			22 Commits
	| Author | SHA1 | Date | |
|---|---|---|---|
| 52d526bf5c | |||
| 3047267d19 | |||
| bea9cb3592 | |||
| 06548bf135 | |||
| feaea47028 | |||
| bf198f9d63 | |||
| af53eb4637 | |||
| e8fe024b77 | |||
| 3d75ac18e7 | |||
| c6ea8eaf38 | |||
| e3d3ec37fd | |||
| 2d3fbfe484 | |||
| 5cdc63e35a | |||
| 1747125b67 | |||
| 41ef83bb4e | |||
| 4359544b6a | |||
| ca6fdaeff3 | |||
| 1028023b8b | |||
| 5e2c4850e1 | |||
| a971e7d065 | |||
| abaa4c9639 | |||
| d435ab80ac | |||
							
								
								
									
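--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -1,27 +0,0 @@
-name: Run Playbook
-
-on:
-  push:
-    tags:
-      - "v*.*.*"
-
-jobs:
-  deploy:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Set up Git repository
-        uses: actions/checkout@v3
-        with:
-          ssh-key: ${{ secrets.SSH_PRIVATE_KEY }}
-          submodules: recursive
-      - name: Run Ansible-Playbook
-        uses: dawidd6/action-ansible-playbook@v2
-        with:
-          playbook: run.yml
-          key: ${{ secrets.SSH_PRIVATE_KEY }}
-          inventory: |
-            [hosts]
-            openpunk-vps ansible_host=96.30.199.68 ansible_user=root ansible_connection=ssh
-          vault_password: ${{ secrets.VAULT_PASSWORD }}
-          options: |
-            --extra-vars domain=openpunk.com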
							
								
								
									
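--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
-hosts
+hosts
+backups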
							
								
								
									
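--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -0,0 +1,5 @@
+{
+    "yaml.schemas": {
+        "https://raw.githubusercontent.com/ansible/ansible-lint/main/src/ansiblelint/schemas/ansible.json#/$defs/tasks": "file:///home/cpunch/projects/openpunk-ansible/roles/nginx/tasks/main.yml"
+    }
+}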
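Review bot: The schema mapping on line 3 of the new file targets `file:///home/cpunch/projects/openpunk-ansible/roles/nginx/tasks/main.yml`, an absolute path on one machine, so for any other clone the mapping matches nothing and the editor hint silently disappears. A workspace-relative target such as `"roles/nginx/tasks/main.yml"`, or a glob like `"roles/*/tasks/*.yml"` that covers every role, keeps it working everywhere. If the file is meant to stay personal, `.vscode/` belongs in `.gitignore` alongside the `backups` entry added in this change.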
							
								
								
									
										37
									
								
								README.md
									
									
									
									
									
								
							| @@ -1,31 +1,54 @@ | ||||
| # OpenPunk's Ansible playbook | ||||
| <p align="center"> | ||||
|     <a href="https://github.com/CPunch/openpunk-ansible/actions/workflows/deploy.yaml"><img src="https://github.com/CPunch/openpunk-ansible/actions/workflows/deploy.yaml/badge.svg?branch=main" alt="Workflow"></a> | ||||
| </p> | ||||
|  | ||||
| This is my failsafe (and also my helpful migration tool) for restoring the OpenPunk server. This handles setting everything back up, including: | ||||
|  | ||||
| - gitea | ||||
|     - backup and restoring are also supported | ||||
| - blog | ||||
|     - cron job for grabbing the `HEAD` of https://github.com/CPunch/openpunk && building the hugo site | ||||
| - tor mirror | ||||
| - nginx (for the above mentioned) | ||||
|     - certbot's Let's Encrypt | ||||
| - my shell theme (zsh + powerlevel10k) | ||||
| - deadswitch (& the ssh + git config to allow pushes) | ||||
|  | ||||
| This playbook assumes the target VPS is running the latest debian stable release. | ||||
|  | ||||
| ## Automatic deployment | ||||
| On new release tags the playbook is automatically ran on the production openpunk vps. For more info checkout the `.github/workflows/deploy.yaml` workflow | ||||
|  | ||||
| ## Notes to my future self | ||||
| The deadswitch has the deadtrigger setup every run, so you have a 14-day timer to add a one-liner to your crontab to keep that deadtrigger set. | ||||
| Add this to your local machine's crontab: | ||||
|  | ||||
| ```sh | ||||
| ssh openpunk 'touch /root/.deadtrigger' | ||||
| ``` | ||||
|  | ||||
| Some DNS records also need to be set: | ||||
| - an A record with a `git.*` subdomain | ||||
|  | ||||
| ## Usage | ||||
| First, make sure to install the requirements: | ||||
| ```sh | ||||
| ansible-galaxy install -r requirements.yml | ||||
| ``` | ||||
|  | ||||
| Then, run the playbook: | ||||
|  | ||||
| ```sh | ||||
| ansible-playbook -i hosts --ask-vault-pass run.yml | ||||
| ``` | ||||
| > NOTE: The 'secrets' directory has been omitted from this repo (so it's not going to run without the provided files) | ||||
|  | ||||
| ## Backup and restore | ||||
|  | ||||
| Backup Gitea using the 'backup' tag | ||||
| ```sh | ||||
| ansible-playbook -i hosts run.yml --tags backup | ||||
| ``` | ||||
|  | ||||
| then, restore from the backup using the 'restore' tag | ||||
| ```sh | ||||
| ansible-playbook -i hosts run.yml --tags restore | ||||
| ``` | ||||
|  | ||||
| ## Example hosts file | ||||
| ``` | ||||
| [hosts] | ||||
|   | ||||
| @@ -1,2 +1,4 @@ | ||||
| --- | ||||
| contact_email: openpunk@proton.me | ||||
| domain: openpunk.com | ||||
| contact_email: openpunk@proton.me | ||||
| onionDomain: opnpnk6eutjiqy4ndpyvwxd5pncj2g2cmz6fkocr5uh3omnn4utvspad.onion | ||||
							
								
								
									
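--- a/requirements.yml
+++ b/requirements.yml
@@ -0,0 +1,6 @@
+- src: l3d.gitea
+  version: v3.3.0
+- src: geerlingguy.nginx
+  version: 3.1.4
+- src: geerlingguy.certbot
+  version: 5.1.0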
| @@ -4,17 +4,18 @@ | ||||
|     repo: "https://github.com/CPunch/openpunk.git" | ||||
|     dest: "/var/www/{{ domain }}" | ||||
| 
 | ||||
| - name: Build blog | ||||
|   command: | ||||
|     cmd: hugo | ||||
|     chdir: "/var/www/{{ domain }}" | ||||
| 
 | ||||
| - name: Install updateBlog script | ||||
|   template: | ||||
|     src: templates/blog/updateBlog | ||||
|     src: templates/updateBlog | ||||
|     dest: /usr/local/bin/updateBlog | ||||
|     mode: u+rx | ||||
| 
 | ||||
| - name: Build blog | ||||
|   command: | ||||
|     cmd: updateBlog | ||||
|   register: blog_out | ||||
|   changed_when: blog_out.stdout != "up to date" | ||||
| 
 | ||||
| # Rebuild blog every hour | ||||
| - name: Setup blog cron job | ||||
|   cron: | ||||
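Review bot: `changed_when: blog_out.stdout != "up to date"` on the new `Build blog` task treats any output other than that exact string as a change, but the `updateBlog` script installed just above only prints `up to date` when local and upstream match and only rebuilds when local is an ancestor of upstream; when the checkout has diverged or is ahead, the script prints nothing and exits 0, so the task reports changed on every run without having rebuilt anything. Adding `failed_when: blog_out.stdout == ""` (or having the script print a distinct string for that case) keeps the coupling the script's comment documents complete. The task list continues outside the hunk.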
							
								
								
									
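--- a/roles/blog/templates/updateBlog
+++ b/roles/blog/templates/updateBlog
@@ -0,0 +1,32 @@
+#!/bin/bash
+cd /var/www/{{ domain }}
+
+PUBLIC_DIR=public
+TOR_DIR=tor
+
+buildBlog () {
+    hugo --cleanDestinationDir --minify -d $PUBLIC_DIR -b https://{{ domain }}
+    hugo --cleanDestinationDir --minify -d $TOR_DIR -b http://{{ onionDomain }}
+}
+
+git fetch origin
+UPSTREAM=${1:-'@{u}'}
+LOCAL=$(git rev-parse @)
+REMOTE=$(git rev-parse "$UPSTREAM")
+BASE=$(git merge-base @ "$UPSTREAM")
+if [ $LOCAL = $REMOTE ]; then
+    # this string is hardcoded && checked by the 'Build blog' task
+    # to check for changes (changed_when)
+    echo "up to date"
+elif [ $LOCAL = $BASE ]; then
+    # there are changes to reset to so we need to rebuild
+    echo "missing changes !!"
+    git reset --hard origin/main
+    buildBlog
+fi
+
+if [ ! -d "$PUBLIC_DIR" ] || [ ! -d "$TOR_DIR" ]; then
+    # probably first time setup
+    echo "missing directories !!"
+    buildBlog
+fi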
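Review bot: `cd /var/www/{{ domain }}` on line 2 is unchecked, so if the directory is missing every following `git` command runs in whatever directory cron or Ansible started from, and `git reset --hard origin/main` would then act on that unrelated checkout; `cd /var/www/{{ domain }} || exit 1` (or `set -euo pipefail` at the top of the script) closes that. The comparisons `[ $LOCAL = $REMOTE ]` and `[ $LOCAL = $BASE ]` also leave the variables unquoted, so when a `git rev-parse` fails they expand to nothing and the test itself errors instead of taking a defined branch; `[ "$LOCAL" = "$REMOTE" ]` is the safer form. Since the script is a Jinja template, a short header comment noting that `{{ domain }}` and `{{ onionDomain }}` are filled in by the `template` task would help whoever reads the rendered copy in `/usr/local/bin`.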
| @@ -22,5 +22,5 @@ echo $dTime | ||||
| if [ $dTime -gt $triggerTime ] | ||||
| then  | ||||
|     touch $fileLock | ||||
|     bash $scriptToRun | ||||
|     source $scriptToRun | ||||
| fi | ||||
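Review bot: Replacing `bash $scriptToRun` with `source $scriptToRun` runs imdead.sh inside the deadswitch shell itself, so its `cd $HOME/deadman` and `cd openpunk` change the caller's working directory and any `exit` or unhandled failure inside it ends the deadswitch script before whatever follows the `fi`. If the intent is only to execute the script, `bash "$scriptToRun"` keeps the two isolated; if variables must be shared between them, a comment naming which ones would make that dependency explicit. `$scriptToRun` is unquoted in both versions. The enclosing `if` begins before the hunk.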
| @@ -1,8 +1,7 @@ | ||||
| #!/bin/bash | ||||
| 
 | ||||
| cd $HOME/deadman | ||||
| 
 | ||||
| postPatch='../dead.patch' | ||||
| postPatch='dead.patch' | ||||
| pageName='content/pages/dead.md' | ||||
| currDate=$(date '+%Y-%m-%d') | ||||
| 
 | ||||
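Review bot: `postPatch='dead.patch'` is a relative path, but by the time it is used in `git am $postPatch` (the next hunk) the script has already done `cd openpunk`, so it resolves to `$HOME/deadman/openpunk/dead.patch` inside the fresh clone rather than the file the playbook installs at `/root/deadman/dead.patch`; the removed value `'../dead.patch'` was correct relative to the clone. Unless the patch is also committed in the openpunk repository, `git am` fails and the post is never applied. An absolute value, `postPatch="$HOME/deadman/dead.patch"`, removes the dependence on the current directory entirely.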
| @@ -10,9 +9,11 @@ git clone git@github.com:CPunch/openpunk.git | ||||
| 
 | ||||
| # commit & push the post | ||||
| cd openpunk | ||||
| git am postPatch | ||||
| git am $postPatch | ||||
| # replace our --DATE-- with the current date | ||||
| sed -i 's/--DATE--/'$currDate'/g' $pageName | ||||
| git add . | ||||
| git commit -m "DeadSwitch: No response from CPunch in 14 days, posting dead.md" | ||||
| git push --force | ||||
| 
 | ||||
| updateBlog | ||||
| @@ -6,13 +6,13 @@ | ||||
| 
 | ||||
| - name: Install deadswitch script | ||||
|   copy: | ||||
|     src: static/blog/deadswitch | ||||
|     src: deadswitch | ||||
|     dest: /usr/local/bin/deadswitch | ||||
|     mode: u+rx | ||||
| 
 | ||||
| - name: Install imdead.sh | ||||
|   copy: | ||||
|     src: static/blog/imdead.sh | ||||
|     src: imdead.sh | ||||
|     dest: /root/deadman/imdead.sh | ||||
|     mode: u+rx | ||||
| 
 | ||||
| @@ -22,10 +22,17 @@ | ||||
|     dest: /root/deadman/dead.patch | ||||
|     mode: u+rw | ||||
| 
 | ||||
| # TODO: deadtrigger path should be a variable, no? | ||||
| - name: Check deadtrigger | ||||
|   stat: | ||||
|     path: /root/.deadtrigger | ||||
|   register: deadstat | ||||
| 
 | ||||
| - name: Install deadtrigger | ||||
|   file: | ||||
|     name: /root/.deadtrigger | ||||
|     path: /root/.deadtrigger | ||||
|     state: touch | ||||
|   when: deadstat.stat.exists == false | ||||
| 
 | ||||
| # Run deadswitch daily at 1am | ||||
| - name: Install deadlock cronjob | ||||
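Review bot: `when: deadstat.stat.exists == false` works, but `when: not deadstat.stat.exists` is the idiomatic form and avoids the string-versus-boolean pitfalls of comparing against a literal. With this `stat` guard the trigger is now touched only when it is absent, whereas the README in this same change still says the deadtrigger is set up every run, so one of the two should be updated. `/root/.deadtrigger` is spelled out twice here and presumably again in the deadswitch script; the TODO above could be resolved now with a role default such as `deadtriggerPath: /root/.deadtrigger`. The task list continues after the hunk.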
							
								
								
									
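--- a/roles/essential/tasks/main.yml
+++ b/roles/essential/tasks/main.yml
@@ -0,0 +1,42 @@
+---
+- name: Upgrade Packages
+  apt:
+    update_cache: yes
+    upgrade: full
+
+- name: Install required software
+  package:
+    name:
+      - hugo
+      - git
+      - nginx
+      - tor
+      - ufw
+      - fail2ban
+      - goaccess
+      - htop
+      - sqlite3
+      - zsh # :D
+      - python3-certbot-nginx
+
+- name: Grab package facts
+  package_facts:
+    manager: auto
+  tags: always
+
+- name: Setup zsh
+  user:
+    name: "{{ ansible_user }}"
+    shell: /usr/bin/zsh
+
+- name: Clone Powerlevel10k theme
+  git:
+    repo: "https://github.com/romkatv/powerlevel10k.git"
+    dest: "/root/powerlevel10k"
+    depth: 1
+
+- name: Install .zshrc
+  copy:
+    src: .zshrc
+    dest: /root/.zshrc
+    force: no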
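Review bot: `Setup zsh` changes the login shell of `{{ ansible_user }}`, while `Clone Powerlevel10k theme` and `Install .zshrc` write to `/root`, so unless the connection user is root the theme and rc file land in a home directory the zsh user never reads; either pin the user task to `name: root` or derive both paths from the same variable. `ansible_user` is also only defined when the inventory sets it (the removed workflow did so with `ansible_user=root`), otherwise this task fails on an undefined variable. `apt: upgrade: full` with `update_cache: yes` performs a full distribution upgrade on every run of the playbook; that is a deliberate choice worth a one-line comment above the task.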
| @@ -23,7 +23,7 @@ | ||||
| 
 | ||||
| - name: Copy fail2ban jail config | ||||
|   copy: | ||||
|     src: static/fail2ban/jails.local | ||||
|     src: jails.local | ||||
|     dest: /etc/fail2ban/jail.d/jails.local | ||||
| 
 | ||||
| - name: Enable fail2ban service | ||||
							
								
								
									
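--- a/roles/git/files/.gitconfig
+++ b/roles/git/files/.gitconfig
@@ -0,0 +1,7 @@
+[user]
+email = openpunk@proton.me
+name = OpenPunk
+[core]
+editor = nano
+[pull]
+rebase = true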
| @@ -1,7 +1,7 @@ | ||||
| --- | ||||
| - name: Setup git config | ||||
|   copy: | ||||
|     src: static/.gitconfig | ||||
|     src: .gitconfig | ||||
|     dest: /root/.gitconfig | ||||
|     owner: root | ||||
|     mode: u=rw,g=,o= | ||||
| @@ -12,17 +12,19 @@ | ||||
| - name: Scan for SSH host keys | ||||
|   command: ssh-keyscan github.com 2>/dev/null | ||||
|   register: ssh_scan | ||||
|   changed_when: false | ||||
| 
 | ||||
| - name: Update known_hosts | ||||
|   copy: | ||||
|     content: "{{ ssh_scan.stdout_lines|join('\n')  }}" | ||||
|     dest: /root/.ssh/known_hosts | ||||
| - name: Update .ssh/known_hosts | ||||
|   blockinfile: | ||||
|     path: /root/.ssh/known_hosts | ||||
|     block: "{{ ssh_scan.stdout_lines|join('\n') }}" | ||||
|     insertbefore: BOF | ||||
|     create: yes | ||||
|     owner: root | ||||
|     mode: u=rw,g=,o= | ||||
|     force: no # if we already have a known_hosts file, ignore! | ||||
| 
 | ||||
| # this keypair is trusted under my github account, so it allows my vps to make pushes | ||||
| # to the main branch of my openpunk repository. (for my deadswitch: see static/blog/imdead.sh) | ||||
| # to the main branch of my openpunk repository. (see roles/deadswitch/files/imdead.sh) | ||||
| 
 | ||||
| - name: Install ssh priv key | ||||
|   copy: | ||||
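Review bot: `force: no` is not a parameter of `blockinfile`, and Ansible rejects unsupported module arguments, so the new `Update .ssh/known_hosts` task will most likely fail before it writes anything; `blockinfile` is already idempotent through its marker lines, so the line and its comment can simply be dropped. Separately, the keys are taken on trust from whatever answers `ssh-keyscan github.com` at run time, and `2>/dev/null` hides scan failures: an empty scan writes an empty block and the later clone stalls on host verification. Shipping GitHub's published host keys as a file in the role and copying that, or at minimum adding `failed_when: ssh_scan.stdout == ""` to the scan task, removes that trust-on-first-use window. The task list continues after the hunk.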
							
								
								
									
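--- a/roles/gitea/defaults/main.yml
+++ b/roles/gitea/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+giteaPort: 3000
+giteaBackup: backups/gitea-dump.zip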
							
								
								
									
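--- a/roles/gitea/tasks/backup.yml
+++ b/roles/gitea/tasks/backup.yml
@@ -0,0 +1,51 @@
+---
+# based on advice from https://docs.gitea.io/en-us/backup-and-restore/
+
+- name: Stop Gitea
+  systemd:
+    name: gitea
+    enabled: yes
+    state: stopped
+  tags: backup
+
+- name: Make Temp dir
+  file:
+    path: /etc/gitea/temp
+    state: directory
+    owner: gitea
+  tags: backup
+
+- name: Dump Gitea
+  shell:
+    cmd: gitea dump -c /etc/gitea/app.ini --work-path=/etc/gitea --file=gitea-dump.zip --tempdir=/etc/gitea/temp
+    chdir: /etc/gitea
+  become: true
+  become_method: su
+  become_user: gitea
+  tags: backup
+
+- name: Fetch backup
+  fetch:
+    src: /etc/gitea/gitea-dump.zip
+    dest: "{{ giteaBackup }}"
+    flat: true
+  tags: backup
+
+- name: Remove remote dump
+  file:
+    path: "{{ giteaBackup }}"
+    state: absent
+  tags: backup
+
+- name: Remove Temp
+  file:
+    path: /etc/gitea/temp
+    state: absent
+  tags: backup
+
+- name: Start Gitea
+  systemd:
+    name: gitea
+    enabled: yes
+    state: started
+  tags: backup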
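Review bot: `Remove remote dump` deletes `path: "{{ giteaBackup }}"`, which is `backups/gitea-dump.zip` — a path relative to the remote user's working directory — while the file actually produced and fetched is `/etc/gitea/gitea-dump.zip`. The task therefore reports ok without removing anything, and a complete dump (the sqlite database and every repository, per what restore.yml unpacks) is left on the server after each backup. `path: /etc/gitea/gitea-dump.zip` is the intended target; `giteaBackup` is the controller-side destination that only `fetch` should use. A comment on the variable in defaults/main.yml saying it is a local path would prevent the same mix-up later.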
							
								
								
									
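--- a/roles/gitea/tasks/main.yml
+++ b/roles/gitea/tasks/main.yml
@@ -0,0 +1,29 @@
+---
+- name: "Install gitea"
+  include_role:
+    name: l3d.gitea
+  vars:
+    gitea_fqdn: 'git.{{ domain }}'
+    gitea_home: '/var/lib/gitea'
+    gitea_db_type: 'sqlite3'
+    gitea_theme_default: 'arc-green'
+    gitea_root_url: 'https://git.{{ domain }}'
+    gitea_protocol: http
+    gitea_http_port: "{{ giteaPort }}"
+    gitea_ssh_port: 22
+    gitea_start_ssh: false
+    gitea_allow_only_internal_registration: true
+    gitea_disable_registration: true
+    gitea_require_signin: false
+
+- name: Backup db
+  include_tasks: backup.yml
+  tags:
+    - never
+    - backup
+
+- name: Restore db
+  include_tasks: restore.yml
+  tags:
+    - never
+    - restore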
							
								
								
									
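--- a/roles/gitea/tasks/restore.yml
+++ b/roles/gitea/tasks/restore.yml
@@ -0,0 +1,96 @@
+---
+# based on advice from https://docs.gitea.io/en-us/backup-and-restore/
+
+- name: Stop Gitea
+  systemd:
+    name: gitea
+    enabled: yes
+    state: stopped
+  tags: restore
+
+- name: Make restore dir
+  file:
+    path: /etc/gitea/gitea-dump
+    state: directory
+    owner: gitea
+  tags: restore
+
+- name: Extract backup to host
+  unarchive:
+    src: "{{ giteaBackup }}"
+    dest: /etc/gitea/gitea-dump
+    owner: gitea
+  tags: restore
+
+- name: Delete Gitea
+  file:
+    path: /var/lib/gitea
+    state: absent
+  tags: restore
+
+- name: Create Gitea
+  file:
+    path: /var/lib/gitea
+    state: directory
+    owner: gitea
+  tags: restore
+
+- name: Install data
+  copy:
+    src: /etc/gitea/gitea-dump/data/
+    dest: /var/lib/gitea/data
+    remote_src: true
+    owner: gitea
+  tags: restore
+
+- name: Install log
+  copy:
+    src: /etc/gitea/gitea-dump/log/
+    dest: /var/lib/gitea/log/
+    remote_src: true
+    owner: gitea
+  tags: restore
+  ignore_errors: true
+
+- name: Install repositories
+  copy:
+    src: /etc/gitea/gitea-dump/repos/
+    dest: /var/lib/gitea/gitea-repositories/
+    remote_src: true
+    owner: gitea
+  tags: restore
+
+# - name: Install config
+#   copy:
+#     src: /etc/gitea/gitea-dump/app.ini
+#     dest: /etc/gitea/app.ini
+#     owner: gitea
+#     remote_src: true
+#   tags: restore
+
+- name: Remove sqlite3 db
+  file:
+    path: /var/lib/gitea/data/gitea.db
+    state: absent
+  tags: restore
+
+- name: Generate sqlite3 db
+  shell: sqlite3 /var/lib/gitea/data/gitea.db </etc/gitea/gitea-dump/gitea-db.sql
+  become: true
+  become_method: su
+  become_user: gitea
+  tags: restore
+
+- name: Start Gitea
+  systemd:
+    name: gitea
+    enabled: yes
+    state: started
+  tags: restore
+
+- name: Finalize
+  shell: gitea admin regenerate hooks -c /etc/gitea/gitea.ini
+  become: true
+  become_method: su
+  become_user: gitea
+  tags: restore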
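Review bot: `Finalize` passes `-c /etc/gitea/gitea.ini`, while the dump in backup.yml and the commented-out config copy above both use `/etc/gitea/app.ini`, so the hook regeneration most likely points at a config file that does not exist; `-c /etc/gitea/app.ini` matches the rest of the role. `Delete Gitea` wipes `/var/lib/gitea` as soon as the archive has been unpacked, before anything confirms the dump is usable; a `stat` on `/etc/gitea/gitea-dump/gitea-db.sql` with a `failed_when` ahead of the delete would stop a bad archive from destroying a live instance. `Install log` carries `ignore_errors: true` with no comment saying why a failure there is acceptable, e.g. `# log/ may be absent from older dumps`. The extracted dump directory is also never removed, unlike the temp dir in backup.yml.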
| @@ -1,5 +1,5 @@ | ||||
| --- | ||||
| - name: Copy goaccess config | ||||
|   copy: | ||||
|     src: static/goaccess/goaccess.conf | ||||
|     src: goaccess.conf | ||||
|     dest: /etc/goaccess/goaccess.conf | ||||
							
								
								
									
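--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -0,0 +1,63 @@
+---
+- name: "Stop Nginx"
+  systemd:
+    name: nginx
+    state: stopped
+
+- name: "Setup Certbot"
+  include_role:
+    name: geerlingguy.certbot
+  vars:
+    certbot_admin_email: "{{ contact_email }}"
+    certbot_create_if_missing: true
+    certbot_create_standalone_stop_services: []
+    certbot_certs:
+      - domains:
+          - "{{ domain }}"
+          - "git.{{ domain }}"
+
+- name: "Install Nginx"
+  include_role:
+    name: geerlingguy.nginx
+  vars:
+    nginx_listen_ipv6: true
+    nginx_vhosts:
+      - listen: "443 ssl http2"
+        server_name: "{{ domain }}"
+        root: "/var/www/{{ domain }}/public"
+        index: "index.html index.htm"
+        extra_parameters: |
+          location / {
+            add_header Permissions-Policy interest-cohort=();
+            try_files $uri $uri/ =404;
+          }
+          ssl_certificate     /etc/letsencrypt/live/{{ domain }}/fullchain.pem;
+          ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem;
+          ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
+          ssl_ciphers         HIGH:!aNULL:!MD5;
+      - listen: "443 ssl http2"
+        server_name: "git.{{ domain }}"
+        client_max_body_size: "100M"
+        extra_parameters: |
+          location / {
+            add_header Permissions-Policy interest-cohort=();
+            proxy_pass http://localhost:{{ giteaPort }};
+          }
+          ssl_certificate     /etc/letsencrypt/live/{{ domain }}/fullchain.pem;
+          ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem;
+          ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
+          ssl_ciphers         HIGH:!aNULL:!MD5;
+      - listen: "2171"
+        server_name: "{{ onionDomain }}"
+        root: "/var/www/{{ domain }}/tor"
+        index: "index.html index.htm"
+        extra_parameters: |
+          location / {
+            add_header Permissions-Policy interest-cohort=();
+            try_files $uri $uri/ =404;
+          }
+
+- name: "Start Nginx"
+  systemd:
+    name: nginx
+    state: started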
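Review bot: Both TLS vhosts set `ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3`; TLS 1.1 is deprecated (RFC 8996) and no current client needs it, so `ssl_protocols       TLSv1.2 TLSv1.3;` is the line to use, and since the two `extra_parameters` blocks repeat the same four `ssl_*` lines a shared variable would keep them from drifting apart. The onion vhost's `listen: "2171"` binds every interface, so unless the firewall role (not part of this change) blocks the port, the hidden-service content is also reachable directly on the public address; `listen: "127.0.0.1:2171"` limits it to the local Tor daemon, which is the only intended client. The `Referrer-Policy` header that the removed site.conf set is not carried over to the new `{{ domain }}` vhost; if that was intentional a comment saying so would help.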
| @@ -1,7 +1,7 @@ | ||||
| --- | ||||
| - name: Install torrc | ||||
|   template: | ||||
|     src: templates/tor/torrc | ||||
|     src: templates/torrc | ||||
|     dest: /etc/tor/torrc | ||||
|     owner: root | ||||
|     group: root | ||||
| @@ -23,7 +23,7 @@ | ||||
|     group: debian-tor | ||||
|     mode: u=rw,g=,o= | ||||
| 
 | ||||
| - name: Reload Tor | ||||
| - name: Enable Tor Service | ||||
|   systemd: | ||||
|     name: tor | ||||
|     enabled: yes | ||||
							
								
								
									
										31
									
								
								run.yml
									
									
									
									
									
								
							| @@ -1,21 +1,22 @@ | ||||
| --- | ||||
| - hosts: all | ||||
|   become: yes | ||||
|   vars: | ||||
|     - giteaPort: 3000 | ||||
|  | ||||
|   vars_files: | ||||
|     - group_vars/all.yml | ||||
|  | ||||
|   vars_prompt: | ||||
|     - name: domain | ||||
|       prompt: domain pointing to the vps | ||||
|       private: no | ||||
|  | ||||
|   tasks: | ||||
|     - import_tasks: tasks/essential.yml | ||||
|     - import_tasks: tasks/firewall.yml | ||||
|     - import_tasks: tasks/blog.yml | ||||
|     - import_tasks: tasks/gitea.yml | ||||
|     - import_tasks: tasks/tor.yml | ||||
|     - import_tasks: tasks/nginx.yml | ||||
|     - import_tasks: tasks/git.yml | ||||
|     - import_tasks: tasks/goaccess.yml | ||||
|     - import_tasks: tasks/deadswitch.yml | ||||
|   roles: | ||||
|     - role: essential | ||||
|     - role: firewall | ||||
|     - role: git | ||||
|       tags: secrets | ||||
|     - role: deadswitch | ||||
|       tags: secrets | ||||
|     - role: blog | ||||
|     - role: gitea | ||||
|     - role: nginx | ||||
|     - role: goaccess | ||||
|     - role: tor | ||||
|       tags: secrets | ||||
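Review bot: The `nginx` role reads `{{ giteaPort }}` (roles/nginx/tasks/main.yml in this change), but the variable is defined only in roles/gitea/defaults/main.yml, so it resolves here solely because `gitea` precedes `nginx` in the list and role defaults are exported to the rest of the play; reordering the roles would break nginx with an undefined variable, and the removed `vars: - giteaPort: 3000` was what previously made it play-wide. Declaring `giteaPort` next to `domain` and `onionDomain` in the vars file touched earlier in this change (apparently group_vars/all.yml), or listing `gitea` under the nginx role's `meta/main.yml` dependencies, makes the coupling explicit. A short comment above `roles:` noting that the order matters would help until then.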
							
								
								
									
										2
									
								
								secrets
									
									
									
									
									
								
							 Submodule secrets updated: 585d0fd7dd...e643deb62e
									
								
							| @@ -1,7 +0,0 @@ | ||||
| [user] | ||||
|         email = openpunk@proton.me | ||||
|         name = OpenPunk | ||||
| [core] | ||||
|         editor = nano | ||||
| [pull] | ||||
|         rebase = true | ||||
| @@ -1,52 +0,0 @@ | ||||
| user www-data; | ||||
| worker_processes auto; | ||||
| include /etc/nginx/modules-enabled/*.conf; | ||||
| pid /run/nginx.pid; | ||||
|  | ||||
| events { | ||||
|     worker_connections 768; | ||||
| } | ||||
|  | ||||
| http { | ||||
|  | ||||
|     ## | ||||
|     # Basic Settings | ||||
|     ## | ||||
|  | ||||
|     sendfile on; | ||||
|     tcp_nopush on; | ||||
|     tcp_nodelay on; | ||||
|     keepalive_timeout 65; | ||||
|     types_hash_max_size 2048; | ||||
|  | ||||
|     include /etc/nginx/mime.types; | ||||
|     default_type application/octet-stream; | ||||
|  | ||||
|     ## | ||||
|     # SSL Settings | ||||
|     ## | ||||
|  | ||||
|     ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE | ||||
|     ssl_prefer_server_ciphers on; | ||||
|  | ||||
|     ## | ||||
|     # Logging Settings | ||||
|     ## | ||||
|  | ||||
|     access_log /var/log/nginx/access.log; | ||||
|     error_log /var/log/nginx/error.log; | ||||
|  | ||||
|     ## | ||||
|     # Gzip Settings | ||||
|     ## | ||||
|  | ||||
|     gzip on; | ||||
|     gzip_disable "msie6"; | ||||
|  | ||||
|     ## | ||||
|     # Virtual Host Configs | ||||
|     ## | ||||
|  | ||||
|     include /etc/nginx/conf.d/*.conf; | ||||
|     include /etc/nginx/sites-enabled/*; | ||||
| } | ||||
| @@ -1,46 +0,0 @@ | ||||
| --- | ||||
| - name: Add Gitea repo key | ||||
|   shell: curl -s https://packaging.gitlab.io/gitea/gpg.key | sudo gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/morph027-gitea.gpg --import | ||||
|  | ||||
| - name: Set key perms | ||||
|   shell: sudo chmod 644 /etc/apt/trusted.gpg.d/morph027-gitea.gpg | ||||
|  | ||||
| - name: Add Gitea repo | ||||
|   apt_repository: | ||||
|     filename: morph027-gitea | ||||
|     repo: deb https://packaging.gitlab.io/gitea gitea main | ||||
|  | ||||
| - name: Upgrade Packages | ||||
|   apt: | ||||
|     update_cache: yes | ||||
|     upgrade: full | ||||
|  | ||||
| - name: Install required software | ||||
|   package: | ||||
|     name: | ||||
|       - hugo | ||||
|       - gitea | ||||
|       - git | ||||
|       - nginx | ||||
|       - tor | ||||
|       - ufw | ||||
|       - fail2ban | ||||
|       - goaccess | ||||
|       - htop | ||||
|       - zsh # :D | ||||
|       - python3-certbot-nginx | ||||
|  | ||||
| - name: Setup default shell (zsh) | ||||
|   shell: chsh -s /usr/bin/zsh | ||||
|  | ||||
| - name: Clone Powerlevel10k theme | ||||
|   git: | ||||
|     repo: "https://github.com/romkatv/powerlevel10k.git" | ||||
|     dest: "/root/powerlevel10k" | ||||
|     depth: 1 | ||||
|  | ||||
| - name: Install .zshrc | ||||
|   copy: | ||||
|     src: static/.zshrc | ||||
|     dest: /root/.zshrc | ||||
|     force: no | ||||
| @@ -1,13 +0,0 @@ | ||||
| --- | ||||
| - name: Configure Gitea | ||||
|   template: | ||||
|     src: templates/gitea/app.ini | ||||
|     dest: /etc/gitea/app.ini | ||||
|     owner: gitea | ||||
|     force: no # we don't want to kill our existing config D: | ||||
|  | ||||
| - name: Reload Gitea | ||||
|   systemd: | ||||
|     name: gitea | ||||
|     enabled: yes | ||||
|     state: started | ||||
| @@ -1,52 +0,0 @@ | ||||
| --- | ||||
| - name: Remove default nginx config | ||||
|   file: | ||||
|     name: /etc/nginx/sites-enabled | ||||
|     state: absent | ||||
|  | ||||
| - name: Restore sites-enabled | ||||
|   file: | ||||
|     name: /etc/nginx/sites-enabled | ||||
|     state: directory | ||||
|  | ||||
| - name: Install system nginx config | ||||
|   copy: | ||||
|     src: static/nginx/nginx.conf | ||||
|     dest: /etc/nginx/nginx.conf | ||||
|  | ||||
| # setup our configs for each host (we don't want to  | ||||
| # overwrite certbot's changes, so if it already exists, | ||||
| # don't copy!) | ||||
|  | ||||
| - name: Install nginx config for {{ domain }} | ||||
|   template: | ||||
|     src: templates/nginx/site.conf | ||||
|     dest: /etc/nginx/conf.d/{{ domain }}.conf | ||||
|     force: no | ||||
|  | ||||
| - name: Install nginx config for git.{{ domain }} | ||||
|   template: | ||||
|     src: templates/nginx/gitea.conf | ||||
|     dest: /etc/nginx/conf.d/git.{{ domain }}.conf | ||||
|     force: no | ||||
|  | ||||
| - name: Install nginx config for our Hidden Service | ||||
|   template: | ||||
|     src: templates/nginx/tor.conf | ||||
|     dest: /etc/nginx/conf.d/tor-{{ domain }}.conf | ||||
|     force: no | ||||
|  | ||||
| - name: Reload Nginx to install LetsEncrypt | ||||
|   service: | ||||
|     name: nginx | ||||
|     state: restarted | ||||
|  | ||||
| # certbot is a life saver. thank you certbot devs! | ||||
| - name: Setup certbot | ||||
|   shell: "certbot --nginx --non-interactive --agree-tos -m {{ contact_email }} -d {{ domain }} -d git.{{ domain }}" | ||||
|  | ||||
| - name: Reload Nginx with LetsEncrypt installed | ||||
|   systemd: | ||||
|     name: nginx | ||||
|     enabled: yes | ||||
|     state: restarted | ||||
| @@ -1,5 +0,0 @@ | ||||
| #!/bin/bash | ||||
| cd /var/www/{{ domain }} | ||||
| /usr/bin/git fetch origin | ||||
| /usr/bin/git reset --hard origin/main | ||||
| /usr/bin/hugo | ||||
| @@ -1,60 +0,0 @@ | ||||
| APP_NAME = OpenPunk Gitea | ||||
| RUN_USER = gitea | ||||
| RUN_MODE = prod | ||||
|  | ||||
| [database] | ||||
| DB_TYPE  = sqlite3 | ||||
| HOST     = 127.0.0.1:5432 | ||||
| NAME     = gitea | ||||
| USER     = gitea | ||||
| PASSWD   =  | ||||
| SSL_MODE = disable | ||||
| CHARSET  = utf8 | ||||
| PATH     = /var/lib/gitea/data/gitea.db | ||||
|  | ||||
| [repository] | ||||
| ROOT = /var/lib/gitea/gitea-repositories | ||||
|  | ||||
| [server] | ||||
| SSH_DOMAIN       = git.{{ domain }} | ||||
| DOMAIN           = git.{{ domain }} | ||||
| HTTP_PORT        = 3000 | ||||
| ROOT_URL         = https://git.{{ domain }}/ | ||||
| DISABLE_SSH      = false | ||||
| SSH_PORT         = 22 | ||||
| LFS_START_SERVER = false | ||||
| OFFLINE_MODE     = false | ||||
|  | ||||
| [mailer] | ||||
| ENABLED = false | ||||
|  | ||||
| [service] | ||||
| REGISTER_EMAIL_CONFIRM            = false | ||||
| ENABLE_NOTIFY_MAIL                = false | ||||
| DISABLE_REGISTRATION              = true | ||||
| ALLOW_ONLY_EXTERNAL_REGISTRATION  = false | ||||
| ENABLE_CAPTCHA                    = false | ||||
| REQUIRE_SIGNIN_VIEW               = false | ||||
| DEFAULT_KEEP_EMAIL_PRIVATE        = false | ||||
| DEFAULT_ALLOW_CREATE_ORGANIZATION = true | ||||
| DEFAULT_ENABLE_TIMETRACKING       = true | ||||
| NO_REPLY_ADDRESS                  = noreply.localhost | ||||
|  | ||||
| [picture] | ||||
| DISABLE_GRAVATAR        = true | ||||
| ENABLE_FEDERATED_AVATAR = false | ||||
|  | ||||
| [openid] | ||||
| ENABLE_OPENID_SIGNIN = false | ||||
| ENABLE_OPENID_SIGNUP = false | ||||
|  | ||||
| [session] | ||||
| PROVIDER = file | ||||
|  | ||||
| [log] | ||||
| MODE      = file | ||||
| LEVEL     = info | ||||
| ROOT_PATH = /var/lib/gitea/log | ||||
|  | ||||
| [ui] | ||||
| DEFAULT_THEME = arc-green | ||||
| @@ -1,11 +0,0 @@ | ||||
| server { | ||||
|     server_name git.{{ domain }}; | ||||
|     listen 80; | ||||
|  | ||||
|     location / { | ||||
|         add_header Permissions-Policy interest-cohort=(); | ||||
|         proxy_pass http://localhost:3000; | ||||
|     } | ||||
|  | ||||
|     client_max_body_size 100M; | ||||
| } | ||||
| @@ -1,13 +0,0 @@ | ||||
| server { | ||||
|     server_name {{ domain }}; | ||||
|     listen 80; | ||||
|  | ||||
|     root /var/www/{{ domain }}/public; | ||||
|     index index.html index.htm; | ||||
|  | ||||
|     location / { | ||||
|         add_header Permissions-Policy interest-cohort=(); | ||||
|         add_header Referrer-Policy: "no-referrer"; | ||||
|         try_files $uri $uri/ =404; | ||||
|     } | ||||
| } | ||||
| @@ -1,12 +0,0 @@ | ||||
| server { | ||||
|     root /var/www/{{ domain }}/public; | ||||
|     index index.html index.htm; | ||||
|  | ||||
|     location / { | ||||
|         add_header Permissions-Policy interest-cohort=(); | ||||
|         try_files $uri $uri/ =404; | ||||
|     } | ||||
|  | ||||
|     # our tor hidden service is hosted on this port | ||||
|     listen 2171; | ||||
| } | ||||