removed giteaUninstall var

- roles/git now uses blockinfile to ensure the github ssh keypairs are trusted, and to allow subsequent ssh keypairs to be trusted and not overwritten by future runs.
- this commit marks idempotency for all roles. after a successful run of this playbook, subsequent runs will result in a change=0 !!!!!

.github/workflows/deploy.yaml

@@ -1,27 +0,0 @@
-name: Run Playbook
-
-on:
-  push:
-    tags:
-      - "v*.*.*"
-
-jobs:
-  deploy:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Set up Git repository
-        uses: actions/checkout@v3
-        with:
-          ssh-key: ${{ secrets.SSH_PRIVATE_KEY }}
-          submodules: recursive
-      - name: Run Ansible-Playbook
-        uses: dawidd6/action-ansible-playbook@v2
-        with:
-          playbook: run.yml
-          key: ${{ secrets.SSH_PRIVATE_KEY }}
-          inventory: |
-            [hosts]
-            openpunk-vps ansible_host=96.30.199.68 ansible_user=root ansible_connection=ssh
-          vault_password: ${{ secrets.VAULT_PASSWORD }}
-          options: |
-            --extra-vars domain=openpunk.com

.gitignore

@@ -1 +1,2 @@
 hosts
+backups

.vscode/settings.json

@@ -0,0 +1,5 @@
+{
+    "yaml.schemas": {
+        "https://raw.githubusercontent.com/ansible/ansible-lint/main/src/ansiblelint/schemas/ansible.json#/$defs/tasks": "file:///home/cpunch/projects/openpunk-ansible/roles/nginx/tasks/main.yml"
+    }
+}

README.md

@@ -1,17 +1,28 @@
 # OpenPunk's Ansible playbook
+
 This is my failsafe (and also my helpful migration tool) for restoring the OpenPunk server. This handles setting everything back up, including:
 
 - gitea
+    - sadly, no db migration is supported right now. maybe a future todo?
 - blog
+    - cron job for grabbing the `HEAD` of https://github.com/CPunch/openpunk && building the hugo site
 - tor mirror
 - nginx (for the above mentioned)
+    - certbot's Let's Encrypt
 - my shell theme (zsh + powerlevel10k)
 - deadswitch (& the ssh + git config to allow pushes)
 
 This playbook assumes the target VPS is running the latest debian stable release.
 
 ## Notes to my future self
-The deadswitch has the deadtrigger setup every run, so you have a 14-day timer to add a one-liner to your crontab to keep that deadtrigger set.
+Add this to your local machine's crontab:
+
+```sh
+ssh openpunk 'touch /root/.deadtrigger'
+```
+
+Some DNS records also need to be set:
+- an A record with a `git.*` subdomain
 
