REFACTOR: lots of changes, using ansible-galaxy roles for certbot, nginx & gitea

- roles/git now uses blockinfile to ensure the github ssh keypairs are trusted, and to allow subsequent ssh keypairs to be trusted and not overwritten by future runs.
- this commit marks idempotency for all roles. after a successful run of this playbook, subsequent runs will result in a change=0 !!!!!

.github/workflows/deploy.yaml

@@ -1,27 +0,0 @@
-# name: Run Playbook
-
-# on:
-#   push:
-#     tags:
-#       - "v*.*.*"
-
-# jobs:
-#   deploy:
-#     runs-on: ubuntu-latest
-#     steps:
-#       - name: Set up Git repository
-#         uses: actions/checkout@v3
-#         with:
-#           ssh-key: ${{ secrets.SSH_PRIVATE_KEY }}
-#           submodules: recursive
-#       - name: Run Ansible-Playbook
-#         uses: dawidd6/action-ansible-playbook@v2
-#         with:
-#           playbook: run.yml
-#           key: ${{ secrets.SSH_PRIVATE_KEY }}
-#           inventory: |
-#             [hosts]
-#             openpunk-vps ansible_host=96.30.199.68 ansible_user=root ansible_connection=ssh
-#           vault_password: ${{ secrets.VAULT_PASSWORD }}
-#           options: |
-#             --extra-vars domain=openpunk.com

.gitignore

@@ -1 +1,2 @@
-hosts
+hosts
+backups

README.md

@@ -3,28 +3,52 @@
 This is my failsafe (and also my helpful migration tool) for restoring the OpenPunk server. This handles setting everything back up, including:
 
 - gitea
-    - sadly, no db migration is supported right now. maybe a future todo?
+    - backup and restoring are also supported
 - blog
     - cron job for grabbing the `HEAD` of https://github.com/CPunch/openpunk && building the hugo site
 - tor mirror
 - nginx (for the above mentioned)
+    - certbot's Let's Encrypt
 - my shell theme (zsh + powerlevel10k)
 - deadswitch (& the ssh + git config to allow pushes)
 
 This playbook assumes the target VPS is running the latest debian stable release.
 
 ## Notes to my future self
-The deadswitch has the deadtrigger setup every run, so you have a 14-day timer to add a one-liner to your crontab to keep that deadtrigger set.
+Add this to your local machine's crontab:
+
+```sh
+ssh openpunk 'touch /root/.deadtrigger'
+```
 
 Some DNS records also need to be set:
 - an A record with a `git.*` subdomain
 
 ## Usage
+First, make sure to install the requirements:
+```sh
+ansible-galaxy install -r requirements.yml
+```
+
+Then, run the playbook:
+
 ```sh
 ansible-playbook -i hosts --ask-vault-pass run.yml
 ```
 > NOTE: The 'secrets' directory has been omitted from this repo (so it's not going to run without the provided files)
 
