initial commit: it runs!

2024-01-13 21:47:50 -08:00 · 2024-01-13 21:47:50 -08:00 · db09f95ac1
commit db09f95ac1
6 changed files with 293 additions and 0 deletions
--- a/files/forgejo.service
+++ b/files/forgejo.service
@ -0,0 +1,88 @@
+# Adapted from https://codeberg.org/forgejo/forgejo/raw/branch/forgejo/contrib/systemd/forgejo.service
+
+[Unit]
+Description=Forgejo (Beyond coding. We forge.)
+After=syslog.target
+After=network.target
+###
+# Don't forget to add the database service dependencies
+###
+#
+#Wants=mysql.service
+#After=mysql.service
+#
+#Wants=mariadb.service
+#After=mariadb.service
+#
+#Wants=postgresql.service
+#After=postgresql.service
+#
+#Wants=memcached.service
+#After=memcached.service
+#
+#Wants=redis.service
+#After=redis.service
+#
+###
+# If using socket activation for main http/s
+###
+#
+#After=forgejo.main.socket
+#Requires=forgejo.main.socket
+#
+###
+# (You can also provide forgejo an http fallback and/or ssh socket too)
+#
+# An example of /etc/systemd/system/forgejo.main.socket
+###
+##
+## [Unit]
+## Description=Forgejo Web Socket
+## PartOf=forgejo.service
+##
+## [Socket]
+## Service=forgejo.service
+## ListenStream=<some_port>
+## NoDelay=true
+##
+## [Install]
+## WantedBy=sockets.target
+##
+###
+
+[Service]
+# Uncomment the next line if you have repos with lots of files and get a HTTP 500 error because of that
+# LimitNOFILE=524288:524288
+RestartSec=2s
+Type=simple
+User=git
+Group=git
+WorkingDirectory=/var/lib/forgejo/
+# If using Unix socket: tells systemd to create the /run/forgejo folder, which will contain the forgejo.sock file
+# (manually creating /run/forgejo doesn't work, because it would not persist across reboots)
+#RuntimeDirectory=forgejo
+ExecStart=/usr/local/bin/forgejo web --config /etc/forgejo/app.ini
+Restart=always
+Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/forgejo
+# If you install Git to directory prefix other than default PATH (which happens
+# for example if you install other versions of Git side-to-side with
+# distribution version), uncomment below line and add that prefix to PATH
+# Don't forget to place git-lfs binary on the PATH below if you want to enable
+# Git LFS support
+#Environment=PATH=/path/to/git/bin:/bin:/sbin:/usr/bin:/usr/sbin
+# If you want to bind Forgejo to a port below 1024, uncomment
+# the two values below, or use socket activation to pass Forgejo its ports as above
+###
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+###
+# In some cases, when using CapabilityBoundingSet and AmbientCapabilities option, you may want to
+# set the following value to false to allow capabilities to be applied on Forgejo process. The following
+# value if set to true sandboxes Forgejo service and prevent any processes from running with privileges
+# in the host user namespace.
+###
+#PrivateUsers=false
+###
+
+[Install]
+WantedBy=multi-user.target
--- a/inventory.cfg
+++ b/inventory.cfg
@ -0,0 +1,2 @@
+[webserver]
+code.openneo.net
--- a/run.sh
+++ b/run.sh
@ -0,0 +1 @@
+ansible-playbook -i inventory.cfg --ask-become-pass $1
--- a/setup-forgejo.yml
+++ b/setup-forgejo.yml
@ -0,0 +1,73 @@
+---
+# Adapted from https://forgejo.org/docs/latest/admin/installation-binary/
+- name: Install Forgejo
+  hosts: webserver
+  become: yes
+  become_user: root
+  tasks:
+    - name: Download Forgejo binary to /usr/local/bin (and verify its checksum)
+      get_url:
+        url: https://codeberg.org/forgejo/forgejo/releases/download/v1.21.3-0/forgejo-1.21.3-0-linux-amd64
+        dest: /usr/local/bin/forgejo
+        checksum: "sha256:8c8f34e889f968b4f9357701ceee7daab5b47ea605793325da8e3e740457b45a"
+        mode: "755"
+
+    - name: Update apt cache
+      apt:
+        update_cache: true
+
+    - name: Install git and git-lfs
+      apt:
+        name:
+          - git
+          - git-lfs
+
+    - name: Create git user
+      user:
+        name: git
+        password: "!" # disables password login
+        home: /home/git
+        shell: /bin/bash
+        comment: Git Version Control
+
+    - name: Create Forgejo's data directory
+      file:
+        path: /var/lib/forgejo
+        state: directory
+        mode: "750"
+        owner: git
+        group: git
+
+    - name: Create Forgejo's config directory
+      file:
+        path: /etc/forgejo
+        state: directory
+        mode: "770"
+        owner: root
+        group: git
+
+    - name: Install systemd service for Forgejo
+      copy:
+        src: files/forgejo.service
+        dest: /etc/systemd/system/forgejo.service
+      notify:
+        - Reload Forgejo's service file and restart Forgejo
+
+    - name: Start Forgejo service
+      systemd_service:
+        name: forgejo
+        state: started
+
+    - name: Print hint to go configure
+      debug:
+        msg: >
+          Forgejo is now running on port 3000! Run `ssh -L 3000:localhost:3000
+          code.openneo.net` to be able to open `localhost:3000` in your local
+          browser and have it redirect to Forgejo's setup page!