 ## Usage
 ```sh

group_vars/all.yml

@@ -1,2 +1,4 @@
 ---
+domain: openpunk.com
 contact_email: openpunk@proton.me
+onionDomain: http://opnpnk6eutjiqy4ndpyvwxd5pncj2g2cmz6fkocr5uh3omnn4utvspad.onion

roles/blog/tasks/main.yml

@@ -4,17 +4,18 @@
     repo: "https://github.com/CPunch/openpunk.git"
     dest: "/var/www/{{ domain }}"
 
-- name: Build blog
-  command:
-    cmd: hugo
-    chdir: "/var/www/{{ domain }}"
-
 - name: Install updateBlog script
   template:
-    src: templates/blog/updateBlog
+    src: templates/updateBlog
     dest: /usr/local/bin/updateBlog
     mode: u+rx
 
+- name: Build blog
+  command:
+    cmd: updateBlog
+  register: blog_out
+  changed_when: blog_out.stdout != "up to date"
+
 # Rebuild blog every hour
 - name: Setup blog cron job
   cron:

roles/blog/templates/updateBlog

@@ -0,0 +1,32 @@
+#!/bin/bash
+cd /var/www/{{ domain }}
+
+PUBLIC_DIR=public
+TOR_DIR=tor
+
+buildBlog () {
+    hugo --cleanDestinationDir --minify -d $PUBLIC_DIR -b https://{{ domain }}
+    hugo --cleanDestinationDir --minify -d $TOR_DIR -b {{ onionDomain }}
+}
+
+git fetch origin
+UPSTREAM=${1:-'@{u}'}
+LOCAL=$(git rev-parse @)
+REMOTE=$(git rev-parse "$UPSTREAM")
+BASE=$(git merge-base @ "$UPSTREAM")
+if [ $LOCAL = $REMOTE ]; then
+    # this string is hardcoded && checked by the 'Build blog' task
+    # to check for changes (changed_when)
+    echo "up to date"
+elif [ $LOCAL = $BASE ]; then
+    # there are changes to reset to so we need to rebuild
+    echo "missing changes !!"
+    git reset --hard origin/main
+    buildBlog
+fi
+
+if [ ! -d "$PUBLIC_DIR" ] || [ ! -d "$TOR_DIR" ]; then
+    # probably first time setup
+    echo "missing directories !!"
+    buildBlog
+fi

roles/deadswitch/files/deadswitch

@@ -22,5 +22,5 @@ echo $dTime
 if [ $dTime -gt $triggerTime ]
 then 
     touch $fileLock
-    bash $scriptToRun
+    source $scriptToRun
 fi

roles/deadswitch/files/imdead.sh

@@ -1,8 +1,7 @@
 #!/bin/bash
-
 cd $HOME/deadman
 
-postPatch='../dead.patch'
+postPatch='dead.patch'
 pageName='content/pages/dead.md'
 currDate=$(date '+%Y-%m-%d')
 
@@ -10,9 +9,11 @@ git clone git@github.com:CPunch/openpunk.git
 
 # commit & push the post
 cd openpunk
-git am postPatch
+git am $postPatch
 # replace our --DATE-- with the current date
 sed -i 's/--DATE--/'$currDate'/g' $pageName
 git add .
 git commit -m "DeadSwitch: No response from CPunch in 14 days, posting dead.md"
 git push --force
+
+updateBlog

roles/deadswitch/tasks/main.yml

@@ -6,13 +6,13 @@
 
 - name: Install deadswitch script
   copy:
-    src: static/blog/deadswitch
+    src: deadswitch
     dest: /usr/local/bin/deadswitch
     mode: u+rx
 
 - name: Install imdead.sh
   copy:
-    src: static/blog/imdead.sh
+    src: imdead.sh
     dest: /root/deadman/imdead.sh
     mode: u+rx
 
@@ -22,10 +22,17 @@
     dest: /root/deadman/dead.patch
     mode: u+rw
 
+# TODO: deadtrigger path should be a variable, no?
+- name: Check deadtrigger
+  stat:
+    path: /root/.deadtrigger
+  register: deadstat
+
 - name: Install deadtrigger
   file:
-    name: /root/.deadtrigger
+    path: /root/.deadtrigger
     state: touch
+  when: deadstat.stat.exists == false
 
 # Run deadswitch daily at 1am
 - name: Install deadlock cronjob

roles/essential/tasks/main.yml

@@ -0,0 +1,36 @@
+---
+- name: Upgrade Packages
+  apt:
+    update_cache: yes
+    upgrade: full
+
+- name: Install required software
+  package:
+    name:
+      - hugo
+      - git
+      - nginx
+      - tor
+      - ufw
+      - fail2ban
+      - goaccess
