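"""pyinfra deploy for dns.benpro.fr.

Provisions an admin user, moves sshd to port 28, configures ufw, obtains a
Let's Encrypt certificate with certbot and installs AdGuard Home running as a
dedicated system account.

Inventory data expected on the host (``host.data``):
    app_user -- name of the AdGuard service account (also used as its group)
    app_dir  -- home directory of that account; AdGuard is installed under it
"""
from pyinfra import host
from pyinfra.operations import apt, files, server, systemd

# pyinfra v1 module-level switch: every operation below runs via sudo.
SUDO = True

APP_USER = host.data.app_user
APP_DIR = host.data.app_dir
DOMAIN = 'dns.benpro.fr'
LE_LIVE_DIR = '/etc/letsencrypt/live/{}'.format(DOMAIN)
SSH_PORT = 28
ADGUARD_TARBALL = 'AdGuardHome_linux_amd64.tar.gz'
ADGUARD_SERVICE = 'AdGuardHome.service'

server.user(
    name='Add user benpro',
    user='benpro',
    groups=['sudo'],
    public_keys='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFs7yO0auvwFL8HTLMUq6lET6DMYLhqhd32rqFfZUsjL openpgp:0xA32E99AD',
    shell='/bin/bash',
    present=True,
)

server.hostname(
    name='Set the hostname',
    hostname=DOMAIN,
)

apt.update(
    name='Update apt repositories',
)

apt.upgrade(
    name='Upgrade apt packages',
)

apt.packages(
    name='Install ufw',
    packages=['ufw'],
    update=False,
)

# Move sshd off port 22. NOTE(review): pyinfra appears to anchor the pattern
# to the whole line, so a stock commented-out '#Port 22' line is rewritten as
# well -- confirm against the target's sshd_config. The ufw rule for the new
# port is added below, before ufw is enabled, so the session is not locked out.
files.line(
    name='Set port 28 for SSH',
    path='/etc/ssh/sshd_config',
    line=r'Port .*',
    replace='Port {}'.format(SSH_PORT),
)

systemd.service(
    name='Reload sshd',
    service='ssh.service',
    reloaded=True,
)

# 28/tcp: ssh, rate limited; 80/443: needed by the standalone certbot run
# below; 853: presumably DNS-over-TLS. Plain DNS (53) is not opened here --
# add it if the resolver is meant to serve it.
server.shell(
    name='Add ufw rules',
    commands=[
        'ufw limit {}'.format(SSH_PORT),
        'ufw allow 80',
        'ufw allow 443',
        'ufw allow 853',
    ],
)

server.shell(
    name='Enable ufw',
    # --force answers the interactive "may disrupt existing ssh connections"
    # prompt instead of piping `yes` into it.
    commands=['ufw --force enable'],
)

apt.packages(
    name='Install certbot',
    packages=['certbot'],
    update=False,
)

# Only request a certificate when none exists; renewals are left to certbot
# and the renewal hooks installed at the end of this deploy.
if not host.fact.directory(LE_LIVE_DIR):
    server.shell(
        name='Add certificate',
        commands=[
            'certbot certonly --non-interactive --email certbot@benpro.fr '
            '--agree-tos --standalone -d {}'.format(DOMAIN),
        ],
    )

server.group(
    name='Add group adguard',
    group=APP_USER,
    system=True,
    present=True,
)

server.user(
    name='Add user adguard',
    user=APP_USER,
    group=APP_USER,
    home=APP_DIR,
    ensure_home=True,
    system=True,
    present=True,
)

# Copy certificate and key (dereferencing the live/ symlinks) into the service
# account's directory. `install` sets owner, group and mode in one step: the
# previous `cp -L` followed by `chown` left privkey.pem with the umask default
# (usually 0644), i.e. readable by every local user.
# NOTE(review): nothing in this deploy refreshes these copies after a renewal
# unless files/start-adguard.sh does so -- confirm.
for cert_file in ['fullchain.pem', 'privkey.pem']:
    server.shell(
        name='Make certificate available for Adguard ({})'.format(cert_file),
        chdir=APP_DIR,
        commands=[
            'install -o {0} -g {0} -m 0640 {1}/{2} {2}'.format(
                APP_USER, LE_LIVE_DIR, cert_file,
            ),
        ],
    )

# NOTE(review): this is the unversioned "latest release" URL and the archive
# is not verified (files.download accepts sha256sum=). Pin a release and its
# checksum so a swapped or tampered download cannot become the resolver.
files.download(
    name='Download AdGuard',
    src='https://static.adguard.com/adguardhome/release/{}'.format(ADGUARD_TARBALL),
    dest='{}/{}'.format(APP_DIR, ADGUARD_TARBALL),
    user=APP_USER,
    group=APP_USER,
    mode='640',
    cache_time=604800,  # seconds: re-download at most once a week
)

server.shell(
    name='Extract Adguard release file',
    chdir=APP_DIR,
    commands=[
        'tar zxf {}'.format(ADGUARD_TARBALL),
        'chown -R {}: AdGuardHome'.format(APP_USER),
    ],
)

# The service runs as an unprivileged account; CAP_NET_BIND_SERVICE lets it
# bind the low ports. NOTE(review): CAP_NET_RAW is presumably for the built-in
# DHCP server -- drop it if DHCP is not used.
server.shell(
    name='Setcap on Adguard binary',
    chdir=APP_DIR,
    commands=["setcap 'CAP_NET_BIND_SERVICE=+eip CAP_NET_RAW=+eip' AdGuardHome/AdGuardHome"],
)

# .get(): on the first run the unit does not exist yet, so the fact may have
# no entry for it and plain indexing would raise KeyError.
if not host.fact.systemd_enabled.get(ADGUARD_SERVICE, False):
    server.shell(
        name='Install Adguard systemd service file',
        chdir=APP_DIR,
        commands=['AdGuardHome/AdGuardHome -s install'],
    )

files.put(
    name='Update systemd service file',
    src='files/AdGuardHome.service',
    dest='/etc/systemd/system/{}'.format(ADGUARD_SERVICE),
    mode='644',
)

files.put(
    name='Push AdGuardHome config',
    src='files/AdGuardHome.yaml',
    dest='{}/AdGuardHome/AdGuardHome.yaml'.format(APP_DIR),
    mode='640',
    user=APP_USER,
    group=APP_USER,
)

systemd.daemon_reload(
    name='Reload systemd',
    user_mode=False,
)

systemd.service(
    name='Restart and enable adguard service',
    service=ADGUARD_SERVICE,
    running=True,
    restarted=True,
    enabled=True,
)

# Renewal hooks: stop AdGuard before certbot runs (presumably so the
# standalone challenge can bind port 80) and start it again afterwards.
files.put(
    name='Set LE pre renewal-hook',
    src='files/stop-adguard.sh',
    dest='/etc/letsencrypt/renewal-hooks/pre/stop-adguard.sh',
    mode='755',
)

files.put(
    name='Set LE post renewal-hook',
    src='files/start-adguard.sh',
    dest='/etc/letsencrypt/renewal-hooks/post/start-adguard.sh',
    mode='755',
)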