From 05943624b9a801070084d31189b9b22fccfc4667 Mon Sep 17 00:00:00 2001
From: CPunch
Date: Mon, 30 May 2022 10:46:36 -0500
Subject: [PATCH] Inital commit
---
 .gitignore | 2 ++
 README.md | 22 ++++++++++++++++
 group_vars/all.yml | 2 ++
 run.yml | 18 +++++++++++++
 tasks/blog-setup.yml | 11 ++++++++
 tasks/essential.yml | 28 ++++++++++++++++++++
 tasks/firewall.yml | 18 +++++++++++++
 tasks/gitea.yml | 12 +++++++++
 tasks/nginx.yml | 43 +++++++++++++++++++++++++++++++
 tasks/tor.yml | 29 +++++++++++++++++++++
 templates/gitea/app.ini | 50 ++++++++++++++++++++++++++++++++++++
 templates/nginx/gitea.conf | 11 ++++++++
 templates/nginx/nginx.conf | 52 ++++++++++++++++++++++++++++++++++++++
 templates/nginx/site.conf | 12 +++++++++
 templates/nginx/tor.conf | 12 +++++++++
 templates/tor/torrc | 2 ++
 16 files changed, 324 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 README.md
 create mode 100644 group_vars/all.yml
 create mode 100644 run.yml
 create mode 100644 tasks/blog-setup.yml
 create mode 100644 tasks/essential.yml
 create mode 100644 tasks/firewall.yml
 create mode 100644 tasks/gitea.yml
 create mode 100644 tasks/nginx.yml
 create mode 100644 tasks/tor.yml
 create mode 100644 templates/gitea/app.ini
 create mode 100644 templates/nginx/gitea.conf
 create mode 100644 templates/nginx/nginx.conf
 create mode 100644 templates/nginx/site.conf
 create mode 100644 templates/nginx/tor.conf
 create mode 100644 templates/tor/torrc
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..62303fd
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+secrets
+hosts
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..1cf99cd
--- /dev/null
+++ b/README.md
@@ -0,0 +1,22 @@
+# Openpunk's ansible recovery
+
+This is my failsafe (and also my helpful migration tool) for restoring the OpenPunk server. This handles setting everything back up, including:
+
+- gitea
+- blog
+- nginx
+- tor mirror
+
+## Usage
+
+```sh
+ansible-playbook -i hosts --ask-vault-pass run.yml
+```
+> NOTE: The 'secrets' directory has been omitted from the repo
+
+## Example hosts file
+
+```
+[hosts]
+openpunk-vps ansible_host=104.238.138.76 ansible_user=root ansible_connection=ssh
+```
\ No newline at end of file
diff --git a/group_vars/all.yml b/group_vars/all.yml
new file mode 100644
index 0000000..02e040a
--- /dev/null
+++ b/group_vars/all.yml
@@ -0,0 +1,2 @@
+---
+contact_email: openpunk@proton.me
\ No newline at end of file
diff --git a/run.yml b/run.yml
new file mode 100644
index 0000000..2d17fc5
--- /dev/null
+++ b/run.yml
@@ -0,0 +1,18 @@
+---
+- hosts: all
+ become: yes
+ vars_files:
+ - group_vars/all.yml
+
+ vars_prompt:
+ - name: domain
+ prompt: domain pointing to the vps
+ private: no
+
+ tasks:
+ - import_tasks: tasks/essential.yml
+ - import_tasks: tasks/firewall.yml
+ - import_tasks: tasks/blog-setup.yml
+ - import_tasks: tasks/gitea.yml
+ - import_tasks: tasks/tor.yml
+ - import_tasks: tasks/nginx.yml
\ No newline at end of file
diff --git a/tasks/blog-setup.yml b/tasks/blog-setup.yml
new file mode 100644
index 0000000..3841a40
--- /dev/null
+++ b/tasks/blog-setup.yml
@@ -0,0 +1,11 @@
+- name: Clone blog repository
+ git:
+ repo: "https://github.com/CPunch/openpunk.git"
+ dest: "/var/www/{{ domain }}"
+
+- name: Build blog
+ command:
+ cmd: hugo
+ chdir: "/var/www/{{ domain }}"
+
+# TODO: missing cron job for regenerating the static blog every hour
\ No newline at end of file
diff --git a/tasks/essential.yml b/tasks/essential.yml
new file mode 100644
index 0000000..074af78
--- /dev/null
+++ b/tasks/essential.yml
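Review bot: `domain` is taken from `vars_prompt` and then interpolated, unvalidated, into filesystem paths and into the `shell:` string of the certbot task in tasks/nginx.yml, so a typo or a value containing shell metacharacters propagates to the remote shell and to paths under /var/www and /etc/nginx. Add a guard at the top of `tasks:`, before the imports, such as `- assert: { that: domain is match('^[a-z0-9.-]+$'), fail_msg: 'domain must be a bare hostname' }`. Since the play uses `community.general.ufw` (tasks/firewall.yml), declaring the collection on the play or in a requirements.yml would also make the controller-side dependency explicit.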
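Review bot: The `git` task in `Clone blog repository` pins no `version`, so each run checks out whatever the remote default branch points at when the play runs, and the following `hugo` build publishes it; a restore is therefore not reproducible and silently follows the upstream branch. Add `version:` with a tag or commit (or at least the branch name) to the task. Because run.yml sets `become: yes` for the whole play, both the clone and `hugo` run as root and the web root ends up root-owned; if that is not intended, `become_user: www-data` on these two tasks keeps the generated site out of root's hands (check that the user can write there first).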
@@ -0,0 +1,28 @@
+---
+- name: Add Gitea repo key
+ shell: curl -s https://packaging.gitlab.io/gitea/gpg.key | sudo gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/morph027-gitea.gpg --import
+
+- name: Set key perms
+ shell: sudo chmod 644 /etc/apt/trusted.gpg.d/morph027-gitea.gpg
+
+- name: Add Gitea repo
+ apt_repository:
+ filename: morph027-gitea
+ repo: deb https://packaging.gitlab.io/gitea gitea main
+
+- name: Upgrade Packages
+ apt:
+ update_cache: yes
+ upgrade: full
+
+- name: Install required software
+ package:
+ name:
+ - hugo
+ - gitea
+ - git
+ - nginx
+ - tor
+ - ufw
+ - htop
+ - python3-certbot-nginx
diff --git a/tasks/firewall.yml b/tasks/firewall.yml
new file mode 100644
index 0000000..4a50228
--- /dev/null
+++ b/tasks/firewall.yml
@@ -0,0 +1,18 @@
+---
+- name: Allow port 22
+ community.general.ufw:
+ rule: allow
+ port: '22'
+ proto: tcp
+
+- name: Allow port 80
+ community.general.ufw:
+ rule: allow
+ port: '80'
+ proto: tcp
+
+- name: Allow port 443
+ community.general.ufw:
+ rule: allow
+ port: '443'
+ proto: tcp
\ No newline at end of file
diff --git a/tasks/gitea.yml b/tasks/gitea.yml
new file mode 100644
index 0000000..e087ba3
--- /dev/null
+++ b/tasks/gitea.yml
@@ -0,0 +1,12 @@
+- name: Configure Gitea
+ become: yes
+ become_user: gitea
+ template:
+ src: templates/gitea/app.ini
+ dest: /etc/gitea/app.ini
+
+- name: Reload Gitea
+ systemd:
+ name: gitea
+ enabled: yes
+ state: restarted
\ No newline at end of file
diff --git a/tasks/nginx.yml b/tasks/nginx.yml
new file mode 100644
index 0000000..906bb8a
--- /dev/null
+++ b/tasks/nginx.yml
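Review bot: The `Add Gitea repo key` task trusts whatever https://packaging.gitlab.io/gitea/gpg.key serves at run time: no fingerprint or checksum is compared before the key is imported, the `shell` task reruns on every play, and the `sudo` inside it is redundant under the play's `become: yes`. Dropping the key into /etc/apt/trusted.gpg.d also makes it a valid signer for every apt source on the host, not only this one; keeping it under /etc/apt/keyrings and referencing it with `signed-by=` in the `repo:` line scopes it to the Gitea repository. A `get_url` with a pinned `checksum:` replaces the first two tasks (it sets the mode itself), and the `Add Gitea repo` line gains the `signed-by=` option. Current Debian/Ubuntu apt accepts an ASCII-armored `.asc` file there and ships /etc/apt/keyrings; on older releases keep the `gpg --import` dearmor step but give it `args: creates:` so it stops rerunning.
```yaml
- name: Add Gitea repo key
  get_url:
    url: https://packaging.gitlab.io/gitea/gpg.key
    dest: /etc/apt/keyrings/morph027-gitea.asc
    checksum: sha256:<EXPECTED_KEY_SHA256>   # placeholder: hash of the key after out-of-band fingerprint verification
    mode: '0644'

- name: Add Gitea repo
  apt_repository:
    filename: morph027-gitea
    repo: deb [signed-by=/etc/apt/keyrings/morph027-gitea.asc] https://packaging.gitlab.io/gitea gitea main
# … unchanged: Upgrade Packages, Install required software …
```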
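Review bot: The three tasks add allow rules but nothing enables ufw or sets a default policy, so on a freshly restored host the firewall stays inactive and these rules have no effect; in particular Gitea on port 3000 (app.ini sets no `HTTP_ADDR`, so Gitea's default is to bind all interfaces) and the `listen 2171;` server in templates/nginx/tor.conf remain reachable from outside. Append, after the allow rules so the SSH session is not cut off, `- community.general.ufw: { state: enabled, policy: deny, direction: incoming }`. The `rule: allow` tasks could also carry a `comment:` naming the service each port belongs to, which makes `ufw status` self-explanatory later.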
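Review bot: The `template` task in `Configure Gitea` sets no `mode`, so /etc/gitea/app.ini is created with whatever umask the `gitea` user has, and because the template is pushed on every run, anything Gitea writes into app.ini after its first start (as far as I recall it generates and persists values such as `INTERNAL_TOKEN` when they are absent) is overwritten by the next play, invalidating existing sessions and tokens. Add `mode: '0640'` to the task and carry those secrets in the template from the vault so the file is fully declared by the playbook. `Reload Gitea` also restarts the service unconditionally; a handler notified by the template task restarts only when the rendered file actually changed.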
@@ -0,0 +1,43 @@
+- name: Remove default nginx config
+ file:
+ name: /etc/nginx/sites-enabled
+ state: absent
+
+- name: Restore sites-enabled
+ file:
+ name: /etc/nginx/sites-enabled
+ state: directory
+
+- name: Install system nginx config
+ template:
+ src: templates/nginx/nginx.conf
+ dest: /etc/nginx/nginx.conf
+
+- name: Install nginx config for {{ domain }}
+ template:
+ src: templates/nginx/site.conf
+ dest: /etc/nginx/conf.d/{{ domain }}.conf
+
+- name: Install nginx config for git.{{ domain }}
+ template:
+ src: templates/nginx/gitea.conf
+ dest: /etc/nginx/conf.d/git.{{ domain }}.conf
+
+- name: Install nginx config for our Hidden Service
+ template:
+ src: templates/nginx/tor.conf
+ dest: /etc/nginx/conf.d/tor-{{ domain }}.conf
+
+- name: Reload nginx to activate specified site
+ service:
+ name: nginx
+ state: restarted
+
+- name: Setup certbot
+ shell: "certbot --nginx --non-interactive --agree-tos -m {{ contact_email }} -d {{ domain }} -d git.{{ domain }}"
+
+- name: Reload Nginx
+ systemd:
+ name: nginx
+ enabled: yes
+ state: restarted
\ No newline at end of file
diff --git a/tasks/tor.yml b/tasks/tor.yml
new file mode 100644
index 0000000..2069816
--- /dev/null
+++ b/tasks/tor.yml
@@ -0,0 +1,29 @@
+- name: Install torrc
+ template:
+ src: templates/tor/torrc
+ dest: /etc/tor/torrc
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=r
+
+- name: Create Tor HS directory
+ file:
+ path: /var/lib/tor/{{ domain }}
+ state: directory
+ owner: debian-tor
+ group: debian-tor
+ mode: u=rwx,g=,o=
+
+- name: Set Tor HS keys
+ copy:
+ src: secrets/hs_ed25519_secret_key
+ dest: /var/lib/tor/{{ domain }}/hs_ed25519_secret_key
+ owner: debian-tor
+ group: debian-tor
+ mode: u=rw,g=,o=
+
+- name: Reload Tor
+ systemd:
+ name: tor
+ enabled: yes
+ state: restarted
\ No newline at end of file
diff --git a/templates/gitea/app.ini b/templates/gitea/app.ini
new file mode 100644
index 0000000..20cdb32
--- /dev/null
+++ b/templates/gitea/app.ini
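Review bot: The `Setup certbot` task interpolates `{{ domain }}` and `{{ contact_email }}` into a `shell:` string without quoting, so any shell metacharacters in the prompted domain are interpreted by the remote shell; certbot needs no shell features here, so use `command:` with `argv:` (each value becomes exactly one argument), or at minimum apply the `quote` filter to both values. The two restart tasks (`Reload nginx to activate specified site` and `Reload Nginx`) bounce nginx twice on every run regardless of changes; a single handler using `state: reloaded`, notified by the template tasks and by the certbot task, would restart only when something changed.
```yaml
- name: Setup certbot
  command:
    argv:
      - certbot
      - --nginx
      - --non-interactive
      - --agree-tos
      - -m
      - "{{ contact_email }}"
      - -d
      - "{{ domain }}"
      - -d
      - "git.{{ domain }}"
# … unchanged: Reload Nginx …
```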
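Review bot: `Reload Tor` restarts the daemon on every play even when neither torrc nor the key changed, which tears down every circuit currently serving the onion service; move the restart into a handler notified by the three preceding tasks and prefer `state: reloaded`, since tor re-reads torrc on SIGHUP. Only `hs_ed25519_secret_key` is restored, which as far as I recall is sufficient because tor regenerates the public key and `hostname` from it on start; a comment on the `Set Tor HS keys` task such as `# public key and hostname are re-derived by tor from the secret key` would save the next reader from wondering whether files are missing. The directory mode `u=rwx,g=,o=` on the HS directory is what tor requires, so that part is fine as written.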
@@ -0,0 +1,50 @@
+APP_NAME = OpenPunk Gitea
+RUN_USER = gitea
+RUN_MODE = prod
+
+[repository]
+ROOT = /var/lib/gitea/gitea-repositories
+
+[server]
+SSH_DOMAIN = git.{{ domain }}
+DOMAIN = git.{{ domain }}
+HTTP_PORT = 3000
+ROOT_URL = https://git.{{ domain }}/
+DISABLE_SSH = false
+SSH_PORT = 22
+LFS_START_SERVER = false
+OFFLINE_MODE = false
+
+[mailer]
+ENABLED = false
+
+[service]
+REGISTER_EMAIL_CONFIRM = false
+ENABLE_NOTIFY_MAIL = false
+DISABLE_REGISTRATION = true
+ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+ENABLE_CAPTCHA = false
+REQUIRE_SIGNIN_VIEW = false
+DEFAULT_KEEP_EMAIL_PRIVATE = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING = true
+NO_REPLY_ADDRESS = noreply.localhost
+
+[picture]
+DISABLE_GRAVATAR = true
+ENABLE_FEDERATED_AVATAR = false
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = false
+
+[session]
+PROVIDER = file
+
+[log]
+MODE = file
+LEVEL = info
+ROOT_PATH = /var/lib/gitea/log
+
+[ui]
+DEFAULT_THEME = arc-green
\ No newline at end of file
diff --git a/templates/nginx/gitea.conf b/templates/nginx/gitea.conf
new file mode 100644
index 0000000..699aca6
--- /dev/null
+++ b/templates/nginx/gitea.conf
@@ -0,0 +1,11 @@
+server {
+ server_name git.{{ domain }};
+ listen 80;
+
+ location / {
+ add_header Permissions-Policy interest-cohort=();
+ proxy_pass http://localhost:3000;
+ }
+
+ client_max_body_size 100M;
+}
diff --git a/templates/nginx/nginx.conf b/templates/nginx/nginx.conf
new file mode 100644
index 0000000..d098f1c
--- /dev/null
+++ b/templates/nginx/nginx.conf
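Review bot: The template has no `[security]` section, so `INSTALL_LOCK` stays at its default of false and a freshly restored instance presents Gitea's web installer to the first visitor until someone completes it (unless the package used here sets it elsewhere, which is worth confirming); add `[security]` with `INSTALL_LOCK = true` plus `SECRET_KEY` and `INTERNAL_TOKEN` from the vault, and presumably a `[database]` section matching the restored data, so the rendered file is complete. `[server]` sets `HTTP_PORT = 3000` but no `HTTP_ADDR`, so Gitea binds all interfaces and is reachable on :3000 directly, bypassing the TLS that nginx and certbot provide; add `HTTP_ADDR = 127.0.0.1` next to `HTTP_PORT`. `DISABLE_REGISTRATION = true` is set, which is the right default for a single-user instance.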
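Review bot: The `proxy_pass` in `location /` forwards no client address, so Gitea sees every request as originating from 127.0.0.1 and its access log, rate limiting and any fail2ban rule on it cannot tell clients apart; add `proxy_set_header Host $host;`, `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` alongside `proxy_pass`. Gitea only honours these from addresses in its trusted-proxy list, which by default covers loopback, so the localhost upstream here qualifies. `listen 80;` alone is fine since the certbot run in tasks/nginx.yml adds the 443 listener and redirect to this block.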
@@ -0,0 +1,52 @@
+user www-data;
+worker_processes auto;
+include /etc/nginx/modules-enabled/*.conf;
+pid /run/nginx.pid;
+
+events {
+ worker_connections 768;
+}
+
+http {
+
+ ##
+ # Basic Settings
+ ##
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # SSL Settings
+ ##
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+ ssl_prefer_server_ciphers on;
+
+ ##
+ # Logging Settings
+ ##
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ ##
+ # Gzip Settings
+ ##
+
+ gzip on;
+ gzip_disable "msie6";
+
+ ##
+ # Virtual Host Configs
+ ##
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+}
\ No newline at end of file
diff --git a/templates/nginx/site.conf b/templates/nginx/site.conf
new file mode 100644
index 0000000..fdf27bf
--- /dev/null
+++ b/templates/nginx/site.conf
@@ -0,0 +1,12 @@
+server {
+ server_name {{ domain }};
+ listen 80;
+
+ root /var/www/{{ domain }}/public;
+ index index.html index.htm;
+
+ location / {
+ add_header Permissions-Policy interest-cohort=();
+ try_files $uri $uri/ =404;
+ }
+}
\ No newline at end of file
diff --git a/templates/nginx/tor.conf b/templates/nginx/tor.conf
new file mode 100644
index 0000000..2ec0dc2
--- /dev/null
+++ b/templates/nginx/tor.conf
@@ -0,0 +1,12 @@
+server {
+ root /var/www/{{ domain }}/public;
+ index index.html index.htm;
+
+ location / {
+ add_header Permissions-Policy interest-cohort=();
+ try_files $uri $uri/ =404;
+ }
+
+ # our tor hidden service is hosted on this port
+ listen 2171;
+}
diff --git a/templates/tor/torrc b/templates/tor/torrc
new file mode 100644
index 0000000..73c3bcd
--- /dev/null
+++ b/templates/tor/torrc
@@ -0,0 +1,2 @@
+HiddenServiceDir /var/lib/tor/{{ domain }}
+HiddenServicePort 80 127.0.0.1:2171
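Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` in the SSL Settings block enables TLS 1.0 and 1.1, which are deprecated by RFC 8996 and add nothing for the certbot-issued certificates; change it to `ssl_protocols TLSv1.2 TLSv1.3;`, after which the POODLE comment still reads correctly. Because certbot's rewrite of the 443 server blocks inherits this `http`-level setting, this line is the single place the protocol floor is decided for both sites. Adding `server_tokens off;` to the Basic Settings block also keeps the nginx version out of error pages and the Server header.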
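Review bot: `listen 2171;` carries no address, so this server block binds 0.0.0.0:2171 and, having no `server_name`, is the default server on that port; tasks/firewall.yml never enables ufw, so the onion mirror is also served on the clearnet IP as an unintended extra endpoint. Bind it to loopback to match torrc's `HiddenServicePort 80 127.0.0.1:2171`: `listen 127.0.0.1:2171;`. The existing comment above it could then say `# loopback only: reached solely via the tor hidden service (see templates/tor/torrc)`.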