fix: Adapted to a gitea infrastructure. #20

Merged
so-rose merged 1 commits from gitea-org-migrate into main 2023-08-13 22:31:14 +02:00
4 changed files with 12 additions and 156 deletions

149
TODO.md
View File

@ -1,149 +0,0 @@
# Ansible / Dev TODO
Cluster/Ansible Setup
- [x] Setup Playbook
- [x] Root as local var: `work/dtu/python-support/*`
- [x] Get 2 DO Droplets
- [x] Provision DNS
- [ ] Key Fingerprint as local var
- [x] Setup Wireguard wg0 between DO Droplets
- [ ] Setup unattended-upgrades
Swarm
- [x] Install Docker
- [x] Check Swarm ports on wg0: https://docs.docker.com/engine/swarm/swarm-tutorial/
- [x] Init Swarm manager & worker
- [x] Install rclone volume plugin: https://rclone.org/docker/
- [ ] Label big one as 'storage'
Stack: cleanup
- [x] Security Audit
- [x] **Deploy Stack**
Stack: mesh
- [x] Install Configs
- [x] **Deploy Stack**
- [x] rclone `acme.json` to R2 w/crypt
- [ ] Security Audit
Stack: site-support
- [x] Generate Configs
- [x] Install Configs
- [x] **Deploy Stack**
- [ ] Security Audit
Stack: updater
- [ ] config: main
- [ ] config: cleanup
- [ ] config: mesh
- [ ] config: site-support
- [ ] Install Configs
- [ ] **Deploy Stack**
- [ ] Security Audit
Stack: auth
- [ ] Write Stack
- [ ] storage: authentik-postgres
- [ ] storage: authentik-redis
- [ ] *Test Deploy*
- [ ] configs: Blueprints (export from prototyping)
- [ ] Install Configs
- [ ] role: API Setup of Things
- [ ] **Deploy Stack**
- [ ] updater: Integrate update-check
- [ ] Security Audit
Stack: s3
- [ ] Write Stack
- https://geek-cookbook.funkypenguin.co.nz/recipes/minio/
- Restrict to 'storage' label.
- [ ] ...?
- [ ] Install Configs
- [ ] Install Secrets
- [ ] storage: minio
- [ ] *Test Deploy*
- [ ] role: API Setup of Things
- [ ] **Deploy Stack**
- [ ] auth: Integrate OIDC
- https://min.io/docs/minio/container/operations/external-iam.html
- https://goauthentik.io/integrations/services/minio/
- [ ] updater: integrate
- [ ] Security Audit
Stack: chat
- [ ] Write Stack
- https://geek-cookbook.funkypenguin.co.nz/recipes/minio/
- Restrict to 'storage' label.
- [ ] ...?
- [ ] Install Configs
- [ ] Install Secrets
- [ ] storage: zulip-postgres
- [ ] storage: zulip-rabbitmq
- [ ] storage: zulip-redis
- [ ] s3: zulip
- [ ] *Test Deploy*
- [ ] auth: Integrate OIDC
- https://zulip.readthedocs.io/en/latest/production/authentication-methods.html#openid-connect
- Backup SAML: https://goauthentik.io/integrations/services/zulip/
- [ ] role: API Setup of Things
- [ ] **Deploy Stack**
- [ ] updater: Integrate
- [ ] Security Audit
Stack: git
- [ ] Install Configs
- [ ] Install Secrets
- [ ] *Test Deploy*
- [ ] storage: gitea-redis
- [ ] storage: gitea-postgres
- [ ] storage: gitea-mellisearch
- https://www.meilisearch.com/docs/learn/cookbooks/docker
- [ ] s3: gitea
- [ ] s3 via rclone: gitea (repositories)
- [ ] role: API Setup of Things
- [ ] **Deploy Stack**
- [ ] Configure gitea-actions w/auto-setup
- [ ] manual: Migrate docker-mdbook, site-support.
Bonus:
- Play with `uptime`.
- Backups!
# Playbook Creation Notes
- [x] mesh should use a non-`local` driver.
- [ ] Implement rolling updates to services within stacks, whose configs have changed.
- Note `rolling_updates` in the `docker_config` ansible module.
- With a little information-gathering, I'm certain we can prevent actually stopping stacks on deploy and instead only do the secret rotation as described in the Docker documentation: https://docs.docker.com/engine/swarm/secrets/#example-rotate-a-secret
- NOTE that the rclone volume stuff is always gonna need manual stop/start. Is jank. Such is the life.
- [ ] Automatic R2 Bucket Creation
- [ ] Only do the delays when we actually need to stop stacks / unmount volumes
- [ ] Encrypted use of R2 bucket.
- https://rclone.org/crypt/
- [ ] Templated security.txt in site-support
- [ ] Templated limits to not kill the demo hosts in ex. site-support :)
- [ ] Please, please, a nice README.md in site-support?
- [ ] Move DNS stuff out to the stacks. Trust me!
- [ ] Invest in some delegation to roles. These playbooks be gettin messy.
- [ ] Figure out a way to deal with concurrent `acme.json` in Traefik. For now I've set it to one replica and `vfs_cache_mode=full` (I think `none` may be wonky with this particular need of Traefik?)
- Needs more testing!

View File

@ -67,12 +67,12 @@
path: "/var/lib/docker-plugins/rclone/cache"
state: directory
mode: "0750"
- name: "Disable the rclone Docker Plugin"
community.docker.docker_plugin:
state: "disable"
alias: "rclone"
plugin_name: "rclone/docker-volume-rclone:amd64"
# - name: "Disable the rclone Docker Plugin"
# community.docker.docker_plugin:
# state: "disable"
# alias: "rclone"
# plugin_name: "rclone/docker-volume-rclone:amd64"
- name: "Install rclone Docker Plugin"
community.docker.docker_plugin:

5
run.sh
View File

@ -135,6 +135,11 @@ case $1 in
action_swarm
;;
sync-stacks)
action_stack_cleanup
action_stack_mesh
action_stack_site_support
;;
sync-stack-cleanup)
action_stack_cleanup
;;

View File

@ -2,7 +2,7 @@ version: "3.8"
services:
site-support:
image: git.sofus.io/so-rose/site-support:0
image: git.sofus.io/python-support/site-support:0
user: "5020:5020"
cap_drop:
- ALL