gitea: added act runner

wrong repos path

README.md

@@ -3,7 +3,7 @@
 This is my failsafe (and also my helpful migration tool) for restoring the OpenPunk server. This handles setting everything back up, including:
 
 - gitea
-    - sadly, no db migration is supported right now. maybe a future todo?
+    - backup and restoring are also supported
 - blog
     - cron job for grabbing the `HEAD` of https://github.com/CPunch/openpunk && building the hugo site
 - tor mirror
@@ -24,14 +24,35 @@ ssh openpunk 'touch /root/.deadtrigger'
 Some DNS records also need to be set:
 - an A record with a `git.*` subdomain
 
+A Gitea Act Runner is also setup if the `giteaRunnerToken` variable is defined in your hosts file.
+
 ## Usage
+First, make sure to install the requirements:
+```sh
+ansible-galaxy install -r requirements.yml
+```
+
+Then, run the playbook:
+
 ```sh
 ansible-playbook -i hosts --ask-vault-pass run.yml
 ```
 > NOTE: The 'secrets' directory has been omitted from this repo (so it's not going to run without the provided files)
 
+## Backup and restore
+
+Backup Gitea using the 'backup' tag
+```sh
+ansible-playbook -i hosts run.yml --tags backup
+```
+
+then, restore from the backup using the 'restore' tag
+```sh
+ansible-playbook -i hosts run.yml --tags restore
+```
+
 ## Example hosts file
 ```
 [hosts]
-openpunk-vps ansible_host=104.238.138.76 ansible_user=root ansible_connection=ssh
+openpunk-vps ansible_host=104.238.138.76 ansible_user=root ansible_connection=ssh giteaRunnerToken=my-token-yayy
 ```

group_vars/all.yml

@@ -1,4 +1,5 @@
 ---
 domain: openpunk.com
 contact_email: openpunk@proton.me
-onionDomain: http://opnpnk6eutjiqy4ndpyvwxd5pncj2g2cmz6fkocr5uh3omnn4utvspad.onion
+onionDomain: opnpnk6eutjiqy4ndpyvwxd5pncj2g2cmz6fkocr5uh3omnn4utvspad.onion
+giteaPort: 3000

requirements.yml

@@ -0,0 +1,12 @@
+- src: https://github.com/roles-ansible/ansible_role_gitea.git
+  scm: git
+  version: v3.5.0
+  name: l3d.gitea
+- src: https://github.com/geerlingguy/ansible-role-nginx.git
+  scm: git
+  version: 3.2.0
+  name: geerlingguy.nginx
+- src: https://github.com/geerlingguy/ansible-role-certbot.git
+  scm: git
+  version: 5.1.1
+  name: geerlingguy.certbot

roles/blog/templates/updateBlog

@@ -6,7 +6,7 @@ TOR_DIR=tor
 
 buildBlog () {
     hugo --cleanDestinationDir --minify -d $PUBLIC_DIR -b https://{{ domain }}
-    hugo --cleanDestinationDir --minify -d $TOR_DIR -b {{ onionDomain }}
+    hugo --cleanDestinationDir --minify -d $TOR_DIR -b http://{{ onionDomain }}
 }
 
 git fetch origin

roles/essential/tasks/main.yml

@@ -15,9 +15,40 @@
       - fail2ban
       - goaccess
       - htop
+      - sqlite3
       - zsh # :D
       - python3-certbot-nginx
 
+- name: Add Docker GPG apt Key
+  apt_key:
+    url: https://download.docker.com/linux/ubuntu/gpg
+    state: present
+
+- name: Add Docker Repository
+  apt_repository:
+    repo: deb https://download.docker.com/linux/ubuntu focal stable
+    state: present
+
+- name: Update apt and install Docker packages
+  apt:
+    name:
+      - docker-ce
+      - docker-ce-cli
+      - containerd.io
+      - docker-compose
+    state: latest
+    update_cache: true
+
+- name: Start docker 
+  systemd:
+    name: docker
+    state: started
+
+- name: Grab package facts
+  package_facts:
+    manager: auto
+  tags: always
+
 - name: Setup zsh
   user:
     name: "{{ ansible_user }}"

roles/gitea/defaults/main.yml

@@ -1,2 +1,4 @@
 ---
 giteaPort: 3000
+giteaBackup: backups/gitea-dump.zip # local path
+runnerPath: "{{ ansible_env.HOME }}/runner"

