
Initial commit

This commit is contained in:
Julian Foad 2024-10-21 21:37:49 +01:00
commit f46e1e1cb1
6 changed files with 379 additions and 0 deletions

27
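--- /dev/null
+++ b/README.md
@@ -0,0 +1,27 @@
+An Ansible role to deploy Vervis in (Docker) containers.
+## Requires
+On the controller:
+- Ansible
+- This role
+On the target machine:
+- Docker, including 'docker compose' command
+## Brief Instructions
+Download and store the role where your Ansible configuration can find it, either using ansible-galaxy or manually.
+Include the role in your playbook. Set the required variables, and any optional variables, in your inventory or with the 'vars' keyword. All required and optional variables are listed in 'defaults/main.yml'.
+Example (in 'roles' section in an Ansible playbook):
+```yaml
+- role: vervis-docker-ansible
+vars:
+vervis_domain: vervis.example.org
+...
+```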

44
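--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,44 @@
+---
+# The (public/end-user) domain at which Vervis is served.
+vervis_domain: ~
+# The host filesystem path in which to install Vervis files.
+vervis_host_base_path: /srv/vervis
+# The host system UID/GID to use for files and to run the Vervis containers.
+vervis_host_uid: 981
+vervis_host_gid: 981
+# Bind the Vervis HTTP port to this TCP port number (or INTERFACE:PORT) on the Docker host.
+vervis_host_bind_port_http: 3000
+# Bind the Vervis SSH port to this TCP port number (or INTERFACE:PORT) on the Docker host.
+vervis_host_bind_port_ssh: 22
+# The Vervis Docker image to run.
+vervis_docker_image: codeberg.org/forgefed/vervis:0.1
+# The Postgres database image to run.
+vervis_postgres_docker_image: postgres:15-bookworm
+# The Postgres database super-user password. Required.
+vervis_postgres_su_password: ~
+# The Postgres database 'vervis' user password. Required.
+vervis_postgres_password: ~
+# Custom settings. These override or add to the default settings, using
+# the Ansible 'combine' operator.
+# For available setting and documentation see Vervis' sample settings:
+# https://codeberg.org/ForgeFed/Vervis/src/branch/main/config/settings-sample-prod.yaml
+# Here you can provide the outgoing mail settings ('mail' section) and any
+# other settings.
+vervis_settings_custom:
+mail:
+smtp:
+login:
+user: "vervis@{{ vervis_domain }}"
+password: "abcd0123456789"
+host: "smtp.example.org"
+port: 587
+sender:
+name: "Vervis"
+email: "vervis@{{ vervis_domain }}"
+allow-reply: false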
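Review bot: The role default for `vervis_settings_custom` (the last stanza of the hunk) is a live example of SMTP credentials — `password: "abcd0123456789"` against `host: "smtp.example.org"` — so a deployment that never overrides it writes those placeholder mail settings into the rendered settings.yml and tries to relay mail through a host the operator does not control. Defaulting to `vervis_settings_custom: {}` and keeping the example as a comment block avoids that. The comment above it should also say that Ansible's `combine` is shallow unless called with `recursive=True`, so a custom `mail` key replaces the whole default `mail` section rather than merging into it. Separately, the comments on `vervis_host_bind_port_http` and `vervis_host_bind_port_ssh` could note that a bare port publishes on all host interfaces (Docker's published ports are generally not filtered by host firewall rules), so `127.0.0.1:3000` is the safer default when a reverse proxy fronts Vervis, and that `22` collides with a host sshd listening on the same interface.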

71
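--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,71 @@
+---
+- name: directories
+file: state=directory path="{{ item }}" owner="{{ vervis_host_uid }}" group="{{ vervis_host_gid }}"
+loop:
+- "{{ vervis_host_base_path }}"
+- "{{ vervis_host_base_path }}/config"
+- "{{ vervis_host_base_path }}/postgres15"
+- "{{ vervis_host_base_path }}/state"
+- "{{ vervis_host_base_path }}/state/repos"
+- "{{ vervis_host_base_path }}/state/deliveries"
+- name: settings base
+include_vars:
+file: settings.yml
+name: vervis_settings_base
+- name: settings override
+set_fact:
+vervis_settings: "{{ vervis_settings_base | combine(vervis_settings_custom) }}"
+- name: settings file
+copy:
+content: "{{ vervis_settings|to_yaml }}"
+dest: "{{ vervis_host_base_path }}/config/settings.yml"
+owner: "{{ vervis_host_uid }}"
+group: "{{ vervis_host_gid }}"
+- name: create-db.sql file
+template:
+src: "{{ item.src }}.j2"
+dest: "{{ vervis_host_base_path }}/{{ item.dest|default(item.src) }}"
+owner: "{{ vervis_host_uid }}"
+group: "{{ vervis_host_gid }}"
+loop:
+- { src: create-db.sql }
+#- name: ssh-host-key
+# community.crypto.openssh_keypair:
+# path: "{{ vervis_host_base_path }}/state/ssh-host-key"
+# comment: "..."
+# owner: "{{ vervis_host_uid }}"
+# group: "{{ vervis_host_gid }}"
+# mode: "0600"
+# regenerate: partial_idempotence # a reasonable default behaviour
+# #register: keypair_result
+- name: ssh-host-key
+shell:
+cmd: "ssh-keygen -t rsa -m PEM -f {{ vervis_host_base_path }}/state/ssh-host-key"
+creates: "{{ vervis_host_base_path }}/state/ssh-host-key"
+- name: ssh-host-key permissions
+file:
+path: "{{ vervis_host_base_path }}/state/{{ item }}"
+owner: "{{ vervis_host_uid }}"
+group: "{{ vervis_host_gid }}"
+loop:
+- ssh-host-key
+- ssh-host-key.pub
+- name: compose definition
+include_vars:
+file: compose.yml
+name: vervis_compose_definition
+- name: docker compose up
+community.docker.docker_compose_v2:
+project_name: vervis
+definition: "{{ vervis_compose_definition }}"
+remove_orphans: true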
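Review bot: Nothing in this playbook checks that the three variables the defaults mark as required are actually set, and a `~` default renders through Jinja as the literal string `None`, so with an unconfigured inventory the `settings file` and `create-db.sql file` tasks happily write `None` as the database password and the `docker compose up` task starts Postgres with that superuser password. An `assert` task at the top of the file (below) fails the run early with a clear message instead. The `settings file` and `create-db.sql file` tasks also write files that contain the database password but set no `mode:`, so they get the remote umask default (commonly world-readable); `mode: "0600"` is enough because the owner is already the container UID, and `no_log: true` keeps the rendered content out of verbose and `--diff` output. The `ssh-host-key` task uses no shell features, so `command:` would do the same job without passing `vervis_host_base_path` through a shell.
```yaml
- name: required variables
  assert:
    that:
      - vervis_domain is string and vervis_domain | length > 0
      - vervis_postgres_su_password is string and vervis_postgres_su_password | length > 0
      - vervis_postgres_password is string and vervis_postgres_password | length > 0
    quiet: true
# … unchanged: directories, settings base, settings override …
- name: settings file
  copy:
    content: "{{ vervis_settings|to_yaml }}"
    dest: "{{ vervis_host_base_path }}/config/settings.yml"
    owner: "{{ vervis_host_uid }}"
    group: "{{ vervis_host_gid }}"
    mode: "0600"
  no_log: true
# … unchanged: create-db.sql file (same mode/no_log additions), ssh-host-key, compose definition, docker compose up …
```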


@ -0,0 +1,2 @@
CREATE USER vervis WITH NOSUPERUSER NOCREATEDB NOCREATEROLE ENCRYPTED PASSWORD '{{ vervis_postgres_password }}' ;
CREATE DATABASE vervis_production WITH OWNER vervis ENCODING UTF8 ;
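Review bot: The password on the `CREATE USER` line is dropped verbatim into a single-quoted SQL literal, so any `'` in `vervis_postgres_password` breaks the statement, and because this file runs as a Postgres init script the whole database initialisation then aborts; the standard SQL escape is `ENCRYPTED PASSWORD '{{ vervis_postgres_password | replace("'", "''") }}'`. A comment in the template should also say that `docker-entrypoint-initdb.d` scripts run only when the data directory is first initialised, so changing the variable later does not change the role's password on an existing deployment. This file's header is not shown on the page, so its path is taken from the `create-db.sql` task in tasks/main.yml.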

44
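--- /dev/null
+++ b/vars/compose.yml
@@ -0,0 +1,44 @@
+---
+services:
+db:
+restart: always
+image: "{{ vervis_postgres_docker_image }}"
+shm_size: 128mb
+networks:
+- internal_network
+healthcheck:
+test: ['CMD', 'pg_isready', '-U', 'postgres']
+volumes:
+- "{{ vervis_host_base_path }}/postgres15:/var/lib/postgresql/data"
+- "{{ vervis_host_base_path }}/create-db.sql:/docker-entrypoint-initdb.d/create_database.sql:ro"
+environment:
+POSTGRES_PASSWORD: "{{ vervis_postgres_su_password }}"
+user: "{{ vervis_host_uid }}:{{ vervis_host_gid }}"
+web:
+# You can uncomment the following line if you want to not use the prebuilt
+# image, for example if you have local code changes
+#build: .
+image: "{{ vervis_docker_image }}"
+restart: always
+command: ./vervis config/settings.yml > log/vervis.log 2>&1
+networks:
+- external_network
+- internal_network
+healthcheck:
+test: ['CMD-SHELL',"curl -s --noproxy localhost localhost:3000 | grep -q 'OK' || exit 1"]
+ports:
+- '{{ vervis_host_bind_port_http }}:3000'
+- '{{ vervis_host_bind_port_ssh }}:5022'
+depends_on:
+- db
+volumes:
+- "{{ vervis_host_base_path }}/state:/app/state"
+- "{{ vervis_host_base_path }}/config:/app/config:ro"
+user: "{{ vervis_host_uid }}:{{ vervis_host_gid }}"
+networks:
+external_network:
+internal_network:
+internal: true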
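Review bot: The `command:` line of the `web` service uses shell redirection, but Compose splits a string command into arguments without running it through a shell, so unless the image's entrypoint is itself a shell (not visible from this page) the tokens `>`, `log/vervis.log` and `2>&1` reach `./vervis` as literal arguments. Even where it does work, the log lands in the container's writable layer — `log/` is not among the mounted volumes — so `docker logs` shows nothing, the file is lost whenever the container is recreated, and nothing rotates it, which is a poor position to be in when investigating an incident. Letting the process write to stdout/stderr and dropping the redirection, `command: ["./vervis", "config/settings.yml"]`, puts the output under Docker's logging driver. The `db` service only joins `internal_network` and publishes no ports, which is the right shape; a comment saying that this isolation is deliberate would keep a later edit from adding a `ports:` entry to it.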

191
vars/settings.yml Normal file

@ -0,0 +1,191 @@
# Values formatted like "_env:ENV_VAR_NAME:default_value" can be overridden by
# the specified environment variable. See the Yesod wiki, Configuration page.
###############################################################################
# HTTP server
###############################################################################
# any IPv4 host
host: "*4"
# The port `yesod devel` uses is distinct from this value. Set the
# `yesod devel` port from the command line.
http-port: "3000"
ip-from-header: "false"
# The instance's host (e.g. "mycoolforge.org"). Used for determining which
# requests are federated and which are for this instance, and for generating
# URLs. The database relies on this value, and you shouldn't change it once
# you deploy an instance.
instance-host: "{{ vervis_domain }}"
# How much time after the last request it takes for the session cookie to
# expire
client-session-timeout:
amount: 60
unit: days
# Maximal accepted time difference between request date and current time, when
# performing this check during HTTP signature verification
request-time-limit:
amount: 5
unit: minutes
# How often to generate a new actor key for HTTP-signing requests
actor-key-rotation:
amount: 1
unit: days
# Whether to use personal actor keys, or an instance-wide key
per-actor-keys: false
###############################################################################
# Development
###############################################################################
# Optional values with the following production defaults.
# In development, they default to the inverse.
#
# development: false
# detailed-logging: false
# should-log-all: false
# mutable-static: false
# This setting isn't used anymore (because no more need for SVG fonts)
# load-font-from-lib-data: false
###############################################################################
# Database
###############################################################################
# If you need a numeric value (e.g. 123) to parse as a String, wrap it in
# single quotes (e.g. "_env:PGPASS:'123'"). See the Yesod wiki, Configuration
# page.
database:
user: "vervis"
password: "{{ vervis_postgres_password }}"
host: "db"
port: "5432"
database: "vervis_production"
poolsize: "10"
max-instance-keys: 2
max-actor-keys: 2
state-dir: state
###############################################################################
# Version control repositories
###############################################################################
diff-context-lines: 5
post-receive-hook: /app/vervis-post-receive
post-apply-hook: /app/vervis-post-apply
###############################################################################
# SSH server
###############################################################################
ssh-port: 5022
###############################################################################
# Accounts
###############################################################################
registration: false
max-accounts: 3
# Whether to verify users' email addresses by sending them email with a
# verification link. If not set below, the default is not to verify in
# development, and to verify otherwise.
email-verification: true
# Person usernames who are allowed to create Factory actors
can-create-factories: []
# KeyHashids of local Factory actors who will auto-send a develop-Grant to
# every newly created account
#
# If empty or unset, and there's exactly 1 local factory in DB, it will
# automatically become the resident
resident-factories: []
###############################################################################
# Mail
###############################################################################
# Optional SMTP server settings for sending email. If not provided, no email
# will be sent. The login field is optional, provide if you need SMTP
# authentication.
#mail:
# smtp:
# login:
# user: "vervis@dev.example.org"
# password: "abcd0123456789"
# host: "smtp.example.org"
# port: "587"
# sender:
# name: "Vervis"
# email: "vervis@dev.example.org"
# allow-reply: false
###############################################################################
# Federation
###############################################################################
# Whether to support federation. This includes:
#
# * Accept activities from other servers in the inbox
# * Accept activities from users in the outbox
# * Deliver local activities to other servers
federation: true
# Whether to reject an HTTP signature when we want to insert a new key or usage
# record but reached the limit setting
reject-on-max-keys: true
# The duration of time during which a remote actor is unreachable and we
# periodically retry to deliver them activities. After that period of time, we
# stop trying to deliver and we remove them from follower lists of local
# actors.
#
# TODO this probably isn't working anymore since the switch to DeliveryTheater
drop-delivery-after:
amount: 25
unit: weeks
# Base of the exponential backoff for inbox POST delivery to remote actors,
# i.e. how much time to wait before the first retry. Afterwards this time
# interval will be doubled with each retry.
retry-delivery-base:
amount: 5
unit: minutes
# How many activities to remember in the debug report list, showing latest
# activities received in local inboxes and the result of their processing.
# 'null' means disable the report page entirely.
#activity-debug-reports: 10
# List of (hosts of) other known federating instances.
#instances: []
# Maximal length we allow for Grant chains (default: 16)
max-grant-chain-length: 16
###############################################################################
# User interface
###############################################################################
# Default color scheme for syntax highlighing of code blocks inside rendered
# documents. The available styles are listed in the "Text.Pandoc.Highlighting"
# module documentation.
highlight-style: zenburn
# Color scheme to use for UI header, footer, links on pages etc., should help
# with visually identifying instances that may otherwise look very much alike.
# Any number is valid; the scheme is chosen via modulo the number of available
# schemes.
main-color: 0