+## Backup and restore
+
+Backup Gitea using the 'backup' tag
+```sh
+ansible-playbook -i hosts run.yml --tags backup
+```
+
+then, restore from the backup using the 'restore' tag
+```sh
+ansible-playbook -i hosts run.yml --tags restore
+```
+
 ## Example hosts file
 ```
 [hosts]

group_vars/all.yml

@@ -1,3 +1,4 @@
 ---
+domain: openpunk.com
 contact_email: openpunk@proton.me
-onionDomain: http://opnpnk6eutjiqy4ndpyvwxd5pncj2g2cmz6fkocr5uh3omnn4utvspad.onion
+onionDomain: opnpnk6eutjiqy4ndpyvwxd5pncj2g2cmz6fkocr5uh3omnn4utvspad.onion

requirements.yml

@@ -0,0 +1,6 @@
+- src: l3d.gitea
+  version: v3.3.0
+- src: geerlingguy.nginx
+  version: 3.1.4
+- src: geerlingguy.certbot
+  version: 5.1.0

roles/blog/templates/updateBlog

@@ -6,7 +6,7 @@ TOR_DIR=tor
 
 buildBlog () {
     hugo --cleanDestinationDir --minify -d $PUBLIC_DIR -b https://{{ domain }}
-    hugo --cleanDestinationDir --minify -d $TOR_DIR -b {{ onionDomain }}
+    hugo --cleanDestinationDir --minify -d $TOR_DIR -b http://{{ onionDomain }}
 }
 
 git fetch origin
@@ -19,7 +19,7 @@ if [ $LOCAL = $REMOTE ]; then
     # to check for changes (changed_when)
     echo "up to date"
 elif [ $LOCAL = $BASE ]; then
-    # there are changes to reset too so we need to rebuild
+    # there are changes to reset to so we need to rebuild
     echo "missing changes !!"
     git reset --hard origin/main
     buildBlog

roles/deadswitch/files/deadswitch

@@ -22,5 +22,5 @@ echo $dTime
 if [ $dTime -gt $triggerTime ]
 then 
     touch $fileLock
-    bash $scriptToRun
+    source $scriptToRun
 fi

roles/deadswitch/files/imdead.sh

@@ -1,5 +1,4 @@
 #!/bin/bash
-
 cd $HOME/deadman
 
 postPatch='dead.patch'
@@ -10,7 +9,7 @@ git clone git@github.com:CPunch/openpunk.git
 
 # commit & push the post
 cd openpunk
-git am postPatch
+git am $postPatch
 # replace our --DATE-- with the current date
 sed -i 's/--DATE--/'$currDate'/g' $pageName
 git add .

roles/deadswitch/tasks/main.yml

@@ -22,11 +22,17 @@
     dest: /root/deadman/dead.patch
     mode: u+rw
 
-# TODO: make idempotent
+# TODO: deadtrigger path should be a variable, no?
+- name: Check deadtrigger
+  stat:
+    path: /root/.deadtrigger
+  register: deadstat
+
 - name: Install deadtrigger
   file:
-    name: /root/.deadtrigger
+    path: /root/.deadtrigger
     state: touch
+  when: deadstat.stat.exists == false
 
 # Run deadswitch daily at 1am
 - name: Install deadlock cronjob

roles/essential/tasks/main.yml

@@ -1,17 +1,4 @@
 ---
-# TODO: make idempotent
-- name: Add Gitea repo key
-  shell: curl -s https://packaging.gitlab.io/gitea/gpg.key | sudo gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/morph027-gitea.gpg --import
-
-# TODO: make idempotent
-- name: Set key perms
-  shell: sudo chmod 644 /etc/apt/trusted.gpg.d/morph027-gitea.gpg
-
-- name: Add Gitea repo
-  apt_repository:
-    filename: morph027-gitea
-    repo: deb https://packaging.gitlab.io/gitea gitea main
-
 - name: Upgrade Packages
   apt:
     update_cache: yes
@@ -21,7 +8,6 @@
   package:
     name:
       - hugo
-      - gitea
       - git
       - nginx
       - tor
@@ -29,12 +15,19 @@
       - fail2ban
       - goaccess
       - htop
+      - sqlite3
       - zsh # :D
       - python3-certbot-nginx
 
-# TODO: make idempotent
+- name: Grab package facts
