switched to roles

- all tasks/* have been moved to their own roles in roles/* - each file && template is now oragnized per-role - annotated each task which still isn't idempotent !TODO!
2025-10-15 21:50:09 +00:00 · 2023-01-14 17:26:17 -06:00
parent d435ab80ac
commit abaa4c9639
23 changed files with 33 additions and 24 deletions
--- a/roles/blog/tasks/main.yml
+++ b/roles/blog/tasks/main.yml
@@ -0,0 +1,24 @@
+---
+- name: Clone blog repository
+  git:
+    repo: "https://github.com/CPunch/openpunk.git"
+    dest: "/var/www/{{ domain }}"
+
+# TODO: make idempotent
+- name: Build blog
+  command:
+    cmd: hugo
+    chdir: "/var/www/{{ domain }}"
+
+- name: Install updateBlog script
+  template:
+    src: templates/updateBlog
+    dest: /usr/local/bin/updateBlog
+    mode: u+rx
+
+# Rebuild blog every hour
+- name: Setup blog cron job
+  cron:
+    name: Build blog every hour
+    minute: 0
+    job: /usr/local/bin/updateBlog
--- a/roles/blog/templates/updateBlog
+++ b/roles/blog/templates/updateBlog
@@ -0,0 +1,5 @@
+#!/bin/bash
+cd /var/www/{{ domain }}
+/usr/bin/git fetch origin
+/usr/bin/git reset --hard origin/main
+/usr/bin/hugo
--- a/roles/deadswitch/files/deadswitch
+++ b/roles/deadswitch/files/deadswitch
@@ -0,0 +1,26 @@
+#!/bin/bash
+# This is meant to be run by cron, just setup a cronjob to run this script every day or so
+# This script checks if a file ($fileSwitch) is last modified > $dayLimit days ago & if so a script is run
+# On your computer or laptop, setup a cronjob to run an ssh command to modify $fileSwitch every couple hours or so.
+
+fileTrigger="$HOME/.deadtrigger"
+fileLock="$HOME/.deadlock" # if this file exists, the deadmans switch will be disabled. This file is automatically created when the switch is pulled
+scriptToRun="$HOME/deadman/imdead.sh"
+dayLimit=14 # 14 day trigger
+
+# if our file lock exists, we already ran OR the switch has been disabled on purpose
+if [ -f "$fileLock" ]; then
+    exit 0
+fi
+
+# time has to be in seconds so dayLimit (days) * 24 (hours in a day) * 60 (mins in an hour) * 60 (seconds in a min)
+let "triggerTime=$dayLimit * 24 * 60 * 60"
+let "lastPing=$(stat -c %Y $fileTrigger)"
+let "currTime=$(date +%s)"
+let "dTime=$currTime-$lastPing"
+echo $dTime
+if [ $dTime -gt $triggerTime ]
+then 
+    touch $fileLock
+    bash $scriptToRun
+fi
--- a/roles/deadswitch/files/imdead.sh
+++ b/roles/deadswitch/files/imdead.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+cd $HOME/deadman
+
+postPatch='dead.patch'
+pageName='content/pages/dead.md'
+currDate=$(date '+%Y-%m-%d')
+
+git clone git@github.com:CPunch/openpunk.git
+
+# commit & push the post
+cd openpunk
+git am postPatch
+# replace our --DATE-- with the current date
+sed -i 's/--DATE--/'$currDate'/g' $pageName
+git add .
+git commit -m "DeadSwitch: No response from CPunch in 14 days, posting dead.md"
+git push --force
--- a/roles/deadswitch/tasks/main.yml
+++ b/roles/deadswitch/tasks/main.yml
@@ -0,0 +1,37 @@
+---
+- name: Create deadman directory
+  file:
+    name: /root/deadman
+    state: directory
+
+- name: Install deadswitch script
+  copy:
+    src: deadswitch
+    dest: /usr/local/bin/deadswitch
+    mode: u+rx
+
+- name: Install imdead.sh
+  copy:
+    src: imdead.sh
+    dest: /root/deadman/imdead.sh
+    mode: u+rx
+
+- name: Copy dead patch
+  copy:
+    src: secrets/dead.patch
+    dest: /root/deadman/dead.patch
