├── .ansible-lint ├── .env-sample.yml ├── .gitignore ├── .gitlab-ci.yml ├── .yamllint ├── LICENSE ├── README.md ├── ansible.cfg ├── init.sh ├── inventory.yml ├── roles ├── analytics │ └── tasks │ │ ├── main.yml │ │ ├── maintenance.yml │ │ ├── run.yml │ │ └── setup.yml ├── common_roles │ ├── docker │ │ └── tasks │ │ │ └── main.yml │ └── install_latest │ │ └── tasks │ │ └── main.yml ├── custom │ ├── tasks │ │ ├── dotfiles.yml │ │ ├── install.yml │ │ ├── main.yml │ │ └── root.yml │ └── vars │ │ └── main.yml ├── fail2ban │ ├── tasks │ │ └── main.yml │ └── templates │ │ ├── cloudflare_action │ │ ├── common_filter │ │ ├── jail │ │ └── mail_action ├── gitea │ └── tasks │ │ ├── main.yml │ │ ├── maintenance.yml │ │ ├── run.yml │ │ ├── setup.yml │ │ └── ssh_passthrough.yml ├── harden │ └── tasks │ │ ├── firewall.yml │ │ ├── main.yml │ │ └── ssh.yml ├── housekeeping │ └── tasks │ │ ├── cleanup.yml │ │ ├── main.yml │ │ └── update.yml ├── nextcloud │ └── tasks │ │ ├── main.yml │ │ ├── maintenance.yml │ │ ├── run.yml │ │ └── setup.yml ├── nginx │ ├── files │ │ ├── harden.conf │ │ └── nginx.conf │ ├── tasks │ │ ├── certs.yml │ │ ├── config.yml │ │ ├── install.yml │ │ ├── main.yml │ │ └── servers.yml │ └── templates │ │ ├── nginx-service │ │ └── nginx-website ├── onion │ └── tasks │ │ └── main.yml ├── searx │ ├── tasks │ │ ├── main.yml │ │ ├── maintenance.yml │ │ ├── run.yml │ │ └── setup.yml │ └── templates │ │ └── settings.yml ├── user │ └── tasks │ │ ├── create.yml │ │ ├── main.yml │ │ └── priviledges.yml ├── vault │ └── tasks │ │ ├── main.yml │ │ ├── maintenance.yml │ │ ├── run.yml │ │ └── setup.yml ├── website │ └── tasks │ │ └── main.yml └── welcome │ ├── files │ ├── 20-kernel │ └── 30-resources │ ├── tasks │ └── main.yml │ └── templates │ └── 10-welcome └── run.yml /.ansible-lint: -------------------------------------------------------------------------------- 1 | --- 2 | skip_list: 3 | - yaml[document-start] 4 | - fqcn 5 | - latest[git] 6 | - no-handler 7 | - name 8 | - role-name[path] 9 | - var-naming[no-role-prefix] 10 | -------------------------------------------------------------------------------- /.env-sample.yml: -------------------------------------------------------------------------------- 1 | # Remote user to be created/used 2 | username: "ansible" 3 | 4 | domain: "your.domain.com" 5 | # Also set your VPS's IP if using Cloudflare 6 | # ip: 192.168.1.1 7 | 8 | # Email address for SSL cert and Gitea instance 9 | email: "your@email.address" 10 | 11 | nextcloud_username: "admin_user" 12 | nextcloud_password: "admin_pwd" 13 | 14 | gitea_username: "admin_user" 15 | gitea_password: "admin_pwd" 16 | 17 | vaultwarden_password: "admin_panel_pwd" 18 | 19 | # Defaults to '~/.ssh/id_rsa' to establish a connection 20 | # Uncomment and set you own if needed 21 | # ssh_key: "~/.ssh/[YOUR_PRIVATE_KEY]" 22 | 23 | # Uncomment and point to your stow-based dotfiles 24 | # repository to get them installed on your VPS 25 | # dotfiles_repo: "https://github.com/ericdriussi/dotfiles.git" 26 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .env.yml 2 | ./*.vim 3 | ssh_keys/ 4 | -------------------------------------------------------------------------------- /.gitlab-ci.yml: -------------------------------------------------------------------------------- 1 | stages: 2 | - run 3 | 4 | default: 5 | image: debian:12 6 | before_script: 7 | - apt update 8 | - mkdir -p /run/sshd 9 | - | 10 | cat <.env.yml 11 | --- 12 | username: "ansible" 13 | domain: "localhost" 14 | email: "an@email.address" 15 | nextcloud_username: "admin_user" 16 | nextcloud_password: "admin_pwd" 17 | gitea_username: "admin_user" 18 | gitea_password: "admin_pwd" 19 | vaultwarden_password: "admin_panel_pwd" 20 | ssh_key: "~/.ssh/id_rsa" 21 | dotfiles_repo: "https://gitlab.com/ericdriussi/dotfiles.git" 22 | EOF 23 | 24 | run_job: 25 | stage: run 26 | script: 27 | - chmod 755 . 28 | - ./init.sh --connection=local --skip-tags=ignore-ci 29 | interruptible: true 30 | -------------------------------------------------------------------------------- /.yamllint: -------------------------------------------------------------------------------- 1 | --- 2 | extends: default 3 | 4 | rules: 5 | line-length: disable 6 | truthy: 7 | allowed-values: ['true', 'false', 'yes', 'no'] 8 | comments: 9 | min-spaces-from-content: 0 10 | braces: 11 | min-spaces-inside: 0 12 | max-spaces-inside: 1 13 | indentation: 14 | spaces: consistent 15 | ignore: | 16 | .cache 17 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 3, 29 June 2007 3 | 4 | Copyright (C) 2007 Free Software Foundation, Inc. 5 | Everyone is permitted to copy and distribute verbatim copies 6 | of this license document, but changing it is not allowed. 7 | 8 | Preamble 9 | 10 | The GNU General Public License is a free, copyleft license for 11 | software and other kinds of works. 12 | 13 | The licenses for most software and other practical works are designed 14 | to take away your freedom to share and change the works. By contrast, 15 | the GNU General Public License is intended to guarantee your freedom to 16 | share and change all versions of a program--to make sure it remains free 17 | software for all its users. We, the Free Software Foundation, use the 18 | GNU General Public License for most of our software; it applies also to 19 | any other work released this way by its authors. You can apply it to 20 | your programs, too. 21 | 22 | When we speak of free software, we are referring to freedom, not 23 | price. Our General Public Licenses are designed to make sure that you 24 | have the freedom to distribute copies of free software (and charge for 25 | them if you wish), that you receive source code or can get it if you 26 | want it, that you can change the software or use pieces of it in new 27 | free programs, and that you know you can do these things. 28 | 29 | To protect your rights, we need to prevent others from denying you 30 | these rights or asking you to surrender the rights. Therefore, you have 31 | certain responsibilities if you distribute copies of the software, or if 32 | you modify it: responsibilities to respect the freedom of others. 33 | 34 | For example, if you distribute copies of such a program, whether 35 | gratis or for a fee, you must pass on to the recipients the same 36 | freedoms that you received. You must make sure that they, too, receive 37 | or can get the source code. And you must show them these terms so they 38 | know their rights. 39 | 40 | Developers that use the GNU GPL protect your rights with two steps: 41 | (1) assert copyright on the software, and (2) offer you this License 42 | giving you legal permission to copy, distribute and/or modify it. 43 | 44 | For the developers' and authors' protection, the GPL clearly explains 45 | that there is no warranty for this free software. For both users' and 46 | authors' sake, the GPL requires that modified versions be marked as 47 | changed, so that their problems will not be attributed erroneously to 48 | authors of previous versions. 49 | 50 | Some devices are designed to deny users access to install or run 51 | modified versions of the software inside them, although the manufacturer 52 | can do so. This is fundamentally incompatible with the aim of 53 | protecting users' freedom to change the software. The systematic 54 | pattern of such abuse occurs in the area of products for individuals to 55 | use, which is precisely where it is most unacceptable. Therefore, we 56 | have designed this version of the GPL to prohibit the practice for those 57 | products. If such problems arise substantially in other domains, we 58 | stand ready to extend this provision to those domains in future versions 59 | of the GPL, as needed to protect the freedom of users. 60 | 61 | Finally, every program is threatened constantly by software patents. 62 | States should not allow patents to restrict development and use of 63 | software on general-purpose computers, but in those that do, we wish to 64 | avoid the special danger that patents applied to a free program could 65 | make it effectively proprietary. To prevent this, the GPL assures that 66 | patents cannot be used to render the program non-free. 67 | 68 | The precise terms and conditions for copying, distribution and 69 | modification follow. 70 | 71 | TERMS AND CONDITIONS 72 | 73 | 0. Definitions. 74 | 75 | "This License" refers to version 3 of the GNU General Public License. 76 | 77 | "Copyright" also means copyright-like laws that apply to other kinds of 78 | works, such as semiconductor masks. 79 | 80 | "The Program" refers to any copyrightable work licensed under this 81 | License. Each licensee is addressed as "you". "Licensees" and 82 | "recipients" may be individuals or organizations. 83 | 84 | To "modify" a work means to copy from or adapt all or part of the work 85 | in a fashion requiring copyright permission, other than the making of an 86 | exact copy. The resulting work is called a "modified version" of the 87 | earlier work or a work "based on" the earlier work. 88 | 89 | A "covered work" means either the unmodified Program or a work based 90 | on the Program. 91 | 92 | To "propagate" a work means to do anything with it that, without 93 | permission, would make you directly or secondarily liable for 94 | infringement under applicable copyright law, except executing it on a 95 | computer or modifying a private copy. Propagation includes copying, 96 | distribution (with or without modification), making available to the 97 | public, and in some countries other activities as well. 98 | 99 | To "convey" a work means any kind of propagation that enables other 100 | parties to make or receive copies. Mere interaction with a user through 101 | a computer network, with no transfer of a copy, is not conveying. 102 | 103 | An interactive user interface displays "Appropriate Legal Notices" 104 | to the extent that it includes a convenient and prominently visible 105 | feature that (1) displays an appropriate copyright notice, and (2) 106 | tells the user that there is no warranty for the work (except to the 107 | extent that warranties are provided), that licensees may convey the 108 | work under this License, and how to view a copy of this License. If 109 | the interface presents a list of user commands or options, such as a 110 | menu, a prominent item in the list meets this criterion. 111 | 112 | 1. Source Code. 113 | 114 | The "source code" for a work means the preferred form of the work 115 | for making modifications to it. "Object code" means any non-source 116 | form of a work. 117 | 118 | A "Standard Interface" means an interface that either is an official 119 | standard defined by a recognized standards body, or, in the case of 120 | interfaces specified for a particular programming language, one that 121 | is widely used among developers working in that language. 122 | 123 | The "System Libraries" of an executable work include anything, other 124 | than the work as a whole, that (a) is included in the normal form of 125 | packaging a Major Component, but which is not part of that Major 126 | Component, and (b) serves only to enable use of the work with that 127 | Major Component, or to implement a Standard Interface for which an 128 | implementation is available to the public in source code form. A 129 | "Major Component", in this context, means a major essential component 130 | (kernel, window system, and so on) of the specific operating system 131 | (if any) on which the executable work runs, or a compiler used to 132 | produce the work, or an object code interpreter used to run it. 133 | 134 | The "Corresponding Source" for a work in object code form means all 135 | the source code needed to generate, install, and (for an executable 136 | work) run the object code and to modify the work, including scripts to 137 | control those activities. However, it does not include the work's 138 | System Libraries, or general-purpose tools or generally available free 139 | programs which are used unmodified in performing those activities but 140 | which are not part of the work. For example, Corresponding Source 141 | includes interface definition files associated with source files for 142 | the work, and the source code for shared libraries and dynamically 143 | linked subprograms that the work is specifically designed to require, 144 | such as by intimate data communication or control flow between those 145 | subprograms and other parts of the work. 146 | 147 | The Corresponding Source need not include anything that users 148 | can regenerate automatically from other parts of the Corresponding 149 | Source. 