notch8 · aprilrieger · Jan 12, 2026 · Sep 17, 2025 · Sep 25, 2025 · Oct 3, 2025
diff --git a/ansible/.gitignore b/ansible/.gitignore
@@ -0,0 +1,6 @@
+.aider*
+.env
+vars/main.yml
+files/id_rsa
+files/b2.adventistdigitallibrary.org.2024.key
+files/b2_adventistdigitallibrary_org_2024_complete.cer
diff --git a/ansible/README.md b/ansible/README.md
@@ -0,0 +1,51 @@
+# Adventist Server Setup
+
+This repository contains Ansible playbooks to automate the setup of the Adventist server.
+
+## Prerequisites
+
+1. Clone the keep volume
+2. Clone the tmp volume
+3. NAD Cloud to generate new instance and give Notch8 access via ssh to setup ansible provision of infrastructure.
+4. NAD Cloud to provision and attach the volumes to the instance:
+   - tmp: 800 GiB
+   - keep: 4000 GiB
+   - 100 GiB
+5. Set up 1password cli (`op`) OR place required files in the `files/` directory:
+   - SSL certificate: `b2_adventistdigitallibrary_org_2024_complete.cer`
+   - SSL private key: `b2.adventistdigitallibrary.org.2024.key`
+   - Nginx config: `nginx-default`
+   - Deploy key: `id_rsa`
+
+## Installation
+
+1. Install Ansible dependencies:
+```bash
+ansible-galaxy collection install community.docker
+ansible-galaxy install -r requirements.yml
+```
+
+2. Update the inventory file with your server's IP address
+
+3. Run the playbook:
+```bash
+ansible-playbook -i inventory.yml site.yml
+```
+
+## What Gets Installed
+
+The playbook will:
+- Create and mount storage directories
+- Install Docker, Nginx, and other required packages
+- Configure SSL certificates
+- Set up Nginx with bad bot blocker
+- Create user accounts with SSH access
+- Configure Docker registry access
+- Set up deployment keys
+
+## Post-Installation
+
+For working with Docker Compose, use:
+```bash
+alias dc='dotenv -e .env.production docker-compose -f docker-compose.production.yml'
+```
diff --git a/ansible/bin/run b/ansible/bin/run
@@ -0,0 +1,16 @@
+#!/bin/bash
+# op document create files/id_rsa --title DEPLOY_ID_RSA --vault "ADVENTIST"
+# op document create files/b2.adventistdigitallibrary.org.2024.key --title ADVENTIST_SSL_KEY --vault "ADVENTIST"
+# op document create files/b2_adventistdigitallibrary_org_2024_complete.cer --title ADVENTIST_SSL_CER --vault "ADVENTIST"
+
+if [ ! -f "files/id_rsa" ]; then
+  op document get DEPLOY_ID_RSA --out-file files/id_rsa
+fi
+if [ ! -f "files/b2.adventistdigitallibrary.org.2024.key" ]; then
+  op document get ADVENTIST_SSL_KEY --out-file files/b2.adventistdigitallibrary.org.2024.key
+fi
+if [ ! -f "files/b2_adventistdigitallibrary_org_2024_complete.cer" ]; then
+  op document get ADVENTIST_SSL_CER --out-file files/b2_adventistdigitallibrary_org_2024_complete.cer
+fi
+
+ansible-playbook -i inventory.yml site.yml
diff --git a/ansible/files/.keep b/ansible/files/.keep
diff --git a/ansible/files/nginx-default b/ansible/files/nginx-default
@@ -0,0 +1,92 @@
+upstream rails_app {
+  server localhost:3000;
+}
+
+map $status $loggable {
+    ~^444  0;
+    default 1;
+}
+
+error_log  /var/log/nginx/error.log warn;
+#tcp_nopush     on;
+
+real_ip_header X-Forwarded-For;
+real_ip_recursive on;
+
+server {
+    server_name b2.adventistdigitallibrary.org;
+    root /store/keep/nnp/public;
+    index index.html;
+
+    client_body_in_file_only clean;
+    client_body_buffer_size 32K;
+    client_max_body_size 0;
+    access_log /var/log/nginx/access.log ;
+    # if=$loggable;
+
+    sendfile on;
+    send_timeout 300s;
+
+    include /etc/nginx/bots.d/ddos.conf;
+    include /etc/nginx/bots.d/blockbots.conf;
+
+    location ~ (\.php|\.aspx|\.asp) {
+    	return 404;
+    }
+
+    # deny requests for files that should never be accessed
+    location ~ /\. {
+      deny all;
+    }
+
+    location ~* ^.+\.(rb|log)$ {
+      deny all;
+    }
+
+    # serve static (compiled) assets directly if they exist (for rails production)
+    location ~ ^/(assets|packs|fonts|images|javascripts|stylesheets|swfs|system)/ {
+      try_files $uri @rails;
+
+      # access_log off;
+      gzip_static on; # to serve pre-gzipped version
+
+      expires max;
+      add_header Cache-Control public;
+
+      # Some browsers still send conditional-GET requests if there's a
+      # Last-Modified header or an ETag header even if they haven't
+      # reached the expiry date sent in the Expires header.
