mirror of
https://github.com/CPunch/openpunk-ansible.git
synced 2024-11-22 23:40:06 +00:00
Compare commits
No commits in common. "74e55ef1b933d1fc67520fe3412361945a662186" and "3047267d195bcb67bf7ccbddc5ba71708ff04cbb" have entirely different histories.
74e55ef1b9
...
3047267d19
@ -25,13 +25,6 @@ Some DNS records also need to be set:
|
|||||||
- an A record with a `git.*` subdomain
|
- an A record with a `git.*` subdomain
|
||||||
|
|
||||||
## Usage
|
## Usage
|
||||||
First, make sure to install the requirements:
|
|
||||||
```sh
|
|
||||||
ansible-galaxy install -r requirements.yml
|
|
||||||
```
|
|
||||||
|
|
||||||
Then, run the playbook:
|
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
ansible-playbook -i hosts --ask-vault-pass run.yml
|
ansible-playbook -i hosts --ask-vault-pass run.yml
|
||||||
```
|
```
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
---
|
---
|
||||||
domain: openpunk.com
|
domain: openpunk.com
|
||||||
contact_email: openpunk@proton.me
|
contact_email: openpunk@proton.me
|
||||||
onionDomain: opnpnk6eutjiqy4ndpyvwxd5pncj2g2cmz6fkocr5uh3omnn4utvspad.onion
|
onionDomain: http://opnpnk6eutjiqy4ndpyvwxd5pncj2g2cmz6fkocr5uh3omnn4utvspad.onion
|
@ -1,6 +0,0 @@
|
|||||||
- src: l3d.gitea
|
|
||||||
version: v3.3.0
|
|
||||||
- src: geerlingguy.nginx
|
|
||||||
version: 3.1.4
|
|
||||||
- src: geerlingguy.certbot
|
|
||||||
version: 5.1.0
|
|
@ -6,7 +6,7 @@ TOR_DIR=tor
|
|||||||
|
|
||||||
buildBlog () {
|
buildBlog () {
|
||||||
hugo --cleanDestinationDir --minify -d $PUBLIC_DIR -b https://{{ domain }}
|
hugo --cleanDestinationDir --minify -d $PUBLIC_DIR -b https://{{ domain }}
|
||||||
hugo --cleanDestinationDir --minify -d $TOR_DIR -b http://{{ onionDomain }}
|
hugo --cleanDestinationDir --minify -d $TOR_DIR -b {{ onionDomain }}
|
||||||
}
|
}
|
||||||
|
|
||||||
git fetch origin
|
git fetch origin
|
||||||
|
@ -1,20 +1,30 @@
|
|||||||
---
|
---
|
||||||
- name: "Install gitea"
|
- name: Check for Gitea gpg key
|
||||||
include_role:
|
stat:
|
||||||
name: l3d.gitea
|
path: /etc/apt/trusted.gpg.d/morph027-gitea.gpg
|
||||||
vars:
|
register: gitea_key
|
||||||
gitea_fqdn: 'git.{{ domain }}'
|
|
||||||
gitea_home: '/var/lib/gitea'
|
- name: Add Gitea key, repository && install
|
||||||
gitea_db_type: 'sqlite3'
|
block:
|
||||||
gitea_theme_default: 'arc-green'
|
- name: Import Gitea key
|
||||||
gitea_root_url: 'https://git.{{ domain }}'
|
shell: curl -s https://packaging.gitlab.io/gitea/gpg.key | sudo gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/morph027-gitea.gpg --import && sudo chmod 644 /etc/apt/trusted.gpg.d/morph027-gitea.gpg
|
||||||
gitea_protocol: http
|
when: gitea_key.stat.exists == false or gitea_key.stat.mode != "0644"
|
||||||
gitea_http_port: "{{ giteaPort }}"
|
|
||||||
gitea_ssh_port: 22
|
- name: Add Gitea repository
|
||||||
gitea_start_ssh: false
|
apt_repository:
|
||||||
gitea_allow_only_internal_registration: true
|
filename: morph027-gitea
|
||||||
gitea_disable_registration: true
|
repo: deb https://packaging.gitlab.io/gitea gitea main
