testing

2024-05-03 02:43:38 -04:00 · 2024-05-02 01:58:07 -04:00 · 2024-05-02 01:37:26 -04:00
13 changed files with 98 additions and 100 deletions
--- a/.github/workflows/vagrant.yml
+++ b/.github/workflows/vagrant.yml
@ -3,17 +3,22 @@ name: homelab-ci
 on:
  push:
    branches:
-      - github_actions
-      # - main
-      # - testing
+      - main
+      - testing

 jobs:
  homelab-ci:
-    runs-on: macos-latest
+    runs-on: macos-13

    steps:
      - uses: actions/checkout@v3

+      - name: Setup tmate session
+        uses: mxschmitt/action-tmate@v3
+        with:
+          detached: true
+          limit-access-to-actor: true
+
      - name: Cache Vagrant boxes
        uses: actions/cache@v3
        with:
@ -22,19 +27,23 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-vagrant-

+      - name: Install Tools
+        run: brew install nmap tree
+
+      - name: Install VirtualBox
+        run: brew install --cask virtualbox
+
+      - name: Install Vagrant
+        run: brew install --cask vagrant
+
      - name: Install Ansible
-        run: brew install ansible@7
+        run: brew install ansible

      - name: Software Versions
        run: |
-          printf "VirtualBox "
-          vboxmanage --version
+          printf "VirtualBox "; vboxmanage --version
          vagrant --version
-          export PATH="/usr/local/opt/ansible@7/bin:$PATH"
          ansible --version

      - name: Vagrant Up with Dockerbox Playbook
-        run: |
-          export PATH="/usr/local/opt/ansible@7/bin:$PATH"
-          PLAYBOOK=dockerbox vagrant up
-          vagrant ssh -c "docker ps"
+        run: ./scripts/github-vagrant.sh
--- a/3
+++ b/3
@ -36,6 +36,7 @@ Vagrant.configure("2") do |config|
  config.vm.provider :virtualbox do |vbox|
    vbox.cpus   = VAGRANT_CPUS
    vbox.memory = VAGRANT_MEM
+    vbox.gui    = true
  end

  # Provision with Ansible
@ -43,6 +44,6 @@ Vagrant.configure("2") do |config|
    ENV['ANSIBLE_ROLES_PATH'] = File.dirname(__FILE__) + "/roles"
    ansible.compatibility_mode = "2.0"
    ansible.playbook = "dev/" + PLAYBOOK + ".yml"
-    ansible.raw_arguments = ["--diff"]
+    ansible.raw_arguments = ["--diff", "-vvvv"]
  end
 end
--- a/playbooks/docker.yml
+++ b/playbooks/docker.yml
@ -4,5 +4,4 @@
  roles:
    - base
    - jenkins
-    - proxy
    - docker
--- a/roles/base/tasks/samba.yml
+++ b/roles/base/tasks/samba.yml
@ -26,7 +26,7 @@
  ansible.builtin.template:
    src: smb.conf.j2
    dest: /etc/samba/smb.conf
-    mode: "644"
+    mode: "700"
  notify: restart_samba

 - name: Start smbd and enable on boot
--- a/roles/base/tasks/system.yml
+++ b/roles/base/tasks/system.yml
@ -80,10 +80,8 @@
    state: present
    uid: "{{ item.value.uid }}"
    group: "{{ item.value.gid }}"
-    groups: "{{ item.value.groups | default([]) }}"
    shell: "{{ item.value.shell | default('/bin/bash') }}"
    create_home: "{{ item.value.home | default(false) }}"
-    home: "{{ item.value.homedir | default('/home/' + item.key) }}"
    system: "{{ item.value.system | default(false) }}"
  loop: "{{ users | dict2items }}"
  loop_control:
--- a/roles/base/tasks/wireguard.yml
+++ b/roles/base/tasks/wireguard.yml
@ -18,28 +18,6 @@
    src: /etc/wireguard/privatekey
  register: wgkey

- name: Check if WireGuard preshared key file exists
-  ansible.builtin.stat:
-    path: /etc/wireguard/presharedkey-{{ item.name }}
-  loop: "{{ wireguard.peers }}"
-  loop_control:
-    label: "{{ item.name }}"
-  register: presharedkey_files
-
- name: Grab WireGuard preshared key for configuration
-  ansible.builtin.slurp:
-    src: /etc/wireguard/presharedkey-{{ item.item.name }}
-  register: wgshared
-  loop: "{{ presharedkey_files.results }}"
-  loop_control:
-    label: "{{ item.item.name }}"
-  when: item.stat.exists
-
- name: Grab WireGuard private key for configuration
-  ansible.builtin.slurp:
-    src: /etc/wireguard/privatekey
-  register: wgkey
-
 - name: Install WireGuard configuration
  ansible.builtin.template:
    src: wireguard.j2
--- a/roles/base/templates/wireguard.j2
+++ b/roles/base/templates/wireguard.j2
@ -1,6 +1,4 @@
-# {{ ansible_managed }}
-
-[Interface] # {{ ansible_hostname }}
+[Interface]
 PrivateKey = {{ wgkey['content'] | b64decode | trim }}
 Address = {{ wireguard.address }}
 {% if wireguard.listenport is defined %}
@ -8,26 +6,8 @@ ListenPort = {{ wireguard.listenport }}
 {% endif %}

