diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000..2cd03ba --- /dev/null +++ b/.gitmodules @@ -0,0 +1,3 @@ +[submodule "ansible/roles/monolithprojects.github_actions_runner"] + path = ansible/roles/monolithprojects.github_actions_runner + url = https://github.com/MonolithProjects/ansible-github_actions_runner.git diff --git a/ansible/deploy_home.yml b/ansible/deploy_home.yml index 126b711..0f7aefb 100644 --- a/ansible/deploy_home.yml +++ b/ansible/deploy_home.yml @@ -1,4 +1,3 @@ ---- - hosts: all vars_files: - vars/vault.yml @@ -7,3 +6,4 @@ - role: git - role: podman - role: ssl + - role: github-actions diff --git a/ansible/roles/github-actions/defaults/main.yml b/ansible/roles/github-actions/defaults/main.yml new file mode 100644 index 0000000..2e21f1a --- /dev/null +++ b/ansible/roles/github-actions/defaults/main.yml @@ -0,0 +1,3 @@ +--- +runner_user: actions-runner +runner_dir: /home/actions-runner \ No newline at end of file diff --git a/ansible/roles/github-actions/tasks/deps.yml b/ansible/roles/github-actions/tasks/deps.yml new file mode 100644 index 0000000..477bc4e --- /dev/null +++ b/ansible/roles/github-actions/tasks/deps.yml @@ -0,0 +1,14 @@ +--- +- name: enable required dnf repositories + become: true + ansible.builtin.shell: + cmd: dnf config-manager --add-repo https://rpm.releases.hashicorp.com/fedora/hashicorp.repo + creates: /etc/yum.repos.d/hashicorp.repo + +- name: install github dependencies + become: true + ansible.builtin.dnf: + name: + - awscli + - terraform + state: present \ No newline at end of file diff --git a/ansible/roles/github-actions/tasks/main.yml b/ansible/roles/github-actions/tasks/main.yml new file mode 100644 index 0000000..723274c --- /dev/null +++ b/ansible/roles/github-actions/tasks/main.yml @@ -0,0 +1,5 @@ +--- +- import_tasks: user.yml + tags: github +- import_tasks: deps.yml + tags: github 
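Review bot: The submodule `ansible/roles/monolithprojects.github_actions_runner` added in this hunk is not referenced anywhere else in the commit — `deploy_home.yml` only adds the local `github-actions` role, whose visible tasks create the user and install tooling but never install or register a runner — so as far as this diff shows, the runner itself is not deployed. If the vendored role is meant to do that, add it after the local role in the play (`- role: monolithprojects.github_actions_runner`) and pass it the matching user/home variables; if it is for a later change, a comment in the playbook saying so would avoid the confusion. The commit pin lives in the gitlink rather than in this file, which is fine, but that pinned revision should be reviewed like any other third-party code, since it will run with `become` on this host.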
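Review bot: The `enable required dnf repositories` task in `deps.yml` adds the HashiCorp repository by shelling out to `dnf config-manager --add-repo` and then trusts whatever `.repo` file the endpoint serves, including its `gpgcheck`/`gpgkey` settings, so the trust anchor for the `terraform` package installed by the next task is never stated in this role. It also uses `ansible.builtin.shell` where no shell features are needed, and `creates:` means the repository definition is written once and never reconciled afterwards. Declaring the repository with `ansible.builtin.yum_repository` makes `gpgcheck: true` and the key location explicit and idempotent (the URLs below should be confirmed against the published `hashicorp.repo` file before merging), and `terraform`/`awscli` should be pinned to a specific package version rather than `state: present` on latest, since this host will run CI jobs with those tools.
```yaml
- name: add hashicorp dnf repository
  become: true
  ansible.builtin.yum_repository:
    name: hashicorp
    description: HashiCorp stable
    # confirm baseurl/gpgkey against the published hashicorp.repo file
    baseurl: https://rpm.releases.hashicorp.com/fedora/$releasever/$basearch/stable
    gpgcheck: true
    gpgkey: https://rpm.releases.hashicorp.com/gpg
    enabled: true

# … unchanged: install github dependencies task (pin terraform/awscli versions) …
```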
diff --git a/ansible/roles/github-actions/tasks/user.yml b/ansible/roles/github-actions/tasks/user.yml
new file mode 100644
index 0000000..751ef07
--- /dev/null
+++ b/ansible/roles/github-actions/tasks/user.yml
@@ -0,0 +1,60 @@
+---
+- name: create github actions user
+ become: true
+ ansible.builtin.user:
+ name: "{{ runner_user }}"
+ shell: /usr/bin/nologin
+ createhome: true
+ home: "{{ runner_dir }}"
+
+- name: set ulimits for github user
+ become: true
+ community.general.pam_limits:
+ domain: "{{ runner_user }}"
+ limit_type: "{{ item.type }}"
+ limit_item: "{{ item.name }}"
+ value: "{{ item.value }}"
+ loop:
+ - name: memlock
+ type: soft
+ value: "unlimited"
+ - name: memlock
+ type: hard
+ value: "unlimited"
+ - name: nofile
+ type: soft
+ value: 39693561
+ - name: memlock
+ type: hard
+ value: 39693561
+ tags: github
+
+- name: check if github user lingering enabled
+ become: true
+ ansible.builtin.stat:
+ path: "/var/lib/systemd/linger/{{ runner_user }}"
+ register: user_lingering
+ tags: github
+
+- name: enable github user lingering
+ become: true
+ become_user: "{{ runner_user }}"
+ ansible.builtin.command: |
+ loginctl enable-linger {{ runner_user }}
+ when:
+ - not user_lingering.stat.exists
+ tags: github
+
+- name: selinux context for github directories
+ become: true
+ community.general.sefcontext:
+ target: "{{ item.target }}(/.*)?"
+ setype: "{{ item.setype }}"
+ state: present
+ notify: restorecon podman
+ loop:
+ - { target: "{{ runner_dir }}", setype: "user_home_dir_t" }
+ - { target: "{{ runner_dir }}/.local/share", setype: "container_file_t" }
+ tags:
+ - github
+ - selinux
diff --git a/ansible/roles/podman/tasks/container-bookstack.yml b/ansible/roles/podman/tasks/container-bookstack.yml
index a83a4ae..af069c8 100644
--- a/ansible/roles/podman/tasks/container-bookstack.yml
+++ b/ansible/roles/podman/tasks/container-bookstack.yml
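Review bot: The fourth `pam_limits` loop item, `- name: memlock / type: hard / value: 39693561`, looks like a copy-paste slip for `nofile`: as written, the hard `memlock` limit set to `unlimited` two items earlier is overwritten with 39693561, and no hard `nofile` limit is ever configured, so the soft `nofile` value may exceed the hard limit and be rejected by setrlimit. Change that item to `- name: nofile`. Separately, 39693561 is far above the usual `fs.nr_open` ceiling (1048576 by default), and pam_limits cannot apply values above it — check `sysctl fs.nr_open` on the target or lower the value — and granting an unprivileged CI runner `memlock unlimited` lets any job pin arbitrary RAM; if it is only needed for rootless podman, scope it to what the containers actually require and say so in a comment above the loop.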
@@ -69,6 +69,7 @@ - shared env: APP_URL: "https://wiki.skudakrennsport.com" + APP_KEY: "{{ bookstack_app_key }}" DB_HOST: "bookstack-db" DB_USERNAME: "bookstack" DB_DATABASE: "bookstack" diff --git a/ansible/roles/podman/tasks/main.yml b/ansible/roles/podman/tasks/main.yml index f2faf89..0ce13f1 100644 --- a/ansible/roles/podman/tasks/main.yml +++ b/ansible/roles/podman/tasks/main.yml @@ -15,7 +15,7 @@ - import_tasks: container-hass.yml vars: - image: ghcr.io/home-assistant/home-assistant:stable + image: ghcr.io/home-assistant/home-assistant:2023.11 tags: hass - import_tasks: container-partkeepr.yml @@ -34,30 +34,30 @@ - import_tasks: container-bookstack.yml vars: db_image: docker.io/library/mysql:5.7.21 - image: docker.io/solidnerd/bookstack:23.6 - tags: bookstack + image: docker.io/solidnerd/bookstack:23.10 + tags: skuwiki - import_tasks: container-photos.yml vars: db_image: docker.io/library/mariadb:10.8 - image: docker.io/photoprism/photoprism:230625-ce + image: docker.io/photoprism/photoprism:231021-ce tags: photos - import_tasks: container-cloud.yml vars: - db_image: docker.io/library/mariadb:10.5 - image: docker.io/library/nextcloud:24.0.5-apache + db_image: docker.io/library/mariadb:10.6 + image: docker.io/library/nextcloud:27.1.3-apache tags: cloud - import_tasks: container-cloud-skudak.yml vars: - db_image: docker.io/library/mariadb:10.5 - image: docker.io/library/nextcloud:24.0.5-apache + db_image: docker.io/library/mariadb:10.6 + image: docker.io/library/nextcloud:27.1.3-apache tags: skucloud - import_tasks: container-fulfillr.yml vars: - image: "{{ aws_ecr_endpoint }}/fulfillr:20231005.1415" + image: "{{ aws_ecr_endpoint }}/fulfillr:20231113.1809" tags: fulfillr - import_tasks: configuration-nginx.yml diff --git a/ansible/vars/vault.yml b/ansible/vars/vault.yml index 4c9763f..550e241 100644 Binary files a/ansible/vars/vault.yml and b/ansible/vars/vault.yml differ
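Review bot: `APP_KEY` is now injected as a plain container environment variable next to the non-secret settings, so the vault value becomes readable to anyone who can run `podman inspect` on the container or read the generated unit/process environment; if the podman module in use supports it, pass it through a podman secret or a root-only `env_file` instead (the enclosing task starts outside this hunk, so the module and its options are not visible here). Also, if this container previously ran with a different key, switching to `bookstack_app_key` invalidates existing sessions and anything Laravel encrypted under the old key, which is worth a comment above the line, e.g. `# APP_KEY from vault; rotating it invalidates sessions/encrypted data`.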