host-forgejo-runner/Makefile
Renovate[BOT] 248789ae49
chore(deps): update docker.io/library/docker:28.5.1-dind docker digest to ea9d204 (#429)
Reviewed-on: #429
Co-authored-by: Renovate[BOT] <renovate-bot@auengun.net>
Co-committed-by: Renovate[BOT] <renovate-bot@auengun.net>
2025-11-01 15:08:01 +00:00


# git.auengun.net/homelab/host-forgejo-runner
# Copyright (C) 2024 GregoryDosh
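# Avoid noisy directory messages
MAKEFLAGS += --no-print-directory
# Every target in this file is a command rather than a file it produces, so all
# of them are phony: a stray file named e.g. "grype" or "healthchecks" in the
# checkout would otherwise silently mask the rule.
.PHONY: print-env install-deps grype ansible-pipeline pull-image \
        homelab-common healthchecks forgejo-runner \
        tf-init tf-plan tf-apply tf-destroy tf-output tf-shell
####################
# Renovate Managed #
####################
# Images are pinned by tag AND digest, so a Renovate bump is content-addressed
# and `docker pull` verifies that what it fetched matches the digest below.
# Keep the `export NAME=value` shape: Renovate's regex manager matches on it.
# renovate: datasource=docker depName=docker.io/library/docker versioning=docker
export DOCKER_DIND_VERSION=28.5.1-dind@sha256:ea9d20492ca1caaaba78e68453433895d256173c79281756e88b745647fcbcfd
# renovate: datasource=docker depName=code.forgejo.org/forgejo/runner versioning=docker
export FORGEJO_RUNNER_VERSION=11.2.0@sha256:85709f74716b64bf46f753676cec5299dd15010a4517fe4efdb2f84d31f4bbdd
# renovate: datasource=docker depName=git.auengun.net/homelab/image-forgejo-runner versioning=docker
export FORGEJO_RUNNER_IMAGE_ACT_VERSION=act-latest@sha256:02fdabf7bde6c8c4378f1d286773fbac7b6432a0c0119a073de34ba066bd4697
# My homelab pulls secrets from an internal secrets provider
# called Infisical. A while ago I was using it as an ansible
# library which used a python client. It was fragile and their
# update cadence was out of step, which led to breaking changes.
#
# In corporate environments I've seen a number of different
# deployed solutions that aim to "solve" the problem of developer
# consumption of secrets and configuration. Custom built or vendor.
# They all sort of run into a problem when you need to change
# them for some reason or another.
#
# I recommend using whatever provider your environment supports
# and then ingesting secrets/configuration through environment
# variables or files where appropriate. Decouple the app secrets
# and config from the provider and the consumer through the
# common "API" of the file system and shell environment.
export INFISICAL_API_URL=https://infisical.auengun.net/api
# The Infisical folder is derived from the checkout's directory name: the text
# before the first "-" becomes the top-level folder and the remainder (keeping
# any further "-") the subfolder, e.g. host-forgejo-runner -> /host/forgejo-runner.
# Evaluated once with ":=" so the `cut` pipelines run at parse time instead of on
# every expansion of an exported variable (i.e. every recipe line).
project_dir := $(notdir $(CURDIR))
export INFISICAL_PATH := /$(shell echo '$(project_dir)' | cut -f1 -d"-")/$(shell echo '$(project_dir)' | cut -f2- -d"-")
# Exchange the machine-identity credentials (INFISICAL_CLIENT_ID /
# INFISICAL_CLIENT_SECRET from the caller's environment) for a token, once per
# make invocation. With the recursive "=" this used to have, the $(shell ...)
# was re-expanded - i.e. `infisical login` re-ran - for every recipe line that
# spawned a shell, because exported variables are expanded when each child
# environment is built.
# The client secret is passed as a command-line argument, so it is briefly
# visible in the process list to other users on the same machine.
# NOTE(review): the CLI may accept these credentials from environment variables
# instead - confirm against the installed CLI version before switching.
export INFISICAL_TOKEN := $(shell infisical --telemetry=false --domain=${INFISICAL_API_URL} login --method=universal-auth --client-id=${INFISICAL_CLIENT_ID} --client-secret=${INFISICAL_CLIENT_SECRET} --silent --plain)
# $(shell ...) swallows the login's exit status, so an auth failure would
# otherwise only surface later as a confusing `infisical run` error.
ifeq ($(strip $(INFISICAL_TOKEN)),)
$(warning INFISICAL_TOKEN is empty: infisical login failed or INFISICAL_CLIENT_ID/INFISICAL_CLIENT_SECRET are not set; targets that use `infisical run` will fail)
endif
# The ansible playbooks seem to have an issue on Darwin (Apple) systems
# and this is the common fix I'd seen to get past misc errors that were showing.
export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES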
# A lil sanity check of what's saved/stored or whatever an app is seeing.
# The INFISICAL_PATH line is echoed back on purpose so it can be copied & pasted
# into a shell; it's mostly a debug/dev convenience.
# Note that `env` dumps every variable `infisical run` injected - secrets
# included - in plaintext to the terminal, so keep this target out of CI logs.
print-env:
	@echo export INFISICAL_PATH=$$INFISICAL_PATH
	@infisical --telemetry=false run --projectId $$INFISICAL_PROJECT_ID --path=$$INFISICAL_PATH --command="env -0 | sort -z | tr '\0' '\n'"
# Sets up the local (or CI) environment with the dependencies the playbooks need.
########################
# Ansible Dependencies #
########################
# Ansible is what currently runs the commands necessary to mutate a running
# physical/virtual machine into a "reliably" consistent state. Or at least something
# we can more reasonably reason with. Mileage out on if it's good. TODO: Nix/GUIX!
#
# Ansible doesn't do much for deps but there is an `ansible-galaxy` bin which is
# needed to install ansible roles/collections from the `requirements.yml` file.
# The bin is installed in the Forgejo runner image and installed manually in local environments.
#
# I've iterated on roles & collections and right now I'm pulling everything I need from
# some instances of this workflow that do or don't have them. I've just kept
# the workflow generic enough to use "as-is" if I'm not using distinct roles/collections here.
#
# `--force` re-installs the collections on every run, so what ends up installed is
# whatever requirements.yml resolves to at that moment.
# NOTE(review): confirm the collections in requirements.yml are version-pinned,
# otherwise each run may pull a newer, unreviewed version.
install-deps:
	@echo Installing Dependencies
	ansible-galaxy collection install -r requirements.yml --force
# Scan the two pinned upstream images for known vulnerabilities. Both images are
# always scanned, even when the first one trips the threshold; the exit status
# says which one failed (1 = docker:dind, 2 = forgejo runner - a runner failure
# wins when both fail, the tables printed above carry the detail). Only findings
# at "critical" fail the run; lower severities are listed but do not block.
grype:
	@echo Checking for CVEs with Grype...
	@bash -c '\
	EXIT_STATUS=0;\
	\
	echo "...docker.io/library/docker:$$DOCKER_DIND_VERSION";\
	grype --fail-on critical --platform linux/amd64 docker.io/library/docker:$$DOCKER_DIND_VERSION -o table || EXIT_STATUS=1;\
	\
	echo "";\
	\
	echo "...code.forgejo.org/forgejo/runner:$$FORGEJO_RUNNER_VERSION";\
	grype --fail-on critical --platform linux/amd64 code.forgejo.org/forgejo/runner:$$FORGEJO_RUNNER_VERSION -o table || EXIT_STATUS=2;\
	\
	exit $$EXIT_STATUS;\
	'
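# This contains the order of all the various subtasks to execute to piece together a cohesive
# flow in both local environments and CI like Forgejo. Leaning on the existing tooling
# makes bootstrapping harder but long-run maintenance easier. Iterate and add things as ya go.
#
# The steps are deliberately sequential (install-deps must finish before any
# playbook runs), so they are invoked through a sub-make in order rather than
# listed as prerequisites, which would be unordered under `make -j`.
# $(MAKE), not a bare `make`, so flags, the jobserver and -n propagate.
ansible-pipeline:
	$(MAKE) install-deps homelab-common healthchecks forgejo-runner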
# Pre-fetch the three images this host runs. Each reference carries a digest, so
# the pull is content-addressed and stops at the first image that fails to
# pull (or fails to match its digest), exactly like three separate lines would.
pull-image:
	@for image in \
	    docker.io/library/docker:$$DOCKER_DIND_VERSION \
	    code.forgejo.org/forgejo/runner:$$FORGEJO_RUNNER_VERSION \
	    git.auengun.net/homelab/image-forgejo-runner:$$FORGEJO_RUNNER_IMAGE_ACT_VERSION; \
	do docker pull --platform linux/amd64 "$$image" || exit $$?; done
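# One playbook run per tag. The target name is also the --tags value, so a
# single static pattern rule ($* is the whole target name) replaces three
# copy-pasted rules that had already started to drift. Secrets reach the
# playbook only through the environment `infisical run` builds for it.
homelab-common healthchecks forgejo-runner: %:
	@echo export INFISICAL_PATH=$$INFISICAL_PATH
	@infisical --telemetry=false run --projectId $$INFISICAL_PROJECT_ID --path=$$INFISICAL_PATH --command="ansible-playbook -i hosts ansible-pipeline.yml --tags=$*"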
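# OpenTofu wrappers. The tf- prefix is stripped and the rest is the tofu
# subcommand (tf-plan -> `tofu plan`), so one static pattern rule covers the
# four identical rules this used to be. tf-apply and tf-destroy change real
# infrastructure; tofu's own interactive confirmation is the only guard here.
tf-init tf-plan tf-apply tf-destroy: tf-%:
	@echo export INFISICAL_PATH=$$INFISICAL_PATH
	@infisical --telemetry=false run --projectId $$INFISICAL_PROJECT_ID --path=$$INFISICAL_PATH --command='tofu $*'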
# Print the CF_TUNNEL_TOKEN output of the tofu state. The value is a credential
# and lands in plaintext on stdout - use it locally, not from a CI job whose
# log is retained.
tf-output:
	@echo export INFISICAL_PATH=$$INFISICAL_PATH
	@infisical --telemetry=false run --projectId $$INFISICAL_PROJECT_ID --path=$$INFISICAL_PATH --command='tofu output CF_TUNNEL_TOKEN'
# Drop into an interactive zsh with the Infisical-provided environment loaded,
# for ad-hoc tofu/ansible poking. Every injected secret is in that shell's
# environment, so anything spawned from it (and zsh's history, depending on
# config) can see them.
tf-shell:
	@echo export INFISICAL_PATH=$$INFISICAL_PATH
	@infisical --telemetry=false run --projectId $$INFISICAL_PROJECT_ID --path=$$INFISICAL_PATH --command='zsh -i'