-- name: Setup default shell (zsh)
+  package_facts:
-  shell: chsh -s /usr/bin/zsh
+    manager: auto
+  tags: always
+
+- name: Setup zsh
+  user:
+    name: "{{ ansible_user }}"
+    shell: /usr/bin/zsh
 
 - name: Clone Powerlevel10k theme
   git:

roles/git/files/.gitconfig

@@ -1,7 +1,7 @@
 [user]
-        email = openpunk@proton.me
+email = openpunk@proton.me
-        name = OpenPunk
+name = OpenPunk
 [core]
-        editor = nano
+editor = nano
 [pull]
-        rebase = true
+rebase = true

roles/git/tasks/main.yml

@@ -9,21 +9,22 @@
 # make sure our vps trusts the github.com key signature. we pipe the output
 # of ssh-keyscan into .ssh/known_hosts
 
-# TODO: make idempotent
 - name: Scan for SSH host keys
   command: ssh-keyscan github.com 2>/dev/null
   register: ssh_scan
+  changed_when: false
 
-- name: Update known_hosts
+- name: Update .ssh/known_hosts
-  copy:
+  blockinfile:
-    content: "{{ ssh_scan.stdout_lines|join('\n')  }}"
+    path: /root/.ssh/known_hosts
-    dest: /root/.ssh/known_hosts
+    block: "{{ ssh_scan.stdout_lines|join('\n') }}"
+    insertbefore: BOF
+    create: yes
     owner: root
     mode: u=rw,g=,o=
-    force: no # if we already have a known_hosts file, ignore!
 
 # this keypair is trusted under my github account, so it allows my vps to make pushes
-# to the main branch of my openpunk repository. (for my deadswitch: see static/blog/imdead.sh)
+# to the main branch of my openpunk repository. (see roles/deadswitch/files/imdead.sh)
 
 - name: Install ssh priv key
   copy:

roles/gitea/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+giteaPort: 3000
+giteaBackup: backups/gitea-dump.zip

roles/gitea/tasks/backup.yml

@@ -0,0 +1,51 @@
+---
+# based on advice from https://docs.gitea.io/en-us/backup-and-restore/
+
+- name: Stop Gitea
+  systemd:
+    name: gitea
+    enabled: yes
+    state: stopped
+  tags: backup
+
+- name: Make Temp dir
+  file:
+    path: /etc/gitea/temp
+    state: directory
+    owner: gitea
+  tags: backup
+
+- name: Dump Gitea
+  shell:
+    cmd: gitea dump -c /etc/gitea/app.ini --work-path=/etc/gitea --file=gitea-dump.zip --tempdir=/etc/gitea/temp
+    chdir: /etc/gitea
+  become: true
+  become_method: su
+  become_user: gitea
+  tags: backup
+
+- name: Fetch backup
+  fetch:
+    src: /etc/gitea/gitea-dump.zip
+    dest: "{{ giteaBackup }}"
+    flat: true
+  tags: backup
+
+- name: Remove remote dump
+  file:
+    path: "{{ giteaBackup }}"
+    state: absent
+  tags: backup
+
+- name: Remove Temp
+  file:
+    path: /etc/gitea/temp
+    state: absent
+  tags: backup
+
+- name: Start Gitea
+  systemd:
+    name: gitea
+    enabled: yes
+    state: started
+  tags: backup

roles/gitea/tasks/main.yml

@@ -1,13 +1,29 @@
 ---
-- name: Configure Gitea
+- name: "Install gitea"
-  template:
+  include_role:
-    src: app.ini
+    name: l3d.gitea
-    dest: /etc/gitea/app.ini
+  vars:
-    owner: gitea
+    gitea_fqdn: 'git.{{ domain }}'
-    force: no # we don't want to kill our existing config D:
+    gitea_home: '/var/lib/gitea'
+    gitea_db_type: 'sqlite3'
+    gitea_theme_default: 'arc-green'
+    gitea_root_url: 'https://git.{{ domain }}'
+    gitea_protocol: http
+    gitea_http_port: "{{ giteaPort }}"
+    gitea_ssh_port: 22
