feat: initial commit

2021-01-15 21:32:00 +01:00
commit e53a7da36c
40 changed files with 516 additions and 0 deletions

9
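--- a/.drone.yml
+++ b/.drone.yml
@@ -0,0 +1,9 @@
+---
+kind: pipeline
+name: default
+steps:
+- name: lint
+image: python:3.7.8-buster
+commands:
+- pip install tox
+- tox -e ci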
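Review bot: `pip install tox` on the `commands:` line installs whatever tox release PyPI serves on the day of the build, while the image tag and the tox.ini dependencies are pinned, so the one unpinned link in the chain is the tool that drives all the others; pin it, e.g. `- pip install 'tox==<PINNED_TOX_VERSION>'`. The `python:3.7.8-buster` tag is pinned by version only; a digest pin (`image: python:3.7.8-buster@sha256:<IMAGE_DIGEST>`) would make the lint image reproducible as well. Indentation was lost in this rendering, so the nesting of `image:` and `commands:` under the step could not be checked here.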

9
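--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,9 @@
+roles-dependencies/
+tests/report.xml
+*.pyc
+.cache
+.molecule
+report.xml
+*.retry
+.vscode
+.tox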

15
.yamllint Executable file

@@ -0,0 +1,15 @@
---
extends: default
ignore: |
.tox
roles-dependencies
rules:
braces:
max-spaces-inside: 1
level: error
brackets:
max-spaces-inside: 1
level: error
line-length: disable
truthy: disable
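Review bot: `truthy: disable` switches off the one rule that would catch the `yes`/`no`/`True` values this commit uses throughout its playbooks (for example `update_cache: yes` in prepare.yml, `daemon_reload: True` in the handlers and `become: True` in site.yml), which YAML 1.1 and 1.2 loaders read differently. Keeping the rule and narrowing it, `truthy:` / `  allowed-values: ['true', 'false']` / `  check-keys: false`, leaves `on:`-style keys alone while still flagging the values, which would then need normalizing to `true`/`false`. `line-length: disable` is a judgement call, but with it off nothing stops the long `shell:` and `raw:` one-liners elsewhere in the commit from growing further.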

6
ansible.cfg Executable file

@@ -0,0 +1,6 @@
[defaults]
roles_path=roles-dependencies:roles
[ssh_connection]
pipelining = True
control_path = /tmp/ansible-ssh-%%h-%%p-%%r
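Review bot: `control_path = /tmp/ansible-ssh-%%h-%%p-%%r` puts the SSH ControlMaster sockets in the shared, world-writable `/tmp` under a predictable name, so any other local account on the control node can pre-create or race for that path; the stock location under the user's own directory avoids this, e.g. `control_path = %(directory)s/%%h-%%p-%%r` (or `control_path_dir = ~/.ansible/cp`). `pipelining = True` is a sensible speed-up but only works when `requiretty` is off in the targets' sudoers, which nothing in this commit sets; a comment above the line stating that prerequisite would save a confusing failure later.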


@@ -0,0 +1 @@
---


@@ -0,0 +1,4 @@
---
# Traefik
traefik_acme_enabled: false
traefik_dashboard_enabled: true


@@ -0,0 +1,3 @@
---
vault_drone_gitea_client_id: test
vault_drone_gitea_client_secret: secret
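Review bot: `vault_drone_gitea_client_id: test` and `vault_drone_gitea_client_secret: secret` are committed in plaintext in a file whose `vault_` naming suggests it is meant to be ansible-vault encrypted; even with placeholder values it is worth encrypting it now (`ansible-vault encrypt <path-to-this-file>`) or keeping it out of VCS, because this is where the real values will land and plaintext history is hard to scrub. Nothing else in this commit reads these two variables, as far as the diff shows, so a comment naming their consumer (the Drone/Gitea OAuth pair the names imply) would help the next reader.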


@@ -0,0 +1,3 @@
# group_vars/prd
---
traefik_docker_domain: ebesson.fr


@@ -0,0 +1 @@
---

10
inventories/vps/hosts Executable file

@@ -0,0 +1,10 @@
# inventories/middleware
[middleware]
[gitea]
[vps:children]
middleware
gitea
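Review bot: The header comment `# inventories/middleware` names a path that does not exist in this commit; the file is `inventories/vps/hosts`, so it should read `# inventories/vps/hosts`. Both `[middleware]` and `[gitea]` are declared empty, which is fine for a skeleton, but a one-line comment saying that hosts go here, and that a `gitea` host must also be a `middleware` host because the gitea role's unit runs docker-compose and its compose file needs the external `traefik_network` created by the traefik role, would make the layout's assumption explicit.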


@@ -0,0 +1,44 @@
---
driver:
name: vagrant
provider:
name: virtualbox
lint: |
yamllint --config-file .yamllint .
ansible-lint .
platforms:
- name: buster
box: debian/buster64
interfaces:
- auto_config: true
network_name: private_network
ip: "192.168.50.4"
instance_raw_config_args:
- "vm.network 'forwarded_port', guest: 8080, host: 8080"
- "vm.network 'forwarded_port', guest: 8000, host: 80"
- "vm.network 'forwarded_port', guest: 8443, host: 443"
- "vm.network 'forwarded_port', guest: 3000, host: 3000"
- "vm.network 'forwarded_port', guest: 9091, host: 9091"
groups:
- all
- molecule
- middleware
- gitea
provisioner:
name: ansible
lint: ansible-lint
env:
ANSIBLE_ROLES_PATH: ${PWD}/roles:${PWD}/roles-dependencies
playbooks:
converge: ../../site.yml
inventory:
links:
group_vars: ../../inventories/molecule/group_vars
scenario:
name: default
verifier:
name: testinfra
options:
junit-xml: report.xml
o: "junit_family=legacy"
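Review bot: The `instance_raw_config_args` forwarded ports (`host: 80`, `443`, `8080`, `3000`, `9091`) carry no `host_ip`, and Vagrant binds forwarded ports on all host interfaces by default, so the test instance, including the Traefik dashboard that this scenario's `traefik_dashboard_enabled: true` turns on, becomes reachable from the host's network for as long as molecule runs. Restricting each entry to loopback, e.g. `- "vm.network 'forwarded_port', guest: 8080, host: 8080, host_ip: '127.0.0.1'"`, keeps the scenario local. Port 9091 is forwarded but nothing else in this commit listens on it, as far as the diff shows; if it is a leftover it should go, and if it is planned a comment should say for what.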


@@ -0,0 +1,41 @@
---
- name: Prepare
hosts: all
become: true
gather_facts: false
tasks:
- name: Install Python3 for Ansible
raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal sudo)
changed_when: false
- name: Install Mkcert
hosts: all
become: true
gather_facts: false
tasks:
- name: install curl
apt:
name: curl
state: present
update_cache: yes
- name: install libnss3-tools
apt:
name: libnss3-tools
state: present
update_cache: yes
- name: download and install mkcert
get_url:
url: https://github.com/FiloSottile/mkcert/releases/download/v1.4.1/mkcert-v1.4.1-linux-amd64
dest: /usr/local/bin/mkcert
mode: 0755
- name: install the local CA in the system trust store
shell: mkcert -install
- name: create certs directory
file:
path: /certs
state: directory
mode: 0755
- name: generate certificates
shell: mkcert -cert-file local-cert.pem -key-file local-key.pem "docker.localhost" "*.docker.localhost" "*.192.168.50.4"
args:
chdir: /certs
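Review bot: The `get_url` task that fetches mkcert from GitHub has no `checksum:`, so a binary that is then installed to `/usr/local/bin` and run as root (`mkcert -install`) is trusted on the strength of the TLS connection alone; `checksum: sha256:<EXPECTED_SHA256_OF_mkcert-v1.4.1-linux-amd64>` pins the artifact. The two `shell:` tasks are not idempotent either: `mkcert -install` and the certificate generation run on every converge and rewrite `/certs/local-cert.pem` under a running Traefik; `args: creates: /certs/local-cert.pem` on the generate task (and a `creates`/`changed_when` guard on the install one) fixes that. Note that the SANs generated are `docker.localhost`, `*.docker.localhost` and `*.192.168.50.4`, which do not cover the default `gitea_url` of `git.localhost`; the tests in this commit only pass because they use `curl -k`.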


@@ -0,0 +1,16 @@
import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('middleware')
def test_docker_package(host):
assert host.package("docker-ce").is_installed
def test_docker_service(host):
assert host.service('docker').is_running
assert host.service('docker').is_enabled


@@ -0,0 +1,23 @@
import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('gitea')
def test_gitea_service(host):
assert host.service('gitea').is_running
assert host.service('gitea').is_enabled
def test_gitea_with_https(host):
cmd = host.run("curl -I -k -H Host:git.localhost https://127.0.0.1")
assert cmd.rc == 0
assert "HTTP/2 200" in cmd.stdout
def test_gitea_redirection_with_http(host):
cmd = host.run("curl -I -H Host:git.localhost http://127.0.0.1")
assert cmd.rc == 0
assert "HTTP/1.1 307 Temporary Redirect" in cmd.stdout
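Review bot: `test_gitea_with_https` passes `-k` to curl, so it accepts any certificate and only proves that something answers HTTP/2 on 443; since prepare.yml installs the mkcert CA into the system trust store, the test could drop `-k` and pin the name instead, `cmd = host.run("curl -I --resolve git.localhost:443:127.0.0.1 https://git.localhost")`, which would also surface that `git.localhost` is not among the SANs mkcert was given. As written, a self-signed or wrongly named certificate on the Traefik side cannot fail this test. The `HTTP/1.1 307 Temporary Redirect` assertion in `test_gitea_redirection_with_http` ties the test to one exact status line; asserting on a `Location: https://` header would survive a change between 301/302/307/308 on the proxy side.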


@@ -0,0 +1,11 @@
import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('middleware')
def test_traefik_service(host):
assert host.service('traefik').is_running
assert host.service('traefik').is_enabled

3
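--- a/requirements.yml
+++ b/requirements.yml
@@ -0,0 +1,3 @@
+---
+- src: geerlingguy.docker
+version: 3.0.0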


@@ -0,0 +1,5 @@
---
gitea_state: present
gitea_version: 1.13.1
gitea_docker_compose_directory: /opt/gitea
gitea_url: git.localhost


@@ -0,0 +1,7 @@
---
- name: restart gitea
service:
name: gitea
state: restarted
daemon_reload: True
enabled: True


@@ -0,0 +1,14 @@
---
- name: configure | deploy systemd configuration
template:
src: etc/systemd/system/gitea.service.j2
dest: /etc/systemd/system/gitea.service
owner: root
group: root
mode: 0644
notify: "restart gitea"
- name: ensure that service is started
service:
name: "gitea"
state: started
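Review bot: The `ensure that service is started` task starts `gitea` immediately after the unit file is templated, but the `daemon_reload: True` lives only in the `restart gitea` handler, which does not run until the end of the play; the sibling traefik configure.yml ends with `- name: configure | flush handlers` / `  meta: flush_handlers`, and this file should do the same (or use the `systemd` module with `daemon_reload: yes` on this task) so systemd has seen the new unit before being asked to start it. Whether the `service` module reloads systemd on its own for a brand-new unit is version-dependent, so the explicit flush is the safer choice. The task name also lacks the `configure |` prefix every other task in the role carries: `- name: configure | ensure that service is started`.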


@@ -0,0 +1,12 @@
---
- name: install | create directory {{ gitea_docker_compose_directory }}
file:
path: "{{ gitea_docker_compose_directory }}"
state: directory
mode: 0755
- name: install | set compose file
template:
src: opt/gitea/docker-compose.yml.j2
dest: "{{ gitea_docker_compose_directory }}/docker-compose.yml"
notify: 'restart gitea'
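Review bot: The `install | set compose file` template task sets no `owner`/`group`/`mode`, unlike the systemd unit deployed in configure.yml, so the compose file's permissions are whatever the target's umask produces; add `owner: root` / `group: root` / `mode: 0644` for consistency with the rest of the role. The traefik install.yml hunk later in this commit has the same gap, and its compose file is the one that mounts the Docker socket and `acme.json`.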


@@ -0,0 +1,2 @@
---
- include_tasks: "{{ gitea_state }}.yml"
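Review bot: `include_tasks: "{{ gitea_state }}.yml"` builds a task-file name straight from a variable, and the role ships only `present.yml` and `stop.yml`, so any other value (`absent`, a typo) fails with an include error deep inside the play; an `assert` in front of it turns that into a clear message, e.g. `- assert:` / `    that: gitea_state in ['present', 'stop']` / `    fail_msg: "gitea_state must be 'present' or 'stop'"`. The traefik role's main.yml uses the same pattern with `traefik_state` and would benefit from the same guard.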


@@ -0,0 +1,4 @@
---
- include_tasks: "install.yml"
- include_tasks: "configure.yml"
- include_tasks: "start.yml"


@@ -0,0 +1,14 @@
---
- name: start | ensure gitea is up and running
service:
name: gitea
state: started
- name: start | wait for gitea up and running
command: "docker ps"
register: result
retries: 60
changed_when: no
until: "'gitea/gitea:{{ gitea_version}}' in result.stdout"
tags:
- skip_ansible_lint
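Review bot: The `until:` condition embeds Jinja delimiters inside a conditional, `"'gitea/gitea:{{ gitea_version}}' in result.stdout"`, which Ansible 2.9 typically reports with its "conditional statements should not include jinja2 templating delimiters" warning and which the `skip_ansible_lint` tag then hides; the expression form `until: "('gitea/gitea:' ~ gitea_version) in result.stdout"` needs neither the delimiters nor the tag. `retries: 60` with the default five-second delay is a five-minute budget; spelling out `delay: 5` makes that visible. Matching the image name in unfiltered `docker ps` output also only says the container is listed, not that Gitea answers; the HTTP checks in tests/test_gitea.py cover that later, which is worth a comment here.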


@@ -0,0 +1,5 @@
---
- name: stop | ensure gitea is up and running
service:
name: gitea
state: stopped
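Review bot: The task name `stop | ensure gitea is up and running` contradicts the `state: stopped` directly below it; `- name: stop | ensure gitea is stopped` says what the task does. The traefik role's stop.yml later in this commit has the same copy-pasted name. Neither stop file touches `enabled`, and the restart handler sets `enabled: True`, so a stopped service comes back on the next boot; if `stop` is meant to be persistent, add `enabled: false` here.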


@@ -0,0 +1,11 @@
# {{ ansible_managed }}
[Unit]
Description=gitea
[Service]
Restart=always
ExecStart=/usr/local/bin/docker-compose -f "{{ gitea_docker_compose_directory }}/docker-compose.yml" up
ExecStop=/usr/local/bin/docker-compose -f "{{ gitea_docker_compose_directory }}/docker-compose.yml" stop
[Install]
WantedBy=local.target
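Review bot: `WantedBy=local.target` names a target that systemd does not ship, so `systemctl enable gitea` creates a symlink under `local.target.wants/` that nothing ever pulls in and the unit will not start at boot; the traefik unit in this same commit uses `WantedBy=multi-user.target`, and this one should too. The unit also lacks the `Wants=docker.service` / `After=docker.service` ordering the traefik unit has, although `ExecStart` runs docker-compose, so at boot it can race the Docker daemon. `ExecStop` uses `stop` here and `down` in the traefik unit; either is defensible, but a comment on why they differ would help.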


@@ -0,0 +1,29 @@
# {{ ansible_managed }}
version: '3.2'
services:
gitea:
image: gitea/gitea:{{ gitea_version }}
environment:
- ROOT_URL="http://{{ gitea_url }}"
- DISABLE_SSH=true
- DISABLE_REGISTRATION=true
- REQUIRE_SIGNIN_VIEW=true
restart: always
labels:
- traefik.enable=true
- traefik.docker.network=traefik_network
- traefik.backend=gitea
- traefik.port=3000
- traefik.frontend.rule=Host:{{ gitea_url }}
networks:
- traefik_network
volumes:
- gitea:/data
volumes:
gitea:
driver: local
networks:
traefik_network:
external: true
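Review bot: `ROOT_URL="http://{{ gitea_url }}"` gives Gitea an http scheme while the Traefik configuration in this commit redirects every http request to https, so the absolute links Gitea generates (clone URLs, redirects after login, OAuth callbacks) point at http and bounce through the redirect; `- ROOT_URL=https://{{ gitea_url }}` matches the entry point that actually serves it. In the list form of `environment:` the surrounding double quotes are part of the plain YAML scalar and may reach the container literally, so drop them or quote the whole item (`- 'ROOT_URL=https://{{ gitea_url }}'`). `DISABLE_REGISTRATION=true` and `REQUIRE_SIGNIN_VIEW=true` are good defaults for a private instance; `INSTALL_LOCK` is not set, so the web installer stays reachable until first setup completes, which deserves a comment next to the environment block.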


@@ -0,0 +1,9 @@
---
traefik_state: present
traefik_version: v1.7.28
traefik_docker_compose_directory: /opt/traefik
traefik_use_configuration_file: false
traefik_docker_domain: docker.localhost
traefik_docker_log_level: ERROR
traefik_acme_enabled: true
traefik_dashboard_enabled: false
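Review bot: `traefik_use_configuration_file: false` is declared here but, as far as this diff shows, nothing in the role reads it; either drop it or add a comment naming the task it is reserved for. The ACME contact that traefik.toml.j2 hardcodes (`email = "etienne.besson@gmail.com"`) belongs in this file as an overridable default, e.g. `traefik_acme_email: <ACME_CONTACT_EMAIL>`. `traefik_version: v1.7.28` pins the 1.x line, and the role's labels and toml are 1.x-specific; a comment saying that a 2.x bump needs a rewritten configuration would prevent a casual version change from breaking the proxy.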


@@ -0,0 +1,7 @@
---
- name: restart traefik
service:
name: traefik
state: restarted
daemon_reload: True
enabled: True


@@ -0,0 +1,35 @@
---
- name: configure | deploy systemd configuration
template:
src: etc/systemd/system/traefik.service.j2
dest: /etc/systemd/system/traefik.service
owner: root
group: root
mode: 0644
notify: "restart traefik"
- name: configure | deploy traefik configuration
template:
src: opt/traefik/traefik.toml.j2
dest: "{{ traefik_docker_compose_directory }}/traefik.toml"
owner: root
group: root
mode: 0644
notify: "restart traefik"
- name: configure | create acme.json
file:
path: "{{ traefik_docker_compose_directory }}/acme.json"
owner: root
group: root
state: touch
mode: 0600
changed_when: no
- name: configure | create network traefik_network
command: docker network create traefik_network
ignore_errors: yes
changed_when: no
- name: configure | flush handlers
meta: flush_handlers
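Review bot: `command: docker network create traefik_network` with `ignore_errors: yes` swallows every failure, not just the expected "already exists" one, so a stopped Docker daemon or a permission error is reported as success and the compose file fails later on the missing external network; register the result and tolerate only the known case, `register: net_result` / `failed_when: net_result.rc != 0 and 'already exists' not in net_result.stderr`, or use the `docker_network` module, which is idempotent and needs no `ignore_errors`. The `acme.json` task correctly sets `mode: 0600`, which Traefik requires for its ACME storage. The closing `meta: flush_handlers` is the right call and is exactly the step the gitea role's configure.yml is missing.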


@@ -0,0 +1,12 @@
---
- name: install | create directory {{ traefik_docker_compose_directory }}
file:
path: "{{ traefik_docker_compose_directory }}"
state: directory
mode: 0755
- name: install | set compose file
template:
src: opt/traefik/docker-compose.yml.j2
dest: "{{ traefik_docker_compose_directory }}/docker-compose.yml"
notify: 'restart traefik'


@@ -0,0 +1,2 @@
---
- include_tasks: "{{ traefik_state }}.yml"


@@ -0,0 +1,4 @@
---
- include_tasks: "install.yml"
- include_tasks: "configure.yml"
- include_tasks: "start.yml"


@@ -0,0 +1,10 @@
---
- name: start | ensure traefik is up and running
service:
name: traefik
state: started
- name: start | wait for traefik up and running
wait_for:
port: 443
delay: 10


@@ -0,0 +1,5 @@
---
- name: stop | ensure traefik is up and running
service:
name: traefik
state: stopped


@@ -0,0 +1,13 @@
# {{ ansible_managed }}
[Unit]
Description=Traefik
Wants=docker.service
After=docker.service
[Service]
Restart=always
ExecStart=/usr/local/bin/docker-compose -f "{{ traefik_docker_compose_directory }}/docker-compose.yml" up
ExecStop=/usr/local/bin/docker-compose -f "{{ traefik_docker_compose_directory }}/docker-compose.yml" down
[Install]
WantedBy=multi-user.target


@@ -0,0 +1,27 @@
---
# {{ ansible_managed }}
version: '3.2'
services:
traefik:
image: traefik:{{ traefik_version }}
restart: always
command: --api --docker # Enables the web UI and tells Traefik to listen to docker
ports:
- "80:80" # The HTTP port
- "443:443" # The HTTPS ports
{% if traefik_dashboard_enabled %}
- "8080:8080" # Dashboard port
{% endif %}
volumes:
- /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
- {{ traefik_docker_compose_directory }}/traefik.toml:/traefik.toml
- {{ traefik_docker_compose_directory }}/acme.json:/acme.json
labels:
- traefik.enable=true
- traefik.docker.network=traefik_network
networks:
- traefik_network
networks:
traefik_network:
external: true
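Review bot: `command: --api --docker` enables the Traefik API and dashboard from the command line regardless of `traefik_dashboard_enabled`, which traefik.toml.j2 only uses to gate its `[api]` section; Traefik 1.x merges command-line flags with the configuration file, so the `{% if traefik_dashboard_enabled %}` guard in the toml is bypassed and the dashboard listens on port 8080 inside the container whenever the variable is false (the line's own comment says the flag enables the web UI). Dropping the flag, `command: --docker`, makes the variable the single switch, and since the toml already has a `[docker]` section the `--docker` flag could go too. The `- "8080:8080"` publish is correctly conditional, which limits the exposure to the container network when the dashboard is off, but that is a narrower barrier than not enabling the API at all.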


@@ -0,0 +1,43 @@
# {{ ansible_managed }}
###Traefik.toml###
logLevel = "{{ traefik_docker_log_level }}"
defaultEntryPoints = ["http","https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
{% if not traefik_acme_enabled %}
[[entryPoints.https.tls.certificate]]
certFile = "/certs/local-cert.pem"
keyFile = "/certs/local-key.pem"
{% endif %}
{% if traefik_dashboard_enabled %}
[api]
# With this you enable the web UI
insecure = true
dashboard = true
{% endif %}
{% if traefik_acme_enabled %}
[acme]
email = "etienne.besson@gmail.com"
storage = "acme.json"
onHostRule = true
entryPoint = "https"
[acme.tlsChallenge]
{% endif %}
# Enable Docker configuration backend
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "{{ traefik_docker_domain }}"
watch = true
exposedByDefault = false
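Review bot: When `traefik_dashboard_enabled` is true the `[api]` section is enabled with no authentication, and its entry point is the one molecule.yml publishes to the host; in Traefik 1.7 that entry point can be protected with `[entryPoints.traefik.auth.basic]` / `users = ["<HTPASSWD_ENTRY>"]`, which is cheap insurance even for a development dashboard. `insecure = true` under `[api]` is, as far as I know, a Traefik 2.x option; confirm that v1.7 accepts it or remove it, since an unknown key may be silently ignored rather than applied. The ACME contact `email = "etienne.besson@gmail.com"` is a personal address hardcoded in a reusable role template; `email = "{{ traefik_acme_email }}"` with a default in defaults/main.yml keeps the role portable. `exposedByDefault = false` is the right setting and deserves a comment saying that every container must opt in with `traefik.enable=true`.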

23
site.yml Executable file

@@ -0,0 +1,23 @@
---
- hosts: all
gather_facts: False
tasks:
- name: Install python for Ansible
raw: test -e /usr/bin/python || (apt -y update && apt install -y python2.7 python-minimal sudo)
changed_when: False
- hosts: middleware
become: True
roles:
- geerlingguy.docker
- traefik
tags:
- traefik
- hosts: gitea
become: True
roles:
- gitea
tags:
- gitea
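Review bot: The bootstrap `raw:` task installs `python2.7 python-minimal` for Ansible, while prepare.yml in this same commit installs `python3-minimal`; Debian buster ships Python 3 and Ansible 2.9's interpreter discovery can use `/usr/bin/python3`, so the two should agree on Python 3 (`raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal sudo)`) rather than pulling Python 2 onto production hosts. The `gitea` play runs only the `gitea` role, but that role's systemd unit calls docker-compose and its compose file requires the external `traefik_network`, so it only works on hosts that are also in `middleware`; with both inventory groups shipped empty nothing documents or enforces that, and a comment on the play (or adding `geerlingguy.docker` to it) would make the assumption explicit. `gather_facts: False` on the first play is right for a raw bootstrap; the later plays rely on fact gathering being back on by default, which is worth saying in a comment.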

20
tox.ini Normal file

@@ -0,0 +1,20 @@
[tox]
recreate = true
skipsdist = true
envlist = py{3}-ansible
[testenv]
passenv = *
deps =
ansible==2.9.*
pytest-testinfra==6.0.*
molecule==3.2.*
molecule-vagrant==0.6.*
python-vagrant==0.5.*
paramiko==2.6.0
ansible-lint==4.3.*
[testenv:ci]
passenv = *
ansible-galaxy install -r requirements.yml --ignore-errors -p roles-dependencies --force
molecule lint
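Review bot: `passenv = *` in both `[testenv]` and `[testenv:ci]` forwards the whole environment of the CI runner, including any Drone secrets injected into the build, into the tox environment that runs `ansible-galaxy install` and `molecule lint`; listing the variables actually needed (for example `passenv = HOME MOLECULE_* ANSIBLE_* VAGRANT_*`) keeps secrets away from tooling that has no use for them. `ansible-galaxy install -r requirements.yml --ignore-errors` turns a failed role download into a later, more confusing failure; dropping `--ignore-errors` lets the ci env stop at the real cause. The `[testenv:ci]` section shows two command lines but no `commands =` key in this rendering (the file header counts 20 added lines and 18 are visible); if the key was merely lost in display, ignore this, otherwise tox will reject the section.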

4
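--- a/venv.sh
+++ b/venv.sh
@@ -0,0 +1,4 @@
+tox
+source .tox/py3-ansible/bin/activate
+rm -Rf roles-dependencies || true
+ansible-galaxy install -r requirements.yml --ignore-errors -p roles-dependencies --force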
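Review bot: The script has no `set -euo pipefail`, so a failing `tox` on the first line does not stop it, `source .tox/py3-ansible/bin/activate` then fails on a missing venv, and the remaining lines still run. `rm -Rf roles-dependencies || true` masks the only error `rm -Rf` can still raise (a permission problem), which is one you want to see. `source` inside a script that is executed rather than sourced activates the venv only for the script's own shell, so the activation is gone when it exits; if the intent is to prepare the caller's shell, a header comment should say to run it as `. venv.sh`. The `--ignore-errors` on the galaxy install has the same drawback as in tox.ini.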