testing

Add option for private OCI registry auth
Add Makefile, roles_path, and SSH tunnel variable
2023-10-09 00:30:54 -04:00 · 2023-09-29 22:18:59 -04:00 · 2023-09-26 21:14:06 -04:00 · 2023-09-16 00:04:58 -04:00 · 2023-09-15 23:46:45 -04:00
11 changed files with 149 additions and 20 deletions
--- a/10
+++ b/10
@@ -0,0 +1,10 @@
+.PHONY: clean install
+
+all: install
+
+install:
+	vagrant up --no-destroy-on-error
+	sudo ./forward-ssh.sh
+
+clean:
+	vagrant destroy -f && rm -rf .vagrant
--- a/1
+++ b/1
@@ -43,5 +43,6 @@ Vagrant.configure("2") do |config|
    ENV['ANSIBLE_ROLES_PATH'] = File.dirname(__FILE__) + "/roles"
    ansible.compatibility_mode = "2.0"
    ansible.playbook = "dev/" + PLAYBOOK + ".yml"
+    ansible.raw_arguments = ["--diff"]
  end
 end
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,6 +1,7 @@
 [defaults]
 inventory = ./environments/development
 interpreter_python = /usr/bin/python3
+roles_path = ./roles

 [connection]
 pipelining = true
--- a/dev/docker.yml
+++ b/dev/docker.yml
@@ -0,0 +1,8 @@
+- name: Install Docker Server
+  hosts: all
+  become: true
+  vars_files:
+    - host_vars/docker.yml
+  roles:
+    - base
+    - docker
--- a/dev/host_vars/docker.yml
+++ b/dev/host_vars/docker.yml
@@ -0,0 +1,39 @@
+# base
+allow_reboot: false
+manage_network: false
+
+# docker
+docker_users:
+  - vagrant
+
+#docker_login_url: https://myregistry.example.com
+#docker_login_user: myuser
+#docker_login_pass: YOUR_PASSWD
+
+docker_compose_deploy:
+  - name: traefik
+    url: https://github.com/krislamo/traefik
+    version: 4d3391b1644e87dec2d60d3315401e4db2bbc943
+    enabled: true
+    accept_newhostkey: true # Consider verifying manually instead
+    # Must manually add my GPG key to root's keyring
+    #trusted_keys:
+    #  - FBF673CEEC030F8AECA814E73EDA9C3441EDA925
+    env:
+      VERSION: "2.10"
+  - name: traefik2
+    url: https://github.com/krislamo/traefik
+    version: 4d3391b1644e87dec2d60d3315401e4db2bbc943
+    enabled: true
+    accept_newhostkey: true # Consider verifying manually instead
+    # Must manually add my GPG key to root's keyring
+    #trusted_keys:
+    #  - FBF673CEEC030F8AECA814E73EDA9C3441EDA925
+    env:
+      VERSION: "2.10"
+      DOMAIN: traefik2.local.krislamo.org
+      ROUTER: traefik2
+      NETWORK: traefik2
+      WEB_PORT: 127.0.0.1:8000:80
+      WEBSECURE_PORT: 127.0.0.1:4443:443
+      LOCAL_POST: 127.0.0.1:8444:8443
--- a/forward-ssh.sh
+++ b/forward-ssh.sh
@@ -3,6 +3,12 @@
 # Finds the SSH private key under ./.vagrant and connects to
 # the Vagrant box, port forwarding localhost ports: 8443, 80, 443

+# Root check
+if [ "$EUID" -ne 0 ]; then
+  echo "[ERROR]: Please run script as root"
+  exit 1
+fi
+
 # Clean environment
 unset PRIVATE_KEY
 unset HOST_IP
@@ -11,16 +17,26 @@ unset PKILL_ANSWER