+    mode: u+rw
+
+# TODO: make idempotent
+- name: Install deadtrigger
+  file:
+    name: /root/.deadtrigger
+    state: touch
+
+# Run deadswitch daily at 1am
+- name: Install deadlock cronjob
+  cron:
+    name: Run deadswitch
+    minute: 0
+    hour: 1
+    job: /usr/local/bin/deadswitch
--- a/roles/essential/files/.zshrc
+++ b/roles/essential/files/.zshrc
@@ -0,0 +1 @@
+source /root/powerlevel10k/powerlevel10k.zsh-theme
--- a/roles/essential/tasks/main.yml
+++ b/roles/essential/tasks/main.yml
@@ -0,0 +1,49 @@
+---
+# TODO: make idempotent
+- name: Add Gitea repo key
+  shell: curl -s https://packaging.gitlab.io/gitea/gpg.key | sudo gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/morph027-gitea.gpg --import
+
+# TODO: make idempotent
+- name: Set key perms
+  shell: sudo chmod 644 /etc/apt/trusted.gpg.d/morph027-gitea.gpg
+
+- name: Add Gitea repo
+  apt_repository:
+    filename: morph027-gitea
+    repo: deb https://packaging.gitlab.io/gitea gitea main
+
+- name: Upgrade Packages
+  apt:
+    update_cache: yes
+    upgrade: full
+
+- name: Install required software
+  package:
+    name:
+      - hugo
+      - gitea
+      - git
+      - nginx
+      - tor
+      - ufw
+      - fail2ban
+      - goaccess
+      - htop
+      - zsh # :D
+      - python3-certbot-nginx
+
+# TODO: make idempotent
+- name: Setup default shell (zsh)
+  shell: chsh -s /usr/bin/zsh
+
+- name: Clone Powerlevel10k theme
+  git:
+    repo: "https://github.com/romkatv/powerlevel10k.git"
+    dest: "/root/powerlevel10k"
+    depth: 1
+
+- name: Install .zshrc
+  copy:
+    src: .zshrc
+    dest: /root/.zshrc
+    force: no
--- a/roles/firewall/files/jails.local
+++ b/roles/firewall/files/jails.local
@@ -0,0 +1,8 @@
+[sshd]
+enabled = true
+
+[nginx-http-auth]
+enabled = true
+
+[nginx-botsearch]
+enabled = true
--- a/roles/firewall/tasks/main.yml
+++ b/roles/firewall/tasks/main.yml
@@ -0,0 +1,33 @@
+---
+- name: Allow port 22
+  community.general.ufw:
+    rule: allow
+    port: '22'
+    proto: tcp
+
+- name: Allow port 80
+  community.general.ufw:
+    rule: allow
+    port: '80'
+    proto: tcp
+
+- name: Allow port 443
+  community.general.ufw:
+    rule: allow
+    port: '443'
+    proto: tcp
+
+- name: Startup UFW
+  community.general.ufw:
+    state: enabled
+
+- name: Copy fail2ban jail config
+  copy:
+    src: jails.local
+    dest: /etc/fail2ban/jail.d/jails.local
+
+- name: Enable fail2ban service
+  systemd:
+    name: fail2ban
+    enabled: yes
+    state: started
--- a/roles/git/files/.gitconfig
+++ b/roles/git/files/.gitconfig
@@ -0,0 +1,7 @@
+[user]
+        email = openpunk@proton.me
+        name = OpenPunk
+[core]
+        editor = nano
+[pull]
+        rebase = true
--- a/roles/git/tasks/main.yml
+++ b/roles/git/tasks/main.yml
@@ -0,0 +1,37 @@
+---
+- name: Setup git config
+  copy:
+    src: .gitconfig
+    dest: /root/.gitconfig
+    owner: root
+    mode: u=rw,g=,o=
+
+# make sure our vps trusts the github.com key signature. we pipe the output
+# of ssh-keyscan into .ssh/known_hosts
+
+# TODO: make idempotent
+- name: Scan for SSH host keys
+  command: ssh-keyscan github.com 2>/dev/null
+  register: ssh_scan
+
+- name: Update known_hosts
+  copy:
+    content: "{{ ssh_scan.stdout_lines|join('\n')  }}"
+    dest: /root/.ssh/known_hosts
+    owner: root
+    mode: u=rw,g=,o=
+    force: no # if we already have a known_hosts file, ignore!