150 | 151 | The Corresponding Source for a work in source code form is that 152 | same work. 153 | 154 | 2. Basic Permissions. 155 | 156 | All rights granted under this License are granted for the term of 157 | copyright on the Program, and are irrevocable provided the stated 158 | conditions are met. This License explicitly affirms your unlimited 159 | permission to run the unmodified Program. The output from running a 160 | covered work is covered by this License only if the output, given its 161 | content, constitutes a covered work. This License acknowledges your 162 | rights of fair use or other equivalent, as provided by copyright law. 163 | 164 | You may make, run and propagate covered works that you do not 165 | convey, without conditions so long as your license otherwise remains 166 | in force. You may convey covered works to others for the sole purpose 167 | of having them make modifications exclusively for you, or provide you 168 | with facilities for running those works, provided that you comply with 169 | the terms of this License in conveying all material for which you do 170 | not control copyright. Those thus making or running the covered works 171 | for you must do so exclusively on your behalf, under your direction 172 | and control, on terms that prohibit them from making any copies of 173 | your copyrighted material outside their relationship with you. 174 | 175 | Conveying under any other circumstances is permitted solely under 176 | the conditions stated below. Sublicensing is not allowed; section 10 177 | makes it unnecessary. 178 | 179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 180 | 181 | No covered work shall be deemed part of an effective technological 182 | measure under any applicable law fulfilling obligations under article 183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or 184 | similar laws prohibiting or restricting circumvention of such 185 | measures. 186 | 187 | When you convey a covered work, you waive any legal power to forbid 188 | circumvention of technological measures to the extent such circumvention 189 | is effected by exercising rights under this License with respect to 190 | the covered work, and you disclaim any intention to limit operation or 191 | modification of the work as a means of enforcing, against the work's 192 | users, your or third parties' legal rights to forbid circumvention of 193 | technological measures. 194 | 195 | 4. Conveying Verbatim Copies. 196 | 197 | You may convey verbatim copies of the Program's source code as you 198 | receive it, in any medium, provided that you conspicuously and 199 | appropriately publish on each copy an appropriate copyright notice; 200 | keep intact all notices stating that this License and any 201 | non-permissive terms added in accord with section 7 apply to the code; 202 | keep intact all notices of the absence of any warranty; and give all 203 | recipients a copy of this License along with the Program. 204 | 205 | You may charge any price or no price for each copy that you convey, 206 | and you may offer support or warranty protection for a fee. 207 | 208 | 5. Conveying Modified Source Versions. 209 | 210 | You may convey a work based on the Program, or the modifications to 211 | produce it from the Program, in the form of source code under the 212 | terms of section 4, provided that you also meet all of these conditions: 213 | 214 | a) The work must carry prominent notices stating that you modified 215 | it, and giving a relevant date. 216 | 217 | b) The work must carry prominent notices stating that it is 218 | released under this License and any conditions added under section 219 | 7. This requirement modifies the requirement in section 4 to 220 | "keep intact all notices". 221 | 222 | c) You must license the entire work, as a whole, under this 223 | License to anyone who comes into possession of a copy. This 224 | License will therefore apply, along with any applicable section 7 225 | additional terms, to the whole of the work, and all its parts, 226 | regardless of how they are packaged. This License gives no 227 | permission to license the work in any other way, but it does not 228 | invalidate such permission if you have separately received it. 229 | 230 | d) If the work has interactive user interfaces, each must display 231 | Appropriate Legal Notices; however, if the Program has interactive 232 | interfaces that do not display Appropriate Legal Notices, your 233 | work need not make them do so. 234 | 235 | A compilation of a covered work with other separate and independent 236 | works, which are not by their nature extensions of the covered work, 237 | and which are not combined with it such as to form a larger program, 238 | in or on a volume of a storage or distribution medium, is called an 239 | "aggregate" if the compilation and its resulting copyright are not 240 | used to limit the access or legal rights of the compilation's users 241 | beyond what the individual works permit. Inclusion of a covered work 242 | in an aggregate does not cause this License to apply to the other 243 | parts of the aggregate. 244 | 245 | 6. Conveying Non-Source Forms. 246 | 247 | You may convey a covered work in object code form under the terms 248 | of sections 4 and 5, provided that you also convey the 249 | machine-readable Corresponding Source under the terms of this License, 250 | in one of these ways: 251 | 252 | a) Convey the object code in, or embodied in, a physical product 253 | (including a physical distribution medium), accompanied by the 254 | Corresponding Source fixed on a durable physical medium 255 | customarily used for software interchange. 256 | 257 | b) Convey the object code in, or embodied in, a physical product 258 | (including a physical distribution medium), accompanied by a 259 | written offer, valid for at least three years and valid for as 260 | long as you offer spare parts or customer support for that product 261 | model, to give anyone who possesses the object code either (1) a 262 | copy of the Corresponding Source for all the software in the 263 | product that is covered by this License, on a durable physical 264 | medium customarily used for software interchange, for a price no 265 | more than your reasonable cost of physically performing this 266 | conveying of source, or (2) access to copy the 267 | Corresponding Source from a network server at no charge. 268 | 269 | c) Convey individual copies of the object code with a copy of the 270 | written offer to provide the Corresponding Source. This 271 | alternative is allowed only occasionally and noncommercially, and 272 | only if you received the object code with such an offer, in accord 273 | with subsection 6b. 274 | 275 | d) Convey the object code by offering access from a designated 276 | place (gratis or for a charge), and offer equivalent access to the 277 | Corresponding Source in the same way through the same place at no 278 | further charge. You need not require recipients to copy the 279 | Corresponding Source along with the object code. If the place to 280 | copy the object code is a network server, the Corresponding Source 281 | may be on a different server (operated by you or a third party) 282 | that supports equivalent copying facilities, provided you maintain 283 | clear directions next to the object code saying where to find the 284 | Corresponding Source. Regardless of what server hosts the 285 | Corresponding Source, you remain obligated to ensure that it is 286 | available for as long as needed to satisfy these requirements. 287 | 288 | e) Convey the object code using peer-to-peer transmission, provided 289 | you inform other peers where the object code and Corresponding 290 | Source of the work are being offered to the general public at no 291 | charge under subsection 6d. 292 | 293 | A separable portion of the object code, whose source code is excluded 294 | from the Corresponding Source as a System Library, need not be 295 | included in conveying the object code work. 296 | 297 | A "User Product" is either (1) a "consumer product", which means any 298 | tangible personal property which is normally used for personal, family, 299 | or household purposes, or (2) anything designed or sold for incorporation 300 | into a dwelling. In determining whether a product is a consumer product, 301 | doubtful cases shall be resolved in favor of coverage. For a particular 302 | product received by a particular user, "normally used" refers to a 303 | typical or common use of that class of product, regardless of the status 304 | of the particular user or of the way in which the particular user 305 | actually uses, or expects or is expected to use, the product. A product 306 | is a consumer product regardless of whether the product has substantial 307 | commercial, industrial or non-consumer uses, unless such uses represent 308 | the only significant mode of use of the product. 309 | 310 | "Installation Information" for a User Product means any methods, 311 | procedures, authorization keys, or other information required to install 312 | and execute modified versions of a covered work in that User Product from 313 | a modified version of its Corresponding Source. The information must 314 | suffice to ensure that the continued functioning of the modified object 315 | code is in no case prevented or interfered with solely because 316 | modification has been made. 317 | 318 | If you convey an object code work under this section in, or with, or 319 | specifically for use in, a User Product, and the conveying occurs as 320 | part of a transaction in which the right of possession and use of the 321 | User Product is transferred to the recipient in perpetuity or for a 322 | fixed term (regardless of how the transaction is characterized), the 323 | Corresponding Source conveyed under this section must be accompanied 324 | by the Installation Information. But this requirement does not apply 325 | if neither you nor any third party retains the ability to install 326 | modified object code on the User Product (for example, the work has 327 | been installed in ROM). 328 | 329 | The requirement to provide Installation Information does not include a 330 | requirement to continue to provide support service, warranty, or updates 331 | for a work that has been modified or installed by the recipient, or for 332 | the User Product in which it has been modified or installed. Access to a 333 | network may be denied when the modification itself materially and 334 | adversely affects the operation of the network or violates the rules and 335 | protocols for communication across the network. 336 | 337 | Corresponding Source conveyed, and Installation Information provided, 338 | in accord with this section must be in a format that is publicly 339 | documented (and with an implementation available to the public in 340 | source code form), and must require no special password or key for 341 | unpacking, reading or copying. 342 | 343 | 7. Additional Terms. 344 | 345 | "Additional permissions" are terms that supplement the terms of this 346 | License by making exceptions from one or more of its conditions. 347 | Additional permissions that are applicable to the entire Program shall 348 | be treated as though they were included in this License, to the extent 349 | that they are valid under applicable law. If additional permissions 350 | apply only to part of the Program, that part may be used separately 351 | under those permissions, but the entire Program remains governed by 352 | this License without regard to the additional permissions. 353 | 354 | When you convey a copy of a covered work, you may at your option 355 | remove any additional permissions from that copy, or from any part of 356 | it. (Additional permissions may be written to require their own 357 | removal in certain cases when you modify the work.) You may place 358 | additional permissions on material, added by you to a covered work, 359 | for which you have or can give appropriate copyright permission. 