Diffstat (limited to 'playbooks')
-rw-r--r-- | playbooks/ci.yml | 7 | ||||
-rw-r--r-- | playbooks/roles/ci/tasks/main.yml | 8 | ||||
-rw-r--r-- | playbooks/roles/ci/templates/stacks/docker-compose.yml | 88 | ||||
-rw-r--r-- | playbooks/roles/ci/templates/volumes/data/.gitkeep | 0 | ||||
-rw-r--r-- | playbooks/roles/outbound/templates/proxy/nginx/conf.d/ci.conf | 19 |
5 files changed, 122 insertions, 0 deletions
diff --git a/playbooks/ci.yml b/playbooks/ci.yml
new file mode 100644
index 0000000..9481f24
--- /dev/null
+++ b/playbooks/ci.yml
@@ -0,0 +1,7 @@
+---
+
+- name: ci setup
+ hosts: ci
+ become: true
+ roles:
+ - ci
diff --git a/playbooks/roles/ci/tasks/main.yml b/playbooks/roles/ci/tasks/main.yml
new file mode 100644
index 0000000..cd0c220
--- /dev/null
+++ b/playbooks/roles/ci/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+
+- name: Deploy ci
+ ansible.builtin.import_tasks: manage-docker-swarm-service.yml
+ vars:
+ service_name: ci
+ template_render_dir: "../templates"
+ service_destination_dir: "{{ ci_base }}"
diff --git a/playbooks/roles/ci/templates/stacks/docker-compose.yml b/playbooks/roles/ci/templates/stacks/docker-compose.yml
new file mode 100644
index 0000000..e2358e5
--- /dev/null
+++ b/playbooks/roles/ci/templates/stacks/docker-compose.yml
@@ -0,0 +1,88 @@
+services:
+ db:
+ image: postgres
+ environment:
+ POSTGRES_DB: concourse
+ POSTGRES_PASSWORD: concourse_pass
+ POSTGRES_USER: concourse_user
+ PGDATA: /database
+ POSTGRES_HOST_AUTH_METHOD: trust
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -U concourse_user -d concourse"]
+ interval: 3s
+ timeout: 3s
+ retries: 5
+ networks:
+ - ci
+
+ worker:
+ image: concourse/concourse
+ command: worker
+ privileged: true
+ depends_on:
+ web:
+ condition: service_healthy
+ volumes:
+ - {{ ci_base }}/volumes/keys/worker:/concourse-keys
+ networks:
+ - ci
+ stop_signal: SIGUSR2
+ environment:
+ CONCOURSE_TSA_HOST: web:2222
+ CONCOURSE_GARDEN_DNS_PROXY_ENABLE: "true"
+
+ web:
+ image: concourse
+ depends_on:
+ db:
+ condition: service_healthy
+ volumes:
+ - {{ ci_base }}/volumes/keys/web:/concourse-keys
+ environment:
+ - TZ={{ timezone }}
+ - DEPLOYMENT_TIME={{ deployment_time }}
+ - CONCOURSE_POSTGRES_HOST: db
+ - CONCOURSE_POSTGRES_USER: concourse_user
+ - CONCOURSE_POSTGRES_PASSWORD: concourse_pass
+ - CONCOURSE_POSTGRES_DATABASE: concourse
+ - CONCOURSE_EXTERNAL_URL: https://{{ ci_domain }}
+
+ - # instead of relying on the default "detect"
+ - CONCOURSE_WORKER_BAGGAGECLAIM_DRIVER=overlay
+ - CONCOURSE_CLUSTER_NAME={{ ci_domain }}
+
+ - CONCOURSE_OIDC_DISPLAY_NAME={{ domain }} <3
+ - CONCOURSE_OIDC_CLIENT_ID=concourse
+ - CONCOURSE_OIDC_CLIENT_SECRET={{ concourse_secret_key }}
+ - CONCOURSE_OID_ISSUER=https://{{ idm_domain }}/oauth2/openid/concourse/
+ networks:
+ - ci
+ - proxy
+ healthcheck:
+ test: ["CMD-SHELL", "curl", "--fail", "http://localhost:8080"]
+ timeout: 15s
+ interval: 30s
+ retries: 3
+ start_period: 5s
+ deploy:
+ mode: replicated
+ update_config:
+ parallelism: 1
+ failure_action: rollback
+ order: start-first
+ delay: 5s
+ monitor: 20s
+ replicas: 1
+ labels:
+ - traefik.enable=true
+ - traefik.swarm.network=proxy
+ - traefik.http.routers.ci.tls=true
+ - traefik.http.routers.ci.tls.certResolver=letsencrypt
+ - traefik.http.routers.ci.rule=Host(`{{ ci_domain }}`)
+ - traefik.http.routers.ci.entrypoints=websecure
+ - traefik.http.services.ci.loadbalancer.server.port=8080
+
+networks:
+ ci:
+ proxy:
+ external: true
diff --git a/playbooks/roles/ci/templates/volumes/data/.gitkeep b/playbooks/roles/ci/templates/volumes/data/.gitkeep
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/playbooks/roles/ci/templates/volumes/data/.gitkeep
diff --git a/playbooks/roles/outbound/templates/proxy/nginx/conf.d/ci.conf b/playbooks/roles/outbound/templates/proxy/nginx/conf.d/ci.conf
new file mode 100644
index 0000000..5e90596
--- /dev/null
+++ b/playbooks/roles/outbound/templates/proxy/nginx/conf.d/ci.conf
@@ -0,0 +1,19 @@
+server {
+ listen 80;
+ server_name ci.liz.coffee;
+
+ real_ip_header X-Forwarded-For;
+ real_ip_recursive on;
+ set_real_ip_from {{ docker_network }};
+
+ location / {
+ proxy_pass https://{{ loadbalancer_ip }};
+ proxy_ssl_verify off;
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+}
|
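Review bot: The `web` service's `environment` list mixes `KEY=value` string items with mapping-style items (`- CONCOURSE_POSTGRES_HOST: db` through `- CONCOURSE_EXTERNAL_URL: https://{{ ci_domain }}`) and a comment-only item (`- # instead of relying on the default "detect"`), which yields a null entry; in list form every item has to be a plain `KEY=value` string, so Compose rejects this file before the stack is deployed. `POSTGRES_HOST_AUTH_METHOD: trust` in the `db` service switches off password authentication for every connection arriving over the `ci` network even though `POSTGRES_PASSWORD` is set, so it should be removed and the password actually required. The `web` healthcheck `["CMD-SHELL", "curl", "--fail", "http://localhost:8080"]` appears to hand only `curl` to `sh -c` as the command string with the remaining elements as positional parameters, so the probe runs `curl` without a URL and the service never becomes healthy; `test: ["CMD-SHELL", "curl --fail http://localhost:8080"]` is the intended form (and confirm the image ships curl). `CONCOURSE_OID_ISSUER` looks like a typo for `CONCOURSE_OIDC_ISSUER`, which would leave the OIDC connector without an issuer. The database password `concourse_pass` is hard-coded twice in a committed template while `CONCOURSE_OIDC_CLIENT_SECRET` already comes from a variable, so it deserves the same treatment, and `image: concourse` on `web` is inconsistent with the worker's `concourse/concourse`.

```yaml
  web:
    # … unchanged: image, depends_on, volumes …
    environment:
      - TZ={{ timezone }}
      - DEPLOYMENT_TIME={{ deployment_time }}
      - CONCOURSE_POSTGRES_HOST=db
      - CONCOURSE_POSTGRES_USER=concourse_user
      - CONCOURSE_POSTGRES_PASSWORD={{ concourse_db_password }}  # placeholder: define as a vaulted var and reuse it for POSTGRES_PASSWORD
      - CONCOURSE_POSTGRES_DATABASE=concourse
      - CONCOURSE_EXTERNAL_URL=https://{{ ci_domain }}
      # instead of relying on the default "detect"
      - CONCOURSE_WORKER_BAGGAGECLAIM_DRIVER=overlay
      - CONCOURSE_CLUSTER_NAME={{ ci_domain }}
      - CONCOURSE_OIDC_DISPLAY_NAME={{ domain }} <3
      - CONCOURSE_OIDC_CLIENT_ID=concourse
      - CONCOURSE_OIDC_CLIENT_SECRET={{ concourse_secret_key }}
      - CONCOURSE_OIDC_ISSUER=https://{{ idm_domain }}/oauth2/openid/concourse/
    # … unchanged: networks, healthcheck, deploy …
```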
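Review bot: `server_name ci.liz.coffee;` hard-codes the hostname while the compose template in the same commit derives it from `{{ ci_domain }}` (the traefik router rule and `CONCOURSE_EXTERNAL_URL`), so the two drift apart as soon as the variable changes; `server_name {{ ci_domain }};` keeps them in step. `proxy_ssl_verify off;` makes nginx accept any certificate from `{{ loadbalancer_ip }}`; if the load balancer presents the Let's Encrypt certificate the traefik labels request, `proxy_ssl_verify on;` together with `proxy_ssl_server_name on;`, `proxy_ssl_name $host;` and a `proxy_ssl_trusted_certificate` pointing at the system CA bundle would let nginx verify the upstream instead — confirm the bundle path inside the proxy image before enabling it. `set_real_ip_from {{ docker_network }};` trusts `X-Forwarded-For` from every peer on that network, which holds only as long as nothing untrusted shares it; worth a one-line comment stating that assumption.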