From db09f95ac1454410dc95209fb374a2d0b67387f8 Mon Sep 17 00:00:00 2001
From: Emi Matchu
Date: Sat, 13 Jan 2024 21:47:50 -0800
Subject: [PATCH] initial commit: it runs!
---
files/forgejo.service | 88 ++++++++++++++++++++++++++++++++++++
inventory.cfg | 2 +
run.sh | 1 +
setup-forgejo.yml | 73 ++++++++++++++++++++++++++++++
setup-security.yml | 101 ++++++++++++++++++++++++++++++++++++++++++
setup-users.yml | 28 ++++++++++++
6 files changed, 293 insertions(+)
create mode 100644 files/forgejo.service
create mode 100755 inventory.cfg
create mode 100755 run.sh
create mode 100644 setup-forgejo.yml
create mode 100755 setup-security.yml
create mode 100755 setup-users.yml
diff --git a/files/forgejo.service b/files/forgejo.service
new file mode 100644
index 0000000..ad80645
--- /dev/null
+++ b/files/forgejo.service
@@ -0,0 +1,88 @@
+# Adapted from https://codeberg.org/forgejo/forgejo/raw/branch/forgejo/contrib/systemd/forgejo.service
+
+[Unit]
+Description=Forgejo (Beyond coding. We forge.)
+After=syslog.target
+After=network.target
+###
+# Don't forget to add the database service dependencies
+###
+#
+#Wants=mysql.service
+#After=mysql.service
+#
+#Wants=mariadb.service
+#After=mariadb.service
+#
+#Wants=postgresql.service
+#After=postgresql.service
+#
+#Wants=memcached.service
+#After=memcached.service
+#
+#Wants=redis.service
+#After=redis.service
+#
+###
+# If using socket activation for main http/s
+###
+#
+#After=forgejo.main.socket
+#Requires=forgejo.main.socket
+#
+###
+# (You can also provide forgejo an http fallback and/or ssh socket too)
+#
+# An example of /etc/systemd/system/forgejo.main.socket
+###
+##
+## [Unit]
+## Description=Forgejo Web Socket
+## PartOf=forgejo.service
+##
+## [Socket]
+## Service=forgejo.service
+## ListenStream=
+## NoDelay=true
+##
+## [Install]
+## WantedBy=sockets.target
+##
+###
+
+[Service]
+# Uncomment the next line if you have repos with lots of files and get a HTTP 500 error because of that
+# LimitNOFILE=524288:524288
+RestartSec=2s
+Type=simple
+User=git
+Group=git
+WorkingDirectory=/var/lib/forgejo/
+# If using Unix socket: tells systemd to create the /run/forgejo folder, which will contain the forgejo.sock file
+# (manually creating /run/forgejo doesn't work, because it would not persist across reboots)
+#RuntimeDirectory=forgejo
+ExecStart=/usr/local/bin/forgejo web --config /etc/forgejo/app.ini
+Restart=always
+Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/forgejo
+# If you install Git to directory prefix other than default PATH (which happens
+# for example if you install other versions of Git side-to-side with
+# distribution version), uncomment below line and add that prefix to PATH
+# Don't forget to place git-lfs binary on the PATH below if you want to enable
+# Git LFS support
+#Environment=PATH=/path/to/git/bin:/bin:/sbin:/usr/bin:/usr/sbin
+# If you want to bind Forgejo to a port below 1024, uncomment
+# the two values below, or use socket activation to pass Forgejo its ports as above
+###
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+###
+# In some cases, when using CapabilityBoundingSet and AmbientCapabilities option, you may want to
+# set the following value to false to allow capabilities to be applied on Forgejo process. The following
+# value if set to true sandboxes Forgejo service and prevent any processes from running with privileges
+# in the host user namespace.
+###
+#PrivateUsers=false
+###
+
+[Install]
+WantedBy=multi-user.target
diff --git a/inventory.cfg b/inventory.cfg
new file mode 100755
index 0000000..7089ada
--- /dev/null
+++ b/inventory.cfg
@@ -0,0 +1,2 @@
+[webserver]
+code.openneo.net
diff --git a/run.sh b/run.sh
new file mode 100755
index 0000000..3342888
--- /dev/null
+++ b/run.sh
@@ -0,0 +1 @@
+ansible-playbook -i inventory.cfg --ask-become-pass $1
diff --git a/setup-forgejo.yml b/setup-forgejo.yml
new file mode 100644
index 0000000..24d3905
--- /dev/null
+++ b/setup-forgejo.yml
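Review bot: `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` and `AmbientCapabilities=CAP_NET_BIND_SERVICE` are uncommented here although the upstream template this unit is adapted from keeps them commented, and the setup playbook's own hint says Forgejo is listening on port 3000. An ambient capability is inherited by every child the daemon spawns (git, hooks, LFS), so if nothing binds below 1024 drop both lines; if serving 80/443 directly is the intent, the `forgejo.main.socket` activation sketched earlier in this file hands the daemon its ports without granting it any capability. The unit also carries no sandboxing; since the process runs as `git` with a writable `WorkingDirectory`, `NoNewPrivileges=true` and `PrivateTmp=true` look like low-risk additions, with `ProtectSystem=strict` plus `ReadWritePaths=/var/lib/forgejo /etc/forgejo` worth testing against the web installer.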
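Review bot: `$1` is unquoted and the script has no shebang, so `./run.sh` runs under whatever shell the caller has, and a playbook path containing a space is word-split while any extra arguments (`--check`, `-l host`) are silently dropped. Use `#!/bin/sh` as the first line and `exec ansible-playbook -i inventory.cfg --ask-become-pass "$@"`. The diffstat also marks inventory.cfg, setup-security.yml and setup-users.yml as `100755`; only run.sh needs the execute bit.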
@@ -0,0 +1,73 @@
+---
+# Adapted from https://forgejo.org/docs/latest/admin/installation-binary/
+- name: Install Forgejo
+ hosts: webserver
+ become: yes
+ become_user: root
+ tasks:
+ - name: Download Forgejo binary to /usr/local/bin (and verify its checksum)
+ get_url:
+ url: https://codeberg.org/forgejo/forgejo/releases/download/v1.21.3-0/forgejo-1.21.3-0-linux-amd64
+ dest: /usr/local/bin/forgejo
+ checksum: "sha256:8c8f34e889f968b4f9357701ceee7daab5b47ea605793325da8e3e740457b45a"
+ mode: "755"
+
+ - name: Update apt cache
+ apt:
+ update_cache: true
+
+ - name: Install git and git-lfs
+ apt:
+ name:
+ - git
+ - git-lfs
+
+ - name: Create git user
+ user:
+ name: git
+ password: "!" # disables password login
+ home: /home/git
+ shell: /bin/bash
+ comment: Git Version Control
+
+ - name: Create Forgejo's data directory
+ file:
+ path: /var/lib/forgejo
+ state: directory
+ mode: "750"
+ owner: git
+ group: git
+
+ - name: Create Forgejo's config directory
+ file:
+ path: /etc/forgejo
+ state: directory
+ mode: "770"
+ owner: root
+ group: git
+
+ - name: Install systemd service for Forgejo
+ copy:
+ src: files/forgejo.service
+ dest: /etc/systemd/system/forgejo.service
+ notify:
+ - Reload Forgejo's service file and restart Forgejo
+
+ - name: Start Forgejo service
+ systemd_service:
+ name: forgejo
+ state: started
+
+ - name: Print hint to go configure
+ debug:
+ msg: >
+ Forgejo is now running on port 3000! Run `ssh -L 3000:localhost:3000
+ code.openneo.net` to be able to open `localhost:3000` in your local
+ browser and have it redirect to Forgejo's setup page!
+
+ handlers:
+ - name: Reload Forgejo's service file and restart Forgejo
+ systemd_service:
+ name: forgejo
+ state: restarted
+ daemon_reload: true
diff --git a/setup-security.yml b/setup-security.yml
new file mode 100755
index 0000000..c75261f
--- /dev/null
+++ b/setup-security.yml
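Review bot: `/etc/forgejo` is created `770 root:git` and no later task tightens it, so the Forgejo process (which the unit file runs as `git`) keeps write access to its own `app.ini` indefinitely; the upstream guide cited at the top of the file treats 770 as a setup-time mode to be lowered once the installer has written the config — worth confirming against that doc. Add a post-setup task (gated by a tag or variable) with `file: path=/etc/forgejo state=directory mode="750"` and `file: path=/etc/forgejo/app.ini mode="640" owner=root group=git`. The "Start Forgejo service" task uses `state: started` without `enabled: true`, so the unit does not come back after a reboot even though the security play turns on automatic reboots. Finally, whoever reaches the installer on port 3000 first becomes the admin; since run.sh runs one playbook at a time with no ordering, this play should either assert the firewall is already enabled before starting the service or point the installer at localhost only.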
@@ -0,0 +1,101 @@
+---
+- name: Set up security defaults
+ hosts: webserver
+ become: yes
+ become_user: root
+ tasks:
+ - name: Disable root SSH login
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: ^#?PermitRootLogin
+ line: PermitRootLogin no
+
+ - name: Disable password-based SSH authentication
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: ^#?PasswordAuthentication
+ line: PasswordAuthentication no
+
+ - name: Enable public-key SSH authentication
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: ^#?PubkeyAuthentication
+ line: PubkeyAuthentication yes
+
+ - name: Update the apt cache
+ apt:
+ update_cache: yes
+
+ - name: Install fail2ban firewall with default settings
+ apt:
+ name: fail2ban
+
+ - name: Install ufw firewall
+ apt:
+ name: ufw
+
+ - name: Configure ufw firewall to allow SSH connections on port 22
+ community.general.ufw:
+ rule: allow
+ port: "22"
+
+ - name: Configure ufw firewall to allow HTTP connections on port 80
+ community.general.ufw:
+ rule: allow
+ port: "80"
+
+ - name: Configure ufw firewall to allow HTTPS connections on port 443
+ community.general.ufw:
+ rule: allow
+ port: "443"
+
+ - name: Configure ufw firewall to deny access to ChatGPT-User's IP range
+ community.general.ufw:
+ rule: deny
+ src: 23.98.142.176/28
+ comment: ChatGPT-User (https://platform.openai.com/docs/plugins/bot)
+
+ - name: Load GPTBot IP ranges
+ uri:
+ url: https://openai.com/gptbot.json
+ register: gptbot_info
+
+ - name: Configure ufw firewall to deny access to each of GPTBot's IP ranges
+ community.general.ufw:
+ rule: deny
+ src: "{{ item }}"
+ comment: GPTBot (https://platform.openai.com/docs/gptbot)
+ loop: "{{ gptbot_info['json'] |
+ community.general.json_query('prefixes[*].ipv4Prefix') }}"
+
+ - name: Enable ufw firewall with all other ports closed by default
+ community.general.ufw:
+ state: enabled
+ policy: deny
+
+ - name: Install unattended-upgrades
+ apt:
+ name: unattended-upgrades
+
+ - name: Enable unattended-upgrades to auto-upgrade our system
+ copy:
+ content: |
+ APT::Periodic::Update-Package-Lists "1";
+ APT::Periodic::Unattended-Upgrade "1";
+ dest: /etc/apt/apt.conf.d/20auto-upgrades
+
+ - name: Configure unattended-upgrades to auto-reboot our server when necessary
+ lineinfile:
+ regex: ^(//\s*)?Unattended-Upgrade::Automatic-Reboot ".*";$
+ line: Unattended-Upgrade::Automatic-Reboot "true";
+ dest: /etc/apt/apt.conf.d/50unattended-upgrades
+
+ - name: Configure the system timezone to be US Pacific time
+ community.general.timezone:
+ name: America/Los_Angeles
+
+ - name: Configure unattended-upgrades to delay necessary reboots to 3am
+ lineinfile:
+ regex: ^(//\s*)?Unattended-Upgrade::Automatic-Reboot-Time ".*";$
+ line: Unattended-Upgrade::Automatic-Reboot-Time "03:00";
+ dest: /etc/apt/apt.conf.d/50unattended-upgrades
diff --git a/setup-users.yml b/setup-users.yml
new file mode 100755
index 0000000..a55a878
--- /dev/null
+++ b/setup-users.yml
@@ -0,0 +1,28 @@
+---
+- name: Set up user accounts
+ hosts: webserver
+ become: yes
+ become_user: root
+ tasks:
+ - name: Create user account for matchu
+ user:
+ name: matchu
+ comment: Emi Matchu
+
+ - name: Create matchu's .ssh folder
+ file:
+ name: /home/matchu/.ssh
+ mode: "700"
+ owner: matchu
+ group: matchu
+ state: directory
+
+ - name: Set up matchu's public SSH keys
+ copy:
+ dest: /home/matchu/.ssh/authorized_keys
+ mode: "600"
+ owner: matchu
+ group: matchu
+ content: |
+ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKFwWryq6slOQqkrJ7HIig7BvEQVQeH19hFwb+9VpXgz Matchu's Laptop (Ebon Hawk)
+ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIu5a+mp2KKSGkOGWQPrARCrsqJS4g2vK7TmRIbj/YBh Matchu's Desktop (Leviathan 2023)
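Review bot: The three `sshd_config` edits at the top of the hunk never reach the running daemon — no task or handler reloads sshd — so `PermitRootLogin no` and `PasswordAuthentication no` only take effect at the next sshd restart, possibly the 3am reboot this same play enables. Give each `lineinfile` a `notify: Reload sshd` (handler: `systemd_service: name=ssh state=reloaded`) and `validate: /usr/sbin/sshd -t -f %s` so a bad edit cannot lock you out; on Debian/Ubuntu also check whether `sshd_config` includes `sshd_config.d/*.conf`, where a cloud-init drop-in may re-enable password login ahead of these lines. Separately, the ChatGPT-User and GPTBot `deny` rules are appended after the `allow` rules for 80/443 and ufw stops at the first match, so those sources are still admitted to the web ports and the deny tasks are effectively no-ops; add `insert: 1` to the deny tasks (or order them before the allows), and since the GPTBot list is fetched live from a remote JSON document, validate each entry as a CIDR before handing it to ufw so a malformed or overbroad prefix cannot become a rule.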
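Review bot: The `matchu` account is created with no `groups`, no sudoers entry and no password (the `user` module leaves it locked), while run.sh invokes ansible with `--ask-become-pass`; if this account is meant to be the login and become user for later runs, `become` will fail. Either add `groups: [sudo]`, `append: true` and a `password` hash, or install a `/etc/sudoers.d/matchu` drop-in with `validate: /usr/sbin/visudo -cf %s`. The `.ssh` directory and `authorized_keys` tasks can also collapse into one `ansible.posix.authorized_key` task with `user: matchu`, `exclusive: true` and the two keys as `key`, which creates the directory with the right ownership and mode and revokes any key removed from the list.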