360 | 361 | Notwithstanding any other provision of this License, for material you 362 | add to a covered work, you may (if authorized by the copyright holders of 363 | that material) supplement the terms of this License with terms: 364 | 365 | a) Disclaiming warranty or limiting liability differently from the 366 | terms of sections 15 and 16 of this License; or 367 | 368 | b) Requiring preservation of specified reasonable legal notices or 369 | author attributions in that material or in the Appropriate Legal 370 | Notices displayed by works containing it; or 371 | 372 | c) Prohibiting misrepresentation of the origin of that material, or 373 | requiring that modified versions of such material be marked in 374 | reasonable ways as different from the original version; or 375 | 376 | d) Limiting the use for publicity purposes of names of licensors or 377 | authors of the material; or 378 | 379 | e) Declining to grant rights under trademark law for use of some 380 | trade names, trademarks, or service marks; or 381 | 382 | f) Requiring indemnification of licensors and authors of that 383 | material by anyone who conveys the material (or modified versions of 384 | it) with contractual assumptions of liability to the recipient, for 385 | any liability that these contractual assumptions directly impose on 386 | those licensors and authors. 387 | 388 | All other non-permissive additional terms are considered "further 389 | restrictions" within the meaning of section 10. If the Program as you 390 | received it, or any part of it, contains a notice stating that it is 391 | governed by this License along with a term that is a further 392 | restriction, you may remove that term. If a license document contains 393 | a further restriction but permits relicensing or conveying under this 394 | License, you may add to a covered work material governed by the terms 395 | of that license document, provided that the further restriction does 396 | not survive such relicensing or conveying. 397 | 398 | If you add terms to a covered work in accord with this section, you 399 | must place, in the relevant source files, a statement of the 400 | additional terms that apply to those files, or a notice indicating 401 | where to find the applicable terms. 402 | 403 | Additional terms, permissive or non-permissive, may be stated in the 404 | form of a separately written license, or stated as exceptions; 405 | the above requirements apply either way. 406 | 407 | 8. Termination. 408 | 409 | You may not propagate or modify a covered work except as expressly 410 | provided under this License. Any attempt otherwise to propagate or 411 | modify it is void, and will automatically terminate your rights under 412 | this License (including any patent licenses granted under the third 413 | paragraph of section 11). 414 | 415 | However, if you cease all violation of this License, then your 416 | license from a particular copyright holder is reinstated (a) 417 | provisionally, unless and until the copyright holder explicitly and 418 | finally terminates your license, and (b) permanently, if the copyright 419 | holder fails to notify you of the violation by some reasonable means 420 | prior to 60 days after the cessation. 421 | 422 | Moreover, your license from a particular copyright holder is 423 | reinstated permanently if the copyright holder notifies you of the 424 | violation by some reasonable means, this is the first time you have 425 | received notice of violation of this License (for any work) from that 426 | copyright holder, and you cure the violation prior to 30 days after 427 | your receipt of the notice. 428 | 429 | Termination of your rights under this section does not terminate the 430 | licenses of parties who have received copies or rights from you under 431 | this License. If your rights have been terminated and not permanently 432 | reinstated, you do not qualify to receive new licenses for the same 433 | material under section 10. 434 | 435 | 9. Acceptance Not Required for Having Copies. 436 | 437 | You are not required to accept this License in order to receive or 438 | run a copy of the Program. Ancillary propagation of a covered work 439 | occurring solely as a consequence of using peer-to-peer transmission 440 | to receive a copy likewise does not require acceptance. However, 441 | nothing other than this License grants you permission to propagate or 442 | modify any covered work. These actions infringe copyright if you do 443 | not accept this License. Therefore, by modifying or propagating a 444 | covered work, you indicate your acceptance of this License to do so. 445 | 446 | 10. Automatic Licensing of Downstream Recipients. 447 | 448 | Each time you convey a covered work, the recipient automatically 449 | receives a license from the original licensors, to run, modify and 450 | propagate that work, subject to this License. You are not responsible 451 | for enforcing compliance by third parties with this License. 452 | 453 | An "entity transaction" is a transaction transferring control of an 454 | organization, or substantially all assets of one, or subdividing an 455 | organization, or merging organizations. If propagation of a covered 456 | work results from an entity transaction, each party to that 457 | transaction who receives a copy of the work also receives whatever 458 | licenses to the work the party's predecessor in interest had or could 459 | give under the previous paragraph, plus a right to possession of the 460 | Corresponding Source of the work from the predecessor in interest, if 461 | the predecessor has it or can get it with reasonable efforts. 462 | 463 | You may not impose any further restrictions on the exercise of the 464 | rights granted or affirmed under this License. For example, you may 465 | not impose a license fee, royalty, or other charge for exercise of 466 | rights granted under this License, and you may not initiate litigation 467 | (including a cross-claim or counterclaim in a lawsuit) alleging that 468 | any patent claim is infringed by making, using, selling, offering for 469 | sale, or importing the Program or any portion of it. 470 | 471 | 11. Patents. 472 | 473 | A "contributor" is a copyright holder who authorizes use under this 474 | License of the Program or a work on which the Program is based. The 475 | work thus licensed is called the contributor's "contributor version". 476 | 477 | A contributor's "essential patent claims" are all patent claims 478 | owned or controlled by the contributor, whether already acquired or 479 | hereafter acquired, that would be infringed by some manner, permitted 480 | by this License, of making, using, or selling its contributor version, 481 | but do not include claims that would be infringed only as a 482 | consequence of further modification of the contributor version. For 483 | purposes of this definition, "control" includes the right to grant 484 | patent sublicenses in a manner consistent with the requirements of 485 | this License. 486 | 487 | Each contributor grants you a non-exclusive, worldwide, royalty-free 488 | patent license under the contributor's essential patent claims, to 489 | make, use, sell, offer for sale, import and otherwise run, modify and 490 | propagate the contents of its contributor version. 491 | 492 | In the following three paragraphs, a "patent license" is any express 493 | agreement or commitment, however denominated, not to enforce a patent 494 | (such as an express permission to practice a patent or covenant not to 495 | sue for patent infringement). To "grant" such a patent license to a 496 | party means to make such an agreement or commitment not to enforce a 497 | patent against the party. 498 | 499 | If you convey a covered work, knowingly relying on a patent license, 500 | and the Corresponding Source of the work is not available for anyone 501 | to copy, free of charge and under the terms of this License, through a 502 | publicly available network server or other readily accessible means, 503 | then you must either (1) cause the Corresponding Source to be so 504 | available, or (2) arrange to deprive yourself of the benefit of the 505 | patent license for this particular work, or (3) arrange, in a manner 506 | consistent with the requirements of this License, to extend the patent 507 | license to downstream recipients. "Knowingly relying" means you have 508 | actual knowledge that, but for the patent license, your conveying the 509 | covered work in a country, or your recipient's use of the covered work 510 | in a country, would infringe one or more identifiable patents in that 511 | country that you have reason to believe are valid. 512 | 513 | If, pursuant to or in connection with a single transaction or 514 | arrangement, you convey, or propagate by procuring conveyance of, a 515 | covered work, and grant a patent license to some of the parties 516 | receiving the covered work authorizing them to use, propagate, modify 517 | or convey a specific copy of the covered work, then the patent license 518 | you grant is automatically extended to all recipients of the covered 519 | work and works based on it. 520 | 521 | A patent license is "discriminatory" if it does not include within 522 | the scope of its coverage, prohibits the exercise of, or is 523 | conditioned on the non-exercise of one or more of the rights that are 524 | specifically granted under this License. You may not convey a covered 525 | work if you are a party to an arrangement with a third party that is 526 | in the business of distributing software, under which you make payment 527 | to the third party based on the extent of your activity of conveying 528 | the work, and under which the third party grants, to any of the 529 | parties who would receive the covered work from you, a discriminatory 530 | patent license (a) in connection with copies of the covered work 531 | conveyed by you (or copies made from those copies), or (b) primarily 532 | for and in connection with specific products or compilations that 533 | contain the covered work, unless you entered into that arrangement, 534 | or that patent license was granted, prior to 28 March 2007. 535 | 536 | Nothing in this License shall be construed as excluding or limiting 537 | any implied license or other defenses to infringement that may 538 | otherwise be available to you under applicable patent law. 539 | 540 | 12. No Surrender of Others' Freedom. 541 | 542 | If conditions are imposed on you (whether by court order, agreement or 543 | otherwise) that contradict the conditions of this License, they do not 544 | excuse you from the conditions of this License. If you cannot convey a 545 | covered work so as to satisfy simultaneously your obligations under this 546 | License and any other pertinent obligations, then as a consequence you may 547 | not convey it at all. For example, if you agree to terms that obligate you 548 | to collect a royalty for further conveying from those to whom you convey 549 | the Program, the only way you could satisfy both those terms and this 550 | License would be to refrain entirely from conveying the Program. 551 | 552 | 13. Use with the GNU Affero General Public License. 553 | 554 | Notwithstanding any other provision of this License, you have 555 | permission to link or combine any covered work with a work licensed 556 | under version 3 of the GNU Affero General Public License into a single 557 | combined work, and to convey the resulting work. The terms of this 558 | License will continue to apply to the part which is the covered work, 559 | but the special requirements of the GNU Affero General Public License, 560 | section 13, concerning interaction through a network will apply to the 561 | combination as such. 562 | 563 | 14. Revised Versions of this License. 564 | 565 | The Free Software Foundation may publish revised and/or new versions of 566 | the GNU General Public License from time to time. Such new versions will 567 | be similar in spirit to the present version, but may differ in detail to 568 | address new problems or concerns. 569 | 570 | Each version is given a distinguishing version number. If the 571 | Program specifies that a certain numbered version of the GNU General 572 | Public License "or any later version" applies to it, you have the 573 | option of following the terms and conditions either of that numbered 574 | version or of any later version published by the Free Software 575 | Foundation. If the Program does not specify a version number of the 576 | GNU General Public License, you may choose any version ever published 577 | by the Free Software Foundation. 578 | 579 | If the Program specifies that a proxy can decide which future 580 | versions of the GNU General Public License can be used, that proxy's 581 | public statement of acceptance of a version permanently authorizes you 582 | to choose that version for the Program. 