+
+# this keypair is trusted under my github account, so it allows my vps to make pushes
+# to the main branch of my openpunk repository. (for my deadswitch: see static/blog/imdead.sh)
+
+- name: Install ssh priv key
+  copy:
+    src: secrets/id_ed25519
+    dest: /root/.ssh/id_ed25519
+    mode: u=rw,g=,o=
+
+- name: Install ssh pub key
+  copy:
+    src: secrets/id_ed25519.pub
+    dest: /root/.ssh/id_ed25519.pub
--- a/roles/gitea/tasks/main.yml
+++ b/roles/gitea/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+- name: Configure Gitea
+  template:
+    src: app.ini
+    dest: /etc/gitea/app.ini
+    owner: gitea
+    force: no # we don't want to kill our existing config D:
+
+- name: Reload Gitea
+  systemd:
+    name: gitea
+    enabled: yes
+    state: started
--- a/roles/gitea/templates/app.ini
+++ b/roles/gitea/templates/app.ini
@@ -0,0 +1,60 @@
+APP_NAME = OpenPunk Gitea
+RUN_USER = gitea
+RUN_MODE = prod
+
+[database]
+DB_TYPE  = sqlite3
+HOST     = 127.0.0.1:5432
+NAME     = gitea
+USER     = gitea
+PASSWD   = 
+SSL_MODE = disable
+CHARSET  = utf8
+PATH     = /var/lib/gitea/data/gitea.db
+
+[repository]
+ROOT = /var/lib/gitea/gitea-repositories
+
+[server]
+SSH_DOMAIN       = git.{{ domain }}
+DOMAIN           = git.{{ domain }}
+HTTP_PORT        = 3000
+ROOT_URL         = https://git.{{ domain }}/
+DISABLE_SSH      = false
+SSH_PORT         = 22
+LFS_START_SERVER = false
+OFFLINE_MODE     = false
+
+[mailer]
+ENABLED = false
+
+[service]
+REGISTER_EMAIL_CONFIRM            = false
+ENABLE_NOTIFY_MAIL                = false
+DISABLE_REGISTRATION              = true
+ALLOW_ONLY_EXTERNAL_REGISTRATION  = false
+ENABLE_CAPTCHA                    = false
+REQUIRE_SIGNIN_VIEW               = false
+DEFAULT_KEEP_EMAIL_PRIVATE        = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING       = true
+NO_REPLY_ADDRESS                  = noreply.localhost
+
+[picture]
+DISABLE_GRAVATAR        = true
+ENABLE_FEDERATED_AVATAR = false
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = false
+
+[session]
+PROVIDER = file
+
+[log]
+MODE      = file
+LEVEL     = info
+ROOT_PATH = /var/lib/gitea/log
+
+[ui]
+DEFAULT_THEME = arc-green
--- a/roles/goaccess/files/goaccess.conf
+++ b/roles/goaccess/files/goaccess.conf
@@ -0,0 +1,718 @@
+######################################
+# Time Format Options (required)
+######################################
+#
+# The hour (24-hour clock) [00,23]; leading zeros are permitted but not required.
+# The minute [00,59]; leading zeros are permitted but not required.
+# The seconds [00,60]; leading zeros are permitted but not required.
+# See `man strftime` for more details
+#
+# The following time format works with any of the
+# Apache/NGINX's log formats below.
+#
+#time-format %H:%M:%S
+#
+# Google Cloud Storage or
+# The time in microseconds since the Unix epoch.
+#
+#time-format %f
+
+# Squid native log format
+#
+#time-format %s
+
+######################################
+# Date Format Options (required)
+######################################
+#
+# The date-format variable followed by a space, specifies
+# the log format date containing any combination of regular
+# characters and special format specifiers. They all begin with a
+# percentage (%) sign. See `man strftime`
+#
+# The following date format works with any of the
+# Apache/NGINX's log formats below.
+#
+#date-format %d/%b/%Y
+#
+# AWS | Amazon CloudFront (Download Distribution)
+# AWS | Elastic Load Balancing
+# W3C (IIS)
+#
+#date-format %Y-%m-%d
+#
+# Google Cloud Storage or
+# The time in microseconds since the Unix epoch.
+#
+#date-format %f
+
+# Squid native log format
+#
+#date-format %s
+
+######################################
+# Log Format Options (required)
+######################################
+#
+# The log-format variable followed by a space or \t for
+# tab-delimited, specifies the log format string.
+#
+# NOTE: If the time/date is a timestamp in seconds or microseconds
+# %x must be used instead of %d & %t to represent the date & time.
+
+# NCSA Combined Log Format
+#log-format %h %^[%d:%t %^] "%r" %s %b "%R" "%u"
+
+# NCSA Combined Log Format with Virtual Host
+#log-format %v:%^ %h %^[%d:%t %^] "%r" %s %b "%R" "%u"
+
+# Common Log Format (CLF)
+#log-format %h %^[%d:%t %^] "%r" %s %b
+
+# Common Log Format (CLF) with Virtual Host
+#log-format %v:%^ %h %^[%d:%t %^] "%r" %s %b
+
+# W3C
+#log-format %d %t %h %^ %^ %^ %^ %r %^ %s %b %^ %^ %u %R
+
+# Squid native log format
+#log-format %^ %^ %^ %v %^: %x.%^ %~%L %h %^/%s %b %m %U
+
+# AWS | Amazon CloudFront (Download Distribution)
+#log-format %d\t%t\t%^\t%b\t%h\t%m\t%^\t%r\t%s\t%R\t%u\t%^
+
+# Google Cloud Storage
+#log-format "%x","%h",%^,%^,"%m","%U","%s",%^,"%b","%D",%^,"%R","%u"
+
+# AWS | Elastic Load Balancing
+#log-format %dT%t.%^ %^ %h:%^ %^ %T %^ %^ %^ %s %^ %b "%r" "%u"
+
+# AWSS3 | Amazon Simple Storage Service (S3)
+#log-format %^[%d:%t %^] %h %^"%r" %s %^ %b %^ %L %^ "%R" "%u"
+
+# Virtualmin Log Format with Virtual Host
+#log-format %h %^ %v %^[%d:%t %^] "%r" %s %b "%R" "%u"
+
+# Kubernetes Nginx Ingress Log Format
+#log-format %^ %^ [%h] %^ %^ [%d:%t %^] "%r" %s %b "%R" "%u" %^ %^ [%v] %^:%^ %^ %T %^ %^
+
+# In addition to specifying the raw log/date/time formats, for
+# simplicity, any of the following predefined log format names can be
+# supplied to the log/date/time-format variables. GoAccess  can  also
+# handle  one  predefined name in one variable and another predefined
+# name in another variable.
