Initial Main commit

2024-03-05 08:32:15 -06:00 · 2024-03-05 08:32:15 -06:00 · dfbd35725a
commit dfbd35725a
13 changed files with 331 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,10 @@
+.idea/
+*.iml
+terraform/.secrets
+terraform_ghost/.secrets
+terraform/.tunnel
+**/*.tfplan
+**/*.tfstate*
+**/.terraform.lock.hcl
+**/.terraform/
+**/*.pem
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+66313862303134613964336532616465383364643134316563653537323236353132616161623730
+3763626335633066393138346662363334393735663231640a656137633834326237663162363339
+30343661373936646337653133623263346665383538643164653534646232613862346234373438
+3863653739373862350a383937623630303236376333373562656437663566623361653863623764
+62373931356462303138363634346663313665303162333533636265623166386637653434633636
+30646337373865323330363839346437643164376231613033643331633031643865356266383766
+64326536303762653839633431653831303637353235383033336337303437333264396138613835
+38633464373665666562616439646436373637373339393334346366336435366636663035653862
+3831
--- a/roles/flarum/files/composer_installer.sh
+++ b/roles/flarum/files/composer_installer.sh
@ -0,0 +1,17 @@
+#!/bin/sh
+
+EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')"
+php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
+ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")"
+
+if [ "$EXPECTED_CHECKSUM" != "$ACTUAL_CHECKSUM" ]
+then
+    >&2 echo 'ERROR: Invalid installer checksum'
+    rm composer-setup.php
+    exit 1
+fi
+
+php composer-setup.php --quiet  --install-dir /usr/bin
+RESULT=$?
+rm composer-setup.php
+exit $RESULT
--- a/roles/flarum/files/nginx.conf
+++ b/roles/flarum/files/nginx.conf
@ -0,0 +1,92 @@
+server {
+  listen 8544 ssl http2;
+  listen [::]:8544 ssl http2;
+  server_name flarum.bubblesthebunny.com;
+
+  ssl_protocols TLSv1.2 TLSv1.3;
+
+  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+
+  ssl_prefer_server_ciphers on;
+  ssl_session_cache shared:SSL:10m;
+  ssl_session_tickets off;
+
+  # Uncomment these lines once you acquire a certificate:
+  ssl_certificate     /etc/nginx/flarum.bubblesthebunny.com/fullchain.pem;
+  ssl_certificate_key /etc/nginx/flarum.bubblesthebunny.com/privkey.pem;
+
+  root /home/flarum/flarum/public
+  # Pass requests that don't refer directly to files in the filesystem to index.php
+  location / {
+    try_files $uri $uri/ /index.php?$query_string;
+  }
+
+  # Uncomment the following lines if you are not using a `public` directory
+  # to prevent sensitive resources from being exposed.
+  # <!-- BEGIN EXPOSED RESOURCES PROTECTION -->
+  # location ~* ^/(\.git|composer\.(json|lock)|auth\.json|config\.php|flarum|storage|vendor) {
+  #   deny all;
+  #   return 404;
+  # }
+  # <!-- END EXPOSED RESOURCES PROTECTION -->
+
+  # The following directives are based on best practices from H5BP Nginx Server Configs
+  # https://github.com/h5bp/server-configs-nginx
+
+  # Expire rules for static content
+  location ~* \.(?:manifest|appcache|html?|xml|json)$ {
+    add_header Cache-Control "max-age=0";
+  }
+
+  location ~* \.(?:rss|atom)$ {
+    add_header Cache-Control "max-age=3600";
+  }
+
+  location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|mp4|ogg|ogv|webm|htc)$ {
+    add_header Cache-Control "max-age=2592000";
+    access_log off;
+  }
+
+  location ~* \.(?:css|js)$ {
+    add_header Cache-Control "max-age=31536000";
+    access_log off;
+  }
+
+  location ~* \.(?:ttf|ttc|otf|eot|woff|woff2)$ {
+    add_header Cache-Control "max-age=2592000";
+    access_log off;
+  }
+
+  # Gzip compression
+  gzip on;
+  gzip_comp_level 5;
+  gzip_min_length 256;
+  gzip_proxied any;
+  gzip_vary on;
+  gzip_types
+      application/atom+xml
+      application/javascript
+      application/json
+      application/ld+json
+      application/manifest+json
+      application/rss+xml
+      application/vnd.geo+json
+      application/vnd.ms-fontobject
+      application/x-font-ttf
+      application/x-web-app-manifest+json
+      application/xhtml+xml
+      application/xml
+      font/opentype
+      image/bmp
+      image/svg+xml
+      image/x-icon
+      text/cache-manifest
+      text/css
+      text/javascript
+      text/plain
+      text/vcard
+      text/vnd.rim.location.xloc
+      text/vtt
+      text/x-component
+      text/x-cross-domain-policy;
+}
--- a/roles/flarum/tasks/add_to_cloudflare_tunnel.yml
+++ b/roles/flarum/tasks/add_to_cloudflare_tunnel.yml
@ -0,0 +1,15 @@
+---
+- name: Add Cloudflare Tunnel route
+  become: yes
+  lineinfile:
+    path: /etc/cloudflared/config.yaml
+    regexp: "- hostname: flarum\.bubblesthebunny\.com[\W]*service: https:\/\/localhost:8544"
+    line: |-
+      - hostname: flarum.bubblesthebunny.com
+        service: https://localhost:8544
+    insertbefore: "- service: http_status:404"
+- name: Restart Cloudflared
+  become: yes
+  systemd:
+    name: cloudflared
+    state: restarted
--- a/roles/flarum/tasks/main.yml
+++ b/roles/flarum/tasks/main.yml
@ -0,0 +1,48 @@
+---
+- name: Add flarum group
+  become: yes
+  group:
+    name: flarum
+    state: present
+- name: Add flarum user
+  become: yes
+  user:
+    create_home: yes
+    name: flarum
+    comment: For running flarum
+    shell: /bin/false
+    password: '!'