|
||||||
gitea_require_signin: false
|
|
||||||
|
- name: Add Gitea package
|
||||||
|
package:
|
||||||
|
name: gitea
|
||||||
|
|
||||||
|
- name: Configure Gitea
|
||||||
|
template:
|
||||||
|
src: templates/app.ini
|
||||||
|
dest: /etc/gitea/app.ini
|
||||||
|
owner: gitea
|
||||||
|
when: "'gitea' not in ansible_facts.packages"
|
||||||
|
|
||||||
- name: Backup db
|
- name: Backup db
|
||||||
include_tasks: backup.yml
|
include_tasks: backup.yml
|
||||||
|
@ -55,23 +55,17 @@
|
|||||||
- name: Install repositories
|
- name: Install repositories
|
||||||
copy:
|
copy:
|
||||||
src: /etc/gitea/gitea-dump/repos/
|
src: /etc/gitea/gitea-dump/repos/
|
||||||
dest: /var/lib/gitea/repos/
|
dest: /var/lib/gitea/gitea-repositories/
|
||||||
remote_src: true
|
remote_src: true
|
||||||
owner: gitea
|
owner: gitea
|
||||||
tags: restore
|
tags: restore
|
||||||
|
|
||||||
# - name: Install config
|
- name: Install config
|
||||||
# copy:
|
copy:
|
||||||
# src: /etc/gitea/gitea-dump/app.ini
|
src: /etc/gitea/gitea-dump/app.ini
|
||||||
# dest: /etc/gitea/app.ini
|
dest: /etc/gitea/app.ini
|
||||||
# owner: gitea
|
owner: gitea
|
||||||
# remote_src: true
|
remote_src: true
|
||||||
# tags: restore
|
|
||||||
|
|
||||||
- name: Remove sqlite3 db
|
|
||||||
file:
|
|
||||||
path: /var/lib/gitea/data/gitea.db
|
|
||||||
state: absent
|
|
||||||
tags: restore
|
tags: restore
|
||||||
|
|
||||||
- name: Generate sqlite3 db
|
- name: Generate sqlite3 db
|
||||||
@ -89,7 +83,9 @@
|
|||||||
tags: restore
|
tags: restore
|
||||||
|
|
||||||
- name: Finalize
|
- name: Finalize
|
||||||
shell: gitea admin regenerate hooks -c /etc/gitea/gitea.ini
|
shell:
|
||||||
|
cmd: ./gitea admin regenerate hooks -c /etc/gitea/app.ini
|
||||||
|
chdir: /usr/bin
|
||||||
become: true
|
become: true
|
||||||
become_method: su
|
become_method: su
|
||||||
become_user: gitea
|
become_user: gitea
|
||||||
|
61
roles/gitea/templates/app.ini
Normal file
61
roles/gitea/templates/app.ini
Normal file
@ -0,0 +1,61 @@
|
|||||||
|
APP_NAME = OpenPunk Gitea
|
||||||
|
RUN_USER = gitea
|
||||||
|
RUN_MODE = prod
|
||||||
|
|
||||||
|
[database]
|
||||||
|
DB_TYPE = sqlite3
|
||||||
|
HOST = 127.0.0.1:5432
|
||||||
|
NAME = gitea
|
||||||
|
USER = gitea
|
||||||
|
PASSWD =
|
||||||
|
SSL_MODE = disable
|
||||||
|
CHARSET = utf8
|
||||||
|
PATH = /var/lib/gitea/data/gitea.db
|
||||||
|
|
||||||
|
[repository]
|
||||||
|
ROOT = /var/lib/gitea/gitea-repositories
|
||||||
|
|
||||||
|
[server]
|
||||||
|
SSH_DOMAIN = git.{{ domain }}
|
||||||
|
DOMAIN = git.{{ domain }}
|
||||||
|
HTTP_PORT = {{ giteaPort }}
|
||||||
|
ROOT_URL = https://git.{{ domain }}/
|
||||||
|
DISABLE_SSH = false
|
||||||
|
SSH_PORT = 22
|
||||||
|
LFS_START_SERVER = false
|
||||||
|
OFFLINE_MODE = false
|
||||||
|
|
||||||
|
[mailer]
|
||||||
|
ENABLED = false
|
||||||
|
|
||||||
|
[service]
|
||||||
|
REGISTER_EMAIL_CONFIRM = false
|
||||||
|
ENABLE_NOTIFY_MAIL = false
|
||||||
|
DISABLE_REGISTRATION = true
|
||||||
|
