minor README changes

- all tasks/* have been moved to their own roles in roles/*
- each file && template is now oragnized per-role
- annotated each task which still isn't idempotent !TODO!

.github/workflows/deploy.yaml

@@ -1,27 +1,27 @@
-name: Run Playbook
+# name: Run Playbook
 
-on:
-  push:
-    tags:
-      - "v*.*.*"
+# on:
+#   push:
+#     tags:
+#       - "v*.*.*"
 
-jobs:
-  deploy:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Set up Git repository
-        uses: actions/checkout@v3
-        with:
-          ssh-key: ${{ secrets.SSH_PRIVATE_KEY }}
-          submodules: recursive
-      - name: Run Ansible-Playbook
-        uses: dawidd6/action-ansible-playbook@v2
-        with:
-          playbook: run.yml
-          key: ${{ secrets.SSH_PRIVATE_KEY }}
-          inventory: |
-            [hosts]
-            openpunk-vps ansible_host=96.30.199.68 ansible_user=root ansible_connection=ssh
-          vault_password: ${{ secrets.VAULT_PASSWORD }}
-          options: |
-            --extra-vars domain=openpunk.com
+# jobs:
+#   deploy:
+#     runs-on: ubuntu-latest
+#     steps:
+#       - name: Set up Git repository
+#         uses: actions/checkout@v3
+#         with:
+#           ssh-key: ${{ secrets.SSH_PRIVATE_KEY }}
+#           submodules: recursive
+#       - name: Run Ansible-Playbook
+#         uses: dawidd6/action-ansible-playbook@v2
+#         with:
+#           playbook: run.yml
+#           key: ${{ secrets.SSH_PRIVATE_KEY }}
+#           inventory: |
+#             [hosts]
+#             openpunk-vps ansible_host=96.30.199.68 ansible_user=root ansible_connection=ssh
+#           vault_password: ${{ secrets.VAULT_PASSWORD }}
+#           options: |
+#             --extra-vars domain=openpunk.com

README.md

@@ -1,8 +1,11 @@
 # OpenPunk's Ansible playbook
+
 This is my failsafe (and also my helpful migration tool) for restoring the OpenPunk server. This handles setting everything back up, including:
 
 - gitea
+    - sadly, no db migration is supported right now. maybe a future todo?
 - blog
+    - cron job for grabbing the `HEAD` of https://github.com/CPunch/openpunk && building the hugo site
 - tor mirror
 - nginx (for the above mentioned)
 - my shell theme (zsh + powerlevel10k)
@@ -13,6 +16,9 @@ This playbook assumes the target VPS is running the latest debian stable release
 ## Notes to my future self
 The deadswitch has the deadtrigger setup every run, so you have a 14-day timer to add a one-liner to your crontab to keep that deadtrigger set.
 