+    gitea_start_ssh: false
+    gitea_allow_only_internal_registration: true
+    gitea_disable_registration: true
+    gitea_require_signin: false
 
-- name: Reload Gitea
+- name: Backup db
-  systemd:
+  include_tasks: backup.yml
-    name: gitea
+  tags:
-    enabled: yes
+    - never
-    state: started
+    - backup
+
+- name: Restore db
+  include_tasks: restore.yml
+  tags:
+    - never
+    - restore

roles/gitea/tasks/restore.yml

@@ -0,0 +1,96 @@
+---
+# based on advice from https://docs.gitea.io/en-us/backup-and-restore/
+
+- name: Stop Gitea
+  systemd:
+    name: gitea
+    enabled: yes
+    state: stopped
+  tags: restore
+
+- name: Make restore dir
+  file:
+    path: /etc/gitea/gitea-dump
+    state: directory
+    owner: gitea
+  tags: restore
+
+- name: Extract backup to host
+  unarchive:
+    src: "{{ giteaBackup }}"
+    dest: /etc/gitea/gitea-dump
+    owner: gitea
+  tags: restore
+
+- name: Delete Gitea
+  file:
+    path: /var/lib/gitea
+    state: absent
+  tags: restore
+
+- name: Create Gitea
+  file:
+    path: /var/lib/gitea
+    state: directory
+    owner: gitea
+  tags: restore
+
+- name: Install data
+  copy:
+    src: /etc/gitea/gitea-dump/data/
+    dest: /var/lib/gitea/data
+    remote_src: true
+    owner: gitea
+  tags: restore
+
+- name: Install log
+  copy:
+    src: /etc/gitea/gitea-dump/log/
+    dest: /var/lib/gitea/log/
+    remote_src: true
+    owner: gitea
+  tags: restore
+  ignore_errors: true
+
+- name: Install repositories
+  copy:
+    src: /etc/gitea/gitea-dump/repos/
+    dest: /var/lib/gitea/gitea-repositories/
+    remote_src: true
+    owner: gitea
+  tags: restore
+
+# - name: Install config
+#   copy:
+#     src: /etc/gitea/gitea-dump/app.ini
+#     dest: /etc/gitea/app.ini
+#     owner: gitea
+#     remote_src: true
+#   tags: restore
+
+- name: Remove sqlite3 db
+  file:
+    path: /var/lib/gitea/data/gitea.db
+    state: absent
+  tags: restore
+
+- name: Generate sqlite3 db
+  shell: sqlite3 /var/lib/gitea/data/gitea.db </etc/gitea/gitea-dump/gitea-db.sql
+  become: true
+  become_method: su
+  become_user: gitea
+  tags: restore
+
+- name: Start Gitea
+  systemd:
+    name: gitea
+    enabled: yes
+    state: started
+  tags: restore
+
+- name: Finalize
+  shell: gitea admin regenerate hooks -c /etc/gitea/gitea.ini
+  become: true
+  become_method: su
+  become_user: gitea
+  tags: restore

roles/gitea/templates/app.ini

@@ -1,60 +0,0 @@
-APP_NAME = OpenPunk Gitea
-RUN_USER = gitea
-RUN_MODE = prod
-
-[database]
-DB_TYPE  = sqlite3
-HOST     = 127.0.0.1:5432
-NAME     = gitea
-USER     = gitea
-PASSWD   = 
-SSL_MODE = disable
-CHARSET  = utf8
-PATH     = /var/lib/gitea/data/gitea.db
-
-[repository]
-ROOT = /var/lib/gitea/gitea-repositories
-
-[server]
-SSH_DOMAIN       = git.{{ domain }}
-DOMAIN           = git.{{ domain }}
-HTTP_PORT        = 3000
-ROOT_URL         = https://git.{{ domain }}/
-DISABLE_SSH      = false
-SSH_PORT         = 22
-LFS_START_SERVER = false
-OFFLINE_MODE     = false
-
-[mailer]
-ENABLED = false
-
-[service]
-REGISTER_EMAIL_CONFIRM            = false
-ENABLE_NOTIFY_MAIL                = false
-DISABLE_REGISTRATION              = true
-ALLOW_ONLY_EXTERNAL_REGISTRATION  = false
-ENABLE_CAPTCHA                    = false