583 | 584 | Later license versions may give you additional or different 585 | permissions. However, no additional obligations are imposed on any 586 | author or copyright holder as a result of your choosing to follow a 587 | later version. 588 | 589 | 15. Disclaimer of Warranty. 590 | 591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY 594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 599 | 600 | 16. Limitation of Liability. 601 | 602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY 605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF 607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD 608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), 609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF 610 | SUCH DAMAGES. 611 | 612 | 17. Interpretation of Sections 15 and 16. 613 | 614 | If the disclaimer of warranty and limitation of liability provided 615 | above cannot be given local legal effect according to their terms, 616 | reviewing courts shall apply local law that most closely approximates 617 | an absolute waiver of all civil liability in connection with the 618 | Program, unless a warranty or assumption of liability accompanies a 619 | copy of the Program in return for a fee. 620 | 621 | END OF TERMS AND CONDITIONS 622 | 623 | How to Apply These Terms to Your New Programs 624 | 625 | If you develop a new program, and you want it to be of the greatest 626 | possible use to the public, the best way to achieve this is to make it 627 | free software which everyone can redistribute and change under these terms. 628 | 629 | To do so, attach the following notices to the program. It is safest 630 | to attach them to the start of each source file to most effectively 631 | state the exclusion of warranty; and each file should have at least 632 | the "copyright" line and a pointer to where the full notice is found. 633 | 634 | 635 | Copyright (C) 636 | 637 | This program is free software: you can redistribute it and/or modify 638 | it under the terms of the GNU General Public License as published by 639 | the Free Software Foundation, either version 3 of the License, or 640 | (at your option) any later version. 641 | 642 | This program is distributed in the hope that it will be useful, 643 | but WITHOUT ANY WARRANTY; without even the implied warranty of 644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 645 | GNU General Public License for more details. 646 | 647 | You should have received a copy of the GNU General Public License 648 | along with this program. If not, see . 649 | 650 | Also add information on how to contact you by electronic and paper mail. 651 | 652 | If the program does terminal interaction, make it output a short 653 | notice like this when it starts in an interactive mode: 654 | 655 | Copyright (C) 656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 657 | This is free software, and you are welcome to redistribute it 658 | under certain conditions; type `show c' for details. 659 | 660 | The hypothetical commands `show w' and `show c' should show the appropriate 661 | parts of the General Public License. Of course, your program's commands 662 | might be different; for a GUI interface, you would use an "about box". 663 | 664 | You should also get your employer (if you work as a programmer) or school, 665 | if any, to sign a "copyright disclaimer" for the program, if necessary. 666 | For more information on this, and how to apply and follow the GNU GPL, see 667 | . 668 | 669 | The GNU General Public License does not permit incorporating your program 670 | into proprietary programs. If your program is a subroutine library, you 671 | may consider it more useful to permit linking proprietary applications with 672 | the library. If this is what you want to do, use the GNU Lesser General 673 | Public License instead of this License. But first, please read 674 | . 675 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Host your stuff 2 | 3 | > Ansible script to self-host a bunch of services on your VPS. 4 | 5 | An Ansible playbook that sets up: 6 | 7 | - Static website server (served through HTTP and Onion land). 8 | - Open source, GDPR-compliant [analytics](https://github.com/umami-software/umami) 9 | @ `umami.domain`. 10 | - [Nextcloud](https://nextcloud.com/) instance @ `cloud.domain`. 11 | - [Vaultwarden](https://github.com/dani-garcia/vaultwarden) instance @ `vault.domain`. 12 | - [SearxNG](https://github.com/searxng/searxng) instance @ `searx.domain`. 13 | - [Gitea](https://github.com/go-gitea/gitea) instance @ `git.domain`. 14 | - Regular unattended backups and updates for these services. 15 | - HTTPS all the things. 16 | - Regular unattended SSL certs renewal. 17 | - Hardened NGINX reverse proxy. 18 | - Hardened SSH setup. 19 | - Firewall and [Fail2ban](https://github.com/fail2ban/fail2ban). 20 | - Regular unattended system updates. 21 | - [A bunch](./roles/custom/vars/main.yml) of useful CLI tools (add your own!). 22 | - Your dotfiles set up and ready to go (assuming a [GNU-Stow setup](https://devintheshell.com/blog/stow/)). 23 | - Up to date [neovim](https://github.com/neovim/neovim) install (if nvim config 24 | is found in dotfiles). 25 | 26 | ## Requirements 27 | 28 | ### A Debian based VPS 29 | 30 | The script requires a Debian based VPS. If you want this to work on other 31 | distros, feel free to [open a MR](https://gitlab.com/ericdriussi/host-your-own/-/merge_requests/new). 32 | 33 | Assuming it's for personal use, the cheapest most basic VPS you can find should 34 | be enough. 35 | 36 | ### Root SSH access 37 | 38 | Root key-based SSH access to the target machine should be set up on the machine 39 | running this script. 40 | 41 | Further root SSH connections will be blocked at the beginning of the execution, 42 | a dedicated sudo user will be created and used for the (rest of the) setup. 43 | 44 | This sudo user will use the same SSH keys (unless configured otherwise, read 45 | the [env file](./.env-sample.yml) for more info). 46 | 47 | ### Domain Name - DNS setup 48 | 49 | You **need** a valid domain name and a proper DNS setup for your root domain as 50 | well as for (at least) the above-mentioned subdomains. 51 | 52 | ## Run 53 | 54 | 1. Clone this repo 55 | 1. Copy `.env-sample.yml` to `.env.yml` and fill in your config 56 | 1. Run `./init.sh` 57 | 58 | You can use the `--tags` flag to run only some of the roles: 59 | 60 | ```sh 61 | ./init.sh --tags="harden,nextcloud,searx" 62 | ``` 63 | 64 | You can check the available tags in the `run.yml` file. 65 | 66 | ## Post-setup 67 | 68 | After the playbook is done, you should find the Nextcloud, Gitea, SearxNG 69 | and Umami instances under their respective subdomains. 70 | 71 | There should be a custom admin account already setup for Nextcloud and Gitea, 72 | as well as the default Umami admin user. 73 | 74 | Have a look around and make yourself at home! 75 | 76 | ### Vaultwarden 77 | 78 | Public signups are disabled by default for Vaultwarden to improve security. 79 | 80 | You'll have to visit `vault.[your.domain.com]/admin` first, enter the 81 | `vaultwarden_password` defined in your `.env.yml` file, and manually 82 | allow your desired email address to sign up. 83 | 84 | This behavior can be changed, and more info can be found [here](https://github.com/dani-garcia/vaultwarden/wiki/Configuration-overview). 85 | 86 | ### Website 87 | 88 | You'll find a lousy website under your root domain. 89 | 90 | It is stored in `/home/[REMOTE_USER]/website/` and you can modify it at any time 91 | using `scp` or `rsync` to upload your static website, blog or whatever else. 92 | 93 | ```sh 94 | rsync --recursive --compress --partial --progress --times local_website/* [REMOTE_USER]@[your.domain.com]:~/website 95 | ``` 96 | 97 | #### Analytics 98 | 99 | The default docker-compose installation process provided 100 | in the [Umami docs](https://umami.is/docs) is followed. 101 | 102 | You can log in to `umami.domain` following the [official instructions](https://umami.is/docs/login). 103 | 104 | ### Updates and Backups 105 | 106 | Both the OS and the individual services are updated on a monthly basis. 107 | 108 | Backups for the services are done weekly and are stored by default under `/home/[REMOTE_USER]/backups`. 109 | You can download them to you local machine with something like: 110 | 111 | ```sh 112 | rsync --recursive --compress --partial --progress --times --rsync-path="sudo rsync" [REMOTE_USER]@[your.domain.com]:~/backups local_backup_dir 113 | ``` 114 | 115 | ## Why? 116 | 117 | Having your private spot on the internet shouldn't be a luxury. 118 | -------------------------------------------------------------------------------- /ansible.cfg: -------------------------------------------------------------------------------- 1 | [defaults] 2 | inventory = inventory.yml 3 | 4 | [ssh_connections] 5 | pipelining = true 6 | -------------------------------------------------------------------------------- /init.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -o nounset 3 | set -o errexit 4 | set -o pipefail 5 | 6 | if command -v apt &>/dev/null; then 7 | install_pipx="apt install -y pipx" 8 | elif command -v dnf &>/dev/null; then 9 | install_pipx="dnf install -y pipx" 10 | elif command -v pacman &>/dev/null; then 11 | install_pipx="pacman --noconfirm -S python-pipx" 12 | else 13 | echo "Unsupported package manager." 14 | exit 1 15 | fi 16 | 17 | if [ "$EUID" -eq 0 ]; then # is root user (ci) 18 | eval "$install_pipx" 19 | else 20 | eval sudo "$install_pipx" 21 | fi 22 | 23 | pipx install --include-deps ansible 24 | ~/.local/bin/ansible-playbook run.yml "$@" 25 | -------------------------------------------------------------------------------- /inventory.yml: -------------------------------------------------------------------------------- 1 | all: 2 | hosts: 3 | vps: 4 | ansible_host: "{{ ip | default(domain) }}" 5 | ansible_ssh_private_key_file: "{{ ssh_key | default('~/.ssh/id_rsa') }}" 6 | 7 | vars: 8 | common_backup_dir: "/home/{{ username }}/backups" 9 | service: 10 | cloud: 11 | subdomain: "cloud" 12 | port: 81 13 | vault: 14 | subdomain: "vault" 15 | port: 82 16 | searx: 17 | subdomain: "searx" 18 | port: 83 19 | gitea: 20 | subdomain: "git" 21 | port: 84 22 | umami: 23 | subdomain: "umami" 24 | port: 85 25 | ports: 26 | ssh: 22 27 | http: 80 28 | https: 443 29 | -------------------------------------------------------------------------------- /roles/analytics/tasks/main.yml: -------------------------------------------------------------------------------- 1 | - name: Umami - Docker 2 | vars: 3 | container: "umami" 4 | image: "ghcr.io/umami-software/umami:postgresql-latest" 5 | data_dir: "/{{ service.umami.subdomain }}-data" 6 | backup_dir: "{{ common_backup_dir }}/{{ service.umami.subdomain }}" 7 | network: "umami_network" 8 | block: 9 | - import_tasks: setup.yml 10 | - import_tasks: run.yml 11 | tags: ignore-ci # TODO: docker in ci 12 | - import_tasks: maintenance.yml 13 | -------------------------------------------------------------------------------- /roles/analytics/tasks/maintenance.yml: -------------------------------------------------------------------------------- 1 | - name: Install packages 2 | import_role: 3 | name: common_roles/install_latest 4 | vars: 5 | packages: "cron" 6 | 7 | - name: Monthly updates 8 | cron: 9 | name: update umami 10 | state: present 11 | minute: "0" 12 | hour: "0" 13 | day: "1" 14 | job: > 15 | /usr/bin/docker stop {{ container }}; 16 | /usr/bin/docker rm {{ container }}; 17 | /usr/bin/docker pull {{ image }}; 18 | /usr/bin/docker run -d 19 | --restart unless-stopped 20 | --name {{ container }} 21 | --env-file /home/{{ username }}/docker_env_files/{{ service.umami.subdomain }}.env 22 | -p {{ service.umami.port }}:3000 23 | --network {{ network }} 24 | {{ image }}; 25 | 26 | - name: Backup 27 | block: 28 | - name: Mkdir backup_dir 29 | file: 30 | state: directory 31 | path: "{{ backup_dir }}" 32 | mode: 0755 33 | 34 | - name: Weekly backups 35 | cron: 36 | name: "backup umami" 37 | state: "present" 38 | special_time: "weekly" 39 | job: > 40 | docker exec -i {{ container }}-db pg_dump -U umami -d umami -F c > {{ backup_dir }}/umami_backup.dump 41 | -------------------------------------------------------------------------------- /roles/analytics/tasks/run.yml: -------------------------------------------------------------------------------- 1 | - name: Custom network 2 | docker_network: 3 | name: "{{ network }}" 4 | state: present 5 | 6 | - name: Run umami database 7 | docker_container: 8 | name: "{{ container }}-db" 9 | image: postgres:15-alpine 10 | env_file: "/home/{{ username }}/docker_env_files/umami.env" 11 | volumes: 12 | - "/{{ service.umami.subdomain }}-data:/var/lib/postgresql/data" 13 | restart_policy: unless-stopped 14 | networks: 15 | - name: "{{ network }}" 16 | healthcheck: 17 | test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}"] 18 | interval: 5s 19 | timeout: 5s 20 | retries: 5 21 | 22 | - name: Run umami 23 | docker_container: 24 | name: "{{ container }}" 25 | image: "{{ image }}" 26 | ports: 27 | - "{{ service.umami.port }}:3000" 28 | env_file: "/home/{{ username }}/docker_env_files/{{ service.umami.subdomain }}.env" 29 | restart_policy: unless-stopped 30 | networks: 31 | - name: "{{ network }}" 32 | healthcheck: 33 | test: ["CMD-SHELL", "curl http://localhost:3000/api/heartbeat"] 34 | interval: 5s 35 | timeout: 5s 36 | retries: 5 37 | -------------------------------------------------------------------------------- /roles/analytics/tasks/setup.yml: -------------------------------------------------------------------------------- 1 | - name: Setup docker 2 | tags: ignore-ci # ci doesn't boot with systemd 3 | import_role: 4 | name: common_roles/docker 5 | 6 | - name: Mkdir docker_env_files 7 | file: 8 | state: directory 9 | path: "/home/{{ username }}/docker_env_files" 10 | mode: 0755 11 | 12 | - name: Docker env file 13 | copy: 14 | dest: "/home/{{ username }}/docker_env_files/umami.env" 15 | content: | 16 | POSTGRES_DB=umami 17 | POSTGRES_USER=umami 18 | POSTGRES_PASSWORD=umami 19 | DATABASE_URL=postgresql://umami:umami@umami-db:5432/umami 20 | DATABASE_TYPE=postgresql 21 | APP_SECRET={{ 99999 | random(seed=inventory_hostname) }} 22 | mode: 0644 23 | -------------------------------------------------------------------------------- /roles/common_roles/docker/tasks/main.yml: -------------------------------------------------------------------------------- 1 | - name: Install packages 2 | import_role: 3 | name: common_roles/install_latest 4 | vars: 5 | packages: 6 | - "docker.io" 7 | 8 | - name: Setup log rotation 9 | become: true 10 | vars: 11 | docker_dir: "/etc/docker" 12 | block: 13 | - name: Mkdir "{{ docker_dir }}" 14 | file: 15 | state: directory 16 | path: "{{ docker_dir }}" 17 | mode: 0755 18 | 19 | - name: Create daemon.json 20 | copy: 21 | content: | 22 | { 23 | "log-opts": { 24 | "max-size": "10m", 25 | "max-file": "5" 26 | } 27 | } 28 | dest: "{{ docker_dir }}/daemon.json" 29 | owner: root 30 | group: root 31 | mode: 0644 32 | 33 | - name: Start and enable docker 34 | become: true 35 | systemd: 36 | name: docker 37 | daemon_reload: true 38 | state: started 39 | enabled: true 40 | -------------------------------------------------------------------------------- /roles/common_roles/install_latest/tasks/main.yml: -------------------------------------------------------------------------------- 1 | - name: Update system 2 | become: true 3 | package: 4 | update_cache: true 5 | upgrade: true 6 | 7 | - name: Install packages 8 | become: true 9 | package: 10 | name: "{{ item }}" 11 | state: present 12 | with_items: "{{ packages }}" 13 | -------------------------------------------------------------------------------- /roles/custom/tasks/dotfiles.yml: -------------------------------------------------------------------------------- 1 | - name: Install packages 2 | import_role: 3 | name: common_roles/install_latest 4 | vars: 5 | packages: 6 | - "git" 7 | - "zsh" 8 | - "stow" 9 | 10 | - name: Clone dotfiles 11 | git: 12 | repo: "{{ dotfiles_repo }}" 13 | dest: "/home/{{ username }}/dotfiles" 14 | track_submodules: true 15 | force: true 16 | 17 | - name: Get configs to unstow 18 | command: "ls /home/{{ username }}/dotfiles" 19 | register: dot_dirs 20 | changed_when: true 21 | 22 | - name: Unstow dotfiles 23 | args: 24 | chdir: "/home/{{ username }}/dotfiles" 25 | command: 26 | cmd: "stow -R {{ item }}" 27 | loop: "{{ dot_dirs.stdout_lines }}" 28 | changed_when: true 29 | -------------------------------------------------------------------------------- /roles/custom/tasks/install.yml: -------------------------------------------------------------------------------- 1 | - name: Install packages 2 | import_role: 3 | name: common_roles/install_latest 4 | vars: 5 | packages: "{{ basic_packages }}" 6 | 7 | - name: Download and extract Starship 8 | become: true 9 | unarchive: 10 | src: "{{ item }}" 11 | dest: "/usr/local/bin/" 12 | remote_src: yes 13 | mode: 0755 14 | with_items: 15 | - "https://github.com/starship/starship/releases/latest/download/starship-x86_64-unknown-linux-gnu.tar.gz" 16 | 17 | - name: Download and extract Eza 18 | become: true 19 | unarchive: 20 | src: "{{ item }}" 21 | dest: "/usr/local/bin/" 22 | remote_src: yes 23 | extra_opts: ["--strip-components=1"] 24 | mode: 0755 25 | with_items: 26 | - "https://github.com/eza-community/eza/releases/latest/download/eza_x86_64-unknown-linux-gnu.tar.gz" 27 | 28 | - name: Check if nvim config is present 29 | stat: 30 | path: "/home/{{ username }}/dotfiles/nvim" 31 | register: nvim_config 32 | 33 | - name: Check if nvim is already installed 34 | stat: 35 | path: "/usr/bin/nvim" 36 | register: nvim_install 37 | 38 | - name: Nvim tarball 39 | # Only when nvim conf is present AND nvim is not installed 40 | when: nvim_config.stat.exists and not nvim_install.stat.exists 41 | block: 42 | 43 | - name: Download latest Neovim release 44 | get_url: 45 | url: https://github.com/neovim/neovim/releases/latest/download/nvim-linux-x86_64.tar.gz 46 | dest: /tmp/nvim-linux-x86_64.tar.gz 47 | mode: 0644 48 | 49 | - name: Extract Neovim to /opt 50 | become: true 51 | unarchive: 52 | src: /tmp/nvim-linux-x86_64.tar.gz 53 | dest: /tmp 54 | remote_src: true 55 | 56 | - name: Copy Neovim binaries to /usr/bin 57 | become: true 58 | copy: 59 | src: /tmp/nvim-linux-x86_64/bin/ 60 | dest: /usr/bin/ 61 | owner: root 62 | group: root 63 | mode: 0755 64 | remote_src: true 65 | 66 | - name: Copy Neovim libraries to /usr/lib 67 | become: true 68 | copy: 69 | src: /tmp/nvim-linux-x86_64/lib/ 70 | dest: /usr/lib/ 71 | owner: root 72 | group: root 73 | mode: 0755 74 | remote_src: true 75 | 76 | - name: Copy Neovim shared files to /usr/share 77 | become: true 78 | copy: 79 | src: /tmp/nvim-linux-x86_64/share/ 80 | dest: /usr/share/ 81 | owner: root 82 | group: root 83 | mode: 0755 84 | remote_src: true 85 | -------------------------------------------------------------------------------- /roles/custom/tasks/main.yml: -------------------------------------------------------------------------------- 1 | - name: Custom dotfiles 2 | when: dotfiles_repo is defined 3 | block: 4 | - name: Clone dotfiles 5 | import_tasks: dotfiles.yml 6 | when: dotfiles_repo is defined and dotfiles_repo | length > 0 7 | 8 | - name: Copy configs for root 9 | become: true 10 | import_tasks: root.yml 11 | 12 | when: dotfiles_repo is defined and dotfiles_repo | length > 0 13 | - name: Install basick packages 14 | import_tasks: install.yml 15 | 16 | - name: Set zsh as default shell 17 | become: true 18 | user: 19 | name: "{{ item }}" 20 | shell: /usr/bin/zsh 21 | with_items: 22 | - "{{ username }}" 23 | - root 24 | -------------------------------------------------------------------------------- /roles/custom/tasks/root.yml: -------------------------------------------------------------------------------- 1 | - name: Copy for root user 2 | copy: 3 | src: "/home/{{ username }}/dotfiles" 4 | dest: "/root/" 5 | owner: root 6 | group: root 7 | remote_src: true 8 | mode: 0755 9 | 10 | - name: Get configs to unstow 11 | command: "ls /root/dotfiles" 12 | register: conf_dirs 13 | changed_when: true 14 | 15 | - name: Unstow dotfiles 16 | args: 17 | chdir: "/root/dotfiles" 18 | command: 19 | cmd: "stow -R {{ item }}" 20 | loop: "{{ conf_dirs.stdout_lines }}" 21 | changed_when: true 22 | -------------------------------------------------------------------------------- /roles/custom/vars/main.yml: -------------------------------------------------------------------------------- 1 | basic_packages: 2 | - bat 3 | - curl 4 | - docker 5 | - docker-compose 6 | - fzf 7 | - git 8 | - htop 9 | - lsof 10 | - lua5.3 11 | - mmv 12 | - python3-pip 13 | - ripgrep 14 | - rsync 15 | - stow 16 | - tree 17 | - ufw 18 | - zsh 19 | -------------------------------------------------------------------------------- /roles/fail2ban/tasks/main.yml: -------------------------------------------------------------------------------- 1 | - name: Install packages 2 | import_role: 3 | name: common_roles/install_latest 4 | vars: 5 | packages: fail2ban 6 | 7 | - name: Copy config files 8 | template: 9 | src: "{{ item.template }}" 10 | dest: "/etc/fail2ban/{{ item.conf_file }}" 11 | mode: 0644 12 | with_items: 13 | - template: "cloudflare_action" 14 | conf_file: "action.d/cloudflare.local" 15 | - template: "mail_action" 16 | conf_file: "action.d/sendmail-common.local" 17 | - template: "common_filter" 18 | conf_file: "filter.d/common" 19 | - template: "jail" 20 | conf_file: "jail.local" 21 | 22 | - name: Enable and restart fail2ban 23 | tags: ignore-ci # ci doesn't boot with systemd 24 | service: 25 | name: fail2ban 26 | enabled: true 27 | state: restarted 28 | -------------------------------------------------------------------------------- /roles/fail2ban/templates/cloudflare_action: -------------------------------------------------------------------------------- 1 | # src: https://github.com/fail2ban/fail2ban/blob/master/config/action.d/cloudflare.conf 2 | 3 | [Definition] 4 | actionstart = 5 | actionstop = 6 | actioncheck = 7 | actionban = curl -s -o /dev/null -X POST <_cf_api_prms> \ 8 | -d '{"mode":"block","configuration":{"target":"","value":""},"notes":"Fail2Ban "}' \ 9 | <_cf_api_url> 10 | actionunban = id=$(curl -s -X GET <_cf_api_prms> \ 11 | "<_cf_api_url>?mode=block&configuration_target=&configuration_value=&page=1&per_page=1¬es=Fail2Ban%%20" \ 12 | | { jq -r '.result[0].id' 2>/dev/null || tr -d '\n' | sed -nE 's/^.*"result"\s*:\s*\[\s*\{\s*"id"\s*:\s*"([^"]+)".*$/\1/p'; }) 13 | if [ -z "$id" ]; then echo ": id for cannot be found"; exit 0; fi; 14 | curl -s -o /dev/null -X DELETE <_cf_api_prms> "<_cf_api_url>/$id" 15 | _cf_api_url = https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules 16 | _cf_api_prms = -H 'X-Auth-Email: ' -H 'X-Auth-Key: ' -H 'Content-Type: application/json' 17 | 18 | [Init] 19 | cftoken = 20 | cfuser = 21 | cftarget = ip 22 | 23 | [Init?family=inet6] 24 | cftarget = ip6 25 | -------------------------------------------------------------------------------- /roles/fail2ban/templates/common_filter: -------------------------------------------------------------------------------- 1 | [INCLUDES] 2 | before = common.conf 3 | 4 | [Definition] 5 | ignoreregex = 6 | failregex = ^.*Username or password is incorrect\. Try again\. IP: \. Username:.*$ 7 | ^.*Invalid admin token\. IP: .*$ 8 | ^ -.*"(GET|POST|HEAD).* HTTP.*" (4[0-9]{2}|5[0-9]{2}) 9 | .*user .* was not found in .*access log.* 10 | .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from 11 | -------------------------------------------------------------------------------- /roles/fail2ban/templates/jail: -------------------------------------------------------------------------------- 1 | [DEFAULT] 2 | banaction = iptables-allports 3 | maxretry = 3 4 | bantime = 600 5 | findtime = 300 6 | ignoreip = 127.0.0.1/8 ::1 7 | action = iptables-allports[chain="FORWARD"] cloudflare 8 | destemail = 9 | sender = 10 | 11 | [sshd] 12 | enabled = true 13 | port = {{ ports.ssh }} 14 | filter = sshd 15 | 16 | [common] 17 | enabled = true 18 | port = {{ ports.http }}, {{ ports.https }} 19 | filter = common 20 | -------------------------------------------------------------------------------- /roles/fail2ban/templates/mail_action: -------------------------------------------------------------------------------- 1 | [Definition] 2 | actionstop = 3 | actionstart = 4 | 5 | -------------------------------------------------------------------------------- /roles/gitea/tasks/main.yml: -------------------------------------------------------------------------------- 1 | - name: Gitea - Docker 2 | vars: 3 | container: "gitea" 4 | image: "gitea/gitea:latest" 5 | data_dir: "/{{ service.gitea.subdomain }}-data" 6 | backup_dir: "{{ common_backup_dir }}/{{ service.gitea.subdomain }}" 7 | git_uid: "1005" 8 | git_gid: "1005" 9 | git_domain: "{{ service.gitea.subdomain }}.