From f46e1e1cb1259a70dc0a480d8856d9963cf0e030 Mon Sep 17 00:00:00 2001
From: Julian Foad
Date: Mon, 21 Oct 2024 21:37:49 +0100
Subject: [PATCH] Initial commit
---
README.md | 27 ++++++
defaults/main.yml | 44 +++++++++
tasks/main.yml | 71 ++++++++++++++
templates/create-db.sql.j2 | 2 +
vars/compose.yml | 44 +++++++++
vars/settings.yml | 191 +++++++++++++++++++++++++++++++++++++
6 files changed, 379 insertions(+)
create mode 100644 README.md
create mode 100644 defaults/main.yml
create mode 100644 tasks/main.yml
create mode 100644 templates/create-db.sql.j2
create mode 100644 vars/compose.yml
create mode 100644 vars/settings.yml
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..2ce0a74
--- /dev/null
+++ b/README.md
@@ -0,0 +1,27 @@
+An Ansible role to deploy Vervis in (Docker) containers.
+
+## Requires
+
+On the controller:
+
+- Ansible
+- This role
+
+On the target machine:
+
+- Docker, including 'docker compose' command
+
+## Brief Instructions
+
+Download and store the role where your Ansible configuration can find it, either using ansible-galaxy or manually.
+
+Include the role in your playbook. Set the required variables, and any optional variables, in your inventory or with the 'vars' keyword. All required and optional variables are listed in 'defaults/main.yml'.
+
+Example (in 'roles' section in an Ansible playbook):
+
+```yaml
+ - role: vervis-docker-ansible
+ vars:
+ vervis_domain: vervis.example.org
+ ...
+```
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..ab8f4df
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,44 @@
+---
+
+# The (public/end-user) domain at which Vervis is served.
+vervis_domain: ~
+
+# The host filesystem path in which to install Vervis files.
+vervis_host_base_path: /srv/vervis
+
+# The host system UID/GID to use for files and to run the Vervis containers.
+vervis_host_uid: 981
+vervis_host_gid: 981
+
+# Bind the Vervis HTTP port to this TCP port number (or INTERFACE:PORT) on the Docker host.
+vervis_host_bind_port_http: 3000
+# Bind the Vervis SSH port to this TCP port number (or INTERFACE:PORT) on the Docker host.
+vervis_host_bind_port_ssh: 22
+
+# The Vervis Docker image to run.
+vervis_docker_image: codeberg.org/forgefed/vervis:0.1
+# The Postgres database image to run.
+vervis_postgres_docker_image: postgres:15-bookworm
+# The Postgres database super-user password. Required.
+vervis_postgres_su_password: ~
+# The Postgres database 'vervis' user password. Required.
+vervis_postgres_password: ~
+
+# Custom settings. These override or add to the default settings, using
+# the Ansible 'combine' operator.
+# For available setting and documentation see Vervis' sample settings:
+# https://codeberg.org/ForgeFed/Vervis/src/branch/main/config/settings-sample-prod.yaml
+# Here you can provide the outgoing mail settings ('mail' section) and any
+# other settings.
+vervis_settings_custom:
+ mail:
+ smtp:
+ login:
+ user: "vervis@{{ vervis_domain }}"
+ password: "abcd0123456789"
+ host: "smtp.example.org"
+ port: 587
+ sender:
+ name: "Vervis"
+ email: "vervis@{{ vervis_domain }}"
+ allow-reply: false
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..0f09b38
--- /dev/null
+++ b/tasks/main.yml
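Review bot: `vervis_settings_custom` ships a live-looking SMTP credential (`password: "abcd0123456789"` against `host: "smtp.example.org"`) as the role's installed default, so a deployment that forgets to override it will attempt to authenticate to a third-party host with that placeholder instead of failing, and outgoing mail silently does not work. Make the default empty, `vervis_settings_custom: {}`, and keep the mail block as a commented example, the way the `~` values above already treat the Postgres passwords. Those two passwords are marked Required, but nothing in this hunk says how that is enforced; a one-line note that the role asserts them at start (and that they belong in vault, not the inventory) would help operators. Defaulting `vervis_host_bind_port_ssh` to `22` will collide with the host's own sshd on most machines, and leaves git-SSH published on every interface; a comment, or a different default, is worth considering. `port: 587` is an integer here while Vervis' own sample quotes it as `"587"`; I cannot tell from this hunk whether Vervis accepts an integer, so please confirm.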
@@ -0,0 +1,71 @@
+---
+
+- name: directories
+ file: state=directory path="{{ item }}" owner="{{ vervis_host_uid }}" group="{{ vervis_host_gid }}"
+ loop:
+ - "{{ vervis_host_base_path }}"
+ - "{{ vervis_host_base_path }}/config"
+ - "{{ vervis_host_base_path }}/postgres15"
+ - "{{ vervis_host_base_path }}/state"
+ - "{{ vervis_host_base_path }}/state/repos"
+ - "{{ vervis_host_base_path }}/state/deliveries"
+
+- name: settings base
+ include_vars:
+ file: settings.yml
+ name: vervis_settings_base
+
+- name: settings override
+ set_fact:
+ vervis_settings: "{{ vervis_settings_base | combine(vervis_settings_custom) }}"
+
+- name: settings file
+ copy:
+ content: "{{ vervis_settings|to_yaml }}"
+ dest: "{{ vervis_host_base_path }}/config/settings.yml"
+ owner: "{{ vervis_host_uid }}"
+ group: "{{ vervis_host_gid }}"
+
+- name: create-db.sql file
+ template:
+ src: "{{ item.src }}.j2"
+ dest: "{{ vervis_host_base_path }}/{{ item.dest|default(item.src) }}"
+ owner: "{{ vervis_host_uid }}"
+ group: "{{ vervis_host_gid }}"
+ loop:
+ - { src: create-db.sql }
+
+#- name: ssh-host-key
+# community.crypto.openssh_keypair:
+# path: "{{ vervis_host_base_path }}/state/ssh-host-key"
+# comment: "..."
+# owner: "{{ vervis_host_uid }}"
+# group: "{{ vervis_host_gid }}"
+# mode: "0600"
+# regenerate: partial_idempotence # a reasonable default behaviour
+# #register: keypair_result
+
+- name: ssh-host-key
+ shell:
+ cmd: "ssh-keygen -t rsa -m PEM -f {{ vervis_host_base_path }}/state/ssh-host-key"
+ creates: "{{ vervis_host_base_path }}/state/ssh-host-key"
+
+- name: ssh-host-key permissions
+ file:
+ path: "{{ vervis_host_base_path }}/state/{{ item }}"
+ owner: "{{ vervis_host_uid }}"
+ group: "{{ vervis_host_gid }}"
+ loop:
+ - ssh-host-key
+ - ssh-host-key.pub
+
+- name: compose definition
+ include_vars:
+ file: compose.yml
+ name: vervis_compose_definition
+
+- name: docker compose up
+ community.docker.docker_compose_v2:
+ project_name: vervis
+ definition: "{{ vervis_compose_definition }}"
+ remove_orphans: true
diff --git a/templates/create-db.sql.j2 b/templates/create-db.sql.j2
new file mode 100644
index 0000000..969dc67
--- /dev/null
+++ b/templates/create-db.sql.j2
@@ -0,0 +1,2 @@
+CREATE USER vervis WITH NOSUPERUSER NOCREATEDB NOCREATEROLE ENCRYPTED PASSWORD '{{ vervis_postgres_password }}' ;
+CREATE DATABASE vervis_production WITH OWNER vervis ENCODING UTF8 ;
diff --git a/vars/compose.yml b/vars/compose.yml
new file mode 100644
index 0000000..85567e1
--- /dev/null
+++ b/vars/compose.yml
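Review bot: The `settings file` copy and the `create-db.sql file` template both write the Postgres password (and any SMTP credential from `vervis_settings_custom`) to the host without a `mode`, so under the usual 022 umask they are created world-readable; add `mode: "0640"` to both tasks, as the commented-out openssh_keypair task already intends with its `mode: "0600"`. The `ssh-keygen` command passes no `-N`, so it relies on the two passphrase prompts reading an empty stdin under Ansible; make that explicit and quote the templated path so the command survives spaces: `cmd: "ssh-keygen -t rsa -m PEM -N '' -f '{{ vervis_host_base_path }}/state/ssh-host-key'"`. Nothing checks the variables that defaults/main.yml marks Required, so a host that leaves `vervis_postgres_su_password` or `vervis_postgres_password` at `~` gets a None/empty value rendered into settings.yml and create-db.sql rather than a failure; an `ansible.builtin.assert` at the top of the role on those two plus `vervis_domain` would fail fast. `combine` without `recursive=True` is a shallow merge, so a custom `mail:` or `database:` mapping replaces the whole default section rather than overriding single keys as the defaults comment suggests.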
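Review bot: `vervis_postgres_password` is interpolated straight into a single-quoted SQL literal, so a password containing a `'` breaks the script or changes its meaning; escape it for SQL, `ENCRYPTED PASSWORD '{{ vervis_postgres_password | replace("'", "''") }}'`. Because this file is mounted into `docker-entrypoint-initdb.d`, the official postgres entrypoint runs it only when the data directory is being initialised, so a later change to `vervis_postgres_password` updates settings.yml but not the role's password in the database and the web container stops authenticating. That limitation deserves a comment at the top of the template, e.g. `-- Runs once, on first initialisation of an empty data directory; rotate the password afterwards with ALTER USER.`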
@@ -0,0 +1,44 @@
+---
+
+services:
+ db:
+ restart: always
+ image: "{{ vervis_postgres_docker_image }}"
+ shm_size: 128mb
+ networks:
+ - internal_network
+ healthcheck:
+ test: ['CMD', 'pg_isready', '-U', 'postgres']
+ volumes:
+ - "{{ vervis_host_base_path }}/postgres15:/var/lib/postgresql/data"
+ - "{{ vervis_host_base_path }}/create-db.sql:/docker-entrypoint-initdb.d/create_database.sql:ro"
+ environment:
+ POSTGRES_PASSWORD: "{{ vervis_postgres_su_password }}"
+ user: "{{ vervis_host_uid }}:{{ vervis_host_gid }}"
+
+ web:
+ # You can uncomment the following line if you want to not use the prebuilt
+ # image, for example if you have local code changes
+ #build: .
+ image: "{{ vervis_docker_image }}"
+ restart: always
+ command: ./vervis config/settings.yml > log/vervis.log 2>&1
+ networks:
+ - external_network
+ - internal_network
+ healthcheck:
+ test: ['CMD-SHELL',"curl -s --noproxy localhost localhost:3000 | grep -q 'OK' || exit 1"]
+ ports:
+ - '{{ vervis_host_bind_port_http }}:3000'
+ - '{{ vervis_host_bind_port_ssh }}:5022'
+ depends_on:
+ - db
+ volumes:
+ - "{{ vervis_host_base_path }}/state:/app/state"
+ - "{{ vervis_host_base_path }}/config:/app/config:ro"
+ user: "{{ vervis_host_uid }}:{{ vervis_host_gid }}"
+
+networks:
+ external_network:
+ internal_network:
+ internal: true
diff --git a/vars/settings.yml b/vars/settings.yml
new file mode 100644
index 0000000..fd985ec
--- /dev/null
+++ b/vars/settings.yml
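Review bot: With the role defaults, `ports` publishes plain HTTP as `3000:3000` and git-SSH as `22:5022` on every host interface, and Docker-published ports are typically inserted ahead of host firewall rules such as ufw, so an instance meant to sit behind a TLS-terminating reverse proxy stays reachable directly on :3000 unless the operator remembers the INTERFACE:PORT form; a `127.0.0.1:3000` default for the HTTP binding would be the safer starting point. `depends_on: - db` ignores the `pg_isready` healthcheck declared on `db`, so `web` can start before the database accepts connections; use the long form with `condition: service_healthy`. The string form of `command` is split shlex-style and not run through a shell by Compose, so `> log/vervis.log 2>&1` is handed to `./vervis` as three arguments unless the image's entrypoint is itself a shell; worth verifying against the image and, if it is not, wrapping in an explicit `sh -c`. Both services already run as an unprivileged uid, so `security_opt: ["no-new-privileges:true"]` on each is a cheap hardening step.
```yaml
  web:
    # … unchanged: image, restart, command, networks, healthcheck, ports …
    depends_on:
      db:
        condition: service_healthy
    security_opt:
      - "no-new-privileges:true"
    # … unchanged: volumes, user …
```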
@@ -0,0 +1,191 @@
+# Values formatted like "_env:ENV_VAR_NAME:default_value" can be overridden by
+# the specified environment variable. See the Yesod wiki, Configuration page.
+
+###############################################################################
+# HTTP server
+###############################################################################
+
+# any IPv4 host
+host: "*4"
+
+# The port `yesod devel` uses is distinct from this value. Set the
+# `yesod devel` port from the command line.
+http-port: "3000"
+
+ip-from-header: "false"
+
+# The instance's host (e.g. "mycoolforge.org"). Used for determining which
+# requests are federated and which are for this instance, and for generating
+# URLs. The database relies on this value, and you shouldn't change it once
+# you deploy an instance.
+instance-host: "{{ vervis_domain }}"
+
+# How much time after the last request it takes for the session cookie to
+# expire
+client-session-timeout:
+ amount: 60
+ unit: days
+
+# Maximal accepted time difference between request date and current time, when
+# performing this check during HTTP signature verification
+request-time-limit:
+ amount: 5
+ unit: minutes
+
+# How often to generate a new actor key for HTTP-signing requests
+actor-key-rotation:
+ amount: 1
+ unit: days
+
+# Whether to use personal actor keys, or an instance-wide key
+per-actor-keys: false
+
+###############################################################################
+# Development
+###############################################################################
+
+# Optional values with the following production defaults.
+# In development, they default to the inverse.
+#
+# development: false
+# detailed-logging: false
+# should-log-all: false
+# mutable-static: false
+
+# This setting isn't used anymore (because no more need for SVG fonts)
+# load-font-from-lib-data: false
+
+###############################################################################
+# Database
+###############################################################################
+
+# If you need a numeric value (e.g. 123) to parse as a String, wrap it in
+# single quotes (e.g. "_env:PGPASS:'123'"). See the Yesod wiki, Configuration
+# page.
+
+database:
+ user: "vervis"
+ password: "{{ vervis_postgres_password }}"
+ host: "db"
+ port: "5432"
+ database: "vervis_production"
+ poolsize: "10"
+
+max-instance-keys: 2
+max-actor-keys: 2
+
+state-dir: state
+
+###############################################################################
+# Version control repositories
+###############################################################################
+
+diff-context-lines: 5
+post-receive-hook: /app/vervis-post-receive
+post-apply-hook: /app/vervis-post-apply
+
+###############################################################################
+# SSH server
+###############################################################################
+
+ssh-port: 5022
+
+###############################################################################
+# Accounts
+###############################################################################
+
+registration: false
+max-accounts: 3
+
+# Whether to verify users' email addresses by sending them email with a
+# verification link. If not set below, the default is not to verify in
+# development, and to verify otherwise.
+email-verification: true
+
+# Person usernames who are allowed to create Factory actors
+can-create-factories: []
+
+# KeyHashids of local Factory actors who will auto-send a develop-Grant to
+# every newly created account
+#
+# If empty or unset, and there's exactly 1 local factory in DB, it will
+# automatically become the resident
+resident-factories: []
+
+###############################################################################
+# Mail
+###############################################################################
+
+# Optional SMTP server settings for sending email. If not provided, no email
+# will be sent. The login field is optional, provide if you need SMTP
+# authentication.
+
+#mail:
+# smtp:
+# login:
+# user: "vervis@dev.example.org"
+# password: "abcd0123456789"
+# host: "smtp.example.org"
+# port: "587"
+# sender:
+# name: "Vervis"
+# email: "vervis@dev.example.org"
+# allow-reply: false
+
+###############################################################################
+# Federation
+###############################################################################
+
+# Whether to support federation. This includes:
+#
+# * Accept activities from other servers in the inbox
+# * Accept activities from users in the outbox
+# * Deliver local activities to other servers
+federation: true
+
+# Whether to reject an HTTP signature when we want to insert a new key or usage
+# record but reached the limit setting
+reject-on-max-keys: true
+
+# The duration of time during which a remote actor is unreachable and we
+# periodically retry to deliver them activities. After that period of time, we
+# stop trying to deliver and we remove them from follower lists of local
+# actors.
+#
+# TODO this probably isn't working anymore since the switch to DeliveryTheater
+drop-delivery-after:
+ amount: 25
+ unit: weeks
+
+# Base of the exponential backoff for inbox POST delivery to remote actors,
+# i.e. how much time to wait before the first retry.
Afterwards this time
+# interval will be doubled with each retry.
+retry-delivery-base:
+ amount: 5
+ unit: minutes
+
+# How many activities to remember in the debug report list, showing latest
+# activities received in local inboxes and the result of their processing.
+# 'null' means disable the report page entirely.
+#activity-debug-reports: 10
+
+# List of (hosts of) other known federating instances.
+#instances: []
+
+# Maximal length we allow for Grant chains (default: 16)
+max-grant-chain-length: 16
+
+###############################################################################
+# User interface
+###############################################################################
+
+# Default color scheme for syntax highlighing of code blocks inside rendered
+# documents. The available styles are listed in the "Text.Pandoc.Highlighting"
+# module documentation.
+highlight-style: zenburn
+
+# Color scheme to use for UI header, footer, links on pages etc., should help
+# with visually identifying instances that may otherwise look very much alike.
+# Any number is valid; the scheme is chosen via modulo the number of available
+# schemes.
+main-color: 0
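Review bot: `ip-from-header: "false"` is correct while the container port is published directly, but it also means that once a reverse proxy is placed in front (which the plain-HTTP :3000 binding in compose.yml implies), every request appears to originate from the proxy; conversely, flipping it to `"true"` while :3000 remains reachable lets any client spoof its address through the forwarded-for header. Because this file is rendered through `to_yaml` the comments never reach the deployed settings.yml, so the guidance has to live here: `# Set to "true" only when a trusted reverse proxy rewrites the forwarded-for header AND the container port is not reachable directly.` `client-session-timeout` of 60 days idle is long for a forge whose sessions can push code and manage actors; a lower production default, overridable via `vervis_settings_custom`, would be more defensive. The upstream `TODO this probably isn't working anymore` on `drop-delivery-after` was inherited verbatim; if it is a no-op in the pinned 0.1 image that is worth saying in the README rather than carrying silently.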