Inital commit

tasks/blog-setup.yml

@@ -0,0 +1,11 @@
+- name: Clone blog repository
+  git:
+    repo: "https://github.com/CPunch/openpunk.git"
+    dest: "/var/www/{{ domain }}"
+
+- name: Build blog
+  command:
+    cmd: hugo
+    chdir: "/var/www/{{ domain }}"
+
+# TODO: missing cron job for regenerating the static blog every hour

tasks/essential.yml

@@ -0,0 +1,28 @@
+---
+- name: Add Gitea repo key
+  shell: curl -s https://packaging.gitlab.io/gitea/gpg.key | sudo gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/morph027-gitea.gpg --import
+
+- name: Set key perms
+  shell: sudo chmod 644 /etc/apt/trusted.gpg.d/morph027-gitea.gpg
+
+- name: Add Gitea repo
+  apt_repository:
+    filename: morph027-gitea
+    repo: deb https://packaging.gitlab.io/gitea gitea main
+
+- name: Upgrade Packages
+  apt:
+    update_cache: yes
+    upgrade: full
+
+- name: Install required software
+  package:
+    name:
+      - hugo
+      - gitea
+      - git
+      - nginx
+      - tor
+      - ufw
+      - htop
+      - python3-certbot-nginx

tasks/firewall.yml

@@ -0,0 +1,18 @@
+---
+- name: Allow port 22
+  community.general.ufw:
+    rule: allow
+    port: '22'
+    proto: tcp
+
+- name: Allow port 80
+  community.general.ufw:
+    rule: allow
+    port: '80'
+    proto: tcp
+
+- name: Allow port 443
+  community.general.ufw:
+    rule: allow
+    port: '443'
+    proto: tcp

tasks/gitea.yml

@@ -0,0 +1,12 @@
+- name: Configure Gitea
+  become: yes
+  become_user: gitea
+  template:
+    src: templates/gitea/app.ini
+    dest: /etc/gitea/app.ini
+
+- name: Reload Gitea
+  systemd:
+    name: gitea
+    enabled: yes
+    state: restarted

tasks/nginx.yml

@@ -0,0 +1,43 @@
+- name: Remove default nginx config
+  file:
+    name: /etc/nginx/sites-enabled
+    state: absent
+
+- name: Restore sites-enabled
+  file:
+    name: /etc/nginx/sites-enabled
+    state: directory
+
+- name: Install system nginx config
+  template:
+    src: templates/nginx/nginx.conf
+    dest: /etc/nginx/nginx.conf
+
+- name: Install nginx config for {{ domain }}
+  template:
+    src: templates/nginx/site.conf
+    dest: /etc/nginx/conf.d/{{ domain }}.conf
+
+- name: Install nginx config for git.{{ domain }}
+  template:
+    src: templates/nginx/gitea.conf
+    dest: /etc/nginx/conf.d/git.{{ domain }}.conf
+
+- name: Install nginx config for our Hidden Service
+  template:
+    src: templates/nginx/tor.conf
+    dest: /etc/nginx/conf.d/tor-{{ domain }}.conf
+
+- name: Reload nginx to activate specified site
+  service:
+    name: nginx
+    state: restarted
+
+- name: Setup certbot
+  shell: "certbot --nginx --non-interactive --agree-tos -m {{ contact_email }} -d {{ domain }} -d git.{{ domain }}"
+
+- name: Reload Nginx
+  systemd:
+    name: nginx
+    enabled: yes
+    state: restarted

tasks/tor.yml

@@ -0,0 +1,29 @@
+- name: Install torrc
+  template:
+    src: templates/tor/torrc
+    dest: /etc/tor/torrc
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+
+- name: Create Tor HS directory
+  file:
+    path: /var/lib/tor/{{ domain }}
+    state: directory
+    owner: debian-tor
+    group: debian-tor
+    mode: u=rwx,g=,o=
+
+- name: Set Tor HS keys
+  copy:
+    src: secrets/hs_ed25519_secret_key
+    dest: /var/lib/tor/{{ domain }}/hs_ed25519_secret_key
+    owner: debian-tor
+    group: debian-tor
+    mode: u=rw,g=,o=
+
+- name: Reload Tor
+  systemd:
+    name: tor
+    enabled: yes
+    state: restarted