From b360c6f62c3a99bbe57b7d0c7f5fa55f9336a563 Mon Sep 17 00:00:00 2001
From: Nate Buttke
Date: Mon, 27 Dec 2021 19:11:27 -0800
Subject: restart repo
---
.gitignore | 1 +
ansible.cfg | 3 +
bootstrap_nategb.yml | 187 ++++++++++++++++++++++++++++++++++++++++++
bootstrap_nategb_debian.yml | 180 ++++++++++++++++++++++++++++++++++++++++
files/conf.d/cgit.conf | 25 ++++++
files/conf.d/cgit.conf.debian | 26 ++++++
files/conf.d/nategb.conf | 15 ++++
files/etc/cgitrc | 18 ++++
files/etc/cgitrc.debian | 17 ++++
files/etc/nginx.conf | 31 +++++++
files/nategb-root/index.html | 57 +++++++++++++
files/nategb-root/style.css | 14 ++++
sh/update_packages.sh | 1 +
update_packages.yml | 20 +++++
14 files changed, 595 insertions(+)
create mode 100644 .gitignore
create mode 100644 ansible.cfg
create mode 100644 bootstrap_nategb.yml
create mode 100644 bootstrap_nategb_debian.yml
create mode 100644 files/conf.d/cgit.conf
create mode 100644 files/conf.d/cgit.conf.debian
create mode 100644 files/conf.d/nategb.conf
create mode 100644 files/etc/cgitrc
create mode 100644 files/etc/cgitrc.debian
create mode 100644 files/etc/nginx.conf
create mode 100644 files/nategb-root/index.html
create mode 100644 files/nategb-root/style.css
create mode 100644 sh/update_packages.sh
create mode 100644 update_packages.yml
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e845c18
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+inventory
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..01658a1
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,3 @@
+[defaults]
+inventory = inventory
+private_key_file = ~/.ssh/ansible
diff --git a/bootstrap_nategb.yml b/bootstrap_nategb.yml
new file mode 100644
index 0000000..72421e0
--- /dev/null
+++ b/bootstrap_nategb.yml
@@ -0,0 +1,187 @@
+---
+
+- hosts: nategb
+ become: true
+ vars:
+ sudoers:
+ - n8
+ tasks:
+
+ - name: pacman -Syu
+ tags: nategb
+ pacman:
+ upgrade: yes
+ update_cache: yes
+ when: ansible_distribution == "Archlinux"
+
+ - name: pacman -S nginx, etc.
+ tags: nategb
+ pacman:
+ name:
+ - base-devel
+ - git
+ - tmux
+ - tor
+ - rsync
+ - neovim
+ - nginx
+ - cgit
+ - fcgiwrap
+ - certbot
+ - certbot-nginx
+ update_cache: yes
+ state: present
+ when: ansible_distribution == "Archlinux"
+
+ - name: gather package facts
+ tags: nategb
+ package_facts:
+ manager: pacman
+ when: ansible_distribution == "Archlinux"
+
+ - name: install sudo if not already installed
+ tags: nategb
+ pacman:
+ name:
+ - sudo
+ update_cache: yes
+ state: present
+ when: "'sudo' not in ansible_facts.packages"
+
+ - name: Make sure 'wheel' group exists
+ group:
+ name: wheel
+ state: present
+
+ - name: Allow 'wheel' group to use sudo
+ tags: nategb, sudo
+ lineinfile:
+ dest: /etc/sudoers
+ state: present
+ regexp: '^%wheel'
+ line: '%wheel ALL=(ALL) ALL'
+ validate: 'visudo -cf %s'
+ when: "'sudo' in ansible_facts.packages"
+
+ - name: add users
+ tags: nategb
+ user:
+ name: "{{ item }}"
+ groups: wheel
+ append: yes
+ state: present
+ with_items: "{{ sudoers }}"
+
+ - name: add ssh keys to users
+ tags: nategb
+ authorized_key:
+ user: "{{ item }}"
+ state: present
+ key: "{{ lookup('file', '/home/n8/.ssh/id_ed25519.pub') }}"
+ with_items: "{{ sudoers }}"
+
+
+ - name: secure sshd
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ state: present
+ validate: 'sshd -T -f %s'
+ with_items:
+ - regexp: "^PasswordAuthentication"
+ line: "PasswordAuthentication no"
+ - regexp: "^PermitRootLogin"
+ line: "PermitRootLogin prohibit-password"
+
+ - name: copy nginx.conf to nginx on server
+ tags: nginx, nategb
+ copy:
+ src: files/etc/nginx.conf
+ dest: /etc/nginx/nginx.conf
+ owner: root
+ group: root
+ mode: 0644
+
+ - name: mkdir conf.d
+ tags: nginx, nategb
+ file:
+ path: /etc/nginx/conf.d
+ state: directory
+ mode: 0755
+
+ - name: copy nategb.conf to nginx on server
+ tags: nginx, nategb
+ copy:
+ force: no
+ src: files/conf.d/nategb.conf
+ dest: /etc/nginx/conf.d/nategb.conf
+ owner: root
+ group: root
+ mode: 0644
+
+ - name: copy cgit.conf to nginx on server
+ tags: nginx, nategb
+ copy:
+ force: no
+ src: files/conf.d/cgit.conf
+ dest: /etc/nginx/conf.d/cgit.conf
+ owner: root
+ group: root
+ mode: 0644
+
+ - name: copy cgitrc to server
+ tags: nginx, cgit, nategb
+ copy:
+ src: files/etc/cgitrc
+ dest: /etc/cgitrc
+ owner: root
+ group: root
+ mode: 0644
+
+ - name: create /var/www/nategb
+ tags: nginx, nategb
+ file:
+ path: /var/www/nategb
+ state: directory
+ mode: 0755
+
+#can an absolute path be given here?
+ - name: copy web files
+ synchronize:
+ src: files/nategb-root/
+ dest: /var/www/nategb
+ rsync_opts:
+ - "-r"
+ - "-d"
+ - "-v"
+ - "-l"
+ - "-P"
+ - "--delete"
+
+ - name: start nginx service
+ tags: nginx, nategb
+ service:
+ name: nginx
+ enabled: yes
+ state: started
+
+ - name: reload nginx service
+ tags: nginx, nategb
+ service:
+ name: nginx
+ state: reloaded
+
+ - name: start fcgiwrap service
+ tags: nategb
+ service:
+ name: fcgiwrap
+ enabled: yes
+ state: started
+
+ - name: start fcgiwrap socket
+ tags: nategb
+ service:
+ name: fcgiwrap.socket
+ enabled: yes
+ state: started
diff --git a/bootstrap_nategb_debian.yml b/bootstrap_nategb_debian.yml
new file mode 100644
index 0000000..1134a50
--- /dev/null
+++ b/bootstrap_nategb_debian.yml
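Review bot: The `secure sshd` task rewrites /etc/ssh/sshd_config, but no task or handler reloads sshd afterwards, so `PasswordAuthentication no` and `PermitRootLogin prohibit-password` only take effect whenever the daemon next happens to restart; bootstrap_nategb_debian.yml has the same gap. Add `notify: restart sshd` to the task and a play-level `handlers:` entry that restarts the service (`sshd` on Arch, `ssh` on Debian), as sketched below. On targets whose sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf`, a drop-in there that sets `PasswordAuthentication yes` is read before the line this task appends and sshd keeps the first value it sees, so the end result is best confirmed with `sshd -T` on the host after the run. The nategb.conf and cgit.conf copies use `force: no`, so later edits to those files in the repo never reach an already-provisioned host; if that is deliberate (presumably to protect certbot's in-place edits), a comment saying so would help.
```yaml
    - name: secure sshd
      lineinfile:
        # … unchanged: dest/regexp/line/state/validate …
      with_items:
        # … unchanged: PasswordAuthentication / PermitRootLogin entries …
      notify: restart sshd

    # … unchanged: remaining tasks …

  handlers:
    - name: restart sshd
      service:
        name: sshd
        state: restarted
```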
@@ -0,0 +1,180 @@
+---
+
+# caveats: ufw will mess with this. the default nginx vhost in sites-enabled
+# may mess with this. the server_name causes a 502 error unless DNS is set up.
+# cgit has not been extensively tested
+
+- hosts: nategb
+ become: true
+ vars:
+ sudoers:
+ - n8
+ tasks:
+
+ - name: Install updates (apt)
+ ansible.builtin.apt:
+ name: "*"
+ state: latest
+ update_cache: yes
+ when:
+ - ansible_os_family == "Debian"
+
+ - name: apt install nginx, etc.
+ tags: nategb
+ apt:
+ name:
+ - git
+ - tmux
+ - tor
+ - rsync
+ - neovim
+ - nginx
+ - cgit
+ - fcgiwrap
+ - python3-certbot-nginx
+ update_cache: yes
+ when: ansible_os_family == "Debian"
+
+ - name: gather package facts
+ tags: nategb
+ package_facts:
+ manager: apt
+ when: ansible_os_family == "Debian"
+
+ - name: install sudo if not already installed
+ tags: nategb
+ apt:
+ name:
+ - sudo
+ update_cache: yes
+ when: "'sudo' not in ansible_facts.packages"
+
+ - name: Make sure 'sudo' group exists
+ group:
+ name: sudo
+ state: present
+
+ - name: Allow 'sudo' group to use sudo
+ tags: nategb, sudo
+ lineinfile:
+ dest: /etc/sudoers
+ state: present
+ regexp: '^%sudo'
+ line: '%sudo ALL=(ALL) ALL'
+ validate: 'visudo -cf %s'
+ when: "'sudo' in ansible_facts.packages"
+
+ - name: add users
+ tags: nategb
+ user:
+ name: "{{ item }}"
+ groups: sudo
+ append: yes
+ with_items: "{{ sudoers }}"
+
+ - name: add ssh keys to users
+ tags: nategb
+ authorized_key:
+ user: "{{ item }}"
+ state: present
+ key: "{{ lookup('file', '/home/n8/.ssh/id_ed25519.pub') }}"
+ with_items: "{{ sudoers }}"
+
+
+ - name: secure sshd
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ state: present
+ validate: 'sshd -T -f %s'
+ with_items:
+ - regexp: "^PasswordAuthentication"
+ line: "PasswordAuthentication no"
+ - regexp: "^PermitRootLogin"
+ line: "PermitRootLogin prohibit-password"
+
+ - name: copy nategb.conf to nginx on server
+ tags: nginx, nategb
+ copy:
+ src: files/conf.d/nategb.conf
+ dest: /etc/nginx/sites-available/nategb.conf
+ owner: root
+ group: root
+ mode: 0644
+
+ - name: copy cgit.conf to nginx on server
+ tags: nginx, nategb
+ copy:
+ src: files/conf.d/cgit.conf.debian
+ dest: /etc/nginx/sites-available/cgit.conf
+ owner: root
+ group: root
+ mode: 0644
+
+ - name: copy cgitrc to server
+ tags: nginx, cgit, nategb
+ copy:
+ src: files/etc/cgitrc.debian
+ dest: /etc/cgitrc
+ owner: root
+ group: root
+ mode: 0644
+
+ - name: create /var/www/nategb
+ tags: nginx, nategb
+ file:
+ path: /var/www/nategb
+ state: directory
+ mode: 0755
+
+
+ - name: copy web files
+ synchronize:
+ src: files/nategb-root/
+ dest: /var/www/nategb
+ rsync_opts:
+ - "-r"
+ - "-d"
+ - "-v"
+ - "-l"
+ - "-P"
+ - "--delete"
+
+# https://badzilla.co.uk/ansible-tasks-create-symbolic-links-nginx-apache-sites-enabled-directory
+ - name: Apply symlinks in sites-enabled
+ file:
+ dest: /etc/nginx/sites-enabled/{{ item }}
+ src: /etc/nginx/sites-available/{{ item }}
+ state: link
+ force: yes
+ with_items:
+ - nategb.conf
+ - cgit.conf
+
+ - name: start nginx service
+ tags: nginx, nategb
+ service:
+ name: nginx
+ enabled: yes
+ state: started
+
+ - name: reload nginx service
+ tags: nginx, nategb
+ service:
+ name: nginx
+ state: reloaded
+
+ - name: start fcgiwrap service
+ tags: nategb
+ service:
+ name: fcgiwrap
+ enabled: yes
+ state: started
+
+ - name: start fcgiwrap socket
+ tags: nategb
+ service:
+ name: fcgiwrap.socket
+ enabled: yes
+ state: started
diff --git a/files/conf.d/cgit.conf b/files/conf.d/cgit.conf
new file mode 100644
index 0000000..d4ae100
--- /dev/null
+++ b/files/conf.d/cgit.conf
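Review bot: `Apply symlinks in sites-enabled` enables the two vhosts but leaves the package's `default` symlink in place, so nginx's stock `default_server` on :80 keeps answering requests whose Host matches neither `server_name` (a by-IP request, for instance) — the very caveat the header comment lists. A task before the symlink step, `file: {path: /etc/nginx/sites-enabled/default, state: absent}`, removes it, and the existing `reload nginx service` task then picks the change up. Separately, `Install updates (apt)` is the only task in this play without `tags: nategb`, so a `--tags nategb` run skips the upgrade; if that is intended, a comment would make it clear.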
@@ -0,0 +1,25 @@
+server {
+ listen [::]:80;
+ listen 80;
+
+ server_name git.nategb.xyz git.natebuttke.com;
+
+ # Path to the static web resources of cgit
+ root /usr/share/webapps/cgit;
+
+ try_files $uri @cgit;
+
+ location @cgit {
+ include fastcgi_params;
+
+ # Path to the CGI script that comes with cgit
+ fastcgi_param SCRIPT_FILENAME /usr/share/webapps/cgit/cgit.cgi;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_param QUERY_STRING $args;
+ fastcgi_param HTTP_HOST $server_name;
+
+ # Path to the socket file that is created/used by fcgiwrap
+ fastcgi_pass unix:/run/fcgiwrap.sock;
+ }
+
+}
diff --git a/files/conf.d/cgit.conf.debian b/files/conf.d/cgit.conf.debian
new file mode 100644
index 0000000..c2e4259
--- /dev/null
+++ b/files/conf.d/cgit.conf.debian
@@ -0,0 +1,26 @@
+server {
+ listen [::]:80;
+ listen 80;
+
+ server_name git.nategb.xyz git.natebuttke.com;
+
+ # Path to the static web resources of cgit
+ root /usr/share/cgit;
+
+ try_files $uri @cgit;
+
+ location @cgit {
+ include fastcgi_params;
+
+ # Path to the CGI script that comes with cgit
+ fastcgi_param SCRIPT_FILENAME /usr/lib/cgit/cgit.cgi;
+
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_param QUERY_STRING $args;
+ fastcgi_param HTTP_HOST $server_name;
+
+ # Path to the socket file that is created/used by fcgiwrap
+ fastcgi_pass unix:/run/fcgiwrap.socket;
+ }
+
+}
diff --git a/files/conf.d/nategb.conf b/files/conf.d/nategb.conf
new file mode 100644
index 0000000..313befc
--- /dev/null
+++ b/files/conf.d/nategb.conf
@@ -0,0 +1,15 @@
+server {
+ listen 80 ;
+ listen [::]:80 ;
+ server_name nategb.xyz natebuttke.com ;
+ root /var/www/nategb ;
+ index index.html index.htm index.nginx-debian.html ;
+
+ add_header Onion-Location http://nategbee2zejhurhw3fbhbc5pzgu2hzerydy7ajs2tclnbxhwoc6icqd.onion$request_uri ;
+ expires 1y;
+ add_header Cache-Control "public, no-transform";
+
+ location / {
+ try_files $uri.html $uri $uri/ =404 ;
+ }
+}
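Review bot: `fastcgi_param HTTP_HOST $server_name;` hands cgit the first entry of the `server_name` list rather than the name the client used, so when the site is reached as git.natebuttke.com any absolute URL cgit builds from HTTP_HOST (its feed links, for example) points at git.nategb.xyz; cgit.conf.debian has the same line. `fastcgi_param HTTP_HOST $host;` passes the matched name instead, and because this block is selected only for the two listed names the value stays bounded to them — unless the block ends up as nginx's implicit default server, in which case $host is whatever the client sent and the change should wait for an explicit `default_server` block. Both vhosts listen on :80 only, with no TLS listener, although the playbooks install certbot; if certbot is meant to add the 443 block later, a comment saying so would save the next reader from doing it by hand.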
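Review bot: `expires 1y` at server level in nategb.conf applies to every response, index.html included, so a browser or proxy that has cached the page will not see the next `copy web files` rsync for up to a year. Limit the long expiry to static assets, e.g. `location ~* \.(css|png|jpg|ico)$ { expires 1y; add_header Cache-Control "public, no-transform"; }`, and leave HTML on the default of no expiry. Keep in mind that `add_header` is inherited from the server level only when the location sets none of its own, so a location that adds headers must also repeat `Onion-Location` if it is wanted there.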
diff --git a/files/etc/cgitrc b/files/etc/cgitrc
new file mode 100644
index 0000000..809851b
--- /dev/null
+++ b/files/etc/cgitrc
@@ -0,0 +1,18 @@
+#
+# cgit config
+# see cgitrc(5) for details
+
+#paths within /usr/share/webapps/cgit
+css=/cgit.css
+logo=
+ #/cgit.png
+
+#Folder with all git repositories
+scan-path=/srv/git/
+
+# root for all cgit links
+virtual-root=/
+
+#customization
+root-title=git.nategb.xyz
+root-desc=software projects of Nate Buttke
diff --git a/files/etc/cgitrc.debian b/files/etc/cgitrc.debian
new file mode 100644
index 0000000..1d12da9
--- /dev/null
+++ b/files/etc/cgitrc.debian
@@ -0,0 +1,17 @@
+# cgit config
+# see cgitrc(5) for details
+
+#paths within /usr/share/cgit
+css=/cgit.css
+logo=
+ #/cgit.png
+
+#Folder with all git repositories
+scan-path=/srv/git/
+
+# root for all cgit links
+virtual-root=/
+
+#customization
+root-title=git.nategb.xyz
+root-desc=software projects of Nate Buttke
diff --git a/files/etc/nginx.conf b/files/etc/nginx.conf
new file mode 100644
index 0000000..67739d4
--- /dev/null
+++ b/files/etc/nginx.conf
@@ -0,0 +1,31 @@
+user http;
+worker_processes auto;
+worker_cpu_affinity auto;
+
+events {
+ multi_accept on;
+ worker_connections 1024;
+}
+
+http {
+ charset utf-8;
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ server_tokens off;
+ log_not_found off;
+ types_hash_max_size 4096;
+ client_max_body_size 16M;
+
+ # MIME
+ include mime.types;
+ default_type application/octet-stream;
+
+ # logging
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log warn;
+
+ # load configs
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+}
diff --git a/files/nategb-root/index.html b/files/nategb-root/index.html
new file mode 100644
index 0000000..9c72239
--- /dev/null
+++ b/files/nategb-root/index.html
@@ -0,0 +1,57 @@
+ + + + + Nate Buttke + + + + + + + + me at the beach :) +
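Review bot: `scan-path=/srv/git/` publishes every repository cgit finds under that tree, so anything placed there for private use becomes browsable — and, with cgit's default `enable-http-clone`, cloneable — over the plain-HTTP vhost; keep non-public repos outside /srv/git or restrict the listing with `project-list`. A comment above `scan-path` such as `# everything under here is public; private repos live elsewhere` would record that intent in both cgitrc and cgitrc.debian. The commented `#/cgit.png` line is indented one space under `logo=`; cgit's config reader should still treat it as a comment, but putting it at column 0 removes the doubt.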
+

Nate Buttke

+

cute CRT and keyboard  Welcome to my new website!

+

+ I'm Nate, a Computer Science student in Northern California. My current + interests include UNIX system administration, C programming, and cycling. +

+
+ +
+ + + + + + +
+

Self

+
    +
  • to be added
  • +
+
+

Projects

+ +
+

Articles

+
    +
  • to be added
  • +
+ +
+ +
+ + + + +
diff --git a/files/nategb-root/style.css b/files/nategb-root/style.css
new file mode 100644
index 0000000..7e05f17
--- /dev/null
+++ b/files/nategb-root/style.css
@@ -0,0 +1,14 @@
+body{font-size: 1.1em; max-width:100%; padding: 1em; margin: 0 auto; width: 37em;}
+.me{width: 9em; float: right; margin: 2em 0 1em 1em;}
+
+table.blocks { margin: 0 -8px; }
+ table.blocks td { padding: 0 8px; }
+ ul.list, ul.list ul { margin-left: 1.375em /* 22px */; padding-left: 0; }
+
+footer{font-size: 0.7em;}
+
+@media only screen and (max-width: 640px){
+ body{font-size: 1em;}
+ .me{width:6.5em;}
+ /*.welcome{font-size: 0.9em}*/
+}
diff --git a/sh/update_packages.sh b/sh/update_packages.sh
new file mode 100644
index 0000000..34b5d10
--- /dev/null
+++ b/sh/update_packages.sh
@@ -0,0 +1 @@
+ansible-playbook --ask-become-pass update_packages.yml
diff --git a/update_packages.yml b/update_packages.yml
new file mode 100644
index 0000000..f5a1b88
--- /dev/null
+++ b/update_packages.yml
@@ -0,0 +1,20 @@
+---
+- hosts: all
+# strategy: free
+ become: true
+ tasks:
+
+ - name: Install updates (apt)
+ ansible.builtin.apt:
+ name: "*"
+ state: latest
+ update_cache: yes
+ when:
+ - ansible_os_family == "Debian"
+
+ - name: Install updates (pacman)
+ community.general.pacman:
+ upgrade: yes
+ update_cache: yes
+ when:
+ - ansible_os_family == "Archlinux"
-- cgit v1.2.3
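Review bot: sh/update_packages.sh has no shebang and is committed with mode 100644, so it can only be run as `sh sh/update_packages.sh`, and because `ansible-playbook` resolves both `ansible.cfg` and `update_packages.yml` against the working directory the one-liner only works from the repo root, not from `sh/`. Prefix it with `#!/bin/sh` and `cd "$(dirname "$0")/.." || exit 1` (and mark it executable) so the script is location-independent.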