Inital commit

.gitignore

@@ -0,0 +1,2 @@
+secrets
+hosts

README.md

@@ -0,0 +1,22 @@
+# Openpunk's ansible recovery
+
+This is my failsafe (and also my helpful migration tool) for restoring the OpenPunk server. This handles setting everything back up, including:
+
+- gitea
+- blog
+- nginx
+- tor mirror
+
+## Usage
+
+```sh
+ansible-playbook -i hosts --ask-vault-pass run.yml
+```
+> NOTE: The 'secrets' directory has been omitted from the repo
+
+## Example hosts file
+
+```
+[hosts]
+openpunk-vps ansible_host=104.238.138.76 ansible_user=root ansible_connection=ssh
+```

group_vars/all.yml

@@ -0,0 +1,2 @@
+---
+contact_email: openpunk@proton.me

run.yml

@@ -0,0 +1,18 @@
+---
+- hosts: all
+  become: yes
+  vars_files:
+    - group_vars/all.yml
+
+  vars_prompt:
+    - name: domain
+      prompt: domain pointing to the vps
+      private: no
+
+  tasks:
+    - import_tasks: tasks/essential.yml
+    - import_tasks: tasks/firewall.yml
+    - import_tasks: tasks/blog-setup.yml
+    - import_tasks: tasks/gitea.yml
+    - import_tasks: tasks/tor.yml
+    - import_tasks: tasks/nginx.yml

tasks/blog-setup.yml

@@ -0,0 +1,11 @@
+- name: Clone blog repository
+  git:
+    repo: "https://github.com/CPunch/openpunk.git"
+    dest: "/var/www/{{ domain }}"
+
+- name: Build blog
+  command:
+    cmd: hugo
+    chdir: "/var/www/{{ domain }}"
+
+# TODO: missing cron job for regenerating the static blog every hour

tasks/essential.yml

@@ -0,0 +1,28 @@
+---
+- name: Add Gitea repo key
+  shell: curl -s https://packaging.gitlab.io/gitea/gpg.key | sudo gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/morph027-gitea.gpg --import
+
+- name: Set key perms
+  shell: sudo chmod 644 /etc/apt/trusted.gpg.d/morph027-gitea.gpg
+
+- name: Add Gitea repo
+  apt_repository:
+    filename: morph027-gitea
+    repo: deb https://packaging.gitlab.io/gitea gitea main
+
+- name: Upgrade Packages
+  apt:
+    update_cache: yes
+    upgrade: full
+
+- name: Install required software
+  package:
+    name:
+      - hugo
+      - gitea
+      - git
+      - nginx
+      - tor
+      - ufw
+      - htop
+      - python3-certbot-nginx

tasks/firewall.yml

@@ -0,0 +1,18 @@
+---
+- name: Allow port 22
+  community.general.ufw:
+    rule: allow
+    port: '22'
+    proto: tcp
+
+- name: Allow port 80
+  community.general.ufw:
+    rule: allow
+    port: '80'
+    proto: tcp
+
+- name: Allow port 443
+  community.general.ufw:
+    rule: allow
+    port: '443'
+    proto: tcp

tasks/gitea.yml

@@ -0,0 +1,12 @@
+- name: Configure Gitea
+  become: yes
+  become_user: gitea
+  template:
+    src: templates/gitea/app.ini
+    dest: /etc/gitea/app.ini
+
+- name: Reload Gitea
+  systemd:
+    name: gitea
+    enabled: yes
+    state: restarted

tasks/nginx.yml

@@ -0,0 +1,43 @@
+- name: Remove default nginx config
+  file:
+    name: /etc/nginx/sites-enabled
+    state: absent
+
+- name: Restore sites-enabled
+  file:
+    name: /etc/nginx/sites-enabled
+    state: directory
+
+- name: Install system nginx config
+  template:
+    src: templates/nginx/nginx.conf
+    dest: /etc/nginx/nginx.conf
+
+- name: Install nginx config for {{ domain }}
+  template:
+    src: templates/nginx/site.conf
+    dest: /etc/nginx/conf.d/{{ domain }}.conf
+
+- name: Install nginx config for git.{{ domain }}
+  template:
+    src: templates/nginx/gitea.conf
+    dest: /etc/nginx/conf.d/git.{{ domain }}.conf
+
+- name: Install nginx config for our Hidden Service
+  template:
+    src: templates/nginx/tor.conf
+    dest: /etc/nginx/conf.d/tor-{{ domain }}.conf
+
+- name: Reload nginx to activate specified site
+  service:
+    name: nginx
+    state: restarted
+
+- name: Setup certbot
+  shell: "certbot --nginx --non-interactive --agree-tos -m {{ contact_email }} -d {{ domain }} -d git.{{ domain }}"
+
+- name: Reload Nginx
+  systemd:
+    name: nginx
+    enabled: yes
+    state: restarted