roles/gitea/files/runner-config.yml

@@ -0,0 +1,94 @@
+# Example configuration file, it's safe to copy this as the default config file without any modification.
+
+# You don't have to copy this file to your instance,
+# just run `./act_runner generate-config > config.yaml` to generate a config file.
+
+log:
+  # The level of logging, can be trace, debug, info, warn, error, fatal
+  level: info
+
+runner:
+  # Where to store the registration result.
+  file: .runner
+  # Execute how many tasks concurrently at the same time.
+  capacity: 2
+  # Extra environment variables to run jobs from a file.
+  # It will be ignored if it's empty or the file doesn't exist.
+  env_file: .env
+  # The timeout for a job to be finished.
+  # Please note that the Gitea instance also has a timeout (3h by default) for the job.
+  # So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
+  timeout: 3h
+  # Whether skip verifying the TLS certificate of the Gitea instance.
+  insecure: false
+  # The timeout for fetching the job from the Gitea instance.
+  fetch_timeout: 5s
+  # The interval for fetching the job from the Gitea instance.
+  fetch_interval: 2s
+  # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
+  # Like: "macos-arm64:host" or "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
+  # Find more images provided by Gitea at https://gitea.com/gitea/runner-images .
+  # If it's empty when registering, it will ask for inputting labels.
+  # If it's empty when execute `daemon`, will use labels in `.runner` file.
+  labels:
+    - "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
+    - "ubuntu-22.04:docker://gitea/runner-images:ubuntu-22.04"
+    - "ubuntu-20.04:docker://gitea/runner-images:ubuntu-20.04"
+
+cache:
+  # Enable cache server to use actions/cache.
+  enabled: true
+  # The directory to store the cache data.
+  # If it's empty, the cache data will be stored in $HOME/.cache/actcache.
+  dir: "/data"
+  # The host of the cache server.
+  # It's not for the address to listen, but the address to connect from job containers.
+  # So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
+  host: ""
+  # The port of the cache server.
+  # 0 means to use a random available port.
+  port: 18088
+  # The external cache server URL. Valid only when enable is true.
+  # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
+  # The URL should generally end with "/".
+  external_server: ""
+
+container:
+  # Specifies the network to which the container will connect.
+  # Could be host, bridge or the name of a custom network.
+  # If it's empty, act_runner will create a network automatically.
+  network: "runner-cache"
+  # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
+  privileged: false
+  # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
+  options:
+  # The parent directory of a job's working directory.
+  # NOTE: There is no need to add the first '/' of the path as act_runner will add it automatically. 
+  # If the path starts with '/', the '/' will be trimmed.
+  # For example, if the parent directory is /path/to/my/dir, workdir_parent should be path/to/my/dir
+  # If it's empty, /workspace will be used.
+  workdir_parent:
+  # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
+  # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
+  # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
+  # valid_volumes:
+  #   - data
+  #   - /src/*.json
+  # If you want to allow any volume, please use the following configuration:
+  # valid_volumes:
+  #   - '**'
+  valid_volumes: []
+  # overrides the docker client host with the specified one.
+  # If it's empty, act_runner will find an available docker host automatically.
+  # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
+  # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
+  docker_host: ""
+  # Pull docker image(s) even if already present
+  force_pull: true
+  # Rebuild docker image(s) even if already present
+  force_rebuild: false
+
+host:
+  # The parent directory of a job's working directory.
+  # If it's empty, $HOME/.cache/act/ will be used.
+  workdir_parent:

roles/gitea/tasks/backup.yml

@@ -1,26 +1,51 @@
 ---
+# based on advice from https://docs.gitea.io/en-us/backup-and-restore/
+
 - name: Stop Gitea
   systemd:
     name: gitea
     enabled: yes
     state: stopped
+  tags: backup
+
+- name: Make Temp dir
+  file:
+    path: /etc/gitea/temp
+    state: directory
+    owner: gitea
+  tags: backup
 