 # Function to create the SSH tunnel
 function ssh_connect {
-  printf "[INFO]: Starting new vagrant SSH tunnel on PID "
-  sudo ssh -fNT -i "$PRIVATE_KEY" \
-    -L 8443:localhost:8443 \
-    -L 80:localhost:80 \
-    -L 443:localhost:443 \
-    -o UserKnownHostsFile=/dev/null \
-    -o StrictHostKeyChecking=no \
-      vagrant@"$HOST_IP" 2>/dev/null
-  sleep 2
-  pgrep -f "$MATCH_PATTERN"
+  read -rp "Start a new vagrant SSH tunnel? [y/N] " PSTART_ANSWER
+  echo
+  case "$PSTART_ANSWER" in
+    [yY])
+      printf "[INFO]: Starting new vagrant SSH tunnel on PID "
+      sudo -u "$USER" ssh -fNT -i "$PRIVATE_KEY" \
+        -L 8443:localhost:8443 \
+        -L 80:localhost:80 \
+        -L 443:localhost:443 \
+        -o UserKnownHostsFile=/dev/null \
+        -o StrictHostKeyChecking=no \
+        vagrant@"$HOST_IP" 2>/dev/null
+      sleep 2
+      pgrep -f "$MATCH_PATTERN"
+      ;;
+    *)
+      echo "[INFO]: Delined to start a new vagrant SSH tunnel"
+      exit 0
+      ;;
+  esac
 }

 # Check for valid PRIVATE_KEY location
@@ -56,7 +72,7 @@ else
  case "$PKILL_ANSWER" in
    [yY])
      echo "[WARNING]: Killing old vagrant SSH tunnel(s): "
-      pgrep -f "$MATCH_PATTERN" | tee >(xargs sudo kill -15)
+      pgrep -f "$MATCH_PATTERN" | tee >(xargs kill -15)
      echo
      if [ "$(pgrep -afc "$MATCH_PATTERN")" -eq 0 ]; then
        ssh_connect
--- a/roles/base/tasks/system.yml
+++ b/roles/base/tasks/system.yml
@@ -4,6 +4,11 @@
    state: present
    update_cache: true

+- name: Install GPG
+  ansible.builtin.apt:
+    name: gpg
+    state: present
+
 - name: Manage root authorized_keys
  ansible.builtin.template:
    src: authorized_keys.j2
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@@ -3,4 +3,4 @@ docker_compose_service: compose
 docker_compose: /usr/bin/docker-compose
 docker_repos_keys: "{{ docker_repos_path }}/.keys"
 docker_repos_keytype: rsa
-docker_repos_path: /srv/compose_repos
+docker_repos_path: /srv/.compose_repos
--- a/roles/docker/handlers/main.yml
+++ b/roles/docker/handlers/main.yml
@@ -2,3 +2,29 @@
  ansible.builtin.systemd:
    daemon_reload: true
  listen: compose_systemd
+
+- name: Find which services had a docker-compose.yml updated
+  set_fact:
+    compose_restart_list: "{{ (compose_restart_list | default([])) + [item.item.name] }}"
+  loop: "{{ compose_update.results }}"
+  loop_control:
+    label: "{{ item.item.name }}"
+  when: item.changed
+  listen: compose_restart
+
+- name: Find which services had their .env updated
+  set_fact:
+    compose_restart_list: "{{ (compose_restart_list | default([])) + [item.item.name] }}"
+  loop: "{{ compose_env_update.results }}"
+  loop_control:
+    label: "{{ item.item.name }}"
+  when: item.changed
+  listen: compose_restart
+
+- name: Restart {{ docker_compose_service }} services
+  ansible.builtin.systemd:
+    state: restarted
+    name: "{{ docker_compose_service }}@{{ item }}"
+  loop: "{{ compose_restart_list | unique }}"
+  when: compose_restart_list is defined
+  listen: compose_restart
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -4,6 +4,13 @@
    state: present
    update_cache: true

