OpenNeo/openneo-code
OpenNeo/openneo-code
1
0
Fork 0
Code Pull requests Activity

Compare commits

base: OpenNeo:7e9ca2023ca1671708107b82cbd901d84f3c6103
Branches Tags
OpenNeo:main
...
compare: OpenNeo:c2e33fd4cf4564b6e8568a8520f4d97d335b1053
Branches Tags
OpenNeo:main

4 commits
7e9ca2023c ... c2e33fd4cf

Author SHA1 Message Date
Emi Matchu
c2e33fd4cf Replace run.sh with ansible-playbook 
I've learned more about Ansible, and that the flags I set by using
`run.sh` are also settable with a `ansible.cfg` file! That's about the
same amount of overhead, but enables everything else to be more
standard. Neat!
 2024-06-10 13:05:51 -07:00
Emi Matchu
24ea2b9de1 Oops, update the README to match the newly-renamed setup-machine.yml 2024-06-10 13:04:56 -07:00
Emi Matchu
a9db85d7c8 Restart every week, to help ensure SSL certificate renews 
Oh right, I dealt with this a few months ago too: I got a notice from
Let's Encrypt that our code.openneo.net SSL certificate was going to
expire soon. And last time, restarting the Forgejo service fixed it and
got a new certificate issued immediately!

My inference is that the logic to check on the certificate status only
happens on startup. So, let's add code to the service file to ensure
that Forgejo will terminate after 7 days of runtime; and the
`Restart=always` setting will ensure that it comes immediately back up.
 2024-06-10 13:03:19 -07:00
Emi Matchu
fcc9a0a3ce Configure machine's hostname as code.openneo.net 2024-06-10 12:55:00 -07:00
5 changed files with 18 additions and 7 deletions
Show stats Expand all files Collapse all files

10
README.md
View file

@ -9,23 +9,23 @@ We like to use Ansible playbooks to keep track of how we set up our servers,
here's how we've structured them! (We don't use very fancy Ansible features, we
just use them as idempotent command-line scripts!)
- `setup-users.yml`: Sets up the user accounts for the system, with their SSH
keys for login.
- `setup-machine.yml`: Sets up the hostname config and user accounts for the
system, with their SSH keys for login.
- `setup-security.yml`: Sets up firewall rules and automatic system updates.
(This is a standard playbook I use for all my servers!)
- `setup-forgejo.yml`: Sets up the Forgejo server itself, as a `systemd`
service running Forgejo's official Linux binary. This is mostly a 1:1 port
of [Forgejo's "Installation from binary" guide][fj-install]!
You can run them individually, or all at once, with `run.sh`:
You can run them individually, or all at once, with `ansible-playbook`:
run.sh setup-all.yml
ansible-playbook setup-all.yml
If you're interested in setting up your own Forgejo service, this could be
useful as a starting point, there's not much custom here! Just a couple things
to note:
- `setup-users.yml` contains my own username and my own SSH public keys—you'll
- `setup-machine.yml` contains my own username and my own SSH public keys—you'll
want to replace those! (Public SSH keys aren't secret, don't worry, I'm fine!)
- `files/app.ini` includes some custom config you'll need to replace, like our
domain name. (We also opt to use Forgejo's built-in HTTPS support, via

5
ansible.cfg Normal file
View file

@ -0,0 +1,5 @@
[defaults]
inventory = inventory.cfg
[privilege_escalation]
become_ask_pass = True

3
files/forgejo.service
View file

@ -51,6 +51,9 @@ After=network.target
###
[Service]
# NOTE: I found that Let's Encrypt certificates only renew when the service
# starts, so let's make sure we're restarting every so often.
RuntimeMaxSec=7d
# Uncomment the next line if you have repos with lots of files and get a HTTP 500 error because of that
# LimitNOFILE=524288:524288
RestartSec=2s

1
run.sh
View file

@ -1 +0,0 @@
ansible-playbook -i inventory.cfg --ask-become-pass $1

6
setup-users.yml → setup-machine.yml
View file

@ -1,9 +1,13 @@
---
- name: Set up user accounts
- name: Set up host config & user accounts
hosts: webserver
become: yes
become_user: root
tasks:
- name: Set hostname to code.openneo.net
hostname:
name: code.openneo.net
- name: Create user account for matchu
user:
name: matchu