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
|
||||||
|
ENABLE_CAPTCHA = false
|
||||||
|
REQUIRE_SIGNIN_VIEW = false
|
||||||
|
DEFAULT_KEEP_EMAIL_PRIVATE = false
|
||||||
|
DEFAULT_ALLOW_CREATE_ORGANIZATION = true
|
||||||
|
DEFAULT_ENABLE_TIMETRACKING = true
|
||||||
|
NO_REPLY_ADDRESS = noreply.localhost
|
||||||
|
|
||||||
|
[picture]
|
||||||
|
DISABLE_GRAVATAR = true
|
||||||
|
ENABLE_FEDERATED_AVATAR = false
|
||||||
|
REPOSITORY_AVATAR_FALLBACK = random
|
||||||
|
|
||||||
|
[openid]
|
||||||
|
ENABLE_OPENID_SIGNIN = false
|
||||||
|
ENABLE_OPENID_SIGNUP = false
|
||||||
|
|
||||||
|
[session]
|
||||||
|
PROVIDER = file
|
||||||
|
|
||||||
|
[log]
|
||||||
|
MODE = file
|
||||||
|
LEVEL = info
|
||||||
|
ROOT_PATH = /var/lib/gitea/log
|
||||||
|
|
||||||
|
[ui]
|
||||||
|
DEFAULT_THEME = arc-green
|
2
roles/nginx/defaults/main.yml
Normal file
2
roles/nginx/defaults/main.yml
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
---
|
||||||
|
giteaPort: 3000
|
52
roles/nginx/files/nginx.conf
Normal file
52
roles/nginx/files/nginx.conf
Normal file
@ -0,0 +1,52 @@
|
|||||||
|
user www-data;
|
||||||
|
worker_processes auto;
|
||||||
|
include /etc/nginx/modules-enabled/*.conf;
|
||||||
|
pid /run/nginx.pid;
|
||||||
|
|
||||||
|
events {
|
||||||
|
worker_connections 768;
|
||||||
|
}
|
||||||
|
|
||||||
|
http {
|
||||||
|
|
||||||
|
##
|
||||||
|
# Basic Settings
|
||||||
|
##
|
||||||
|
|
||||||
|
sendfile on;
|
||||||
|
tcp_nopush on;
|
||||||
|
tcp_nodelay on;
|
||||||
|
keepalive_timeout 65;
|
||||||
|
types_hash_max_size 2048;
|
||||||
|
|
||||||
|
include /etc/nginx/mime.types;
|
||||||
|
default_type application/octet-stream;
|
||||||
|
|
||||||
|
##
|
||||||
|
# SSL Settings
|
||||||
|
##
|
||||||
|
|
||||||
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
|
||||||
|
ssl_prefer_server_ciphers on;
|
||||||
|
|
||||||
|
##
|
||||||
|
# Logging Settings
|
||||||
|
##
|
||||||
|
|
||||||
|
access_log /var/log/nginx/access.log;
|
||||||
|
error_log /var/log/nginx/error.log;
|
||||||
|
|
||||||
|
##
|
||||||
|
# Gzip Settings
|
||||||
|
##
|
||||||
|
|
||||||
|
gzip on;
|
||||||
|
gzip_disable "msie6";
|
||||||
|
|
||||||
|
##
|
||||||
|
# Virtual Host Configs
|
||||||
|
##
|
||||||
|
|
||||||
|
include /etc/nginx/conf.d/*.conf;
|
||||||
|
include /etc/nginx/sites-enabled/*;
|
||||||
|
}
|
4
roles/nginx/handlers/main.yml
Normal file
4
roles/nginx/handlers/main.yml
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
- name: setup-nginx
|
||||||
|
include_tasks: setup.yml
|
||||||
|
listen: "setup nginx"
|
@ -1,63 +1,35 @@
|
|||||||
---
|
---
|
||||||
- name: "Stop Nginx"
|
- name: Install system nginx config
|
||||||
systemd:
|
copy:
|
||||||
name: nginx
|
src: nginx.conf
|
||||||
state: stopped
|
dest: /etc/nginx/nginx.conf
|
||||||
|
notify: setup nginx
|
||||||
- name: "Setup Certbot"
|
|
||||||
include_role:
|
# setup our configs for each host (we don't want to
|
||||||
name: geerlingguy.certbot
|
# overwrite certbot's changes, so if it already exists,
|
||||||
vars:
|
# don't copy!)
|
||||||
certbot_admin_email: "{{ contact_email }}"
|
|
||||||
certbot_create_if_missing: true
|
- name: Install nginx config for {{ domain }}
|
||||||
certbot_create_standalone_stop_services: []
|
template:
|
||||||
certbot_certs:
|
src: templates/site.conf
|
||||||
- domains:
|
dest: /etc/nginx/conf.d/{{ domain }}.conf
|
||||||
- "{{ domain }}"
|
force: no
|
||||||
- "git.{{ domain }}"
|
notify: setup nginx
|
||||||
|
|
||||||
- name: "Install Nginx"
|
- name: Install nginx config for git.{{ domain }}
|
||||||
include_role:
|
template:
|
||||||
name: geerlingguy.nginx
|
src: templates/gitea.conf
|
||||||
vars:
|
dest: /etc/nginx/conf.d/git.{{ domain }}.conf
|
||||||
nginx_listen_ipv6: true
|
force: no
|
||||||
nginx_vhosts:
|
notify: setup nginx
|
||||||
- listen: "443 ssl http2"
|
|
||||||
server_name: "{{ domain }}"
|
- name: Install nginx config for our Hidden Service
|
||||||
root: "/var/www/{{ domain }}/public"
|
template:
|
||||||
index: "index.html index.htm"
|
src: templates/tor.conf
|
||||||
extra_parameters: |
|
dest: /etc/nginx/conf.d/tor-{{ domain }}.conf
|
||||||
location / {
|
|
||||||
add_header Permissions-Policy interest-cohort=();
|
- name: Enable Nginx
|
||||||
try_files $uri $uri/ =404;
|
|
||||||
}
|
|
||||||
ssl_certificate /etc/letsencrypt/live/{{ domain }}/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem;
|
|
||||||
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
|
|
||||||
ssl_ciphers HIGH:!aNULL:!MD5;
|
|
||||||
- listen: "443 ssl http2"
|
|
||||||
server_name: "git.{{ domain }}"
|
|
||||||
client_max_body_size: "100M"
|
|
||||||
extra_parameters: |
|
|
||||||
location / {
|
|
||||||
add_header Permissions-Policy interest-cohort=();
|
|
||||||
proxy_pass http://localhost:{{ giteaPort }};
|
|
||||||
}
|
|
||||||
ssl_certificate /etc/letsencrypt/live/{{ domain }}/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem;
|
|
||||||
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
|
|
||||||
ssl_ciphers HIGH:!aNULL:!MD5;
|
|
||||||
- listen: "2171"
|
|
||||||
server_name: "{{ onionDomain }}"
|
|
||||||
root: "/var/www/{{ domain }}/tor"
|
|
||||||
index: "index.html index.htm"
|
|
||||||
extra_parameters: |
|
|
||||||
location / {
|
|
||||||
add_header Permissions-Policy interest-cohort=();
|
|
||||||
try_files $uri $uri/ =404;
|
|
||||||
}
|
|
||||||
|
|
||||||
- name: "Start Nginx"
|
|
||||||
systemd:
|
systemd:
|
||||||
name: nginx
|
name: nginx
|
||||||
|
enabled: yes
|
||||||
state: started
|
state: started
|
9
roles/nginx/tasks/setup.yml
Normal file
9
roles/nginx/tasks/setup.yml
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
---
|
||||||
|
- name: Setup certbot
|
||||||
|
shell: "certbot --nginx --non-interactive --agree-tos --email {{ contact_email }} -d {{ domain }} -d git.{{ domain }}"
|
||||||
|
|
||||||
|
- name: Reload Nginx
|
||||||
|
systemd:
|
||||||
|
name: nginx
|
||||||
|
enabled: yes
|
||||||
|
state: restarted
|
11
roles/nginx/templates/gitea.conf
Normal file
11
roles/nginx/templates/gitea.conf
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
server {
|
||||||
|
server_name git.{{ domain }};
|
||||||
|
listen 80;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
add_header Permissions-Policy interest-cohort=();
|
||||||
|
proxy_pass http://localhost:{{ giteaPort }};
|
||||||
|
}
|
||||||
|
|
||||||
|
client_max_body_size 100M;
|
||||||
|
}
|
13
roles/nginx/templates/site.conf
Normal file
13
roles/nginx/templates/site.conf
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
server {
|
||||||
|
server_name {{ domain }};
|
||||||
|
listen 80;
|
||||||
|
|
||||||
|
root /var/www/{{ domain }}/public;
|
||||||
|
index index.html index.htm;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
add_header Permissions-Policy interest-cohort=();
|
||||||
|
add_header Referrer-Policy: "no-referrer";
|
||||||
|
try_files $uri $uri/ =404;
|
||||||
|
}
|
||||||
|
}
|
12
roles/nginx/templates/tor.conf
Normal file
12
roles/nginx/templates/tor.conf
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
server {
|
||||||
|
root /var/www/{{ domain }}/tor;
|
||||||
|
index index.html index.htm;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
add_header Permissions-Policy interest-cohort=();
|
||||||
|
try_files $uri $uri/ =404;
|
||||||
|
}
|
||||||
|
|
||||||
|
# our tor hidden service is hosted on this port
|
||||||
|
listen 2171;
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user