-REQUIRE_SIGNIN_VIEW               = false
-DEFAULT_KEEP_EMAIL_PRIVATE        = false
-DEFAULT_ALLOW_CREATE_ORGANIZATION = true
-DEFAULT_ENABLE_TIMETRACKING       = true
-NO_REPLY_ADDRESS                  = noreply.localhost
-
-[picture]
-DISABLE_GRAVATAR        = true
-ENABLE_FEDERATED_AVATAR = false
-
-[openid]
-ENABLE_OPENID_SIGNIN = false
-ENABLE_OPENID_SIGNUP = false
-
-[session]
-PROVIDER = file
-
-[log]
-MODE      = file
-LEVEL     = info
-ROOT_PATH = /var/lib/gitea/log
-
-[ui]
-DEFAULT_THEME = arc-green

roles/nginx/files/nginx.conf

@@ -1,52 +0,0 @@
-user www-data;
-worker_processes auto;
-include /etc/nginx/modules-enabled/*.conf;
-pid /run/nginx.pid;
- 
-events {
-    worker_connections 768;
-}
-
-http {
-
-    ##
-    # Basic Settings
-    ##
-
-    sendfile on;
-    tcp_nopush on;
-    tcp_nodelay on;
-    keepalive_timeout 65;
-    types_hash_max_size 2048;
-
-    include /etc/nginx/mime.types;
-    default_type application/octet-stream;
-
-    ##
-    # SSL Settings
-    ##
-
-    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
-    ssl_prefer_server_ciphers on;
-
-    ##
-    # Logging Settings
-    ##
-
-    access_log /var/log/nginx/access.log;
-    error_log /var/log/nginx/error.log;
-
-    ##
-    # Gzip Settings
-    ##
-
-    gzip on;
-    gzip_disable "msie6";
-
-    ##
-    # Virtual Host Configs
-    ##
-
-    include /etc/nginx/conf.d/*.conf;
-    include /etc/nginx/sites-enabled/*;
-}

roles/nginx/handlers/main.yml

@@ -1,4 +0,0 @@
----
-- name: setup-nginx
-  include_tasks: setup.yml
-  listen: "setup nginx"

roles/nginx/tasks/main.yml

@@ -1,35 +1,63 @@
 ---
-- name: Install system nginx config
+- name: "Stop Nginx"
-  copy:
-    src: nginx.conf
-    dest: /etc/nginx/nginx.conf
-  notify: setup nginx
-
-# setup our configs for each host (we don't want to 
-# overwrite certbot's changes, so if it already exists,
-# don't copy!)
-
-- name: Install nginx config for {{ domain }}
-  template:
-    src: templates/site.conf
-    dest: /etc/nginx/conf.d/{{ domain }}.conf
-    force: no
-  notify: setup nginx
-
-- name: Install nginx config for git.{{ domain }}
-  template:
-    src: templates/gitea.conf
-    dest: /etc/nginx/conf.d/git.{{ domain }}.conf
-    force: no
-  notify: setup nginx
-
-- name: Install nginx config for our Hidden Service
-  template:
-    src: templates/tor.conf
-    dest: /etc/nginx/conf.d/tor-{{ domain }}.conf
-
-- name: Enable Nginx
   systemd:
     name: nginx
-    enabled: yes
+    state: stopped
-    state: started
+
+- name: "Setup Certbot"
+  include_role:
+    name: geerlingguy.certbot
+  vars:
+    certbot_admin_email: "{{ contact_email }}"
+    certbot_create_if_missing: true
+    certbot_create_standalone_stop_services: []
+    certbot_certs:
+      - domains:
+          - "{{ domain }}"
+          - "git.{{ domain }}"
+
+- name: "Install Nginx"
+  include_role:
+    name: geerlingguy.nginx
+  vars:
+    nginx_listen_ipv6: true
+    nginx_vhosts:
+      - listen: "443 ssl http2"
+        server_name: "{{ domain }}"
+        root: "/var/www/{{ domain }}/public"
+        index: "index.html index.htm"
+        extra_parameters: |
+          location / {
+            add_header Permissions-Policy interest-cohort=();
+            try_files $uri $uri/ =404;
+          }
