From 9a32d8e93a70e9b39a28cb1fd54c756447a35656 Mon Sep 17 00:00:00 2001 
From: wasabi Date: Thu, 31 Jul 2025 18:46:03 -0500 Subject: [PATCH] Added ansible for standing up the influx server --- .gitignore | 7 ++ ansible/.gitkeep | 0 ansible/README.md | 90 ++++++++++++++++++++++++ ansible/install.sh | 1 + ansible/inventory | 2 + ansible/roles/.gitkeep | 0 ansible/roles/apt/.gitkeep | 0 ansible/roles/apt/tasks/.gitkeep | 0 ansible/roles/firewall/.gitkeep | 0 ansible/roles/firewall/tasks/.gitkeep | 0 ansible/roles/influx-user/.gitkeep | 0 ansible/roles/influx-user/tasks/.gitkeep | 0 ansible/roles/influxdb/.gitkeep | 0 ansible/roles/influxdb/tasks/.gitkeep | 0 ansible/roles/permissions/.gitkeep | 0 ansible/roles/permissions/tasks/.gitkeep | 0 ansible/roles/sshd/.gitkeep | 0 ansible/roles/sshd/files/.gitkeep | 0 ansible/roles/sshd/tasks/.gitkeep | 0 ansible/roles/volume/.gitkeep | 0 ansible/roles/volume/tasks/.gitkeep | 0 ansible/run.sh | 61 ++++++++++++++++ ansible/vars/.gitkeep | 0 ansible/vars/main.yml | 47 +++++++++++++ ansible/vars/secrets.example.yml | 0 25 files changed, 208 insertions(+) create mode 100644 ansible/.gitkeep create mode 100644 ansible/README.md create mode 100644 ansible/install.sh create mode 100644 ansible/inventory create mode 100644 ansible/roles/.gitkeep create mode 100644 ansible/roles/apt/.gitkeep create mode 100644 ansible/roles/apt/tasks/.gitkeep create mode 100644 ansible/roles/firewall/.gitkeep create mode 100644 ansible/roles/firewall/tasks/.gitkeep create mode 100644 ansible/roles/influx-user/.gitkeep create mode 100644 ansible/roles/influx-user/tasks/.gitkeep create mode 100644 ansible/roles/influxdb/.gitkeep create mode 100644 ansible/roles/influxdb/tasks/.gitkeep create mode 100644 ansible/roles/permissions/.gitkeep create mode 100644 ansible/roles/permissions/tasks/.gitkeep create mode 100644 ansible/roles/sshd/.gitkeep create mode 100644 ansible/roles/sshd/files/.gitkeep create mode 100644 ansible/roles/sshd/tasks/.gitkeep create mode 100644 ansible/roles/volume/.gitkeep create mode 100644 
ansible/roles/volume/tasks/.gitkeep create mode 100644 ansible/run.sh create mode 100644 ansible/vars/.gitkeep create mode 100644 ansible/vars/main.yml create mode 100644 ansible/vars/secrets.example.yml diff --git a/.gitignore b/.gitignore index ef6e94c..09b6c00 100644 --- a/.gitignore +++ b/.gitignore @@ -208,3 +208,10 @@ __marimo__/ # sqlite stuff *.db + +# SSH Stuff +*.pub +ansible/inventory-actual +*.retry +.ansible/ +ansible/vars/secrets.yml diff --git a/ansible/.gitkeep b/ansible/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/ansible/README.md b/ansible/README.md new file mode 100644 index 0000000..15664cd --- /dev/null +++ b/ansible/README.md 
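Review bot: The `# SSH Stuff` block in the `.gitignore` hunk ignores `*.pub`, which matches only public keys. Private key files usually have no extension, so none of the added patterns keeps one out of a commit if a key pair is generated inside the working tree. If keys are ever expected to sit next to the playbook (an assumption; the patch does not show where they live), add patterns for the private half too, for example `id_rsa`, `id_ed25519`, `*.pem` and `*.key`. Ignoring `ansible/vars/secrets.yml` and `ansible/inventory-actual` is good; a short comment saying why each is ignored would help the next contributor keep them out of history.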
@@ -0,0 +1,90 @@
+# Ansible playbook for server configuration
+
+## A word of warning about the volume task
+
+The volumes task creates, formats, and mounts volumes on your machine. It's expected that the influxdb database
+lives on it's own volume, preferably ssd storage. This will vastly impact the performance of the whole app, and
+is *highly* recommended. It is not suggested that you store this volume on the root disk. This allows influxdb
+to have exclusive bandwidth for the database, and if you want to make fast actions, this is very recommended.
+
+Creating and formatting volumes is an **inherently destructive** action, and therefore this task should only
+be performed on the first run, or if you do not care about your database. By default this task will only be
+performed once, and the file responsible for allowing this to run will be removed for future runs.
+
+**IF YOU SHOOT YOURSELF IN THE FOOT WITH THIS, THIS IS YOUR FAULT**
+
+You should **NEVER** enable the influx-volume task on successive runs unless you **WISH TO DESTROY** your influx
+install and database volume.
+
+## A note about Security
+
+As we are talking about access to your kraken account api keys with this playbook, you should be very careful
+and read as much of the playbook you can and *ensure you understand what is happening*. We are human developers
+and humans make mistakes. Be very careful with your api keys, as they can be used to make trades and transfer
+funds. We do not wish for you to lose your crypto. Take care. Be safe. Read the code, and the documentation fully
+before deciding to give this software your api key. If you decide not to trust this playbook, that's fine. Move the
+vars/secrets.example.yml to vars/secrets.yml and do not fill in the `kraken_api_key` field. Install your api key
+manually. We will provide examples on how to do this at a later date.
+
+Also, because of how this program is written, it is *not recommended* that you run the playbook manually. Use our
+wrapper script, it will ensure that you don't accidentally wipe your database or expose your kraken api keys by
+leaving them on a hard drive. We recommend never storing your api keys to your crypto accounts *anywhere* you don't
+*expressly need to*. Not in a password vault, not on your hard drive, not in your email, not in a text file, nowhere.
+As long as you maintain access to your kraken account, you should be able to create a new api key. Unfortunately,
+your api key *must* be available to the software this playbook installs, (that is, on the machine you are running
+this script against) so you should take every effort to *guard that key like it's worth all the money in your kraken
+account*, because, well, it is. If you don't trust us, fine. Don't. That's your choice. Find another piece of software,
+or write your own. We won't be upset about this. At the end of the day, you must take responsibility for your own
+financial wellbeing.
+
+## A note about SSH keys
+
+SSH keys are access to the server, and thus access to your api key, and thus access to your kraken account balance.
+**Password protect them for the love of all that is holy**. Or, if you don't believe anything is holy, password
+protect them for the love of your own money. We recommend following the
+[NIST Password Guidelines](https://pages.nist.gov/800-63-4/sp800-63b/passwords/) at the very **minimum**. Ideally, the
+password on your key should be 50-100% *longer* than what's recommended in these guidelines. Yes, this is a pain.
+Yes, it's necessary. If you ever lose your key, or worse, accidentally send it to someone, or worse, have it stolen
+from you, you *should* still be safe if you password protect it, but it depends entirely on the strength of your
+password.
+
+## Variables
+
+Before running this playbook, make sure to fill in the empty variables in the vars/main.yml and vars/secrets.yml
+files. These files contain the variables that will define the behavior of this playbook. They are expected and
+necessary for proper behavior of the playbook.
+
+## Server requirements
+
+Recommended server setup is the latest version of Debian stable, but you could probably get away with Ubuntu as
+well. We have not, nor will we, field questions about Ubuntu. Just use Debian if you have questions. That's what
+this is tested on, and that is what we will answer questions about.
+
+Current VPS setup:
+
+ 1 core shared cpu with 10gb root volume and 10gb database volume with snapshots enabled
+
+Database size:
+
+ At this time, unknown, likely variable. 10gb volume is what we are testing, but this may need to be expanded
+
+## Setup
+
+To set up the environment necessary for this playbook, you can run the install.sh file. Like any code you run on
+your computer, you should make sure you trust it. Read it, preferrably *before* you execute it.
+
+ chmod u+x install.sh
+ ./install.sh
+
+## Running the playbook
+
+**First time you run this playbook *only***
+
+ DESTROY_DATABASE_VOLUME=true ./run.sh
+
+
+**Subsequent runs of the playbook**
+
+ ./run.sh
+
+Good luck, and happy tuning.
diff --git a/ansible/install.sh b/ansible/install.sh
new file mode 100644
index 0000000..907b308
--- /dev/null
+++ b/ansible/install.sh
@@ -0,0 +1 @@
+blah
diff --git a/ansible/inventory b/ansible/inventory
new file mode 100644
index 0000000..75498b5
--- /dev/null
+++ b/ansible/inventory
@@ -0,0 +1,2 @@
+[influxdb]
+localhost
\ No newline at end of file
diff --git a/ansible/roles/.gitkeep b/ansible/roles/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/ansible/roles/apt/.gitkeep b/ansible/roles/apt/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/ansible/roles/apt/tasks/.gitkeep b/ansible/roles/apt/tasks/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/ansible/roles/firewall/.gitkeep b/ansible/roles/firewall/.gitkeep
new file mode 100644
index 0000000..e69de29
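Review bot: `ansible/install.sh` consists of the single line `blah` and has no shebang, yet the README added in this same patch tells users to `chmod u+x install.sh` and run it. As committed, the script can only fail with a command-not-found error. Until the real installer exists, make the placeholder fail on purpose with a clear message, e.g. `#!/usr/bin/env sh` followed by `echo "install.sh is not implemented yet" >&2; exit 1`, or remove the Setup step from the README. The README also asks readers to review the script before executing it, so the file should open with a header comment saying what it installs and from where once the real content lands.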
diff --git a/ansible/roles/firewall/tasks/.gitkeep b/ansible/roles/firewall/tasks/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/ansible/roles/influx-user/.gitkeep b/ansible/roles/influx-user/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/ansible/roles/influx-user/tasks/.gitkeep b/ansible/roles/influx-user/tasks/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/ansible/roles/influxdb/.gitkeep b/ansible/roles/influxdb/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/ansible/roles/influxdb/tasks/.gitkeep b/ansible/roles/influxdb/tasks/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/ansible/roles/permissions/.gitkeep b/ansible/roles/permissions/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/ansible/roles/permissions/tasks/.gitkeep b/ansible/roles/permissions/tasks/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/ansible/roles/sshd/.gitkeep b/ansible/roles/sshd/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/ansible/roles/sshd/files/.gitkeep b/ansible/roles/sshd/files/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/ansible/roles/sshd/tasks/.gitkeep b/ansible/roles/sshd/tasks/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/ansible/roles/volume/.gitkeep b/ansible/roles/volume/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/ansible/roles/volume/tasks/.gitkeep b/ansible/roles/volume/tasks/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/ansible/run.sh b/ansible/run.sh
new file mode 100644
index 0000000..7218be5
--- /dev/null
+++ b/ansible/run.sh
@@ -0,0 +1,61 @@
+#!/usr/bin/env sh
+
+## Set inventory to the first option
+inventory="${1}"
+
+## Give options if none passed
+if [ -z "$#" ]; then
+ echo "Usage:"
+ echo "${0} /tmp/hash.sed <