host-git/ansible-pipeline.yml
# Private Forgejo instance for managing/automating Auengun.net
# Source available at git.auengun.net/homelab/host-git
# Copyright (C) 2024 GregoryDosh
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
# SPDX-License-Identifier: AGPL-3.0-or-later
# SPDX-FileCopyrightText: 2024 GregoryDosh
---
# Caddy is the HTTPS-terminating proxy that fronts almost every
# Auengun.net service. It obtains its certificates from the internal
# PKI over ACME and additionally provides rate limiting and a measure
# of WAF functionality.
# Custom caddy binary: https://git.auengun.net/homelab/bin-caddy/
- name: Caddy
  hosts: all
  tags:
    - caddy
  tasks:
    # Role source:
    # https://git.auengun.net/homelab/ansible-collection/src/branch/main/roles/caddy
    - ansible.builtin.include_role:
        name: auengun.homelab.caddy
      vars:
        # Both paths are relative to this playbook's directory.
        CADDY_CADDYFILE_ROBOTS_TXT: 'templates/robots.txt'
        CADDY_CADDYFILE_LOCAL_SRC: 'templates/Caddyfile'
# A custom role built up over time by iterating on my homelab and
# devops-y workflow. Its job is to bootstrap whatever the Proxmox LXC
# container is missing so that it can participate in the homelab.
# That almost always means PKI pieces such as SSL certs for SSH & web
# authentication of users, plus any other small tasks needed to get
# the container ready for the rest of the playbook.
# More and more of this 'common' work is being pushed upstream into
# the base LXC, which then serves as the example to build from -- the
# same shift applied to the OCI images used for the Forgejo runners
# and the Renovate maintenance tasks.
- name: Homelab Common
  hosts: all
  tags:
    - homelab-common
  tasks:
    # Role source:
    # https://git.auengun.net/homelab/ansible-collection/src/branch/main/roles/common
    - ansible.builtin.include_role:
        name: auengun.homelab.common
      vars:
        # Extra Alloy cleanup rules, read verbatim from the templates
        # directory on the controller at play time.
        GRAFANA_ALLOY_EXTRA_CLEANUP_RULES: "{{ lookup('ansible.builtin.file', 'templates/log-cleanup.alloy')}}"
        # Presumably the local service accounts SSSD should skip when
        # resolving users/groups -- confirm against the common role.
        SSSD_FILTER_USERS:
          - 'git'
          - 'forgejo'
        SSSD_FILTER_GROUPS:
          - 'forgejo'
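# The Forgejo installation used to be an ansible playbook I pulled from
# an externally mirrored repo. It was an okay setup where I was trying
# to be somewhat repeatable and less manual about standing up my infrastructure.
# Things have matured now and the playbook I relied on isn't meeting my demands.
# I'd like to quickly update/rollback more atomically. Things like NixOS/Guix
# are absolutely in mind, but the stopgap in learning here for me is something
# like Docker & OCI images. So this is an example of practical compromise as
# parts of my homelab evolve with me over time.
- name: Forgejo
  hosts: all
  tags:
    - forgejo
  tasks:
    # Everything Forgejo needs arrives through the environment of the
    # process running this playbook and is promoted to facts here.
    # Several of these values are credentials (INTERNAL_TOKEN, JWT_SECRET,
    # POSTGRES_PASSWORD, SECRET_KEY, SMTP_TOKEN), so the task is marked
    # no_log to keep them out of callback output, -v runs and stored results.
    - name: Facts from environment
      no_log: true
      ansible.builtin.set_fact:
        COOKIE_NAME: "{{ lookup('ansible.builtin.env', 'COOKIE_NAME') }}"
        COOKIE_REMEMBER_NAME: "{{ lookup('ansible.builtin.env', 'COOKIE_REMEMBER_NAME') }}"
        FORGEJO_VERSION: "{{ lookup('ansible.builtin.env', 'FORGEJO_VERSION') }}"
        INTERNAL_TOKEN: "{{ lookup('ansible.builtin.env', 'INTERNAL_TOKEN') }}"
        JWT_SECRET: "{{ lookup('ansible.builtin.env', 'JWT_SECRET') }}"
        POSTGRES_DB: "{{ lookup('ansible.builtin.env', 'POSTGRES_DB') }}"
        POSTGRES_HOST: "{{ lookup('ansible.builtin.env', 'POSTGRES_HOST') }}"
        POSTGRES_PASSWORD: "{{ lookup('ansible.builtin.env', 'POSTGRES_PASSWORD') }}"
        POSTGRES_USER: "{{ lookup('ansible.builtin.env', 'POSTGRES_USER') }}"
        POSTGRES_VERSION: "{{ lookup('ansible.builtin.env', 'POSTGRES_VERSION') }}"
        REDIS_VERSION: "{{ lookup('ansible.builtin.env', 'REDIS_VERSION') }}"
        SECRET_KEY: "{{ lookup('ansible.builtin.env', 'SECRET_KEY') }}"
        SMTP_PORT: "{{ lookup('ansible.builtin.env', 'SMTP_PORT') }}"
        SMTP_SERVER: "{{ lookup('ansible.builtin.env', 'SMTP_SERVER') }}"
        SMTP_TOKEN: "{{ lookup('ansible.builtin.env', 'SMTP_TOKEN') }}"
        SMTP_USERNAME: "{{ lookup('ansible.builtin.env', 'SMTP_USERNAME') }}"
        SSH_TRUSTED_USER_CA_KEYS: "{{ lookup('ansible.builtin.env', 'SSH_TRUSTED_USER_CA_KEYS') }}"
        STEP_CERTS_ACME_CA_PROVISIONER: "{{ lookup('ansible.builtin.env', 'STEP_CERTS_ACME_CA_PROVISIONER') }}"
    # An unset variable comes back as an empty string from the env lookup,
    # so check length rather than definedness. Failing here stops an empty
    # value from being templated into the role vars further down. The
    # assertion text names only the variable, never its value.
    - name: Validate required variables defined.
      ansible.builtin.assert:
        that:
          - "COOKIE_NAME | length > 0"
          - "COOKIE_REMEMBER_NAME | length > 0"
          - "FORGEJO_VERSION | length > 0"
          - "INTERNAL_TOKEN | length > 0"
          - "JWT_SECRET | length > 0"
          - "POSTGRES_DB | length > 0"
          - "POSTGRES_HOST | length > 0"
          - "POSTGRES_PASSWORD | length > 0"
          - "POSTGRES_USER | length > 0"
          - "POSTGRES_VERSION | length > 0"
          - "REDIS_VERSION | length > 0"
          - "SECRET_KEY | length > 0"
          - "SMTP_PORT | length > 0"
          - "SMTP_SERVER | length > 0"
          - "SMTP_TOKEN | length > 0"
          - "SMTP_USERNAME | length > 0"
          - "SSH_TRUSTED_USER_CA_KEYS | length > 0"
          - "STEP_CERTS_ACME_CA_PROVISIONER | length > 0"
        fail_msg: "One or more required environment variables are unset or empty; see the failed assertion for the name."
    # DCaaSS -> Docker Compose as a Systemd Service
    # Role source:
    # https://git.auengun.net/homelab/ansible-collection/src/branch/main/roles/dcaass
    - ansible.builtin.include_role:
        name: auengun.homelab.dcaass
      vars:
        DCAASS_CONFIG_PATH: /forgejo
        DCAASS_CONFIG_USER_NAME: forgejo
        DCAASS_CONFIG_GROUP_NAME: forgejo
        DCAASS_SERVICE_NAME: forgejo
        # NOTE(review): the three image references are mutable tags taken
        # verbatim from the environment, not digests; what gets pulled can
        # change under the same *_VERSION value.
        DCAASS_DOCKER_COMPOSE_YAML_OVERRIDES:
          services:
            forgejo:
              image: "codeberg.org/forgejo/forgejo:{{ FORGEJO_VERSION }}"
            postgresql:
              image: "docker.io/library/postgres:{{ POSTGRES_VERSION }}"
            redis:
              image: "redis:{{ REDIS_VERSION }}"
        # Rendered as plain "KEY: value" text and handed to the role. If the
        # role reads this back as YAML, a POSTGRES_PASSWORD containing ': '
        # or ' #' would be mis-parsed -- TODO confirm against the dcaass role.
        DCAASS_ENV_EXTRA_CONFIG: |
          POSTGRES_DB: {{ POSTGRES_DB }}
          POSTGRES_HOST: {{ POSTGRES_HOST }}
          POSTGRES_PASSWORD: {{ POSTGRES_PASSWORD }}
          POSTGRES_USER: {{ POSTGRES_USER }}
        # The top-level directory is world-readable; the others take the
        # role's default mode.
        DCAASS_EXTRA_CONFIG_DIRS:
          - { path: "/forgejo", mode: "0755" }
          - "/forgejo/forgejo"
          - "/forgejo/forgejo/custom"
          - "/forgejo/forgejo/data"
          - "/forgejo/forgejo/indexers"
          - "/forgejo/forgejo/repos"
        # forgejo.ini carries the secrets set above, hence owner-only mode.
        DCAASS_EXTRA_CONFIG_FILES:
          - {
              src: "templates/forgejo.ini",
              dest: "/forgejo/forgejo.ini",
              owner: "forgejo",
              group: "forgejo",
              mode: "0600",
            }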
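# To enable internal SSH passthrough for Forgejo the host needs
# to be adjusted to use a shim that handles the git user and the
# certificate-based SSH mechanisms the PKI uses for internal auth.
- name: Forgejo SSH Host to Container passthrough config
  hosts: all
  tags:
    - forgejo
  tasks:
    # docker group membership is presumably what lets the login shell below
    # reach the Forgejo container (the shim itself is not visible here).
    # On the host that group is effectively root-equivalent, so the git
    # user must never get a shell other than the shim.
    - name: Create git sshd service user
      become: true
      ansible.builtin.user:
        name: git
        groups: docker
    - name: template `docker-git-shell-shim.sh` into place
      become: true
      ansible.builtin.template:
        src: "templates/docker-git-shell-shim.sh"
        dest: "/home/git/docker-git-shell-shim.sh"
        owner: git
        group: git
        mode: "0744"
    - name: make `docker-git-shell-shim.sh` default shell for git user
      become: true
      ansible.builtin.user:
        name: git
        shell: /home/git/docker-git-shell-shim.sh
    # Scoped to the git user only via a Match block placed before the
    # existing "Match all". Writing /etc/ssh/sshd_config needs root, so the
    # task escalates like its siblings. The candidate file is checked with
    # `sshd -t` before it replaces the real one, so a broken block cannot
    # be written and then restarted into (which would lock out SSH).
    - name: Configure sshd passthrough for the git user
      become: true
      ansible.builtin.blockinfile:
        path: /etc/ssh/sshd_config
        marker: "# {mark} Forgejo Host w/ Step SSH Configuration Passthrough (ANSIBLE MANAGED) -->"
        insertbefore: "Match all"
        validate: "/usr/sbin/sshd -t -f %s"
        block: |
          Match user git
          AcceptEnv GIT_PROTOCOL
          AuthorizedPrincipalsCommandUser forgejo
          AuthorizedPrincipalsCommand /bin/cat /forgejo/forgejo/ssh/authorized_principals
          ClientAliveInterval 150
          ClientAliveCountMax 2
          MaxSessions 5
      register: _sshd_config
    # Only bounce sshd when the block above actually changed the file.
    - name: Restart ssh daemon
      when: _sshd_config is changed
      become: true
      ansible.builtin.systemd_service:
        name: "sshd"
        state: restarted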