+      add_header Last-Modified "";
+      add_header ETag "";
+      break;
+    }
+
+    # send non-static file requests to the app server
+    location / {
+      try_files $uri @rails;
+    }
+
+    location @rails {
+      proxy_set_header  X-Real-IP  $remote_addr;
+      proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto https;
+      proxy_set_header Host $http_host;
+      proxy_redirect off;
+      proxy_pass http://rails_app;
+    }
+
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/ssl/b2_adventistdigitallibrary_org_2024_complete.cer;
+    ssl_certificate_key /etc/ssl/private/b2.adventistdigitallibrary.org.2024.key;
+}
+
+server {
+    if ($host = b2.adventistdigitallibrary.org) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+
+    listen 80;
+    server_name b2.adventistdigitallibrary.org;
+    return 404; # managed by Certbot
+}
diff --git a/ansible/inventory.yml b/ansible/inventory.yml
@@ -0,0 +1,9 @@
+---
+all:
+  children:
+    adventist_servers:
+      hosts:
+        adventist2025:
+          ansible_host: ####### ADD IP ADDRESS OF SERVER HERE #######
+          ansible_user: ubuntu
+          ansible_ssh_private_key_file: ~/.ssh/adventist-nadcloud
diff --git a/ansible/requirements.yml b/ansible/requirements.yml
@@ -0,0 +1,5 @@
+---
+roles:
+  - name: nginx-badbot-blocker
+    src: https://github.com/Sharlyll/Ansible-role-nginx-ultimate-bad-bot-blocker
+    version: main
diff --git a/ansible/roles/base_setup/meta/main.yml b/ansible/roles/base_setup/meta/main.yml
@@ -0,0 +1,13 @@
+---
+galaxy_info:
+  author: Notch8
+  description: Base setup for Adventist Hyku servers
+  license: MIT
+  min_ansible_version: 2.9
+  platforms:
+    - name: Ubuntu
+      versions:
+        - focal
+        - jammy
+
+dependencies: []
diff --git a/ansible/roles/base_setup/tasks/main.yml b/ansible/roles/base_setup/tasks/main.yml
@@ -0,0 +1,43 @@
+---
+- name: Create storage directories
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: '0755'
+  with_items:
+    - /store/keep
+    - /store/tmp
+
+- name: Mount volumes
+  mount:
+    path: "{{ item.path }}"
+    src: "{{ item.device }}"
+    fstype: ext4
+    state: mounted
+  with_items:
+    - { path: "/store/keep", device: "/dev/nvme1n1" }
+    - { path: "/store/tmp", device: "/dev/nvme2n1" }
+
+- name: Update apt cache
+  apt:
+    update_cache: yes
+
+- name: Install required packages
+  apt:
+    name:
+      - docker.io
+      - nginx
+      - python3-dotenv-cli
+    state: present
+
+- name: Install Docker Compose
+  get_url:
+    url: "https://github.com/docker/compose/releases/latest/download/docker-compose-{{ ansible_system }}-{{ ansible_architecture }}"
+    dest: /usr/local/bin/docker-compose
+    mode: '0755'
+
+- name: Add ubuntu user to docker group
+  user:
+    name: ubuntu
+    groups: docker
+    append: yes
diff --git a/ansible/site.yml b/ansible/site.yml
@@ -0,0 +1,79 @@
+---
+- name: Setup Adventist Server
+  hosts: adventist_servers
+  become: true
+  vars_files:
+    - vars/main.yml
+
+  roles:
+    - role: base_setup
+      tags: base
+    - role: nginx-badbot-blocker
+      tags: nginx
+
+  tasks:
+
+    - name: Copy SSL certificate
+      copy:
+        src: files/b2_adventistdigitallibrary_org_2024_complete.cer
+        dest: /etc/ssl/b2_adventistdigitallibrary_org_2024_complete.cer
+        mode: '0644'
+
+    - name: Copy SSL key
+      copy:
+        src: files/b2.adventistdigitallibrary.org.2024.key
+        dest: /etc/ssl/private/b2.adventistdigitallibrary.org.2024.key
+        mode: '0600'
+
+    - name: Copy nginx configuration
+      copy:
+        src: files/nginx-default
+        dest: /etc/nginx/sites-enabled/default
+        mode: '0644'
+      notify: restart nginx
+
+    - name: Create user accounts
+      user:
+        name: "{{ item.name }}"
+        state: present
+        create_home: yes
+        groups: adm,sudo,docker
+      with_items:
+        "{{ ssh_users }}"
+
+    - name: Configure sudo without password
+      copy:
+        dest: "/etc/sudoers.d/{{ item.name }}"
+        content: "{{ item.name }} ALL=(ALL) NOPASSWD:ALL"
+        mode: '0440'
+        validate: /usr/sbin/visudo -cf %s
+      with_items:
+        "{{ ssh_users }}"
+
+    - name: set up github keys
+      authorized_key:
+        user: "{{ item.name }}"
+        state: present
+        key: "https://github.com/{{ item.github }}.keys"
+      with_items:
+        "{{ ssh_users }}"
+
+    - name: Configure Docker login
+      docker_login:
+        registry_url: ghcr.io
+        username: orangewolf
+        password: "{{ ghcr_token }}"
+
+    - name: Copy deploy key
+      copy:
+        src: files/id_rsa
+        dest: /root/.ssh/id_rsa
+        mode: '0600'
+        owner: root
+        group: root
+
+  handlers:
+    - name: restart nginx
+      service:
+        name: nginx
+        state: restarted