+          ssl_certificate     /etc/letsencrypt/live/{{ domain }}/fullchain.pem;
+          ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem;
+          ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
+          ssl_ciphers         HIGH:!aNULL:!MD5;
+      - listen: "443 ssl http2"
+        server_name: "git.{{ domain }}"
+        client_max_body_size: "100M"
+        extra_parameters: |
+          location / {
+            add_header Permissions-Policy interest-cohort=();
+            proxy_pass http://localhost:{{ giteaPort }};
+          }
+          ssl_certificate     /etc/letsencrypt/live/{{ domain }}/fullchain.pem;
+          ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem;
+          ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
+          ssl_ciphers         HIGH:!aNULL:!MD5;
+      - listen: "2171"
+        server_name: "{{ onionDomain }}"
+        root: "/var/www/{{ domain }}/tor"
+        index: "index.html index.htm"
+        extra_parameters: |
+          location / {
+            add_header Permissions-Policy interest-cohort=();
+            try_files $uri $uri/ =404;
+          }
+
+- name: "Start Nginx"
+  systemd:
+    name: nginx
+    state: started

roles/nginx/tasks/setup.yml

@@ -1,9 +0,0 @@
----
-- name: Setup certbot
-  shell: "certbot --nginx --non-interactive --agree-tos -m {{ contact_email }} -d {{ domain }} -d git.{{ domain }}"
-
-- name: Reload Nginx
-  systemd:
-    name: nginx
-    enabled: yes
-    state: restarted

roles/nginx/templates/gitea.conf

@@ -1,11 +0,0 @@
-server {
-    server_name git.{{ domain }};
-    listen 80;
-
-    location / {
-        add_header Permissions-Policy interest-cohort=();
-        proxy_pass http://localhost:3000;
-    }
-
-    client_max_body_size 100M;
-}

roles/nginx/templates/site.conf

@@ -1,13 +0,0 @@
-server {
-    server_name {{ domain }};
-    listen 80;
-
-    root /var/www/{{ domain }}/public;
-    index index.html index.htm;
-
-    location / {
-        add_header Permissions-Policy interest-cohort=();
-        add_header Referrer-Policy: "no-referrer";
-        try_files $uri $uri/ =404;
-    }
-}

roles/nginx/templates/tor.conf

@@ -1,12 +0,0 @@
-server {
-    root /var/www/{{ domain }}/tor;
-    index index.html index.htm;
-
-    location / {
-        add_header Permissions-Policy interest-cohort=();
-        try_files $uri $uri/ =404;
-    }
-
-    # our tor hidden service is hosted on this port
-    listen 2171;
-}

roles/tor/tasks/main.yml

@@ -1,7 +1,7 @@
 ---
 - name: Install torrc
   template:
-    src: torrc
+    src: templates/torrc
     dest: /etc/tor/torrc
     owner: root
     group: root

run.yml

@@ -1,21 +1,22 @@
 ---
 - hosts: all
   become: yes
+  vars:
+    - giteaPort: 3000
+
   vars_files:
     - group_vars/all.yml
 
-  vars_prompt:
-    - name: domain
-      prompt: domain pointing to the vps
-      private: no
-
   roles:
-    - essential
+    - role: essential
-    - git
+    - role: firewall
-    - deadswitch
+    - role: git
-    - firewall
+      tags: secrets
-    - blog
+    - role: deadswitch
-    - gitea
+      tags: secrets
-    - nginx
+    - role: blog
-    - goaccess
+    - role: gitea
-    - tor
+    - role: nginx
+    - role: goaccess
+    - role: tor
+      tags: secrets