author | Elizabeth Hunt <me@liz.coffee> | 2025-07-26 23:40:15 -0700 |
---|---|---|
committer | Elizabeth Hunt <me@liz.coffee> | 2025-07-26 23:40:15 -0700 |
commit | 9940cd169e931631a0da142f72a8ca6c878e34ed (patch) | |
tree | 4aa2f612b3eb6f2bb5905f66947bf394a797f584 /playbooks/roles | |
parent | 3d9e02eb8f9d380db7d7d4e947b857c30e4b4874 (diff) | |
download | infra-9940cd169e931631a0da142f72a8ca6c878e34ed.tar.gz infra-9940cd169e931631a0da142f72a8ca6c878e34ed.zip |
CI. Fuck.
Diffstat (limited to 'playbooks/roles')
14 files changed, 143 insertions, 26 deletions
diff --git a/playbooks/roles/ci/tasks/main.yml b/playbooks/roles/ci/tasks/main.yml index cd0c220..fb3d3f7 100644 --- a/playbooks/roles/ci/tasks/main.yml +++ b/playbooks/roles/ci/tasks/main.yml @@ -3,6 +3,8 @@ - name: Deploy ci ansible.builtin.import_tasks: manage-docker-swarm-service.yml vars: + service_owner: "1000" + file_mode: "755" service_name: ci template_render_dir: "../templates" service_destination_dir: "{{ ci_base }}" diff --git a/playbooks/roles/ci/templates/stacks/docker-compose.yml b/playbooks/roles/ci/templates/stacks/docker-compose.yml index c62fdd5..1cc3a10 100644 --- a/playbooks/roles/ci/templates/stacks/docker-compose.yml +++ b/playbooks/roles/ci/templates/stacks/docker-compose.yml @@ -2,11 +2,17 @@ services: worker: - image: oci.liz.coffee/emprespresso/ci-worker:release + image: oci.liz.coffee/emprespresso/ci_worker:release volumes: - - /var/run/docker.sock:/var/run/docker.sock + - /var/run/docker.sock:/var/run/docker.sock:ro - {{ ci_base }}/volumes/laminar:/var/lib/laminar/ - /var/lib/laminar/cfg # don't overwrite cfg jobs & scripts + healthcheck: + test: ["CMD-SHELL", "/usr/bin/laminarc show-jobs"] + timeout: 15s + interval: 10s + retries: 3 + start_period: 5s environment: - TZ={{ timezone }} - DEPLOYMENT_TIME={{ deployment_time }} @@ -15,6 +21,8 @@ services: - BW_CLIENTSECRET={{ passwd_client_secret }} - BW_PASSWORD={{ passwd_master_password }} - LAMINAR_BIND_RPC=*:9997 + - LAMINAR_ARCHIVE_URL=https://{{ ci_domain }} + - LAMINAR_KEEP_RUNDIRS=5 networks: - ci - proxy 
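Review bot: `file_mode: "755"` in the `Deploy ci` vars makes whatever manage-docker-swarm-service.yml writes readable by every local account, and the stack this role renders embeds `BW_PASSWORD={{ passwd_master_password }}` and `BW_CLIENTSECRET`. The task file is outside this hunk, so whether `file_mode` applies to the rendered docker-compose.yml is an assumption, but if it does the Bitwarden master password ends up world-readable on disk and inside any container that bind-mounts `{{ ci_base }}`. Prefer `file_mode: "750"` for directories and `"640"` for rendered files, or exclude the stack file from the 755 mode. A comment on `service_owner: "1000"` saying what that uid is (presumably the laminar user inside `ci_worker`, which the bind-mounted volumes must match) would keep the two values from drifting apart.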
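Review bot: `/var/run/docker.sock:/var/run/docker.sock:ro` on the `worker` service does not reduce what the CI worker can do with the Docker API: a read-only bind mount only prevents unlinking or renaming the socket file, while `connect()` and every API call (including `docker run --privileged -v /:/host`) still succeed, so a compromised job remains root on the Swarm node. If the goal is containment, put an endpoint-allow-listing socket proxy between the worker and dockerd instead of relying on `:ro`. At minimum replace the implied guarantee with a comment: `# :ro does not limit Docker API access; any job can still drive dockerd as root`.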
@@ -36,13 +44,19 @@ services: - traefik.http.routers.ci.entrypoints=websecure - traefik.http.services.ci.loadbalancer.server.port=8080 - cihooks: - image: oci.liz.coffee/emprespresso/ci-hooks:release + server: + image: oci.liz.coffee/emprespresso/ci_server:release environment: - LAMINAR_HOST=worker:9997 - - LAMINAR_URL=worker:9997 + - LAMINAR_URL=https://{{ ci_domain }} - TZ={{ timezone }} - DEPLOYMENT_TIME={{ deployment_time }} + healthcheck: + test: ["CMD-SHELL", "curl --fail http://localhost:9000/health"] + timeout: 15s + interval: 10s + retries: 3 + start_period: 5s networks: - ci deploy: diff --git a/playbooks/roles/ci/templates/volumes/laminar/archive/.gitkeep b/playbooks/roles/ci/templates/volumes/laminar/archive/.gitkeep new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/playbooks/roles/ci/templates/volumes/laminar/archive/.gitkeep diff --git a/playbooks/roles/ci/templates/volumes/laminar/run/.gitkeep b/playbooks/roles/ci/templates/volumes/laminar/run/.gitkeep new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/playbooks/roles/ci/templates/volumes/laminar/run/.gitkeep diff --git a/playbooks/roles/common/files/authorized_keys b/playbooks/roles/common/files/authorized_keys index 60edc04..82f2cbb 100644 --- a/playbooks/roles/common/files/authorized_keys +++ b/playbooks/roles/common/files/authorized_keys @@ -1,2 +1,3 @@ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPnLAE5TrdYF8QWCSkvgUp15XKcwQJ9393a/CghSo8dG serve@ansible +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkjxFI9i17i1MQXZUBl99OP7nRURHGFItPaCqkUUQJw serve@ci {{ me_lizcoffee_key }} diff --git a/playbooks/roles/docker/tasks/main.yml b/playbooks/roles/docker/tasks/main.yml index a156e4e..b99437d 100644 --- a/playbooks/roles/docker/tasks/main.yml +++ b/playbooks/roles/docker/tasks/main.yml 
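Review bot: The new `serve@ci` key in `common/files/authorized_keys` is added with no options, so the CI worker gets an unrestricted shell on every host that applies the `common` role, and anything able to run a job on it (a worker that already holds the Docker socket) inherits that access. Since the key's comment suggests it exists so the pipeline can deploy, constrain it to that: prefix the line with `from="<ci node ip>",restrict,command="/usr/local/bin/ci-deploy"` or, if a fixed command is not workable yet, at least `from="...",no-port-forwarding,no-agent-forwarding,no-pty`. The purpose of the key is inferred from its comment; if it is for something other than deploys, the option set should match that use.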
@@ -25,6 +25,12 @@ {{ ansible_distribution_release }} stable state: present +- name: Make docker group id deterministic + ansible.builtin.group: + name: docker + gid: "{{ docker_gid }}" + state: present + - name: Install docker ansible.builtin.apt: name: diff --git a/playbooks/roles/mon/tasks/main.yml b/playbooks/roles/mon/tasks/main.yml new file mode 100644 index 0000000..c45b377 --- /dev/null +++ b/playbooks/roles/mon/tasks/main.yml @@ -0,0 +1,8 @@ +--- + +- name: Deploy mon + ansible.builtin.import_tasks: manage-docker-swarm-service.yml + vars: + service_name: mon + template_render_dir: "../templates" + service_destination_dir: "{{ mon_base }}" diff --git a/playbooks/roles/mon/templates/stacks/docker-compose.yml b/playbooks/roles/mon/templates/stacks/docker-compose.yml new file mode 100644 index 0000000..ff7269f --- /dev/null +++ b/playbooks/roles/mon/templates/stacks/docker-compose.yml @@ -0,0 +1,31 @@ +services: + mon: + image: twinproduction/gatus:latest + volumes: + - {{ mon_base }}/volumes/data:/data + environment: + - TZ={{ timezone }} + - DEPLOYMENT_TIME={{ deployment_time }} + networks: + - proxy + deploy: + mode: replicated + update_config: + parallelism: 1 + failure_action: rollback + order: start-first + delay: 5s + monitor: 30s + replicas: 1 + labels: + - traefik.enable=true + - traefik.swarm.network=proxy + - traefik.http.routers.mon.tls=true + - traefik.http.routers.mon.tls.certResolver=letsencrypt + - traefik.http.routers.mon.rule=Host(`{{ mon_domain }}`) + - traefik.http.routers.mon.entrypoints=websecure + - traefik.http.services.mon.loadbalancer.server.port=8080 + +networks: + proxy: + external: true diff --git a/playbooks/roles/mon/templates/volumes/data/.gitkeep b/playbooks/roles/mon/templates/volumes/data/.gitkeep new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/playbooks/roles/mon/templates/volumes/data/.gitkeep 
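Review bot: `Make docker group id deterministic` sets `gid: "{{ docker_gid }}"` before `Install docker`, which is right for a fresh host, but on a host where the docker group already exists with another gid the module only rewrites the group entry (groupmod); `/var/run/docker.sock` keeps its old numeric group until dockerd restarts, and anything already chgrp'd to the old gid is left behind. Add `notify: restart docker` to this task (with a handler if the role does not already have one) so the socket is recreated under the new gid. Keeping the value quoted as here is correct, since an unquoted `0999`-style gid would be read as an integer by YAML. The remaining install tasks continue outside this hunk.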
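Review bot: The `mon` service pins `twinproduction/gatus:latest`, a floating tag on a third-party image, and is the only stack in this commit deployed with `order: start-first` but no `healthcheck`, so a broken upstream push is rolled straight in with nothing for `failure_action: rollback` to detect. Pin a version or `@sha256:` digest and add a healthcheck against Gatus's health endpoint in the same shape the `ci` and `src` stacks use. Separately, the router publishes the dashboard on `{{ mon_domain }}` with no auth middleware; a Gatus page lists every endpoint it monitors, so if internal hosts are among them, add a Traefik auth middleware or Gatus's own `security` block before this goes public. Whether internal endpoints are monitored cannot be seen from this hunk.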
diff --git a/playbooks/roles/outbound/templates/headscale/config/acl.json b/playbooks/roles/outbound/templates/headscale/config/acl.json index dcdd954..410de11 100644 --- a/playbooks/roles/outbound/templates/headscale/config/acl.json +++ b/playbooks/roles/outbound/templates/headscale/config/acl.json @@ -2,7 +2,7 @@ "groups": { "group:vpn_admins": [ {% for user in vpn_admins %} - "{{ user }}{{ oauth_user_suffix }}"{{ ", " if not loop.last else "" }} + "{{ user }}@{{ oauth_user_suffix }}"{{ ", " if not loop.last else "" }} {% endfor %} ] }, @@ -10,26 +10,26 @@ {% for user in vpn_users %} { "action": "accept", - "src": ["{{ user }}{{ oauth_user_suffix }}"], - "dst": ["{{ user }}{{ oauth_user_suffix }}:*"] + "src": ["{{ user }}@{{ oauth_user_suffix }}"], + "dst": ["{{ user }}@{{ oauth_user_suffix }}:*"] }, {% endfor %} { "action": "accept", - "src": ["{{ auth_key_user }}"], - "dst": ["{{ auth_key_user }}:*", "{{ loadbalancer_ip }}/32:*"] + "src": ["{{ auth_key_user }}@"], + "dst": ["{{ auth_key_user }}@:*", "{{ loadbalancer_ip }}/32:*"] }, {% for user, m in mesh.items() %} { "action": "accept", - "src": ["{{ user }}{{ oauth_user_suffix }}"], - "dst": ["{{ m.gateway }}/32:*]" + "src": ["{{ user }}@{{ oauth_user_suffix }}"], + "dst": ["{{ m.gateway }}/32:*"] }, {% endfor %} { "action": "accept", "src": ["group:vpn_admins"], - "dst": ["{{ loadbalancer_ip }}/32:*"] + "dst": [{% for user, m in mesh.items() %} "{{ m.gateway }}/32:*", {% endfor %} "{{ loadbalancer_ip }}/32:*"] } ] } diff --git a/playbooks/roles/outbound/templates/headscale/config/config.yaml b/playbooks/roles/outbound/templates/headscale/config/config.yaml index d3bff5a..54657b2 100644 --- a/playbooks/roles/outbound/templates/headscale/config/config.yaml +++ b/playbooks/roles/outbound/templates/headscale/config/config.yaml 
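Review bot: Every user reference in acl.json now inserts a literal `@` before `{{ oauth_user_suffix }}` (and renders `{{ auth_key_user }}@` for the pre-auth-key user), which matches headscale's newer `user@domain` / `user@` policy syntax, but the variable itself is not in this diff. If `oauth_user_suffix` still carries the leading `@` that the old `{{ user }}{{ oauth_user_suffix }}` form implied, every rule renders as `user@@domain` and quietly matches nobody. Verify the rendered file (`headscale policy check`, if that version is in use) and pin the contract with a comment such as `// oauth_user_suffix is the bare IdP domain; the '@' is added here`. Note also that the last rule now grants `group:vpn_admins` every port on every mesh gateway; if admin access was meant to be per-gateway, the per-user mesh rule above already covers that and this broadening can be dropped.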
@@ -120,14 +120,18 @@ policy: dns: magic_dns: true base_domain: "{{ headscale_base_domain }}" + search_domains: [] nameservers: global: - {{ headscale_dns_for_connected_clients_1 }} - {{ headscale_dns_for_connected_clients_2 }} split: - {{ domain }}: - - {{ loadbalancer_ip }} - search_domains: [] +{% for user, m in mesh.items() %} +{% if "split_vpn_dns_to" in m %} + {{ m.domain }}: + - {{ m.split_vpn_dns_to }} +{% endif %} +{% endfor %} unix_socket: /var/run/headscale/headscale.sock unix_socket_permission: "0770" @@ -151,7 +155,6 @@ oidc: - {{ domain }} allowed_groups: - vpn@{{ idm_domain }} - strip_email_domain: true # Logtail configuration # Logtail is Tailscales logging and auditing infrastructure, it allows the control panel diff --git a/playbooks/roles/outbound/templates/proxy/nginx/conf.d/mon.conf b/playbooks/roles/outbound/templates/proxy/nginx/conf.d/mon.conf new file mode 100644 index 0000000..601e200 --- /dev/null +++ b/playbooks/roles/outbound/templates/proxy/nginx/conf.d/mon.conf @@ -0,0 +1,19 @@ +server { + listen 80; + server_name mon.liz.coffee; + + real_ip_header X-Forwarded-For; + real_ip_recursive on; + set_real_ip_from {{ docker_network }}; + + location / { + proxy_pass https://{{ loadbalancer_ip }}; + proxy_ssl_verify off; + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + } +} diff --git a/playbooks/roles/src/templates/stacks/docker-compose.yml b/playbooks/roles/src/templates/stacks/docker-compose.yml index 3ac70f9..ec514b4 100644 --- a/playbooks/roles/src/templates/stacks/docker-compose.yml +++ b/playbooks/roles/src/templates/stacks/docker-compose.yml 
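Review bot: `proxy_ssl_verify off;` in the new mon.conf means the hop from this edge proxy to `https://{{ loadbalancer_ip }}` accepts any certificate, so anything that can spoof or intercept that address receives `mon.liz.coffee` traffic unnoticed; since the `mon` router uses `certResolver=letsencrypt`, verification is feasible with `proxy_ssl_verify on; proxy_ssl_server_name on; proxy_ssl_name $host;` plus `proxy_ssl_trusted_certificate` pointing at the distro CA bundle. Two smaller points: `set_real_ip_from {{ docker_network }}` with `real_ip_header X-Forwarded-For` trusts any XFF value arriving from the docker network, acceptable only if nothing untrusted runs there, and no `X-Forwarded-Proto` is set, so the upstream cannot tell this arrived over plain `listen 80`. `server_name mon.liz.coffee;` is also hard-coded while the compose labels use `{{ mon_domain }}`; use the variable here too. If the sibling conf.d files deliberately disable verification for this internal hop, a one-line comment saying why would spare the next reader the question.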
@@ -1,5 +1,37 @@ services: - # TODO: own cgit fork + frontend: + image: oci.liz.coffee/emprespresso/cgit:release + volumes: + - {{ src_base }}/volumes/data/repos:/srv/git:ro + environment: + CGIT_TITLE: '{{ src_domain }}' + CGIT_DESC: '<3 {{ domain }}' + CGIT_VROOT: '/cgit' + CGIT_SECTION_FROM_STARTPATH: 1 + CGIT_MAX_REPO_COUNT: 100 + networks: + - proxy + healthcheck: + test: ["CMD-SHELL", "curl --fail http://localhost"] + timeout: 15s + interval: 30s + retries: 3 + start_period: 5s + deploy: + mode: replicated + update_config: + parallelism: 1 + failure_action: rollback + order: start-first + monitor: 10s + labels: + - traefik.enable=true + - traefik.swarm.network=proxy + - traefik.http.routers.src.tls=true + - traefik.http.routers.src.tls.certResolver=letsencrypt + - traefik.http.routers.src.rule=Host(`{{ src_domain }}`) + - traefik.http.routers.src.entrypoints=websecure + - traefik.http.services.src.loadbalancer.server.port=80 src: image: charmcli/soft-serve diff --git a/playbooks/roles/src/templates/volumes/soft-serve/hooks/update b/playbooks/roles/src/templates/volumes/soft-serve/hooks/update index a97e5f9..c209b41 100755 --- a/playbooks/roles/src/templates/volumes/soft-serve/hooks/update +++ b/playbooks/roles/src/templates/volumes/soft-serve/hooks/update 
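Review bot: The new `frontend` (cgit) service bind-mounts the whole soft-serve store `{{ src_base }}/volumes/data/repos:/srv/git:ro` and publishes it on `{{ src_domain }}` with no auth middleware, so any repository soft-serve treats as private or hidden becomes world-readable through cgit, which knows nothing of soft-serve's ACLs. If every repo is meant to be public, say so in a comment on the volume line; otherwise mount only a curated subset (a project-list file or a symlink directory maintained by a hook) rather than the entire store. `:ro` is the right call; the floating `:release` tag follows the rest of this repo and is not a new issue here. The soft-serve `src` service continues below this hunk.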
@@ -41,22 +41,23 @@ refname="$1" _oldrev="$2" rev="$3" -function post_trigger_ci_jobs() { - local host="cihooks" +post_trigger_ci_jobs() { + local host="ci_server" local port="9000" local path="/job" local json_payload=$(printf '{"type": "ci_pipeline", "arguments": {"remote": "%s", "rev": "%s", "refname": "%s"}}' "$1" "$2" "$3") - + echo "> $json_payload" - - which curl 2&>/dev/null || apk add -q curl - curl --silent --show-error -X POST \ - -H "Content-Type: application/json" \ -H "Connection: close" \ + which curl 2&>/dev/null || apk add -q curl + curl -X POST \ + -H "Content-Type: application/json" \ + -H "Connection: close" \ -d "$json_payload" \ + --no-progress-meter \ "http://$host:$port$path" - echo "... Done!" + echo "... Done" } # -- </continuous_integration> -- |
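Review bot: `which curl 2&>/dev/null || apk add -q curl` in `post_trigger_ci_jobs` is a shell bug the rewrite kept: `2&>` is not a redirection in any shell, so bash reads it as `which curl 2 &>/dev/null` (a lookup for a command named `2`, which always fails, so `apk add` runs on every push) and POSIX sh/ash reads `2&` as a background-job terminator. Write `command -v curl >/dev/null 2>&1 || apk add -q curl`, or better, bake curl into the soft-serve image so a git hook never installs packages at push time. The JSON body is also assembled with `printf '%s'` from `$1`/`$2`/`$3` unescaped; a remote or refname containing `"` or `\` yields malformed JSON or lets a pusher reshape the payload, so build it with `jq -n --arg` where available or escape the three values. Add `--fail --max-time 10` to the curl call so a wedged `ci_server` does not hang the push indefinitely.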