 - name: Dump Gitea
   shell:
-    cmd: gitea dump -c /etc/gitea/app.ini --work-path=/etc/gitea --file=gitea-dump.zip
+    cmd: gitea dump -c /etc/gitea/gitea.ini --work-path=/etc/gitea --file=gitea-dump.zip --tempdir=/etc/gitea/temp
     chdir: /etc/gitea
   become: true
   become_method: su
   become_user: gitea
+  tags: backup
+
+- name: Fetch backup
+  fetch:
+    src: /etc/gitea/gitea-dump.zip
+    dest: "{{ giteaBackup }}"
+    flat: true
+  tags: backup
+
+- name: Remove remote dump
+  file:
+    path: /etc/gitea/gitea-dump.zip
+    state: absent
+  tags: backup
+
+- name: Remove Temp
+  file:
+    path: /etc/gitea/temp
+    state: absent
+  tags: backup
 
 - name: Start Gitea
   systemd:
     name: gitea
     enabled: yes
     state: started
-
-- name: Fetch backup
-  fetch:
-    src: /etc/gitea/gitea-dump.zip
-    dest: backups/gitea-dump.zip
-    flat: true
+  tags: backup

roles/gitea/tasks/main.yml

@@ -1,45 +1,34 @@
 ---
-- name: Check for Gitea gpg key
-  stat:
-    path: /etc/apt/trusted.gpg.d/morph027-gitea.gpg
-  register: gitea_key
+- name: "Install gitea"
+  include_role:
+    name: l3d.gitea
+  vars:
+    gitea_fqdn: 'git.{{ domain }}'
+    gitea_home: '/var/lib/gitea'
+    gitea_db_type: 'sqlite3'
+    gitea_theme_default: 'gitea-dark'
+    gitea_root_url: 'https://git.{{ domain }}'
+    gitea_protocol: http
+    gitea_http_port: "{{ giteaPort }}"
+    gitea_ssh_port: 22
+    gitea_start_ssh: false
+    gitea_allow_only_internal_registration: true
+    gitea_disable_registration: true
+    gitea_require_signin: false
+    gitea_lfs_server_enabled: true
 
-- name: Grab package facts
-  package_facts:
-    manager: auto
-
-- name: Install Gitea
-  block:
-    - name: Add Gitea key, repository && install
-      block:
-        - name: Import Gitea key
-          shell: curl -s https://packaging.gitlab.io/gitea/gpg.key | sudo gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/morph027-gitea.gpg --import && sudo chmod 644 /etc/apt/trusted.gpg.d/morph027-gitea.gpg
-          when: gitea_key.stat.exists == false or gitea_key.stat.mode != "0644"
-
-        - name: Add Gitea repository
-          apt_repository:
-            filename: morph027-gitea
-            repo: deb https://packaging.gitlab.io/gitea gitea main
-
-        - name: Add Gitea package
-          package:
-            name: gitea
-      when: "'gitea' not in ansible_facts.packages"
-
-    - name: Configure Gitea
-      template:
-        src: templates/app.ini
-        dest: /etc/gitea/app.ini
-        owner: gitea
-        force: no # we don't want to kill our existing config D:
-
-    - name: Reload Gitea
-      systemd:
-        name: gitea
-        enabled: yes
-        state: started
+- name: "Start Gitea Act Runner"
+  include_tasks: runner.yml
+  when: giteaRunnerToken is defined
 
 - name: Backup db
   include_tasks: backup.yml
-      tags: ['never', 'backup']
-  tags: ['gitea', 'backup']
+  tags:
+    - never
+    - backup
+
+- name: Restore db
+  include_tasks: restore.yml
+  tags:
+    - never
+    - restore