+#
+#log-format COMBINED
+#log-format VCOMBINED
+#log-format COMMON
+#log-format VCOMMON
+#log-format W3C
+#log-format SQUID
+#log-format CLOUDFRONT
+#log-format CLOUDSTORAGE
+#log-format AWSELB
+#log-format AWSS3
+
+######################################
+# UI Options
+######################################
+
+# Choose among color schemes
+# 1 : Monochrome
+# 2 : Green
+# 3 : Monokai (if 256-colors supported)
+#
+#color-scheme 3
+
+# Prompt log/date configuration window on program start.
+#
+config-dialog false
+
+# Color highlight active panel.
+#
+hl-header true
+
+# Specify a custom CSS file in the HTML report.
+#
+#html-custom-css /path/file.css
+
+# Specify a custom JS file in the HTML report.
+#
+#html-custom-js /path/file.js
+
+# Set default HTML preferences.
+#
+# NOTE: A valid JSON object is required.
+# DO NOT USE A MULTILINE JSON OBJECT.
+# The parser will only parse the value next to `html-prefs` (single line)
+# It allows the ability to customize each panel plot. See example below.
+#
+#html-prefs {"theme":"bright","perPage":5,"layout":"horizontal","showTables":true,"visitors":{"plot":{"chartType":"bar"}}}
+
+# Set HTML report page title and header.
+#
+#html-report-title My Awesome Web Stats
+
+# Format JSON output using tabs and newlines.
+#
+json-pretty-print false
+
+# Turn off colored output. This is the  default output on
+# terminals that do not support colors.
+# true  : for no color output
+# false : use color-scheme
+#
+no-color false
+
+# Don't write column names in the terminal output. By default, it displays
+# column names for each available metric in every panel.
+#
+no-column-names false
+
+# Disable summary metrics on the CSV output.
+#
+no-csv-summary false
+
+# Disable progress metrics.
+#
+no-progress false
+
+# Disable scrolling through panels on TAB.
+#
+no-tab-scroll false
+
+# Disable progress metrics and parsing spinner.
+#
+#no-parsing-spinner true
+
+# Do not show the last updated field displayed in the HTML generated report.
+#
+#no-html-last-updated true
+
+# Enable mouse support on main dashboard.
+#
+with-mouse false
+
+# Maximum number of items to show per panel.
+# Note: Only the CSV and JSON outputs allow a maximum greater than the
+# default value of 366.
+#
+#max-items 366
+
+# Custom colors for the terminal output
+# Tailor GoAccess to suit your own tastes.
+#
+# Color Syntax:
+# DEFINITION space/tab colorFG#:colorBG# [[attributes,] PANEL]
+#
+# FG# = foreground color number [-1...255] (-1 = default terminal color)
+# BG# = background color number [-1...255] (-1 = default terminal color)
+#
+# Optionally:
+#
+# It is possible to apply color attributes, such as:
+# bold,underline,normal,reverse,blink.
+# Multiple attributes are comma separated
+#
+# If desired, it is possible to apply custom colors per panel, that is, a
+# metric in the REQUESTS panel can be of color A, while the same metric in the
+# BROWSERS panel can be of color B.
+#
+# The following is a 256 color scheme (hybrid palette)
+#
+#color COLOR_MTRC_HITS              color110:color-1
+#color COLOR_MTRC_VISITORS          color173:color-1
+#color COLOR_MTRC_DATA              color221:color-1
+#color COLOR_MTRC_BW                color167:color-1
+#color COLOR_MTRC_AVGTS             color143:color-1
+#color COLOR_MTRC_CUMTS             color247:color-1
+#color COLOR_MTRC_MAXTS             color186:color-1
+#color COLOR_MTRC_PROT              color109:color-1
+#color COLOR_MTRC_MTHD              color139:color-1
+#color COLOR_MTRC_HITS_PERC         color186:color-1
+#color COLOR_MTRC_HITS_PERC_MAX     color139:color-1
+#color COLOR_MTRC_HITS_PERC_MAX     color139:color-1 VISITORS
+#color COLOR_MTRC_HITS_PERC_MAX     color139:color-1 OS
+#color COLOR_MTRC_HITS_PERC_MAX     color139:color-1 BROWSERS
+#color COLOR_MTRC_HITS_PERC_MAX     color139:color-1 VISIT_TIMES
+#color COLOR_MTRC_VISITORS_PERC     color186:color-1
+#color COLOR_MTRC_VISITORS_PERC_MAX color139:color-1
+#color COLOR_PANEL_COLS             color243:color-1
+#color COLOR_BARS                   color250:color-1
+#color COLOR_ERROR                  color231:color167
+#color COLOR_SELECTED               color7:color167
+#color COLOR_PANEL_ACTIVE           color7:color237
+#color COLOR_PANEL_HEADER           color250:color235
+#color COLOR_PANEL_DESC             color242:color-1
+#color COLOR_OVERALL_LBLS           color243:color-1
+#color COLOR_OVERALL_VALS           color167:color-1
+#color COLOR_OVERALL_PATH           color186:color-1
+#color COLOR_ACTIVE_LABEL           color139:color235 bold underline
+#color COLOR_BG                     color250:color-1
+#color COLOR_DEFAULT                color243:color-1
+#color COLOR_PROGRESS               color7:color110
+
+######################################
+# Server Options
+######################################
+
+# Specify IP address to bind server to.