{{ domain }}" 10 | block: 11 | - import_tasks: ssh_passthrough.yml 12 | - import_tasks: setup.yml 13 | - import_tasks: run.yml 14 | tags: ignore-ci # TODO: docker in ci 15 | - import_tasks: maintenance.yml 16 | -------------------------------------------------------------------------------- /roles/gitea/tasks/maintenance.yml: -------------------------------------------------------------------------------- 1 | - name: Install packages 2 | import_role: 3 | name: common_roles/install_latest 4 | vars: 5 | packages: "cron" 6 | 7 | - name: Monthly updates 8 | cron: 9 | name: update gitea 10 | state: present 11 | minute: "0" 12 | hour: "0" 13 | day: "1" 14 | job: > 15 | /usr/bin/docker stop {{ container }}; 16 | /usr/bin/docker rm {{ container }}; 17 | /usr/bin/docker pull {{ image }}; 18 | /usr/bin/docker run -d 19 | --restart unless-stopped 20 | --name {{ container }} 21 | --env-file /home/{{ username }}/docker_env_files/{{ service.gitea.subdomain }}.env 22 | -v {{ data_dir }}/:/data/ 23 | -v /etc/timezone:/etc/timezone:ro 24 | -v /etc/localtime:/etc/localtime:ro 25 | -v /home/git/.ssh/:/data/git/.ssh 26 | -p {{ service.gitea.port }}:3000 27 | -p 2222:22 28 | {{ image }} 29 | 30 | - name: Backup 31 | block: 32 | - name: Mkdir backup_dir 33 | file: 34 | state: directory 35 | path: "{{ backup_dir }}" 36 | mode: 0755 37 | 38 | - name: Weekly backups 39 | cron: 40 | name: "backup gitea" 41 | state: "present" 42 | special_time: "weekly" 43 | job: > 44 | sudo /bin/cp -urp {{ data_dir }}/* {{ backup_dir }} 45 | -------------------------------------------------------------------------------- /roles/gitea/tasks/run.yml: -------------------------------------------------------------------------------- 1 | - name: Run container 2 | docker_container: 3 | name: "{{ container }}" 4 | image: "{{ image }}" 5 | pull: true 6 | detach: true 7 | state: "started" 8 | restart_policy: unless-stopped 9 | env_file: "/home/{{ username }}/docker_env_files/{{ service.gitea.subdomain }}.env" 10 | volumes: 11 | - "{{ data_dir }}/:/data/" 12 | - /etc/timezone:/etc/timezone:ro 13 | - /etc/localtime:/etc/localtime:ro 14 | - /home/git/.ssh/:/data/git/.ssh 15 | ports: 16 | - "{{ service.gitea.port }}:3000" 17 | - "2222:22" 18 | 19 | - name: Create admin user 20 | block: 21 | - name: Wait for gitea db 22 | wait_for: 23 | timeout: 4 24 | 25 | - name: List existing users 26 | community.docker.docker_container_exec: 27 | container: "{{ container }}" 28 | user: "git" 29 | command: "gitea admin user list" 30 | register: user_list 31 | 32 | - name: Create admin user if not present 33 | when: "gitea_username not in user_list.stdout" 34 | community.docker.docker_container_exec: 35 | container: "{{ container }}" 36 | user: "git" 37 | command: "gitea admin user create --admin --username {{ gitea_username }} --password {{ gitea_password }} --email {{ email }}" 38 | -------------------------------------------------------------------------------- /roles/gitea/tasks/setup.yml: -------------------------------------------------------------------------------- 1 | - name: Setup docker 2 | tags: ignore-ci # ci doesn't boot with systemd 3 | import_role: 4 | name: common_roles/docker 5 | 6 | - name: Mkdir docker_env_files 7 | file: 8 | state: directory 9 | path: "/home/{{ username }}/docker_env_files" 10 | mode: 0755 11 | 12 | - name: Docker env file 13 | copy: 14 | dest: "/home/{{ username }}/docker_env_files/{{ service.gitea.subdomain }}.env" 15 | content: | 16 | GITEA__security__INSTALL_LOCK=true 17 | GITEA__service__DISABLE_REGISTRATION=true 18 | GITEA__repository__ROOT=/data/gitea/git/repositories 19 | GITEA__repository__DEFAULT_BRANCH=master 20 | GITEA__lfs__PATH=/data/gitea/git/lfs 21 | GITEA__server__DOMAIN={{ git_domain }} 22 | GITEA__server__SSH_DOMAIN={{ git_domain }} 23 | GITEA__server__ROOT_URL=http://{{ git_domain }} 24 | USER_UID={{ git_uid }} 25 | USER_GID={{ git_gid }} 26 | mode: 0644 27 | -------------------------------------------------------------------------------- /roles/gitea/tasks/ssh_passthrough.yml: -------------------------------------------------------------------------------- 1 | - name: Setup git user for SSH passthrough 2 | become: true 3 | vars: 4 | git_user: "git" 5 | block: 6 | 7 | - name: Create "{{ git_user }}" group 8 | group: 9 | name: "{{ git_user }}" 10 | gid: "{{ git_gid }}" 11 | 12 | - name: Create "{{ git_user }}" user 13 | user: 14 | name: "{{ git_user }}" 15 | uid: "{{ git_uid }}" 16 | group: "{{ git_gid }}" 17 | system: true 18 | createhome: true 19 | home: "/home/{{ git_user }}" 20 | 21 | - name: Fake gitea cmd 22 | copy: 23 | dest: "/usr/local/bin/gitea" 24 | content: | 25 | #!/bin/sh 26 | ssh -p 2222 -o StrictHostKeyChecking=no {{ git_user }}@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@" 27 | mode: 0755 28 | 29 | # Needed for ansible's become_user shenanigans 30 | - name: Install acl 31 | import_role: 32 | name: common_roles/install_latest 33 | vars: 34 | packages: 35 | - "acl" 36 | - "sudo" 37 | 38 | - name: SSH for {{ git_user }} 39 | become: true 40 | become_user: "{{ git_user }}" 41 | block: 42 | 43 | - name: Mkdir ssh 44 | file: 45 | state: directory 46 | path: "/home/{{ git_user }}/.ssh" 47 | mode: 0700 48 | 49 | - name: Ssh key pair 50 | openssh_keypair: 51 | path: "/home/{{ git_user }}/.ssh/id_rsa" 52 | 53 | - name: Slurp public key 54 | slurp: 55 | src: "/home/{{ git_user }}/.ssh/id_rsa.pub" 56 | register: public_key 57 | 58 | - name: Add to auth_keys 59 | authorized_key: 60 | user: "{{ git_user }}" 61 | state: present 62 | key: "{{ public_key['content'] | b64decode }}" 63 | 64 | - name: Enable and restart ssh 65 | become: true 66 | tags: ignore-ci # ci doesn't boot with systemd 67 | service: 68 | name: sshd 69 | enabled: true 70 | state: restarted 71 | -------------------------------------------------------------------------------- /roles/harden/tasks/firewall.yml: -------------------------------------------------------------------------------- 1 | - name: Install packages 2 | import_role: 3 | name: common_roles/install_latest 4 | vars: 5 | packages: "ufw" 6 | 7 | - name: UFW deny all except HTTP and HTTPS 8 | tags: ignore-ci # no iptables in docker ci 9 | ufw: 10 | state: enabled 11 | policy: deny 12 | rule: allow 13 | port: "{{ item }}" 14 | with_items: 15 | - "{{ ports.http }}" 16 | - "{{ ports.https }}" 17 | 18 | - name: UFW limit ssh traffic 19 | tags: ignore-ci # no iptables in docker ci 20 | ufw: 21 | state: enabled 22 | rule: limit 23 | port: "{{ ports.ssh }}" 24 | -------------------------------------------------------------------------------- /roles/harden/tasks/main.yml: -------------------------------------------------------------------------------- 1 | - name: Harden ssh 2 | import_tasks: ssh.yml 3 | 4 | - name: Configure ufw 5 | import_tasks: firewall.yml 6 | -------------------------------------------------------------------------------- /roles/harden/tasks/ssh.yml: -------------------------------------------------------------------------------- 1 | - name: Install packages 2 | import_role: 3 | name: common_roles/install_latest 4 | vars: 5 | packages: "openssh-server" 6 | 7 | - name: Secure ssh config 8 | lineinfile: 9 | dest: "/etc/ssh/sshd_config" 10 | regexp: "{{ item.regexp }}" 11 | line: "{{ item.line }}" 12 | state: present 13 | validate: "sshd -T -f %s" 14 | mode: 0644 15 | with_items: 16 | - regexp: "^#?PasswordAuthentication.*" 17 | line: "PasswordAuthentication no" 18 | - regexp: "^#?PermitRootLogin.*" 19 | line: "PermitRootLogin no" 20 | - regexp: "^#?Port.*" 21 | line: "Port {{ ports.ssh }}" 22 | - regexp: "^#?PermitEmptyPasswords.*" 23 | line: "PermitEmptyPasswords no" 24 | - regexp: "^#?X11Forwarding.*" 25 | line: "X11Forwarding no" 26 | - regexp: "^#?MaxAuthTries.*" 27 | line: "MaxAuthTries 3" 28 | 29 | - name: Enable and restart ssh 30 | tags: ignore-ci # ci doesn't boot with systemd 31 | service: 32 | name: sshd 33 | enabled: true 34 | state: restarted 35 | -------------------------------------------------------------------------------- /roles/housekeeping/tasks/cleanup.yml: -------------------------------------------------------------------------------- 1 | - name: Clean up docker 2 | cron: 3 | name: docker prune 4 | state: present 5 | minute: "0" 6 | hour: "0" 7 | day: "2" 8 | job: "docker system prune --force --all --volumes" 9 | 10 | - name: Clean up journalctl 11 | lineinfile: 12 | path: "/etc/systemd/journald.conf" 13 | line: "MaxRetentionSec=2day" 14 | insertafter: EOF 15 | create: true 16 | mode: 0644 17 | -------------------------------------------------------------------------------- /roles/housekeeping/tasks/main.yml: -------------------------------------------------------------------------------- 1 | - name: Update system 2 | import_tasks: update.yml 3 | 4 | - name: Clean up system 5 | import_tasks: cleanup.yml 6 | -------------------------------------------------------------------------------- /roles/housekeeping/tasks/update.yml: -------------------------------------------------------------------------------- 1 | - name: Install packages 2 | import_role: 3 | name: common_roles/install_latest 4 | vars: 5 | packages: "cron" 6 | 7 | - name: Autoremove 8 | apt: 9 | autoremove: true 10 | 11 | - name: Update system 12 | package: 13 | update_cache: true 14 | upgrade: true 15 | 16 | - name: Monthly updates 17 | cron: 18 | name: update system 19 | state: present 20 | minute: "0" 21 | hour: "0" 22 | day: "2" 23 | job: "apt -y update && apt -y upgrade && systemctl reboot" 24 | -------------------------------------------------------------------------------- /roles/nextcloud/tasks/main.yml: -------------------------------------------------------------------------------- 1 | - name: Nextcloud - Docker 2 | vars: 3 | container: "nextcloud" 4 | image: "nextcloud" 5 | data_dir: "/{{ service.cloud.subdomain }}-data" 6 | backup_dir: "{{ common_backup_dir }}/{{ service.cloud.subdomain }}" 7 | block: 8 | - import_tasks: setup.yml 9 | - import_tasks: run.yml 10 | tags: ignore-ci # TODO: docker in ci 11 | - import_tasks: maintenance.yml 12 | -------------------------------------------------------------------------------- /roles/nextcloud/tasks/maintenance.yml: -------------------------------------------------------------------------------- 1 | - name: Install packages 2 | import_role: 3 | name: common_roles/install_latest 4 | vars: 5 | packages: "cron" 6 | 7 | - name: Monthly updates 8 | cron: 9 | name: update nextcloud 10 | state: present 11 | minute: "0" 12 | hour: "0" 13 | day: "1" 14 | job: > 15 | /usr/bin/docker stop {{ container }}; 16 | /usr/bin/docker rm {{ container }}; 17 | /usr/bin/docker pull {{ image }}; 18 | /usr/bin/docker run -d 19 | --restart unless-stopped 20 | --name {{ container }} 21 | --env-file /home/{{ username }}/docker_env_files/{{ service.cloud.subdomain }}.env 22 | -v {{ data_dir }}/data/:/var/www/html/data/ 23 | -v {{ data_dir }}/apps/:/var/www/html/apps/ 24 | -v {{ data_dir }}/config/:/var/www/html/config/ 25 | -p {{ service.cloud.port }}:80 26 | {{ image }}; 27 | while [ "$(docker inspect -f '{{ '{{ .State.Running }}' }}' {{ container }})" != "true" ]; do sleep 1; done; 28 | docker exec --user www-data {{ container }} php occ upgrade --no-interaction 29 | 30 | - name: Backup 31 | block: 32 | - name: Mkdir backup_dir 33 | file: 34 | state: directory 35 | path: "{{ backup_dir }}" 36 | mode: 0755 37 | 38 | - name: Weekly backups 39 | cron: 40 | name: "backup cloud" 41 | state: "present" 42 | special_time: "weekly" 43 | job: > 44 | sudo /bin/cp -urp {{ data_dir }}/* {{ backup_dir }} 45 | 46 | - name: Enable auto-refresh with Cron 47 | cron: 48 | name: "cloud - cron" 49 | state: "present" 50 | minute: "*/5" 51 | job: > 52 | /usr/bin/docker exec -u www-data {{ container }} /bin/sh -c 'php -f /var/www/html/cron.php' 53 | -------------------------------------------------------------------------------- /roles/nextcloud/tasks/run.yml: -------------------------------------------------------------------------------- 1 | - name: Run container 2 | docker_container: 3 | name: "{{ container }}" 4 | image: "{{ image }}" 5 | pull: true 6 | detach: true 7 | state: "started" 8 | restart_policy: unless-stopped 9 | env_file: "/home/{{ username }}/docker_env_files/{{ service.cloud.subdomain }}.env" 10 | volumes: 11 | - "{{ data_dir }}/data/:/var/www/html/data" 12 | - "{{ data_dir }}/apps/:/var/www/html/apps" 13 | - "{{ data_dir }}/config/:/var/www/html/config" 14 | ports: 15 | - "{{ service.cloud.port }}:80" 16 | -------------------------------------------------------------------------------- /roles/nextcloud/tasks/setup.yml: -------------------------------------------------------------------------------- 1 | - name: Setup docker 2 | tags: ignore-ci # ci doesn't boot with systemd 3 | import_role: 4 | name: common_roles/docker 5 | 6 | - name: Mkdir docker_env_files 7 | file: 8 | state: directory 9 | path: "/home/{{ username }}/docker_env_files" 10 | mode: 0755 11 | 12 | - name: Docker env file 13 | copy: 14 | dest: "/home/{{ username }}/docker_env_files/{{ service.cloud.subdomain }}.env" 15 | content: | 16 | NEXTCLOUD_ADMIN_USER="{{ nextcloud_username }}" 17 | NEXTCLOUD_ADMIN_PASSWORD="{{ nextcloud_password }}" 18 | NEXTCLOUD_TRUSTED_DOMAINS=localhost {{ service.cloud.subdomain }}.