diff --git a/README.md b/README.md index 15d961c..c6c8010 100644 --- a/README.md +++ b/README.md @@ -25,6 +25,13 @@ Some DNS records also need to be set: - an A record with a `git.*` subdomain ## Usage +First, make sure to install the requirements: +```sh +ansible-galaxy install -r requirements.yml +``` + +Then, run the playbook: + ```sh ansible-playbook -i hosts --ask-vault-pass run.yml ``` diff --git a/group_vars/all.yml b/group_vars/all.yml index 5125599..c27c462 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml @@ -1,4 +1,4 @@ --- domain: openpunk.com contact_email: openpunk@proton.me -onionDomain: http://opnpnk6eutjiqy4ndpyvwxd5pncj2g2cmz6fkocr5uh3omnn4utvspad.onion \ No newline at end of file +onionDomain: opnpnk6eutjiqy4ndpyvwxd5pncj2g2cmz6fkocr5uh3omnn4utvspad.onion \ No newline at end of file diff --git a/requirements.yml b/requirements.yml new file mode 100644 index 0000000..d4f86c4 --- /dev/null +++ b/requirements.yml @@ -0,0 +1,6 @@ +- src: l3d.gitea + version: v3.3.0 +- src: geerlingguy.nginx + version: 3.1.4 +- src: geerlingguy.certbot + version: 5.1.0 \ No newline at end of file diff --git a/roles/blog/templates/updateBlog b/roles/blog/templates/updateBlog index 1fd1d76..a3f74b2 100644 --- a/roles/blog/templates/updateBlog +++ b/roles/blog/templates/updateBlog @@ -6,7 +6,7 @@ TOR_DIR=tor buildBlog () { hugo --cleanDestinationDir --minify -d $PUBLIC_DIR -b https://{{ domain }} - hugo --cleanDestinationDir --minify -d $TOR_DIR -b {{ onionDomain }} + hugo --cleanDestinationDir --minify -d $TOR_DIR -b http://{{ onionDomain }} } git fetch origin diff --git a/roles/git/files/.gitconfig b/roles/git/files/.gitconfig index 632ed4d..5f0d64a 100644 --- a/roles/git/files/.gitconfig +++ b/roles/git/files/.gitconfig @@ -1,7 +1,7 @@ [user] - email = openpunk@proton.me - name = OpenPunk +email = openpunk@proton.me +name = OpenPunk [core] - editor = nano +editor = nano [pull] - rebase = true +rebase = true 
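Review bot: requirements.yml lacks a `---` document start and ends without a trailing newline (`\ No newline at end of file`), unlike the other YAML files touched here; both are worth adding so linters and the repo's own style agree. Pinning each role to an explicit `version:` is the right choice for an install path that pulls third-party Ansible content, but Galaxy version tags can be moved upstream, so if stronger pinning is wanted later the `src` entries can point at the role's git URL with a commit in `version:`.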
diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml index 1ca63e2..536b4f7 100644 --- a/roles/gitea/tasks/main.yml +++ b/roles/gitea/tasks/main.yml @@ -1,30 +1,20 @@ --- -- name: Check for Gitea gpg key - stat: - path: /etc/apt/trusted.gpg.d/morph027-gitea.gpg - register: gitea_key - -- name: Add Gitea key, repository && install - block: - - name: Import Gitea key - shell: curl -s https://packaging.gitlab.io/gitea/gpg.key | sudo gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/morph027-gitea.gpg --import && sudo chmod 644 /etc/apt/trusted.gpg.d/morph027-gitea.gpg - when: gitea_key.stat.exists == false or gitea_key.stat.mode != "0644" - - - name: Add Gitea repository - apt_repository: - filename: morph027-gitea - repo: deb https://packaging.gitlab.io/gitea gitea main - - - name: Add Gitea package - package: - name: gitea - - - name: Configure Gitea - template: - src: templates/app.ini - dest: /etc/gitea/app.ini - owner: gitea - when: "'gitea' not in ansible_facts.packages" +- name: "Install gitea" + include_role: + name: l3d.gitea + vars: + gitea_fqdn: 'git.{{ domain }}' + gitea_home: '/var/lib/gitea' + gitea_db_type: 'sqlite3' + gitea_theme_default: 'arc-green' + gitea_root_url: 'https://git.{{ domain }}' + gitea_protocol: http + gitea_http_port: "{{ giteaPort }}" + gitea_ssh_port: 22 + gitea_start_ssh: false + gitea_allow_only_internal_registration: true + gitea_disable_registration: true + gitea_require_signin: false - name: Backup db include_tasks: backup.yml diff --git a/roles/gitea/tasks/restore.yml b/roles/gitea/tasks/restore.yml index b1452eb..82ebbdd 100644 --- a/roles/gitea/tasks/restore.yml +++ b/roles/gitea/tasks/restore.yml 
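Review bot: `gitea_http_port: "{{ giteaPort }}"` in the new include_role vars depends on `giteaPort`, but the only definition visible in this diff, `giteaPort: 3000` in roles/nginx/defaults/main.yml, is deleted by the same commit and the group_vars/all.yml hunk shows no such key; unless it is set in the playbook or a vars file not shown, this task and the `proxy_pass http://localhost:{{ giteaPort }}` line in roles/nginx/tasks/main.yml will fail on an undefined variable. Defining it once in group_vars/all.yml, `giteaPort: 3000`, keeps both consumers in sync. The quoting in the vars block is also mixed (`'git.{{ domain }}'`, `"{{ giteaPort }}"`, bare `http`); templated values should be quoted consistently, e.g. `gitea_protocol: "http"`.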
@@ -60,12 +60,18 @@ owner: gitea tags: restore -- name: Install config - copy: - src: /etc/gitea/gitea-dump/app.ini - dest: /etc/gitea/app.ini - owner: gitea - remote_src: true +# - name: Install config +# copy: +# src: /etc/gitea/gitea-dump/app.ini +# dest: /etc/gitea/app.ini +# owner: gitea +# remote_src: true +# tags: restore + +- name: Remove sqlite3 db + file: + path: /var/lib/gitea/data/gitea.db + state: absent tags: restore - name: Generate sqlite3 db @@ -83,9 +89,7 @@ tags: restore - name: Finalize - shell: - cmd: ./gitea admin regenerate hooks -c /etc/gitea/app.ini - chdir: /usr/bin + shell: gitea admin regenerate hooks -c /etc/gitea/gitea.ini become: true become_method: su become_user: gitea diff --git a/roles/gitea/templates/app.ini b/roles/gitea/templates/app.ini deleted file mode 100644 index 17d5dc6..0000000 --- a/roles/gitea/templates/app.ini +++ /dev/null 
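Review bot: The `Install config` task is kept as a commented-out block instead of being removed; it already drifts (it still points at `/etc/gitea/app.ini`, a path nothing else in this diff uses any more) and git history preserves it, so the seven `#` lines should go. The new `Remove sqlite3 db` task deletes `/var/lib/gitea/data/gitea.db` outright before `Generate sqlite3 db` runs, so a failure in the generate step leaves the instance with neither the old nor the restored database; moving the file to a backup path instead of `state: absent` keeps a fallback until the restore has succeeded.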
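Review bot: The Finalize task's `shell: gitea admin regenerate hooks -c /etc/gitea/gitea.ini` uses no shell features, so `command:` is the safer module (no shell layer between Ansible and the binary), and a `changed_when:` would stop it from always reporting changed. The config path moved from `/etc/gitea/app.ini` to `/etc/gitea/gitea.ini`, presumably the file l3d.gitea writes, but that is not shown here; confirm it against the role's own config path before relying on a restore.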
@@ -1,61 +0,0 @@ -APP_NAME = OpenPunk Gitea -RUN_USER = gitea -RUN_MODE = prod - -[database] -DB_TYPE = sqlite3 -HOST = 127.0.0.1:5432 -NAME = gitea -USER = gitea -PASSWD = -SSL_MODE = disable -CHARSET = utf8 -PATH = /var/lib/gitea/data/gitea.db - -[repository] -ROOT = /var/lib/gitea/gitea-repositories - -[server] -SSH_DOMAIN = git.{{ domain }} -DOMAIN = git.{{ domain }} -HTTP_PORT = {{ giteaPort }} -ROOT_URL = https://git.{{ domain }}/ -DISABLE_SSH = false -SSH_PORT = 22 -LFS_START_SERVER = false -OFFLINE_MODE = false - -[mailer] -ENABLED = false - -[service] -REGISTER_EMAIL_CONFIRM = false -ENABLE_NOTIFY_MAIL = false -DISABLE_REGISTRATION = true -ALLOW_ONLY_EXTERNAL_REGISTRATION = false -ENABLE_CAPTCHA = false -REQUIRE_SIGNIN_VIEW = false -DEFAULT_KEEP_EMAIL_PRIVATE = false -DEFAULT_ALLOW_CREATE_ORGANIZATION = true -DEFAULT_ENABLE_TIMETRACKING = true -NO_REPLY_ADDRESS = noreply.localhost - -[picture] -DISABLE_GRAVATAR = true -ENABLE_FEDERATED_AVATAR = false -REPOSITORY_AVATAR_FALLBACK = random - -[openid] -ENABLE_OPENID_SIGNIN = false -ENABLE_OPENID_SIGNUP = false - -[session] -PROVIDER = file - -[log] -MODE = file -LEVEL = info -ROOT_PATH = /var/lib/gitea/log - -[ui] -DEFAULT_THEME = arc-green \ No newline at end of file diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml deleted file mode 100644 index 780b99d..0000000 --- a/roles/nginx/defaults/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -giteaPort: 3000 \ No newline at end of file diff --git a/roles/nginx/files/nginx.conf b/roles/nginx/files/nginx.conf deleted file mode 100644 index ad5b66e..0000000 --- a/roles/nginx/files/nginx.conf +++ /dev/null 
@@ -1,52 +0,0 @@ -user www-data; -worker_processes auto; -include /etc/nginx/modules-enabled/*.conf; -pid /run/nginx.pid; - -events { - worker_connections 768; -} - -http { - - ## - # Basic Settings - ## - - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; - - include /etc/nginx/mime.types; - default_type application/octet-stream; - - ## - # SSL Settings - ## - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE - ssl_prefer_server_ciphers on; - - ## - # Logging Settings - ## - - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log; - - ## - # Gzip Settings - ## - - gzip on; - gzip_disable "msie6"; - - ## - # Virtual Host Configs - ## - - include /etc/nginx/conf.d/*.conf; - include /etc/nginx/sites-enabled/*; -} \ No newline at end of file diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml deleted file mode 100644 index 4a1573a..0000000 --- a/roles/nginx/handlers/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- name: setup-nginx - include_tasks: setup.yml - listen: "setup nginx" \ No newline at end of file diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index ac7a85e..fb28807 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml 
@@ -1,35 +1,63 @@ --- -- name: Install system nginx config - copy: - src: nginx.conf - dest: /etc/nginx/nginx.conf - notify: setup nginx - -# setup our configs for each host (we don't want to -# overwrite certbot's changes, so if it already exists, -# don't copy!) - -- name: Install nginx config for {{ domain }} - template: - src: templates/site.conf - dest: /etc/nginx/conf.d/{{ domain }}.conf - force: no - notify: setup nginx - -- name: Install nginx config for git.{{ domain }} - template: - src: templates/gitea.conf - dest: /etc/nginx/conf.d/git.{{ domain }}.conf - force: no - notify: setup nginx - -- name: Install nginx config for our Hidden Service - template: - src: templates/tor.conf - dest: /etc/nginx/conf.d/tor-{{ domain }}.conf - -- name: Enable Nginx +- name: "Stop Nginx" systemd: name: nginx - enabled: yes - state: started \ No newline at end of file + state: stopped + +- name: "Setup Certbot" + include_role: + name: geerlingguy.certbot + vars: + certbot_admin_email: "{{ contact_email }}" + certbot_create_if_missing: true + certbot_create_standalone_stop_services: [] + certbot_certs: + - domains: + - "{{ domain }}" + - "git.{{ domain }}" + +- name: "Install Nginx" + include_role: + name: geerlingguy.nginx + vars: + nginx_listen_ipv6: true + nginx_vhosts: + - listen: "443 ssl http2" + server_name: "{{ domain }}" + root: "/var/www/{{ domain }}/public" + index: "index.html index.htm" + extra_parameters: | + location / { + add_header Permissions-Policy interest-cohort=(); + try_files $uri $uri/ =404; + } + ssl_certificate /etc/letsencrypt/live/{{ domain }}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem; + ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers HIGH:!aNULL:!MD5; + - listen: "443 ssl http2" + server_name: "git.{{ domain }}" + client_max_body_size: "100M" + extra_parameters: | + location / { + add_header Permissions-Policy interest-cohort=(); + proxy_pass http://localhost:{{ giteaPort }}; + } + ssl_certificate 
/etc/letsencrypt/live/{{ domain }}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem; + ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers HIGH:!aNULL:!MD5; + - listen: "2171" + server_name: "{{ onionDomain }}" + root: "/var/www/{{ domain }}/tor" + index: "index.html index.htm" + extra_parameters: | + location / { + add_header Permissions-Policy interest-cohort=(); + try_files $uri $uri/ =404; + } + +- name: "Start Nginx" + systemd: + name: nginx + state: started diff --git a/roles/nginx/tasks/setup.yml b/roles/nginx/tasks/setup.yml deleted file mode 100644 index 26d5dd2..0000000 --- a/roles/nginx/tasks/setup.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- name: Setup certbot - shell: "certbot --nginx --non-interactive --agree-tos --email {{ contact_email }} -d {{ domain }} -d git.{{ domain }}" - -- name: Reload Nginx - systemd: - name: nginx - enabled: yes - state: restarted \ No newline at end of file diff --git a/roles/nginx/templates/gitea.conf b/roles/nginx/templates/gitea.conf deleted file mode 100644 index 15dedec..0000000 --- a/roles/nginx/templates/gitea.conf +++ /dev/null @@ -1,11 +0,0 @@ -server { - server_name git.{{ domain }}; - listen 80; - - location / { - add_header Permissions-Policy interest-cohort=(); - proxy_pass http://localhost:{{ giteaPort }}; - } - - client_max_body_size 100M; -} diff --git a/roles/nginx/templates/site.conf b/roles/nginx/templates/site.conf deleted file mode 100644 index d470887..0000000 --- a/roles/nginx/templates/site.conf +++ /dev/null @@ -1,13 +0,0 @@ -server { - server_name {{ domain }}; - listen 80; - - root /var/www/{{ domain }}/public; - index index.html index.htm; - - location / { - add_header Permissions-Policy interest-cohort=(); - add_header Referrer-Policy: "no-referrer"; - try_files $uri $uri/ =404; - } -} \ No newline at end of file diff --git a/roles/nginx/templates/tor.conf b/roles/nginx/templates/tor.conf deleted file mode 100644 index 0b6e67a..0000000 
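Review bot: The hidden-service vhost at the end of the hunk, `listen: "2171"`, binds every interface, so the content served for the onion address is also reachable directly on the host's public IP at port 2171 and the two identities can be tied together; the deleted tor.conf had the same `listen 2171;`, but this rewrite is the moment to restrict it to the loopback tor forwards to, `listen: "127.0.0.1:2171"`. Both TLS vhosts still allow `ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;` — TLS 1.1 is deprecated and nothing current needs it, so `ssl_protocols TLSv1.2 TLSv1.3;` in both `extra_parameters` blocks, with a tighter cipher list than `HIGH:!aNULL:!MD5`, is the safer default. Nothing in `nginx_vhosts` listens on port 80, so plain-HTTP requests land on whatever default vhost the role leaves rather than redirecting; a small port-80 vhost with `return 301 https://$host$request_uri;` would close that, and it is worth checking that the certbot renewal job (standalone, with `certbot_create_standalone_stop_services: []`) can still bind port 80 once nginx is running. The old site.conf's `Referrer-Policy` header is not carried over; if it was intended, `add_header Referrer-Policy "no-referrer";` belongs in the `{{ domain }}` location block.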
--- a/roles/nginx/templates/tor.conf +++ /dev/null @@ -1,12 +0,0 @@ -server { - root /var/www/{{ domain }}/tor; - index index.html index.htm; - - location / { - add_header Permissions-Policy interest-cohort=(); - try_files $uri $uri/ =404; - } - - # our tor hidden service is hosted on this port - listen 2171; -}