+#
+#addr 0.0.0.0
+
+# Run GoAccess as daemon (if --real-time-html enabled).
+#
+#daemonize false
+
+# Ensure clients send the specified origin header upon the WebSocket
+# handshake.
+#
+#origin http://example.org
+
+# The port to which the connection is being attempted to connect.
+# By default GoAccess' WebSocket server listens on port 7890
+# See man page or http://gwsocket.io for details.
+#
+#port 7890
+
+# Write the PID to a file when used along the daemonize option.
+#
+#pid-file /var/run/goaccess.pid
+
+# Enable real-time HTML output.
+#
+#real-time-html true
+
+# Path to TLS/SSL certificate.
+# Note that ssl-cert and ssl-key need to be used to enable TLS/SSL.
+#
+#ssl-cert /path/ssl/domain.crt
+
+# Path to TLS/SSL private key.
+# Note that ssl-cert and ssl-key need to be used to enable TLS/SSL.
+#
+#ssl-key /path/ssl/domain.key
+
+# URL to which the WebSocket server responds. This is the URL supplied
+# to the WebSocket constructor on the client side.
+#
+# Optionally, it is possible to specify the WebSocket URI scheme, such as ws://
+# or wss:// for unencrypted and encrypted connections.
+# e.g., ws-url wss://goaccess.io
+#
+# If GoAccess is running behind a proxy, you could set the client side
+# to connect to a different port by specifying the host followed by a
+# colon and the port.
+# e.g., ws-url goaccess.io:9999
+#
+# By default, it will attempt to connect to localhost. If GoAccess is
+# running on a remote server, the host of the remote server should be
+# specified here. Also, make sure it is a valid host and NOT an http
+# address.
+#
+#ws-url goaccess.io
+
+# Path to read named pipe (FIFO).
+#
+#fifo-in /tmp/wspipein.fifo
+
+# Path to write named pipe (FIFO).
+#
+#fifo-out /tmp/wspipeout.fifo
+
+######################################
+# File Options
+######################################
+
+# Specify the path to the input log file. If set, it will take
+# priority over -f from the command line.
+#
+#log-file /var/log/apache2/access.log
+
+# Send all debug messages to the specified file.
+#
+#debug-file debug.log
+
+# Specify a custom configuration file to use. If set, it will take
+# priority over the global configuration file (if any).
+#
+#config-file <filename>
+
+# Log invalid requests to the specified file.
+#
+#invalid-requests <filename>
+
+# Do not load the global configuration file.
+#
+#no-global-config false
+
+######################################
+# Parse Options
+######################################
+
+# Enable a list of user-agents by host. For faster parsing, do not
+# enable this flag.
+#
+agent-list false
+
+#  Enable IP resolver on HTML|JSON|CSV output.
+#
+with-output-resolver false
+
+# Exclude an IPv4 or IPv6 from being counted.
+# Ranges can be included as well using a dash in between
+# the IPs (start-end).
+#
+#exclude-ip 127.0.0.1
+#exclude-ip 192.168.0.1-192.168.0.100
+#exclude-ip ::1
+#exclude-ip 0:0:0:0:0:ffff:808:804-0:0:0:0:0:ffff:808:808
+
+# Include HTTP request method if found. This will create a
+# request key containing the request method + the actual request.
+#
+# <yes|no> [default: yes]
+#
+http-method yes
+
+# Include HTTP request protocol if found. This will create a
+# request key containing the request protocol + the actual request.
+#
+# <yes|no> [default: yes]
+#
+http-protocol yes
+
+# Write  output to stdout given one of the following files and the
+# corresponding extension for the output format:
+#
+# /path/file.csv  - Comma-separated values (CSV)
+# /path/file.json - JSON (JavaScript Object Notation)
+# /path/file.html - HTML
+#
+# output /path/file.html
+
+# Ignore request's query string.
+# i.e.,  www.google.com/page.htm?query => www.google.com/page.htm
+#
+# Note: Removing the query string can greatly decrease memory
+# consumption, especially on timestamped requests.
+#
+no-query-string false
+
+# Disable IP resolver on terminal output.
+#
+no-term-resolver false
+
+# Treat non-standard status code 444 as 404.
+#
+444-as-404 false
+
+# Add 4xx client errors to the unique visitors count.
+#
+4xx-to-unique-count false
+
+# IP address anonymization
+# The IP anonymization option sets the last octet of IPv4 user IP addresses and
+# the last 80 bits of IPv6 addresses to zeros.
