feat: initial commit

2021-01-15 21:32:00 +01:00
commit e53a7da36c
40 changed files with 516 additions and 0 deletions
--- a/.drone.yml
+++ b/.drone.yml
@@ -0,0 +1,9 @@
+---
+kind: pipeline
+name: default
+steps:
+  - name: lint
+    image: python:3.7.8-buster
+    commands:
+      - pip install tox
+      - tox -e ci
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,9 @@
+roles-dependencies/
+tests/report.xml
+*.pyc
+.cache
+.molecule
+report.xml
+*.retry
+.vscode
+.tox
--- a/.yamllint
+++ b/.yamllint
@@ -0,0 +1,15 @@
+---
+extends: default
+ignore: |
+  .tox
+  roles-dependencies
+
+rules:
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  line-length: disable
+  truthy: disable
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -0,0 +1,6 @@
+[defaults]
+roles_path=roles-dependencies:roles
+
+[ssh_connection]
+pipelining = True
+control_path = /tmp/ansible-ssh-%%h-%%p-%%r
--- a/inventories/molecule/group_vars/all.yml
+++ b/inventories/molecule/group_vars/all.yml
@@ -0,0 +1 @@
+---
--- a/inventories/molecule/group_vars/all/vars.yml
+++ b/inventories/molecule/group_vars/all/vars.yml
@@ -0,0 +1,4 @@
+---
+# Traefik
+traefik_acme_enabled: false
+traefik_dashboard_enabled: true
--- a/inventories/molecule/group_vars/all/vault.yml
+++ b/inventories/molecule/group_vars/all/vault.yml
@@ -0,0 +1,3 @@
+---
+vault_drone_gitea_client_id: test
+vault_drone_gitea_client_secret: secret
--- a/inventories/vps/group_vars/all/vars.yml
+++ b/inventories/vps/group_vars/all/vars.yml
@@ -0,0 +1,3 @@
+# group_vars/prd
+---
+traefik_docker_domain: ebesson.fr
--- a/inventories/vps/group_vars/all/vault.yml
+++ b/inventories/vps/group_vars/all/vault.yml
@@ -0,0 +1 @@
+---
--- a/inventories/vps/hosts
+++ b/inventories/vps/hosts
@@ -0,0 +1,10 @@
+# inventories/middleware
+[middleware]
+
+[gitea]
+
+
+[vps:children]
+middleware
+gitea
+
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@@ -0,0 +1,44 @@
+---
+driver:
+  name: vagrant
+  provider:
+    name: virtualbox
+lint: |
+  yamllint --config-file .yamllint .
+  ansible-lint . 
+platforms:
+  - name: buster
+    box: debian/buster64
+    interfaces:
+      - auto_config: true
+        network_name: private_network
+        ip: "192.168.50.4"
+    instance_raw_config_args:
+      - "vm.network 'forwarded_port', guest: 8080, host: 8080"
+      - "vm.network 'forwarded_port', guest: 8000, host: 80"
+      - "vm.network 'forwarded_port', guest: 8443, host: 443"
+      - "vm.network 'forwarded_port', guest: 3000, host: 3000"
+      - "vm.network 'forwarded_port', guest: 9091, host: 9091"
+    groups:
+      - all 
+      - molecule
+      - middleware
+      - gitea
+provisioner:
+  name: ansible
+  lint: ansible-lint
+  env:
+    ANSIBLE_ROLES_PATH: ${PWD}/roles:${PWD}/roles-dependencies
+  playbooks:
+    converge: ../../site.yml
+  inventory:
+    links:
+      group_vars: ../../inventories/molecule/group_vars
+scenario:
+  name: default
+verifier:
+  name: testinfra
+  options:
+    junit-xml: report.xml
+    o: "junit_family=legacy"
+
--- a/molecule/default/prepare.yml
+++ b/molecule/default/prepare.yml
@@ -0,0 +1,41 @@
+---
+- name: Prepare
+  hosts: all
+  become: true
+  gather_facts: false
+  tasks:
+    - name: Install Python3 for Ansible
+      raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal sudo)
+      changed_when: false
+
+- name: Install Mkcert
+  hosts: all
+  become: true
+  gather_facts: false
+  tasks:
+    - name: install curl
+      apt:
+        name: curl
+        state: present
+        update_cache: yes
+    - name: install libnss3-tools
+      apt:
+        name: libnss3-tools
+        state: present
+        update_cache: yes
+    - name: download and install mkcert
+      get_url:
+        url: https://github.com/FiloSottile/mkcert/releases/download/v1.4.1/mkcert-v1.4.1-linux-amd64
+        dest: /usr/local/bin/mkcert
+        mode: 0755
+    - name: install the local CA in the system trust store
+      shell: mkcert -install
+    - name: create certs directory
