-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | ansible.cfg | 3 | ||||
-rw-r--r-- | bootstrap_nategb.yml | 187 | ||||
-rw-r--r-- | bootstrap_nategb_debian.yml | 180 | ||||
-rw-r--r-- | files/conf.d/cgit.conf | 25 | ||||
-rw-r--r-- | files/conf.d/cgit.conf.debian | 26 | ||||
-rw-r--r-- | files/conf.d/nategb.conf | 15 | ||||
-rw-r--r-- | files/etc/cgitrc | 18 | ||||
-rw-r--r-- | files/etc/cgitrc.debian | 17 | ||||
-rw-r--r-- | files/etc/nginx.conf | 31 | ||||
-rw-r--r-- | files/nategb-root/index.html | 57 | ||||
-rw-r--r-- | files/nategb-root/style.css | 14 | ||||
-rw-r--r-- | sh/update_packages.sh | 1 | ||||
-rw-r--r-- | update_packages.yml | 20 |
14 files changed, 595 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e845c18
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+inventory
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..01658a1
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,3 @@
+[defaults]
+inventory = inventory
+private_key_file = ~/.ssh/ansible
diff --git a/bootstrap_nategb.yml b/bootstrap_nategb.yml
new file mode 100644
index 0000000..72421e0
--- /dev/null
+++ b/bootstrap_nategb.yml
@@ -0,0 +1,187 @@ +--- + +- hosts: nategb + become: true + vars: + sudoers: + - n8 + tasks: + + - name: pacman -Syu + tags: nategb + pacman: + upgrade: yes + update_cache: yes + when: ansible_distribution == "Archlinux" + + - name: pacman -S nginx, etc. + tags: nategb + pacman: + name: + - base-devel + - git + - tmux + - tor + - rsync + - neovim + - nginx + - cgit + - fcgiwrap + - certbot + - certbot-nginx + update_cache: yes + state: present + when: ansible_distribution == "Archlinux" + + - name: gather package facts + tags: nategb + package_facts: + manager: pacman + when: ansible_distribution == "Archlinux" + + - name: install sudo if not already installed + tags: nategb + pacman: + name: + - sudo + update_cache: yes + state: present + when: "'sudo' not in ansible_facts.packages" + + - name: Make sure 'wheel' group exists + group: + name: wheel + state: present + + - name: Allow 'wheel' group to use sudo + tags: nategb, sudo + lineinfile: + dest: /etc/sudoers + state: present + regexp: '^%wheel' + line: '%wheel ALL=(ALL) ALL' + validate: 'visudo -cf %s' + when: "'sudo' in ansible_facts.packages" + + - name: add users + tags: nategb + user: + name: "{{ item }}" + groups: wheel + append: yes + state: present + with_items: "{{ sudoers }}" + + - name: add ssh keys to users + tags: nategb + authorized_key: + user: "{{ item }}" + state: present + key: "{{ lookup('file', '/home/n8/.ssh/id_ed25519.pub') }}" + with_items: "{{ sudoers }}" + + + - name: secure sshd + lineinfile: + dest: /etc/ssh/sshd_config + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + state: present + validate: 'sshd -T -f %s' + with_items: + - regexp: "^PasswordAuthentication" + line: "PasswordAuthentication no" + - regexp: "^PermitRootLogin" + line: "PermitRootLogin prohibit-password" + + - name: copy nginx.conf to nginx on server + tags: nginx, nategb + copy: + src: files/etc/nginx.conf + dest: /etc/nginx/nginx.conf + owner: root + group: root + mode: 0644 + + - name: mkdir conf.d + tags: 
nginx, nategb + file: + path: /etc/nginx/conf.d + state: directory + mode: 0755 + + - name: copy nategb.conf to nginx on server + tags: nginx, nategb + copy: + force: no + src: files/conf.d/nategb.conf + dest: /etc/nginx/conf.d/nategb.conf + owner: root + group: root + mode: 0644 + + - name: copy cgit.conf to nginx on server + tags: nginx, nategb + copy: + force: no + src: files/conf.d/cgit.conf + dest: /etc/nginx/conf.d/cgit.conf + owner: root + group: root + mode: 0644 + + - name: copy cgitrc to server + tags: nginx, cgit, nategb + copy: + src: files/etc/cgitrc + dest: /etc/cgitrc + owner: root + group: root + mode: 0644 + + - name: create /var/www/nategb + tags: nginx, nategb + file: + path: /var/www/nategb + state: directory + mode: 0755 + +#can an absolute path be given here? + - name: copy web files + synchronize: + src: files/nategb-root/ + dest: /var/www/nategb + rsync_opts: + - "-r" + - "-d" + - "-v" + - "-l" + - "-P" + - "--delete" + + - name: start nginx service + tags: nginx, nategb + service: + name: nginx + enabled: yes + state: started + + - name: reload nginx service + tags: nginx, nategb + service: + name: nginx + state: reloaded + + - name: start fcgiwrap service + tags: nategb + service: + name: fcgiwrap + enabled: yes + state: started + + - name: start fcgiwrap socket + tags: nategb + service: + name: fcgiwrap.socket + enabled: yes + state: started diff --git a/bootstrap_nategb_debian.yml b/bootstrap_nategb_debian.yml new file mode 100644 index 0000000..1134a50 --- /dev/null +++ b/bootstrap_nategb_debian.yml 
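Review bot: The `Allow 'wheel' group to use sudo` task is gated on `when: "'sudo' in ansible_facts.packages"`, but `package_facts` runs before the `install sudo if not already installed` task, so on a host where sudo was missing the gate sees stale facts and the sudoers line is skipped — the users in `sudoers` land in wheel with no working sudo. Either drop that `when` (sudo is guaranteed installed by then and `visudo -cf` still validates the file) or re-run `package_facts` after the install. The `secure sshd` task never notifies anything, so `PasswordAuthentication no` is not in force until sshd is restarted by some other means; add `notify: restart sshd` and a matching handler that calls `service: name=sshd state=restarted`. On images whose stock `sshd_config` starts with `Include /etc/ssh/sshd_config.d/*.conf` (cloud-init drops one there), first match wins and the appended line is shadowed, so verify the result with `sshd -T | grep -i passwordauth` on the target rather than trusting the lineinfile.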
@@ -0,0 +1,180 @@ +--- + +# caveats: ufw will mess with this. the default nginx vhost in sites-enabled +# may mess with this. the server_name causes a 502 error unless DNS is set up. +# cgit has not been extensively tested + +- hosts: nategb + become: true + vars: + sudoers: + - n8 + tasks: + + - name: Install updates (apt) + ansible.builtin.apt: + name: "*" + state: latest + update_cache: yes + when: + - ansible_os_family == "Debian" + + - name: apt install nginx, etc. + tags: nategb + apt: + name: + - git + - tmux + - tor + - rsync + - neovim + - nginx + - cgit + - fcgiwrap + - python3-certbot-nginx + update_cache: yes + when: ansible_os_family == "Debian" + + - name: gather package facts + tags: nategb + package_facts: + manager: apt + when: ansible_os_family == "Debian" + + - name: install sudo if not already installed + tags: nategb + apt: + name: + - sudo + update_cache: yes + when: "'sudo' not in ansible_facts.packages" + + - name: Make sure 'sudo' group exists + group: + name: sudo + state: present + + - name: Allow 'sudo' group to use sudo + tags: nategb, sudo + lineinfile: + dest: /etc/sudoers + state: present + regexp: '^%sudo' + line: '%sudo ALL=(ALL) ALL' + validate: 'visudo -cf %s' + when: "'sudo' in ansible_facts.packages" + + - name: add users + tags: nategb + user: + name: "{{ item }}" + groups: sudo + append: yes + with_items: "{{ sudoers }}" + + - name: add ssh keys to users + tags: nategb + authorized_key: + user: "{{ item }}" + state: present + key: "{{ lookup('file', '/home/n8/.ssh/id_ed25519.pub') }}" + with_items: "{{ sudoers }}" + + + - name: secure sshd + lineinfile: + dest: /etc/ssh/sshd_config + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + state: present + validate: 'sshd -T -f %s' + with_items: + - regexp: "^PasswordAuthentication" + line: "PasswordAuthentication no" + - regexp: "^PermitRootLogin" + line: "PermitRootLogin prohibit-password" + + - name: copy nategb.conf to nginx on server + tags: nginx, nategb + copy: + src: 
files/conf.d/nategb.conf + dest: /etc/nginx/sites-available/nategb.conf + owner: root + group: root + mode: 0644 + + - name: copy cgit.conf to nginx on server + tags: nginx, nategb + copy: + src: files/conf.d/cgit.conf.debian + dest: /etc/nginx/sites-available/cgit.conf + owner: root + group: root + mode: 0644 + + - name: copy cgitrc to server + tags: nginx, cgit, nategb + copy: + src: files/etc/cgitrc.debian + dest: /etc/cgitrc + owner: root + group: root + mode: 0644 + + - name: create /var/www/nategb + tags: nginx, nategb + file: + path: /var/www/nategb + state: directory + mode: 0755 + + + - name: copy web files + synchronize: + src: files/nategb-root/ + dest: /var/www/nategb + rsync_opts: + - "-r" + - "-d" + - "-v" + - "-l" + - "-P" + - "--delete" + +# https://badzilla.co.uk/ansible-tasks-create-symbolic-links-nginx-apache-sites-enabled-directory + - name: Apply symlinks in sites-enabled + file: + dest: /etc/nginx/sites-enabled/{{ item }} + src: /etc/nginx/sites-available/{{ item }} + state: link + force: yes + with_items: + - nategb.conf + - cgit.conf + + - name: start nginx service + tags: nginx, nategb + service: + name: nginx + enabled: yes + state: started + + - name: reload nginx service + tags: nginx, nategb + service: + name: nginx + state: reloaded + + - name: start fcgiwrap service + tags: nategb + service: + name: fcgiwrap + enabled: yes + state: started + + - name: start fcgiwrap socket + tags: nategb + service: + name: fcgiwrap.socket + enabled: yes + state: started diff --git a/files/conf.d/cgit.conf b/files/conf.d/cgit.conf new file mode 100644 index 0000000..d4ae100 --- /dev/null +++ b/files/conf.d/cgit.conf 
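Review bot: The `copy` tasks for `sites-available/nategb.conf` and `sites-available/cgit.conf` have no `force: no`, unlike the Arch playbook, so every re-run overwrites them; since `python3-certbot-nginx` is installed here and certbot's nginx plugin edits the vhost file in place to add the TLS listener, a re-run would silently revert both sites to HTTP-only. Add `force: no` to both copies as the Arch version does, or keep the TLS configuration in a file this playbook does not manage. The stale `package_facts` gate from the Arch playbook is repeated here (`when: "'sudo' in ansible_facts.packages"` is evaluated against facts gathered before the sudo install) and `secure sshd` still has no handler to restart sshd. The header comment already warns that the default vhost in sites-enabled interferes; a task `file: { path: /etc/nginx/sites-enabled/default, state: absent }` before the nginx reload would close that out instead of leaving it as a caveat.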
@@ -0,0 +1,25 @@
+server {
+ listen [::]:80;
+ listen 80;
+
+ server_name git.nategb.xyz git.natebuttke.com;
+
+ # Path to the static web resources of cgit
+ root /usr/share/webapps/cgit;
+
+ try_files $uri @cgit;
+
+ location @cgit {
+ include fastcgi_params;
+
+ # Path to the CGI script that comes with cgit
+ fastcgi_param SCRIPT_FILENAME /usr/share/webapps/cgit/cgit.cgi;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_param QUERY_STRING $args;
+ fastcgi_param HTTP_HOST $server_name;
+
+ # Path to the socket file that is created/used by fcgiwrap
+ fastcgi_pass unix:/run/fcgiwrap.sock;
+ }
+
+}
diff --git a/files/conf.d/cgit.conf.debian b/files/conf.d/cgit.conf.debian
new file mode 100644
index 0000000..c2e4259
--- /dev/null
+++ b/files/conf.d/cgit.conf.debian
@@ -0,0 +1,26 @@
+server {
+ listen [::]:80;
+ listen 80;
+
+ server_name git.nategb.xyz git.natebuttke.com;
+
+ # Path to the static web resources of cgit
+ root /usr/share/cgit;
+
+ try_files $uri @cgit;
+
+ location @cgit {
+ include fastcgi_params;
+
+ # Path to the CGI script that comes with cgit
+ fastcgi_param SCRIPT_FILENAME /usr/lib/cgit/cgit.cgi;
+
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_param QUERY_STRING $args;
+ fastcgi_param HTTP_HOST $server_name;
+
+ # Path to the socket file that is created/used by fcgiwrap
+ fastcgi_pass unix:/run/fcgiwrap.socket;
+ }
+
+}
diff --git a/files/conf.d/nategb.conf b/files/conf.d/nategb.conf
new file mode 100644
index 0000000..313befc
--- /dev/null
+++ b/files/conf.d/nategb.conf
@@ -0,0 +1,15 @@
+server {
+ listen 80 ;
+ listen [::]:80 ;
+ server_name nategb.xyz natebuttke.com ;
+ root /var/www/nategb ;
+ index index.html index.htm index.nginx-debian.html ;
+
+ add_header Onion-Location http://nategbee2zejhurhw3fbhbc5pzgu2hzerydy7ajs2tclnbxhwoc6icqd.onion$request_uri ;
+ expires 1y;
+ add_header Cache-Control "public, no-transform";
+
+ location / {
+ try_files $uri.html $uri $uri/ =404 ;
+ }
+}
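Review bot: `root /usr/share/webapps/cgit` is the same directory that holds `cgit.cgi` (see `SCRIPT_FILENAME`), and the server-level `try_files $uri @cgit` serves any existing file under root statically, so `GET /cgit.cgi` returns the CGI binary itself as `application/octet-stream` instead of running it. Add `location = /cgit.cgi { return 404; }` (or narrow static serving to the css/png assets) so only cgit's static resources are reachable by path. The Debian variant is not affected because its script lives in `/usr/lib/cgit`, outside the root. A short comment above `try_files` noting that root and the CGI share a directory would stop the next edit from reintroducing this.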
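Review bot: `expires 1y;` sits at server level, so it applies to every response including `index.html`, and together with `Cache-Control "public, no-transform"` it lets browsers and any intermediary keep a stale homepage for up to a year after the playbook's `rsync --delete` pushes a new one; scope it as `location ~* \.(css|png|gif)$ { expires 1y; }` and leave HTML uncached or short-lived. As far as I recall the Tor spec, Tor Browser only honours `Onion-Location` on pages served over HTTPS, and this block only listens on 80, so the header is inert until a TLS listener exists — worth a comment so it is not mistaken for a working redirect. Minor style: the space before `;` on the first six directives is inconsistent with the rest of the file.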
diff --git a/files/etc/cgitrc b/files/etc/cgitrc
new file mode 100644
index 0000000..809851b
--- /dev/null
+++ b/files/etc/cgitrc
@@ -0,0 +1,18 @@
+#
+# cgit config
+# see cgitrc(5) for details
+
+#paths within /usr/share/webapps/cgit
+css=/cgit.css
+logo=
+ #/cgit.png
+
+#Folder with all git repositories
+scan-path=/srv/git/
+
+# root for all cgit links
+virtual-root=/
+
+#customization
+root-title=git.nategb.xyz
+root-desc=software projects of Nate Buttke
diff --git a/files/etc/cgitrc.debian b/files/etc/cgitrc.debian
new file mode 100644
index 0000000..1d12da9
--- /dev/null
+++ b/files/etc/cgitrc.debian
@@ -0,0 +1,17 @@
+# cgit config
+# see cgitrc(5) for details
+
+#paths within /usr/share/cgit
+css=/cgit.css
+logo=
+ #/cgit.png
+
+#Folder with all git repositories
+scan-path=/srv/git/
+
+# root for all cgit links
+virtual-root=/
+
+#customization
+root-title=git.nategb.xyz
+root-desc=software projects of Nate Buttke
diff --git a/files/etc/nginx.conf b/files/etc/nginx.conf
new file mode 100644
index 0000000..67739d4
--- /dev/null
+++ b/files/etc/nginx.conf
@@ -0,0 +1,31 @@
+user http;
+worker_processes auto;
+worker_cpu_affinity auto;
+
+events {
+ multi_accept on;
+ worker_connections 1024;
+}
+
+http {
+ charset utf-8;
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ server_tokens off;
+ log_not_found off;
+ types_hash_max_size 4096;
+ client_max_body_size 16M;
+
+ # MIME
+ include mime.types;
+ default_type application/octet-stream;
+
+ # logging
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log warn;
+
+ # load configs
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+}
diff --git a/files/nategb-root/index.html b/files/nategb-root/index.html
new file mode 100644
index 0000000..9c72239
--- /dev/null
+++ b/files/nategb-root/index.html
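Review bot: `scan-path=/srv/git/` with no `project-list` means every repository cgit finds under that tree is listed and browsable on the public vhost, so anything cloned or pushed there for private use by the `sudoers` accounts is exposed the moment it appears. If /srv/git is meant to be public-only, say so next to the directive, e.g. `# everything under scan-path is published; keep private clones elsewhere or add project-list=`; otherwise set `project-list` to an allow-list file. The two cgitrc variants differ only in a comment, so one file copied by both playbooks would avoid them drifting apart.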
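Review bot: No server block in this tree declares `default_server`, so nginx uses the first one loaded from `include /etc/nginx/conf.d/*.conf`, which by glob order is `cgit.conf`: a request arriving by bare IP address or with an unrelated Host header is routed straight into `cgit.cgi` rather than being rejected. Add a catch-all, e.g. `server { listen 80 default_server; listen [::]:80 default_server; return 444; }`, in its own conf.d file so scanners and mis-pointed names get nothing. `user http;` is Arch-specific and this file is only installed by the Arch playbook, which is consistent, but a one-line comment at the top saying so would prevent it being copied to the Debian host where the worker user is different.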
@@ -0,0 +1,57 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+ <title>Nate Buttke</title>
+ <meta name="author" content="Nate Buttke">
+ <meta name="viewport" content="width=device-width">
+ <link rel="stylesheet" href="style.css">
+ </head>
+
+ <body>
+ <!-- heavily inspired by john ankarstrom http://john.ankarstrom.se -->
+ <img class="me" alt="me at the beach :)" src="me.png">
+ <div style="max-width: 27em;">
+ <h1>Nate Buttke</h1>
+ <p style="line-height: 2.2;"><img style="width: 1.5em;" src="pc.gif" align="left" alt="cute CRT and keyboard"> <strong class="welcome" style="color:tomato;">Welcome to my new website!</strong></p>
+ <p>
+ I'm Nate, a Computer Science student in Northern California. My current
+ interests include UNIX system administration, C programming, and cycling.
+ </p>
+ </div>
+
+ <hr>
+ <table class="blocks">
+ <tr valign="top">
+ <td>
+ <h2>Self</h2>
+ <ul class="list">
+ <li> to be added </li>
+ </ul>
+ </td>
+ <td>
+ <h2>Projects</h2>
+ <ul class="list">
+ <li><a href="http://git.nategb.xyz/">git server frontend</a> </li>
+ </ul>
+ </td>
+ <td>
+ <h2>Articles</h2>
+ <ul class="list">
+ <li> to be added </li>
+ </ul>
+ </ul>
+ </td>
+ </tr>
+ </table>
+
+ <hr>
+
+ <footer>
+ <p>
+ content is <a href="https://creativecommons.org/licenses/by-sa/4.0/">CC-BY-SA.</a> homepage inspired by <a href="http://john.ankarstrom.se">John.</a>
+ </p>
+ </footer>
+
+ </body>
+</html>
diff --git a/files/nategb-root/style.css b/files/nategb-root/style.css
new file mode 100644
index 0000000..7e05f17
--- /dev/null
+++ b/files/nategb-root/style.css
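Review bot: The Articles cell closes its list twice (`</ul>` followed by another `</ul>`), leaving a stray end tag that validators will flag and that lenient browsers only happen to ignore; delete the second `</ul>`. `me.png` and `pc.gif` are referenced but not part of this commit (the diffstat lists only index.html and style.css under files/nategb-root), so after the playbook's `rsync --delete` the server will 404 on both unless they are added elsewhere. The project link uses plain `http://git.nategb.xyz/`; a scheme-relative or https link would avoid a downgrade once TLS is in place.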
@@ -0,0 +1,14 @@ +body{font-size: 1.1em; max-width:100%; padding: 1em; margin: 0 auto; width: 37em;} +.me{width: 9em; float: right; margin: 2em 0 1em 1em;} + +table.blocks { margin: 0 -8px; } + table.blocks td { padding: 0 8px; } + ul.list, ul.list ul { margin-left: 1.375em /* 22px */; padding-left: 0; } + +footer{font-size: 0.7em;} + +@media only screen and (max-width: 640px){ + body{font-size: 1em;} + .me{width:6.5em;} + /*.welcome{font-size: 0.9em}*/ +} diff --git a/sh/update_packages.sh b/sh/update_packages.sh new file mode 100644 index 0000000..34b5d10 --- /dev/null +++ b/sh/update_packages.sh @@ -0,0 +1 @@ +ansible-playbook --ask-become-pass update_packages.yml diff --git a/update_packages.yml b/update_packages.yml new file mode 100644 index 0000000..f5a1b88 --- /dev/null +++ b/update_packages.yml @@ -0,0 +1,20 @@ +--- +- hosts: all +# strategy: free + become: true + tasks: + + - name: Install updates (apt) + ansible.builtin.apt: + name: "*" + state: latest + update_cache: yes + when: + - ansible_os_family == "Debian" + + - name: Install updates (pacman) + community.general.pacman: + upgrade: yes + update_cache: yes + when: + - ansible_os_family == "Archlinux" |
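Review bot: `sh/update_packages.sh` has no shebang and names `update_packages.yml` relative to the current directory (ansible.cfg's `inventory = inventory` is also cwd-relative), so it only works when invoked from the repository root, not as `sh/update_packages.sh` from anywhere else. Prefix it with `#!/bin/sh`, `set -eu`, and `cd "$(dirname "$0")/.."` so the playbook and ansible.cfg resolve regardless of the caller's cwd. `--ask-become-pass` also presumes the `sudoers` accounts have a password, which the bootstrap `user` tasks never set, so on a freshly bootstrapped host this will prompt for a password that does not exist unless one is set out of band.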