mockupAWS/infrastructure/ansible/playbooks/setup-server.yml
Luca Sacchi Ricciardi 38fd6cb562
release: v1.0.0 - Production Ready
Complete production-ready release with all v1.0.0 features:

Architecture & Planning (@spec-architect):
- Production architecture design with scalability and HA
- Security audit plan and compliance review
- Technical debt assessment and refactoring roadmap

Database (@db-engineer):
- 17 performance indexes and 3 materialized views
- PgBouncer connection pooling
- Automated backup/restore with PITR (RTO<1h, RPO<5min)
- Data archiving strategy (~65% storage savings)

Backend (@backend-dev):
- Redis caching layer with 3-tier strategy
- Celery async jobs with Flower monitoring
- API v2 with rate limiting (tiered: free/premium/enterprise)
- Prometheus metrics and OpenTelemetry tracing
- Security hardening (headers, audit logging)

Frontend (@frontend-dev):
- Bundle optimization: 308KB (code splitting, lazy loading)
- Onboarding tutorial (react-joyride)
- Command palette (Cmd+K) and keyboard shortcuts
- Analytics dashboard with cost predictions
- i18n (English + Italian) and WCAG 2.1 AA compliance

DevOps (@devops-engineer):
- Complete deployment guide (Docker, K8s, AWS ECS)
- Terraform AWS infrastructure (Multi-AZ RDS, ElastiCache, ECS)
- CI/CD pipelines with blue-green deployment
- Prometheus + Grafana monitoring with 15+ alert rules
- SLA definition and incident response procedures

QA (@qa-engineer):
- 153+ E2E test cases (85% coverage)
- k6 performance tests (1000+ concurrent users, p95<200ms)
- Security testing (0 critical vulnerabilities)
- Cross-browser and mobile testing
- Official QA sign-off

Production Features:
- Horizontal scaling ready
- 99.9% uptime target
- <200ms response time (p95)
- Enterprise-grade security
- Complete observability
- Disaster recovery
- SLA monitoring

Ready for production deployment! 🚀
2026-04-07 20:14:51 +02:00


---
- name: Configure mockupAWS Production Server
  hosts: production
  become: yes
  vars:
    app_name: mockupaws
    app_user: mockupaws
    app_group: mockupaws
    app_dir: /opt/mockupaws
    data_dir: /data/mockupaws
    # domain_name and admin_email are not defined here; they must come from the
    # inventory, group_vars or --extra-vars (used by the SSL tasks below).

  tasks:
    #------------------------------------------------------------------------------
    # System Updates
    #------------------------------------------------------------------------------
    - name: Update system packages
      apt:
        update_cache: yes
        upgrade: dist
        autoremove: yes
      when: ansible_os_family == "Debian"
      tags: [system]

    - name: Install required packages
      apt:
        name:
          - apt-transport-https
          - ca-certificates
          - curl
          - gnupg
          - lsb-release
          - software-properties-common
          - python3-pip
          - python3-venv
          - nginx
          - fail2ban
          - ufw
          - htop
          - iotop
          - ncdu
          - tree
          - jq
        state: present
        update_cache: yes
      when: ansible_os_family == "Debian"
      tags: [system]

    #------------------------------------------------------------------------------
    # User Setup
    #------------------------------------------------------------------------------
    - name: Create application group
      group:
        name: "{{ app_group }}"
        state: present
      tags: [user]

    - name: Create application user
      user:
        name: "{{ app_user }}"
        group: "{{ app_group }}"
        home: "{{ app_dir }}"
        shell: /bin/bash
        state: present
      tags: [user]

    #------------------------------------------------------------------------------
    # Docker Installation
    #------------------------------------------------------------------------------
    # Note: the repository URL is Ubuntu-specific, while the condition matches the
    # whole Debian family; on plain Debian hosts use the linux/debian URL instead.
    - name: Add Docker GPG key
      apt_key:
        url: https://download.docker.com/linux/ubuntu/gpg
        state: present
      when: ansible_os_family == "Debian"
      tags: [docker]

    - name: Add Docker repository
      apt_repository:
        repo: "deb [arch=amd64] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
        state: present
      when: ansible_os_family == "Debian"
      tags: [docker]

    - name: Install Docker
      apt:
        name:
          - docker-ce
          - docker-ce-cli
          - containerd.io
          - docker-compose-plugin
        state: present
        update_cache: yes
      when: ansible_os_family == "Debian"
      tags: [docker]

    # Membership of the docker group is root-equivalent on the host: anyone who
    # can act as {{ app_user }} can start privileged containers.
    - name: Add user to docker group
      user:
        name: "{{ app_user }}"
        groups: docker
        append: yes
      tags: [docker]

    - name: Enable and start Docker
      systemd:
        name: docker
        enabled: yes
        state: started
      tags: [docker]

    #------------------------------------------------------------------------------
    # Directory Structure
    #------------------------------------------------------------------------------
    # 0755 leaves the Postgres/Redis data directories world-readable; tighten to
    # 0750 if other local accounts exist on the host.
    - name: Create application directories
      file:
        path: "{{ item }}"
        state: directory
        owner: "{{ app_user }}"
        group: "{{ app_group }}"
        mode: '0755'
      loop:
        - "{{ app_dir }}"
        - "{{ app_dir }}/config"
        - "{{ app_dir }}/logs"
        - "{{ app_dir }}/scripts"   # backup.sh is templated here below; template does not create parent dirs
        - "{{ data_dir }}"
        - "{{ data_dir }}/postgres"
        - "{{ data_dir }}/redis"
        - "{{ data_dir }}/backups"
        - "{{ data_dir }}/reports"
      tags: [directories]

    #------------------------------------------------------------------------------
    # Firewall Configuration
    #------------------------------------------------------------------------------
    - name: Configure UFW
      ufw:
        rule: "{{ item.rule }}"
        port: "{{ item.port }}"
        proto: "{{ item.proto | default('tcp') }}"
      loop:
        - { rule: allow, port: 22 }
        - { rule: allow, port: 80 }
        - { rule: allow, port: 443 }
      tags: [firewall]

    - name: Enable UFW
      ufw:
        state: enabled
        # The module parameter is 'default' (alias 'policy'); 'default_policy' is
        # not accepted and made this task fail.
        default: deny
        direction: incoming
      tags: [firewall]

    #------------------------------------------------------------------------------
    # Fail2ban Configuration
    #------------------------------------------------------------------------------
    - name: Configure fail2ban
      template:
        src: fail2ban.local.j2
        dest: /etc/fail2ban/jail.local
        mode: '0644'
      notify: restart fail2ban
      tags: [security]

    - name: Enable and start fail2ban
      systemd:
        name: fail2ban
        enabled: yes
        state: started
      tags: [security]

    #------------------------------------------------------------------------------
    # Nginx Configuration
    #------------------------------------------------------------------------------
    - name: Remove default Nginx site
      file:
        path: /etc/nginx/sites-enabled/default
        state: absent
      tags: [nginx]

    - name: Configure Nginx
      template:
        src: nginx.conf.j2
        dest: /etc/nginx/nginx.conf
        mode: '0644'
      notify: restart nginx
      tags: [nginx]

    - name: Create Nginx site configuration
      template:
        src: mockupaws.conf.j2
        dest: /etc/nginx/sites-available/mockupaws
        mode: '0644'
      tags: [nginx]

    - name: Enable Nginx site
      file:
        src: /etc/nginx/sites-available/mockupaws
        dest: /etc/nginx/sites-enabled/mockupaws
        state: link
      notify: reload nginx
      tags: [nginx]

    - name: Enable and start Nginx
      systemd:
        name: nginx
        enabled: yes
        state: started
      tags: [nginx]

    #------------------------------------------------------------------------------
    # SSL Certificate (Let's Encrypt)
    #------------------------------------------------------------------------------
    - name: Install certbot
      apt:
        name: certbot
        state: present
      tags: [ssl]

    - name: Check if certificate exists
      stat:
        path: "/etc/letsencrypt/live/{{ domain_name }}/fullchain.pem"
      register: cert_file
      tags: [ssl]

    # --standalone binds port 80, which Nginx (started above) already holds, so the
    # challenge would fail; the hooks release the port for the duration of the run.
    - name: Obtain SSL certificate
      command: >
        certbot certonly --standalone
        -d {{ domain_name }}
        -d www.{{ domain_name }}
        --agree-tos
        --non-interactive
        --email {{ admin_email }}
        --pre-hook "systemctl stop nginx"
        --post-hook "systemctl start nginx"
      when: not cert_file.stat.exists
      tags: [ssl]

    - name: Setup certbot renewal cron
      cron:
        name: "Certbot Renewal"
        minute: "0"
        hour: "3"
        job: "/usr/bin/certbot renew --quiet --deploy-hook 'systemctl reload nginx'"
      tags: [ssl]

    #------------------------------------------------------------------------------
    # Backup Scripts
    #------------------------------------------------------------------------------
    - name: Create backup script
      template:
        src: backup.sh.j2
        dest: "{{ app_dir }}/scripts/backup.sh"
        owner: "{{ app_user }}"
        group: "{{ app_group }}"
        mode: '0750'
      tags: [backup]

    - name: Setup backup cron
      cron:
        name: "mockupAWS Backup"
        minute: "0"
        hour: "2"
        user: "{{ app_user }}"
        job: "{{ app_dir }}/scripts/backup.sh"
      tags: [backup]

    #------------------------------------------------------------------------------
    # Log Rotation
    #------------------------------------------------------------------------------
    - name: Configure logrotate
      template:
        src: logrotate.conf.j2
        dest: /etc/logrotate.d/mockupaws
        mode: '0644'
      tags: [logging]

    #------------------------------------------------------------------------------
    # Monitoring Agent
    #------------------------------------------------------------------------------
    - name: Download Prometheus Node Exporter
      get_url:
        url: "https://github.com/prometheus/node_exporter/releases/download/v1.7.0/node_exporter-1.7.0.linux-amd64.tar.gz"
        dest: /tmp/node_exporter.tar.gz
      tags: [monitoring]

    - name: Extract Node Exporter
      unarchive:
        src: /tmp/node_exporter.tar.gz
        dest: /usr/local/bin
        remote_src: yes
        extra_opts: [--strip-components=1]
        include: ["*/node_exporter"]
      tags: [monitoring]

    - name: Create Node Exporter service
      template:
        src: node-exporter.service.j2
        dest: /etc/systemd/system/node-exporter.service
        mode: '0644'
      tags: [monitoring]

    - name: Enable and start Node Exporter
      systemd:
        name: node-exporter
        enabled: yes
        state: started
        daemon_reload: yes
      tags: [monitoring]

  handlers:
    - name: restart fail2ban
      systemd:
        name: fail2ban
        state: restarted

    - name: restart nginx
      systemd:
        name: nginx
        state: restarted

    - name: reload nginx
      systemd:
        name: nginx
        state: reloaded
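A small pre-deployment audit for the hardening invariants this playbook is meant to enforce (firewall allow-list and default deny, no group/world-writable modes, root-equivalent docker group membership, the standalone certbot port-80 conflict). This is an added example, not code from the mockupAWS repository; it works on the dict structure a YAML loader returns for a play, and the sample play below is a constructed, trimmed copy of the playbook's tasks with one extra open port added to show a detection.

```python
# Added example, not part of mockupAWS: audit a parsed Ansible play for the
# hardening invariants setup-server.yml intends. Input is the dict a YAML
# loader (e.g. yaml.safe_load) returns; PyYAML itself is not needed here.
ALLOWED_PORTS = {22, 80, 443}  # what the playbook's firewall section exposes


def _mode_bits(mode):
    """Ansible modes are usually quoted octal strings ('0755'); unquoted YAML
    turns them into decimal ints that are already the intended bit pattern."""
    return mode if isinstance(mode, int) else int(str(mode), 8)


def audit(play):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for task in play.get("tasks", []):
        name = task.get("name", "<unnamed>")
        ufw = task.get("ufw")
        if ufw is not None:
            if "default_policy" in ufw:  # not a parameter of the ufw module
                findings.append(f"{name}: 'default_policy' is not a ufw parameter; use 'default: deny'")
            if ufw.get("state") == "enabled" and ufw.get("default", ufw.get("policy")) != "deny":
                findings.append(f"{name}: ufw enabled without a default deny policy")
            for item in task.get("loop", []):  # loop items carry the literal ports
                if item.get("rule") == "allow" and item.get("port") not in ALLOWED_PORTS:
                    findings.append(f"{name}: unexpected open port {item.get('port')}")
        if "user" in task and "docker" in str(task["user"].get("groups", "")):
            findings.append(f"{name}: docker group membership is root-equivalent on the host")
        for module in ("file", "template", "copy"):
            mode = task.get(module, {}).get("mode")
            if mode is not None and _mode_bits(mode) & 0o022:
                findings.append(f"{name}: mode {mode} is group/world writable")
        cmd = task.get("command", "")
        if "certbot" in cmd and "--standalone" in cmd and "--pre-hook" not in cmd:
            findings.append(f"{name}: --standalone needs port 80; add --pre-hook/--post-hook to stop/start nginx")
    return findings


# Constructed sample mirroring the playbook's tasks; port 5432 is a deliberate
# deviation added so the allow-list check has something to report.
SAMPLE_PLAY = {"tasks": [
    {"name": "Add user to docker group", "user": {"name": "mockupaws", "groups": "docker", "append": True}},
    {"name": "Create application directories", "file": {"path": "{{ item }}", "state": "directory", "mode": "0755"}},
    {"name": "Configure UFW", "ufw": {"rule": "{{ item.rule }}", "port": "{{ item.port }}"},
     "loop": [{"rule": "allow", "port": 22}, {"rule": "allow", "port": 80},
              {"rule": "allow", "port": 443}, {"rule": "allow", "port": 5432}]},
    {"name": "Enable UFW", "ufw": {"state": "enabled", "default_policy": "deny"}},
    {"name": "Obtain SSL certificate", "command": "certbot certonly --standalone -d example.invalid --non-interactive"},
]}

if __name__ == "__main__":
    for finding in audit(SAMPLE_PLAY):
        print(finding)
```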