+      - htop
+      - zsh # :D
+      - python3-certbot-nginx
+
+- name: Setup zsh
+  user:
+    name: "{{ ansible_user }}"
+    shell: /usr/bin/zsh
+
+- name: Clone Powerlevel10k theme
+  git:
+    repo: "https://github.com/romkatv/powerlevel10k.git"
+    dest: "/root/powerlevel10k"
+    depth: 1
+
+- name: Install .zshrc
+  copy:
+    src: .zshrc
+    dest: /root/.zshrc
+    force: no

roles/firewall/tasks/main.yml

@@ -23,7 +23,7 @@
 
 - name: Copy fail2ban jail config
   copy:
-    src: static/fail2ban/jails.local
+    src: jails.local
     dest: /etc/fail2ban/jail.d/jails.local
 
 - name: Enable fail2ban service

roles/git/tasks/main.yml

@@ -1,7 +1,7 @@
 ---
 - name: Setup git config
   copy:
-    src: static/.gitconfig
+    src: .gitconfig
     dest: /root/.gitconfig
     owner: root
     mode: u=rw,g=,o=
@@ -12,17 +12,19 @@
 - name: Scan for SSH host keys
   command: ssh-keyscan github.com 2>/dev/null
   register: ssh_scan
+  changed_when: false
 
-- name: Update known_hosts
+- name: Update .ssh/known_hosts
-  copy:
+  blockinfile:
-    content: "{{ ssh_scan.stdout_lines|join('\n')  }}"
+    path: /root/.ssh/known_hosts
-    dest: /root/.ssh/known_hosts
+    block: "{{ ssh_scan.stdout_lines|join('\n') }}"
+    insertbefore: BOF
+    create: yes
     owner: root
     mode: u=rw,g=,o=
-    force: no # if we already have a known_hosts file, ignore!
 
 # this keypair is trusted under my github account, so it allows my vps to make pushes
-# to the main branch of my openpunk repository. (for my deadswitch: see static/blog/imdead.sh)
+# to the main branch of my openpunk repository. (see roles/deadswitch/files/imdead.sh)
 
 - name: Install ssh priv key
   copy:

roles/gitea/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+giteaPort: 3000

roles/gitea/tasks/backup.yml

@@ -0,0 +1,26 @@
+---
+- name: Stop Gitea
+  systemd:
+    name: gitea
+    enabled: yes
+    state: stopped
+
+- name: Dump Gitea
+  shell:
+    cmd: gitea dump -c /etc/gitea/app.ini --work-path=/etc/gitea --file=gitea-dump.zip
+    chdir: /etc/gitea
+  become: true
+  become_method: su
+  become_user: gitea
+
+- name: Start Gitea
+  systemd:
+    name: gitea
+    enabled: yes
+    state: started
+
+- name: Fetch backup
+  fetch:
+    src: /etc/gitea/gitea-dump.zip
+    dest: backups/gitea-dump.zip
+    flat: true

roles/gitea/tasks/main.yml

@@ -0,0 +1,45 @@
+---
+- name: Check for Gitea gpg key
+  stat:
+    path: /etc/apt/trusted.gpg.d/morph027-gitea.gpg
+  register: gitea_key
+
+- name: Grab package facts
+  package_facts:
+    manager: auto
+
+- name: Install Gitea
+  block:
+    - name: Add Gitea key, repository && install
+      block:
+        - name: Import Gitea key
+          shell: curl -s https://packaging.gitlab.io/gitea/gpg.key | sudo gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/morph027-gitea.gpg --import && sudo chmod 644 /etc/apt/trusted.gpg.d/morph027-gitea.gpg
+          when: gitea_key.stat.exists == false or gitea_key.stat.mode != "0644"
+
+        - name: Add Gitea repository
+          apt_repository:
+            filename: morph027-gitea
+            repo: deb https://packaging.gitlab.io/gitea gitea main
+
+        - name: Add Gitea package
+          package:
+            name: gitea
+      when: "'gitea' not in ansible_facts.packages"
+
+    - name: Configure Gitea
+      template:
+        src: templates/app.ini
+        dest: /etc/gitea/app.ini
+        owner: gitea
+        force: no # we don't want to kill our existing config D:
+