+    home: /home/flarum
+- name: Create Flarum install dir
+  become: yes
+  file:
+    path: /home/flarum/flarum
+    state: directory
+    owner: flarum
+    group: flarum
+- name: Install PHP
+  become: yes
+  zypper:
+    name: php81
+    state: latest
+- name: Install Composer
+  become: yes
+  script:
+    command: composer_installer.sh
+    creates: /usr/bin/composer
+- name: Create Flarum project
+  become: yes
+  become_user: flarum
+  community.general.composer:
+    command: create-project
+    arguments: flarum/flarum .
+    working-dir: /home/flarum/flarum
+- name: Setup Nginx
+  import_tasks: setup_nginx.yml
+- name: Add to CloudflareD tunnel
+  import_tasks: add_to_cloudflare_tunnel.yml
+- name: Reload Nginx
+  become: yes
+  systemd:
+    name: nginx
+    state: reloaded
--- a/roles/flarum/tasks/setup_nginx.yml
+++ b/roles/flarum/tasks/setup_nginx.yml
@ -0,0 +1,33 @@
+---
+- name: Create cert dir
+  become: yes
+  file:
+    path: /etc/nginx/flarum.bubblesthebunny.com
+    state: directory
+- name: Copy chain
+  become: yes
+  copy:
+    src: fullchain.pem
+    dest: /etc/nginx/flarum.bubblesthebunny.com/fullchain.pem
+    owner: nginx
+    group: nginx
+    mode: 0640
+- name: Copy key
+  become: yes
+  copy:
+    src: privkey.pem
+    dest: /etc/nginx/flarum.bubblesthebunny.com/privkey.pem
+    owner: nginx
+    group: nginx
+    mode: 0640
+- name: Copy nginx.conf
+  become: yes
+  copy:
+    src: nginx.conf
+    dest: /etc/nginx/sites-available/flarum
+- name: Link to sites-enabled
+  become: yes
+  file:
+    src: /etc/nginx/sites-available/flarum
+    path: /etc/nginx/sites-enabled/flarum
+    state: link
--- a/run.sh
+++ b/run.sh
@ -0,0 +1,3 @@
+#!/usr/bin/env sh
+
+ansible-playbook -i hosts.yml site.yml --vault-password-file ~/.vault_pass.txt
--- a/site.yml
+++ b/site.yml
@ -0,0 +1,5 @@
+---
+- name: Setup Flarum
+  hosts: server1
+  roles:
+  - role: flarum
--- a/terraform/hose.sh
+++ b/terraform/hose.sh
@ -0,0 +1,5 @@
+#!/usr/bin/env sh
+
+terraform plan -destroy -out destroy.tfplan
+
+terraform apply destroy.tfplan
--- a/terraform/main.tf
+++ b/terraform/main.tf
@ -0,0 +1,61 @@
+terraform {
+  required_providers {
+    acme = {
+      source  = "vancluever/acme"
+      version = "~>2.0"
+    }
+    cloudflare = {
+      source  = "cloudflare/cloudflare"
+      version = "~>4.0"
+    }
+  }
+}
+
+provider "acme" {
+  server_url = "https://acme-v02.api.letsencrypt.org/directory"
+}
+
+provider "cloudflare" {
+  api_token = var.cloudflare_token
+}
+
+resource "tls_private_key" "private_key" {
+  algorithm = "RSA"
+  rsa_bits  = 4096
+}
+
+resource "acme_registration" "reg" {
+  account_key_pem = tls_private_key.private_key.private_key_pem
+  email_address   = "admin@bubblesthebunny.com"
+}
+
+resource "acme_certificate" "certificate" {
+  account_key_pem           = acme_registration.reg.account_key_pem
+  common_name               = "bubblesthebunny.com"
+  subject_alternative_names = ["flarum.bubblesthebunny.com"]
+
+  dns_challenge {
+    provider = "cloudflare"
+    config = {
+      CF_DNS_API_TOKEN = var.cloudflare_token
+    }
+  }
+}
+
+resource "cloudflare_record" "flarum" {
+  name    = "flarum"
+  type    = "CNAME"
+  zone_id = var.zone_id
+  value   = var.cname_record
+  proxied = true
+}
+
+resource "local_file" "public_cert" {
+  filename = "../roles/flarum/files/fullchain.pem"
+  content  = "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
+}
+
+resource "local_sensitive_file" "private_key" {
+  filename = "../roles/flarum/files/privkey.pem"
+  content  = acme_certificate.certificate.private_key_pem
+}
--- a/terraform/run.sh
+++ b/terraform/run.sh
@ -0,0 +1,13 @@
+#!/usr/bin/env sh
+
+export TF_IN_AUTOMATION=true
+
+terraform init -upgrade || exit
+
+terraform fmt -recursive || exit
+
+terraform validate || exit
+
+terraform plan -out flarum_plan.tfplan || exit
+
+terraform apply flarum_plan.tfplan || exit
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@ -0,0 +1,19 @@
+variable "cloudflare_token" {
+  type        = string
+  description = "Cloudflare DNS:Edit token"
+}
+
+variable "zone_id" {
+  type        = string
+  description = "The Cloudflare Zone ID"
+}
+
+variable "account_id" {
+  type        = string
+  description = "The Cloudflare Account ID"
+}
+
+variable "cname_record" {
+  type        = string
+  description = "The CNAME record used by the Cloudflared tunnel"
+}