{{ domain }} 19 | NEXTCLOUD_TRUSTED_PROXIES={{ ip | default('') }} 20 | NEXTCLOUD_OVERWRITEHOST={{ service.cloud.subdomain }}.{{ domain }} 21 | NEXTCLOUD_OVERWRITEPROTOCOL={{ ports.https }} 22 | NEXTCLOUD_OVERWRITECLIURL={{ ports.https }}://{{ service.cloud.subdomain }}.{{ domain }} 23 | SQLITE_DATABASE=nextcloud_db 24 | mode: 0644 25 | -------------------------------------------------------------------------------- /roles/nginx/files/harden.conf: -------------------------------------------------------------------------------- 1 | proxy_http_version 1.1; 2 | proxy_set_header Host $host; 3 | proxy_set_header X-Real-IP $remote_addr; 4 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 5 | proxy_set_header X-Forwarded-Host $host; 6 | proxy_set_header X-Forwarded-Proto $scheme; 7 | proxy_set_header Upgrade $http_upgrade; 8 | proxy_set_header Connection 'upgrade'; 9 | proxy_cache_bypass $http_upgrade; 10 | proxy_hide_header X-Powered-By; 11 | 12 | add_header Server ""; 13 | add_header X-Frame-Options "SAMEORIGIN"; 14 | add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; 15 | add_header Content-Security-Policy: "form-action 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'none'"; 16 | add_header X-Content-Type-Options: nosniff; 17 | add_header X-Permitted-Cross-Domain-Policies: none; 18 | add_header Referrer-Policy: no-referrer; 19 | add_header Cross-Origin-Embedder-Policy: require-corp; 20 | add_header Cross-Origin-Opener-Policy: same-origin; 21 | add_header Cross-Origin-Resource-Policy: same-origin; 22 | 23 | client_body_buffer_size 512k; 24 | -------------------------------------------------------------------------------- /roles/nginx/files/nginx.conf: -------------------------------------------------------------------------------- 1 | user www-data; 2 | worker_processes auto; 3 | pid /run/nginx.pid; 4 | include /etc/nginx/modules-enabled/*.conf; 5 | 6 | events { 7 | worker_connections 768; 8 | } 9 | 10 | http { 11 | server_tokens off; 12 | 13 | # Big files 14 | client_max_body_size 128M; 15 | 16 | ## 17 | # Basic Settings 18 | ## 19 | sendfile on; 20 | tcp_nopush on; 21 | tcp_nodelay on; 22 | keepalive_timeout 65; 23 | types_hash_max_size 2048; 24 | 25 | include /etc/nginx/mime.types; 26 | default_type application/octet-stream; 27 | 28 | ## 29 | # SSL Settings 30 | ## 31 | ssl_protocols TLSv1.2 TLSv1.3; 32 | ssl_prefer_server_ciphers on; 33 | 34 | ## 35 | # Logging Settings 36 | ## 37 | access_log /var/log/nginx/access.log; 38 | error_log /var/log/nginx/error.log; 39 | 40 | ## 41 | # Gzip Settings 42 | ## 43 | gzip on; 44 | gzip_vary on; 45 | gzip_min_length 512; 46 | gzip_proxied expired no-cache no-store private auth; 47 | gzip_disable "MSIE [1-6]\."; 48 | gzip_types 49 | application/atom+xml 50 | application/geo+json 51 | application/javascript 52 | application/x-javascript 53 | application/json 54 | application/ld+json 55 | application/manifest+json 56 | application/rdf+xml 57 | application/rss+xml 58 | application/xhtml+xml 59 | application/xml 60 | font/eot 61 | font/otf 62 | font/ttf 63 | image/svg+xml 64 | text/css 65 | text/javascript 66 | text/plain 67 | text/xml; 68 | 69 | include /etc/nginx/sites-enabled/*; 70 | include /etc/nginx/conf.d/*.conf; 71 | } 72 | 73 | -------------------------------------------------------------------------------- /roles/nginx/tasks/certs.yml: -------------------------------------------------------------------------------- 1 | - name: Install packages 2 | import_role: 3 | name: common_roles/install_latest 4 | vars: 5 | packages: "cron" 6 | 7 | - name: Run cert script 8 | tags: ignore-ci # certbot can't work on ci with made up data 9 | command: "/usr/bin/certbot --nginx -n --agree-tos --redirect --expand --email {{ email }} --domains {{ domain }},cloud.{{ domain }},vault.{{ domain }},searx.{{ domain }},git.{{ domain }},umami.{{ domain }}" 10 | changed_when: true 11 | 12 | - name: Keep certs updated 13 | cron: 14 | name: update certs 15 | state: present 16 | minute: "0" 17 | hour: "0" 18 | day: "1" 19 | job: "certbot --nginx renew" 20 | -------------------------------------------------------------------------------- /roles/nginx/tasks/config.yml: -------------------------------------------------------------------------------- 1 | - name: Copy config file 2 | copy: 3 | src: "nginx.conf" 4 | dest: "/etc/nginx/nginx.conf" 5 | mode: 0644 6 | 7 | - name: Copy hardened defaults 8 | copy: 9 | src: "harden.conf" 10 | dest: "/etc/nginx/conf.d/harden.conf" 11 | mode: 0644 12 | 13 | - name: Ensure HTTP port is available 14 | shell: 15 | cmd: | 16 | set +o pipefail 17 | sudo lsof -ti:{{ item }} | xargs -r sudo kill 18 | executable: /bin/bash 19 | changed_when: true 20 | failed_when: false 21 | with_items: 22 | - "{{ ports.http }}" 23 | - "{{ ports.https }}" 24 | 25 | - name: Enable and restart nginx 26 | tags: ignore-ci # ci doesn't boot with systemd 27 | service: 28 | name: nginx 29 | enabled: true 30 | state: restarted 31 | -------------------------------------------------------------------------------- /roles/nginx/tasks/install.yml: -------------------------------------------------------------------------------- 1 | - name: Install packages 2 | import_role: 3 | name: common_roles/install_latest 4 | vars: 5 | packages: 6 | - "nginx" 7 | - "python3-certbot-nginx" 8 | - "gnupg" 9 | - "sudo" 10 | 11 | - name: Download NGINX GPG key 12 | shell: 13 | cmd: | 14 | set -o pipefail 15 | curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \ 16 | | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null 17 | executable: /bin/bash 18 | changed_when: true 19 | 20 | - name: Add NGINX repository to sources.list.d 21 | apt_repository: 22 | repo: "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/debian {{ ansible_distribution_release }} nginx" 23 | state: present 24 | filename: nginx 25 | -------------------------------------------------------------------------------- /roles/nginx/tasks/main.yml: -------------------------------------------------------------------------------- 1 | - name: Install nginx and certbot 2 | import_tasks: install.yml 3 | 4 | - name: Configure nginx 5 | import_tasks: config.yml 6 | 7 | - name: Configure servers 8 | import_tasks: servers.yml 9 | 10 | - name: Create certs and keep them updated 11 | import_tasks: certs.yml 12 | -------------------------------------------------------------------------------- /roles/nginx/tasks/servers.yml: -------------------------------------------------------------------------------- 1 | - name: Clear existing servers 2 | block: 3 | - name: Rm sites-enabled 4 | file: 5 | state: absent 6 | path: "/etc/nginx/sites-enabled" 7 | 8 | - name: Mkdir sites-enabled 9 | file: 10 | state: directory 11 | path: "/etc/nginx/sites-enabled" 12 | mode: 0755 13 | 14 | # TODO: depends on onion tasks 15 | - name: Get onion address 16 | slurp: 17 | src: "/var/lib/tor/hidden_service/hostname" 18 | register: onion_address 19 | ignore_errors: true 20 | 21 | - name: Set default onion address if missing 22 | set_fact: 23 | onion_address: {"content": "NOT_FOUND"} 24 | when: onion_address.failed is defined and onion_address.failed 25 | 26 | - name: Config website server 27 | template: 28 | src: "nginx-website" 29 | dest: "/etc/nginx/sites-enabled/website" 30 | mode: 0644 31 | 32 | - name: Config proxy server for services 33 | vars: 34 | serv_subdom: "{{ item.subdomain }}" 35 | serv_port: "{{ item.port }}" 36 | template: 37 | src: nginx-service 38 | dest: "/etc/nginx/sites-enabled/{{ item.subdomain }}" 39 | mode: 0644 40 | loop: 41 | - "{{ service.cloud }}" 42 | - "{{ service.vault }}" 43 | - "{{ service.searx }}" 44 | - "{{ service.gitea }}" 45 | - "{{ service.umami }}" 46 | loop_control: 47 | label: "{{ item.subdomain }}" 48 | 49 | - name: Enable and restart nginx 50 | tags: ignore-ci # ci doesn't boot with systemd 51 | service: 52 | name: nginx 53 | enabled: true 54 | state: restarted 55 | -------------------------------------------------------------------------------- /roles/nginx/templates/nginx-service: -------------------------------------------------------------------------------- 1 | server { 2 | listen {{ ports.http }} ; 3 | listen [::]:{{ ports.http }} ; 4 | server_name {{ serv_subdom }}.{{ domain }} ; 5 | 6 | location / { 7 | proxy_pass http://127.0.0.1:{{ serv_port }}; 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /roles/nginx/templates/nginx-website: -------------------------------------------------------------------------------- 1 | server { 2 | listen {{ ports.http }} default_server ; 3 | listen [::]:{{ ports.http }} default_server ; 4 | server_name {{ domain }} ; 5 | root /home/{{ username }}/website ; 6 | index index.html index.htm index.nginx-debian.html ; 7 | include /etc/nginx/conf.d/harden.conf; 8 | add_header Cache-Control "max-age=2629746, public"; 9 | add_header Onion-Location http://{{ (onion_address.content | b64decode).strip() }}$request_uri; 10 | 11 | open_file_cache max=1000 inactive=20s; 12 | open_file_cache_valid 30s; 13 | open_file_cache_min_uses 2; 14 | open_file_cache_errors on; 15 | 16 | location / { 17 | try_files $uri $uri/ =404 ; 18 | } 19 | 20 | location ~* \.(?:jpg|jpeg|gif|png|ico|svg|webp)$ { 21 | expires 1M; 22 | access_log off; 23 | } 24 | 25 | # CSS and Javascript 26 | location ~* \.(?:css|js)$ { 27 | expires 1y; 28 | access_log off; 29 | } 30 | } 31 | 32 | server { 33 | listen 127.0.0.1:{{ ports.http }} ; 34 | server_name {{ (onion_address.content | b64decode).strip() }} ; 35 | root /home/{{ username }}/website ; 36 | index index.html index.htm index.nginx-debian.html ; 37 | 38 | location / { 39 | try_files $uri $uri/ =404 ; 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /roles/onion/tasks/main.yml: -------------------------------------------------------------------------------- 1 | - name: Download Tor GPG key 2 | get_url: 3 | url: "https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc" 4 | dest: "/usr/share/keyrings/tor-archive-keyring.gpg" 5 | mode: 0644 6 | 7 | - name: Add Tor repository to sources.list.d 8 | apt_repository: 9 | repo: "{{ item }}" 10 | state: present 11 | filename: tor 12 | loop: 13 | - "deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org {{ ansible_distribution_release }} main" 14 | - "deb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org {{ ansible_distribution_release }} main" 15 | 16 | - name: Install packages 17 | import_role: 18 | name: common_roles/install_latest 19 | vars: 20 | packages: 21 | - "tor" 22 | - "deb.torproject.org-keyring" 23 | 24 | - name: Config tor port and directory 25 | lineinfile: 26 | dest: /etc/tor/torrc 27 | regexp: "{{ item.regexp }}" 28 | line: "{{ item.line }}" 29 | state: present 30 | with_items: 31 | - regexp: "^#?HiddenServiceDir" 32 | line: "HiddenServiceDir /var/lib/tor/hidden_service/" 33 | - regexp: "^#?HiddenServicePort" 34 | line: "HiddenServicePort {{ ports.http }} 127.0.0.1:{{ ports.http }}" 35 | 36 | - name: Enable and restart tor 37 | tags: ignore-ci # ci doesn't boot with systemd 38 | service: 39 | name: tor 40 | enabled: true 41 | state: restarted 42 | -------------------------------------------------------------------------------- /roles/searx/tasks/main.yml: -------------------------------------------------------------------------------- 1 | - name: SearxNG - Docker 2 | vars: 3 | container: "searxng" 4 | image: "searxng/searxng:latest" 5 | block: 6 | - import_tasks: setup.yml 7 | - import_tasks: run.yml 8 | tags: ignore-ci # TODO: docker in ci 9 | - import_tasks: maintenance.yml 10 | -------------------------------------------------------------------------------- /roles/searx/tasks/maintenance.yml: -------------------------------------------------------------------------------- 1 | - name: Install packages 2 | import_role: 3 | name: common_roles/install_latest 4 | vars: 5 | packages: "cron" 6 | 7 | - name: Monthly updates 8 | cron: 9 | name: update searx 10 | state: present 11 | minute: "0" 12 | hour: "0" 13 | day: "1" 14 | job: > 15 | /usr/bin/docker stop {{ container }}; 16 | /usr/bin/docker rm {{ container }}; 17 | /usr/bin/docker pull {{ image }}; 18 | /usr/bin/docker run -d 19 | --restart unless-stopped 20 | --name {{ container }} 21 | -e INSTANCE_NAME=SearX! 