39 Commits

Author SHA1 Message Date
1acd6411cb gitea: added act runner 2024-11-22 20:10:41 -06:00
c9cd0c3c12 essential: install docker from docker repository 2024-11-22 03:03:02 -06:00
899dc392df fix requirements 2024-11-22 03:02:21 -06:00
f71c3f6233 gitea: fix outdated theme for v1.22.0^ 2024-07-10 21:23:22 -05:00
219bd304d6 gitea: enable LFS server 2024-05-17 00:19:05 -05:00
5171a308be gitea backup: fix wrong dump cleanup path 2024-04-09 16:39:10 -05:00
2686eddf88 fix gitea backup 2024-04-09 16:32:01 -05:00
ab5b7c1d29 nginx: add http redirect to https 2024-03-10 13:52:04 -05:00
540f63cd85 nginx: fix gitea proxy headers 2024-02-27 18:11:03 -06:00
262e350f7b run: fix deprecated vars dictionary, moved giteaPort to group_vars 2024-02-24 15:51:25 -06:00
454d91977c nginx/tor: fix http proxy listen 2024-02-24 15:50:32 -06:00
74e55ef1b9 gitea: fixed restore
wrong repos path
2024-02-21 16:55:17 -06:00
5212ca61bd Merge pull request #1 from CPunch/rewrite
REFACTOR: lots of changes
2024-02-21 15:58:24 -06:00
52d526bf5c REFACTOR: lots of changes, using ansible-galaxy roles for certbot, nginx & gitea 2024-02-21 15:56:43 -06:00
3047267d19 update README 2023-02-03 15:43:52 -06:00
bea9cb3592 gitea: backup and restore based on tags 2023-02-03 15:40:59 -06:00
06548bf135 removed giteaUninstall var 2023-02-02 16:04:44 -06:00
feaea47028 gitea: can now backup the database remotely 2023-02-01 23:30:14 -06:00
bf198f9d63 minor typos 2023-02-01 18:01:52 -06:00
af53eb4637 roles/gitea: support giteaUninstall variable 2023-01-21 18:25:02 -06:00
e8fe024b77 roles/git: ssh known_hosts is now idempotent
- roles/git now uses blockinfile to ensure the github ssh keypairs are trusted, and to allow subsequent ssh keypairs to be trusted and not overwritten by future runs.
- this commit marks idempotency for all roles. after a successful run of this playbook, subsequent runs will result in a change=0 !!!!!
2023-01-19 20:50:30 -06:00
3d75ac18e7 roles/gitea: better gitea installation condition 2023-01-19 18:03:49 -06:00
c6ea8eaf38 roles: minor idempotency changes 2023-01-19 18:02:55 -06:00
e3d3ec37fd roles/gitea: installing gitea is now idempotent 2023-01-19 15:11:22 -06:00
2d3fbfe484 removed stale github workflow 2023-01-18 20:36:30 -06:00
5cdc63e35a roles/deadswitch: role is now idempotent 2023-01-18 01:10:40 -06:00
1747125b67 roles/blog: fix updateBlog 2023-01-17 17:52:47 -06:00
41ef83bb4e roles/blog: run updateBlog; now idempotent! 2023-01-17 17:41:25 -06:00
4359544b6a blog: updateBlog now checks for changes before building 2023-01-17 17:32:47 -06:00
ca6fdaeff3 blog: maintain two separate builds of the site; one for tor, one for https 2023-01-16 17:17:07 -06:00
1028023b8b roles/nginx: made idempotent 2023-01-15 21:54:03 -06:00
5e2c4850e1 minor README changes 2023-01-14 17:36:51 -06:00
a971e7d065 github: disabled deploy workflow 2023-01-14 17:31:46 -06:00
abaa4c9639 switched to roles
- all tasks/* have been moved to their own roles in roles/*
- each file && template is now organized per-role
- annotated each task which still isn't idempotent !TODO!
2023-01-14 17:26:17 -06:00
d435ab80ac fix: wrong paths in imdead.sh (oops) 2022-10-04 13:13:46 -05:00
bf5763a42f updated to latest secrets 2022-10-04 13:09:36 -05:00
6325e393b3 updated readme 2022-10-04 12:51:54 -05:00
ec89c70336 Deploy ansible playbook automagically 2022-10-04 12:21:22 -05:00
281e98f030 better file permissions 2022-10-04 11:29:40 -05:00
41 changed files with 622 additions and 320 deletions

1
.gitignore vendored

@@ -1 +1,2 @@
hosts
backups
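Review bot: ignoring `backups` is the right call, since the `gitea-dump.zip` written there bundles the sqlite database (password hashes, access tokens) together with every repository; while touching `.gitignore`, consider also ignoring `.vscode/`, because the editor settings added in this same change contain a machine-specific absolute path and are not part of the playbook.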

5
.vscode/settings.json vendored Normal file

@@ -0,0 +1,5 @@
{
"yaml.schemas": {
"https://raw.githubusercontent.com/ansible/ansible-lint/main/src/ansiblelint/schemas/ansible.json#/$defs/tasks": "file:///home/cpunch/projects/openpunk-ansible/roles/nginx/tasks/main.yml"
}
}
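Review bot: `.vscode/settings.json` hard-codes `file:///home/cpunch/projects/openpunk-ansible/...`, so the schema mapping only works on one machine and leaks the local checkout path into the repository; either use a workspace-relative path or keep `.vscode/` out of version control, since it adds nothing to the playbook itself.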


@@ -3,28 +3,56 @@
This is my failsafe (and also my helpful migration tool) for restoring the OpenPunk server. This handles setting everything back up, including:
- gitea
- backup and restoring are also supported
- blog
- cron job for grabbing the `HEAD` of https://github.com/CPunch/openpunk && building the hugo site
- tor mirror
- nginx (for the above mentioned)
- certbot's Let's Encrypt
- my shell theme (zsh + powerlevel10k)
- deadswitch (& the ssh + git config to allow pushes)
This playbook assumes the target VPS is running the latest debian stable release.
## Notes to my future self
Add this to your local machine's crontab:
The deadswitch has the deadtrigger setup every run, so you have a 14-day timer to add a one-liner to your crontab to keep that deadtrigger set.
```sh
ssh openpunk 'touch /root/.deadtrigger'
```
Some DNS records also need to be set:
- an A record with a `git.*` subdomain
A Gitea Act Runner is also setup if the `giteaRunnerToken` variable is defined in your hosts file.
## Usage
First, make sure to install the requirements:
```sh
ansible-galaxy install -r requirements.yml
```
Then, run the playbook:
```sh
ansible-playbook -i hosts --ask-vault-pass run.yml
```
> NOTE: The 'secrets' directory has been omitted from this repo (so it's not going to run without the provided files)
## Example hosts file
## Backup and restore
Backup Gitea using the 'backup' tag
```sh
ansible-playbook -i hosts run.yml --tags backup
```
then, restore from the backup using the 'restore' tag
```sh
ansible-playbook -i hosts run.yml --tags restore
```
## Example hosts file
```
[hosts]
openpunk-vps ansible_host=104.238.138.76 ansible_user=root ansible_connection=ssh
openpunk-vps ansible_host=104.238.138.76 ansible_user=root ansible_connection=ssh giteaRunnerToken=my-token-yayy
```
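Review bot: the hosts example puts the runner registration token directly into the inventory line (`giteaRunnerToken=my-token-yayy`); `hosts` is gitignored, but the playbook is already invoked with `--ask-vault-pass`, so the token belongs in a vault-encrypted variable file rather than a plaintext inventory entry. Two smaller documentation points: the backup and restore commands omit `--ask-vault-pass` even though the Usage section says the run needs it, and `## Example hosts file` appears twice (the first occurrence has no body under it).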


@@ -1,2 +1,5 @@
---
domain: openpunk.com
contact_email: openpunk@proton.me
onionDomain: opnpnk6eutjiqy4ndpyvwxd5pncj2g2cmz6fkocr5uh3omnn4utvspad.onion
giteaPort: 3000

12
requirements.yml Normal file

@@ -0,0 +1,12 @@
- src: https://github.com/roles-ansible/ansible_role_gitea.git
scm: git
version: v3.5.0
name: l3d.gitea
- src: https://github.com/geerlingguy/ansible-role-nginx.git
scm: git
version: 3.2.0
name: geerlingguy.nginx
- src: https://github.com/geerlingguy/ansible-role-certbot.git
scm: git
version: 5.1.1
name: geerlingguy.certbot
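Review bot: the three roles are pinned to release tags, which the upstream repositories can move or delete at any time; for roles that install system packages and write TLS and SSH material onto the server, pin `version:` to the commit hash behind each tag (ansible-galaxy accepts a commit id for `scm: git` sources) so a later `ansible-galaxy install -r requirements.yml` cannot silently pull different code.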


@@ -4,16 +4,17 @@
repo: "https://github.com/CPunch/openpunk.git"
dest: "/var/www/{{ domain }}"
- name: Build blog
command:
cmd: hugo
chdir: "/var/www/{{ domain }}"
- name: Install updateBlog script
template:
src: templates/blog/updateBlog
src: templates/updateBlog
dest: /usr/local/bin/updateBlog
mode: u+rwx
mode: u+rx
- name: Build blog
command:
cmd: updateBlog
register: blog_out
changed_when: blog_out.stdout != "up to date"
# Rebuild blog every hour
- name: Setup blog cron job
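Review bot: `changed_when: blog_out.stdout != "up to date"` compares the whole stdout against one exact string, so any extra output on the no-op path, or a path that prints nothing at all, flips the task to changed; a more robust contract is to have the script exit with distinct return codes and key `changed_when` on `blog_out.rc`. Also, `mode: u+rx` is a symbolic mode applied on top of the umask-derived default, so group and other most likely keep their read bits; `mode: "0700"` states the intended permissions explicitly.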


@@ -0,0 +1,32 @@
#!/bin/bash
cd /var/www/{{ domain }}
PUBLIC_DIR=public
TOR_DIR=tor
buildBlog () {
hugo --cleanDestinationDir --minify -d $PUBLIC_DIR -b https://{{ domain }}
hugo --cleanDestinationDir --minify -d $TOR_DIR -b http://{{ onionDomain }}
}
git fetch origin
UPSTREAM=${1:-'@{u}'}
LOCAL=$(git rev-parse @)
REMOTE=$(git rev-parse "$UPSTREAM")
BASE=$(git merge-base @ "$UPSTREAM")
if [ $LOCAL = $REMOTE ]; then
# this string is hardcoded && checked by the 'Build blog' task
# to check for changes (changed_when)
echo "up to date"
elif [ $LOCAL = $BASE ]; then
# there are changes to reset to so we need to rebuild
echo "missing changes !!"
git reset --hard origin/main
buildBlog
fi
if [ ! -d "$PUBLIC_DIR" ] || [ ! -d "$TOR_DIR" ]; then
# probably first time setup
echo "missing directories !!"
buildBlog
fi
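Review bot: when the local and remote heads differ but `$LOCAL` is not the merge base (local commits present, or a diverged history), neither branch of the `if` runs: nothing is printed, nothing is rebuilt, and the script still exits 0, so the Ansible task reports "changed" while the site stays stale. Add an `else` branch that reports that state (and exits non-zero if it is never expected on the server), quote `"$LOCAL"`, `"$REMOTE"` and `"$BASE"` in the tests, and guard the initial `cd` with `|| exit 1` so a missing directory does not run `git fetch` in whatever directory cron started from. The reset also hard-codes `origin/main` while the comparison uses `$UPSTREAM`; using `"$UPSTREAM"` in both keeps them consistent.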


@@ -22,5 +22,5 @@ echo $dTime
if [ $dTime -gt $triggerTime ]
then
touch $fileLock
bash $scriptToRun
source $scriptToRun
fi
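Review bot: switching `bash $scriptToRun` to `source $scriptToRun` runs imdead.sh inside deadswitch's own shell, so its `cd $HOME/deadman` and `cd openpunk` change the caller's working directory and any `exit` it performs terminates deadswitch before the remaining lines run; since imdead.sh has its own shebang and shares no variables back, `bash "$scriptToRun"` (quoted) is the safer call, and `source` should only be used if a shared function is actually needed.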


@@ -1,8 +1,7 @@
#!/bin/bash
cd $HOME/deadman
postPatch='../dead.patch'
postPatch='dead.patch'
pageName='content/pages/dead.md'
currDate=$(date '+%Y-%m-%d')
@@ -10,9 +9,11 @@ git clone git@github.com:CPunch/openpunk.git
# commit & push the post
cd openpunk
git am postPatch
git am $postPatch
# replace our --DATE-- with the current date
sed -i 's/--DATE--/'$currDate'/g' $pageName
git add .
git commit -m "DeadSwitch: No response from CPunch in 14 days, posting dead.md"
git push --force
updateBlog
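Review bot: `git am $postPatch` fixes the literal-path bug, but the script still has no error handling: if `git am` fails (missing patch, conflict), execution continues into `sed`, `git commit` and `git push --force` against the live site's main branch. Add `set -euo pipefail` at the top (or `git am "$postPatch" || exit 1`) so a failed patch application stops before anything is pushed, and prefer `--force-with-lease` over `--force` so an unexpected upstream change is not silently overwritten.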


@@ -6,26 +6,33 @@
- name: Install deadswitch script
copy:
src: static/blog/deadswitch
src: deadswitch
dest: /usr/local/bin/deadswitch
mode: u+rwx
mode: u+rx
- name: Install imdead.sh
copy:
src: static/blog/imdead.sh
src: imdead.sh
dest: /root/deadman/imdead.sh
mode: u+rwx
mode: u+rx
- name: Copy dead patch
copy:
src: secrets/dead.patch
dest: /root/deadman/dead.patch
mode: u+rwx
mode: u+rw
# TODO: deadtrigger path should be a variable, no?
- name: Check deadtrigger
stat:
path: /root/.deadtrigger
register: deadstat
- name: Install deadtrigger
file:
name: /root/.deadtrigger
path: /root/.deadtrigger
state: touch
when: deadstat.stat.exists == false
# Run deadswitch daily at 1am
- name: Install deadlock cronjob
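Review bot: `mode: u+rw` for `dead.patch` (copied from `secrets/`) is a symbolic mode that only adds bits on top of the umask-derived default and never clears the group/other read bits, so the file most likely ends up world-readable; use `mode: "0600"` here (and `"0700"` for the two scripts) to state the intended permissions. The `stat` + `when: deadstat.stat.exists == false` pair can be collapsed into a single `file` task with `state: touch`, `modification_time: preserve` and `access_time: preserve`, which is idempotent on its own; if the check stays, `when: not deadstat.stat.exists` is the idiomatic form.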


@@ -0,0 +1,67 @@
---
- name: Upgrade Packages
apt:
update_cache: yes
upgrade: full
- name: Install required software
package:
name:
- hugo
- git
- nginx
- tor
- ufw
- fail2ban
- goaccess
- htop
- sqlite3
- zsh # :D
- python3-certbot-nginx
- name: Add Docker GPG apt Key
apt_key:
url: https://download.docker.com/linux/ubuntu/gpg
state: present
- name: Add Docker Repository
apt_repository:
repo: deb https://download.docker.com/linux/ubuntu focal stable
state: present
- name: Update apt and install Docker packages
apt:
name:
- docker-ce
- docker-ce-cli
- containerd.io
- docker-compose
state: latest
update_cache: true
- name: Start docker
systemd:
name: docker
state: started
- name: Grab package facts
package_facts:
manager: auto
tags: always
- name: Setup zsh
user:
name: "{{ ansible_user }}"
shell: /usr/bin/zsh
- name: Clone Powerlevel10k theme
git:
repo: "https://github.com/romkatv/powerlevel10k.git"
dest: "/root/powerlevel10k"
depth: 1
- name: Install .zshrc
copy:
src: .zshrc
dest: /root/.zshrc
force: no
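Review bot: the Docker repository added here is Ubuntu's (`download.docker.com/linux/ubuntu`, suite `focal`), but the README states the target runs the latest Debian stable; on Debian this installs packages built for a different distribution, so use `download.docker.com/linux/debian` with the host's codename (`{{ ansible_distribution_release }}`). `apt_key` is deprecated; download the key into `/etc/apt/keyrings/` and reference it with `signed-by=` in the `repo:` line instead. The package list installs `docker-compose` (the v1 standalone tool), while `roles/gitea/tasks/runner.yml` uses `community.docker.docker_compose_v2`, which drives the `docker compose` CLI plugin shipped as `docker-compose-plugin` from Docker's repository. Finally, `state: latest` upgrades Docker on every run, which works against the idempotency goal recorded in the commit history; `state: present` is enough.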


@@ -23,7 +23,7 @@
- name: Copy fail2ban jail config
copy:
src: static/fail2ban/jails.local
src: jails.local
dest: /etc/fail2ban/jail.d/jails.local
- name: Enable fail2ban service


@@ -0,0 +1,7 @@
[user]
email = openpunk@proton.me
name = OpenPunk
[core]
editor = nano
[pull]
rebase = true


@@ -1,7 +1,7 @@
---
- name: Setup git config
copy:
src: static/.gitconfig
src: .gitconfig
dest: /root/.gitconfig
owner: root
mode: u=rw,g=,o=
@@ -12,17 +12,19 @@
- name: Scan for SSH host keys
command: ssh-keyscan github.com 2>/dev/null
register: ssh_scan
changed_when: false
- name: Update known_hosts
copy:
content: "{{ ssh_scan.stdout_lines|join('\n') }}"
dest: /root/.ssh/known_hosts
- name: Update .ssh/known_hosts
blockinfile:
path: /root/.ssh/known_hosts
block: "{{ ssh_scan.stdout_lines|join('\n') }}"
insertbefore: BOF
create: yes
owner: root
mode: u=rw,g=,o=
force: no # if we already have a known_hosts file, ignore!
# this keypair is trusted under my github account, so it allows my vps to make pushes
# to the main branch of my openpunk repository. (for my deadswitch: see static/blog/imdead.sh)
# to the main branch of my openpunk repository. (see roles/deadswitch/files/imdead.sh)
- name: Install ssh priv key
copy:
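Review bot: the known_hosts block is built from a live `ssh-keyscan` of github.com, which trusts whatever key the network returns at provisioning time (trust-on-first-use on every run that creates the file); since this entry later authenticates the deadswitch's pushes, ship GitHub's published host keys as a static file in the role and install those with `blockinfile` instead of scanning. Also, the `command` module does not pass arguments through a shell, so `2>/dev/null` is handed to `ssh-keyscan` as a literal extra hostname; drop it or switch that task to `shell:`. `create: yes` with `blockinfile` is what makes the task idempotent, which is the point of this change, so that part looks right.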


@@ -0,0 +1,4 @@
---
giteaPort: 3000
giteaBackup: backups/gitea-dump.zip # local path
runnerPath: "{{ ansible_env.HOME }}/runner"


@@ -0,0 +1,94 @@
# Example configuration file, it's safe to copy this as the default config file without any modification.
# You don't have to copy this file to your instance,
# just run `./act_runner generate-config > config.yaml` to generate a config file.
log:
# The level of logging, can be trace, debug, info, warn, error, fatal
level: info
runner:
# Where to store the registration result.
file: .runner
# Execute how many tasks concurrently at the same time.
capacity: 2
# Extra environment variables to run jobs from a file.
# It will be ignored if it's empty or the file doesn't exist.
env_file: .env
# The timeout for a job to be finished.
# Please note that the Gitea instance also has a timeout (3h by default) for the job.
# So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
timeout: 3h
# Whether skip verifying the TLS certificate of the Gitea instance.
insecure: false
# The timeout for fetching the job from the Gitea instance.
fetch_timeout: 5s
# The interval for fetching the job from the Gitea instance.
fetch_interval: 2s
# The labels of a runner are used to determine which jobs the runner can run, and how to run them.
# Like: "macos-arm64:host" or "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
# Find more images provided by Gitea at https://gitea.com/gitea/runner-images .
# If it's empty when registering, it will ask for inputting labels.
# If it's empty when execute `daemon`, will use labels in `.runner` file.
labels:
- "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
- "ubuntu-22.04:docker://gitea/runner-images:ubuntu-22.04"
- "ubuntu-20.04:docker://gitea/runner-images:ubuntu-20.04"
cache:
# Enable cache server to use actions/cache.
enabled: true
# The directory to store the cache data.
# If it's empty, the cache data will be stored in $HOME/.cache/actcache.
dir: "/data"
# The host of the cache server.
# It's not for the address to listen, but the address to connect from job containers.
# So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
host: ""
# The port of the cache server.
# 0 means to use a random available port.
port: 18088
# The external cache server URL. Valid only when enable is true.
# If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
# The URL should generally end with "/".
external_server: ""
container:
# Specifies the network to which the container will connect.
# Could be host, bridge or the name of a custom network.
# If it's empty, act_runner will create a network automatically.
network: "runner-cache"
# Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
privileged: false
# And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
options:
# The parent directory of a job's working directory.
# NOTE: There is no need to add the first '/' of the path as act_runner will add it automatically.
# If the path starts with '/', the '/' will be trimmed.
# For example, if the parent directory is /path/to/my/dir, workdir_parent should be path/to/my/dir
# If it's empty, /workspace will be used.
workdir_parent:
# Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
# You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
# For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
# valid_volumes:
# - data
# - /src/*.json
# If you want to allow any volume, please use the following configuration:
# valid_volumes:
# - '**'
valid_volumes: []
# overrides the docker client host with the specified one.
# If it's empty, act_runner will find an available docker host automatically.
# If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
# If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
docker_host: ""
# Pull docker image(s) even if already present
force_pull: true
# Rebuild docker image(s) even if already present
force_rebuild: false
host:
# The parent directory of a job's working directory.
# If it's empty, $HOME/.cache/act/ will be used.
workdir_parent:
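Review bot: `docker_host: ""` means, per the comment block above it, that the Docker host act_runner finds is also mounted into every job and service container, so any workflow that runs on this runner gets control of the host's Docker daemon, which is root-equivalent on a VPS that also hosts Gitea, nginx and the deadswitch SSH key. Unless workflows genuinely need Docker, set `docker_host: "-"`; `privileged: false` and `valid_volumes: []` are already the restrictive choices and should stay. With `cache.enabled: true` and `host: ""` the cache server listens on `port: 18088`; because job containers are attached to the `runner-cache` network, that port should not need to be published on the host.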


@@ -0,0 +1,51 @@
---
# based on advice from https://docs.gitea.io/en-us/backup-and-restore/
- name: Stop Gitea
systemd:
name: gitea
enabled: yes
state: stopped
tags: backup
- name: Make Temp dir
file:
path: /etc/gitea/temp
state: directory
owner: gitea
tags: backup
- name: Dump Gitea
shell:
cmd: gitea dump -c /etc/gitea/gitea.ini --work-path=/etc/gitea --file=gitea-dump.zip --tempdir=/etc/gitea/temp
chdir: /etc/gitea
become: true
become_method: su
become_user: gitea
tags: backup
- name: Fetch backup
fetch:
src: /etc/gitea/gitea-dump.zip
dest: "{{ giteaBackup }}"
flat: true
tags: backup
- name: Remove remote dump
file:
path: /etc/gitea/gitea-dump.zip
state: absent
tags: backup
- name: Remove Temp
file:
path: /etc/gitea/temp
state: absent
tags: backup
- name: Start Gitea
systemd:
name: gitea
enabled: yes
state: started
tags: backup
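Review bot: the backup stops Gitea in the first task and only restarts it in the last, so a failure in `gitea dump` or `fetch` leaves the service down; put the dump, fetch and cleanup tasks in a `block:` and move `Start Gitea` under `always:`. The dump contains the sqlite database (password hashes, access tokens) plus every repository, and it sits in `/etc/gitea` and `/etc/gitea/temp` (owner gitea, default mode) before being fetched to a plaintext local file; give the temp directory `mode: "0700"` and treat `backups/` with the same care as `secrets/`.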


@@ -0,0 +1,34 @@
---
- name: "Install gitea"
include_role:
name: l3d.gitea
vars:
gitea_fqdn: 'git.{{ domain }}'
gitea_home: '/var/lib/gitea'
gitea_db_type: 'sqlite3'
gitea_theme_default: 'gitea-dark'
gitea_root_url: 'https://git.{{ domain }}'
gitea_protocol: http
gitea_http_port: "{{ giteaPort }}"
gitea_ssh_port: 22
gitea_start_ssh: false
gitea_allow_only_internal_registration: true
gitea_disable_registration: true
gitea_require_signin: false
gitea_lfs_server_enabled: true
- name: "Start Gitea Act Runner"
include_tasks: runner.yml
when: giteaRunnerToken is defined
- name: Backup db
include_tasks: backup.yml
tags:
- never
- backup
- name: Restore db
include_tasks: restore.yml
tags:
- never
- restore
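Review bot: `gitea_protocol: http` on `giteaPort` is only safe behind nginx if Gitea binds to loopback; check the l3d.gitea variable that sets the HTTP listen address and pin it to 127.0.0.1 (and confirm the firewall role blocks 3000), otherwise the instance is reachable in cleartext, bypassing the TLS vhost. `gitea_start_ssh: false` with `gitea_ssh_port: 22` routes SSH through the system sshd and `authorized_keys`, which matters for restore, where that file must be regenerated. The `never` + `backup`/`restore` tags on the includes are correct: those task files only run when the tag is requested explicitly.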


@@ -0,0 +1,96 @@
---
# based on advice from https://docs.gitea.io/en-us/backup-and-restore/
- name: Stop Gitea
systemd:
name: gitea
enabled: yes
state: stopped
tags: restore
- name: Make restore dir
file:
path: /etc/gitea/gitea-dump
state: directory
owner: gitea
tags: restore
- name: Extract backup to host
unarchive:
src: "{{ giteaBackup }}"
dest: /etc/gitea/gitea-dump
owner: gitea
tags: restore
- name: Delete Gitea
file:
path: /var/lib/gitea
state: absent
tags: restore
- name: Create Gitea
file:
path: /var/lib/gitea
state: directory
owner: gitea
tags: restore
- name: Install data
copy:
src: /etc/gitea/gitea-dump/data/
dest: /var/lib/gitea/data
remote_src: true
owner: gitea
tags: restore
- name: Install log
copy:
src: /etc/gitea/gitea-dump/log/
dest: /var/lib/gitea/log/
remote_src: true
owner: gitea
tags: restore
ignore_errors: true
- name: Install repositories
copy:
src: /etc/gitea/gitea-dump/repos/
dest: /var/lib/gitea/repos/
remote_src: true
owner: gitea
tags: restore
# - name: Install config
# copy:
# src: /etc/gitea/gitea-dump/app.ini
# dest: /etc/gitea/app.ini
# owner: gitea
# remote_src: true
# tags: restore
- name: Remove sqlite3 db
file:
path: /var/lib/gitea/data/gitea.db
state: absent
tags: restore
- name: Generate sqlite3 db
shell: sqlite3 /var/lib/gitea/data/gitea.db </etc/gitea/gitea-dump/gitea-db.sql
become: true
become_method: su
become_user: gitea
tags: restore
- name: Start Gitea
systemd:
name: gitea
enabled: yes
state: started
tags: restore
- name: Finalize
shell: gitea admin regenerate hooks -c /etc/gitea/gitea.ini
become: true
become_method: su
become_user: gitea
tags: restore
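Review bot: the finalize step only runs `gitea admin regenerate hooks`; the backup/restore guide cited at the top of this file also calls for `gitea admin regenerate keys`, and because this instance uses the system sshd (`gitea_start_ssh: false`), restored users cannot push over SSH until `authorized_keys` is rebuilt. As in backup.yml, put the tasks between the stop and the start in a `block:` with `Start Gitea` under `always:` so a failed restore does not leave the service down, and consider guarding `Delete Gitea` on the extracted dump actually containing `gitea-db.sql`, since the removal of `/var/lib/gitea` is unconditional. `ignore_errors: true` on the log copy hides every error, not only "no log directory in the dump"; a `stat` guard on the source is more precise.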


@@ -0,0 +1,27 @@
- name: Make dirs for runner
file:
path: "{{ item }}"
state: directory
loop:
- "{{ runnerPath }}"
- "{{ runnerPath }}/data"
- name: Copy docker-compose.yml to server
template:
src: ./templates/runner-docker-compose.yml
dest: "{{ runnerPath }}/docker-compose.yml"
- name: Copy runner.env to server
template:
src: ./templates/runner.env
dest: "{{ runnerPath }}/runner.env"
- name: Copy runner-config.yml to server
copy:
src: ./files/runner-config.yml
dest: "{{ runnerPath }}/config.yaml"
- name: Start Gitea runner service
community.docker.docker_compose_v2:
project_src: "{{ runnerPath }}"
state: present
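Review bot: `runner.env` renders the registration token and `config.yaml` is copied, both without `mode:`, so they get the umask-derived default (typically 0644); set `mode: "0600"` on the env file at least, with explicit `owner`/`group`. `community.docker.docker_compose_v2` needs the `docker compose` CLI plugin on the host, which the package list in the essential role does not provide (it installs the v1 `docker-compose` package).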


@@ -0,0 +1,21 @@
services:
runner:
image: gitea/act_runner:latest
environment:
CONFIG_FILE: /config.yaml
GITEA_INSTANCE_URL: "https://git.{{ domain }}"
env_file:
- ./runner.env
volumes:
- ./config.yaml:/config.yaml
- ./data:/data
- /var/run/docker.sock:/var/run/docker.sock
ports:
- 18088:18088
networks:
- runner-cache
networks:
runner-cache:
name: runner-cache
driver: bridge
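Review bot: `ports: - 18088:18088` publishes the cache server on every host interface, and Docker inserts its own iptables rules ahead of ufw's, so the firewall role does not cover this port; bind it to loopback (`127.0.0.1:18088:18088`) or drop the mapping, since job containers reach the runner over the shared `runner-cache` network. Mounting `/var/run/docker.sock` gives the runner container root-equivalent control of the host, which is unavoidable for a Docker-backed runner but should be paired with `docker_host: "-"` in config.yaml so jobs themselves do not inherit it. `image: gitea/act_runner:latest` is unpinned; pin a version tag (or digest) so a runner upgrade is a deliberate change rather than a side effect of the next `docker compose up`.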


@@ -0,0 +1 @@
GITEA_RUNNER_REGISTRATION_TOKEN="{{ giteaRunnerToken }}"


@@ -1,5 +1,5 @@
---
- name: Copy goaccess config
copy:
src: static/goaccess/goaccess.conf
src: goaccess.conf
dest: /etc/goaccess/goaccess.conf


@@ -0,0 +1,81 @@
---
- name: "Stop Nginx"
systemd:
name: nginx
state: stopped
- name: "Setup Certbot"
include_role:
name: geerlingguy.certbot
vars:
certbot_admin_email: "{{ contact_email }}"
certbot_create_if_missing: true
certbot_create_standalone_stop_services: []
certbot_certs:
- domains:
- "{{ domain }}"
- "git.{{ domain }}"
- name: "Install Nginx"
include_role:
name: geerlingguy.nginx
vars:
nginx_listen_ipv6: false
nginx_vhosts:
- listen: "443 ssl http2"
server_name: "{{ domain }}"
root: "/var/www/{{ domain }}/public"
index: "index.html index.htm"
extra_parameters: |
listen [::]:443 ssl http2;
location / {
add_header Permissions-Policy interest-cohort=();
try_files $uri $uri/ =404;
}
ssl_certificate /etc/letsencrypt/live/{{ domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
- listen: "80" # redirect http requests to https
server_name: "{{ domain }}"
return: "301 https://{{ domain }}$request_uri"
filename: "{{ domain }}.80.conf"
- listen: "443 ssl http2"
server_name: "git.{{ domain }}"
client_max_body_size: "512M"
extra_parameters: |
listen [::]:443 ssl http2;
listen 80;
listen [::]:80;
location / {
add_header Permissions-Policy interest-cohort=();
proxy_pass http://localhost:{{ giteaPort }};
proxy_set_header Connection $http_connection;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
ssl_certificate /etc/letsencrypt/live/{{ domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
- listen: "80" # redirect http requests to https
server_name: "git.{{ domain }}"
return: "301 https://git.{{ domain }}$request_uri"
filename: "git.{{ domain }}.80.conf"
- listen: "127.0.0.1:2171"
server_name: "{{ onionDomain }}"
root: "/var/www/{{ domain }}/tor"
index: "index.html index.htm"
extra_parameters: |
location / {
add_header Permissions-Policy interest-cohort=();
try_files $uri $uri/ =404;
}
- name: "Start Nginx"
systemd:
name: nginx
state: started
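Review bot: the `git.{{ domain }}` TLS vhost also declares `listen 80; listen [::]:80;` in its `extra_parameters`, while a second vhost for the same `server_name` on port 80 returns the 301; nginx will warn about a conflicting server name and only one of them serves port 80, so Gitea (login form included) may still be proxied over cleartext HTTP. Remove the two port-80 listens from the TLS vhost so the redirect vhost is the only one on 80, as is already the case for `{{ domain }}`. `ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3` should drop TLSv1.1 (deprecated by RFC 8996), and with `nginx_listen_ipv6: false` the `listen [::]:443` lines re-enable IPv6 anyway, so pick one. Consider `add_header Strict-Transport-Security` now that both hosts redirect to HTTPS, and note that the `Referrer-Policy` header from the old site.conf did not survive the migration. Lastly, certbot runs standalone with nginx stopped by hand; check that the role's renewal job either stops nginx or uses the webroot/nginx plugin, otherwise renewals will fail on a busy port 80.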


@@ -1,7 +1,7 @@
---
- name: Install torrc
template:
src: templates/tor/torrc
src: templates/torrc
dest: /etc/tor/torrc
owner: root
group: root
@@ -23,7 +23,7 @@
group: debian-tor
mode: u=rw,g=,o=
- name: Reload Tor
- name: Enable Tor Service
systemd:
name: tor
enabled: yes

28
run.yml

@@ -4,18 +4,16 @@
vars_files:
- group_vars/all.yml
vars_prompt:
- name: domain
prompt: domain pointing to the vps
private: no
tasks:
- import_tasks: tasks/essential.yml
- import_tasks: tasks/firewall.yml
- import_tasks: tasks/blog.yml
- import_tasks: tasks/gitea.yml
- import_tasks: tasks/tor.yml
- import_tasks: tasks/nginx.yml
- import_tasks: tasks/git.yml
- import_tasks: tasks/goaccess.yml
- import_tasks: tasks/deadswitch.yml
roles:
- role: essential
- role: firewall
- role: git
tags: secrets
- role: deadswitch
tags: secrets
- role: blog
- role: gitea
- role: nginx
- role: goaccess
- role: tor
tags: secrets

Submodule secrets updated: d71665b85e...e643deb62e


@@ -1,7 +0,0 @@
[user]
email = openpunk@proton.me
name = OpenPunk
[core]
editor = nano
[pull]
rebase = true


@@ -1,52 +0,0 @@
user www-data;
worker_processes auto;
include /etc/nginx/modules-enabled/*.conf;
pid /run/nginx.pid;
events {
worker_connections 768;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}


@@ -1,46 +0,0 @@
---
- name: Add Gitea repo key
shell: curl -s https://packaging.gitlab.io/gitea/gpg.key | sudo gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/morph027-gitea.gpg --import
- name: Set key perms
shell: sudo chmod 644 /etc/apt/trusted.gpg.d/morph027-gitea.gpg
- name: Add Gitea repo
apt_repository:
filename: morph027-gitea
repo: deb https://packaging.gitlab.io/gitea gitea main
- name: Upgrade Packages
apt:
update_cache: yes
upgrade: full
- name: Install required software
package:
name:
- hugo
- gitea
- git
- nginx
- tor
- ufw
- fail2ban
- goaccess
- htop
- zsh # :D
- python3-certbot-nginx
- name: Setup default shell (zsh)
shell: chsh -s /usr/bin/zsh
- name: Clone Powerlevel10k theme
git:
repo: "https://github.com/romkatv/powerlevel10k.git"
dest: "/root/powerlevel10k"
depth: 1
- name: Install .zshrc
copy:
src: static/.zshrc
dest: /root/.zshrc
force: no


@@ -1,13 +0,0 @@
---
- name: Configure Gitea
template:
src: templates/gitea/app.ini
dest: /etc/gitea/app.ini
owner: gitea
force: no # we don't want to kill our existing config D:
- name: Reload Gitea
systemd:
name: gitea
enabled: yes
state: started


@@ -1,52 +0,0 @@
---
- name: Remove default nginx config
file:
name: /etc/nginx/sites-enabled
state: absent
- name: Restore sites-enabled
file:
name: /etc/nginx/sites-enabled
state: directory
- name: Install system nginx config
copy:
src: static/nginx/nginx.conf
dest: /etc/nginx/nginx.conf
# setup our configs for each host (we don't want to
# overwrite certbot's changes, so if it already exists,
# don't copy!)
- name: Install nginx config for {{ domain }}
template:
src: templates/nginx/site.conf
dest: /etc/nginx/conf.d/{{ domain }}.conf
force: no
- name: Install nginx config for git.{{ domain }}
template:
src: templates/nginx/gitea.conf
dest: /etc/nginx/conf.d/git.{{ domain }}.conf
force: no
- name: Install nginx config for our Hidden Service
template:
src: templates/nginx/tor.conf
dest: /etc/nginx/conf.d/tor-{{ domain }}.conf
force: no
- name: Reload Nginx to install LetsEncrypt
service:
name: nginx
state: restarted
# certbot is a life saver. thank you certbot devs!
- name: Setup certbot
shell: "certbot --nginx --non-interactive --agree-tos -m {{ contact_email }} -d {{ domain }} -d git.{{ domain }}"
- name: Reload Nginx with LetsEncrypt installed
systemd:
name: nginx
enabled: yes
state: restarted


@@ -1,5 +0,0 @@
#!/bin/bash
cd /var/www/{{ domain }}
/usr/bin/git fetch origin
/usr/bin/git reset --hard origin/main
/usr/bin/hugo


@@ -1,60 +0,0 @@
APP_NAME = OpenPunk Gitea
RUN_USER = gitea
RUN_MODE = prod
[database]
DB_TYPE = sqlite3
HOST = 127.0.0.1:5432
NAME = gitea
USER = gitea
PASSWD =
SSL_MODE = disable
CHARSET = utf8
PATH = /var/lib/gitea/data/gitea.db
[repository]
ROOT = /var/lib/gitea/gitea-repositories
[server]
SSH_DOMAIN = git.{{ domain }}
DOMAIN = git.{{ domain }}
HTTP_PORT = 3000
ROOT_URL = https://git.{{ domain }}/
DISABLE_SSH = false
SSH_PORT = 22
LFS_START_SERVER = false
OFFLINE_MODE = false
[mailer]
ENABLED = false
[service]
REGISTER_EMAIL_CONFIRM = false
ENABLE_NOTIFY_MAIL = false
DISABLE_REGISTRATION = true
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
ENABLE_CAPTCHA = false
REQUIRE_SIGNIN_VIEW = false
DEFAULT_KEEP_EMAIL_PRIVATE = false
DEFAULT_ALLOW_CREATE_ORGANIZATION = true
DEFAULT_ENABLE_TIMETRACKING = true
NO_REPLY_ADDRESS = noreply.localhost
[picture]
DISABLE_GRAVATAR = true
ENABLE_FEDERATED_AVATAR = false
[openid]
ENABLE_OPENID_SIGNIN = false
ENABLE_OPENID_SIGNUP = false
[session]
PROVIDER = file
[log]
MODE = file
LEVEL = info
ROOT_PATH = /var/lib/gitea/log
[ui]
DEFAULT_THEME = arc-green


@@ -1,11 +0,0 @@
server {
server_name git.{{ domain }};
listen 80;
location / {
add_header Permissions-Policy interest-cohort=();
proxy_pass http://localhost:3000;
}
client_max_body_size 100M;
}


@@ -1,13 +0,0 @@
server {
server_name {{ domain }};
listen 80;
root /var/www/{{ domain }}/public;
index index.html index.htm;
location / {
add_header Permissions-Policy interest-cohort=();
add_header Referrer-Policy: "no-referrer";
try_files $uri $uri/ =404;
}
}
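Review bot: this removed vhost set a `Referrer-Policy` header (though with a stray colon after the header name, so nginx actually emitted `Referrer-Policy:` as the name); the replacement vhost in roles/nginx/tasks/main.yml does not set it at all, so add `add_header Referrer-Policy "no-referrer";` (without the colon) there to keep, and fix, the policy.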


@@ -1,12 +0,0 @@
server {
root /var/www/{{ domain }}/public;
index index.html index.htm;
location / {
add_header Permissions-Policy interest-cohort=();
try_files $uri $uri/ =404;
}
# our tor hidden service is hosted on this port
listen 2171;
}