roles/gitea/tasks/restore.yml

@@ -0,0 +1,96 @@
+---
+# based on advice from https://docs.gitea.io/en-us/backup-and-restore/
+
+- name: Stop Gitea
+  systemd:
+    name: gitea
+    enabled: yes
+    state: stopped
+  tags: restore
+
+- name: Make restore dir
+  file:
+    path: /etc/gitea/gitea-dump
+    state: directory
+    owner: gitea
+  tags: restore
+
+- name: Extract backup to host
+  unarchive:
+    src: "{{ giteaBackup }}"
+    dest: /etc/gitea/gitea-dump
+    owner: gitea
+  tags: restore
+
+- name: Delete Gitea
+  file:
+    path: /var/lib/gitea
+    state: absent
+  tags: restore
+
+- name: Create Gitea
+  file:
+    path: /var/lib/gitea
+    state: directory
+    owner: gitea
+  tags: restore
+
+- name: Install data
+  copy:
+    src: /etc/gitea/gitea-dump/data/
+    dest: /var/lib/gitea/data
+    remote_src: true
+    owner: gitea
+  tags: restore
+
+- name: Install log
+  copy:
+    src: /etc/gitea/gitea-dump/log/
+    dest: /var/lib/gitea/log/
+    remote_src: true
+    owner: gitea
+  tags: restore
+  ignore_errors: true
+
+- name: Install repositories
+  copy:
+    src: /etc/gitea/gitea-dump/repos/
+    dest: /var/lib/gitea/repos/
+    remote_src: true
+    owner: gitea
+  tags: restore
+
+# - name: Install config
+#   copy:
+#     src: /etc/gitea/gitea-dump/app.ini
+#     dest: /etc/gitea/app.ini
+#     owner: gitea
+#     remote_src: true
+#   tags: restore
+
+- name: Remove sqlite3 db
+  file:
+    path: /var/lib/gitea/data/gitea.db
+    state: absent
+  tags: restore
+
+- name: Generate sqlite3 db
+  shell: sqlite3 /var/lib/gitea/data/gitea.db </etc/gitea/gitea-dump/gitea-db.sql
+  become: true
+  become_method: su
+  become_user: gitea
+  tags: restore
+
+- name: Start Gitea
+  systemd:
+    name: gitea
+    enabled: yes
+    state: started
+  tags: restore
+
+- name: Finalize
+  shell: gitea admin regenerate hooks -c /etc/gitea/gitea.ini
+  become: true
+  become_method: su
+  become_user: gitea
+  tags: restore

roles/gitea/tasks/runner.yml

@@ -0,0 +1,27 @@
+- name: Make dirs for runner
+  file:
+    path: "{{ item }}"
+    state: directory
+  loop:
+    - "{{ runnerPath }}"
+    - "{{ runnerPath }}/data"
+
+- name: Copy docker-compose.yml to server
+  template:
+    src: ./templates/runner-docker-compose.yml
+    dest: "{{ runnerPath }}/docker-compose.yml"
+
+- name: Copy runner.env to server
+  template:
+    src: ./templates/runner.env
+    dest: "{{ runnerPath }}/runner.env"
+
+- name: Copy runner-config.yml to server
+  copy:
+    src: ./files/runner-config.yml
+    dest: "{{ runnerPath }}/config.yaml"
+
+- name: Start Gitea runner service
+  community.docker.docker_compose_v2:
+    project_src: "{{ runnerPath }}"
+    state: present

roles/gitea/templates/app.ini

@@ -1,60 +0,0 @@
-APP_NAME = OpenPunk Gitea
-RUN_USER = gitea
-RUN_MODE = prod
-
-[database]
-DB_TYPE  = sqlite3
-HOST     = 127.0.0.1:5432
-NAME     = gitea
-USER     = gitea
-PASSWD   = 
-SSL_MODE = disable
-CHARSET  = utf8
-PATH     = /var/lib/gitea/data/gitea.db
-
-[repository]
-ROOT = /var/lib/gitea/gitea-repositories
-
-[server]
-SSH_DOMAIN       = git.{{ domain }}
-DOMAIN           = git.{{ domain }}
-HTTP_PORT        = {{ giteaPort }}
-ROOT_URL         = https://git.{{ domain }}/
-DISABLE_SSH      = false
-SSH_PORT         = 22
-LFS_START_SERVER = false
-OFFLINE_MODE     = false
-
-[mailer]
-ENABLED = false
-
-[service]
-REGISTER_EMAIL_CONFIRM            = false
-ENABLE_NOTIFY_MAIL                = false
-DISABLE_REGISTRATION              = true
-ALLOW_ONLY_EXTERNAL_REGISTRATION  = false
-ENABLE_CAPTCHA                    = false
-REQUIRE_SIGNIN_VIEW               = false
-DEFAULT_KEEP_EMAIL_PRIVATE        = false
-DEFAULT_ALLOW_CREATE_ORGANIZATION = true
-DEFAULT_ENABLE_TIMETRACKING       = true
-NO_REPLY_ADDRESS                  = noreply.localhost
-
-[picture]
-DISABLE_GRAVATAR        = true
-ENABLE_FEDERATED_AVATAR = false
-
-[openid]
-ENABLE_OPENID_SIGNIN = false
-ENABLE_OPENID_SIGNUP = false
-
-[session]
-PROVIDER = file
-
-[log]
-MODE      = file
-LEVEL     = info
-ROOT_PATH = /var/lib/gitea/log
-
-[ui]
-DEFAULT_THEME = arc-green

