From a24fd466090a405054060df7a0302d73bbf7f5fe Mon Sep 17 00:00:00 2001 From: Kris Lamoureux Date: Tue, 24 May 2022 21:15:10 -0400 Subject: [PATCH] testing --- ansible.cfg | 3 + dev/host_vars/proxy.yml | 6 +- dev/proxy.yml | 3 +- roles/base/tasks/ansible.yml | 7 ++ roles/bitwarden/defaults/main.yml | 2 +- roles/bitwarden/handlers/main.yml | 15 ++- roles/bitwarden/tasks/main.yml | 34 +++--- .../bitwarden/templates/bitwarden.service.j2 | 13 +++ roles/docker/defaults/main.yml | 3 + roles/docker/tasks/main.yml | 16 +++ roles/docker/templates/daemon.json.j2 | 3 + .../templates/docker-compose.service.j2 | 14 +++ roles/gitea/defaults/main.yml | 15 ++- roles/gitea/tasks/main.yml | 109 +++++------------- roles/gitea/templates/compose-env.j2 | 17 +++ roles/gitea/templates/docker-compose.yml.j2 | 30 +++++ roles/proxy/tasks/main.yml | 1 + roles/proxy/templates/server-nginx.conf.j2 | 8 ++ 18 files changed, 188 insertions(+), 111 deletions(-) create mode 100644 roles/bitwarden/templates/bitwarden.service.j2 create mode 100644 roles/docker/defaults/main.yml create mode 100644 roles/docker/templates/daemon.json.j2 create mode 100644 roles/docker/templates/docker-compose.service.j2 create mode 100644 roles/gitea/templates/compose-env.j2 create mode 100644 roles/gitea/templates/docker-compose.yml.j2 diff --git a/ansible.cfg b/ansible.cfg index f237d47..e0ac21f 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,3 +1,6 @@ [defaults] inventory = ./environments/development interpreter_python = /usr/bin/python3 + +[connection] +pipelining = true diff --git a/dev/host_vars/proxy.yml b/dev/host_vars/proxy.yml index 1f0dae2..f4bf756 100644 --- a/dev/host_vars/proxy.yml +++ b/dev/host_vars/proxy.yml @@ -17,7 +17,7 @@ proxy: - domain: "{{ bitwarden_domain }}" proxy_pass: "http://127.0.0.1:8080" - domain: "{{ gitea_domain }}" - proxy_pass: "http://127.0.0.1:3080" + proxy_pass: "http://127.0.0.1:3000" # docker docker_users: @@ -34,8 +34,4 @@ bitwarden_install_key: 1yB3Z2gRI0KnnH90C6p # gitea gitea_domain: "git.{{ base_domain }}" gitea_version: 1 -gitea_dbversion: latest gitea_dbpass: password -gitea_ports: - - "222:22" - - "3080:3000" diff --git a/dev/proxy.yml b/dev/proxy.yml index 8df84cb..bd011b8 100644 --- a/dev/proxy.yml +++ b/dev/proxy.yml @@ -5,7 +5,8 @@ - host_vars/proxy.yml roles: - base + - postgresql - proxy - docker - - bitwarden - gitea + - bitwarden diff --git a/roles/base/tasks/ansible.yml b/roles/base/tasks/ansible.yml index 16ae819..37922de 100644 --- a/roles/base/tasks/ansible.yml +++ b/roles/base/tasks/ansible.yml @@ -13,3 +13,10 @@ loop: - aptitude - python3-docker + - python3-psycopg2 + +- name: Create Ansible's temporary remote directory + file: + path: "~/.ansible/tmp" + state: directory + mode: 0700 diff --git a/roles/bitwarden/defaults/main.yml b/roles/bitwarden/defaults/main.yml index da91560..46c67fe 100644 --- a/roles/bitwarden/defaults/main.yml +++ b/roles/bitwarden/defaults/main.yml @@ -1,5 +1,5 @@ bitwarden_name: bitwarden -bitwarden_root: "/opt/{{ bitwarden_name }}" +bitwarden_root: "{{ docker_root }}/{{ bitwarden_name }}" bitwarden_database: "{{ bitwarden_name }}" bitwarden_standalone: false bitwarden_production: false diff --git a/roles/bitwarden/handlers/main.yml b/roles/bitwarden/handlers/main.yml index 8fd980b..1e9b262 100644 --- a/roles/bitwarden/handlers/main.yml +++ b/roles/bitwarden/handlers/main.yml @@ -1,7 +1,16 @@ +- name: Stop Bitwarden for rebuild + service: + name: "{{ bitwarden_name }}" + state: stopped + listen: rebuild_bitwarden + - name: Rebuild Bitwarden shell: "{{ bitwarden_root }}/bitwarden.sh rebuild" listen: rebuild_bitwarden -- name: Start Bitwarden - shell: "{{ bitwarden_root }}/bitwarden.sh start" - listen: start_bitwarden +- name: Start Bitwarden after rebuild + service: + name: "{{ bitwarden_name }}" + state: started + enabled: true + listen: rebuild_bitwarden diff --git a/roles/bitwarden/tasks/main.yml b/roles/bitwarden/tasks/main.yml index 4a9cc12..ebcb1b0 100644 --- a/roles/bitwarden/tasks/main.yml +++ b/roles/bitwarden/tasks/main.yml @@ -25,16 +25,13 @@ shell: "{{ bitwarden_root }}/bw_wrapper" args: creates: "{{ bitwarden_root }}/bwdata/config.yml" - notify: start_bitwarden - name: Install docker-compose override template: src: compose.override.yml.j2 dest: "{{ bitwarden_root }}/bwdata/docker/docker-compose.override.yml" when: traefik_version is defined - notify: - - rebuild_bitwarden - - start_bitwarden + notify: rebuild_bitwarden - name: Disable bitwarden-nginx HTTP on 80 replace: @@ -42,9 +39,7 @@ regexp: "^http_port: 80$" replace: "http_port: 8080" when: not bitwarden_standalone - notify: - - rebuild_bitwarden - - start_bitwarden + notify: rebuild_bitwarden - name: Disable bitwarden-nginx HTTPS on 443 replace: @@ -52,9 +47,7 @@ regexp: "^https_port: 443$" replace: "https_port: 8443" when: not bitwarden_standalone - notify: - - rebuild_bitwarden - - start_bitwarden + notify: rebuild_bitwarden - name: Disable Bitwarden managed Lets Encrypt replace: @@ -62,9 +55,7 @@ regexp: "^ssl_managed_lets_encrypt: true$" replace: "ssl_managed_lets_encrypt: false" when: not bitwarden_standalone or not bitwarden_production - notify: - - rebuild_bitwarden - - start_bitwarden + notify: rebuild_bitwarden - name: Disable Bitwarden managed SSL replace: @@ -72,6 +63,17 @@ regexp: "^ssl: true$" replace: "ssl: false" when: not bitwarden_standalone - notify: - - rebuild_bitwarden - - start_bitwarden + notify: rebuild_bitwarden + +- name: Install Bitwarden systemd service + template: + src: bitwarden.service.j2 + dest: "/etc/systemd/system/{{ bitwarden_name }}.service" + register: bitwarden_systemd + notify: rebuild_bitwarden + +- name: Reload systemd manager configuration + systemd: + daemon_reload: true + when: bitwarden_systemd.changed + notify: rebuild_bitwarden diff --git a/roles/bitwarden/templates/bitwarden.service.j2 b/roles/bitwarden/templates/bitwarden.service.j2 new file mode 100644 index 0000000..fab45ce --- /dev/null +++ b/roles/bitwarden/templates/bitwarden.service.j2 @@ -0,0 +1,13 @@ +[Unit] +Description=Bitwarden Password Manager Server +PartOf=docker.service +After=docker.service + +[Service] +Type=oneshot +RemainAfterExit=true +ExecStart={{ bitwarden_root }}/bitwarden.sh start +ExecStop={{ bitwarden_root }}/bitwarden.sh stop + +[Install] +WantedBy=multi-user.target diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml new file mode 100644 index 0000000..370f7a9 --- /dev/null +++ b/roles/docker/defaults/main.yml @@ -0,0 +1,3 @@ +docker_root: /var/lib/docker-compose +docker_compose: /usr/bin/docker-compose +docker_compose_service: compose diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index f8eb230..7175650 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -4,6 +4,22 @@ state: present update_cache: true +- name: Create docker-compose root + file: + path: "{{ docker_root }}" + state: directory + +- name: Install docker-compose systemd service + template: + src: docker-compose.service.j2 + dest: "/etc/systemd/system/{{ docker_compose_service }}@.service" + register: compose_systemd + +- name: Reload systemd manager configuration + systemd: + daemon_reload: true + when: compose_systemd.changed + - name: Add users to docker group user: name: "{{ item }}" diff --git a/roles/docker/templates/daemon.json.j2 b/roles/docker/templates/daemon.json.j2 new file mode 100644 index 0000000..ccba523 --- /dev/null +++ b/roles/docker/templates/daemon.json.j2 @@ -0,0 +1,3 @@ +{ + "bip": "{{ docker_network }}" +} diff --git a/roles/docker/templates/docker-compose.service.j2 b/roles/docker/templates/docker-compose.service.j2 new file mode 100644 index 0000000..34e8188 --- /dev/null +++ b/roles/docker/templates/docker-compose.service.j2 @@ -0,0 +1,14 @@ +[Unit] +Description=%i docker-compose service +PartOf=docker.service +After=docker.service + +[Service] +Type=oneshot +RemainAfterExit=true +WorkingDirectory={{ docker_root }}/%i +ExecStart={{ docker_compose }} up -d --remove-orphans +ExecStop={{ docker_compose }} down + +[Install] +WantedBy=multi-user.target diff --git a/roles/gitea/defaults/main.yml b/roles/gitea/defaults/main.yml index 6e62152..d9808e1 100644 --- a/roles/gitea/defaults/main.yml +++ b/roles/gitea/defaults/main.yml @@ -1,11 +1,16 @@ # container settings gitea_name: gitea -gitea_dbname: "{{ gitea_name }}-db" -gitea_ports: "222:22" +gitea_sshport: "222" +gitea_webport: "3000" +gitea_volume: "{{ gitea_name }}" +gitea_rooturl: "http://{{ gitea_domain }}" +gitea_signup: true # database settings -gitea_dbuser: "{{ gitea_dbname }}" +gitea_dbtype: postgres +gitea_dbhost: host.docker.internal +gitea_dbname: "{{ gitea_name }}" +gitea_dbuser: "{{ gitea_name }}" # host -gitea_root: "/opt/{{ gitea_name }}/data" -gitea_dbroot: "/opt/{{ gitea_name }}/database" +gitea_root: "{{ docker_root }}/{{ gitea_name }}" diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml index c6391e6..b50dca0 100644 --- a/roles/gitea/tasks/main.yml +++ b/roles/gitea/tasks/main.yml @@ -1,85 +1,34 @@ -- name: Create Gitea Network - docker_network: - name: "{{ gitea_name }}" +- name: Create Gitea directory + file: + path: "{{ gitea_root }}" + state: directory -- name: Start Gitea's database container - docker_container: +- name: Create gitea database + postgresql_db: name: "{{ gitea_dbname }}" - image: mariadb:{{ gitea_dbversion }} - state: started - restart_policy: always - volumes: "{{ gitea_dbroot }}:/var/lib/mysql" - container_default_behavior: "no_defaults" - networks_cli_compatible: true - networks: - - name: "{{ gitea_name }}" - env: - MYSQL_RANDOM_ROOT_PASSWORD: "true" - MYSQL_DATABASE: "{{ gitea_dbname }}" - MYSQL_USER: "{{ gitea_dbuser }}" - MYSQL_PASSWORD: "{{ gitea_dbpass }}" + become: true + become_user: postgres -- name: Start Gitea container (traefik routing) - docker_container: - name: "{{ gitea_name }}" - image: gitea/gitea:{{ gitea_version }} - state: started - restart_policy: always - container_default_behavior: "no_defaults" - networks_cli_compatible: true - ports: "{{ gitea_ports }}" - networks: - - name: "{{ gitea_name }}" - - name: traefik - volumes: - - "{{ gitea_root }}:/data" - - /etc/timezone:/etc/timezone:ro - - /etc/localtime:/etc/localtime:ro - env: - USER_UID: "1000" - USER_GID: "1000" - DB_TYPE: mysql - DB_HOST: "{{ gitea_dbname }}" - DB_NAME: "{{ gitea_dbname }}" - DB_USER: "{{ gitea_dbuser }}" - DB_PASSWD: "{{ gitea_dbpass }}" - ROOT_URL: "https://{{ gitea_domain }}/" - SSH_DOMAIN: "{{ gitea_domain }}" - DOMAIN: "{{ gitea_domain }}" - labels: - traefik.http.routers.gitea.rule: "Host(`{{ gitea_domain }}`)" - traefik.http.routers.gitea.entrypoints: websecure - traefik.http.routers.gitea.tls.certresolver: letsencrypt - traefik.http.routers.gitea.middlewares: "securehttps@file" - traefik.http.services.gitea.loadbalancer.server.port: "3000" - traefik.docker.network: traefik - traefik.enable: "true" - when: traefik_version is defined +- name: Create gitea database user + postgresql_user: + db: "{{ gitea_dbname }}" + name: "{{ gitea_dbuser }}" + password: "{{ gitea_dbpass }}" + become: true + become_user: postgres -- name: Start Gitea container - docker_container: - name: "{{ gitea_name }}" - image: gitea/gitea:{{ gitea_version }} +- name: Install Gitea's docker-compose file + template: + src: docker-compose.yml.j2 + dest: "{{ gitea_root }}/docker-compose.yml" + +- name: Install Gitea's docker-compose variables + template: + src: compose-env.j2 + dest: "{{ gitea_root }}/.env" + +- name: Start and enable Gitea service + service: + name: "{{ docker_compose_service }}@{{ gitea_name }}" state: started - restart_policy: always - container_default_behavior: "no_defaults" - networks_cli_compatible: true - ports: "{{ gitea_ports }}" - networks: - - name: "{{ gitea_name }}" - volumes: - - "{{ gitea_root }}:/data" - - /etc/timezone:/etc/timezone:ro - - /etc/localtime:/etc/localtime:ro - env: - USER_UID: "1000" - USER_GID: "1000" - DB_TYPE: mysql - DB_HOST: "{{ gitea_dbname }}" - DB_NAME: "{{ gitea_dbname }}" - DB_USER: "{{ gitea_dbuser }}" - DB_PASSWD: "{{ gitea_dbpass }}" - ROOT_URL: "https://{{ gitea_domain }}/" - SSH_DOMAIN: "{{ gitea_domain }}" - DOMAIN: "{{ gitea_domain }}" - when: traefik_version is not defined + enabled: true diff --git a/roles/gitea/templates/compose-env.j2 b/roles/gitea/templates/compose-env.j2 new file mode 100644 index 0000000..bfa1ca5 --- /dev/null +++ b/roles/gitea/templates/compose-env.j2 @@ -0,0 +1,17 @@ +# {{ ansible_managed }} +gitea_version={{ gitea_version }} +gitea_name={{ gitea_name }} +gitea_domain={{ gitea_domain }} +gitea_rooturl={{ gitea_rooturl }} +gitea_webport={{ gitea_webport }} +gitea_sshport={{ gitea_sshport }} +gitea_dbtype={{ gitea_dbtype }} +gitea_dbhost={{ gitea_dbhost }} +gitea_dbname={{ gitea_dbname }} +gitea_dbuser={{ gitea_dbuser }} +gitea_dbpass={{ gitea_dbpass }} +{% if not gitea_signup %} +gitea_disable_registration=true +{% else %} +gitea_disable_registration=false +{% endif %} diff --git a/roles/gitea/templates/docker-compose.yml.j2 b/roles/gitea/templates/docker-compose.yml.j2 new file mode 100644 index 0000000..db28af4 --- /dev/null +++ b/roles/gitea/templates/docker-compose.yml.j2 @@ -0,0 +1,30 @@ +version: '3.7' + +services: + gitea: + image: "gitea/gitea:${gitea_version}" + container_name: "${gitea_name}" + ports: + - "${gitea_sshport}:22" + - "127.0.0.1:${gitea_webport}:3000" + extra_hosts: + - "host.docker.internal:host-gateway" + environment: + - USER_UID=1000 + - USER_GID=1000 + - GITEA__server__ROOT_URL=${gitea_rooturl} + - GITEA__server__DOMAIN=${gitea_domain} + - GITEA__server__SSH_DOMAIN=${gitea_domain} + - GITEA__database__DB_TYPE=${gitea_dbtype} + - GITEA__database__HOST=${gitea_dbhost} + - GITEA__database__NAME=${gitea_dbname} + - GITEA__database__USER=${gitea_dbuser} + - GITEA__database__PASSWD=${gitea_dbpass} + - GITEA__service__DISABLE_REGISTRATION=${gitea_disable_registration} + volumes: + - {{ gitea_volume }}:/data + - /etc/timezone:/etc/timezone:ro + - /etc/localtime:/etc/localtime:ro + +volumes: + {{ gitea_volume }}: diff --git a/roles/proxy/tasks/main.yml b/roles/proxy/tasks/main.yml index 44c0aa0..171ed09 100644 --- a/roles/proxy/tasks/main.yml +++ b/roles/proxy/tasks/main.yml @@ -62,6 +62,7 @@ file: path: /etc/letsencrypt/renewal-hooks/post state: directory + when: proxy.production is defined and proxy.production - name: Install nginx post renewal hook copy: diff --git a/roles/proxy/templates/server-nginx.conf.j2 b/roles/proxy/templates/server-nginx.conf.j2 index 718a96e..37b36fd 100644 --- a/roles/proxy/templates/server-nginx.conf.j2 +++ b/roles/proxy/templates/server-nginx.conf.j2 @@ -1,3 +1,11 @@ +{% if item.https is not defined or item.https %} +server { + listen 80; + + server_name {{ item.domain }}; + return 301 https://{{ item.domain }}$request_uri; +} +{% endif %} server { listen 443 ssl; server_name {{ item.domain }};