+
+  handlers:
+    - name: Reload Forgejo's service file and restart Forgejo
+      systemd_service:
+        name: forgejo
+        state: restarted
+        daemon_reload: true
--- a/setup-security.yml
+++ b/setup-security.yml
@ -0,0 +1,101 @@
+---
+- name: Set up security defaults
+  hosts: webserver
+  become: yes
+  become_user: root
+  tasks:
+    - name: Disable root SSH login
+      lineinfile:
+        dest: /etc/ssh/sshd_config
+        regexp: ^#?PermitRootLogin
+        line: PermitRootLogin no
+
+    - name: Disable password-based SSH authentication
+      lineinfile:
+        dest: /etc/ssh/sshd_config
+        regexp: ^#?PasswordAuthentication
+        line: PasswordAuthentication no
+
+    - name: Enable public-key SSH authentication
+      lineinfile:
+        dest: /etc/ssh/sshd_config
+        regexp: ^#?PubkeyAuthentication
+        line: PubkeyAuthentication yes
+
+    - name: Update the apt cache
+      apt:
+        update_cache: yes
+
+    - name: Install fail2ban firewall with default settings
+      apt:
+        name: fail2ban
+
+    - name: Install ufw firewall
+      apt:
+        name: ufw
+
+    - name: Configure ufw firewall to allow SSH connections on port 22
+      community.general.ufw:
+        rule: allow
+        port: "22"
+
+    - name: Configure ufw firewall to allow HTTP connections on port 80
+      community.general.ufw:
+        rule: allow
+        port: "80"
+
+    - name: Configure ufw firewall to allow HTTPS connections on port 443
+      community.general.ufw:
+        rule: allow
+        port: "443"
+
+    - name: Configure ufw firewall to deny access to ChatGPT-User's IP range
+      community.general.ufw:
+        rule: deny
+        src: 23.98.142.176/28
+        comment: ChatGPT-User (https://platform.openai.com/docs/plugins/bot)
+
+    - name: Load GPTBot IP ranges
+      uri:
+        url: https://openai.com/gptbot.json
+      register: gptbot_info
+
+    - name: Configure ufw firewall to deny access to each of GPTBot's IP ranges
+      community.general.ufw:
+        rule: deny
+        src: "{{ item }}"
+        comment: GPTBot (https://platform.openai.com/docs/gptbot)
+      loop: "{{ gptbot_info['json'] |
+        community.general.json_query('prefixes[*].ipv4Prefix') }}"
+
+    - name: Enable ufw firewall with all other ports closed by default
+      community.general.ufw:
+        state: enabled
+        policy: deny
+
+    - name: Install unattended-upgrades
+      apt:
+        name: unattended-upgrades
+
+    - name: Enable unattended-upgrades to auto-upgrade our system
+      copy:
+        content: |
+          APT::Periodic::Update-Package-Lists "1";
+          APT::Periodic::Unattended-Upgrade "1";
+        dest: /etc/apt/apt.conf.d/20auto-upgrades
+
+    - name: Configure unattended-upgrades to auto-reboot our server when necessary
+      lineinfile:
+        regex: ^(//\s*)?Unattended-Upgrade::Automatic-Reboot ".*";$
+        line: Unattended-Upgrade::Automatic-Reboot "true";
+        dest: /etc/apt/apt.conf.d/50unattended-upgrades
+
+    - name: Configure the system timezone to be US Pacific time
+      community.general.timezone:
+        name: America/Los_Angeles
+
+    - name: Configure unattended-upgrades to delay necessary reboots to 3am
+      lineinfile:
+        regex: ^(//\s*)?Unattended-Upgrade::Automatic-Reboot-Time ".*";$
+        line: Unattended-Upgrade::Automatic-Reboot-Time "03:00";
+        dest: /etc/apt/apt.conf.d/50unattended-upgrades
--- a/setup-users.yml
+++ b/setup-users.yml
@ -0,0 +1,28 @@
+---
+- name: Set up user accounts
+  hosts: webserver
+  become: yes
+  become_user: root
+  tasks:
+    - name: Create user account for matchu
+      user:
+        name: matchu
+        comment: Emi Matchu
+
+    - name: Create matchu's .ssh folder
+      file:
+        name: /home/matchu/.ssh
+        mode: "700"
+        owner: matchu
+        group: matchu
+        state: directory
+
+    - name: Set up matchu's public SSH keys
+      copy:
+        dest: /home/matchu/.ssh/authorized_keys
+        mode: "600"
+        owner: matchu
+        group: matchu
+        content: |
+          ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKFwWryq6slOQqkrJ7HIig7BvEQVQeH19hFwb+9VpXgz Matchu's Laptop (Ebon Hawk)
+          ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIu5a+mp2KKSGkOGWQPrARCrsqJS4g2vK7TmRIbj/YBh Matchu's Desktop (Leviathan 2023)
				`@ -0,0 +1 @@`
				`ansible-playbook -i inventory.cfg --ask-become-pass $1`