Diffstat (limited to 'playbooks/roles/ci')
6 files changed, 116 insertions, 58 deletions
diff --git a/playbooks/roles/ci/templates/stacks/docker-compose.yml b/playbooks/roles/ci/templates/stacks/docker-compose.yml
index e2358e5..38e1b1c 100644
--- a/playbooks/roles/ci/templates/stacks/docker-compose.yml
+++ b/playbooks/roles/ci/templates/stacks/docker-compose.yml
@@ -1,69 +1,26 @@ -services: - db: - image: postgres - environment: - POSTGRES_DB: concourse - POSTGRES_PASSWORD: concourse_pass - POSTGRES_USER: concourse_user - PGDATA: /database - POSTGRES_HOST_AUTH_METHOD: trust - healthcheck: - test: ["CMD-SHELL", "pg_isready -U concourse_user -d concourse"] - interval: 3s - timeout: 3s - retries: 5 - networks: - - ci - - worker: - image: concourse/concourse - command: worker - privileged: true - depends_on: - web: - condition: service_healthy - volumes: - - {{ ci_base }}/volumes/keys/worker:/concourse-keys - networks: - - ci - stop_signal: SIGUSR2 - environment: - CONCOURSE_TSA_HOST: web:2222 - CONCOURSE_GARDEN_DNS_PROXY_ENABLE: "true" +--- - web: - image: concourse - depends_on: - db: - condition: service_healthy +services: + laminard: + image: oci.liz.coffee/img/laminar-ciworker:latest volumes: - - {{ ci_base }}/volumes/keys/web:/concourse-keys + - {{ ci_base }}/volumes/laminar:/var/lib/laminar + - /var/run/docker.sock:/var/run/docker.sock + healthcheck: + test: ["CMD-SHELL", "/usr/bin/laminarc show-jobs"] + timeout: 15s + interval: 30s + retries: 3 + start_period: 5s environment: + - BW_CLIENTID={{ vaultwarden_client_id }} + - BW_CLIENTSECRET={{ vaultwarden_client_secret }} + - BW_PASSWORD={{ vaultwarden_master_password }} - TZ={{ timezone }} - DEPLOYMENT_TIME={{ deployment_time }} - - CONCOURSE_POSTGRES_HOST: db - - CONCOURSE_POSTGRES_USER: concourse_user - - CONCOURSE_POSTGRES_PASSWORD: concourse_pass - - CONCOURSE_POSTGRES_DATABASE: concourse - - CONCOURSE_EXTERNAL_URL: https://{{ ci_domain }} - - - # instead of relying on the default "detect" - - CONCOURSE_WORKER_BAGGAGECLAIM_DRIVER=overlay - - CONCOURSE_CLUSTER_NAME={{ ci_domain }} - - - CONCOURSE_OIDC_DISPLAY_NAME={{ domain }} <3 - - CONCOURSE_OIDC_CLIENT_ID=concourse - - CONCOURSE_OIDC_CLIENT_SECRET={{ concourse_secret_key }} - - CONCOURSE_OID_ISSUER=https://{{ idm_domain }}/oauth2/openid/concourse/ networks: - ci - proxy - healthcheck: - test: ["CMD-SHELL", "curl", 
"--fail", "http://localhost:8080"] - timeout: 15s - interval: 30s - retries: 3 - start_period: 5s deploy: mode: replicated update_config: @@ -84,5 +41,7 @@ services: networks: ci: + driver: overlay + attachable: true proxy: external: true diff --git a/playbooks/roles/ci/templates/volumes/laminar/.gitkeep b/playbooks/roles/ci/templates/volumes/laminar/.gitkeep new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/playbooks/roles/ci/templates/volumes/laminar/.gitkeep diff --git a/playbooks/roles/ci/templates/volumes/laminar/jobs/build_image.run b/playbooks/roles/ci/templates/volumes/laminar/jobs/build_image.run new file mode 100755 index 0000000..ed7bf21 --- /dev/null +++ b/playbooks/roles/ci/templates/volumes/laminar/jobs/build_image.run @@ -0,0 +1,36 @@ +#!/bin/bash +# usage: laminarc queue build_publish_image registry="oci.liz.coffee" \ +# repo="src/cgit" tag="latest" remote="ssh://src.liz.coffee:2222/cgit" \ +# rev="<sha>" image_file="Dockerfile" + +set -e + +declare -a args=("$registry" "$repo" "$tag" "$remote" "$rev" "$image_file") +for arg in "${args[@]}" +do + if [[ ! "$arg" =~ ^[[:alnum:]:_\.\/\-]*$ ]]; then + echo "Invalid argument format. Don't be sneaky snek (-_-)." + exit 1 + fi +done + +log "Logging into registry $registry" +registry_username="$(get_secret $registry | jq -r ".login.username")" +get_secret $registry | jq -r ".login.password" \ + | docker login --username "$registry_username" --password-stdin "$registry" + +log "Cloning remote $remote" +r=$(echo "build-$(date --iso-8601=seconds)") +git clone "$remote" "$r" && cd "$r" +git checkout "$rev" + +image_tag="$registry/$repo:$tag" +log "Building image $image_tag" +env -i HOME="$HOME" bash -l -c "docker build . -t '$image_tag' -f '$image_file'" + +log "Pushing $image_tag" +docker push "$image_tag" + +cd - +rm -rf "$r" +docker logout "$registry" 
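Review bot: The new `laminard` service mounts `/var/run/docker.sock` and carries `BW_CLIENTID`, `BW_CLIENTSECRET` and `BW_PASSWORD` as plain `environment` entries, so every job the worker runs, and anyone who can inspect the service, gets both host-level Docker access and the credentials to the whole vault. The socket mount is inherent to the build_image job design, but the Bitwarden values do not need to be in the service spec: since the stack already uses `deploy:` (swarm), they could be declared under `secrets:` and mounted as files, with the scripts reading them via `bw unlock --passwordfile` instead of `--passwordenv`. If they stay as environment entries, at least document that the master password is exposed to every job by adding `# NOTE: these grant full vault access to any job scheduled on this worker` above the block. The `networks:` hunk makes `ci` an `attachable: true` overlay, which lets any container on any swarm node join the network the worker listens on; worth a comment stating why that is needed.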
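Review bot: The cleanup at the end of build_image.run (`cd -`, `rm -rf "$r"`, `docker logout "$registry"`) only runs when every step succeeds, because `set -e` aborts the script on the first failing clone, checkout, build or push and leaves both the checkout and the registry login (stored by `docker login` in the worker's Docker config) behind. Make the checkout path absolute and register the cleanup right after it is chosen, e.g. `r="$PWD/build-$(date --iso-8601=seconds)"` followed by `trap 'rm -rf "$r"; docker logout "$registry"' EXIT`, which also drops the redundant `$(echo ...)` wrapper. The argument regex uses `*`, so an empty `$rev` or `$image_file` passes validation and only fails later inside git or docker; `+` instead of `*` would reject empty values up front. The same missing-cleanup-on-failure pattern appears in playbook.run.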
diff --git a/playbooks/roles/ci/templates/volumes/laminar/jobs/playbook.run b/playbooks/roles/ci/templates/volumes/laminar/jobs/playbook.run
new file mode 100755
index 0000000..181a050
--- /dev/null
+++ b/playbooks/roles/ci/templates/volumes/laminar/jobs/playbook.run
@@ -0,0 +1,25 @@
+#!/bin/bash
+# usage: laminarc queue playbook remote="ssh://src.liz.coffee:2222/infra" playbooks="deploy.yml playbooks/labdns.yml"
+
+set -e
+
+declare -a args=("$remote" "$playbooks")
+for arg in "${args[@]}"
+do
+ if [[ ! "$arg" =~ ^[[:alnum:]:_\ \.\/\-]*$ ]]; then
+ echo "Invalid argument format. Don't be sneaky snek (-_-)."
+ exit 1
+ fi
+done
+
+log "Cloning remote $remote"
+r=$(echo "ansible-$(date --iso-8601=seconds)")
+git clone "$remote" "$r" && cd "$r"
+
+get_secret "ansible_secrets" | jq -r '.notes' > secrets.yml
+private_key=$(get_secret "ssh_key" | jq -r '.notes')
+
+env -i HOME="$HOME" ssh-agent bash -c "ssh-add <(echo \"$private_key\") && ansible-playbook -e @secrets.yml $playbooks"
+
+cd -
+rm -rf "$r"
diff --git a/playbooks/roles/ci/templates/volumes/laminar/scripts/get_secret b/playbooks/roles/ci/templates/volumes/laminar/scripts/get_secret
new file mode 100755
index 0000000..2774651
--- /dev/null
+++ b/playbooks/roles/ci/templates/volumes/laminar/scripts/get_secret
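Review bot: The SSH private key is interpolated into the `bash -c "..."` string on the `env -i ... ssh-agent bash -c` line, so the full key material becomes part of the inner bash's argv, readable by any other process in the container through `ps` or `/proc/*/cmdline`, and is re-expanded by the inner shell. Pass it through the environment and feed it to `ssh-add` on stdin instead: `env -i HOME="$HOME" PRIVATE_KEY="$private_key" PLAYBOOKS="$playbooks" ssh-agent bash -c 'printf "%s\n" "$PRIVATE_KEY" | ssh-add - && ansible-playbook -e @secrets.yml $PLAYBOOKS'`. `secrets.yml` is written in plaintext into the checkout and only removed by the final `rm -rf "$r"`, which `set -e` skips whenever a step fails, so a `trap 'rm -rf "$r"' EXIT` after `r` is set (with `r` made absolute) would close that gap. A comment above the `env -i` line explaining why the environment is cleared (`# env -i: keep BW_* credentials out of the playbook run`) would also help, assuming that is the intent.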
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+bw config server "https://{{ passwd_domain }}"
+bw login --apikey --quiet
+bw unlock --passwordenv BW_PASSWORD --quiet
+
+# https://github.com/bitwarden/clients/issues/3366
+function bw_get() {
+ local pwd
+ local count
+ local organisation=${2:-notnull}
+
+ count=$(bw list items --pretty --organizationid ${organisation} | jq -r '[.[] | select(.name=="'$1'")] | length')
+
+ if [[ "$count" -gt 1 ]]; then
+ echo "Multiple items found"
+ return 1
+ fi
+
+ if [[ "$count" -lt 1 ]]; then
+ echo "No items found"
+ return 1
+ fi
+
+ pwd=$(bw list items --pretty --organizationid ${organisation} | jq -r '.[] | select(.name=="'$1'")')
+ if [[ -z "$pwd" ]]; then
+ echo "Password not found"
+ return 1
+ fi
+
+ echo "$pwd"
+}
+
+bw_get $@
+bw --quiet lock
diff --git a/playbooks/roles/ci/templates/volumes/laminar/scripts/log b/playbooks/roles/ci/templates/volumes/laminar/scripts/log
new file mode 100755
index 0000000..180fa33
--- /dev/null
+++ b/playbooks/roles/ci/templates/volumes/laminar/scripts/log
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo `date +"%d-%m-%Y %H:%M:%S"` " - " "${@}" |
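Review bot: `$1` is spliced directly into the jq program in both `bw list items ... | jq -r '[.[] | select(.name=="'$1'")] | length'` and the later `pwd=$(...)` line, so any item name containing a quote or jq syntax changes the filter rather than being matched literally; the callers happen to validate their arguments, but this script does not. Bind it as a jq variable instead: `jq -r --arg name "$1" '[.[] | select(.name==$name)] | length'` and `jq -r --arg name "$1" '.[] | select(.name==$name)'`, and quote the call as `bw_get "$@"`. The script's exit status is that of the trailing `bw --quiet lock`, not of `bw_get`, and the "Multiple items found" / "No items found" messages go to stdout where callers read the secret; use `bw_get "$@"; rc=$?; bw --quiet lock; exit "$rc"` and send the messages to `>&2`. `bw unlock ... --quiet` also discards the session key the CLI normally expects in `BW_SESSION` for later commands, so it is worth confirming that `bw list items` is actually unlocked in this image.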
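Review bot: The `log` script uses backtick command substitution, which does not nest and is harder to read than `$(...)`; the line can be written as `echo "$(date +"%d-%m-%Y %H:%M:%S") - $*"`, which also produces a single space on each side of the dash instead of the doubled spaces the separate `" - "` argument yields. The trailing `|` after `"${@}"` on the last line looks like a rendering artefact rather than part of the script; if it is real it is a syntax error.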