+      file:
+        path: /certs
+        state: directory
+        mode: 0755
+    - name: generate certificates
+      shell: mkcert -cert-file local-cert.pem -key-file local-key.pem "docker.localhost" "*.docker.localhost" "*.192.168.50.4"
+      args:
+        chdir: /certs
--- a/molecule/default/tests/test_docker.py
+++ b/molecule/default/tests/test_docker.py
@@ -0,0 +1,16 @@
+import os
+
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('middleware')
+
+
+def test_docker_package(host):
+
+    assert host.package("docker-ce").is_installed
+
+
+def test_docker_service(host):
+    assert host.service('docker').is_running
+    assert host.service('docker').is_enabled
--- a/molecule/default/tests/test_gitea.py
+++ b/molecule/default/tests/test_gitea.py
@@ -0,0 +1,23 @@
+import os
+
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('gitea')
+
+
+def test_gitea_service(host):
+    assert host.service('gitea').is_running
+    assert host.service('gitea').is_enabled
+
+
+def test_gitea_with_https(host):
+    cmd = host.run("curl -I -k -H Host:git.localhost https://127.0.0.1")
+    assert cmd.rc == 0
+    assert "HTTP/2 200" in cmd.stdout
+
+
+def test_gitea_redirection_with_http(host):
+    cmd = host.run("curl -I -H Host:git.localhost http://127.0.0.1")
+    assert cmd.rc == 0
+    assert "HTTP/1.1 307 Temporary Redirect" in cmd.stdout
--- a/molecule/default/tests/test_traefik.py
+++ b/molecule/default/tests/test_traefik.py
@@ -0,0 +1,11 @@
+import os
+
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('middleware')
+
+
+def test_traefik_service(host):
+    assert host.service('traefik').is_running
+    assert host.service('traefik').is_enabled
--- a/requirements.yml
+++ b/requirements.yml
@@ -0,0 +1,3 @@
+---
+- src: geerlingguy.docker
+  version: 3.0.0
--- a/roles/gitea/defaults/main.yml
+++ b/roles/gitea/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+gitea_state: present
+gitea_version: 1.13.1
+gitea_docker_compose_directory: /opt/gitea
+gitea_url:  git.localhost
--- a/roles/gitea/handlers/main.yml
+++ b/roles/gitea/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: restart gitea
+  service:
+    name: gitea
+    state: restarted
+    daemon_reload: True
+    enabled: True
--- a/roles/gitea/tasks/configure.yml
+++ b/roles/gitea/tasks/configure.yml
@@ -0,0 +1,14 @@
+---
+- name: configure | deploy systemd configuration
+  template:
+    src: etc/systemd/system/gitea.service.j2
+    dest: /etc/systemd/system/gitea.service
+    owner: root
+    group: root
+    mode: 0644
+  notify: "restart gitea"
+
+- name: ensure that service is started
+  service:
+    name: "gitea"
+    state: started
--- a/roles/gitea/tasks/install.yml
+++ b/roles/gitea/tasks/install.yml
@@ -0,0 +1,12 @@
+---
+- name: install | create directory {{ gitea_docker_compose_directory }}
+  file:
+    path: "{{ gitea_docker_compose_directory }}"
+    state: directory
+    mode: 0755
+
+- name: install | set compose file
+  template:
+    src: opt/gitea/docker-compose.yml.j2
+    dest: "{{ gitea_docker_compose_directory }}/docker-compose.yml"
+  notify: 'restart gitea'
--- a/roles/gitea/tasks/main.yml
+++ b/roles/gitea/tasks/main.yml
@@ -0,0 +1,2 @@
+---
+- include_tasks: "{{ gitea_state }}.yml"
--- a/roles/gitea/tasks/present.yml
+++ b/roles/gitea/tasks/present.yml
@@ -0,0 +1,4 @@
+---
+- include_tasks: "install.yml"
+- include_tasks: "configure.yml"
+- include_tasks: "start.yml"
--- a/roles/gitea/tasks/start.yml
+++ b/roles/gitea/tasks/start.yml
@@ -0,0 +1,14 @@
+---
+- name: start | ensure gitea is up and running
+  service:
+    name: gitea
+    state: started
+
+- name: start | wait for gitea up and running
+  command: "docker ps"
+  register: result
+  retries: 60
+  changed_when: no
+  until: "'gitea/gitea:{{ gitea_version}}' in result.stdout"
+  tags:
+    - skip_ansible_lint
--- a/roles/gitea/tasks/stop.yml
+++ b/roles/gitea/tasks/stop.yml
@@ -0,0 +1,5 @@
+---
+- name: stop | ensure gitea is up and running
+  service:
+    name: gitea
+    state: stopped