+    - name: Reload Gitea
+      systemd:
+        name: gitea
+        enabled: yes
+        state: started
+
+    - name: Backup db
+      include_tasks: backup.yml
+      tags: ['never', 'backup']
+  tags: ['gitea', 'backup']

roles/gitea/templates/app.ini

@@ -18,7 +18,7 @@ ROOT = /var/lib/gitea/gitea-repositories
 [server]
 SSH_DOMAIN       = git.{{ domain }}
 DOMAIN           = git.{{ domain }}
-HTTP_PORT        = 3000
+HTTP_PORT        = {{ giteaPort }}
 ROOT_URL         = https://git.{{ domain }}/
 DISABLE_SSH      = false
 SSH_PORT         = 22

roles/goaccess/tasks/main.yml

@@ -1,5 +1,5 @@
 ---
 - name: Copy goaccess config
   copy:
-    src: static/goaccess/goaccess.conf
+    src: goaccess.conf
     dest: /etc/goaccess/goaccess.conf

roles/nginx/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+giteaPort: 3000

roles/nginx/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+- name: setup-nginx
+  include_tasks: setup.yml
+  listen: "setup nginx"

roles/nginx/tasks/main.yml

@@ -0,0 +1,41 @@
+---
+- name: Install system nginx config
+  copy:
+    src: nginx.conf
+    dest: /etc/nginx/nginx.conf
+  notify: setup nginx
+
+# setup our configs for each host (we don't want to 
+# overwrite certbot's changes, so if it already exists,
+# don't copy!)
+
+- name: Install nginx config for {{ domain }}
+  template:
+    src: templates/site.conf
+    dest: /etc/nginx/conf.d/{{ domain }}.conf
+    force: no
+  notify: setup nginx
+
+- name: Install nginx config for git.{{ domain }}
+  template:
+    src: templates/gitea.conf
+    dest: /etc/nginx/conf.d/git.{{ domain }}.conf
+    force: no
+  notify: setup nginx
+
+- name: Uninstall nginx config for git.{{ domain }}
+  file:
+    path: /etc/nginx/conf.d/git.{{ domain }}.conf
+    state: absent
+  notify: setup nginx
+
+- name: Install nginx config for our Hidden Service
+  template:
+    src: templates/tor.conf
+    dest: /etc/nginx/conf.d/tor-{{ domain }}.conf
+
+- name: Enable Nginx
+  systemd:
+    name: nginx
+    enabled: yes
+    state: started

roles/nginx/tasks/setup.yml

@@ -0,0 +1,12 @@
+---
+- name: Setup certbot for {{ domain }}
+  shell: "certbot --nginx --non-interactive --agree-tos -m {{ contact_email }} -d {{ domain }}"
+
+- name: Setup certbot for git.{{ domain }}
+  shell: "certbot --nginx --non-interactive --agree-tos -m {{ contact_email }} -d git.{{ domain }}"
+
+- name: Reload Nginx
+  systemd:
+    name: nginx
+    enabled: yes
+    state: restarted

roles/nginx/templates/gitea.conf

@@ -4,7 +4,7 @@ server {
 
     location / {
         add_header Permissions-Policy interest-cohort=();
-        proxy_pass http://localhost:3000;
+        proxy_pass http://localhost:{{ giteaPort }};
     }
 
     client_max_body_size 100M;

roles/nginx/templates/tor.conf

@@ -1,5 +1,5 @@
 server {
-    root /var/www/{{ domain }}/public;
+    root /var/www/{{ domain }}/tor;
     index index.html index.htm;
 
     location / {

roles/tor/tasks/main.yml

@@ -1,7 +1,7 @@
 ---
 - name: Install torrc
   template:
-    src: templates/tor/torrc
+    src: templates/torrc
     dest: /etc/tor/torrc
     owner: root
     group: root
@@ -23,7 +23,7 @@
     group: debian-tor
     mode: u=rw,g=,o=
 
-- name: Reload Tor
+- name: Enable Tor Service
   systemd:
     name: tor
     enabled: yes

run.yml

@@ -1,21 +1,20 @@
 ---
 - hosts: all
   become: yes
+  vars:
+    - giteaPort: 3000
+
   vars_files:
     - group_vars/all.yml
 
-  vars_prompt:
+  roles:
-    - name: domain
+    - role: essential
-      prompt: domain pointing to the vps