22 | -v /home/{{ username }}/searxng:/etc/searxng 23 | -p {{ service.searx.port }}:8080 24 | {{ image }} 25 | -------------------------------------------------------------------------------- /roles/searx/tasks/run.yml: -------------------------------------------------------------------------------- 1 | - name: Run container 2 | docker_container: 3 | name: "{{ container }}" 4 | image: "{{ image }}" 5 | pull: true 6 | detach: true 7 | state: "started" 8 | restart_policy: unless-stopped 9 | env: 10 | INSTANCE_NAME: "SearX!" 11 | volumes: 12 | - "/home/{{ username }}/searxng:/etc/searxng" 13 | ports: 14 | - "{{ service.searx.port }}:8080" 15 | -------------------------------------------------------------------------------- /roles/searx/tasks/setup.yml: -------------------------------------------------------------------------------- 1 | - name: Setup docker 2 | tags: ignore-ci # ci doesn't boot with systemd 3 | import_role: 4 | name: common_roles/docker 5 | 6 | - name: Create admin admin_token 7 | shell: 8 | cmd: openssl rand -hex 16 9 | executable: /bin/bash 10 | register: secret_key 11 | changed_when: true 12 | 13 | - name: Copy Searx conf 14 | block: 15 | - name: Mkdir searxng 16 | file: 17 | state: directory 18 | path: "/home/{{ username }}/searxng" 19 | mode: 0755 20 | - name: Copy Searx conf 21 | template: 22 | src: "settings.yml" 23 | dest: "/home/{{ username }}/searxng/settings.yml" 24 | mode: 0644 25 | -------------------------------------------------------------------------------- /roles/searx/templates/settings.yml: -------------------------------------------------------------------------------- 1 | use_default_settings: true 2 | 3 | general: 4 | instance_name: "SearX!" 5 | 6 | search: 7 | autocomplete: 'duckduckgo' 8 | autocomplete_min: 3 9 | 10 | server: 11 | secret_key: "{{ secret_key.stdout }}" 12 | limiter: true 13 | image_proxy: true 14 | base_url: "https://{{ service.searx.subdomain }}.{{ domain }}" 15 | 16 | engines: 17 | - name: google 18 | use_mobile_ui: false 19 | - name: bing 20 | disabled: false 21 | - name: brave 22 | disabled: false 23 | - name: yahoo 24 | disabled: false 25 | -------------------------------------------------------------------------------- /roles/user/tasks/create.yml: -------------------------------------------------------------------------------- 1 | - name: Create docker group 2 | group: 3 | name: docker 4 | state: present 5 | 6 | - name: Create user {{ username }} 7 | user: 8 | name: "{{ username }}" 9 | groups: 10 | - sudo 11 | - cron 12 | - docker 13 | system: true 14 | createhome: true 15 | home: "/home/{{ username }}" 16 | -------------------------------------------------------------------------------- /roles/user/tasks/main.yml: -------------------------------------------------------------------------------- 1 | - name: Create User 2 | vars: 3 | has_root_access: false 4 | block: 5 | - name: Check root access 6 | block: 7 | - name: Check SSH access 8 | raw: ssh -o BatchMode=yes -o ConnectTimeout=5 -i "{{ ansible_ssh_private_key_file }}" "root@{{ ansible_host }}" 'echo ok' 9 | register: root_ssh 10 | ignore_errors: true 11 | failed_when: false 12 | changed_when: true 13 | delegate_to: localhost 14 | 15 | - set_fact: 16 | has_root_access: true 17 | when: "root_ssh.rc == 0" 18 | 19 | - name: Run tasks 20 | when: has_root_access 21 | block: 22 | - name: Create user 23 | import_tasks: create.yml 24 | 25 | - name: Sudo and SSH 26 | import_tasks: priviledges.yml 27 | -------------------------------------------------------------------------------- /roles/user/tasks/priviledges.yml: -------------------------------------------------------------------------------- 1 | - name: Password-less sudo for {{ username }} 2 | lineinfile: 3 | dest: /etc/sudoers 4 | regexp: "^%wheel" 5 | line: "{{ username }} ALL=(ALL) NOPASSWD: ALL" 6 | validate: "/usr/sbin/visudo -cf %s" 7 | 8 | - name: Setup ssh for {{ username }} 9 | authorized_key: 10 | user: "{{ username }}" 11 | key: "{{ lookup('file', ssh_key + '.pub' | default('~/.ssh/id_rsa.pub')) }}" 12 | -------------------------------------------------------------------------------- /roles/vault/tasks/main.yml: -------------------------------------------------------------------------------- 1 | - name: VaultWarden - Docker 2 | vars: 3 | container: "vaultwarden" 4 | image: "vaultwarden/server:latest" 5 | data_dir: "/{{ service.vault.subdomain }}-data" 6 | backup_dir: "{{ common_backup_dir }}/{{ service.vault.subdomain }}" 7 | block: 8 | - import_tasks: setup.yml 9 | - import_tasks: run.yml 10 | tags: ignore-ci # TODO: docker in ci 11 | - import_tasks: maintenance.yml 12 | -------------------------------------------------------------------------------- /roles/vault/tasks/maintenance.yml: -------------------------------------------------------------------------------- 1 | - name: Install packages 2 | import_role: 3 | name: common_roles/install_latest 4 | vars: 5 | packages: "cron" 6 | 7 | - name: Monthly updates 8 | cron: 9 | name: update vaultwarden 10 | state: present 11 | minute: "0" 12 | hour: "0" 13 | day: "1" 14 | job: > 15 | /usr/bin/docker stop {{ container }}; 16 | /usr/bin/docker rm {{ container }}; 17 | /usr/bin/docker pull {{ image }}; 18 | /usr/bin/docker run -d 19 | --restart unless-stopped 20 | --name {{ container }} 21 | --env-file /home/{{ username }}/docker_env_files/{{ service.vault.subdomain }}.env 22 | -v {{ data_dir }}/:/data/ 23 | -p {{ service.vault.port }}:80 24 | {{ image }} 25 | 26 | - name: Backup 27 | block: 28 | - name: Mkdir backup_dir 29 | file: 30 | state: directory 31 | path: "{{ backup_dir }}" 32 | mode: 0755 33 | 34 | - name: Weekly backups 35 | cron: 36 | name: "backup vault" 37 | state: "present" 38 | special_time: "weekly" 39 | job: > 40 | sudo /bin/cp -urp {{ data_dir }}/db.sqlite* {{ backup_dir }}; 41 | sudo /bin/cp -urp {{ data_dir }}/attachments {{ backup_dir }}; 42 | -------------------------------------------------------------------------------- /roles/vault/tasks/run.yml: -------------------------------------------------------------------------------- 1 | - name: Run container 2 | docker_container: 3 | name: "{{ container }}" 4 | image: "{{ image }}" 5 | pull: true 6 | detach: true 7 | state: "started" 8 | restart_policy: unless-stopped 9 | env_file: "/home/{{ username }}/docker_env_files/{{ service.vault.subdomain }}.env" 10 | volumes: 11 | - "{{ data_dir }}/:/data/" 12 | ports: 13 | - "{{ service.vault.port }}:80" 14 | -------------------------------------------------------------------------------- /roles/vault/tasks/setup.yml: -------------------------------------------------------------------------------- 1 | - name: Admin Token 2 | block: 3 | - name: Install packages 4 | import_role: 5 | name: common_roles/install_latest 6 | vars: 7 | packages: "argon2" 8 | 9 | - name: Create admin admin_token 10 | shell: 11 | cmd: | 12 | set -o pipefail 13 | echo -n "{{ vaultwarden_password }}" | argon2 "$(openssl rand -base64 32)" -e -id -k 65540 -t 3 -p 4 14 | executable: /bin/bash 15 | register: admin_token 16 | changed_when: true 17 | 18 | - name: Setup docker 19 | tags: ignore-ci # ci doesn't boot with systemd 20 | import_role: 21 | name: common_roles/docker 22 | 23 | - name: Mkdir docker_env_files 24 | file: 25 | state: directory 26 | path: "/home/{{ username }}/docker_env_files" 27 | mode: 0755 28 | 29 | - name: Docker env file 30 | copy: 31 | dest: "/home/{{ username }}/docker_env_files/{{ service.vault.subdomain }}.env" 32 | content: | 33 | ADMIN_TOKEN={{ admin_token.stdout }} 34 | SIGNUPS_ALLOWED=false 35 | mode: 0644 36 | -------------------------------------------------------------------------------- /roles/website/tasks/main.yml: -------------------------------------------------------------------------------- 1 | - name: Create and chown website dir 2 | file: 3 | path: "/home/{{ username }}/website" 4 | state: directory 5 | mode: 0755 6 | 7 | - name: Sample index 8 | copy: 9 | dest: "/home/{{ username }}/website/index.html" 10 | content: | 11 | 12 |

13 | Hi mom! 14 |

15 | 16 | mode: 0644 17 | -------------------------------------------------------------------------------- /roles/welcome/files/20-kernel: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | echo "Kernel: $(uname -srm) 3 | " 4 | -------------------------------------------------------------------------------- /roles/welcome/files/30-resources: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | hostName=$(uname -n) 3 | 4 | biggestDisk=$(df -h | sort -k2 -h | tail -n1) 5 | diskPercentage=$(echo "$biggestDisk" | awk '{ print $5 }') 6 | totalDiskSpace=$(echo "$biggestDisk" | awk '{ print $2 }') 7 | usedDiskSpace=$(echo "$biggestDisk" | awk '{ print $3 }') 8 | 9 | totalMemory=$(grep MemTotal /proc/meminfo | awk '{ print $2 }') 10 | freeMemory=$(grep MemAvailable /proc/meminfo | awk '{ print $2 }') 11 | 12 | memoryPrecentage=$(((totalMemory - freeMemory) * 100 / totalMemory)) 13 | memoryUsage=$(free -h | awk '/Mem:/ { printf "%s/%s", $3, $2 }' | sed 's/i//g') 14 | 15 | echo "========================================== 16 | - Hostname............: $hostName 17 | - Disk Space..........: $diskPercentage ($usedDiskSpace/$totalDiskSpace) 18 | - Memory used.........: $memoryPrecentage% ($memoryUsage) 19 | ========================================== 20 | " 21 | -------------------------------------------------------------------------------- /roles/welcome/tasks/main.yml: -------------------------------------------------------------------------------- 1 | - name: Remove all motd 2 | block: 3 | - name: Remove default welcome message 4 | file: 5 | state: absent 6 | path: "/etc/motd" 7 | 8 | - name: Remove all files in /etc/update-motd.d 9 | file: 10 | path: "/etc/update-motd.d/" 11 | state: absent 12 | 13 | - name: Recreate /etc/update-motd.d directory 14 | file: 15 | path: "/etc/update-motd.d" 16 | state: directory 17 | mode: 0755 18 | 19 | - name: Copy welcome message template 20 | template: 21 | src: "10-welcome" 22 | dest: "/etc/update-motd.d/" 23 | mode: 0755 24 | 25 | - name: Copy all sh scripts 26 | copy: 27 | src: "{{ item }}" 28 | dest: "/etc/update-motd.d/" 29 | mode: 0755 30 | with_fileglob: 31 | - "*" 32 | 33 | - name: Enable and restart ssh 34 | become: true 35 | tags: ignore-ci # ci doesn't boot with systemd 36 | service: 37 | name: sshd 38 | enabled: true 39 | state: restarted 40 | -------------------------------------------------------------------------------- /roles/welcome/templates/10-welcome: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | domain="{{ domain }}" 4 | {% raw %} 5 | welcome_msg="-- Welcome to ${domain} --" 6 | border_length=${#welcome_msg} 7 | 8 | border=$(printf '=%.0s' "$(seq 1 "$border_length")") 9 | 10 | echo "$border 11 | $welcome_msg 12 | $border 13 | " 14 | {% endraw %} 15 | -------------------------------------------------------------------------------- /run.yml: -------------------------------------------------------------------------------- 1 | - name: Create user 2 | hosts: vps 3 | remote_user: root 4 | gather_facts: no 5 | vars_files: 6 | - .env.yml 7 | roles: 8 | - role: user 9 | tags: 10 | - user 11 | 12 | - name: Server setup 13 | hosts: vps 14 | remote_user: "{{ username }}" 15 | vars_files: 16 | - .env.yml 17 | 18 | roles: 19 | - role: harden 20 | become: true 21 | tags: 22 | - harden 23 | - sec 24 | 25 | - role: housekeeping 26 | become: true 27 | tags: 28 | - housekeeping 29 | 30 | - role: custom 31 | tags: 32 | - custom 33 | 34 | - role: nextcloud 35 | tags: 36 | - nextcloud 37 | - services 38 | 39 | - role: vault 40 | tags: 41 | - vault 42 | - services 43 | 44 | - role: searx 45 | tags: 46 | - searx 47 | - services 48 | 49 | - role: gitea 50 | tags: 51 | - gitea 52 | - services 53 | 54 | - role: website 55 | tags: 56 | - website 57 | 58 | - role: analytics 59 | tags: 60 | - analytics 61 | 62 | - role: onion 63 | become: true 64 | tags: 65 | - onion 66 | - website 67 | 68 | - role: fail2ban 69 | become: true 70 | tags: 71 | - fail2ban 72 | - sec 73 | 74 | - role: nginx 75 | become: true 76 | tags: 77 | - nginx 78 | 79 | - role: welcome 80 | become: true 81 | tags: 82 | - welcome 83 | --------------------------------------------------------------------------------