diff --git a/group_vars/all/secrets.yml b/group_vars/all/secrets.yml index 1401540..7ed5b96 100644 --- a/group_vars/all/secrets.yml +++ b/group_vars/all/secrets.yml @@ -1,22 +1,34 @@ $ANSIBLE_VAULT;1.1;AES256 -39373266356536656663653438363463633264366465316163353764366463383431376131643433 -6433303537373830643432633533663334326632656364390a303161333635343966393537303665 -65383565643732386333613139623235623262353834313464333136383637666361373764333164 -3138643563373137380a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a336132333463633131353134336162 +66343637656233626336336461323836303665613334333938326532316330646235393965373164 +3430656664373764620a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diff --git a/hosts.yml b/hosts.yml index 1c34a46..d4899be 100755 --- a/hosts.yml +++ b/hosts.yml @@ -33,6 +33,8 @@ all: ansible_host: 10.89.0.107 apps: ansible_host: 10.89.0.108 + gitea_runners: + ansible_host: 10.89.0.109 utility: hosts: observability_hub: diff --git a/playbooks/nodes/apps.yml b/playbooks/nodes/apps.yml index 1b70b85..6604628 100644 --- a/playbooks/nodes/apps.yml +++ b/playbooks/nodes/apps.yml @@ -15,9 +15,6 @@ - role: apps/flowtodo vars: port: 7076 - - role: apps/komga - vars: - port: 7080 - role: apps/outline-wiki vars: port: 7083 @@ -59,6 +56,12 @@ - role: apps/umami vars: port: 7088 + - role: apps/scripthost + vars: + port: 7089 + - role: apps/authentikate + vars: + port: 7090 tasks: - name: Personal DW drop ansible.builtin.include_role: @@ -66,16 +69,6 @@ vars: port: 7077 pin: "8989" - - - name: Komga DW drop - ansible.builtin.include_role: - name: apps/dumbware-drop - vars: - container_name: dw-drop-komga-books - page_title: "Contribute to the book library" - port: 7081 - pin: "1337" - directory: "komga/data/books" - name: Javier Feliz Blog ansible.builtin.include_role: name: apps/ghost diff --git a/playbooks/nodes/gitea-runners.yml b/playbooks/nodes/gitea-runners.yml new file mode 100644 index 0000000..6d308e7 --- /dev/null 
+++ b/playbooks/nodes/gitea-runners.yml
@@ -0,0 +1,10 @@
+---
+- name: Set up gitea runners node
+ hosts: gitea_runners
+ become: true
+ roles:
+ # - role: docker/install
+ # - role: docker/portainer
+ # - role: observability/prometheus-node-exporter
+ # - role: server/setup/sshkey
+ - role: services/gitea-act-runner
\ No newline at end of file
diff --git a/playbooks/proxy/external.yml b/playbooks/proxy/external.yml
index 18c3e74..b1e8b73 100644
--- a/playbooks/proxy/external.yml
+++ b/playbooks/proxy/external.yml
@@ -25,6 +25,9 @@
 - name: "share"
 host: "{{ lookup('hostip', 'apps') }}"
 port: 7078
+ - name: "run"
+ host: "{{ lookup('hostip', 'apps') }}"
+ port: 7089
 - name: "blinker.club"
 host: "{{ lookup('hostip', 'portainer_main') }}"
 port: 7575
@@ -100,4 +103,7 @@
 port: 7087
 - name: "analytics"
 host: "{{ lookup('hostip', 'apps') }}"
- port: 7088
\ No newline at end of file
+ port: 7088
+ - name: "auth"
+ host: "{{ lookup('hostip', 'apps') }}"
+ port: 7090
\ No newline at end of file
diff --git a/roles/apps/komga/defaults/main.yml b/roles/apps/authentikate/defaults/main.yml
similarity index 100%
rename from roles/apps/komga/defaults/main.yml
rename to roles/apps/authentikate/defaults/main.yml
diff --git a/roles/apps/authentikate/tasks/main.yml b/roles/apps/authentikate/tasks/main.yml
new file mode 100644
index 0000000..ddc6639
--- /dev/null
+++ b/roles/apps/authentikate/tasks/main.yml
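Review bot: `docker/install` and `server/setup/sshkey` are left commented out, but the one role this play enables (`services/gitea-act-runner`) adds its user to the `docker` group (`gitea_runner_group` in that role's vars) and templates a config that mounts `/var/run/docker.sock`, so on a fresh 10.89.0.109 the `ansible.builtin.user` task fails until Docker exists, and a host that will execute CI jobs is provisioned without the SSH-key hardening and node exporter the other nodes get. If Docker is preinstalled on this node, say so instead of leaving dead role entries, e.g. `# docker/install skipped on purpose: docker is preinstalled on this node`; otherwise uncomment `docker/install` and `server/setup/sshkey`. Either way the commented roles should not ship as the only documentation of how this node differs from the others.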
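Review bot: The new `run` entry will be served as `run.{{ base_domain }}` (the Caddy template in this commit builds the matcher from `site.name` and `base_domain`), yet the scripthost container behind apps:7089 is started with `APP_URL: https://run.thatshit.live`, while the sibling `auth` entry's upstream declares `https://auth.melab.fyi`; if this `domain` block's base_domain is melab.fyi, scripthost will emit redirects, signed URLs and cookies for a host Caddy is not serving. The `domain` entry these sites belong to starts outside the hunk, so confirm which base_domain applies and align `APP_URL` with it. A one-line comment on the `auth` entry would also help future readers, e.g. `# auth: authentikate, presumably the OAuth provider the other apps delegate to` — hedged, since only that role's `oauth` keys volume hints at it.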
@@ -0,0 +1,48 @@
+- name: Container data folder for oauth keys
+ ansible.builtin.include_role:
+ role: docker/container-data
+ vars:
+ dir_name: "authentikate"
+
+- name: Make keys folder in container data
+ ansible.builtin.file:
+ path: "{{ container_data_base_path }}/authentikate/keys"
+ state: directory
+ mode: '0777'
+
+- name: Make avatars folder in container data
+ ansible.builtin.file:
+ path: "{{ container_data_base_path }}/authentikate/avatars"
+ state: directory
+ mode: '0777'
+
+- name: Create database
+ ansible.builtin.include_role:
+ role: app/database
+ vars:
+ app_name: "authentikate"
+
+- name: Deploy container
+ community.docker.docker_container:
+ image: gitgud.foo/thegrind/authentikate:latest
+ name: authentikate
+ pull: true
+ state: started
+ ports:
+ - "{{ port }}:8000"
+ env:
+ APP_URL: "https://auth.melab.fyi"
+ APP_NAME: "The Grind Auth"
+ APP_TIMEZONE: "America/New_York"
+ APP_KEY: "base64:5T2vyytKe4gILICvEoNqBxoiSFwrY4qZ0/264gDHJxI="
+ OCTANE_HTTPS: "true"
+ DB_CONNECTION: "pgsql"
+ DB_HOST: "{{ pg_host }}"
+ DB_PORT: "{{ pg_port | string }}"
+ DB_DATABASE: "authentikate"
+ DB_USERNAME: "authentikate"
+ DB_PASSWORD: "password"
+ LOG_CHANNEL: daily
+ volumes:
+ - "{{container_data_base_path}}/authentikate/keys:/app/storage/oauth"
+ - "{{container_data_base_path}}/authentikate/avatars:/app/storage/avatars"
\ No newline at end of file
diff --git a/roles/apps/komga/tasks/main.yml b/roles/apps/komga/tasks/main.yml
deleted file mode 100644
index f3b5c8f..0000000
--- a/roles/apps/komga/tasks/main.yml
+++ /dev/null
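Review bot: `APP_KEY` and `DB_PASSWORD` are committed in plaintext on the `env:` lines, while the maxun role in this same commit reads `maxun.app_key` / `maxun.jwt_secret` from a vaulted dict and the runner token uses `!vault`, so the project already has the pattern; the key is now in git history and has to be rotated, not just moved. The `keys` directory mounted at `/app/storage/oauth` is created with `mode: '0777'`, which lets every local account on the apps host read and replace the OAuth signing material; tighten it to `0700` owned by the uid the container runs as (not visible here, confirm from the image). `image: ...:latest` with `pull: true` means every play run silently deploys whatever the registry currently serves for the identity provider, so pin a tag or digest, and `DB_PASSWORD: "password"` must also match whatever `app/database` provisions, which is outside this diff.

```yaml
- name: Make keys folder in container data
  ansible.builtin.file:
    path: "{{ container_data_base_path }}/authentikate/keys"
    state: directory
    mode: '0700'
    # TODO: owner/group must be the uid the container runs as; confirm from the image
# … unchanged: avatars folder, database, container name/pull/state/ports …
    env:
      # … unchanged: APP_URL, APP_NAME, APP_TIMEZONE …
      APP_KEY: "{{ authentikate.app_key }}"          # vaulted; rotate the value that was committed here
      # … unchanged: OCTANE_HTTPS, DB_CONNECTION, DB_HOST, DB_PORT, DB_DATABASE, DB_USERNAME …
      DB_PASSWORD: "{{ authentikate.db_password }}"  # vaulted; must equal what app/database provisions
```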
@@ -1,35 +0,0 @@ -# - name: Create DB -# ansible.builtin.include_role: -# name: app/database -# vars: -# app_name: "booklore" -- name: Create data folder - ansible.builtin.include_role: - name: docker/container-data - vars: - dir_name: "komga" - -- name: Create necessary subfolders - ansible.builtin.file: - dest: "{{ container_data_base_path }}/komga/{{ item }}" - state: directory - mode: '0777' - loop: - - data - - "data/books" - - config - -- name: Deploy container - community.docker.docker_container: - name: komga-ebook-library - pull: true - state: started - image: gotson/komga - volumes: - - "{{ container_data_base_path }}/komga/config:/config" - - "{{ container_data_base_path }}/komga/data:/data" - - /etc/timezone:/etc/timezone - ports: - - "{{ port }}:25600" - user: "1000:1000" - restart_policy: unless-stopped \ No newline at end of file diff --git a/roles/apps/maxun/defaults/main.yml b/roles/apps/maxun/defaults/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/roles/apps/maxun/tasks/main.yml b/roles/apps/maxun/tasks/main.yml new file mode 100644 index 0000000..c8f49b9 --- /dev/null +++ b/roles/apps/maxun/tasks/main.yml 
@@ -0,0 +1,68 @@
+- name: Create database
+ ansible.builtin.include_role:
+ role: app/database
+ vars:
+ app_name: "maxun"
+
+- name: Deploy maxun backend
+ community.docker.docker_container:
+ name: maxun-backend
+ image: getmaxun/maxun-backend:v0.0.18
+ state: started
+ restart_policy: unless-stopped
+ ports:
+ - "{{ backend_port }}:{{ backend_port }}"
+ env:
+ URL: "{{ backend_url }}"
+ PLAYWRIGHT_BROWSERS_PATH: "/ms-playwright"
+ PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: "0"
+ CHROMIUM_FLAGS: "'--disable-gpu --no-sandbox --headless=new'"
+ # Adapted from the example .env
+ NODE_ENV: "production"
+ JWT_SECRET: "{{ maxun.jwt_secret }}"
+ DB_NAME: "maxun"
+ DB_USER: "maxun"
+ DB_PASSWORD: "password"
+ DB_HOST: "{{ pg_host }}"
+ DB_PORT: "{{ pg_port | string }}"
+ ENCRYPTION_KEY: "{{ maxun.app_key }}"
+ SESSION_SECRET: "{{ maxun.session_secret }}"
+
+ MINIO_ENDPOINT: "{{ lookup('hostip', 'prod_services') }}"
+ MINIO_PORT: "5002"
+ MINIO_CONSOLE_PORT: "5001"
+ MINIO_ACCESS_KEY: "K8YFuQFhUm8i7F9KuAMy"
+ MINIO_SECRET_KEY: "Vw9MGxOQWe3MaBjTBnqK8VxL1YGwQxEgLC1A6ZwO"
+ REDIS_HOST: "{{ lookup('hostip', 'prod_services') }}"
+ REDIS_PORT: "6379"
+ REDIS_PASSWORD: ""
+
+ # Backend and Frontend URLs and Ports
+ BACKEND_PORT: "{{ backend_port | string }}" # Port to run backend on. Needed for Docker setup
+ FRONTEND_PORT: "{{ frontend_port | string }}" # Port to run frontend on.
Needed for Docker setup
+ VITE_BACKEND_URL: "{{ backend_url }}"
+ VITE_PUBLIC_URL: "{{ frontend_url }}"
+ MAXUN_TELEMETRY: "false"
+ security_opts:
+ - seccomp=unconfined
+ shm_size: "2G"
+ memory_reservation: "2G"
+ volumes:
+ - "/var/run/dbus:/var/run/dbus"
+
+- name: Deploy maxun front end
+ community.docker.docker_container:
+ name: maxun-frontend
+ image: getmaxun/maxun-frontend:v0.0.18
+ state: started
+ ports:
+ - "{{ frontend_port }}:5173"
+ env:
+ PUBLIC_URL: "{{ frontend_url }}"
+ BACKEND_URL: "{{ backend_url }}"
+ NODE_ENV: "production"
+ MAXUN_TELEMETRY: "false"
+ BACKEND_PORT: "{{ backend_port | string }}" # Port to run backend on. Needed for Docker setup
+ FRONTEND_PORT: "{{ frontend_port | string }}" # Port to run frontend on. Needed for Docker setup
+ VITE_BACKEND_URL: "{{ backend_url }}"
+ VITE_PUBLIC_URL: "{{ frontend_url }}"
\ No newline at end of file
diff --git a/roles/apps/scripthost/defaults/main.yml b/roles/apps/scripthost/defaults/main.yml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/apps/scripthost/tasks/main.yml b/roles/apps/scripthost/tasks/main.yml
new file mode 100644
index 0000000..c3c83ad
--- /dev/null
+++ b/roles/apps/scripthost/tasks/main.yml
@@ -0,0 +1,25 @@
+- name: Create database
+ ansible.builtin.include_role:
+ role: app/database
+ vars:
+ app_name: "scripthost"
+
+- name: Deploy container
+ community.docker.docker_container:
+ image: gitgud.foo/thegrind/scripthost
+ name: scripthost
+ pull: true
+ state: started
+ ports:
+ - "{{ port }}:8000"
+ env:
+ APP_URL: "https://run.thatshit.live"
+ APP_TIMEZONE: "America/New_York"
+ APP_KEY: "base64:rq0EBhrppwplUkdUPnN6G54nSn+pUiZE1T0WG6Q3gzc="
+ OCTANE_HTTPS: "true"
+ DB_CONNECTION: "pgsql"
+ DB_HOST: "{{ pg_host }}"
+ DB_PORT: "{{ pg_port | string }}"
+ DB_DATABASE: "scripthost"
+ DB_USERNAME: "scripthost"
+ DB_PASSWORD: "password"
\ No newline at end of file
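Review bot: `MINIO_ACCESS_KEY` and `MINIO_SECRET_KEY` are committed in plaintext a few lines below `SESSION_SECRET`, which this same task already reads from the vaulted `maxun.*` dict, so the inconsistency is the defect; change them to `MINIO_ACCESS_KEY: "{{ maxun.minio_access_key }}"` and `MINIO_SECRET_KEY: "{{ maxun.minio_secret_key }}"` and rotate the pair on the MinIO side, since it is now in history. `REDIS_PASSWORD: ""` and `DB_PASSWORD: "password"` on the backend that holds scraped data and user sessions deserve the same treatment. `security_opts: - seccomp=unconfined` together with `--no-sandbox` in `CHROMIUM_FLAGS` removes both layers that would contain a renderer exploit from a scraped page, leaving the container boundary as the only one; if the image genuinely needs no-sandbox, keep the default seccomp profile and record the reason, e.g. `# seccomp=unconfined: <reason>; note the browser sandbox is already disabled`. Nothing in this commit wires the role into a playbook and `defaults/main.yml` is empty, so `backend_port`, `frontend_port`, `backend_url` and `frontend_url` are presumably supplied elsewhere and should at least get defaults or a comment naming where they come from.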
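Review bot: `APP_KEY` and `DB_PASSWORD` are hard-coded on the `env:` lines of a service that the proxy change in this commit exposes externally as `run`; use vaulted values, `APP_KEY: "{{ scripthost.app_key }}"` and `DB_PASSWORD: "{{ scripthost.db_password }}"`, and rotate the committed key. `image: gitgud.foo/thegrind/scripthost` carries no tag, so with `pull: true` every play run deploys whatever `:latest` is on the registry; pin a tag or digest as the maxun role does with `v0.0.18`. Unlike the maxun and node-exporter containers in this commit, no `restart_policy` is set, so the service stays down after a host reboot; add `restart_policy: unless-stopped`. `APP_URL: "https://run.thatshit.live"` should also match the hostname the Caddy `run` entry actually serves, which depends on that block's `base_domain`.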
diff --git a/roles/caddy/proxy/templates/Caddyfile.j2 b/roles/caddy/proxy/templates/Caddyfile.j2
index da74eec..0ca3e24 100644
--- a/roles/caddy/proxy/templates/Caddyfile.j2
+++ b/roles/caddy/proxy/templates/Caddyfile.j2
@@ -37,6 +37,17 @@
 {% for site in domain.sites %}
 @{{ site.name }} host {{ site.name }}.{{ base_domain }}
 handle @{{ site.name }} {
+ {% if site.api_path is defined %}
+ handle_path /{{ site.api_path }}/* {
+ reverse_proxy {{ site.host }}:{{ site.api_port }} {
+ transport http {
+ {% for opt in (site.api_transport_opts | default([])) %}
+ {{ opt }}
+ {% endfor %}
+ }
+ }
+ }
+ {% endif %}
 reverse_proxy {{ site.host }}:{{ site.port }} {
 transport http {
 {% for opt in (site.transport_opts | default([])) %}
diff --git a/roles/observability/prometheus-node-exporter/tasks/main.yml b/roles/observability/prometheus-node-exporter/tasks/main.yml
index 935428e..bfa1185 100644
--- a/roles/observability/prometheus-node-exporter/tasks/main.yml
+++ b/roles/observability/prometheus-node-exporter/tasks/main.yml
@@ -1,4 +1,4 @@
-- name: Deploy node exporter container
+- name: deploy node exporter container
 community.docker.docker_container:
 name: prometheus-node-exporter
 image: quay.io/prometheus/node-exporter:latest
@@ -7,6 +7,6 @@
 restart: true
 network_mode: host
 pid_mode: host
- restart_policy: unless-stopped
+ restart_policy: always
 volumes:
 - '/:/host:ro,rslave'
\ No newline at end of file
diff --git a/roles/services/gitea-act-runner/defaults/main.yml b/roles/services/gitea-act-runner/defaults/main.yml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/services/gitea-act-runner/tasks/main.yml b/roles/services/gitea-act-runner/tasks/main.yml
new file mode 100644
index 0000000..cc5cafa
--- /dev/null
+++ b/roles/services/gitea-act-runner/tasks/main.yml
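Review bot: The `{% if site.api_path is defined %}` guard does not cover `site.api_port`, so a site that sets `api_path` but forgets `api_port` renders `reverse_proxy host: {`, and Caddy rejects the whole Caddyfile, taking every proxied site down together; use `{% if site.api_path is defined and site.api_port is defined %}`, or `{{ site.api_port | mandatory }}` so the play fails at template time instead. `handle_path` strips the `/{{ site.api_path }}` prefix before proxying, which the inventory author needs to know when pointing it at an upstream; a comment above the block, e.g. `{# api_path is stripped from the request; the api upstream must serve at / #}`, documents it. `site.api_path` is also interpolated raw into the matcher, so a leading slash or whitespace in inventory breaks the config the same way; it is trusted input, but normalising it would make the failure mode less global. The enclosing `{% for site in domain.sites %}` loop continues past the hunk.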
@@ -0,0 +1,61 @@
+- name: Ensure act_runner user exists
+ ansible.builtin.user:
+ name: "{{ gitea_runner_user }}"
+ groups: "{{ gitea_runner_group }}"
+ append: true
+ shell: /bin/bash
+
+- name: Create data directory
+ ansible.builtin.file:
+ path: "{{ gitea_runner_data_dir }}"
+ state: directory
+ owner: "{{ gitea_runner_user }}"
+ group: "{{ gitea_runner_group }}"
+ mode: "0755"
+
+- name: Download act_runner binary
+ ansible.builtin.get_url:
+ url: "{{ gitea_runner_download_url }}"
+ dest: "{{ gitea_runner_install_path }}"
+ mode: "0755"
+
+- name: Generate act_runner config
+ ansible.builtin.template:
+ src: config.yml.j2
+ dest: "{{ gitea_runner_config_path }}"
+ owner: "{{ gitea_runner_user }}"
+ group: "{{ gitea_runner_group }}"
+ mode: "0644"
+
+- name: Register runner
+ become: true
+ ansible.builtin.shell: >
+ rm -f {{ gitea_runner_data_dir }}/.runner &&
+ sudo -u {{ gitea_runner_user }} {{ gitea_runner_install_path }} register
+ --no-interactive
+ --config {{ gitea_runner_config_path }}
+ --instance {{ gitea_instance_url }}
+ --token {{ gitea_runner_token }}
+ --name {{ gitea_runner_name }}
+ --labels {{ gitea_runner_labels | join(',') }}
+ args:
+ chdir: "{{ gitea_runner_data_dir }}"
+ executable: /bin/bash
+
+- name: Install systemd service
+ ansible.builtin.template:
+ src: act_runner.service.j2
+ dest: /etc/systemd/system/act_runner.service
+ owner: root
+ group: root
+ mode: "0644"
+
+- name: Reload systemd
+ ansible.builtin.systemd:
+ daemon_reload: true
+
+- name: Enable and start act_runner
+ ansible.builtin.systemd:
+ name: act_runner
+ enabled: true
+ state: restarted
diff --git a/roles/services/gitea-act-runner/templates/act_runner.service.j2 b/roles/services/gitea-act-runner/templates/act_runner.service.j2
new file mode 100644
index 0000000..e2baec8
--- /dev/null
+++ b/roles/services/gitea-act-runner/templates/act_runner.service.j2
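Review bot: The `Register runner` task puts `{{ gitea_runner_token }}` on a shell command line with no `no_log: true`, so the value that `vars/main.yml` carefully vault-encrypts is printed in plain text in play output and callback logs (and is visible in `ps` on the host while the command runs); at minimum add `no_log: true`. The task also does `rm -f .../.runner` before every run and the play ends with `state: restarted`, so each `ansible-playbook` invocation re-registers the runner and restarts it mid-job; if that is intended (say, to pick up label changes) a comment should say so, otherwise `creates:` makes it idempotent, and `become_user` replaces the `sudo -u` embedded in the shell string. `get_url` pins a version but sets no `checksum:`, so a replaced download becomes an arbitrary binary that then runs with Docker access; add a sha256 next to the version in vars. The trailing `become: true` on the task is redundant with the play-level `become: true` in `gitea-runners.yml`.

```yaml
- name: Download act_runner binary
  ansible.builtin.get_url:
    url: "{{ gitea_runner_download_url }}"
    dest: "{{ gitea_runner_install_path }}"
    mode: "0755"
    checksum: "sha256:{{ gitea_runner_sha256 }}"  # define beside gitea_runner_version in vars
# … unchanged: config template …
- name: Register runner
  become: true
  become_user: "{{ gitea_runner_user }}"
  no_log: true  # the registration token must not reach play output or callback logs
  ansible.builtin.command:
    argv:
      - "{{ gitea_runner_install_path }}"
      - register
      - --no-interactive
      - --config
      - "{{ gitea_runner_config_path }}"
      - --instance
      - "{{ gitea_instance_url }}"
      - --token
      - "{{ gitea_runner_token }}"
      - --name
      - "{{ gitea_runner_name }}"
      - --labels
      - "{{ gitea_runner_labels | join(',') }}"
    chdir: "{{ gitea_runner_data_dir }}"
    creates: "{{ gitea_runner_data_dir }}/.runner"  # drop if re-registering on every run is intended
# … unchanged: systemd unit, daemon_reload, enable/start …
```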
@@ -0,0 +1,13 @@
+[Unit]
+Description=Gitea Actions runner
+After=docker.service
+
+[Service]
+ExecStart={{ gitea_runner_install_path }} daemon --config {{ gitea_runner_config_path }}
+WorkingDirectory={{ gitea_runner_data_dir }}
+Restart=always
+RestartSec=10
+User={{ gitea_runner_user }}
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/services/gitea-act-runner/templates/config.yml.j2 b/roles/services/gitea-act-runner/templates/config.yml.j2
new file mode 100644
index 0000000..d43c06d
--- /dev/null
+++ b/roles/services/gitea-act-runner/templates/config.yml.j2
@@ -0,0 +1,18 @@
+log:
+ level: info
+
+runner:
+ name: {{ gitea_runner_name }}
+ priviledged: true
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ labels:
+{% for label in gitea_runner_labels %}
+ - "{{ label }}"
+{% endfor %}
+ data_dir: {{ gitea_runner_data_dir }}
+ config_file: {{ gitea_runner_config_path }}
+ capacity: 4
+
+cache:
+ enabled: false
diff --git a/roles/services/gitea-act-runner/vars/main.yml b/roles/services/gitea-act-runner/vars/main.yml
new file mode 100644
index 0000000..e2d0718
--- /dev/null
+++ b/roles/services/gitea-act-runner/vars/main.yml
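Review bot: `After=docker.service` only orders the unit; without `Wants=docker.service` (or `Requires=`) the runner is started on boot even when Docker is not, and jobs fail until it appears, so add `Wants=docker.service` under `[Unit]`. Running as `User={{ gitea_runner_user }}` is right, but that account sits in the docker group per the role's vars and the unit applies no hardening; `NoNewPrivileges=true` under `[Service]` is cheap and does not interfere with Docker API use. A comment noting that `WorkingDirectory` is where act_runner keeps `.runner` (presumably the registration credential, given the tasks file deletes it before re-registering) would tell the next reader why the directory's ownership matters.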
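Review bot: `priviledged: true` is misspelled and, as far as act_runner's shipped config.example.yaml goes, the real keys are `container.privileged` and `container.valid_volumes`, not `runner.privileged` / `runner.volumes` (nor `data_dir` / `config_file`), so this block is silently ignored and the rendered config does not do what it reads as doing; please verify against the act_runner 0.2.12 example config. That is the safer outcome, because what it intends is to hand every workflow on gitgud.foo `--privileged` plus the host Docker socket, which is root on this node for anyone who can push to a repository with Actions enabled. If the laravel-runner images truly need it, move it under a `container:` section with a comment naming the workflow that needs it, e.g. `container:` / `privileged: false  # true == host root for any workflow; enable per need only` / `valid_volumes: []  # docker.sock here hands jobs the host Docker API`. `capacity: 4` sets how many jobs run concurrently on this one host; a comment on why four would help.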
@@ -0,0 +1,23 @@
+gitea_runner_version: "0.2.12"
+gitea_runner_download_url: "https://dl.gitea.com/act_runner/{{ gitea_runner_version }}/act_runner-{{ gitea_runner_version }}-linux-amd64"
+gitea_runner_install_path: "/usr/local/bin/act_runner"
+
+gitea_instance_url: "https://gitgud.foo"
+gitea_runner_token: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 63333331616539333263306466323537616665383838383934313633656633326535643139313930
+ 6238363266333530343531663866343232343232343930330a333964643234653262393133393262
+ 34313237313866633739666432663061343965376232383639626366343833323637633262663035
+ 3166646562383034380a333130336334356338616463643638623936393138393363343535366436
+ 66303933613535363630313430323765376637623530343232623161653333383934336462613832
+ 3837663036326136316236313537356639353537626132333963
+gitea_runner_name: "melab_dot_fyi"
+gitea_runner_labels:
+ - "ubuntu-latest:docker://node:20-bullseye"
+ - "laravel-runner:docker://gitgud.foo/thegrind/laravel-runner:latest"
+ - "laravel-runner-php84:docker://gitgud.foo/thegrind/laravel-runner:php8.4"
+
+gitea_runner_user: "act_runner"
+gitea_runner_group: "docker"
+gitea_runner_config_path: "/home/act_runner/config.yaml"
+gitea_runner_data_dir: "/var/lib/act_runner"
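Review bot: `gitea_instance_url`, `gitea_runner_token`, `gitea_runner_name` and `gitea_runner_labels` are placed in the role's `vars/main.yml`, which takes precedence over inventory, `group_vars` and play vars, so none of them can be overridden per host or group, while the `defaults/main.yml` added in this commit is empty; move the tunables (everything except the install/config/data paths) into `defaults/main.yml` and keep the vaulted token in inventory-level `group_vars` next to the other secrets. `gitea_runner_group: "docker"` makes the runner account root-equivalent on the host, which is inherent to Docker-based jobs but should be stated, e.g. `# docker group membership == root on this host; keep this node dedicated to the runner`. The download URL is pinned to `0.2.12` but nothing verifies the artifact; add `gitea_runner_sha256: "..."` beside `gitea_runner_version` so the get_url task can check it. The laravel-runner label points at `:latest` on the internal registry, so job images change underneath workflows without a commit here; a digest or dated tag would make that auditable.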