This commit is contained in:
Elizabeth Hunt 2024-03-25 01:19:53 -04:00
parent 5c566ef8d0
commit 4d4d0cc58d
17 changed files with 109 additions and 6 deletions


@ -1,5 +1,7 @@
- [ ] BACKUPS BACKUPS BACKUPS
- [ ] nameservers for users - [ ] nameservers for users
- [ ] read email for service accounts dmarc.report, postmaster email users, give access to infra users - [ ] read email for service accounts dmarc.report, postmaster email users, give access to infra users
- [ ] allow infra users to ssh into any machine in infra, regular users into their tilde account on himmel - [ ] allow infra users to ssh into any machine in infra, regular users into their tilde account on himmel
- [ ] allow ufw and setup wireguard on himmel - [x] allow ufw and setup wireguard on himmel
- [ ] internal vpn for infra, figure out routing - [x] internal vpn for infra, figure out routing


@ -23,3 +23,6 @@
- name: Wireguard Mesh - name: Wireguard Mesh
ansible.builtin.import_playbook: playbooks/deploy-wireguard-mesh.yml ansible.builtin.import_playbook: playbooks/deploy-wireguard-mesh.yml
- name: CI
ansible.builtin.import_playbook: playbooks/deploy-drone.yml

4
group_vars/drone.yml Normal file

@ -0,0 +1,4 @@
---
drone_gitea_server: "https://git.hatecomputers.club"
drone_server_host: "https://ci.hatecomputers.club"


@ -1,10 +1,11 @@
--- ---
host_domains: host_domains:
fern.infra.hatecomputers.club: fern.int.infra.hatecomputers.club:
- fern.hatecomputers.club # - fern.hatecomputers.club
- auth.hatecomputers.club - auth.hatecomputers.club
- mail.hatecomputers.club - mail.hatecomputers.club
himmel.infra.hatecomputers.club: himmel.int.infra.hatecomputers.club:
- himmel.hatecomputers.club # - himmel.hatecomputers.club
- git.hatecomputers.club - git.hatecomputers.club
- ci.hatecomputers.club
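Review bot: The commented-out entries `# - fern.hatecomputers.club` and `# - himmel.hatecomputers.club` are left behind as dead configuration under the renamed `.int.` keys; either drop them or place a one-line comment above each stating why the bare machine names are no longer listed for these hosts (the rename to `fern.int.infra…` suggests they moved to internal-only names, but the hunk does not say so). A future reader otherwise cannot tell whether the lines are pending re-enablement or obsolete.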


@ -29,3 +29,6 @@ fern.int.infra.hatecomputers.club ansible_user=root ansible_connection=ssh
[wireguard-endpoint] [wireguard-endpoint]
himmel.int.infra.hatecomputers.club ansible_user=root ansible_connection=ssh himmel.int.infra.hatecomputers.club ansible_user=root ansible_connection=ssh
[drone]
himmel.int.infra.hatecomputers.club ansible_user=root ansible_connection=ssh


@ -0,0 +1,6 @@
---
- name: Drone CI setup
hosts: drone
roles:
- drone


@ -0,0 +1,23 @@
---
- name: Ensure drone docker/compose exist
ansible.builtin.file:
path: /etc/docker/compose/drone
state: directory
owner: root
group: root
mode: 0700
- name: Build drone docker-compose.yml.j2
ansible.builtin.template:
src: docker-compose.yml.j2
dest: /etc/docker/compose/drone/docker-compose.yml
owner: root
group: root
mode: 0700
- name: Daemon-reload and enable drone
ansible.builtin.systemd_service:
state: restarted
enabled: true
name: docker-compose@drone
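Review bot: The task named `Daemon-reload and enable drone` never passes `daemon_reload: true` to `ansible.builtin.systemd_service`, so a new or edited `docker-compose@drone` unit is not re-read before the restart; add `daemon_reload: true` to that task. Both `mode: 0700` values are unquoted octal (Ansible warns on this, and a YAML 1.1 loader reads `0700` as an integer that may not be the intended mode), and the second one gives the rendered compose file — which carries the Gitea client secret and the RPC secret — an execute bit; use `mode: "0700"` for the directory and `mode: "0600"` for the file. The restart also runs unconditionally on every play; notifying a handler from the template task would restart the stack only when the rendered file actually changes.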


@ -0,0 +1,29 @@
version: '3'
services:
drone:
container_name: drone
image: drone/drone:latest
volumes:
- ./drone:/data
ports:
- "127.0.0.1:2201:80"
environment:
- DRONE_GITEA_SERVER={{ drone_gitea_server }}
- DRONE_GITEA_CLIENT_ID={{ drone_gitea_client_id }}
- DRONE_GITEA_CLIENT_SECRET={{ drone_gitea_client_secret }}
- DRONE_GIT_ALWAYS_AUTH=true
- DRONE_SERVER_PROTO=https
- DRONE_SERVER_HOST={{ drone_server_host }}
- DRONE_RPC_SECRET={{ drone_rpc_secret }}
drone-runner:
container_name: drone_runner
image: drone/drone-runner-docker:latest
userns_mode: 'host' # Needed to get access to docker socket
volumes:
- /var/run/docker.sock:/var/run/docker.sock
environment:
- DRONE_RPC_SECRET={{ drone_rpc_secret }}
- DRONE_RPC_HOST=drone:80
- DRONE_RPC_PROTO=http
- DRONE_RUNNER_CAPACITY=4
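Review bot: The `drone-runner` service mounts `/var/run/docker.sock` with `userns_mode: 'host'`, so any pipeline the server schedules on himmel runs with effective root on that host, and nothing in this template restricts which Gitea users may activate repositories; set `DRONE_USER_FILTER` (or `DRONE_REGISTRATION_CLOSED`) next to the OAuth settings and add a comment on the volume line naming the socket as the trust boundary, e.g. `# host-root equivalent: only trusted repos/users may run pipelines`. Both images are pulled as `:latest`, so each `state: restarted` deploys whatever upstream published since; pin a version tag or digest for `drone/drone` and `drone/drone-runner-docker`. The secrets are interpolated unquoted into list items such as `- DRONE_RPC_SECRET={{ drone_rpc_secret }}`, and a value containing ` #` or `: ` would be mis-parsed by the YAML loader; rendering the whole item through `to_json`, e.g. `- {{ ('DRONE_RPC_SECRET=' ~ drone_rpc_secret) | to_json }}`, yields a correctly quoted scalar for any value.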


@ -0,0 +1,8 @@
server {
listen 80;
server_name ci.hatecomputers.club;
location / {
rewrite ^ https://ci.hatecomputers.club$request_uri? permanent;
}
}
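Review bot: The redirect in `location /` is written as `rewrite ^ https://ci.hatecomputers.club$request_uri? permanent;`, which runs the regex engine for every request and relies on the trailing `?` to stop nginx re-appending a query string that `$request_uri` already contains; the idiomatic and cheaper form is `return 301 https://$host$request_uri;` (or the literal host name if `$host` should not be echoed). A one-line comment such as `# HTTP -> HTTPS only; all content is served by the 443 server block` would make the block's sole purpose explicit.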


@ -0,0 +1,21 @@
server {
server_name ci.hatecomputers.club;
listen 443 ssl;
ssl_dhparam /etc/nginx/dhparams.pem;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
ssl_certificate /etc/letsencrypt/live/ci.hatecomputers.club/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ci.hatecomputers.club/privkey.pem;
location / {
proxy_pass http://127.0.0.1:2201;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
}
}
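Review bot: The `location /` block forwards only `X-Real-IP` and `Host`, while the compose template tells Drone `DRONE_SERVER_PROTO=https` even though it receives plain HTTP on 127.0.0.1:2201; add `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto $scheme;` so the upstream sees the client address and original scheme (Drone's reverse-proxy guidance lists both, as I recall; confirm against the version deployed). `ssl_session_timeout 1d` is set with `ssl_session_tickets off` but no `ssl_session_cache`, so if session resumption is the intent it is not actually enabled. Since the 80 block redirects everything here, an HSTS header, `add_header Strict-Transport-Security "max-age=63072000" always;`, would also be appropriate.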


@ -6,3 +6,6 @@ roundcube_oauth2_client_basic_secret
gitea_jwt_secret gitea_jwt_secret
gitea_oauth2_jwt_secret gitea_oauth2_jwt_secret
gitea_internal_token gitea_internal_token
drone_gitea_client_id
drone_gitea_client_secret
drone_rpc_secret