Further nanna stuff: Update docker setup & gitea runner

2025-01-24 19:31:05 +01:00 · 2025-01-24 19:31:05 +01:00 · b8d4ff9d97
commit b8d4ff9d97
parent 41a5970c4b
9 changed files with 98 additions and 9 deletions
--- a/ansible/playbooks/nanna-docker.yaml
+++ b/ansible/playbooks/nanna-docker.yaml
@ -0,0 +1,67 @@
+---
+- name: Update Docker configuration
+  hosts: nanna
+  tasks:
+    - name: Add users for running containers
+      become: true
+      ansible.builtin.user:
+        name: "{{ item.name }}"
+        uid: "{{ item.uid }}"
+        state: "{{ item.state }}"
+        create_home: false
+        system: true
+      loop:
+        - name: gitea
+          uid: 42001
+          state: present
+        - name: caddy
+          uid: 42002
+          state: present
+    - name: Create Caddy network
+      become: true
+      community.docker.docker_network:
+        name: caddy-network
+        state: present
+    - name: Upload docker configuration
+      become: true
+      ansible.builtin.copy:
+        src: ../../docker/docker
+        dest: /etc/pbri
+        # Files should inaccessible to non-root users.
+        mode: u=rw,g=,o=
+        # Directories should be listable
+        directory_mode: u=rwx,g=rx,o=rx
+    - name: Create directory for docker volumes
+      become: true
+      ansible.builtin.file:
+        path: /var/lib/pbri/docker
+        state: directory
+        # Hide contents from non-root users
+        mode: u=rwx,g=,o=
+    - name: Upload and decrypt docker environment vars
+      become: true
+      ansible.builtin.copy:
+        src: "../../docker/envs/{{ item.name }}/.env"
+        dest: /etc/pbri/docker/{{ item.name }}/.env
+        # Files should inaccessible to non-root users.
+        mode: u=rw,g=,o=
+        # This is true by default but I put it here anyways
+        # to emphasize what's happening
+        decrypt: true
+      # Not quite happy with all the seperate loops yet.
+      loop:
+        - name: gitea
+          state: present
+    - name: Create volume directories with correct permissions
+      become: true
+      ansible.builtin.file:
+        path: "/var/lib/pbri/docker/{{ item.name }}"
+        owner: "{{ item.user }}"
+        group: "{{ item.user }}"
+        state: directory
+        mode: u=rwx,g=,o=
+      loop:
+        - name: caddy_config
+          user: caddy
+        - name: caddy_data
+          user: caddy
--- a/ansible/playbooks/nanna-setup.yaml
+++ b/ansible/playbooks/nanna-setup.yaml
@ -17,6 +17,9 @@
        validate: /usr/sbin/sshd -T -f %s
      notify:
        - Restart sshd
+    - name: Install and set up Docker and docker-compose
+      ansible.builtin.include_role:
+        name: docker

  handlers:
    - name: Restart sshd
--- a/ansible/playbooks/nanna-sites.yaml
+++ b/ansible/playbooks/nanna-sites.yaml
@ -0,0 +1,18 @@
+---
+- name: Check out static sites hosted on nanna
+  hosts: nanna
+  tasks:
+    - name: Check out static sites
+      ansible.builtin.include_role:
+        name: checkout_static_sites
+      vars:
+        checkout_static_sites_config:
+          checkouts:
+            - path: /home/paul/Sites/pbrinkmeier.de
+              url: https://git.pbrinkmeier.de/paul/pbrinkmeier.de
+              commit: bab3208e61972851a5e609930a05e0d4322f8a06
+              owner: paul
+            - path: /home/paul/Sites/tichy.click
+              url: https://github.com/pbrinkmeier/tichy-clicker
+              commit: 7dfb14183c765e3661fda84a7e89c2f73ca86f26
+              owner: paul
--- a/ansible/roles/docker/defaults/main.yaml
+++ b/ansible/roles/docker/defaults/main.yaml
@ -0,0 +1,4 @@
+---
+docker_apt_arch: "amd64"
+docker_ubuntu_release: "{{ ansible_distribution_release }}"
+
--- a/ansible/roles/docker/tasks/main.yaml
+++ b/ansible/roles/docker/tasks/main.yaml
@ -25,12 +25,6 @@
    stdin: "{{ docker_gpg_key.content }}"
    creates: /usr/share/keyrings/docker-archive-keyring.gpg

- name: Retrieve dpkg architecture
-  check_mode: false
-  ansible.builtin.command: dpkg --print-architecture
-  register: docker_dpkg_architecture
-  changed_when: false
-
 - name: Add Docker apt repository
  become: true
  ansible.builtin.template:
@ -48,3 +42,4 @@
      - docker-ce
      - docker-ce-cli
      - containerd.io
+      - docker-compose-plugin
--- a/ansible/roles/docker/templates/docker.list.j2
+++ b/ansible/roles/docker/templates/docker.list.j2
@ -1 +1 @@
-deb [arch={{ docker_dpkg_architecture.stdout }} signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable
+deb [arch={{ docker_apt_arch }} signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu {{ docker_ubuntu_release }} stable
--- a/docker/docker/caddy/docker-compose.yaml
+++ b/docker/docker/caddy/docker-compose.yaml
@ -6,6 +6,7 @@ services:
    ports:
      - "80:80"
      - "443:443"
+    user: "42002"
    volumes:
      - /var/lib/pbri/docker/caddy_data:/data
      - /var/lib/pbri/docker/caddy_config:/config
--- a/docker/docker/gitea/Dockerfile
+++ b/docker/docker/gitea/Dockerfile
@ -1,3 +1,3 @@
- FROM gitea/act_runner:0.2.10
+ FROM gitea/act_runner:0.2.11

 COPY runner-config.yaml /opt/runner-config.yaml
--- a/docker/docker/gitea/docker-compose.yaml
+++ b/docker/docker/gitea/docker-compose.yaml
@ -64,7 +64,8 @@ services:
      - /var/lib/pbri/docker/gitea_db:/var/lib/postgresql/data

  gitea_runner:
-    image: pbrinkmeier/act_runner:0.2.10
+    # Make sure to keep this in sync with the version in the Dockerfile
+    image: pbrinkmeier/act_runner:0.2.11
    build: .
    restart: unless-stopped
    environment: