OpenNeo/openneo-code
OpenNeo/openneo-code
1
0
Fork 0
Code Pull requests Activity

initial commit: it runs!

Browse source
This commit is contained in:
Emi Matchu 2024-01-13 21:47:50 -08:00
commit db09f95ac1
6 changed files with 293 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

88
files/forgejo.service Normal file
View file

@ -0,0 +1,88 @@
# Adapted from https://codeberg.org/forgejo/forgejo/raw/branch/forgejo/contrib/systemd/forgejo.service
[Unit]
Description=Forgejo (Beyond coding. We forge.)
After=syslog.target
After=network.target
###
# Don't forget to add the database service dependencies
###
#
#Wants=mysql.service
#After=mysql.service
#
#Wants=mariadb.service
#After=mariadb.service
#
#Wants=postgresql.service
#After=postgresql.service
#
#Wants=memcached.service
#After=memcached.service
#
#Wants=redis.service
#After=redis.service
#
###
# If using socket activation for main http/s
###
#
#After=forgejo.main.socket
#Requires=forgejo.main.socket
#
###
# (You can also provide forgejo an http fallback and/or ssh socket too)
#
# An example of /etc/systemd/system/forgejo.main.socket
###
##
## [Unit]
## Description=Forgejo Web Socket
## PartOf=forgejo.service
##
## [Socket]
## Service=forgejo.service
## ListenStream=<some_port>
## NoDelay=true
##
## [Install]
## WantedBy=sockets.target
##
###
[Service]
# Uncomment the next line if you have repos with lots of files and get a HTTP 500 error because of that
# LimitNOFILE=524288:524288
RestartSec=2s
Type=simple
User=git
Group=git
WorkingDirectory=/var/lib/forgejo/
# If using Unix socket: tells systemd to create the /run/forgejo folder, which will contain the forgejo.sock file
# (manually creating /run/forgejo doesn't work, because it would not persist across reboots)
#RuntimeDirectory=forgejo
ExecStart=/usr/local/bin/forgejo web --config /etc/forgejo/app.ini
Restart=always
Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/forgejo
# If you install Git to directory prefix other than default PATH (which happens
# for example if you install other versions of Git side-to-side with
# distribution version), uncomment below line and add that prefix to PATH
# Don't forget to place git-lfs binary on the PATH below if you want to enable
# Git LFS support
#Environment=PATH=/path/to/git/bin:/bin:/sbin:/usr/bin:/usr/sbin
# If you want to bind Forgejo to a port below 1024, uncomment
# the two values below, or use socket activation to pass Forgejo its ports as above
###
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
###
# In some cases, when using CapabilityBoundingSet and AmbientCapabilities option, you may want to
# set the following value to false to allow capabilities to be applied on Forgejo process. The following
# value if set to true sandboxes Forgejo service and prevent any processes from running with privileges
# in the host user namespace.
###
#PrivateUsers=false
###
[Install]
WantedBy=multi-user.target

2
inventory.cfg Executable file
View file

@ -0,0 +1,2 @@
[webserver]
code.openneo.net

1
run.sh Executable file
View file

@ -0,0 +1 @@
ansible-playbook -i inventory.cfg --ask-become-pass $1

73
setup-forgejo.yml Normal file
View file

@ -0,0 +1,73 @@
---
# Adapted from https://forgejo.org/docs/latest/admin/installation-binary/
- name: Install Forgejo
hosts: webserver
become: yes
become_user: root
tasks:
- name: Download Forgejo binary to /usr/local/bin (and verify its checksum)
get_url:
url: https://codeberg.org/forgejo/forgejo/releases/download/v1.21.3-0/forgejo-1.21.3-0-linux-amd64
dest: /usr/local/bin/forgejo
checksum: "sha256:8c8f34e889f968b4f9357701ceee7daab5b47ea605793325da8e3e740457b45a"
mode: "755"
- name: Update apt cache
apt:
update_cache: true
- name: Install git and git-lfs
apt:
name:
- git
- git-lfs
- name: Create git user
user:
name: git
password: "!" # disables password login
home: /home/git
shell: /bin/bash
comment: Git Version Control
- name: Create Forgejo's data directory
file:
path: /var/lib/forgejo
state: directory
mode: "750"
owner: git
group: git
- name: Create Forgejo's config directory
file:
path: /etc/forgejo
state: directory
mode: "770"
owner: root
group: git
- name: Install systemd service for Forgejo
copy:
src: files/forgejo.service
dest: /etc/systemd/system/forgejo.service
notify:
- Reload Forgejo's service file and restart Forgejo
- name: Start Forgejo service
systemd_service:
name: forgejo
state: started
- name: Print hint to go configure
debug:
msg: >
Forgejo is now running on port 3000! Run `ssh -L 3000:localhost:3000
code.openneo.net` to be able to open `localhost:3000` in your local
browser and have it redirect to Forgejo's setup page!
handlers:
- name: Reload Forgejo's service file and restart Forgejo
systemd_service:
name: forgejo
state: restarted
daemon_reload: true

101
setup-security.yml Executable file
View file

@ -0,0 +1,101 @@
---
- name: Set up security defaults
hosts: webserver
become: yes
become_user: root
tasks:
- name: Disable root SSH login
lineinfile:
dest: /etc/ssh/sshd_config
regexp: ^#?PermitRootLogin
line: PermitRootLogin no
- name: Disable password-based SSH authentication
lineinfile:
dest: /etc/ssh/sshd_config
regexp: ^#?PasswordAuthentication
line: PasswordAuthentication no
- name: Enable public-key SSH authentication
lineinfile:
dest: /etc/ssh/sshd_config
regexp: ^#?PubkeyAuthentication
line: PubkeyAuthentication yes
- name: Update the apt cache
apt:
update_cache: yes
- name: Install fail2ban firewall with default settings
apt:
name: fail2ban
- name: Install ufw firewall
apt:
name: ufw
- name: Configure ufw firewall to allow SSH connections on port 22
community.general.ufw:
rule: allow
port: "22"
- name: Configure ufw firewall to allow HTTP connections on port 80
community.general.ufw:
rule: allow
port: "80"
- name: Configure ufw firewall to allow HTTPS connections on port 443
community.general.ufw:
rule: allow
port: "443"
- name: Configure ufw firewall to deny access to ChatGPT-User's IP range
community.general.ufw:
rule: deny
src: 23.98.142.176/28
comment: ChatGPT-User (https://platform.openai.com/docs/plugins/bot)
- name: Load GPTBot IP ranges
uri:
url: https://openai.com/gptbot.json
register: gptbot_info
- name: Configure ufw firewall to deny access to each of GPTBot's IP ranges
community.general.ufw:
rule: deny
src: "{{ item }}"
comment: GPTBot (https://platform.openai.com/docs/gptbot)
loop: "{{ gptbot_info['json'] |
community.general.json_query('prefixes[*].ipv4Prefix') }}"
- name: Enable ufw firewall with all other ports closed by default
community.general.ufw:
state: enabled
policy: deny
- name: Install unattended-upgrades
apt:
name: unattended-upgrades
- name: Enable unattended-upgrades to auto-upgrade our system
copy:
content: |
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
dest: /etc/apt/apt.conf.d/20auto-upgrades
- name: Configure unattended-upgrades to auto-reboot our server when necessary
lineinfile:
regex: ^(//\s*)?Unattended-Upgrade::Automatic-Reboot ".*";$
line: Unattended-Upgrade::Automatic-Reboot "true";
dest: /etc/apt/apt.conf.d/50unattended-upgrades
- name: Configure the system timezone to be US Pacific time
community.general.timezone:
name: America/Los_Angeles
- name: Configure unattended-upgrades to delay necessary reboots to 3am
lineinfile:
regex: ^(//\s*)?Unattended-Upgrade::Automatic-Reboot-Time ".*";$
line: Unattended-Upgrade::Automatic-Reboot-Time "03:00";
dest: /etc/apt/apt.conf.d/50unattended-upgrades

28
setup-users.yml Executable file
View file

@ -0,0 +1,28 @@
---
- name: Set up user accounts
hosts: webserver
become: yes
become_user: root
tasks:
- name: Create user account for matchu
user:
name: matchu
comment: Emi Matchu
- name: Create matchu's .ssh folder
file:
name: /home/matchu/.ssh
mode: "700"
owner: matchu
group: matchu
state: directory
- name: Set up matchu's public SSH keys
copy:
dest: /home/matchu/.ssh/authorized_keys
mode: "600"
owner: matchu
group: matchu
content: |
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKFwWryq6slOQqkrJ7HIig7BvEQVQeH19hFwb+9VpXgz Matchu's Laptop (Ebon Hawk)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIu5a+mp2KKSGkOGWQPrARCrsqJS4g2vK7TmRIbj/YBh Matchu's Desktop (Leviathan 2023)