+# e.g., 192.168.20.100 => 192.168.20.0
+# e.g., 2a03:2880:2110:df07:face:b00c::1 => 2a03:2880:2110:df07::
+#
+#anonymize-ip false
+
+# Include static files that contain a query string in the static files
+# panel.
+# e.g., /fonts/fontawesome-webfont.woff?v=4.0.3
+#
+all-static-files false
+
+# Include an additional delimited list of browsers/crawlers/feeds etc.
+# See config/browsers.list for an example or
+# https://raw.githubusercontent.com/allinurl/goaccess/master/config/browsers.list
+#
+#browsers-file <filename>
+
+# Date specificity. Possible values: `date` (default), or `hr`.
+#
+#date-spec hr
+
+# Decode double-encoded values.
+#
+double-decode false
+
+# Enable parsing/displaying the given panel.
+#
+#enable-panel VISITORS
+#enable-panel REQUESTS
+#enable-panel REQUESTS_STATIC
+#enable-panel NOT_FOUND
+#enable-panel HOSTS
+#enable-panel OS
+#enable-panel BROWSERS
+#enable-panel VISIT_TIMES
+#enable-panel VIRTUAL_HOSTS
+#enable-panel REFERRERS
+#enable-panel REFERRING_SITES
+#enable-panel KEYPHRASES
+#enable-panel STATUS_CODES
+#enable-panel REMOTE_USER
+#enable-panel CACHE_STATUS
+#enable-panel GEO_LOCATION
+
+# Hide a referer but still count it. Wild cards are allowed. i.e., *.bing.com
+#
+#hide-referer *.google.com
+#hide-referer bing.com
+
+# Hour specificity. Possible values: `hr` (default), or `min` (tenth
+# of a minute).
+#
+#hour-spec min
+
+# Ignore crawlers from being counted.
+# This will ignore robots listed under browsers.c
+# Note that it will count them towards the total
+# number of requests, but excluded from any of the panels.
+#
+ignore-crawlers false
+
+# Parse and display crawlers only.
+# This will ignore all hosts except robots listed under browsers.c
+# Note that it will count them towards the total
+# number of requests, but excluded from any of the panels.
+#
+crawlers-only false
+
+# Ignore static file requests.
+# req : Only ignore request from valid requests
+# panels : Ignore request from panels.
+# Note that it will count them towards the total number of requests
+# ignore-statics req
+
+# Ignore parsing and displaying the given panel.
+#
+#ignore-panel VISITORS
+#ignore-panel REQUESTS
+#ignore-panel REQUESTS_STATIC
+#ignore-panel NOT_FOUND
+#ignore-panel HOSTS
+#ignore-panel OS
+#ignore-panel BROWSERS
+#ignore-panel VISIT_TIMES
+#ignore-panel VIRTUAL_HOSTS
+ignore-panel REFERRERS
+#ignore-panel REFERRING_SITES
+ignore-panel KEYPHRASES
+#ignore-panel STATUS_CODES
+#ignore-panel REMOTE_USER
+#ignore-panel CACHE_STATUS
+#ignore-panel GEO_LOCATION
+
+# Ignore referers from being counted.
+# This supports wild cards. For instance,
+# '*' matches 0 or more characters (including spaces)
+# '?' matches exactly one character
+#
+#ignore-referer *.domain.com
+#ignore-referer ww?.domain.*
+
+# Ignore parsing and displaying one or multiple status code(s)
+#
+#ignore-status 400
+#ignore-status 502
+
+# Keep the last specified number of days in storage. This will recycle the
+# storage tables. e.g., keep & show only the last 7 days.
+#
+# keep-last 7
+
+# Disable client IP validation. Useful if IP addresses have been
+# obfuscated before being logged.
+#
+# no-ip-validation true
+
+# Number of lines from the access log to test against the provided
+# log/date/time format. By default, the parser is set to test 10
+# lines. If set to 0, the parser won't test  any  lines and will parse
+# the whole access log.
+#
+#num-tests 10
+
+# Parse log and exit without outputting data.
+#
+#process-and-exit false
+
+# Display real OS names. e.g, Windows XP, Snow Leopard.
+#
+real-os true
+
+# Sort panel on initial load.
+# Sort options are separated by comma.