roles/gitea/templates/runner-docker-compose.yml

@@ -0,0 +1,21 @@
+services:
+  runner:
+    image: gitea/act_runner:latest
+    environment:
+      CONFIG_FILE: /config.yaml
+      GITEA_INSTANCE_URL: "https://git.{{ domain }}"
+    env_file:
+      - ./runner.env
+    volumes:
+      - ./config.yaml:/config.yaml
+      - ./data:/data
+      - /var/run/docker.sock:/var/run/docker.sock
+    ports:
+      - 18088:18088
+    networks:
+      - runner-cache
+
+networks:
+  runner-cache:
+    name: runner-cache
+    driver: bridge

roles/gitea/templates/runner.env

@@ -0,0 +1 @@
+GITEA_RUNNER_REGISTRATION_TOKEN="{{ giteaRunnerToken }}"

roles/nginx/defaults/main.yml

@@ -1,2 +0,0 @@
----
-giteaPort: 3000

roles/nginx/files/nginx.conf

@@ -1,52 +0,0 @@
-user www-data;
-worker_processes auto;
-include /etc/nginx/modules-enabled/*.conf;
-pid /run/nginx.pid;
- 
-events {
-    worker_connections 768;
-}
-
-http {
-
-    ##
-    # Basic Settings
-    ##
-
-    sendfile on;
-    tcp_nopush on;
-    tcp_nodelay on;
-    keepalive_timeout 65;
-    types_hash_max_size 2048;
-
-    include /etc/nginx/mime.types;
-    default_type application/octet-stream;
-
-    ##
-    # SSL Settings
-    ##
-
-    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
-    ssl_prefer_server_ciphers on;
-
-    ##
-    # Logging Settings
-    ##
-
-    access_log /var/log/nginx/access.log;
-    error_log /var/log/nginx/error.log;
-
-    ##
-    # Gzip Settings
-    ##
-
-    gzip on;
-    gzip_disable "msie6";
-
-    ##
-    # Virtual Host Configs
-    ##
-
-    include /etc/nginx/conf.d/*.conf;
-    include /etc/nginx/sites-enabled/*;
-}

roles/nginx/handlers/main.yml

@@ -1,4 +0,0 @@
----
-- name: setup-nginx
-  include_tasks: setup.yml
-  listen: "setup nginx"

