task())->setModule(new GitModule([
+ 'repo' => 'https://github.com/ohmyzsh/ohmyzsh.git',
+ 'dest' => "/home/$config[username]/.oh-my-zsh",
+ 'owner' => $config['username'],
+ 'group' => $config['username'],
+ ])),
+ (new Task())->setModule(new CopyModule([
+ 'src' => "/home/$config[username]/.oh-my-zsh/templates/zshrc.zsh-template",
+ 'dest' => "/home/$config[username]/.zshrc",
+ 'owner' => $config['username'],
+ 'group' => $config['username'],
+ 'remoteSrc' => true,
+ ])),
+
+ # setup firewall
+ (new Task())->setModule(new UfwModule([
+ 'rule' => 'allow',
+ 'name' => 'OpenSSH',
+ 'state' => State::ENABLED,
+ ])),
+ ];
+ }
+}
diff --git a/src/unattended-upgrades/auto-upgrades.twig b/src/unattended-upgrades/auto-upgrades.twig
new file mode 100644
index 0000000..388a028
--- /dev/null
+++ b/src/unattended-upgrades/auto-upgrades.twig
@@ -0,0 +1,25 @@
+APT::Periodic::Unattended-Upgrade "1";
+
+{% if unattended_update_package_list is defined %}
+APT::Periodic::Update-Package-Lists "{{unattended_update_package_list}}";
+{% endif %}
+
+{% if unattended_download_upgradeable is defined %}
+APT::Periodic::Download-Upgradeable-Packages "{{unattended_download_upgradeable}}";
+{% endif %}
+
+{% if unattended_autoclean_interval is defined %}
+APT::Periodic::AutocleanInterval "{{unattended_autoclean_interval}}";
+{% endif %}
+
+{% if unattended_clean_interval is defined %}
+APT::Periodic::CleanInterval "{{unattended_clean_interval}}";
+{% endif %}
+
+{% if unattended_verbose is defined %}
+APT::Periodic::Verbose "{{unattended_verbose}}";
+{% endif %}
+
+{% if unattended_random_sleep is defined %}
+APT::Periodic::RandomSleep "{{unattended_random_sleep}}";
+{% endif %}
diff --git a/src/unattended-upgrades/unattended-upgrades.php b/src/unattended-upgrades/unattended-upgrades.php
new file mode 100644
index 0000000..1c3f73c
--- /dev/null
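Review bot: `__invoke` reads `$config['mail']`, `$config['username']` and `$config['password']` without checking they were supplied, although the signature defaults `$config` to `[]`; a missing key yields null, so the CopyModule and GitModule tasks would be generated against `/home/` and `/home//.oh-my-zsh` with a null owner. Fail fast at the top of the method, e.g. `$username = $config['username'] ?? throw new \InvalidArgumentException('username is required');`, and likewise for `mail` and `password`. The first CopyModule task also copies the provisioning user's entire `~/.ssh` directory into the new account; if that directory may contain private keys or known_hosts rather than only `authorized_keys`, copying just `authorized_keys` keeps the new user to what it needs, and unlike the TemplateModule tasks no `mode` is set, so the resulting permissions depend on CopyModule's defaults. Whether UserModule expects `password` already hashed or in plaintext is not visible here; a comment stating which would help callers avoid putting a plaintext secret into configuration.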
+++ b/src/unattended-upgrades/unattended-upgrades.php 
@@ -0,0 +1,140 @@
+<?php
+
+return [
+ # Cache update time for apt module
+ 'unattended_cache_valid_time' => 3600,
+
+ #Unattended-Upgrade::Origins-Pattern
+ # Automatically upgrade packages from these origin patterns
+ # e.g.: 'o=Debian,a=stable', 'o=Debian,a=stable-updates'
+ #
+ # Left unset, distribution-specific defaults will be used through
+ # __unattended_origins_patterns variable only if this variable
+ # is not provided externally
+ # REFS https://github.com/ansible/ansible/issues/8121
+ #'unattended_origins_patterns' => [],
+
+ #Unattended-Upgrade::Package-Blacklist
+ # List of packages to not update
+ 'unattended_package_blacklist' => [],
+
+ #Unattended-Upgrade::AutoFixInterruptedDpkg
+ # On a unclean dpkg exit unattended-upgrades will run
+ # dpkg --force-confold --configure -a
+ # The default is true, to ensure updates keep getting installed
+ 'unattended_autofix_interrupted_dpkg' => true,
+
+ #Unattended-Upgrade::MinimalSteps
+ # Split the upgrade into the smallest possible chunks so that
+ # they can be interrupted with SIGUSR1. This makes the upgrade
+ # a bit slower but it has the benefit that shutdown while a upgrade
+ # is running is possible (with a small delay)
+ 'unattended_minimal_steps' => true,
+
+ #Unattended-Upgrade::InstallOnShutdown
+ # Install all unattended-upgrades when the machine is shuting down
+ # instead of doing it in the background while the machine is running
+ # This will (obviously) make shutdown slower
+ 'unattended_install_on_shutdown' => false,
+
+ #Unattended-Upgrade::Mail
+ # Send email to this address for problems or packages upgrades
+ # If empty or unset then no email is sent, make sure that you
+ # have a working mail setup on your system. A package that provides
+ # 'mailx' must be installed.
+ 'unattended_mail' => false,
+
+ #Unattended-Upgrade::MailOnlyOnError
+ # Set this value to "true" to get emails only on errors. Default
+ # is to always send a mail if Unattended-Upgrade::Mail is set
+ 'unattended_mail_only_on_error' => false,
+
+ #Unattended-Upgrade::Remove-Unused-Dependencies
+ # Do automatic removal of all unused dependencies after the upgrade
+ # (equivalent to apt-get autoremove)
+ 'unattended_remove_unused_dependencies' => false,
+
+ #Unattended-Upgrade::Remove-New-Unused-Dependencies
+ # Remove any new unused dependencies after the upgrade
+ 'unattended_remove_new_unused_dependencies' => true,
+
+ #Unattended-Upgrade::Automatic-Reboot
+ # Automatically reboot *WITHOUT CONFIRMATION* if a
+ # the file /var/run/reboot-required is found after the upgrade
+ 'unattended_automatic_reboot' => false,
+
+ #Unattended-Upgrade::Automatic-Reboot-Time
+ # If automatic reboot is enabled and needed, reboot at the specific
+ # time instead of immediately
+ 'unattended_automatic_reboot_time' => false,
+
+ #Unattended-Upgrade::IgnoreAppsRequireRestart
+ # Do upgrade application even if it requires restart after upgrade
+ # I.e. "XB-Upgrade-Requires: app-restart" is set in the debian/control file
+ 'unattended_ignore_apps_require_restart' => false,
+
+ #Unattended-Upgrade::SyslogEnable
+ # Write events to syslog, which is useful in environments where syslog
+ # messages are sent to a central store.
+ 'unattended_syslog_enable' => false,
+
+ #Unattended-Upgrade::SyslogFacility
+ # Write events to the specified syslog facility, or the daemon facility if
+ # not specified. Requires the Unattended-Upgrade::SyslogEnable option to be
+ # set to true.
+ #'unattended_syslog_facility' => 'daemon',
+
+ ### APT::Periodic configuration
+ # Snatched from /usr/lib/apt/apt.systemd.daily
+
+ #APT::Periodic::Update-Package-Lists "0";
+ # - Do "apt-get update" automatically every n-days (0=disable)
+ 'unattended_update_package_list' => 1,
+
+ #APT::Periodic::Download-Upgradeable-Packages "0";
+ # - Do "apt-get upgrade --download-only" every n-days (0=disable)
+ #'unattended_download_upgradeable' => 0,
+
+ #APT::Periodic::AutocleanInterval "0";
+ # - Do "apt-get autoclean" every n-days (0=disable)
+ 'unattended_autoclean_interval' => 7,
+
+ #APT::Periodic::CleanInterval "0";
+ # - Do "apt-get clean" every n-days (0=disable)
+ #'unattended_clean_interval' => 0,
+
+ #APT::Periodic::Verbose "0";
+ # - Send report mail to root
+ # 0: no report (or null string)
+ # 1: progress report (actually any string)
+ # 2: + command outputs (remove -qq, remove 2>/dev/null, add -d)
+ # 3: + trace on
+ #'unattended_verbose' => 0,
+
+ ## Cron systems only
+
+ #APT::Periodic::RandomSleep
+ # When the apt job starts, it will sleep for a random period between 0
+ # and APT::Periodic::RandomSleep seconds
+ # The default value is "1800" so that the script will stall for up to 30
+ # minutes (1800 seconds) so that the mirror servers are not crushed by
+ # everyone running their updates all at the same time
+ # Kept undefined to allow default (1800)
+ #'unattended_random_sleep' => 0,
+
+ #Dpkg::Options
+ # Provide dpkg options that take effect during unattended upgrades.
+ # By default no flags are appended. Configuration file changes can
+ # block installation of certain packages. Passing the flags
+ # "--force-confdef" and "--force-confold" will ensure updates are applied
+ # and old configuration files are preserved.
+ 'unattended_dpkg_options' => [],
+
+ # 'unattended_dpkg_options' => [
+ # '--force-confdef',
+ # '--force-confold',
+ # ],
+
+ # Use apt bandwidth limit feature, this example limits the download speed to 70kb/sec
+ #'unattended_dl_limit' => 70,
+];
diff --git a/src/unattended-upgrades/unattended-upgrades.twig b/src/unattended-upgrades/unattended-upgrades.twig
new file mode 100644
index 0000000..0796f6b
--- /dev/null
+++ b/src/unattended-upgrades/unattended-upgrades.twig
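Review bot: The comment above the commented-out `unattended_origins_patterns` entry still describes the Ansible role this file was ported from (a `__unattended_origins_patterns` fallback and an ansible issue link), but nothing in this port provides that fallback: with the key unset, `unattended-upgrades.twig` skips its loop and renders an empty `Unattended-Upgrade::Origins-Pattern { };`, so unattended-upgrades has no origins to pull updates from. Either replace the three comment lines with something accurate, e.g. `# No default is provided; if left unset the generated Origins-Pattern block is empty and no updates are applied`, or move the two patterns that BaseServerSetup.php sets into this file as the default. `unattended_cache_valid_time` is defined here but nothing in the BaseServerSetup.php hunk reads it, so it is either dead or should be wired into the AptModule task; a comment naming its consumer would settle that.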
@@ -0,0 +1,117 @@
+// Unattended-Upgrade::Origins-Pattern controls which packages are
+// upgraded.
+Unattended-Upgrade::Origins-Pattern {
+{% if unattended_origins_patterns is defined %}
+{% for origin in unattended_origins_patterns %}
+ "{{ origin }}";
+{% endfor %}
+{% endif %}
+};
+
+// List of packages to not update (regexp are supported)
+Unattended-Upgrade::Package-Blacklist {
+{% for package in unattended_package_blacklist %}
+ "{{ package }}";
+{% endfor %}
+};
+
+{% if not unattended_autofix_interrupted_dpkg %}
+// This option allows you to control if on a unclean dpkg exit
+// unattended-upgrades will automatically run
+// dpkg --force-confold --configure -a
+// The default is true, to ensure updates keep getting installed
+Unattended-Upgrade::AutoFixInterruptedDpkg "false";
+{% endif %}
+
+// Split the upgrade into the smallest possible chunks so that
+// they can be interrupted with SIGUSR1. This makes the upgrade
+// a bit slower but it has the benefit that shutdown while a upgrade
+// is running is possible (with a small delay)
+Unattended-Upgrade::MinimalSteps "{{ unattended_minimal_steps | lower }}";
+
+{% if unattended_install_on_shutdown %}
+// Install all unattended-upgrades when the machine is shuting down
+// instead of doing it in the background while the machine is running
+// This will (obviously) make shutdown slower
+Unattended-Upgrade::InstallOnShutdown "true";
+{% endif %}
+
+{% if unattended_mail %}
+// Send email to this address for problems or packages upgrades
+// If empty or unset then no email is sent, make sure that you
+// have a working mail setup on your system. A package that provides
+// 'mailx' must be installed.
+Unattended-Upgrade::Mail "{{ unattended_mail }}";
+{% endif %}
+
+{% if unattended_mail_only_on_error %}
+// Set this value to "true" to get emails only on errors. Default
+// is to always send a mail if Unattended-Upgrade::Mail is set
+Unattended-Upgrade::MailOnlyOnError "true";
+{% endif %}
+
+{% if unattended_remove_unused_dependencies %}
+// Do automatic removal of all unused dependencies after the upgrade
+// (equivalent to apt-get autoremove)
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+{% endif %}
+
+{% if not unattended_remove_new_unused_dependencies %}
+// Do automatic removal of new unused dependencies after the upgrade
+Unattended-Upgrade::Remove-New-Unused-Dependencies "false";
+{% endif %}
+
+{% if unattended_automatic_reboot %}
+// Automatically reboot *WITHOUT CONFIRMATION* if a
+// the file /var/run/reboot-required is found after the upgrade
+Unattended-Upgrade::Automatic-Reboot "true";
+{% endif %}
+
+{% if unattended_automatic_reboot_time %}
+// If automatic reboot is enabled and needed, reboot at the specific
+// time instead of immediately
+// Default: "now"
+Unattended-Upgrade::Automatic-Reboot-Time "{{ unattended_automatic_reboot_time }}";
+{% endif %}
+
+{% if unattended_update_days is defined %}
+// Set the days of the week that updates should be applied. The days can be specified
+// as localized abbreviated or full names. Or as integers where "0" is Sunday, "1" is
+// Monday etc.
+// Example - apply updates only on Monday and Friday:
+// {"Mon";"Fri"};
+Unattended-Upgrade::Update-Days {{ unattended_update_days }};
+{% endif %}
+
+{% if unattended_ignore_apps_require_restart %}
+// Do upgrade application even if it requires restart after upgrade
+// I.e. "XB-Upgrade-Requires: app-restart" is set in the debian/control file
+Unattended-Upgrade::IgnoreAppsRequireRestart "true";
+{% endif %}
+
+{% if unattended_syslog_enable %}
+// Write events to syslog, which is useful in environments where syslog
+// messages are sent to a central store.
+Unattended-Upgrade::SyslogEnable "{{ unattended_syslog_enable }}";
+{% if unattended_syslog_facility is defined %}
+// Write events to the specified syslog facility, or the daemon facility
+// if not specified. Requires the Unattended-Upgrade::SyslogEnable option
+// to be set to true.
+Unattended-Upgrade::SyslogFacility "{{ unattended_syslog_facility }}";
+{% endif %}
+{% endif %}
+
+{% if unattended_dpkg_options %}
+// Append options for governing dpkg behavior, e.g. --force-confdef.
+Dpkg::Options {
+{% for dpkg_option in unattended_dpkg_options %}
+ "{{ dpkg_option }}";
+{% endfor %}
+};
+{% endif %}
+
+{% if unattended_dl_limit is defined %}
+// Use apt bandwidth limit feature, this example limits the download
+// speed to 70kb/sec
+Acquire::http::Dl-Limit "{{ unattended_dl_limit }}";
+{% endif %} |
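Review bot: `Unattended-Upgrade::MinimalSteps "{{ unattended_minimal_steps | lower }}";` carries over a Jinja idiom where booleans print as True/False, but Twig prints a PHP `true` as `1` and `false` as an empty string, so `lower` has nothing to do and a caller setting `unattended_minimal_steps => false` gets `MinimalSteps "";`, which apt does not read as false (its built-in default remains in effect). Emit the literal instead: `Unattended-Upgrade::MinimalSteps "{{ unattended_minimal_steps ? 'true' : 'false' }}";`, and for the same reason write `Unattended-Upgrade::SyslogEnable "true";` inside its `{% if %}` block rather than echoing the variable. If the Twig environment is created with its default autoescaping, values such as `Update-Days` (`{"Mon";"Fri"}`) or blacklist regexps containing `"` or `&` would be entity-escaped into the apt configuration; confirm autoescape is off for these templates or mark those outputs `|raw`.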