From 53f2868916085971eed2567b8945e20ee405fb27 Mon Sep 17 00:00:00 2001 From: Bastian de Byl Date: Thu, 24 Sep 2020 22:52:33 -0400 Subject: [PATCH] Implemented working version of drone w/nginx https --- .gitattributes | 1 + Makefile | 18 +++++--- ansible/deploy_home.yml | 3 ++ ansible/roles/common/defaults/main.yml | 3 +- ansible/roles/drone/defaults/main.yml | 3 ++ ansible/roles/drone/tasks/docker.yml | 17 ------- ansible/roles/drone/tasks/drone.yml | 43 ++++++++++++++++++ ansible/roles/drone/tasks/main.yml | 2 +- ansible/roles/http/defaults/main.yml | 1 - ansible/roles/http/files/nginx/nginx.conf | 2 +- ansible/roles/http/tasks/cron.yml | 11 ++--- ansible/roles/http/tasks/main.yml | 1 + .../nginx/sites/ci.bdebyl.net.https.conf.j2 | 38 +++++++++------- ansible/vars/vault.yml | Bin 0 -> 1673 bytes 14 files changed, 93 insertions(+), 50 deletions(-) create mode 100644 ansible/roles/drone/defaults/main.yml delete mode 100644 ansible/roles/drone/tasks/docker.yml create mode 100644 ansible/roles/drone/tasks/drone.yml create mode 100644 ansible/vars/vault.yml diff --git a/.gitattributes b/.gitattributes index 1bbbb10..6be7b46 100644 --- a/.gitattributes +++ b/.gitattributes @@ -1 +1,2 @@ .pass.sh filter=git-crypt diff=git-crypt +ansible/vars/vault.yml filter=git-crypt diff=git-crypt diff --git a/Makefile b/Makefile index 61bf015..44404f9 100644 --- a/Makefile +++ b/Makefile @@ -10,9 +10,12 @@ VENV_BIN=.venv/bin PIP=${VENV_BIN}/pip ANSIBLE=${VENV_BIN}/ansible-playbook ANSIBLE_VAULT=${VENV_BIN}/ansible-vault + LINT_ANSIBLE=${VENV_BIN}/ansible-lint LINT_YAML=${VENV_BIN}/yamllint + VAULT_PASS_FILE=.ansible-vaultpass +VAULT_FILE=ansible/vars/vault.yml # Variables ANSIBLE_INVENTORY=ansible/inventories/home/hosts.yml 
@@ -29,16 +32,19 @@ ${ANSIBLE} ${ANSIBLE_VAULT} ${LINT_YAML} ${LINT_ANSIBLE}: ${VENV} requirements.t ${VAULT_PASS_FILE}: ${ANSIBLE} . ${PASS_SRC}; pass $$PASS_LOC > $@ +${VAULT_FILE}: ${VAULT_PASS_FILE} + ${ANSIBLE_VAULT} create --vault-password-file ${VAULT_PASS_FILE} $@ + # Targets -deploy: ${ANSIBLE} ${VAULT_PASS_FILE} +deploy: ${ANSIBLE} ${VAULT_FILE} ${ANSIBLE} --diff --private-key ${SSH_KEY} -t ${TAGS} -i ${ANSIBLE_INVENTORY} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml -check: ${ANSIBLE} ${VAULT_PASS_FILE} +check: ${ANSIBLE} ${VAULT_FILE} ${ANSIBLE} --check --diff --private-key ${SSH_KEY} -t ${TAGS} -i ${ANSIBLE_INVENTORY} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml -encrypt-string: ${ANSIBLE_VAULT} ${VAULT_PASS_FILE} - ${ANSIBLE_VAULT} encrypt_string --vault-password-file ${VAULT_PASS_FILE} +vault: ${ANSIBLE_VAULT} ${VAULT_FILE} + ${ANSIBLE_VAULT} edit --vault-password-file ${VAULT_PASS_FILE} ${VAULT_FILE} lint: ${LINT_YAML} ${LINT_ANSIBLE} - @${LINT_YAML} ansible/ - @${LINT_ANSIBLE} ansible/ + ${LINT_YAML} ansible/ + ${LINT_ANSIBLE} ansible/ diff --git a/ansible/deploy_home.yml b/ansible/deploy_home.yml index f0f1033..40758a2 100644 --- a/ansible/deploy_home.yml +++ b/ansible/deploy_home.yml @@ -1,5 +1,8 @@ --- - hosts: all + vars_files: + - vars/vault.yml roles: - role: common - role: http + - role: drone diff --git a/ansible/roles/common/defaults/main.yml b/ansible/roles/common/defaults/main.yml index 9b0f71d..f1d769c 100644 --- a/ansible/roles/common/defaults/main.yml +++ b/ansible/roles/common/defaults/main.yml @@ -1,7 +1,8 @@ --- deps: [ docker, - fail2ban + fail2ban, + python-docker ] fail2ban_jails: [ diff --git a/ansible/roles/drone/defaults/main.yml b/ansible/roles/drone/defaults/main.yml new file mode 100644 index 0000000..2476ded --- /dev/null +++ b/ansible/roles/drone/defaults/main.yml @@ -0,0 +1,3 @@ +--- +drone_server_proto: "https" +drone_runner_capacity: "1" 
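Review bot: `${VAULT_FILE}: ${VAULT_PASS_FILE}` turns the committed vault into a timestamp-driven target, so whenever `.ansible-vaultpass` is newer than `ansible/vars/vault.yml` (a fresh clone, where the pass file is generated after checkout, or any re-run of the pass target) `make deploy` and `make check` will run `ansible-vault create` on the existing vault before deploying; as far as I recall ansible-vault refuses to create over an existing file, and at best it would open an interactive editor, neither of which belongs in a deploy target. An order-only prerequisite keeps the dependency without the timestamp comparison: `${VAULT_FILE}: | ${VAULT_PASS_FILE}`. The same file is also git-crypt filtered in .gitattributes, so once the working tree is unlocked the ansible-vault layer is the only protection left on it; a one-line comment above the target stating that, e.g. `# vault.yml is git-crypt'ed in the repo and ansible-vault encrypted inside; both keys are needed`, would save the next reader the detective work.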
diff --git a/ansible/roles/drone/tasks/docker.yml b/ansible/roles/drone/tasks/docker.yml
deleted file mode 100644
index bd2ceef..0000000
--- a/ansible/roles/drone/tasks/docker.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-- name: Create Drone CI container
- community.general.docker_container:
- name: drone
- image: drone/drone
- restart: true
- restart_policy: on-failure
- restart_retries: 3
- env:
- DRONE_GITHUB_CLIENT_ID: {{ drone_gh_client_id }}
- DRONE_GITHUB_CLIENT_SECRET: {{ drone_gh_client_sec }}
- DRONE_RPC_SECRET: {{ drone_rpc_secret }}
- DRONE_SERVER_HOST: {{ ci_server_name }}
- DRONE_SERVER_PROTO: {{ drone_server_proto }}
- DRONE_GIT_ALWAYS_AUTH: 'true'
- DRONE_USER_FILTER: {{ drone_user_filter }}
-
diff --git a/ansible/roles/drone/tasks/drone.yml b/ansible/roles/drone/tasks/drone.yml
new file mode 100644
index 0000000..9ba9794
--- /dev/null
+++ b/ansible/roles/drone/tasks/drone.yml
@@ -0,0 +1,43 @@ +--- +- name: create drone-ci server container + diff: false + docker_container: + name: drone + image: drone/drone:latest + recreate: true + restart: true + restart_policy: on-failure + restart_retries: 3 + env: + DRONE_GITHUB_CLIENT_ID: "{{ drone_gh_client_id }}" + DRONE_GITHUB_CLIENT_SECRET: "{{ drone_gh_client_sec }}" + DRONE_GIT_ALWAYS_AUTH: 'true' + DRONE_RPC_SECRET: "{{ drone_rpc_secret }}" + DRONE_SERVER_HOST: "{{ ci_server_name }}" + DRONE_SERVER_PROTO: "{{ drone_server_proto }}" + DRONE_USER_FILTER: "{{ drone_user_filter }}" + volumes: + - /var/lib/drone:/data + ports: + - "8080:80" + tags: drone + +- name: create drone-ci worker container + diff: false + docker_container: + name: drone-runner + image: drone/drone-runner-docker:latest + recreate: true + restart: true + restart_policy: on-failure + restart_retries: 3 + env: + DRONE_RPC_SECRET: "{{ drone_rpc_secret }}" + DRONE_RPC_HOST: "{{ ci_server_name }}" + DRONE_RPC_PROTO: "{{ drone_server_proto }}" + DRONE_RUNNER_CAPACITY: "{{ drone_runner_capacity }}" + volumes: + - /var/run/docker.sock:/var/run/docker.sock + ports: + - "3000:3000" + tags: drone diff --git a/ansible/roles/drone/tasks/main.yml b/ansible/roles/drone/tasks/main.yml index 9eab6da..479cac1 100644 --- a/ansible/roles/drone/tasks/main.yml +++ b/ansible/roles/drone/tasks/main.yml @@ -1,2 +1,2 @@ --- -- import_tasks: docker.yml +- import_tasks: drone.yml diff --git a/ansible/roles/http/defaults/main.yml b/ansible/roles/http/defaults/main.yml index 479c3fc..6cd2ba6 100644 --- a/ansible/roles/http/defaults/main.yml +++ b/ansible/roles/http/defaults/main.yml @@ -4,6 +4,5 @@ ci_server_name: ci.bdebyl.net deps: [ certbot, - certbot-nginx, nginx ] diff --git a/ansible/roles/http/files/nginx/nginx.conf b/ansible/roles/http/files/nginx/nginx.conf index 7dd225e..fce002d 100644 --- a/ansible/roles/http/files/nginx/nginx.conf +++ b/ansible/roles/http/files/nginx/nginx.conf 
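Review bot: `ports: - "8080:80"` on the drone server container publishes the plain-HTTP listener on every host interface, so the Drone UI and API remain reachable unencrypted on port 8080 alongside the nginx TLS front end, which only needs the loopback upstream `server 127.0.0.1:8080` that the site template defines; binding the publish to loopback, `- "127.0.0.1:8080:80"`, leaves it reachable for nginx only, and the runner's `- "3000:3000"` deserves the same unless something outside this patch needs it from the network. The `/var/run/docker.sock` mount gives the runner, and therefore every pipeline it executes, control of the host Docker daemon, which is exactly what `DRONE_USER_FILTER` is limiting here; a comment on that volume line stating the boundary, e.g. `# host docker socket: any pipeline this runner accepts runs with host-level docker access`, makes the dependency between the two settings visible. `image: drone/drone:latest` (and the runner's `latest`) with `recreate: true` means each play recreates the container from whatever `latest` resolves to at that moment, so the deployed server version is not reproducible from the repo; pinning a version tag or digest fixes that. The `docker_container:` short module name here replaces the `community.general.docker_container` FQCN the deleted docker.yml used, which is a step backwards for ansible-lint and for collection resolution.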
@@ -32,5 +32,5 @@ http { limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s; - include etc/nginx/sites-enabled/*.conf; + include /etc/nginx/sites-enabled/*.conf; } diff --git a/ansible/roles/http/tasks/cron.yml b/ansible/roles/http/tasks/cron.yml index 236d983..7295af1 100644 --- a/ansible/roles/http/tasks/cron.yml +++ b/ansible/roles/http/tasks/cron.yml @@ -1,10 +1,9 @@ --- -- cron: renew certbot ssl certificate weekly +- name: renew certbot ssl certificates weekly + become: true cron: - name: ci_bdebyl_net_renewal + name: certbot_renew special_time: weekly job: | - certbot --renew certonly --webroot --webroot-path=/srv/http \ - -m {{ ci_server_email }} --agree-tos \ - -d {{ ci_server_name }} - tags: never + certbot renew --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx" + tags: cron diff --git a/ansible/roles/http/tasks/main.yml b/ansible/roles/http/tasks/main.yml index e49aa72..8558561 100644 --- a/ansible/roles/http/tasks/main.yml +++ b/ansible/roles/http/tasks/main.yml @@ -2,3 +2,4 @@ - import_tasks: deps.yml - import_tasks: http.yml - import_tasks: ssl.yml +- import_tasks: cron.yml diff --git a/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2 b/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2 index 2b7c17b..0807735 100644 --- a/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2 +++ b/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2 
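Review bot: The cron.yml job `certbot renew --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"` takes nginx down for the whole renewal whenever certbot decides a certificate is due, which also cuts the Drone runner's RPC path, since the runner reaches the server through the same `ci_server_name` host name over https. If ssl.yml obtains the certificate with the webroot authenticator (the removed job used `--webroot` against `/srv/http`), the stop/start hooks are unnecessary and `certbot renew --deploy-hook "systemctl reload nginx"` reloads only when a certificate was actually replaced; only the standalone authenticator needs port 80 freed. The task now runs on normal plays (`tags: cron` replacing `tags: never`) and is newly imported from http/tasks/main.yml, so the http role now owns a root crontab entry under `become: true`; a short comment above the task recording which authenticator the hooks assume would keep the next change from re-breaking it.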
@@ -1,35 +1,39 @@ +upstream drone { + server 127.0.0.1:8080; +} + server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name {{ ci_server_name }}; + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name {{ ci_server_name }}; add_header Strict-Transport-Security max-age=6307200; - ssl_certificate /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/{{ ci_server_name }}/privkey.pem; - ssl_trusted_certificate /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem; + ssl_certificate /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/{{ ci_server_name }}/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem; ssl_dhparam /etc/ssl/certs/dhparam.pem; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 1d; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 1d; ssl_session_tickets off; - ssl_stapling on; - ssl_stapling_verify on; + ssl_stapling on; + ssl_stapling_verify on; - ssl_protocols TLSv1.2 TLSv1.3; + ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; + ssl_prefer_server_ciphers off; - location / { - proxy_set_header X-Forwarded-For $remote_addr; + location / { + proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Host $http_post; + proxy_set_header Host $http_host; - proxy_pass http://127.0.0.1:4242; + proxy_pass http://drone; proxy_redirect off; proxy_http_version 1.1; proxy_buffering off; chunked_transfer_encoding off; - } + } } 
diff --git a/ansible/vars/vault.yml b/ansible/vars/vault.yml new file mode 100644 index 0000000000000000000000000000000000000000..1a512d414d8881b93c403e729ccf8d08b1cd7ece GIT binary patch literal 1673 zcmV;426p)XM@dveQdv+`04aJU1591vnb*wy#OM=&Q*9;03N9V%oIVZh(mM9Vx>d-J z4V3_We;DYzfX9pf2Ms6~#O;(W#Jh3&6c>IQUVX9lr0{+)D{p^)CtajxUoAPh-IvAf zfHc!Cn3G1nerC!Q%`aZLzu3wSzN@tph=;NxQaLM-90s@pLHmfW7u3^%S>|n2-`q^>UG1aIw)5O4{J8Jb#MFk5LFBr{n&tNrYv9n>RIydo^3M zabyWEPtYi#Bh_P*dlnYCOOVvmS6NPDU3lh0?moO;tvI3r9bM7!v(UiyRg53Z!cu%` zTIh8(V7}@=%HKk}xtjQN`vrb*UyLeN+o|%Gg{!@mTA)Yd)|>In)=qW*Gpnz3maQJ) z?Cbk;odfPB8JzctyFgQl$#I>Q(AWlG)vI3Y&QFnaG^S$wAX;(yF3=ANbM|VRcT~+8 zbhJ46#9BwU%}shjGb}aUpmn3Vhow(gVHIL8-k$N)Ai%W-WW_{Ba8{5bR=zixRo;`t zHcf}!KjMle35C`kx=)y^;qxmk6iG&JByHE&nRz+l%O4JCsMM^Ux&1aIz@YiVDrh); z>g8q3Txl$WaClT~X?LVrWz|D}K8?MJXWS~O`A3#X;yP{905Y-FQZ*x^U|A;A1%e&x zfJaM6L7oe3NeO8?{D}knkjr761r@eR;X3LAW!s3Oc*|~A0Ow97Ya%zdQvK4hm}_~u zn%FJ?;Kp%%S`8J3%F^mwMQHNV|4C{_G7WN1vTAxo&M@r60wz0}y^8v~e}-hHdBj39 zJzU#QVSddW=b!NiLTw|)D1O03V>n=rS&8kAC}D2+1~|C#pvN%1 zdKBDviv{N*exw{Av;eZoH&;8buwmqd&U;KAnLHu5keGZzJIoZ+CY?~qlrGi+%xRe% z7bz?q)PQLI8jG0;o7N>2hsO`XQA51U0)eM76))yQh$5wm#$=;;jiaxQh{~7Wc^*L3 zgETBF0$~g6!6gpRP-QF;U#t}?$eWR`f*tXJnZ#&6mcVeY5fgtM@STal8ImTv# z5cGR^!4TP~-A`0N9oQK?*$qUDRM1W5(73XtPV(}_eAzcq)5!#`1ncv*qt$i4Q&O)N znR8OJw{KD39`tld@Ubjb%H2$@2jGmqxy!BF(o!OlZ7&1Zp-0?@2_&$8QHHR$G3xzv~X60oeg7_Hi{F4dNjN3lwx9=BZ0XqL~`m z4`jwrUSJn_HV?nYCyp)78OVwoy@BLQv(<7m-)qe7DMr2_n4z6=yOXP!Q(2R?7nWrO z%0Okh)%Y|9uCAG0oqfH^#bxwF<&A#e3o~*B#Jl8OqwPj$r^xO^U|GJ`$Ps?Nli9(> zM1+KPXBoEKtjqVu(qVxU8Y@-OraI|7{;>ARd8TCJwnx-d_n=U_Y8A)GSoc{J%gUNZ zNXog)xB1z2$+E-H(s4sP_!JZ!3TD$E?jGhPu@7kLPmeYsIh6$*=Cpe*lsp3fTww z$afzc-Sj+zPbKH3jIYR#6eT&HI4j#Oqt6!ZYA#fc1x`z;2YZ3n8-esE4dN=RAc|8~ z@>6YvHw*K;bHE-w#Hdw*m5Qn;rODRUicH3)6rV3)=ak^R5+-BPz%8;DVtaDUzCK2_ z2&)26Pu6%Sa4dvH2YiQ?NU-Mh@V$F&Ik-_0F6Fw2ADLhIaiYIUt39M5S~-(~hjyfs zp9H?MNHR`9t&Lm^WMG3M$c;Wbm-l+f^jgM1w1=`ll+i^sn7daAknU5dw6f`tL=L3J z?H$(wS5fr7P9!vTzFiuYKb!7>=#ZZMppK@2T6g(ILSwa}MlOpfJYFbz>?tCG9pAr` 
T&hwGIjIKBbg^O-KXFCR}s!~J% literal 0 HcmV?d00001