+    - role: firewall
-      private: no
+    - role: git
-
+    - role: deadswitch
-  tasks:
+    - role: blog
-    - import_tasks: tasks/essential.yml
+    - role: gitea
-    - import_tasks: tasks/firewall.yml
+      tags: [backup]
-    - import_tasks: tasks/blog.yml
+    - role: nginx
-    - import_tasks: tasks/gitea.yml
+    - role: goaccess
-    - import_tasks: tasks/tor.yml
+    - role: tor
-    - import_tasks: tasks/nginx.yml
-    - import_tasks: tasks/git.yml
-    - import_tasks: tasks/goaccess.yml
-    - import_tasks: tasks/deadswitch.yml

tasks/essential.yml

@@ -1,46 +0,0 @@
----
-- name: Add Gitea repo key
-  shell: curl -s https://packaging.gitlab.io/gitea/gpg.key | sudo gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/morph027-gitea.gpg --import
-
-- name: Set key perms
-  shell: sudo chmod 644 /etc/apt/trusted.gpg.d/morph027-gitea.gpg
-
-- name: Add Gitea repo
-  apt_repository:
-    filename: morph027-gitea
-    repo: deb https://packaging.gitlab.io/gitea gitea main
-
-- name: Upgrade Packages
-  apt:
-    update_cache: yes
-    upgrade: full
-
-- name: Install required software
-  package:
-    name:
-      - hugo
-      - gitea
-      - git
-      - nginx
-      - tor
-      - ufw
-      - fail2ban
-      - goaccess
-      - htop
-      - zsh # :D
-      - python3-certbot-nginx
-
-- name: Setup default shell (zsh)
-  shell: chsh -s /usr/bin/zsh
-
-- name: Clone Powerlevel10k theme
-  git:
-    repo: "https://github.com/romkatv/powerlevel10k.git"
-    dest: "/root/powerlevel10k"
-    depth: 1
-
-- name: Install .zshrc
-  copy:
-    src: static/.zshrc
-    dest: /root/.zshrc
-    force: no

tasks/gitea.yml

@@ -1,13 +0,0 @@
----
-- name: Configure Gitea
-  template:
-    src: templates/gitea/app.ini
-    dest: /etc/gitea/app.ini
-    owner: gitea
-    force: no # we don't want to kill our existing config D:
-
-- name: Reload Gitea
-  systemd:
-    name: gitea
-    enabled: yes
-    state: started

tasks/nginx.yml

@@ -1,52 +0,0 @@
----
-- name: Remove default nginx config
-  file:
-    name: /etc/nginx/sites-enabled
-    state: absent
-
-- name: Restore sites-enabled
-  file:
-    name: /etc/nginx/sites-enabled
-    state: directory
-
-- name: Install system nginx config
-  copy:
-    src: static/nginx/nginx.conf
-    dest: /etc/nginx/nginx.conf
-
-# setup our configs for each host (we don't want to 
-# overwrite certbot's changes, so if it already exists,
-# don't copy!)
-
-- name: Install nginx config for {{ domain }}
-  template:
-    src: templates/nginx/site.conf
-    dest: /etc/nginx/conf.d/{{ domain }}.conf
-    force: no
-
-- name: Install nginx config for git.{{ domain }}
-  template:
-    src: templates/nginx/gitea.conf
-    dest: /etc/nginx/conf.d/git.{{ domain }}.conf
-    force: no
-
-- name: Install nginx config for our Hidden Service
-  template:
-    src: templates/nginx/tor.conf
-    dest: /etc/nginx/conf.d/tor-{{ domain }}.conf
-    force: no
-
-- name: Reload Nginx to install LetsEncrypt
-  service:
-    name: nginx
-    state: restarted
-
-# certbot is a life saver. thank you certbot devs!
-- name: Setup certbot
-  shell: "certbot --nginx --non-interactive --agree-tos -m {{ contact_email }} -d {{ domain }} -d git.{{ domain }}"
-
-- name: Reload Nginx with LetsEncrypt installed
-  systemd:
-    name: nginx
-    enabled: yes
-    state: restarted

templates/blog/updateBlog

@@ -1,5 +0,0 @@
-#!/bin/bash
-cd /var/www/{{ domain }}
-/usr/bin/git fetch origin
-/usr/bin/git reset --hard origin/main
-/usr/bin/hugo