roles/nginx/tasks/main.yml

@@ -1,41 +1,81 @@
 ---
-- name: Install system nginx config
-  copy:
-    src: nginx.conf
-    dest: /etc/nginx/nginx.conf
-  notify: setup nginx
-
-# setup our configs for each host (we don't want to 
-# overwrite certbot's changes, so if it already exists,
-# don't copy!)
-
-- name: Install nginx config for {{ domain }}
-  template:
-    src: templates/site.conf
-    dest: /etc/nginx/conf.d/{{ domain }}.conf
-    force: no
-  notify: setup nginx
-
-- name: Install nginx config for git.{{ domain }}
-  template:
-    src: templates/gitea.conf
-    dest: /etc/nginx/conf.d/git.{{ domain }}.conf
-    force: no
-  notify: setup nginx
-
-- name: Uninstall nginx config for git.{{ domain }}
-  file:
-    path: /etc/nginx/conf.d/git.{{ domain }}.conf
-    state: absent
-  notify: setup nginx
-
-- name: Install nginx config for our Hidden Service
-  template:
-    src: templates/tor.conf
-    dest: /etc/nginx/conf.d/tor-{{ domain }}.conf
-
-- name: Enable Nginx
+- name: "Stop Nginx"
+  systemd:
+    name: nginx
+    state: stopped
+
+- name: "Setup Certbot"
+  include_role:
+    name: geerlingguy.certbot
+  vars:
+    certbot_admin_email: "{{ contact_email }}"
+    certbot_create_if_missing: true
+    certbot_create_standalone_stop_services: []
+    certbot_certs:
+      - domains:
+          - "{{ domain }}"
+          - "git.{{ domain }}"
+
+- name: "Install Nginx"
+  include_role:
+    name: geerlingguy.nginx
+  vars:
+    nginx_listen_ipv6: false
+    nginx_vhosts:
+      - listen: "443 ssl http2"
+        server_name: "{{ domain }}"
+        root: "/var/www/{{ domain }}/public"
+        index: "index.html index.htm"
+        extra_parameters: |
+          listen [::]:443 ssl http2;
+          location / {
+            add_header Permissions-Policy interest-cohort=();
+            try_files $uri $uri/ =404;
+          }
+          ssl_certificate     /etc/letsencrypt/live/{{ domain }}/fullchain.pem;
+          ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem;
+          ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
+          ssl_ciphers         HIGH:!aNULL:!MD5;
+      - listen: "80" # redirect http requests to https
+        server_name: "{{ domain }}"
+        return: "301 https://{{ domain }}$request_uri"
+        filename: "{{ domain }}.80.conf"
+      - listen: "443 ssl http2"
+        server_name: "git.{{ domain }}"
+        client_max_body_size: "512M"
+        extra_parameters: |
+          listen [::]:443 ssl http2;
+          listen 80;
+          listen [::]:80;
+          location / {
+            add_header Permissions-Policy interest-cohort=();
+            proxy_pass http://localhost:{{ giteaPort }};
+            proxy_set_header Connection $http_connection;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+          }
+          ssl_certificate     /etc/letsencrypt/live/{{ domain }}/fullchain.pem;
+          ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem;
+          ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
+          ssl_ciphers         HIGH:!aNULL:!MD5;
+      - listen: "80" # redirect http requests to https
+        server_name: "git.{{ domain }}"
+        return: "301 https://git.{{ domain }}$request_uri"
+        filename: "git.{{ domain }}.80.conf"
+      - listen: "127.0.0.1:2171"
+        server_name: "{{ onionDomain }}"
+        root: "/var/www/{{ domain }}/tor"
+        index: "index.html index.htm"
+        extra_parameters: |
+          location / {
+            add_header Permissions-Policy interest-cohort=();
+            try_files $uri $uri/ =404;
+          }
+
+- name: "Start Nginx"
   systemd:
     name: nginx
-    enabled: yes
     state: started

roles/nginx/tasks/setup.yml

@@ -1,12 +0,0 @@
----
-- name: Setup certbot for {{ domain }}
-  shell: "certbot --nginx --non-interactive --agree-tos -m {{ contact_email }} -d {{ domain }}"
-
-- name: Setup certbot for git.{{ domain }}
-  shell: "certbot --nginx --non-interactive --agree-tos -m {{ contact_email }} -d git.{{ domain }}"
-
-- name: Reload Nginx
-  systemd:
-    name: nginx
-    enabled: yes
-    state: restarted

roles/nginx/templates/gitea.conf

@@ -1,11 +0,0 @@
-server {
-    server_name git.{{ domain }};
-    listen 80;
-
-    location / {
-        add_header Permissions-Policy interest-cohort=();
-        proxy_pass http://localhost:{{ giteaPort }};
-    }
-
-    client_max_body_size 100M;
-}

roles/nginx/templates/site.conf

@@ -1,13 +0,0 @@
-server {
-    server_name {{ domain }};
-    listen 80;
-
-    root /var/www/{{ domain }}/public;
-    index index.html index.htm;
-
-    location / {
-        add_header Permissions-Policy interest-cohort=();
-        add_header Referrer-Policy: "no-referrer";
-        try_files $uri $uri/ =404;
-    }
-}

roles/nginx/templates/tor.conf

@@ -1,12 +0,0 @@
-server {
-    root /var/www/{{ domain }}/tor;
-    index index.html index.htm;
-
-    location / {
-        add_header Permissions-Policy interest-cohort=();
-        try_files $uri $uri/ =404;
-    }
-
-    # our tor hidden service is hosted on this port
-    listen 2171;
-}

run.yml

@@ -1,9 +1,6 @@
 ---
 - hosts: all
   become: yes
-  vars:
-    - giteaPort: 3000
-
   vars_files:
     - group_vars/all.yml
 
@@ -11,10 +8,12 @@
     - role: essential
     - role: firewall
     - role: git
+      tags: secrets
     - role: deadswitch
+      tags: secrets
     - role: blog
     - role: gitea
-      tags: [backup]
     - role: nginx
     - role: goaccess
     - role: tor
+      tags: secrets