--- a/roles/gitea/templates/etc/systemd/system/gitea.service.j2
+++ b/roles/gitea/templates/etc/systemd/system/gitea.service.j2
@@ -0,0 +1,11 @@
+# {{ ansible_managed }}
+[Unit]
+Description=gitea
+
+[Service]
+Restart=always
+ExecStart=/usr/local/bin/docker-compose -f "{{ gitea_docker_compose_directory }}/docker-compose.yml" up
+ExecStop=/usr/local/bin/docker-compose -f "{{ gitea_docker_compose_directory }}/docker-compose.yml" stop
+
+[Install]
+WantedBy=local.target
--- a/roles/gitea/templates/opt/gitea/docker-compose.yml.j2
+++ b/roles/gitea/templates/opt/gitea/docker-compose.yml.j2
@@ -0,0 +1,29 @@
+# {{ ansible_managed }}
+
+version: '3.2'
+services:
+    gitea:
+        image: gitea/gitea:{{ gitea_version }}
+        environment:
+          - ROOT_URL="http://{{ gitea_url }}"
+          - DISABLE_SSH=true
+          - DISABLE_REGISTRATION=true
+          - REQUIRE_SIGNIN_VIEW=true
+        restart: always
+        labels:
+          - traefik.enable=true
+          - traefik.docker.network=traefik_network
+          - traefik.backend=gitea
+          - traefik.port=3000
+          - traefik.frontend.rule=Host:{{ gitea_url }}
+        networks:
+          - traefik_network
+        volumes:
+          - gitea:/data
+volumes:
+  gitea:
+    driver: local
+
+networks:
+    traefik_network:
+        external: true
--- a/roles/traefik/defaults/main.yml
+++ b/roles/traefik/defaults/main.yml
@@ -0,0 +1,9 @@
+---
+traefik_state: present
+traefik_version: v1.7.28
+traefik_docker_compose_directory: /opt/traefik
+traefik_use_configuration_file: false
+traefik_docker_domain: docker.localhost
+traefik_docker_log_level: ERROR
+traefik_acme_enabled: true
+traefik_dashboard_enabled: false
--- a/roles/traefik/handlers/main.yml
+++ b/roles/traefik/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: restart traefik
+  service:
+    name: traefik
+    state: restarted
+    daemon_reload: True
+    enabled: True
--- a/roles/traefik/tasks/configure.yml
+++ b/roles/traefik/tasks/configure.yml
@@ -0,0 +1,35 @@
+---
+- name: configure | deploy systemd configuration
+  template:
+    src: etc/systemd/system/traefik.service.j2
+    dest: /etc/systemd/system/traefik.service
+    owner: root
+    group: root
+    mode: 0644
+  notify: "restart traefik"
+
+- name: configure | deploy traefik configuration
+  template:
+    src: opt/traefik/traefik.toml.j2
+    dest: "{{ traefik_docker_compose_directory }}/traefik.toml"
+    owner: root
+    group: root
+    mode: 0644
+  notify: "restart traefik"
+
+- name: configure | create acme.json
+  file:
+    path: "{{ traefik_docker_compose_directory }}/acme.json"
+    owner: root
+    group: root
+    state: touch
+    mode: 0600
+  changed_when: no
+
+- name: configure | create network traefik_network
+  command: docker network create traefik_network
+  ignore_errors: yes
+  changed_when: no
+
+- name: configure | flush handlers
+  meta: flush_handlers
--- a/roles/traefik/tasks/install.yml
+++ b/roles/traefik/tasks/install.yml
@@ -0,0 +1,12 @@
+---
+- name: install | create directory {{ traefik_docker_compose_directory }}
+  file:
+    path: "{{ traefik_docker_compose_directory }}"
+    state: directory
+    mode: 0755
+
+- name: install | set compose file
+  template:
+    src: opt/traefik/docker-compose.yml.j2
+    dest: "{{ traefik_docker_compose_directory }}/docker-compose.yml"
+  notify: 'restart traefik'
--- a/roles/traefik/tasks/main.yml
+++ b/roles/traefik/tasks/main.yml
@@ -0,0 +1,2 @@
+---
+- include_tasks: "{{ traefik_state }}.yml"
--- a/roles/traefik/tasks/present.yml
+++ b/roles/traefik/tasks/present.yml
@@ -0,0 +1,4 @@
+---
+- include_tasks: "install.yml"
+- include_tasks: "configure.yml"
+- include_tasks: "start.yml"
--- a/roles/traefik/tasks/start.yml
+++ b/roles/traefik/tasks/start.yml
@@ -0,0 +1,10 @@
+---
+- name: start | ensure traefik is up and running
+  service:
+    name: traefik
+    state: started
+
+- name: start | wait for traefik up and running
+  wait_for:
+    port: 443
+    delay: 10