 {% for peer in wireguard.peers %}
-{% if peer.name is defined %}
-[Peer] # {{ peer.name }}
-{% else %}
 [Peer]
-{% endif %}
 PublicKey = {{ peer.publickey }}
-{% if peer.presharedkey is defined %}
-PresharedKey = {{ peer.presharedkey }}
-{% else %}
-{% set preshared_key = (
-    wgshared.results
-    | selectattr('item.item.name', 'equalto', peer.name)
-    | first
-  ).content
-  | default(none)
-%}
-{% if preshared_key is not none %}
-PresharedKey = {{ preshared_key | b64decode | trim }}
-{% endif %}
-{% endif %}
 {% if peer.endpoint is defined %}
 Endpoint = {{ peer.endpoint }}
 {% endif %}
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@ -24,21 +24,15 @@

 - name: Install/uninstall Docker from Debian repositories
  ansible.builtin.apt:
-    name: ["docker.io", "docker-compose", "containerd", "runc"]
+    name: ['docker.io', 'docker-compose', 'containerd', 'runc']
    state: "{{ 'absent' if docker_official else 'present' }}"
    autoremove: true
    update_cache: true

 - name: Install/uninstall Docker from Docker repositories
  ansible.builtin.apt:
-    name:
-      [
-        "docker-ce",
-        "docker-ce-cli",
-        "containerd.io",
-        "docker-buildx-plugin",
-        "docker-compose-plugin",
-      ]
+    name: ['docker-ce', 'docker-ce-cli', 'containerd.io',
+           'docker-buildx-plugin', 'docker-compose-plugin']
    state: "{{ 'present' if docker_official else 'absent' }}"
    autoremove: true
    update_cache: true
@ -141,6 +135,14 @@
    label: "{{ item.name }}"
  when: docker_compose_deploy is defined and item.env is defined

+- name: Add users to docker group
+  ansible.builtin.user:
+    name: "{{ item }}"
+    groups: docker
+    append: true
+  loop: "{{ docker_users }}"
+  when: docker_users is defined
+
 - name: Start Docker and enable on boot
  ansible.builtin.service:
    name: docker
--- a/roles/jellyfin/templates/docker-compose.yml.j2
+++ b/roles/jellyfin/templates/docker-compose.yml.j2
@ -15,7 +15,7 @@ services:
    networks:
      - traefik
    labels:
-      - "traefik.http.routers.{{ jellyfin_router }}.rule=Host({{ jellyfin_domains }})"
+      - "traefik.http.routers.{{ jellyfin_router }}.rule=Host(`{{ jellyfin_domain }}`)"
 {% if traefik_http_only %}
      - "traefik.http.routers.{{ jellyfin_router }}.entrypoints=web"
 {% else %}
--- a/roles/proxy/tasks/main.yml
+++ b/roles/proxy/tasks/main.yml
@ -45,11 +45,10 @@
  register: nginx_sites

 - name: Generate self-signed certificate
-  ansible.builtin.command:
-    'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
-    -subj   "/C=US/ST=Local/L=Local/O=Org/OU=IT/CN=example.com" \
-    -keyout /etc/ssl/private/nginx-selfsigned.key \
-    -out    /etc/ssl/certs/nginx-selfsigned.crt'
+  ansible.builtin.command: 'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
+          -subj   "/C=US/ST=Local/L=Local/O=Org/OU=IT/CN=example.com" \
+          -keyout /etc/ssl/private/nginx-selfsigned.key \
+          -out    /etc/ssl/certs/nginx-selfsigned.crt'
  args:
    creates: /etc/ssl/certs/nginx-selfsigned.crt
  when: proxy.production is not defined or not proxy.production
@ -57,22 +56,15 @@

 - name: Install LE's certbot
  ansible.builtin.apt:
-    name: ["certbot", "python3-certbot-dns-cloudflare"]
+    name: ['certbot', 'python3-certbot-dns-cloudflare']
    state: present
  when: proxy.production is defined and proxy.production

- name: Grab Cloudflare API token for configuration
-  ansible.builtin.slurp:
-    src: /root/.cloudflare-api
-  register: cfapi
-  when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
-
 - name: Install Cloudflare API token
  ansible.builtin.template:
    src: cloudflare.ini.j2
    dest: /root/.cloudflare.ini
    mode: "400"
-  diff: false
  when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined

 - name: Create nginx post renewal hook directory
@ -86,19 +78,19 @@
  ansible.builtin.copy:
    src: reload-nginx.sh
    dest: /etc/letsencrypt/renewal-hooks/post/reload-nginx.sh
-    mode: "0755"
+    mode: '0755'
  when: proxy.production is defined and proxy.production

 - name: Run Cloudflare DNS-01 challenges on wildcard domains
  ansible.builtin.shell: '/usr/bin/certbot certonly \
-    --non-interactive \
-    --agree-tos \
-    --email "{{ proxy.dns_cloudflare.email }}" \
-    --dns-cloudflare \
-    --dns-cloudflare-credentials /root/.cloudflare.ini \
-    -d "*.{{ item }}" \
-    -d "{{ item }}" \
-    {{ proxy.dns_cloudflare.opts | default("") }}'
+            --non-interactive \
+            --agree-tos \
+            --email "{{ proxy.dns_cloudflare.email }}" \
+            --dns-cloudflare \
+            --dns-cloudflare-credentials /root/.cloudflare.ini \
+            -d "*.{{ item }}" \
+            -d "{{ item }}" \
+            {{ proxy.dns_cloudflare.opts | default("") }}'
  args:
    creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem"
  loop: "{{ proxy.dns_cloudflare.wildcard_domains }}"
--- a/roles/proxy/templates/cloudflare.ini.j2
+++ b/roles/proxy/templates/cloudflare.ini.j2
@ -1,2 +1,2 @@
 # Cloudflare API token used by Certbot
-dns_cloudflare_api_token = {{ cfapi['content'] | b64decode | trim }}
+dns_cloudflare_api_token = {{ proxy.dns_cloudflare.api_token }}
--- a/roles/proxy/templates/server-nginx.conf.j2
+++ b/roles/proxy/templates/server-nginx.conf.j2
@ -35,13 +35,7 @@ server {
  client_max_body_size {{ item.client_max_body_size }};
 {% endif %}
  location / {
-{% if item.allowedips is defined %}
-{% for ip in item.allowedips %}
-    allow {{ ip }};
-{% endfor %}
-    deny all;
-{% endif %}
-{% if item.restrict is defined and item.restrict %}
+{% if item.restrict is defined and item.restrict  %}
    auth_basic "{{ item.restrict_name | default('Restricted Access') }}";
    auth_basic_user_file {{ item.restrict_file | default('/etc/nginx/.htpasswd') }};
    proxy_set_header Authorization "";
--- a/scripts/github-vagrant.sh
+++ b/scripts/github-vagrant.sh
@ -0,0 +1,45 @@
+#!/bin/bash
+
+# Defaults
+TIMEOUT=600
+ELAPSED=0
+INITIAL_SLEEP=60
+SLEEP_DURATION=30
+SSH_AVAILABLE=0
+DEBUG_ID="[homelab-ci]"
+
+# Run Vagrant Up in the background
+PLAYBOOK=dockerbox vagrant up &
+VAGRANT_UP_PID=$!
+
+# Initial delay
+echo "$DEBUG_ID Waiting for VM to start..."
+sleep $INITIAL_SLEEP
+
+# Loop until timeout or breaks
+while [[ $ELAPSED -lt $TIMEOUT ]]; do
+	VAGRANT_SSH_CONFIG=$(mktemp)
+	vagrant ssh-config > "$VAGRANT_SSH_CONFIG"
+	echo "$DEBUG_ID SSH config at $VAGRANT_SSH_CONFIG"
+	cat "$VAGRANT_SSH_CONFIG"
+	echo "$DEBUG_ID Vagrant status"
+	vagrant status
+
+	# SSH attempt
+	set -x
+	ssh -vvv -F "$VAGRANT_SSH_CONFIG" default 'cat /etc/os-release' && set +x; break \
+	|| echo "$DEBUG_ID SSH connection failed, retrying in $SLEEP_DURATION seconds..."
+	set +x
+
+	# Sleep and start again
+	sleep $SLEEP_DURATION
+	((ELAPSED+=SLEEP_DURATION))
+done
+
+# Success?
+if [[ $SSH_AVAILABLE -ne 1 ]]; then
+	echo "$DEBUG_ID Timeout reached without successful SSH connection."
+fi
+
+# Ensure the Vagrant up process completes
+wait $VAGRANT_UP_PID
Author	SHA1	Message	Date
Kris Lamoureux	2d09ce28e7	testing	2024-05-03 02:43:38 -04:00
Kris Lamoureux	8d1cc8e160	testing	2024-05-02 01:58:07 -04:00
Kris Lamoureux	4d3faf3617	testing	2024-05-02 01:37:26 -04:00