+- name: Login to private registry
+  community.docker.docker_login:
+    registry_url: "{{ docker_login_url | default('') }}"
+    username: "{{ docker_login_user }}"
+    password: "{{ docker_login_pass }}"
+  when: docker_login_user is defined and docker_login_pass is defined
+
 - name: Create docker-compose root
  ansible.builtin.file:
    path: "{{ docker_compose_root }}"
@@ -31,6 +38,7 @@
  community.crypto.openssh_keypair:
    path: "{{ docker_repos_keys }}/id_{{ docker_repos_keytype }}"
    type: "{{ docker_repos_keytype }}"
+    comment: "{{ ansible_hostname }}-deploy-key"
    mode: 0400
    state: present
  when: docker_compose_deploy is defined
@@ -39,11 +47,15 @@
  ansible.builtin.git:
    repo: "{{ item.url }}"
    dest: "{{ docker_repos_path }}/{{ item.name }}"
-    version: "{{ item.version | default('main') }}"
-    force: true
+    version: "{{ item.version }}"
+    accept_newhostkey: "{{ item.accept_newhostkey | default('false') }}"
+    gpg_whitelist: "{{ item.trusted_keys | default([]) }}"
+    verify_commit: "{{ true if (item.trusted_keys is defined and item.trusted_keys) else false }}"
    key_file: "{{ docker_repos_keys }}/id_{{ docker_repos_keytype }}"
-  when: docker_compose_deploy is defined
  loop: "{{ docker_compose_deploy }}"
+  loop_control:
+    label: "{{ item.url }}"
+  when: docker_compose_deploy is defined

 - name: Create directories for docker-compose projects using the systemd service
  ansible.builtin.file:
@@ -51,14 +63,20 @@
    state: directory
    mode: 0400
  loop: "{{ docker_compose_deploy }}"
+  loop_control:
+    label: "{{ item.name }}"
  when: docker_compose_deploy is defined

- name: Copy docker-compose.yml files to their service directories
-  ansible.builtin.copy:
+- name: Synchronize docker-compose.yml
+  ansible.posix.synchronize:
    src: "{{ docker_repos_path }}/{{ item.name }}/{{ item.path | default('docker-compose.yml') }}"
    dest: "{{ docker_compose_root }}/{{ item.name }}/docker-compose.yml"
-    remote_src: yes
+  delegate_to: "{{ inventory_hostname }}"
+  register: compose_update
+  notify: compose_restart
  loop: "{{ docker_compose_deploy }}"
+  loop_control:
+    label: "{{ item.name }}"
  when: docker_compose_deploy is defined

 - name: Set environment variables for docker-compose projects
@@ -66,7 +84,11 @@
    src: docker-compose-env.j2
    dest: "{{ docker_compose_root }}/{{ item.name }}/.env"
    mode: 0400
+  register: compose_env_update
+  notify: compose_restart
  loop: "{{ docker_compose_deploy }}"
+  loop_control:
+    label: "{{ item.name }}"
  when: docker_compose_deploy is defined and item.env is defined

 - name: Add users to docker group
@@ -89,4 +111,6 @@
    state: started
    enabled: true
  loop: "{{ docker_compose_deploy }}"
+  loop_control:
+    label: "{{ docker_compose_service }}@{{ item.name }}"
  when: item.enabled is defined and item.enabled is true
--- a/roles/docker/templates/docker-compose-env.j2
+++ b/roles/docker/templates/docker-compose-env.j2
@@ -1,5 +1,4 @@
 # {{ ansible_managed }}
-
 {% if item.env is defined %}
 {% for kvpair in item.env.items() %}
 {{ kvpair.0 }}={{ kvpair.1 }}
Author	SHA1	Message	Date
Kris Lamoureux	7c2def16a5	testing	2023-10-09 00:30:54 -04:00
Kris Lamoureux	0377a5e642	Add option for private OCI registry auth	2023-09-29 22:18:59 -04:00
Kris Lamoureux	2e02efcbb7	Add Makefile, roles_path, and SSH tunnel variable	2023-09-26 21:14:06 -04:00
Kris Lamoureux	8fed63792b	Ask permission for starting vagrant SSH tunnels	2023-09-16 00:04:58 -04:00
Kris Lamoureux	2c4fcbacc3	Introduce forward-ssh.sh method & reorganize - Abandoned update-hosts.sh in favor of loopback SSH forwarding - Adopted *.local.krislamo.org as a wildcard loopback domain - Bound Traefik to ports 443/80 on Dockerbox dev - Removed outdated Gitea config from Dockerbox - Relocated production playbooks to a new directory	2023-09-15 23:46:45 -04:00