--- a/roles/traefik/tasks/stop.yml
+++ b/roles/traefik/tasks/stop.yml
@@ -0,0 +1,5 @@
+---
+- name: stop | ensure traefik is up and running
+  service:
+    name: traefik
+    state: stopped
--- a/roles/traefik/templates/etc/systemd/system/traefik.service.j2
+++ b/roles/traefik/templates/etc/systemd/system/traefik.service.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+[Unit]
+Description=Traefik
+Wants=docker.service
+After=docker.service
+ 
+[Service]
+Restart=always
+ExecStart=/usr/local/bin/docker-compose -f "{{ traefik_docker_compose_directory }}/docker-compose.yml" up
+ExecStop=/usr/local/bin/docker-compose -f "{{ traefik_docker_compose_directory }}/docker-compose.yml" down
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/traefik/templates/opt/traefik/docker-compose.yml.j2
+++ b/roles/traefik/templates/opt/traefik/docker-compose.yml.j2
@@ -0,0 +1,27 @@
+---
+# {{ ansible_managed }}
+version: '3.2'
+services:
+    traefik:
+        image: traefik:{{ traefik_version }}
+        restart: always
+        command: --api --docker # Enables the web UI and tells Traefik to listen to docker
+        ports:
+          - "80:80"     # The HTTP port
+          - "443:443"   # The HTTPS ports
+{% if traefik_dashboard_enabled %}
+          - "8080:8080" # Dashboard port
+{% endif %}
+        volumes:
+          - /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
+          - {{ traefik_docker_compose_directory }}/traefik.toml:/traefik.toml
+          - {{ traefik_docker_compose_directory }}/acme.json:/acme.json
+        labels:
+          - traefik.enable=true
+          - traefik.docker.network=traefik_network
+        networks:
+          - traefik_network
+
+networks:
+    traefik_network:
+        external: true
--- a/roles/traefik/templates/opt/traefik/traefik.toml.j2
+++ b/roles/traefik/templates/opt/traefik/traefik.toml.j2
@@ -0,0 +1,43 @@
+# {{ ansible_managed }}
+###Traefik.toml###
+
+logLevel = "{{ traefik_docker_log_level }}"
+defaultEntryPoints = ["http","https"]
+
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+    [entryPoints.http.redirect]
+    entryPoint = "https"
+  [entryPoints.https]
+  address = ":443"
+    [entryPoints.https.tls]
+{% if not traefik_acme_enabled %}
+    [[entryPoints.https.tls.certificate]]
+    certFile = "/certs/local-cert.pem"
+    keyFile = "/certs/local-key.pem"
+{% endif %}
+
+{% if traefik_dashboard_enabled %}
+[api]
+  # With this you enable the web UI
+  insecure = true
+  dashboard = true
+{% endif %}
+
+{% if traefik_acme_enabled %}
+[acme]
+email = "etienne.besson@gmail.com"
+storage = "acme.json"
+onHostRule = true
+entryPoint = "https" 
+  [acme.tlsChallenge]
+{% endif %}
+
+# Enable Docker configuration backend
+[docker]
+  endpoint = "unix:///var/run/docker.sock"
+  domain = "{{ traefik_docker_domain }}"
+  watch = true
+  exposedByDefault = false 
+
--- a/site.yml
+++ b/site.yml
@@ -0,0 +1,23 @@
+---
+- hosts: all
+  gather_facts: False
+  tasks:
+    - name: Install python for Ansible
+      raw: test -e /usr/bin/python || (apt -y update && apt install -y python2.7 python-minimal sudo)
+      changed_when: False
+
+
+- hosts: middleware
+  become: True
+  roles:
+    - geerlingguy.docker
+    - traefik
+  tags:
+    - traefik
+
+- hosts: gitea
+  become: True
+  roles:
+    - gitea
+  tags:
+    - gitea
--- a/tox.ini
+++ b/tox.ini
@@ -0,0 +1,20 @@
+[tox]
+recreate = true
+skipsdist = true
+envlist = py{3}-ansible
+
+[testenv]
+passenv = *
+deps =
+    ansible==2.9.*
+    pytest-testinfra==6.0.*
+    molecule==3.2.*
+    molecule-vagrant==0.6.*
+    python-vagrant==0.5.*
+    paramiko==2.6.0
+    ansible-lint==4.3.*
+
+[testenv:ci]
+passenv = *
+    ansible-galaxy install -r requirements.yml --ignore-errors -p roles-dependencies --force
+    molecule lint
--- a/venv.sh
+++ b/venv.sh
@@ -0,0 +1,4 @@
+tox
+source .tox/py3-ansible/bin/activate
+rm -Rf roles-dependencies || true
+ansible-galaxy install -r requirements.yml --ignore-errors -p roles-dependencies --force