From 7adb5f10e93ce5868401f61eb265cb65b2123ca6 Mon Sep 17 00:00:00 2001 From: Kris Lamoureux Date: Fri, 20 Oct 2023 15:41:44 -0400 Subject: [PATCH] Update Gitea role for docker_compose_deploy - Add MariaDB to dev playbook - Set Git user in "users:" - Define Gitea external compose project - Forward SSH port in forwarding script - Create user groups with system users - Install python3-pymysql for Ansible - Strip old Gitea deployment methods - Bind MariaDB to docker0 for Docker access --- dev/gitea.yml | 1 + dev/host_vars/gitea.yml | 24 +++++++++++++++-- forward-ssh.sh | 3 ++- roles/base/handlers/main.yml | 2 +- roles/base/tasks/system.yml | 26 ++++++++++++++---- roles/gitea/tasks/main.yml | 48 ++++++--------------------------- roles/mariadb/defaults/main.yml | 3 --- roles/mariadb/handlers/main.yml | 5 ++++ roles/mariadb/tasks/main.yml | 19 ++++++------- 9 files changed, 68 insertions(+), 63 deletions(-) delete mode 100644 roles/mariadb/defaults/main.yml create mode 100644 roles/mariadb/handlers/main.yml diff --git a/dev/gitea.yml b/dev/gitea.yml index 53b6c67..80322d8 100644 --- a/dev/gitea.yml +++ b/dev/gitea.yml @@ -6,4 +6,5 @@ roles: - base - docker + - mariadb - gitea diff --git a/dev/host_vars/gitea.yml b/dev/host_vars/gitea.yml index 2fe51ae..44cae68 100644 --- a/dev/host_vars/gitea.yml +++ b/dev/host_vars/gitea.yml @@ -2,6 +2,12 @@ allow_reboot: false manage_network: false +users: + git: + uid: 1001 + gid: 1001 + home: true + # Import my GPG key for git signature verification root_gpgkeys: - name: kris@lamoureux.io 
@@ -16,10 +22,24 @@ docker_compose_deploy: # Traefik - name: traefik url: https://github.com/krislamo/traefik - version: 31ee724feebc1d5f91cb17ffd6892c352537f194 + version: 398eb48d311db78b86abf783f903af4a1658d773 enabled: true - accept_newhostkey: true # Consider verifying manually instead + accept_newhostkey: true trusted_keys: - FBF673CEEC030F8AECA814E73EDA9C3441EDA925 env: ENABLE: true + # Gitea + - name: gitea + url: https://github.com/krislamo/gitea + version: b0ce66f6a1ab074172eed79eeeb36d7e9011ef8f + env: + USER_UID: "{{ users.git.uid }}" + USER_GID: "{{ users.git.gid }}" + DB_PASSWD: "{{ gitea.DB_PASSWD }}" + +# gitea +gitea: + DB_NAME: gitea + DB_USER: gitea + DB_PASSWD: password diff --git a/forward-ssh.sh b/forward-ssh.sh index d98c2f0..dc0d578 100755 --- a/forward-ssh.sh +++ b/forward-ssh.sh @@ -23,9 +23,10 @@ function ssh_connect { [yY]) printf "[INFO]: Starting new vagrant SSH tunnel on PID " sudo -u "$USER" ssh -fNT -i "$PRIVATE_KEY" \ - -L 8443:localhost:8443 \ + -L 22:localhost:22 \ -L 80:localhost:80 \ -L 443:localhost:443 \ + -L 8443:localhost:8443 \ -o UserKnownHostsFile=/dev/null \ -o StrictHostKeyChecking=no \ vagrant@"$HOST_IP" 2>/dev/null diff --git a/roles/base/handlers/main.yml b/roles/base/handlers/main.yml index 333a146..10f55bb 100644 --- a/roles/base/handlers/main.yml +++ b/roles/base/handlers/main.yml @@ -27,4 +27,4 @@ ansible.builtin.service: name: smbd state: restarted - listen: restart_samba \ No newline at end of file + listen: restart_samba diff --git a/roles/base/tasks/system.yml b/roles/base/tasks/system.yml index c0c16d5..522306c 100644 --- a/roles/base/tasks/system.yml +++ b/roles/base/tasks/system.yml 
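Review bot: The `accept_newhostkey: true` line keeps auto-accepting the remote's host key on first clone while the hunk drops the `# Consider verifying manually instead` reminder, so the caveat disappears without the behaviour changing; keep a comment that says why accepting is acceptable here, e.g. `accept_newhostkey: true  # first-clone TOFU; presumably covered by trusted_keys below — confirm`. The new `gitea.DB_PASSWD: password` is a literal credential committed in host_vars and also exported into the compose environment as `DB_PASSWD`; even in the dev playbook it deserves a `# dev-only value` comment or an `ansible-vault` encrypted string so it is not copied into another host's vars unchanged. The `docker_compose_deploy` entry references `gitea.DB_PASSWD` before the `gitea` mapping is defined further down the file; that works because Ansible templates variables lazily at use time, but a one-line comment would save the next reader the question.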
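Review bot: The added `-L 22:localhost:22` binds local port 22, which collides with any sshd already listening on the workstation; because `-f` backgrounds the session and stderr goes to `/dev/null`, a failed bind is reported nowhere and the tunnel silently runs without that forward while the `[INFO]` message claims success. Adding `-o ExitOnForwardFailure=yes \` next to the other `-o` options makes ssh exit non-zero in that case so the caller can tell. Ports 80 and 443 already required the same privilege, so the new line adds no new privilege requirement. The enclosing `ssh_connect` function starts before the hunk and continues after it.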
@@ -66,13 +66,27 @@ mode: 0400 when: authorized_keys is defined +- name: Create system user groups + ansible.builtin.group: + name: "{{ item.key }}" + gid: "{{ item.value.gid }}" + state: present + loop: "{{ users | dict2items }}" + loop_control: + label: "{{ item.key }}" + when: users is defined + - name: Create system users ansible.builtin.user: - name: "{{ item.name }}" + name: "{{ item.key }}" state: present - shell: "{{ item.shell | default('/bin/bash') }}" - create_home: "{{ item.home | default(false) }}" - loop: "{{ users }}" + uid: "{{ item.value.uid }}" + group: "{{ item.value.gid }}" + shell: "{{ item.value.shell | default('/bin/bash') }}" + create_home: "{{ item.value.home | default(false) }}" + loop: "{{ users | dict2items }}" + loop_control: + label: "{{ item.key }}" when: users is defined - name: Set authorized_keys for system users @@ -80,7 +94,9 @@ user: "{{ item.key }}" key: "{{ item.value.key }}" state: present - loop: "{{ users }}" + loop: "{{ users | dict2items }}" + loop_control: + label: "{{ item.key }}" when: users is defined and item.value.key is defined - name: Manage filesystem mounts diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml index d4f12c7..611047e 100644 --- a/roles/gitea/tasks/main.yml +++ b/roles/gitea/tasks/main.yml 
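Review bot: The reworked `Create system users` task makes `item.value.uid` and `item.value.gid` mandatory, and the new `Create system user groups` task requires `gid` as well, so a `users` entry that previously needed only a name now aborts with an undefined-variable error at the `uid:`/`gid:` lines. If that is not intended, `uid: "{{ item.value.uid | default(omit) }}"`, `gid: "{{ item.value.gid | default(omit) }}"` and `group: "{{ item.value.gid | default(omit) }}"` keep the old opt-in behaviour; passing a numeric gid to `group:` also relies on the module resolving a GID where its documentation describes a group name — worth confirming. Changing `users` from a list to a mapping breaks every host_vars file still using the list form, and `when: users is defined` does not catch that; a comment above the first task stating the expected shape (`users: {name: {uid, gid, shell, home, key}}`) would document the new contract. The second hunk in this file (`Set authorized_keys for system users`) only follows the same loop change and needs nothing further.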
@@ -1,38 +1,23 @@ -- name: Create Gitea directory - ansible.builtin.file: - path: "{{ gitea_root }}" - state: directory +- name: Install MySQL module for Ansible + ansible.builtin.apt: + name: python3-pymysql + state: present - name: Create Gitea database community.mysql.mysql_db: - name: "{{ gitea_dbname }}" + name: "{{ gitea.DB_NAME }}" state: present login_unix_socket: /var/run/mysqld/mysqld.sock - name: Create Gitea database user community.mysql.mysql_user: - name: "{{ gitea_dbuser }}" - password: "{{ gitea_dbpass }}" + name: "{{ gitea.DB_USER }}" + password: "{{ gitea.DB_PASSWD }}" host: '%' state: present - priv: "{{ gitea_dbname }}.*:ALL" + priv: "{{ gitea.DB_NAME }}.*:ALL" login_unix_socket: /var/run/mysqld/mysqld.sock -- name: Create git user - ansible.builtin.user: - name: git - state: present - -- name: Git user uid - ansible.builtin.getent: - database: passwd - key: git - -- name: Git user gid - ansible.builtin.getent: - database: group - key: git - - name: Create git's .ssh directory ansible.builtin.file: path: /home/git/.ssh @@ -70,28 +55,11 @@ dest: /usr/local/bin/gitea mode: 0755 -- name: Install Gitea's docker-compose file - ansible.builtin.template: - src: docker-compose.yml.j2 - dest: "{{ gitea_root }}/docker-compose.yml" - notify: restart_gitea - -- name: Install Gitea's docker-compose variables - ansible.builtin.template: - src: compose-env.j2 - dest: "{{ gitea_root }}/.env" - notify: restart_gitea - - name: Create Gitea's logging directory ansible.builtin.file: name: /var/log/gitea state: directory -- name: Create Gitea's initial log file - ansible.builtin.file: - name: /var/log/gitea/gitea.log - state: touch - - name: Install Gitea's Fail2ban filter ansible.builtin.template: src: fail2ban-filter.conf.j2 diff --git a/roles/mariadb/defaults/main.yml b/roles/mariadb/defaults/main.yml deleted file mode 100644 index 78d6e67..0000000 --- a/roles/mariadb/defaults/main.yml +++ /dev/null 
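Review bot: With the `Create git user` and the two `getent` tasks removed, the role now depends on `users.git` being defined by the caller (its uid/gid feed `USER_UID`/`USER_GID` in the compose env) and on the `gitea` mapping for `DB_NAME`/`DB_USER`/`DB_PASSWD`, but nothing states that contract; a host that applies the role without those vars fails partway through the run with an undefined-variable error instead of up front. An `ansible.builtin.assert` as the first task names the requirement explicitly. The `Install MySQL module for Ansible` task also hard-codes `apt`, which makes the role Debian-family only — fine if the base role already is, but a comment saying so helps. The second hunk in this file is pure removal of the old compose templates and needs nothing further.
```yaml
- name: Check required Gitea variables
  ansible.builtin.assert:
    that:
      - users.git is defined
      - gitea.DB_NAME is defined
      - gitea.DB_USER is defined
      - gitea.DB_PASSWD is defined
    quiet: true

# … unchanged: Install MySQL module for Ansible, database and user tasks …
```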
@@ -1,3 +0,0 @@ -mariadb_trust: - - "172.16.0.0/12" - - "192.168.0.0/16" diff --git a/roles/mariadb/handlers/main.yml b/roles/mariadb/handlers/main.yml new file mode 100644 index 0000000..d69f765 --- /dev/null +++ b/roles/mariadb/handlers/main.yml @@ -0,0 +1,5 @@ +- name: Restart MariaDB + ansible.builtin.service: + name: mariadb + state: restarted + listen: restart_mariadb diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index 0c43cc9..fd5c944 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml @@ -3,23 +3,20 @@ name: mariadb-server state: present -- name: Change the bind-address to allow Docker +- name: Regather facts for the potentially new docker0 interface + ansible.builtin.setup: + +- name: Change the bind-address to allow from docker0 ansible.builtin.lineinfile: path: /etc/mysql/mariadb.conf.d/50-server.cnf regex: "^bind-address" - line: "bind-address = 0.0.0.0" - register: mariadb_conf + line: "bind-address = {{ ansible_facts.docker0.ipv4.address }}" + notify: restart_mariadb -- name: Restart MariaDB - ansible.builtin.service: - name: mariadb - state: restarted - when: mariadb_conf.changed - -- name: Allow database connections +- name: Allow database connections from Docker community.general.ufw: rule: allow port: "3306" proto: tcp src: "{{ item }}" - loop: "{{ mariadb_trust }}" + loop: "{{ mariadb_trust | default(['172.16.0.0/12']) }}"
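Review bot: `line: "bind-address = {{ ansible_facts.docker0.ipv4.address }}"` aborts the play with an undefined-attribute error whenever `docker0` is absent — the Docker daemon not started yet, or the role applied to a host without Docker — and the preceding `setup` re-gather does not help in that case; since binding to docker0 is the whole point of the role, an explicit assert with a readable message is better than a silent skip. Replacing `roles/mariadb/defaults/main.yml` with an inline `default(['172.16.0.0/12'])` moves a role default out of the place Ansible looks for it and drops the previous `192.168.0.0/16` entry; keeping `mariadb_trust` in `defaults/main.yml` documents the trust list in one place and keeps host overrides working the same way. The UFW rule in `Allow database connections from Docker` still opens 3306 to the whole `172.16.0.0/12` range while the listener is now bound only to docker0's address, which is the effective limit on exposure; a comment on the lineinfile task saying so would make that intent clear.
```yaml
- name: Require the docker0 interface for the MariaDB bind-address
  ansible.builtin.assert:
    that: ansible_facts.docker0 is defined
    fail_msg: "docker0 not found; start Docker before applying the mariadb role"

# … unchanged: Change the bind-address to allow from docker0, ufw rule …
```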