+# Options are in the form: PANEL,METRIC,ORDER
+#
+# Available metrics:
+#  BY_HITS     - Sort by hits
+#  BY_VISITORS - Sort by unique visitors
+#  BY_DATA     - Sort by data
+#  BY_BW       - Sort by bandwidth
+#  BY_AVGTS    - Sort by average time served
+#  BY_CUMTS    - Sort by cumulative time served
+#  BY_MAXTS    - Sort by maximum time served
+#  BY_PROT     - Sort by http protocol
+#  BY_MTHD     - Sort by http method
+# Available orders:
+#  ASC
+#  DESC
+#
+#sort-panel VISITORS,BY_DATA,ASC
+#sort-panel REQUESTS,BY_HITS,ASC
+#sort-panel REQUESTS_STATIC,BY_HITS,ASC
+#sort-panel NOT_FOUND,BY_HITS,ASC
+#sort-panel HOSTS,BY_HITS,ASC
+#sort-panel OS,BY_HITS,ASC
+#sort-panel BROWSERS,BY_HITS,ASC
+#sort-panel VISIT_TIMES,BY_DATA,DESC
+#sort-panel VIRTUAL_HOSTS,BY_HITS,ASC
+#sort-panel REFERRERS,BY_HITS,ASC
+#sort-panel REFERRING_SITES,BY_HITS,ASC
+#sort-panel KEYPHRASES,BY_HITS,ASC
+#sort-panel STATUS_CODES,BY_HITS,ASC
+#sort-panel REMOTE_USER,BY_HITS,ASC
+#sort-panel CACHE_STATUS,BY_HITS,ASC
+#sort-panel GEO_LOCATION,BY_HITS,ASC
+
+# Consider the following extensions as static files
+# The actual '.' is required and extensions are case sensitive
+# For a full list, uncomment the less common static extensions below.
+#
+static-file .css
+static-file .js
+static-file .jpg
+static-file .png
+static-file .gif
+static-file .ico
+static-file .jpeg
+static-file .pdf
+static-file .csv
+static-file .mpeg
+static-file .mpg
+static-file .swf
+static-file .woff
+static-file .woff2
+static-file .xls
+static-file .xlsx
+static-file .doc
+static-file .docx
+static-file .ppt
+static-file .pptx
+static-file .txt
+static-file .zip
+static-file .ogg
+static-file .mp3
+static-file .mp4
+static-file .exe
+static-file .iso
+static-file .gz
+static-file .rar
+static-file .svg
+static-file .bmp
+static-file .tar
+static-file .tgz
+static-file .tiff
+static-file .tif
+static-file .ttf
+static-file .flv
+#static-file .less
+#static-file .ac3
+#static-file .avi
+#static-file .bz2
+#static-file .class
+#static-file .cue
+#static-file .dae
+#static-file .dat
+#static-file .dts
+#static-file .ejs
+#static-file .eot
+#static-file .eps
+#static-file .img
+#static-file .jar
+#static-file .map
+#static-file .mid
+#static-file .midi
+#static-file .ogv
+#static-file .webm
+#static-file .mkv
+#static-file .odp
+#static-file .ods
+#static-file .odt
+#static-file .otf
+#static-file .pict
+#static-file .pls
+#static-file .ps
+#static-file .qt
+#static-file .rm
+#static-file .svgz
+#static-file .wav
+#static-file .webp
+
+######################################
+# GeoIP Options
+# Only if configured with --enable-geoip
+######################################
+
+# To feed a database either through GeoIP Legacy or GeoIP2, you need to use the
+# geoip-database flag below.
+#
+# === GeoIP Legacy
+# Legacy GeoIP has been discontinued. If your Linux distribution does not ship
+# with the legacy databases, you may still be able to find them through
+# different sources. Make sure to download the .dat files.
+#
+# Distributed with Creative Commons Attribution-ShareAlike 4.0 International License.
+# https://mailfud.org/geoip-legacy/
+
+# IPv4 Country database:
+# Download the GeoIP.dat.gz
+# gunzip GeoIP.dat.gz
+#
+# IPv4 City database:
+# Download the GeoIPCity.dat.gz
+# gunzip GeoIPCity.dat.gz
+
+# Standard GeoIP database for less memory usage (GeoIP Legacy).
+#
+#std-geoip false
+
+# === GeoIP2
+# For GeoIP2 databases, you can use DB-IP Lite databases.
+# DB-IP is licensed under a Creative Commons Attribution 4.0 International License.
+# https://db-ip.com/db/lite.php
+
+# Or you can download them from MaxMind
+# https://dev.maxmind.com/geoip/geoip2/geolite2/
+
+# For GeoIP2 City database:
+# Download the GeoLite2-City.mmdb.gz
+# gunzip GeoLite2-City.mmdb.gz
+#
+# For GeoIP2 Country database:
+# Download the GeoLite2-Country.mmdb.gz
+# gunzip GeoLite2-Country.mmdb.gz
+#
+#geoip-database /usr/local/share/GeoIP/GeoLiteCity.dat
+
+######################################
+# Persistence Options
+######################################
+
+# Path where the persisted database files are stored on disk.
+# The default value is the /tmp/ directory
+# Note the trailing forward-slash.
+#
+#db-path /tmp
+
+# Persist parsed data into disk.
+#persist true
+
+# Load previously stored data from disk.
+# Database files need to exist. See `persist`.
