Initial Headscale + Gitpot Stuffs

This commit is contained in:
Sangelo 2024-01-15 11:03:47 +01:00
parent 2dccc10f28
commit 791ea73681
17 changed files with 228 additions and 6 deletions


@ -0,0 +1,15 @@
proxmox_id: 5001
common_firewall_enable: false
core_groups:
- name: "git"
state: present
core_users:
- name: "git"
password: "{{ sec_gitpot_pass }}"
groups: ['docker', 'git']
state: present
authorized_keys:
- "sangelo"
- "sangelo-access"
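Review bot: `common_firewall_enable: false` switches the host firewall off for the gitpot host, and the `git` user is placed in the `docker` group, which is root-equivalent on that host; both read like bring-up conveniences rather than a deliberate posture, and nothing in the hunk says which. If the Proxmox-level firewall is intended to cover this host, record that next to the flag, e.g. `# firewall enforced at the Proxmox level; host firewall intentionally off`, otherwise leave it enabled and open only the git/HTTP ports the host needs. The same two settings appear in the runner host_vars added in this commit, where the host will be executing CI jobs, so the decision deserves a comment there as well.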


@ -0,0 +1,15 @@
proxmox_id: 5101
common_firewall_enable: false
core_groups:
- name: "act-runner"
state: present
core_users:
- name: "act-runner"
password: "{{ sec_gitpot_runner_pass }}"
groups: ['docker', 'act-runner']
state: present
authorized_keys:
- "sangelo"
- "sangelo-access"


@ -13,3 +13,8 @@ core_users:
authorized_keys:
- "sangelo"
- "sangelo-access"
# Headscale
headscale_server_config_server_url: https://vpn.lunivity.com
headscale_server_config_ip_prefixes: '{{ sec_headscale_server_config_ip_prefixes }}'
headscale_server_config_disable_check_updates: true


@ -2,5 +2,15 @@
[headscale]
10.1.0.5
[headscale-exit-nodes]
10.1.0.15
[headscale_exit_nodes]
10.1.0.15
[gitpot]
; 10.5.0.1
[gitpot_bots]
10.5.0.2
[gitpot_runners]
10.5.1.1
; 10.5.1.2


@ -1,2 +1,5 @@
[dockertest]
10.1.1.1
10.1.1.1
[gitpot]
10.5.0.2
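Review bot: `10.5.0.2` is added under `[gitpot]` here, while the main inventory hunk in this commit lists the same address under `[gitpot_bots]` and leaves `[gitpot]` with only a commented-out `; 10.5.0.1`; running `gitpot.yml` against this inventory would therefore apply the `gitpot` role to the bots host. If this second inventory is a test/staging file and the overlap is intentional, a one-line comment would prevent the wrong playbook being run against it, e.g. `; test inventory: 10.5.0.2 is the bots host, used here as a gitpot stand-in`. If it is not intentional, the entry should move to `[gitpot_bots]` to match the main inventory.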


@ -0,0 +1,9 @@
- name: Gitpot Runner
hosts: gitpot_bots
remote_user: root
roles:
- lunivity.common.all
- lunivity.core.docker
- lunivity.core.users
- gitpot-bots
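Review bot: The play is named `Gitpot Runner` but targets `gitpot_bots` and applies the `gitpot-bots` role, so the name looks copy-pasted from the runner playbook added in the same commit. The play name is what appears in Ansible's output and in any `--list-tasks`/log review, so a misleading one makes runs harder to audit; rename it to `- name: Gitpot Bots`.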


@ -0,0 +1,9 @@
- name: Gitpot Runner
hosts: gitpot_runners
remote_user: root
roles:
- lunivity.common.all
- lunivity.core.docker
- lunivity.core.users
- gitpot-runner


@ -0,0 +1,9 @@
- name: Gitpot
hosts: gitpot
remote_user: root
roles:
- lunivity.common.all
- lunivity.core.docker
- lunivity.core.users
- gitpot


@ -1,5 +1,5 @@
- name: Headscale VPN Server
hosts: headscale-exit-nodes
hosts: headscale_exit_nodes
remote_user: root
roles:


@ -0,0 +1,21 @@
---
- name: Make sure Renovate's Dirs exist
ansible.builtin.file:
path: '{{ renovate_bot_host_dirs }}'
state: directory
owner: '{{ gitpot_bot_user }}'
group: '{{ gitpot_bot_group }}'
mode: '0750'
loop:
- '{{ gitpot_runner_host_base_dir }}'
- '{{ gitpot_runner_host_base_dir }}/{{ gitpot_runner_host_data_dir }}'
loop_control:
loop_var: gitpot_runner_host_dirs
- name: Create Renovate docker-compose.yml
ansible.builtin.template:
src: docker-compose.yml.j2
dest: '{{ gitpot_runner_host_base_dir }}/renovate-bot-docker-compose.yml'
owner: '{{ gitpot_bot_user }}'
group: '{{ gitpot_bot_group }}'
mode: '0750'
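Review bot: `path: '{{ renovate_bot_host_dirs }}'` references a variable nothing defines, because the loop declares `loop_var: gitpot_runner_host_dirs`, so the first task will fail with an undefined-variable error on its first run. Either set `loop_var: renovate_bot_host_dirs` or change the path to `'{{ gitpot_runner_host_dirs }}'`. The loop items and the template `dest` also use `gitpot_runner_host_base_dir` and `gitpot_runner_host_data_dir`, which this commit declares as defaults of the runner role, not of this bots role; unless the bots role defines them too (its defaults are not in the commit), the bots playbook will hit the same undefined-variable failure when run on its own. Finally, `mode: '0750'` on a compose file grants an executable bit it does not need; `'0640'` is sufficient for a file that docker compose only reads.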


@ -0,0 +1,16 @@
gitpot_runner_version: 3.3.0
gitpot_runner_instance: https://gitpot.dev
gitpot_runner_dind_port: 2376
# Create Shared Secret with `openssl rand -hex 20`. A token from the Forgejo Web Interface cannot be used here.
# Then, register the runner through SSH:
# git$ forgejo forgejo-cli actions register --secret {SHARED_SECRET} --labels {NAME} --version 3.3.0 --config /etc/forgejo/app.ini
gitpot_runner_shared_secret: '{{ sec_gitpot_runner_shared_secret }}'
gitpot_runner_host_base_dir: /srv/runner
gitpot_runner_host_data_dir: data
gitpot_runner_host_certs_dir: certs
gitpot_runner_user: act-runner
gitpot_runner_group: act-runner
gitpot_runner_name: gitpot_main


@ -0,0 +1,23 @@
---
# roles/gitpot-runner/tasks/main.yml
- name: Make sure act_runner's directories and files exist
ansible.builtin.file:
path: '{{ gitpot_runner_host_dirs }}'
state: directory
owner: '{{ gitpot_runner_user }}'
group: '{{ gitpot_runner_group }}'
mode: '0750'
loop:
- '{{ gitpot_runner_host_base_dir }}'
- '{{ gitpot_runner_host_base_dir }}/{{ gitpot_runner_host_data_dir }}'
loop_control:
loop_var: gitpot_runner_host_dirs
- name: Create docker-compose.yml
ansible.builtin.template:
src: docker-compose.yml.j2
dest: '{{ gitpot_runner_host_base_dir }}/docker-compose.yml'
owner: '{{ gitpot_runner_user }}'
group: '{{ gitpot_runner_group }}'
mode: '0750'
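Review bot: The directory loop creates the base and data directories but not `{{ gitpot_runner_host_base_dir }}/{{ gitpot_runner_host_certs_dir }}`, which the compose template in this commit bind-mounts into both the dind and runner containers; Docker creates a missing bind-mount source as root-owned, so that directory ends up with different ownership and mode from the rest of the tree the role manages. Add `- '{{ gitpot_runner_host_base_dir }}/{{ gitpot_runner_host_certs_dir }}'` to the loop so it is created with the same owner and `0750` as its siblings. As with the bots role, `mode: '0750'` on `docker-compose.yml` sets an unneeded executable bit; `'0640'` is enough.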


@ -0,0 +1,83 @@
version: "3"
services:
docker:
image: docker:dind
privileged: true
volumes:
- {{ gitpot_runner_host_base_dir }}/{{ gitpot_runner_host_certs_dir }}:/certs
restart: always
runner:
image: code.forgejo.org/forgejo/runner:3.3.0
environment:
DOCKER_HOST: tcp://docker:{{ gitpot_runner_dind_port }}
DOCKER_TLS_VERIFY: 1
DOCKER_CERT_PATH: /certs/client
volumes:
- {{ gitpot_runner_host_base_dir }}/{{ gitpot_runner_host_data_dir }}:/data
- {{ gitpot_runner_host_base_dir }}/{{ gitpot_runner_host_certs_dir }}:/certs
command: "forgejo-runner --config config.yml daemon"
depends_on:
runner-register:
condition: service_completed_successfully
docker:
condition: service_started
restart: always
runner-register:
image: code.forgejo.org/forgejo/runner:{{ gitpot_runner_version }}
container_name: runner-register
links:
- docker
# - forgejo
environment:
DOCKER_HOST: tcp://docker:{{ gitpot_runner_dind_port }}
volumes:
- {{ gitpot_runner_host_base_dir }}/{{ gitpot_runner_host_data_dir }}:/data
user: 0:0
command: >-
bash -ec '
while : ; do
forgejo-runner create-runner-file --connect --instance {{ gitpot_runner_instance }} --name {{ gitpot_runner_name }} --secret {{ gitpot_runner_shared_secret }} && break ;
sleep 1 ;
done ;
forgejo-runner generate-config > config.yml ;
sed -i -e "s|network: .*|network: host|" config.yml ;
sed -i -e "s|labels: \[\]|labels: \[\"docker:docker://alpine:3.18\"\]|" config.yml ;
chown -R 1000:1000 /data
'
# restart: always
# docker-in-docker:
# image: docker:dind
# container_name: docker-in-docker
# privileged: true
# command: [ "dockerd", "-H", "tcp://0.0.0.0:{{ gitpot_runner_dind_port }}", "--tls=false" ]
# networks:
# - runner_net
# networks:
# - runner_net
# runner-daemon:
# image: code.forgejo.org/forgejo/runner:{{ gitpot_runner_version }}
# container_name: runner-daemon
# links:
# - docker-in-docker
# # - forgejo
# environment:
# DOCKER_HOST: tcp://0.0.0.0:{{ gitpot_runner_dind_port }}
# depends_on:
# runner-register:
# condition: service_completed_successfully
# volumes:
# - {{ gitpot_runner_host_base_dir }}/{{ gitpot_runner_host_data_dir }}:/data
# command: "forgejo-runner --config config.yml daemon"
# networks:
# - runner_net
# networks:
# runner_net:
# driver: bridge
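Review bot: The runner shared secret is interpolated straight into the `runner-register` command line (`--secret {{ gitpot_runner_shared_secret }}`), so it sits in plaintext in the rendered compose file on disk and in the container's argv, where `docker inspect` and `ps` expose it to anyone in the `docker` group. Pass it as an environment entry instead, `RUNNER_SECRET: '{{ gitpot_runner_shared_secret }}'` under `environment:`, and reference it in the script as `--secret "$$RUNNER_SECRET"` (compose's `$$` escape); a compose `secrets:` file mounted into the container would additionally keep it out of `inspect`. Separately, the `runner` service pins `code.forgejo.org/forgejo/runner:3.3.0` while `runner-register` uses `{{ gitpot_runner_version }}`, so a bump of the default will leave the two images out of step; use the variable in both. Note also that `sed -i -e "s|network: .*|network: host|"` makes job containers share the dind container's network namespace, and dind runs with `privileged: true`, so the boundary between a CI job and the runner host rests entirely on dind's own isolation; if this instance accepts workflows from untrusted contributors that assumption should be spelled out in a comment here.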


@ -0,0 +1,3 @@
---
# roles/gitpot/tasks/main.yml


@ -25,7 +25,7 @@ headscale_web_port_http: 9480
# General (headscale container config)
# Change to your hostname or host IP
headscale_server_config_server_url: https://vpn.lunivity.com
headscale_server_config_server_url: https://vpn.example.com
# Listen Addresses
headscale_server_config_listen_addr: 0.0.0.0:8080
headscale_server_config_metrics_listen_addr: 0.0.0.0:9090
@ -41,7 +41,8 @@ headscale_server_config_db_path: /data/db.sqlite
# headscale_server_config_grpc_allow_insecure: false
# IP Prefixes
headscale_server_config_ip_prefixes: '{{ sec_headscale_server_config_ip_prefixes }}'
# headscale_server_config_ip_prefixes:
# - ''
headscale_server_config_disable_check_updates: false
# headscale_server_config_ephemeral_node_inactivity_timeout: 30m
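Review bot: Removing `headscale_server_config_ip_prefixes` from the role defaults leaves the variable undefined unless every host sets it in host_vars, and the commented replacement `# - ''` hints at an empty string rather than a CIDR; if the role's config template renders `ip_prefixes` unconditionally (the template is outside this commit), a run without a host-level override will fail at template time rather than at headscale start. Either keep a usable default, e.g. `- 100.64.0.0/10` (the CGNAT range headscale and tailscale use by default), or replace the placeholder with an explicit requirement such as `# required: set headscale_server_config_ip_prefixes in host_vars, e.g. ['100.64.0.0/10']`. The `server_url` change to `vpn.example.com` is the right direction for a shared default; the same placeholder treatment would suit the `0.0.0.0` listen addresses for metrics a few lines up, which otherwise expose the metrics endpoint on every interface unless the firewall covers it.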