tasks/tor.yml

@@ -0,0 +1,29 @@
+- name: Install torrc
+  template:
+    src: templates/tor/torrc
+    dest: /etc/tor/torrc
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+
+- name: Create Tor HS directory
+  file:
+    path: /var/lib/tor/{{ domain }}
+    state: directory
+    owner: debian-tor
+    group: debian-tor
+    mode: u=rwx,g=,o=
+
+- name: Set Tor HS keys
+  copy:
+    src: secrets/hs_ed25519_secret_key
+    dest: /var/lib/tor/{{ domain }}/hs_ed25519_secret_key
+    owner: debian-tor
+    group: debian-tor
+    mode: u=rw,g=,o=
+
+- name: Reload Tor
+  systemd:
+    name: tor
+    enabled: yes
+    state: restarted

templates/gitea/app.ini

@@ -0,0 +1,50 @@
+APP_NAME = OpenPunk Gitea
+RUN_USER = gitea
+RUN_MODE = prod
+
+[repository]
+ROOT = /var/lib/gitea/gitea-repositories
+
+[server]
+SSH_DOMAIN       = git.{{ domain }}
+DOMAIN           = git.{{ domain }}
+HTTP_PORT        = 3000
+ROOT_URL         = https://git.{{ domain }}/
+DISABLE_SSH      = false
+SSH_PORT         = 22
+LFS_START_SERVER = false
+OFFLINE_MODE     = false
+
+[mailer]
+ENABLED = false
+
+[service]
+REGISTER_EMAIL_CONFIRM            = false
+ENABLE_NOTIFY_MAIL                = false
+DISABLE_REGISTRATION              = true
+ALLOW_ONLY_EXTERNAL_REGISTRATION  = false
+ENABLE_CAPTCHA                    = false
+REQUIRE_SIGNIN_VIEW               = false
+DEFAULT_KEEP_EMAIL_PRIVATE        = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING       = true
+NO_REPLY_ADDRESS                  = noreply.localhost
+
+[picture]
+DISABLE_GRAVATAR        = true
+ENABLE_FEDERATED_AVATAR = false
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = false
+
+[session]
+PROVIDER = file
+
+[log]
+MODE      = file
+LEVEL     = info
+ROOT_PATH = /var/lib/gitea/log
+
+[ui]
+DEFAULT_THEME = arc-green

templates/nginx/gitea.conf

@@ -0,0 +1,11 @@
+server {
+    server_name git.{{ domain }};
+    listen 80;
+
+    location / {
+        add_header Permissions-Policy interest-cohort=();
+        proxy_pass http://localhost:3000;
+    }
+
+    client_max_body_size 100M;
+}

templates/nginx/nginx.conf

@@ -0,0 +1,52 @@
+user www-data;
+worker_processes auto;
+include /etc/nginx/modules-enabled/*.conf;
+pid /run/nginx.pid;
+
+events {
+    worker_connections 768;
+}
+
+http {
+
+    ##
+    # Basic Settings
+    ##
+
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    types_hash_max_size 2048;
+
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    ##
+    # SSL Settings
+    ##
+
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+    ssl_prefer_server_ciphers on;
+
+    ##
+    # Logging Settings
+    ##
+
+    access_log /var/log/nginx/access.log;
+    error_log /var/log/nginx/error.log;
+
+    ##
+    # Gzip Settings
+    ##
+
+    gzip on;
+    gzip_disable "msie6";
+
+    ##
+    # Virtual Host Configs
+    ##
+
+    include /etc/nginx/conf.d/*.conf;
+    include /etc/nginx/sites-enabled/*;
+}

templates/nginx/site.conf

@@ -0,0 +1,12 @@
+server {
+    server_name {{ domain }};
+    listen 80;
+
+    root /var/www/{{ domain }}/public;
+    index index.html index.htm;
+
+    location / {
+        add_header Permissions-Policy interest-cohort=();
+        try_files $uri $uri/ =404;
+    }
+}

templates/nginx/tor.conf

@@ -0,0 +1,12 @@
+server {
+    root /var/www/{{ domain }}/public;
+    index index.html index.htm;
+
+    location / {
+        add_header Permissions-Policy interest-cohort=();
+        try_files $uri $uri/ =404;
+    }
+
+    # our tor hidden service is hosted on this port
+    listen 2171;
+}

templates/tor/torrc

@@ -0,0 +1,2 @@
+HiddenServiceDir /var/lib/tor/{{ domain }}
+HiddenServicePort 80 127.0.0.1:2171