authorElizabeth Alexander Hunt <me@liz.coffee>2025-05-04 15:46:06 -0700
committerElizabeth Alexander Hunt <me@liz.coffee>2025-05-04 15:46:06 -0700
commit59417f290463d3aabbf3ec2ab8e75703928db217 (patch)
treeb0c2f7e7820920561e100d35ae552a30bc993fb6
parentb15dfc4a99c066be88406df259bd6367a26b48e4 (diff)
First attempt at CI
-rw-r--r--deploy.yml3
-rw-r--r--group_vars/ci.yml4
-rw-r--r--group_vars/labdns.yml1
-rw-r--r--inventory3
-rw-r--r--playbooks/ci.yml7
-rw-r--r--playbooks/roles/ci/tasks/main.yml8
-rw-r--r--playbooks/roles/ci/templates/stacks/docker-compose.yml88
-rw-r--r--playbooks/roles/ci/templates/volumes/data/.gitkeep0
-rw-r--r--playbooks/roles/outbound/templates/proxy/nginx/conf.d/ci.conf19
-rw-r--r--secrets.txt1
10 files changed, 134 insertions, 0 deletions
diff --git a/deploy.yml b/deploy.yml
index 89fd643..8b9578b 100644
--- a/deploy.yml
+++ b/deploy.yml
@@ -56,3 +56,6 @@
- name: test
ansible.builtin.import_playbook: playbooks/test.yml
+
+- name: ci
+ ansible.builtin.import_playbook: playbooks/ci.yml
diff --git a/group_vars/ci.yml b/group_vars/ci.yml
new file mode 100644
index 0000000..90cf7f9
--- /dev/null
+++ b/group_vars/ci.yml
@@ -0,0 +1,4 @@
+---
+
+ci_domain: ci.liz.coffee
+ci_base: "{{ swarm_base }}/ci"
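Review bot: `ci_domain: ci.liz.coffee` hard-codes the host name while the labdns entry in the same commit derives it as `ci.{{ domain }}`, so the two can drift; writing `ci_domain: "ci.{{ domain }}"` keeps a single source of truth and matches the quoted style already used for `ci_base` on the next line. The nginx `server_name` added in this commit is a third literal copy of the same name and would benefit from the same variable.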
diff --git a/group_vars/labdns.yml b/group_vars/labdns.yml
index 70fd718..c1985c9 100644
--- a/group_vars/labdns.yml
+++ b/group_vars/labdns.yml
@@ -3,6 +3,7 @@
labdns_base: "{{ swarm_base }}/labdns"
internal_services:
+ - ci.{{ domain }}
- test.{{ domain }}
- bin.{{ domain }}
- ci.{{ domain }}
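Review bot: The added `- ci.{{ domain }}` duplicates the existing `- ci.{{ domain }}` entry visible three lines below in the same `internal_services` list, so the CI host is registered twice; drop the new line so the list stays one entry per service. YAML will not flag duplicate sequence items, and if the consumer emits one DNS record per entry this would presumably produce a duplicate record rather than a deploy-time error. The `internal_services` list may continue past the end of the hunk.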
diff --git a/inventory b/inventory
index 2b2ebe9..86135a8 100644
--- a/inventory
+++ b/inventory
@@ -65,3 +65,6 @@ swarm-one ansible_host=10.128.0.201 ansible_user=serve ansible_connectio
[test]
swarm-one ansible_host=10.128.0.201 ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}'
+[ci]
+swarm-one ansible_host=10.128.0.201 ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}'
+
diff --git a/playbooks/ci.yml b/playbooks/ci.yml
new file mode 100644
index 0000000..9481f24
--- /dev/null
+++ b/playbooks/ci.yml
@@ -0,0 +1,7 @@
+---
+
+- name: ci setup
+ hosts: ci
+ become: true
+ roles:
+ - ci
diff --git a/playbooks/roles/ci/tasks/main.yml b/playbooks/roles/ci/tasks/main.yml
new file mode 100644
index 0000000..cd0c220
--- /dev/null
+++ b/playbooks/roles/ci/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+
+- name: Deploy ci
+ ansible.builtin.import_tasks: manage-docker-swarm-service.yml
+ vars:
+ service_name: ci
+ template_render_dir: "../templates"
+ service_destination_dir: "{{ ci_base }}"
diff --git a/playbooks/roles/ci/templates/stacks/docker-compose.yml b/playbooks/roles/ci/templates/stacks/docker-compose.yml
new file mode 100644
index 0000000..e2358e5
--- /dev/null
+++ b/playbooks/roles/ci/templates/stacks/docker-compose.yml
@@ -0,0 +1,88 @@
+services:
+ db:
+ image: postgres
+ environment:
+ POSTGRES_DB: concourse
+ POSTGRES_PASSWORD: concourse_pass
+ POSTGRES_USER: concourse_user
+ PGDATA: /database
+ POSTGRES_HOST_AUTH_METHOD: trust
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -U concourse_user -d concourse"]
+ interval: 3s
+ timeout: 3s
+ retries: 5
+ networks:
+ - ci
+
+ worker:
+ image: concourse/concourse
+ command: worker
+ privileged: true
+ depends_on:
+ web:
+ condition: service_healthy
+ volumes:
+ - {{ ci_base }}/volumes/keys/worker:/concourse-keys
+ networks:
+ - ci
+ stop_signal: SIGUSR2
+ environment:
+ CONCOURSE_TSA_HOST: web:2222
+ CONCOURSE_GARDEN_DNS_PROXY_ENABLE: "true"
+
+ web:
+ image: concourse
+ depends_on:
+ db:
+ condition: service_healthy
+ volumes:
+ - {{ ci_base }}/volumes/keys/web:/concourse-keys
+ environment:
+ - TZ={{ timezone }}
+ - DEPLOYMENT_TIME={{ deployment_time }}
+ - CONCOURSE_POSTGRES_HOST: db
+ - CONCOURSE_POSTGRES_USER: concourse_user
+ - CONCOURSE_POSTGRES_PASSWORD: concourse_pass
+ - CONCOURSE_POSTGRES_DATABASE: concourse
+ - CONCOURSE_EXTERNAL_URL: https://{{ ci_domain }}
+
+ - # instead of relying on the default "detect"
+ - CONCOURSE_WORKER_BAGGAGECLAIM_DRIVER=overlay
+ - CONCOURSE_CLUSTER_NAME={{ ci_domain }}
+
+ - CONCOURSE_OIDC_DISPLAY_NAME={{ domain }} <3
+ - CONCOURSE_OIDC_CLIENT_ID=concourse
+ - CONCOURSE_OIDC_CLIENT_SECRET={{ concourse_secret_key }}
+ - CONCOURSE_OID_ISSUER=https://{{ idm_domain }}/oauth2/openid/concourse/
+ networks:
+ - ci
+ - proxy
+ healthcheck:
+ test: ["CMD-SHELL", "curl", "--fail", "http://localhost:8080"]
+ timeout: 15s
+ interval: 30s
+ retries: 3
+ start_period: 5s
+ deploy:
+ mode: replicated
+ update_config:
+ parallelism: 1
+ failure_action: rollback
+ order: start-first
+ delay: 5s
+ monitor: 20s
+ replicas: 1
+ labels:
+ - traefik.enable=true
+ - traefik.swarm.network=proxy
+ - traefik.http.routers.ci.tls=true
+ - traefik.http.routers.ci.tls.certResolver=letsencrypt
+ - traefik.http.routers.ci.rule=Host(`{{ ci_domain }}`)
+ - traefik.http.routers.ci.entrypoints=websecure
+ - traefik.http.services.ci.loadbalancer.server.port=8080
+
+networks:
+ ci:
+ proxy:
+ external: true
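Review bot: The `db` service sets `POSTGRES_HOST_AUTH_METHOD: trust`, which disables password checks for every client that can reach it on the `ci` network (including the `privileged: true` worker), and pairs it with a hard-coded `POSTGRES_PASSWORD: concourse_pass` even though the same commit vaults `concourse_secret_key`; drop the `trust` line and source the password from a vaulted var. The `web` `environment:` block mixes `- KEY=value` strings with `- KEY: value` mapping items (`CONCOURSE_POSTGRES_HOST` through `CONCOURSE_EXTERNAL_URL`) and contains a bare `- # instead of …` item, which compose will reject as non-string list entries, and `CONCOURSE_OID_ISSUER` looks like a typo for `CONCOURSE_OIDC_ISSUER` (the flag is `--oidc-issuer`), which would leave OIDC login unconfigured. The healthcheck `["CMD-SHELL", "curl", "--fail", "http://localhost:8080"]` passes the URL as positional shell arguments rather than as part of the command string, so `sh -c curl` runs with no URL and the service never reports healthy; note also that `docker stack deploy` ignores `depends_on` conditions, so worker start-up should not rely on them. The `web` image is `concourse` while the worker pulls `concourse/concourse`, neither pinned to a tag, and `PGDATA: /database` has no volume behind it even though `volumes/data/.gitkeep` is added here, so pipeline state is lost on every restart. The fence below shows the `db` and `web` blocks rewritten accordingly; `concourse_db_password` is a new vaulted var that would need adding to secrets.txt.
```yaml
  db:
    image: postgres
    environment:
      POSTGRES_DB: concourse
      POSTGRES_PASSWORD: "{{ concourse_db_password }}"
      POSTGRES_USER: concourse_user
      PGDATA: /database
    volumes:
      - {{ ci_base }}/volumes/data:/database
    # … unchanged: healthcheck, networks …

  web:
    image: concourse/concourse
    # … unchanged: depends_on, volumes …
    environment:
      - TZ={{ timezone }}
      - DEPLOYMENT_TIME={{ deployment_time }}
      - CONCOURSE_POSTGRES_HOST=db
      - CONCOURSE_POSTGRES_USER=concourse_user
      - CONCOURSE_POSTGRES_PASSWORD={{ concourse_db_password }}
      - CONCOURSE_POSTGRES_DATABASE=concourse
      - CONCOURSE_EXTERNAL_URL=https://{{ ci_domain }}
      # instead of relying on the default "detect"
      - CONCOURSE_WORKER_BAGGAGECLAIM_DRIVER=overlay
      - CONCOURSE_CLUSTER_NAME={{ ci_domain }}
      - CONCOURSE_OIDC_DISPLAY_NAME={{ domain }} <3
      - CONCOURSE_OIDC_CLIENT_ID=concourse
      - CONCOURSE_OIDC_CLIENT_SECRET={{ concourse_secret_key }}
      - CONCOURSE_OIDC_ISSUER=https://{{ idm_domain }}/oauth2/openid/concourse/
    # … unchanged: networks …
    healthcheck:
      test: ["CMD-SHELL", "curl --fail http://localhost:8080 || exit 1"]
    # … unchanged: healthcheck timings, deploy, labels …
```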
diff --git a/playbooks/roles/ci/templates/volumes/data/.gitkeep b/playbooks/roles/ci/templates/volumes/data/.gitkeep
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/playbooks/roles/ci/templates/volumes/data/.gitkeep
diff --git a/playbooks/roles/outbound/templates/proxy/nginx/conf.d/ci.conf b/playbooks/roles/outbound/templates/proxy/nginx/conf.d/ci.conf
new file mode 100644
index 0000000..5e90596
--- /dev/null
+++ b/playbooks/roles/outbound/templates/proxy/nginx/conf.d/ci.conf
@@ -0,0 +1,19 @@
+server {
+ listen 80;
+ server_name ci.liz.coffee;
+
+ real_ip_header X-Forwarded-For;
+ real_ip_recursive on;
+ set_real_ip_from {{ docker_network }};
+
+ location / {
+ proxy_pass https://{{ loadbalancer_ip }};
+ proxy_ssl_verify off;
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+}
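Review bot: `proxy_ssl_verify off;` together with `proxy_pass https://{{ loadbalancer_ip }};` means this hop accepts whatever certificate the load balancer presents, and because the upstream is addressed by IP nginx sends no SNI, so a name-based TLS terminator (the Traefik labels elsewhere in this commit suggest that is what sits at `loadbalancer_ip`) will likely answer with its default certificate rather than the one for `ci.liz.coffee`. Add `proxy_ssl_server_name on;` and `proxy_ssl_name ci.liz.coffee;` so the right certificate is selected, and switch to `proxy_ssl_verify on;` with a `proxy_ssl_trusted_certificate` pointing at the CA the load balancer uses, unless plain HTTP on a trusted network is the convention the other `conf.d` templates follow. Forcing `Connection "upgrade"` on every request rather than only when `$http_upgrade` is set is also unusual; the standard pattern maps `$http_upgrade` to a `$connection_upgrade` variable. `server_name ci.liz.coffee` is a literal where the rest of the change templates the host as `{{ ci_domain }}`.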
diff --git a/secrets.txt b/secrets.txt
index 7be8b66..4fd2647 100644
--- a/secrets.txt
+++ b/secrets.txt
@@ -17,3 +17,4 @@ roundcube_oauth2_client_basic_secret
info_mail_password
yubico_client_id
yubico_secret_key
+concourse_secret_key