+Some DNS records also need to be set:
+- an A record with a `git.*` subdomain
+
 ## Usage
 ```sh
 ansible-playbook -i hosts --ask-vault-pass run.yml

roles/blog/tasks/main.yml

@@ -4,6 +4,7 @@
     repo: "https://github.com/CPunch/openpunk.git"
     dest: "/var/www/{{ domain }}"
 
+# TODO: make idempotent
 - name: Build blog
   command:
     cmd: hugo
@@ -11,7 +12,7 @@
 
 - name: Install updateBlog script
   template:
-    src: templates/blog/updateBlog
+    src: templates/updateBlog
     dest: /usr/local/bin/updateBlog
     mode: u+rx
 

roles/deadswitch/files/imdead.sh

@@ -2,7 +2,7 @@
 
 cd $HOME/deadman
 
-postPatch='../dead.patch'
+postPatch='dead.patch'
 pageName='content/pages/dead.md'
 currDate=$(date '+%Y-%m-%d')
 

roles/deadswitch/tasks/main.yml

@@ -6,13 +6,13 @@
 
 - name: Install deadswitch script
   copy:
-    src: static/blog/deadswitch
+    src: deadswitch
     dest: /usr/local/bin/deadswitch
     mode: u+rx
 
 - name: Install imdead.sh
   copy:
-    src: static/blog/imdead.sh
+    src: imdead.sh
     dest: /root/deadman/imdead.sh
     mode: u+rx
 
@@ -22,6 +22,7 @@
     dest: /root/deadman/dead.patch
     mode: u+rw
 
+# TODO: make idempotent
 - name: Install deadtrigger
   file:
     name: /root/.deadtrigger

roles/essential/tasks/main.yml

@@ -1,7 +1,9 @@
 ---
+# TODO: make idempotent
 - name: Add Gitea repo key
   shell: curl -s https://packaging.gitlab.io/gitea/gpg.key | sudo gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/morph027-gitea.gpg --import
 
+# TODO: make idempotent
 - name: Set key perms
   shell: sudo chmod 644 /etc/apt/trusted.gpg.d/morph027-gitea.gpg
 
@@ -30,6 +32,7 @@
       - zsh # :D
       - python3-certbot-nginx
 
+# TODO: make idempotent
 - name: Setup default shell (zsh)
   shell: chsh -s /usr/bin/zsh
 
@@ -41,6 +44,6 @@
 
 - name: Install .zshrc
   copy:
-    src: static/.zshrc
+    src: .zshrc
     dest: /root/.zshrc
     force: no

roles/firewall/tasks/main.yml

@@ -23,7 +23,7 @@
 
 - name: Copy fail2ban jail config
   copy:
-    src: static/fail2ban/jails.local
+    src: jails.local
     dest: /etc/fail2ban/jail.d/jails.local
 
 - name: Enable fail2ban service

roles/git/tasks/main.yml

@@ -1,7 +1,7 @@
 ---
 - name: Setup git config
   copy:
-    src: static/.gitconfig
+    src: .gitconfig
     dest: /root/.gitconfig
     owner: root
     mode: u=rw,g=,o=
@@ -9,6 +9,7 @@
 # make sure our vps trusts the github.com key signature. we pipe the output
 # of ssh-keyscan into .ssh/known_hosts
 
+# TODO: make idempotent
 - name: Scan for SSH host keys
   command: ssh-keyscan github.com 2>/dev/null
   register: ssh_scan

roles/gitea/tasks/main.yml

@@ -1,7 +1,7 @@
 ---
 - name: Configure Gitea
   template:
-    src: templates/gitea/app.ini
+    src: app.ini
     dest: /etc/gitea/app.ini
     owner: gitea
     force: no # we don't want to kill our existing config D:

roles/goaccess/tasks/main.yml

@@ -1,5 +1,5 @@
 ---
 - name: Copy goaccess config
   copy:
-    src: static/goaccess/goaccess.conf
+    src: goaccess.conf
     dest: /etc/goaccess/goaccess.conf

roles/nginx/tasks/main.yml

@@ -1,9 +1,12 @@
 ---
+
+# TODO: make idempotent
 - name: Remove default nginx config
   file:
     name: /etc/nginx/sites-enabled
     state: absent
 
+# TODO: make idempotent
 - name: Restore sites-enabled
   file:
     name: /etc/nginx/sites-enabled
@@ -11,7 +14,7 @@
 
 - name: Install system nginx config
   copy:
-    src: static/nginx/nginx.conf
+    src: nginx.conf
     dest: /etc/nginx/nginx.conf
 
 # setup our configs for each host (we don't want to 
@@ -20,19 +23,19 @@
 
 - name: Install nginx config for {{ domain }}
   template:
-    src: templates/nginx/site.conf
+    src: templates/site.conf
     dest: /etc/nginx/conf.d/{{ domain }}.conf
     force: no
 
 - name: Install nginx config for git.{{ domain }}
   template:
-    src: templates/nginx/gitea.conf
+    src: templates/gitea.conf
     dest: /etc/nginx/conf.d/git.{{ domain }}.conf
     force: no
 
 - name: Install nginx config for our Hidden Service
   template:
-    src: templates/nginx/tor.conf
+    src: templates/tor.conf
     dest: /etc/nginx/conf.d/tor-{{ domain }}.conf
     force: no
 

roles/tor/tasks/main.yml

@@ -1,7 +1,7 @@
 ---
 - name: Install torrc
   template:
-    src: templates/tor/torrc
+    src: torrc
     dest: /etc/tor/torrc
     owner: root
     group: root
@@ -23,7 +23,7 @@
     group: debian-tor
     mode: u=rw,g=,o=
 
-- name: Reload Tor
+- name: Enable Tor Service
   systemd:
     name: tor
     enabled: yes

run.yml

@@ -9,13 +9,13 @@
       prompt: domain pointing to the vps
       private: no
 
-  tasks:
-    - import_tasks: tasks/essential.yml
-    - import_tasks: tasks/firewall.yml
-    - import_tasks: tasks/blog.yml
-    - import_tasks: tasks/gitea.yml
-    - import_tasks: tasks/tor.yml
-    - import_tasks: tasks/nginx.yml
-    - import_tasks: tasks/git.yml
-    - import_tasks: tasks/goaccess.yml
-    - import_tasks: tasks/deadswitch.yml
+  roles:
+    - essential
+    - git
+    - deadswitch
+    - firewall
+    - blog
+    - gitea
+    - nginx
+    - goaccess
+    - tor