+#restore true
--- a/roles/goaccess/tasks/main.yml
+++ b/roles/goaccess/tasks/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Copy goaccess config
+  copy:
+    src: goaccess.conf
+    dest: /etc/goaccess/goaccess.conf
--- a/roles/nginx/files/nginx.conf
+++ b/roles/nginx/files/nginx.conf
@@ -0,0 +1,52 @@
+user www-data;
+worker_processes auto;
+include /etc/nginx/modules-enabled/*.conf;
+pid /run/nginx.pid;
+
+events {
+    worker_connections 768;
+}
+
+http {
+
+    ##
+    # Basic Settings
+    ##
+
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    types_hash_max_size 2048;
+
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    ##
+    # SSL Settings
+    ##
+
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+    ssl_prefer_server_ciphers on;
+
+    ##
+    # Logging Settings
+    ##
+
+    access_log /var/log/nginx/access.log;
+    error_log /var/log/nginx/error.log;
+
+    ##
+    # Gzip Settings
+    ##
+
+    gzip on;
+    gzip_disable "msie6";
+
+    ##
+    # Virtual Host Configs
+    ##
+
+    include /etc/nginx/conf.d/*.conf;
+    include /etc/nginx/sites-enabled/*;
+}
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -0,0 +1,55 @@
+---
+
+# TODO: make idempotent
+- name: Remove default nginx config
+  file:
+    name: /etc/nginx/sites-enabled
+    state: absent
+
+# TODO: make idempotent
+- name: Restore sites-enabled
+  file:
+    name: /etc/nginx/sites-enabled
+    state: directory
+
+- name: Install system nginx config
+  copy:
+    src: nginx.conf
+    dest: /etc/nginx/nginx.conf
+
+# setup our configs for each host (we don't want to 
+# overwrite certbot's changes, so if it already exists,
+# don't copy!)
+
+- name: Install nginx config for {{ domain }}
+  template:
+    src: templates/site.conf
+    dest: /etc/nginx/conf.d/{{ domain }}.conf
+    force: no
+
+- name: Install nginx config for git.{{ domain }}
+  template:
+    src: templates/gitea.conf
+    dest: /etc/nginx/conf.d/git.{{ domain }}.conf
+    force: no
+
+- name: Install nginx config for our Hidden Service
+  template:
+    src: templates/tor.conf
+    dest: /etc/nginx/conf.d/tor-{{ domain }}.conf
+    force: no
+
+- name: Reload Nginx to install LetsEncrypt
+  service:
+    name: nginx
+    state: restarted
+
+# certbot is a life saver. thank you certbot devs!
+- name: Setup certbot
+  shell: "certbot --nginx --non-interactive --agree-tos -m {{ contact_email }} -d {{ domain }} -d git.{{ domain }}"
+
+- name: Reload Nginx with LetsEncrypt installed
+  systemd:
+    name: nginx
+    enabled: yes
+    state: restarted
--- a/roles/nginx/templates/gitea.conf
+++ b/roles/nginx/templates/gitea.conf
@@ -0,0 +1,11 @@
+server {
+    server_name git.{{ domain }};
+    listen 80;
+
+    location / {
+        add_header Permissions-Policy interest-cohort=();
+        proxy_pass http://localhost:3000;
+    }
+
+    client_max_body_size 100M;
+}
--- a/roles/nginx/templates/site.conf
+++ b/roles/nginx/templates/site.conf
@@ -0,0 +1,13 @@
+server {
+    server_name {{ domain }};
+    listen 80;
+
+    root /var/www/{{ domain }}/public;
+    index index.html index.htm;
+
+    location / {
+        add_header Permissions-Policy interest-cohort=();
+        add_header Referrer-Policy: "no-referrer";
+        try_files $uri $uri/ =404;
+    }
+}
--- a/roles/nginx/templates/tor.conf
+++ b/roles/nginx/templates/tor.conf
@@ -0,0 +1,12 @@
+server {
+    root /var/www/{{ domain }}/public;
+    index index.html index.htm;
+
+    location / {
+        add_header Permissions-Policy interest-cohort=();
+        try_files $uri $uri/ =404;
+    }
+
+    # our tor hidden service is hosted on this port
+    listen 2171;
+}
--- a/roles/tor/tasks/main.yml
+++ b/roles/tor/tasks/main.yml
@@ -0,0 +1,30 @@
+---
+- name: Install torrc
+  template:
+    src: torrc
+    dest: /etc/tor/torrc
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+
+- name: Create Tor HS directory
+  file:
+    path: /var/lib/tor/{{ domain }}
+    state: directory
+    owner: debian-tor
+    group: debian-tor
+    mode: u=rwx,g=,o=
+
+- name: Set Tor HS keys
+  copy:
+    src: secrets/hs_ed25519_secret_key
+    dest: /var/lib/tor/{{ domain }}/hs_ed25519_secret_key
+    owner: debian-tor
+    group: debian-tor
+    mode: u=rw,g=,o=
+
+- name: Enable Tor Service
+  systemd:
+    name: tor
+    enabled: yes
+    state: started
--- a/roles/tor/templates/torrc
+++ b/roles/tor/templates/torrc
@@ -0,0 +1,2 @@
+HiddenServiceDir /var/lib/tor/{{ domain }}
+HiddenServicePort 80 127.0.0.1:2171
				`@@ -0,0 +1 @@`
				`source /root/powerlevel10k/powerlevel10k.zsh-theme`