From 952565d8e79f2e68999d23fa032d5017dbb1b541 Mon Sep 17 00:00:00 2001 
From: Michael Grote Date: Sat, 13 Feb 2021 14:20:18 +0100 Subject: [PATCH] rollen "ausgeschrieben" --- roles/geerlingguy.ansible | 1 - roles/geerlingguy.ansible/.ansible-lint | 2 + roles/geerlingguy.ansible/.github/FUNDING.yml | 4 + roles/geerlingguy.ansible/.github/stale.yml | 56 ++ .../.github/workflows/ci.yml | 79 +++ .../.github/workflows/release.yml | 38 ++ roles/geerlingguy.ansible/.gitignore | 3 + roles/geerlingguy.ansible/.yamllint | 10 + roles/geerlingguy.ansible/LICENSE | 20 + roles/geerlingguy.ansible/README.md | 51 ++ roles/geerlingguy.ansible/defaults/main.yml | 8 + roles/geerlingguy.ansible/meta/main.yml | 29 + .../molecule/default/converge.yml | 12 + .../molecule/default/molecule.yml | 17 + .../molecule/default/pip.yml | 12 + .../molecule/default/requirements.yml | 2 + roles/geerlingguy.ansible/tasks/main.yml | 34 ++ .../tasks/setup-Debian.yml | 21 + .../tasks/setup-Fedora.yml | 5 + .../tasks/setup-RedHat.yml | 6 + .../tasks/setup-Ubuntu.yml | 15 + roles/geerlingguy.ansible/tasks/setup-pip.yml | 5 + roles/geerlingguy.docker | 1 - roles/geerlingguy.docker/.ansible-lint | 3 + roles/geerlingguy.docker/.github/FUNDING.yml | 4 + roles/geerlingguy.docker/.github/stale.yml | 56 ++ .../.github/workflows/ci.yml | 72 +++ .../.github/workflows/release.yml | 38 ++ roles/geerlingguy.docker/.gitignore | 3 + roles/geerlingguy.docker/.yamllint | 11 + roles/geerlingguy.docker/LICENSE | 20 + roles/geerlingguy.docker/README.md | 97 +++ roles/geerlingguy.docker/defaults/main.yml | 31 + roles/geerlingguy.docker/handlers/main.yml | 3 + roles/geerlingguy.docker/meta/main.yml | 35 ++ .../molecule/default/converge.yml | 24 + .../molecule/default/molecule.yml | 17 + .../tasks/docker-compose.yml | 20 + .../geerlingguy.docker/tasks/docker-users.yml | 7 + roles/geerlingguy.docker/tasks/main.yml | 27 + .../geerlingguy.docker/tasks/setup-Debian.yml | 40 ++ .../geerlingguy.docker/tasks/setup-RedHat.yml | 50 ++ roles/geerlingguy.dotfiles | 1 - 
roles/geerlingguy.dotfiles/.ansible-lint | 2 + .../geerlingguy.dotfiles/.github/FUNDING.yml | 4 + roles/geerlingguy.dotfiles/.github/stale.yml | 56 ++ .../.github/workflows/ci.yml | 67 ++ .../.github/workflows/release.yml | 38 ++ roles/geerlingguy.dotfiles/.gitignore | 3 + roles/geerlingguy.dotfiles/.yamllint | 11 + roles/geerlingguy.dotfiles/LICENSE | 20 + roles/geerlingguy.dotfiles/README.md | 56 ++ roles/geerlingguy.dotfiles/defaults/main.yml | 12 + roles/geerlingguy.dotfiles/meta/main.yml | 28 + .../molecule/default/converge.yml | 13 + .../molecule/default/molecule.yml | 17 + .../molecule/default/requirements.yml | 2 + roles/geerlingguy.dotfiles/tasks/main.yml | 32 + roles/geerlingguy.gitlab | 1 - roles/geerlingguy.gitlab/.ansible-lint | 3 + roles/geerlingguy.gitlab/.github/FUNDING.yml | 4 + roles/geerlingguy.gitlab/.github/stale.yml | 56 ++ .../.github/workflows/ci.yml | 76 +++ .../.github/workflows/release.yml | 38 ++ roles/geerlingguy.gitlab/.gitignore | 3 + roles/geerlingguy.gitlab/.yamllint | 10 + roles/geerlingguy.gitlab/LICENSE | 20 + roles/geerlingguy.gitlab/README.md | 179 ++++++ roles/geerlingguy.gitlab/defaults/main.yml | 75 +++ roles/geerlingguy.gitlab/handlers/main.yml | 5 + roles/geerlingguy.gitlab/meta/main.yml | 29 + .../molecule/default/converge.yml | 21 + .../molecule/default/molecule.yml | 17 + .../molecule/default/version.yml | 31 + roles/geerlingguy.gitlab/tasks/main.yml | 81 +++ .../geerlingguy.gitlab/templates/gitlab.rb.j2 | 108 ++++ roles/geerlingguy.gitlab/vars/Debian.yml | 3 + roles/geerlingguy.gitlab/vars/RedHat.yml | 3 + roles/geerlingguy.pip | 1 - roles/geerlingguy.pip/.ansible-lint | 2 + roles/geerlingguy.pip/.github/FUNDING.yml | 4 + roles/geerlingguy.pip/.github/stale.yml | 56 ++ .../geerlingguy.pip/.github/workflows/ci.yml | 71 +++ .../.github/workflows/release.yml | 38 ++ roles/geerlingguy.pip/.gitignore | 3 + roles/geerlingguy.pip/.yamllint | 10 + roles/geerlingguy.pip/LICENSE | 20 + roles/geerlingguy.pip/README.md | 76 +++ 
roles/geerlingguy.pip/defaults/main.yml | 6 + roles/geerlingguy.pip/meta/main.yml | 31 + .../molecule/default/converge.yml | 28 + .../molecule/default/molecule.yml | 17 + roles/geerlingguy.pip/tasks/main.yml | 14 + roles/oefenweb.ufw | 1 - roles/oefenweb.ufw/.ansible-lint | 2 + roles/oefenweb.ufw/.gitignore | 30 + roles/oefenweb.ufw/.travis.yml | 89 +++ roles/oefenweb.ufw/LICENSE.txt | 19 + roles/oefenweb.ufw/README.md | 93 +++ roles/oefenweb.ufw/Vagrantfile | 77 +++ roles/oefenweb.ufw/defaults/main.yml | 25 + roles/oefenweb.ufw/files/empty | 0 roles/oefenweb.ufw/handlers/main.yml | 5 + roles/oefenweb.ufw/meta/main.yml | 26 + roles/oefenweb.ufw/tasks/configure.yml | 77 +++ .../tasks/fix-dropped-ssh-sessions.yml | 17 + roles/oefenweb.ufw/tasks/install.yml | 10 + roles/oefenweb.ufw/tasks/main.yml | 39 ++ .../templates/etc/ansible/facts.d/ufw.fact.j2 | 1 + .../oefenweb.ufw/templates/etc/default/ufw.j2 | 46 ++ roles/oefenweb.ufw/tests/inventory | 1 + roles/oefenweb.ufw/tests/test.yml | 7 + roles/oefenweb.ufw/tests/vagrant.yml | 7 + roles/oefenweb.ufw/vars/main.yml | 10 + roles/riemers.gitlab-runner | 1 - roles/riemers.gitlab-runner/.gitignore | 1 + roles/riemers.gitlab-runner/.travis.yml | 64 ++ roles/riemers.gitlab-runner/LICENSE | 21 + roles/riemers.gitlab-runner/README.md | 165 +++++ roles/riemers.gitlab-runner/defaults/main.yml | 161 +++++ roles/riemers.gitlab-runner/handlers/main.yml | 25 + roles/riemers.gitlab-runner/meta/main.yml | 28 + .../riemers.gitlab-runner/tasks/Container.yml | 74 +++ roles/riemers.gitlab-runner/tasks/Unix.yml | 40 ++ roles/riemers.gitlab-runner/tasks/Windows.yml | 38 ++ .../tasks/config-runner-container.yml | 37 ++ .../tasks/config-runner-windows.yml | 37 ++ .../tasks/config-runner.yml | 37 ++ .../tasks/config-runners-container.yml | 36 ++ .../tasks/config-runners-windows.yml | 68 +++ .../tasks/config-runners.yml | 35 ++ .../tasks/global-setup-windows.yml | 49 ++ .../tasks/global-setup.yml | 53 ++ .../tasks/install-container.yml | 10 + 
.../tasks/install-debian.yml | 52 ++ .../tasks/install-macos.yml | 69 +++ .../tasks/install-redhat.yml | 38 ++ .../tasks/install-windows.yml | 67 ++ .../tasks/line-config-runner-windows.yml | 14 + .../tasks/line-config-runner.yml | 14 + roles/riemers.gitlab-runner/tasks/main.yml | 23 + .../tasks/register-runner-container.yml | 114 ++++ .../tasks/register-runner-windows.yml | 118 ++++ .../tasks/register-runner.yml | 117 ++++ .../tasks/section-config-runner-windows.yml | 5 + .../tasks/section-config-runner.yml | 5 + .../tasks/systemd-reload.yml | 37 ++ .../tasks/update-config-runner-windows.yml | 339 ++++++++++ .../tasks/update-config-runner.yml | 578 ++++++++++++++++++ .../tests/files/mock_gitlab_runner_ci.py | 69 +++ roles/riemers.gitlab-runner/tests/inventory | 1 + roles/riemers.gitlab-runner/tests/test.yml | 51 ++ .../tests/travis-bootstrap-ansible.ps1 | 18 + .../tests/vars/Windows.yml | 48 ++ .../tests/vars/default.yml | 57 ++ roles/riemers.gitlab-runner/vars/Darwin.yml | 5 + roles/riemers.gitlab-runner/vars/Debian.yml | 8 + roles/riemers.gitlab-runner/vars/RedHat.yml | 8 + roles/riemers.gitlab-runner/vars/Windows.yml | 9 + roles/riemers.gitlab-runner/vars/default.yml | 7 + roles/riemers.gitlab-runner/vars/main.yml | 6 + roles/robertdebock.bootstrap | 1 - roles/robertdebock.bootstrap/.ansible-lint | 8 + .../.github/FUNDING.yml | 2 + .../.github/ISSUE_TEMPLATE/bug_report.md | 31 + .../.github/ISSUE_TEMPLATE/feature_request.md | 19 + .../.github/pull_request_template.md | 11 + .../.github/settings.yml | 8 + .../.github/workflows/galaxy.yml | 18 + .../.github/workflows/molecule.yml | 71 +++ .../.github/workflows/requirements2png.yml | 34 ++ .../.github/workflows/todo.yml | 20 + roles/robertdebock.bootstrap/.gitignore | 4 + roles/robertdebock.bootstrap/.gitlab-ci.yml | 46 ++ .../.pre-commit-config.yaml | 26 + roles/robertdebock.bootstrap/.travis.yml | 30 + roles/robertdebock.bootstrap/.yamllint | 15 + .../robertdebock.bootstrap/CODE_OF_CONDUCT.md | 46 ++ 
roles/robertdebock.bootstrap/CONTRIBUTING.md | 76 +++ roles/robertdebock.bootstrap/LICENSE | 202 ++++++ roles/robertdebock.bootstrap/README.md | 103 ++++ roles/robertdebock.bootstrap/SECURITY.md | 25 + .../robertdebock.bootstrap/defaults/main.yml | 11 + .../robertdebock.bootstrap/meta/exception.yml | 4 + roles/robertdebock.bootstrap/meta/main.yml | 41 ++ .../meta/preferences.yml | 2 + .../molecule/default/converge.yml | 8 + .../molecule/default/molecule.yml | 30 + .../molecule/default/verify.yml | 14 + roles/robertdebock.bootstrap/requirements.txt | 10 + roles/robertdebock.bootstrap/tasks/assert.yml | 23 + .../tasks/gather_facts.yml | 29 + roles/robertdebock.bootstrap/tasks/main.yml | 58 ++ roles/robertdebock.bootstrap/tox.ini | 26 + roles/robertdebock.bootstrap/vars/main.yml | 70 +++ roles/ryandaniels.create_users | 1 - roles/ryandaniels.create_users/.gitignore | 7 + roles/ryandaniels.create_users/.travis.yml | 95 +++ roles/ryandaniels.create_users/LICENSE | 21 + roles/ryandaniels.create_users/README.md | 230 +++++++ .../defaults/main.yml | 5 + roles/ryandaniels.create_users/meta/main.yml | 36 ++ roles/ryandaniels.create_users/tasks/main.yml | 193 ++++++ .../ryandaniels.create_users/tests/inventory | 2 + .../tests/test-passchange.yml | 91 +++ roles/ryandaniels.create_users/tests/test.yml | 126 ++++ 206 files changed, 7850 insertions(+), 9 deletions(-) delete mode 160000 roles/geerlingguy.ansible create mode 100644 roles/geerlingguy.ansible/.ansible-lint create mode 100644 roles/geerlingguy.ansible/.github/FUNDING.yml create mode 100644 roles/geerlingguy.ansible/.github/stale.yml create mode 100644 roles/geerlingguy.ansible/.github/workflows/ci.yml create mode 100644 roles/geerlingguy.ansible/.github/workflows/release.yml create mode 100644 roles/geerlingguy.ansible/.gitignore create mode 100644 roles/geerlingguy.ansible/.yamllint create mode 100644 roles/geerlingguy.ansible/LICENSE create mode 100644 roles/geerlingguy.ansible/README.md create mode 100644 
roles/geerlingguy.ansible/defaults/main.yml create mode 100644 roles/geerlingguy.ansible/meta/main.yml create mode 100644 roles/geerlingguy.ansible/molecule/default/converge.yml create mode 100644 roles/geerlingguy.ansible/molecule/default/molecule.yml create mode 100644 roles/geerlingguy.ansible/molecule/default/pip.yml create mode 100644 roles/geerlingguy.ansible/molecule/default/requirements.yml create mode 100644 roles/geerlingguy.ansible/tasks/main.yml create mode 100644 roles/geerlingguy.ansible/tasks/setup-Debian.yml create mode 100644 roles/geerlingguy.ansible/tasks/setup-Fedora.yml create mode 100644 roles/geerlingguy.ansible/tasks/setup-RedHat.yml create mode 100644 roles/geerlingguy.ansible/tasks/setup-Ubuntu.yml create mode 100644 roles/geerlingguy.ansible/tasks/setup-pip.yml delete mode 160000 roles/geerlingguy.docker create mode 100644 roles/geerlingguy.docker/.ansible-lint create mode 100644 roles/geerlingguy.docker/.github/FUNDING.yml create mode 100644 roles/geerlingguy.docker/.github/stale.yml create mode 100644 roles/geerlingguy.docker/.github/workflows/ci.yml create mode 100644 roles/geerlingguy.docker/.github/workflows/release.yml create mode 100644 roles/geerlingguy.docker/.gitignore create mode 100644 roles/geerlingguy.docker/.yamllint create mode 100644 roles/geerlingguy.docker/LICENSE create mode 100644 roles/geerlingguy.docker/README.md create mode 100644 roles/geerlingguy.docker/defaults/main.yml create mode 100644 roles/geerlingguy.docker/handlers/main.yml create mode 100644 roles/geerlingguy.docker/meta/main.yml create mode 100644 roles/geerlingguy.docker/molecule/default/converge.yml create mode 100644 roles/geerlingguy.docker/molecule/default/molecule.yml create mode 100644 roles/geerlingguy.docker/tasks/docker-compose.yml create mode 100644 roles/geerlingguy.docker/tasks/docker-users.yml create mode 100644 roles/geerlingguy.docker/tasks/main.yml create mode 100644 roles/geerlingguy.docker/tasks/setup-Debian.yml create mode 100644 
roles/geerlingguy.docker/tasks/setup-RedHat.yml delete mode 160000 roles/geerlingguy.dotfiles create mode 100644 roles/geerlingguy.dotfiles/.ansible-lint create mode 100644 roles/geerlingguy.dotfiles/.github/FUNDING.yml create mode 100644 roles/geerlingguy.dotfiles/.github/stale.yml create mode 100644 roles/geerlingguy.dotfiles/.github/workflows/ci.yml create mode 100644 roles/geerlingguy.dotfiles/.github/workflows/release.yml create mode 100644 roles/geerlingguy.dotfiles/.gitignore create mode 100644 roles/geerlingguy.dotfiles/.yamllint create mode 100644 roles/geerlingguy.dotfiles/LICENSE create mode 100644 roles/geerlingguy.dotfiles/README.md create mode 100644 roles/geerlingguy.dotfiles/defaults/main.yml create mode 100644 roles/geerlingguy.dotfiles/meta/main.yml create mode 100644 roles/geerlingguy.dotfiles/molecule/default/converge.yml create mode 100644 roles/geerlingguy.dotfiles/molecule/default/molecule.yml create mode 100644 roles/geerlingguy.dotfiles/molecule/default/requirements.yml create mode 100644 roles/geerlingguy.dotfiles/tasks/main.yml delete mode 160000 roles/geerlingguy.gitlab create mode 100644 roles/geerlingguy.gitlab/.ansible-lint create mode 100644 roles/geerlingguy.gitlab/.github/FUNDING.yml create mode 100644 roles/geerlingguy.gitlab/.github/stale.yml create mode 100644 roles/geerlingguy.gitlab/.github/workflows/ci.yml create mode 100644 roles/geerlingguy.gitlab/.github/workflows/release.yml create mode 100644 roles/geerlingguy.gitlab/.gitignore create mode 100644 roles/geerlingguy.gitlab/.yamllint create mode 100644 roles/geerlingguy.gitlab/LICENSE create mode 100644 roles/geerlingguy.gitlab/README.md create mode 100644 roles/geerlingguy.gitlab/defaults/main.yml create mode 100644 roles/geerlingguy.gitlab/handlers/main.yml create mode 100644 roles/geerlingguy.gitlab/meta/main.yml create mode 100644 roles/geerlingguy.gitlab/molecule/default/converge.yml create mode 100644 roles/geerlingguy.gitlab/molecule/default/molecule.yml create mode 
100644 roles/geerlingguy.gitlab/molecule/default/version.yml create mode 100644 roles/geerlingguy.gitlab/tasks/main.yml create mode 100644 roles/geerlingguy.gitlab/templates/gitlab.rb.j2 create mode 100644 roles/geerlingguy.gitlab/vars/Debian.yml create mode 100644 roles/geerlingguy.gitlab/vars/RedHat.yml delete mode 160000 roles/geerlingguy.pip create mode 100644 roles/geerlingguy.pip/.ansible-lint create mode 100644 roles/geerlingguy.pip/.github/FUNDING.yml create mode 100644 roles/geerlingguy.pip/.github/stale.yml create mode 100644 roles/geerlingguy.pip/.github/workflows/ci.yml create mode 100644 roles/geerlingguy.pip/.github/workflows/release.yml create mode 100644 roles/geerlingguy.pip/.gitignore create mode 100644 roles/geerlingguy.pip/.yamllint create mode 100644 roles/geerlingguy.pip/LICENSE create mode 100644 roles/geerlingguy.pip/README.md create mode 100644 roles/geerlingguy.pip/defaults/main.yml create mode 100644 roles/geerlingguy.pip/meta/main.yml create mode 100644 roles/geerlingguy.pip/molecule/default/converge.yml create mode 100644 roles/geerlingguy.pip/molecule/default/molecule.yml create mode 100644 roles/geerlingguy.pip/tasks/main.yml delete mode 160000 roles/oefenweb.ufw create mode 100644 roles/oefenweb.ufw/.ansible-lint create mode 100644 roles/oefenweb.ufw/.gitignore create mode 100644 roles/oefenweb.ufw/.travis.yml create mode 100644 roles/oefenweb.ufw/LICENSE.txt create mode 100644 roles/oefenweb.ufw/README.md create mode 100644 roles/oefenweb.ufw/Vagrantfile create mode 100644 roles/oefenweb.ufw/defaults/main.yml create mode 100644 roles/oefenweb.ufw/files/empty create mode 100644 roles/oefenweb.ufw/handlers/main.yml create mode 100644 roles/oefenweb.ufw/meta/main.yml create mode 100644 roles/oefenweb.ufw/tasks/configure.yml create mode 100644 roles/oefenweb.ufw/tasks/fix-dropped-ssh-sessions.yml create mode 100644 roles/oefenweb.ufw/tasks/install.yml create mode 100644 roles/oefenweb.ufw/tasks/main.yml create mode 100644 
roles/oefenweb.ufw/templates/etc/ansible/facts.d/ufw.fact.j2 create mode 100644 roles/oefenweb.ufw/templates/etc/default/ufw.j2 create mode 100644 roles/oefenweb.ufw/tests/inventory create mode 100644 roles/oefenweb.ufw/tests/test.yml create mode 100644 roles/oefenweb.ufw/tests/vagrant.yml create mode 100644 roles/oefenweb.ufw/vars/main.yml delete mode 160000 roles/riemers.gitlab-runner create mode 100644 roles/riemers.gitlab-runner/.gitignore create mode 100644 roles/riemers.gitlab-runner/.travis.yml create mode 100644 roles/riemers.gitlab-runner/LICENSE create mode 100644 roles/riemers.gitlab-runner/README.md create mode 100644 roles/riemers.gitlab-runner/defaults/main.yml create mode 100644 roles/riemers.gitlab-runner/handlers/main.yml create mode 100644 roles/riemers.gitlab-runner/meta/main.yml create mode 100644 roles/riemers.gitlab-runner/tasks/Container.yml create mode 100644 roles/riemers.gitlab-runner/tasks/Unix.yml create mode 100644 roles/riemers.gitlab-runner/tasks/Windows.yml create mode 100644 roles/riemers.gitlab-runner/tasks/config-runner-container.yml create mode 100644 roles/riemers.gitlab-runner/tasks/config-runner-windows.yml create mode 100644 roles/riemers.gitlab-runner/tasks/config-runner.yml create mode 100644 roles/riemers.gitlab-runner/tasks/config-runners-container.yml create mode 100644 roles/riemers.gitlab-runner/tasks/config-runners-windows.yml create mode 100644 roles/riemers.gitlab-runner/tasks/config-runners.yml create mode 100644 roles/riemers.gitlab-runner/tasks/global-setup-windows.yml create mode 100644 roles/riemers.gitlab-runner/tasks/global-setup.yml create mode 100644 roles/riemers.gitlab-runner/tasks/install-container.yml create mode 100644 roles/riemers.gitlab-runner/tasks/install-debian.yml create mode 100644 roles/riemers.gitlab-runner/tasks/install-macos.yml create mode 100644 roles/riemers.gitlab-runner/tasks/install-redhat.yml create mode 100644 roles/riemers.gitlab-runner/tasks/install-windows.yml create mode 100644 
roles/riemers.gitlab-runner/tasks/line-config-runner-windows.yml create mode 100644 roles/riemers.gitlab-runner/tasks/line-config-runner.yml create mode 100644 roles/riemers.gitlab-runner/tasks/main.yml create mode 100644 roles/riemers.gitlab-runner/tasks/register-runner-container.yml create mode 100644 roles/riemers.gitlab-runner/tasks/register-runner-windows.yml create mode 100644 roles/riemers.gitlab-runner/tasks/register-runner.yml create mode 100644 roles/riemers.gitlab-runner/tasks/section-config-runner-windows.yml create mode 100644 roles/riemers.gitlab-runner/tasks/section-config-runner.yml create mode 100644 roles/riemers.gitlab-runner/tasks/systemd-reload.yml create mode 100644 roles/riemers.gitlab-runner/tasks/update-config-runner-windows.yml create mode 100644 roles/riemers.gitlab-runner/tasks/update-config-runner.yml create mode 100644 roles/riemers.gitlab-runner/tests/files/mock_gitlab_runner_ci.py create mode 100644 roles/riemers.gitlab-runner/tests/inventory create mode 100644 roles/riemers.gitlab-runner/tests/test.yml create mode 100644 roles/riemers.gitlab-runner/tests/travis-bootstrap-ansible.ps1 create mode 100644 roles/riemers.gitlab-runner/tests/vars/Windows.yml create mode 100644 roles/riemers.gitlab-runner/tests/vars/default.yml create mode 100644 roles/riemers.gitlab-runner/vars/Darwin.yml create mode 100644 roles/riemers.gitlab-runner/vars/Debian.yml create mode 100644 roles/riemers.gitlab-runner/vars/RedHat.yml create mode 100644 roles/riemers.gitlab-runner/vars/Windows.yml create mode 100644 roles/riemers.gitlab-runner/vars/default.yml create mode 100644 roles/riemers.gitlab-runner/vars/main.yml delete mode 160000 roles/robertdebock.bootstrap create mode 100644 roles/robertdebock.bootstrap/.ansible-lint create mode 100644 roles/robertdebock.bootstrap/.github/FUNDING.yml create mode 100644 roles/robertdebock.bootstrap/.github/ISSUE_TEMPLATE/bug_report.md create mode 100644 
roles/robertdebock.bootstrap/.github/ISSUE_TEMPLATE/feature_request.md create mode 100644 roles/robertdebock.bootstrap/.github/pull_request_template.md create mode 100644 roles/robertdebock.bootstrap/.github/settings.yml create mode 100644 roles/robertdebock.bootstrap/.github/workflows/galaxy.yml create mode 100644 roles/robertdebock.bootstrap/.github/workflows/molecule.yml create mode 100644 roles/robertdebock.bootstrap/.github/workflows/requirements2png.yml create mode 100644 roles/robertdebock.bootstrap/.github/workflows/todo.yml create mode 100644 roles/robertdebock.bootstrap/.gitignore create mode 100644 roles/robertdebock.bootstrap/.gitlab-ci.yml create mode 100644 roles/robertdebock.bootstrap/.pre-commit-config.yaml create mode 100644 roles/robertdebock.bootstrap/.travis.yml create mode 100644 roles/robertdebock.bootstrap/.yamllint create mode 100644 roles/robertdebock.bootstrap/CODE_OF_CONDUCT.md create mode 100644 roles/robertdebock.bootstrap/CONTRIBUTING.md create mode 100644 roles/robertdebock.bootstrap/LICENSE create mode 100644 roles/robertdebock.bootstrap/README.md create mode 100644 roles/robertdebock.bootstrap/SECURITY.md create mode 100644 roles/robertdebock.bootstrap/defaults/main.yml create mode 100644 roles/robertdebock.bootstrap/meta/exception.yml create mode 100644 roles/robertdebock.bootstrap/meta/main.yml create mode 100644 roles/robertdebock.bootstrap/meta/preferences.yml create mode 100644 roles/robertdebock.bootstrap/molecule/default/converge.yml create mode 100644 roles/robertdebock.bootstrap/molecule/default/molecule.yml create mode 100644 roles/robertdebock.bootstrap/molecule/default/verify.yml create mode 100644 roles/robertdebock.bootstrap/requirements.txt create mode 100644 roles/robertdebock.bootstrap/tasks/assert.yml create mode 100644 roles/robertdebock.bootstrap/tasks/gather_facts.yml create mode 100644 roles/robertdebock.bootstrap/tasks/main.yml create mode 100644 roles/robertdebock.bootstrap/tox.ini create mode 100644 
roles/robertdebock.bootstrap/vars/main.yml delete mode 160000 roles/ryandaniels.create_users create mode 100644 roles/ryandaniels.create_users/.gitignore create mode 100644 roles/ryandaniels.create_users/.travis.yml create mode 100644 roles/ryandaniels.create_users/LICENSE create mode 100644 roles/ryandaniels.create_users/README.md create mode 100644 roles/ryandaniels.create_users/defaults/main.yml create mode 100644 roles/ryandaniels.create_users/meta/main.yml create mode 100644 roles/ryandaniels.create_users/tasks/main.yml create mode 100644 roles/ryandaniels.create_users/tests/inventory create mode 100644 roles/ryandaniels.create_users/tests/test-passchange.yml create mode 100644 roles/ryandaniels.create_users/tests/test.yml
diff --git a/roles/geerlingguy.ansible b/roles/geerlingguy.ansible
deleted file mode 160000
index adf22d8c..00000000
--- a/roles/geerlingguy.ansible
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit adf22d8c735670a8323f118de6bc37ba6b67f86e
diff --git a/roles/geerlingguy.ansible/.ansible-lint b/roles/geerlingguy.ansible/.ansible-lint
new file mode 100644
index 00000000..55572942
--- /dev/null
+++ b/roles/geerlingguy.ansible/.ansible-lint
@@ -0,0 +1,2 @@
+skip_list:
+ - '106'
diff --git a/roles/geerlingguy.ansible/.github/FUNDING.yml b/roles/geerlingguy.ansible/.github/FUNDING.yml
new file mode 100644
index 00000000..96b49383
--- /dev/null
+++ b/roles/geerlingguy.ansible/.github/FUNDING.yml
@@ -0,0 +1,4 @@
+# These are supported funding model platforms
+---
+github: geerlingguy
+patreon: geerlingguy
diff --git a/roles/geerlingguy.ansible/.github/stale.yml b/roles/geerlingguy.ansible/.github/stale.yml
new file mode 100644
index 00000000..c7ff1275
--- /dev/null
+++ b/roles/geerlingguy.ansible/.github/stale.yml
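Review bot: Replacing the `roles/geerlingguy.ansible` submodule with a plain copy drops the only pin that tied this role to upstream commit adf22d8c735670a8323f118de6bc37ba6b67f86e, and nothing in the copied files records which upstream revision was vendored; the same applies to the other seven `delete mode 160000` entries listed in the diffstat. A later audit of these roles against upstream, or triage of a vulnerability reported in one of them, then has no recorded baseline to diff against. Consider recording provenance per role, e.g. a small file such as `roles/geerlingguy.ansible/VENDORED.md` (constructed name) holding `source: https://github.com/geerlingguy/ansible-role-ansible` and `commit: adf22d8c735670a8323f118de6bc37ba6b67f86e`, or a `requirements.yml` that pins a `version:` for each role so a known revision can be re-fetched and compared. The copied `.github/workflows/*.yml` files now live below `roles/` and presumably will not be executed by GitHub Actions in this repository, so the vendored roles are no longer lint- or molecule-tested here unless that is wired up separately.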
@@ -0,0 +1,56 @@
+# Configuration for probot-stale - https://github.com/probot/stale
+
+# Number of days of inactivity before an Issue or Pull Request becomes stale
+daysUntilStale: 90
+
+# Number of days of inactivity before an Issue or Pull Request with the stale label is closed.
+# Set to false to disable. If disabled, issues still need to be closed manually, but will remain marked as stale.
+daysUntilClose: 30
+
+# Only issues or pull requests with all of these labels are check if stale. Defaults to `[]` (disabled)
+onlyLabels: []
+
+# Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable
+exemptLabels:
+ - pinned
+ - security
+ - planned
+
+# Set to true to ignore issues in a project (defaults to false)
+exemptProjects: false
+
+# Set to true to ignore issues in a milestone (defaults to false)
+exemptMilestones: false
+
+# Set to true to ignore issues with an assignee (defaults to false)
+exemptAssignees: false
+
+# Label to use when marking as stale
+staleLabel: stale
+
+# Limit the number of actions per hour, from 1-30. Default is 30
+limitPerRun: 30
+
+pulls:
+ markComment: |-
+ This pull request has been marked 'stale' due to lack of recent activity. If there is no further activity, the PR will be closed in another 30 days. Thank you for your contribution!
+
+ Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark pull requests as stale.
+
+ unmarkComment: >-
+ This pull request is no longer marked for closure.
+
+ closeComment: >-
+ This pull request has been closed due to inactivity. If you feel this is in error, please reopen the pull request or file a new PR with the relevant details.
+
+issues:
+ markComment: |-
+ This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
+
+ Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale.
+
+ unmarkComment: >-
+ This issue is no longer marked for closure.
+
+ closeComment: >-
+ This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.
diff --git a/roles/geerlingguy.ansible/.github/workflows/ci.yml b/roles/geerlingguy.ansible/.github/workflows/ci.yml
new file mode 100644
index 00000000..95c75247
--- /dev/null
+++ b/roles/geerlingguy.ansible/.github/workflows/ci.yml
@@ -0,0 +1,79 @@
+---
+name: CI
+'on':
+ pull_request:
+ push:
+ branches:
+ - master
+ schedule:
+ - cron: "30 5 * * 0"
+
+defaults:
+ run:
+ working-directory: 'geerlingguy.ansible'
+
+jobs:
+
+ lint:
+ name: Lint
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out the codebase.
+ uses: actions/checkout@v2
+ with:
+ path: 'geerlingguy.ansible'
+
+ - name: Set up Python 3.
+ uses: actions/setup-python@v2
+ with:
+ python-version: '3.x'
+
+ - name: Install test dependencies.
+ run: pip3 install yamllint ansible-lint
+
+ - name: Lint code.
+ run: |
+ yamllint .
+ ansible-lint
+
+ molecule:
+ name: Molecule
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ include:
+ - distro: centos8
+ playbook: converge.yml
+ - distro: fedora32
+ playbook: converge.yml
+ # See: https://github.com/geerlingguy/ansible-role-ansible/issues/18
+ # - distro: ubuntu2004
+ # playbook: converge.yml
+ - distro: ubuntu1804
+ playbook: converge.yml
+ - distro: debian10
+ playbook: converge.yml
+ - distro: centos8
+ playbook: pip.yml
+
+ steps:
+ - name: Check out the codebase.
+ uses: actions/checkout@v2
+ with:
+ path: 'geerlingguy.ansible'
+
+ - name: Set up Python 3.
+ uses: actions/setup-python@v2
+ with:
+ python-version: '3.x'
+
+ - name: Install test dependencies.
+ run: pip3 install ansible molecule[docker] docker
+
+ - name: Run Molecule tests.
+ run: molecule test
+ env:
+ PY_COLORS: '1'
+ ANSIBLE_FORCE_COLOR: '1'
+ MOLECULE_DISTRO: ${{ matrix.distro }}
+ MOLECULE_PLAYBOOK: ${{ matrix.playbook }}
diff --git a/roles/geerlingguy.ansible/.github/workflows/release.yml b/roles/geerlingguy.ansible/.github/workflows/release.yml
new file mode 100644
index 00000000..916a8a07
--- /dev/null
+++ b/roles/geerlingguy.ansible/.github/workflows/release.yml
@@ -0,0 +1,38 @@
+---
+# This workflow requires a GALAXY_API_KEY secret present in the GitHub
+# repository or organization.
+#
+# See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy
+# See: https://github.com/ansible/galaxy/issues/46
+
+name: Release
+'on':
+ push:
+ tags:
+ - '*'
+
+defaults:
+ run:
+ working-directory: 'geerlingguy.ansible'
+
+jobs:
+
+ release:
+ name: Release
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out the codebase.
+ uses: actions/checkout@v2
+ with:
+ path: 'geerlingguy.ansible'
+
+ - name: Set up Python 3.
+ uses: actions/setup-python@v2
+ with:
+ python-version: '3.x'
+
+ - name: Install Ansible.
+ run: pip3 install ansible-base
+
+ - name: Trigger a new import on Galaxy.
+ run: ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2)
diff --git a/roles/geerlingguy.ansible/.gitignore b/roles/geerlingguy.ansible/.gitignore
new file mode 100644
index 00000000..f56f5b57
--- /dev/null
+++ b/roles/geerlingguy.ansible/.gitignore
@@ -0,0 +1,3 @@
+*.retry
+*/__pycache__
+*.pyc
diff --git a/roles/geerlingguy.ansible/.yamllint b/roles/geerlingguy.ansible/.yamllint
new file mode 100644
index 00000000..76a383c6
--- /dev/null
+++ b/roles/geerlingguy.ansible/.yamllint
@@ -0,0 +1,10 @@
+---
+extends: default
+
+rules:
+ line-length:
+ max: 120
+ level: warning
+
+ignore: |
+ .github/stale.yml
diff --git a/roles/geerlingguy.ansible/LICENSE b/roles/geerlingguy.ansible/LICENSE
new file mode 100644
index 00000000..4275cf3c
--- /dev/null
+++ b/roles/geerlingguy.ansible/LICENSE
@@ -0,0 +1,20 @@
+The MIT License (MIT)
+
+Copyright (c) 2017 Jeff Geerling
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/roles/geerlingguy.ansible/README.md b/roles/geerlingguy.ansible/README.md
new file mode 100644
index 00000000..1dcda348
--- /dev/null
+++ b/roles/geerlingguy.ansible/README.md
@@ -0,0 +1,51 @@
+# Ansible Role: Ansible
+
+[![CI](https://github.com/geerlingguy/ansible-role-ansible/workflows/CI/badge.svg?event=push)](https://github.com/geerlingguy/ansible-role-ansible/actions?query=workflow%3ACI)
+
+An Ansible Role that installs Ansible on Linux servers.
+
+## Requirements
+
+If using on a RedHat/CentOS-based host, make sure you've added the EPEL repository (it can easily be installed by including the `geerlingguy.repo-epel` role on Ansible Galaxy).
+
+## Role Variables
+
+Available variables are listed below, along with default values (see `defaults/main.yml`):
+
+ ansible_install_method: package
+
+Whether to install Ansible via the system `package` manager (`apt`, `yum`, `dnf`, etc.), or via `pip`. If set to `pip`, you need to make sure Pip is installed prior to running this role. You can use the `geerlingguy.pip` module to install Pip easily.
+
+ ansible_install_version_pip: ''
+
+If `ansible_install_method` is set to `pip`, the specific Ansible version to be installed via Pip. If not set, the latest version of Ansible will be installed.
+
+## Dependencies
+
+None.
+
+## Example Playbook
+
+Install from the system package manager:
+
+ - hosts: servers
+ roles:
+ - role: geerlingguy.ansible
+
+Install from pip:
+
+ - hosts: servers
+ vars:
+ ansible_install_method: pip
+ ansible_install_version_pip: "2.7.0"
+ roles:
+ - role: geerlingguy.pip
+ - role: geerlingguy.ansible
+
+## License
+
+MIT / BSD
+
+## Author Information
+
+This role was created in 2014 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).
diff --git a/roles/geerlingguy.ansible/defaults/main.yml b/roles/geerlingguy.ansible/defaults/main.yml
new file mode 100644
index 00000000..5898c332
--- /dev/null
+++ b/roles/geerlingguy.ansible/defaults/main.yml
@@ -0,0 +1,8 @@ +--- +ansible_default_release: "" + +# Valid options include: 'package' or 'pip'. +ansible_install_method: package + +# Used only if ansible_install_method is 'pip'. If empty, defaults to latest. +ansible_install_version_pip: '' diff --git a/roles/geerlingguy.ansible/meta/main.yml b/roles/geerlingguy.ansible/meta/main.yml new file mode 100644 index 00000000..4ae9541b --- /dev/null +++ b/roles/geerlingguy.ansible/meta/main.yml @@ -0,0 +1,29 @@ +--- +dependencies: [] + +galaxy_info: + author: geerlingguy + description: Ansible for RedHat/CentOS/Debian/Ubuntu. + company: "Midwestern Mac, LLC" + license: "license (BSD, MIT)" + min_ansible_version: 2.4 + platforms: + - name: EL + versions: + - all + - name: Fedora + versions: + - all + - name: Debian + versions: + - all + - name: Ubuntu + versions: + - all + galaxy_tags: + - system + - packaging + - development + - cloud + - ansible + - automation diff --git a/roles/geerlingguy.ansible/molecule/default/converge.yml b/roles/geerlingguy.ansible/molecule/default/converge.yml new file mode 100644 index 00000000..7adc54e3 --- /dev/null +++ b/roles/geerlingguy.ansible/molecule/default/converge.yml @@ -0,0 +1,12 @@ +--- +- name: Converge + hosts: all + become: true + + pre_tasks: + - name: Update apt cache. + apt: update_cache=true cache_valid_time=300 + when: ansible_os_family == 'Debian' + + roles: + - role: geerlingguy.ansible diff --git a/roles/geerlingguy.ansible/molecule/default/molecule.yml b/roles/geerlingguy.ansible/molecule/default/molecule.yml new file mode 100644 index 00000000..74907107 --- /dev/null +++ b/roles/geerlingguy.ansible/molecule/default/molecule.yml 
@@ -0,0 +1,17 @@ +--- +dependency: + name: galaxy +driver: + name: docker +platforms: + - name: instance + image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest" + command: ${MOLECULE_DOCKER_COMMAND:-""} + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + privileged: true + pre_build_image: true +provisioner: + name: ansible + playbooks: + converge: ${MOLECULE_PLAYBOOK:-converge.yml} diff --git a/roles/geerlingguy.ansible/molecule/default/pip.yml b/roles/geerlingguy.ansible/molecule/default/pip.yml new file mode 100644 index 00000000..60e298ef --- /dev/null +++ b/roles/geerlingguy.ansible/molecule/default/pip.yml @@ -0,0 +1,12 @@ +--- +- name: Converge + hosts: all + become: true + + vars: + ansible_install_method: pip + ansible_install_version_pip: "2.6.2" + + roles: + - role: geerlingguy.pip + - role: geerlingguy.ansible diff --git a/roles/geerlingguy.ansible/molecule/default/requirements.yml b/roles/geerlingguy.ansible/molecule/default/requirements.yml new file mode 100644 index 00000000..963f84b2 --- /dev/null +++ b/roles/geerlingguy.ansible/molecule/default/requirements.yml @@ -0,0 +1,2 @@ +--- +- role: geerlingguy.pip diff --git a/roles/geerlingguy.ansible/tasks/main.yml b/roles/geerlingguy.ansible/tasks/main.yml new file mode 100644 index 00000000..5b7bbddc --- /dev/null +++ b/roles/geerlingguy.ansible/tasks/main.yml 
@@ -0,0 +1,34 @@ +--- +- name: Set the package state based on how Ansible is installed. + set_fact: + ansible_package_state: "{{ 'present' if ansible_install_method == 'package' else 'absent' }}" + +# Setup/install tasks. +- name: Set up Ansible on RedHat. + include_tasks: setup-RedHat.yml + when: + - ansible_os_family == 'RedHat' + - ansible_distribution != 'Fedora' + - ansible_install_method == 'package' + +- name: Set up Ansible on Fedora. + include_tasks: setup-Fedora.yml + when: + - ansible_distribution == 'Fedora' + - ansible_install_method == 'package' + +- name: Set up Ansible on Ubuntu. + include_tasks: setup-Ubuntu.yml + when: + - ansible_distribution == 'Ubuntu' + - ansible_install_method == 'package' + +- name: Set up Ansible on Debian. + include_tasks: setup-Debian.yml + when: + - ansible_distribution == 'Debian' + - ansible_install_method == 'package' + +- name: Set up Ansible using Pip. + include_tasks: setup-pip.yml + when: ansible_install_method == 'pip' diff --git a/roles/geerlingguy.ansible/tasks/setup-Debian.yml b/roles/geerlingguy.ansible/tasks/setup-Debian.yml new file mode 100644 index 00000000..fb6911d7 --- /dev/null +++ b/roles/geerlingguy.ansible/tasks/setup-Debian.yml @@ -0,0 +1,21 @@ +--- +- name: Enable Backports repository. + apt_repository: + repo: >- + deb http://ftp.debian.org/debian + {{ ansible_distribution_release }}-backports main' + state: present + filename: "{{ ansible_distribution_release }}_backports" + update_cache: true + when: ansible_distribution_version | int < 9 + +- name: Set the default_release option for older Debian versions. + set_fact: + ansible_default_release: "{{ ansible_distribution_release }}-backports" + when: ansible_distribution_version | int < 9 + +- name: Install Ansible. + apt: + name: ansible + state: "{{ ansible_package_state }}" + default_release: "{{ ansible_default_release }}" 
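Review bot: `ansible_install_method` is never validated in tasks/main.yml, so a typo such as `packages` makes every `include_tasks` condition false and the role silently installs nothing while still reporting success. An `assert` before the `set_fact` pins the contract: `- assert: { that: ansible_install_method in ['package', 'pip'], fail_msg: "ansible_install_method must be 'package' or 'pip'" }`. With that in place the derived `ansible_package_state` is guaranteed to be `present` or `absent` by construction rather than by accident.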
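Review bot: The backports `repo:` line in setup-Debian.yml ends with a stray single quote (`{{ ansible_distribution_release }}-backports main'`), so the sources entry written for Debian < 9 carries a literal `main'` component and the following `apt` install will fail to resolve the backports package; drop the quote. The same entry fetches the repository over plain `http://ftp.debian.org/debian`, which leaves the metadata channel open to interception even though package signatures still cover the payload; `deb https://deb.debian.org/debian {{ ansible_distribution_release }}-backports main` is the safer form. Because of the `ansible_distribution_version | int < 9` guard this only affects end-of-life releases, so this is mostly hygiene, but it is worth noting in a comment that the backports path is legacy-only.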
diff --git a/roles/geerlingguy.ansible/tasks/setup-Fedora.yml b/roles/geerlingguy.ansible/tasks/setup-Fedora.yml new file mode 100644 index 00000000..7d56261d --- /dev/null +++ b/roles/geerlingguy.ansible/tasks/setup-Fedora.yml @@ -0,0 +1,5 @@ +--- +- name: Install Ansible. + package: + name: ansible + state: "{{ ansible_package_state }}" diff --git a/roles/geerlingguy.ansible/tasks/setup-RedHat.yml b/roles/geerlingguy.ansible/tasks/setup-RedHat.yml new file mode 100644 index 00000000..170f243b --- /dev/null +++ b/roles/geerlingguy.ansible/tasks/setup-RedHat.yml @@ -0,0 +1,6 @@ +--- +- name: Install Ansible. + package: + name: ansible + state: "{{ ansible_package_state }}" + enablerepo: epel diff --git a/roles/geerlingguy.ansible/tasks/setup-Ubuntu.yml b/roles/geerlingguy.ansible/tasks/setup-Ubuntu.yml new file mode 100644 index 00000000..23b972df --- /dev/null +++ b/roles/geerlingguy.ansible/tasks/setup-Ubuntu.yml @@ -0,0 +1,15 @@ +--- +- name: Ensure dirmngr is installed (gnupg dependency). + apt: + name: dirmngr + state: present + +- name: Add ansible repository. + apt_repository: + repo: 'ppa:ansible/ansible' + update_cache: true + +- name: Install Ansible. + apt: + name: ansible + state: "{{ ansible_package_state }}" diff --git a/roles/geerlingguy.ansible/tasks/setup-pip.yml b/roles/geerlingguy.ansible/tasks/setup-pip.yml new file mode 100644 index 00000000..a91049bd --- /dev/null +++ b/roles/geerlingguy.ansible/tasks/setup-pip.yml @@ -0,0 +1,5 @@ +--- +- name: Install Ansible via Pip. + pip: + name: ansible + version: "{{ ansible_install_version_pip | default(omit) }}" diff --git a/roles/geerlingguy.docker b/roles/geerlingguy.docker deleted file mode 160000 index c254e080..00000000 --- a/roles/geerlingguy.docker +++ /dev/null @@ -1 +0,0 @@ -Subproject commit c254e08049d9792c2b532d8df0e44d4700be2aa7 diff --git a/roles/geerlingguy.docker/.ansible-lint b/roles/geerlingguy.docker/.ansible-lint new file mode 100644 index 00000000..affe64fa --- /dev/null 
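Review bot: setup-pip.yml installs `ansible` from PyPI with no version pin by default (`ansible_install_version_pip` is `''`), so each run pulls whatever is latest and the automation control plane itself becomes an unpinned supply-chain dependency with none of the repository signing the package-manager paths in the sibling files rely on. `default(omit)` also never fires for that empty-string default because the variable is defined; `version: "{{ ansible_install_version_pip | default(omit, true) }}"` makes an empty value actually omitted instead of passed through to the module. A one-line comment above the task, `# Pin ansible_install_version_pip in production; PyPI provides no distro-style signature verification.`, would make the trade-off visible to users of the role.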
+++ b/roles/geerlingguy.docker/.ansible-lint @@ -0,0 +1,3 @@ +skip_list: + - '306' + - '106' diff --git a/roles/geerlingguy.docker/.github/FUNDING.yml b/roles/geerlingguy.docker/.github/FUNDING.yml new file mode 100644 index 00000000..96b49383 --- /dev/null +++ b/roles/geerlingguy.docker/.github/FUNDING.yml @@ -0,0 +1,4 @@ +# These are supported funding model platforms +--- +github: geerlingguy +patreon: geerlingguy diff --git a/roles/geerlingguy.docker/.github/stale.yml b/roles/geerlingguy.docker/.github/stale.yml new file mode 100644 index 00000000..3ac21f9a --- /dev/null +++ b/roles/geerlingguy.docker/.github/stale.yml 
@@ -0,0 +1,56 @@ +# Configuration for probot-stale - https://github.com/probot/stale +--- +# Number of days of inactivity before an Issue or Pull Request becomes stale +daysUntilStale: 90 + +# Number of days of inactivity before an Issue or Pull Request with the stale label is closed. +# Set to false to disable. If disabled, issues still need to be closed manually, but will remain marked as stale. +daysUntilClose: 30 + +# Only issues or pull requests with all of these labels are check if stale. Defaults to `[]` (disabled) +onlyLabels: [] + +# Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable +exemptLabels: + - pinned + - security + - planned + +# Set to true to ignore issues in a project (defaults to false) +exemptProjects: false + +# Set to true to ignore issues in a milestone (defaults to false) +exemptMilestones: false + +# Set to true to ignore issues with an assignee (defaults to false) +exemptAssignees: false + +# Label to use when marking as stale +staleLabel: stale + +# Limit the number of actions per hour, from 1-30. Default is 30 +limitPerRun: 30 + +pulls: + markComment: |- + This pull request has been marked 'stale' due to lack of recent activity. If there is no further activity, the PR will be closed in another 30 days. Thank you for your contribution! + + Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark pull requests as stale. + + unmarkComment: >- + This pull request is no longer marked for closure. + + closeComment: >- + This pull request has been closed due to inactivity. If you feel this is in error, please reopen the pull request or file a new PR with the relevant details. + +issues: + markComment: |- + This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution! 
+ + Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale. + + unmarkComment: >- + This issue is no longer marked for closure. + + closeComment: >- + This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details. diff --git a/roles/geerlingguy.docker/.github/workflows/ci.yml b/roles/geerlingguy.docker/.github/workflows/ci.yml new file mode 100644 index 00000000..6a2fe4a8 --- /dev/null +++ b/roles/geerlingguy.docker/.github/workflows/ci.yml @@ -0,0 +1,72 @@ +--- +name: CI +'on': + pull_request: + push: + branches: + - master + schedule: + - cron: "0 7 * * 0" + +defaults: + run: + working-directory: 'geerlingguy.docker' + +jobs: + + lint: + name: Lint + runs-on: ubuntu-latest + steps: + - name: Check out the codebase. + uses: actions/checkout@v2 + with: + path: 'geerlingguy.docker' + + - name: Set up Python 3. + uses: actions/setup-python@v2 + with: + python-version: '3.x' + + - name: Install test dependencies. + run: pip3 install yamllint ansible-lint + + - name: Lint code. + run: | + yamllint . + ansible-lint + + molecule: + name: Molecule + runs-on: ubuntu-latest + strategy: + matrix: + distro: + - centos8 + - centos7 + - ubuntu2004 + - ubuntu1804 + - debian10 + - debian9 + - fedora33 + + steps: + - name: Check out the codebase. + uses: actions/checkout@v2 + with: + path: 'geerlingguy.docker' + + - name: Set up Python 3. + uses: actions/setup-python@v2 + with: + python-version: '3.x' + + - name: Install test dependencies. + run: pip3 install ansible molecule[docker] docker + + - name: Run Molecule tests. + run: molecule test + env: + PY_COLORS: '1' + ANSIBLE_FORCE_COLOR: '1' + MOLECULE_DISTRO: ${{ matrix.distro }} 
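Review bot: Both jobs in ci.yml reference `actions/checkout@v2` and `actions/setup-python@v2` by mutable major tag and install `yamllint ansible-lint` and `ansible molecule[docker] docker` unpinned, so the lint and test toolchain is whatever those upstreams publish on the day of the run. Pinning the actions to a full commit SHA (`uses: actions/checkout@<sha>  # v2`) and the pip packages to versions, or at least to a constraints file, keeps a compromised or merely broken upstream release from silently changing CI results. The workflow also declares no `permissions:` block; `permissions: { contents: read }` at the top limits the default `GITHUB_TOKEN` to what lint and molecule actually need, which matters because the workflow runs on `pull_request` as well as `push`.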
diff --git a/roles/geerlingguy.docker/.github/workflows/release.yml b/roles/geerlingguy.docker/.github/workflows/release.yml new file mode 100644 index 00000000..5d02a3e6 --- /dev/null +++ b/roles/geerlingguy.docker/.github/workflows/release.yml @@ -0,0 +1,38 @@ +--- +# This workflow requires a GALAXY_API_KEY secret present in the GitHub +# repository or organization. +# +# See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy +# See: https://github.com/ansible/galaxy/issues/46 + +name: Release +'on': + push: + tags: + - '*' + +defaults: + run: + working-directory: 'geerlingguy.docker' + +jobs: + + release: + name: Release + runs-on: ubuntu-latest + steps: + - name: Check out the codebase. + uses: actions/checkout@v2 + with: + path: 'geerlingguy.docker' + + - name: Set up Python 3. + uses: actions/setup-python@v2 + with: + python-version: '3.x' + + - name: Install Ansible. + run: pip3 install ansible-base + + - name: Trigger a new import on Galaxy. + run: ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2) diff --git a/roles/geerlingguy.docker/.gitignore b/roles/geerlingguy.docker/.gitignore new file mode 100644 index 00000000..f56f5b57 --- /dev/null +++ b/roles/geerlingguy.docker/.gitignore @@ -0,0 +1,3 @@ +*.retry +*/__pycache__ +*.pyc diff --git a/roles/geerlingguy.docker/.yamllint b/roles/geerlingguy.docker/.yamllint new file mode 100644 index 00000000..e6fc5387 --- /dev/null +++ b/roles/geerlingguy.docker/.yamllint @@ -0,0 +1,11 @@ +--- +extends: default + +rules: + line-length: + max: 200 + level: warning + +ignore: | + .github/stale.yml + .travis.yml diff --git a/roles/geerlingguy.docker/LICENSE b/roles/geerlingguy.docker/LICENSE new file mode 100644 index 00000000..4275cf3c --- /dev/null +++ b/roles/geerlingguy.docker/LICENSE 
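Review bot: The final step in release.yml passes `${{ secrets.GALAXY_API_KEY }}` as a command-line argument, which places the secret in the runner's process table and in any shell tracing, whereas GitHub only masks it in the job log. Expose it via `env: { GALAXY_API_KEY: ${{ secrets.GALAXY_API_KEY }} }` and reference `--api-key "$GALAXY_API_KEY"` in the command instead. Expanding `${{ github.repository }}` directly into the shell line is harmless for a repository name, but it is the inline-expression pattern GitHub's script-injection guidance warns against; passing it through `env` as well keeps the step free of interpolated expressions. The `tags: ['*']` trigger means anyone who can push a tag publishes to Galaxy, which may be intended but deserves a sentence in the header comment.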
@@ -0,0 +1,20 @@ +The MIT License (MIT) + +Copyright (c) 2017 Jeff Geerling + +Permission is hereby granted, free of charge, to any person obtaining a copy of +this software and associated documentation files (the "Software"), to deal in +the Software without restriction, including without limitation the rights to +use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +the Software, and to permit persons to whom the Software is furnished to do so, +subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/roles/geerlingguy.docker/README.md b/roles/geerlingguy.docker/README.md new file mode 100644 index 00000000..3090374f --- /dev/null +++ b/roles/geerlingguy.docker/README.md 
@@ -0,0 +1,97 @@ +# Ansible Role: Docker + +[![CI](https://github.com/geerlingguy/ansible-role-docker/workflows/CI/badge.svg?event=push)](https://github.com/geerlingguy/ansible-role-docker/actions?query=workflow%3ACI) + +An Ansible Role that installs [Docker](https://www.docker.com) on Linux. + +## Requirements + +None. + +## Role Variables + +Available variables are listed below, along with default values (see `defaults/main.yml`): + + # Edition can be one of: 'ce' (Community Edition) or 'ee' (Enterprise Edition). + docker_edition: 'ce' + docker_package: "docker-{{ docker_edition }}" + docker_package_state: present + +The `docker_edition` should be either `ce` (Community Edition) or `ee` (Enterprise Edition). You can also specify a specific version of Docker to install using the distribution-specific format: Red Hat/CentOS: `docker-{{ docker_edition }}-`; Debian/Ubuntu: `docker-{{ docker_edition }}=`. + +You can control whether the package is installed, uninstalled, or at the latest version by setting `docker_package_state` to `present`, `absent`, or `latest`, respectively. Note that the Docker daemon will be automatically restarted if the Docker package is updated. This is a side effect of flushing all handlers (running any of the handlers that have been notified by this and any other role up to this point in the play). + + docker_service_state: started + docker_service_enabled: true + docker_restart_handler_state: restarted + +Variables to control the state of the `docker` service, and whether it should start on boot. If you're installing Docker inside a Docker container without systemd or sysvinit, you should set these to `stopped` and set the enabled variable to `no`. + + docker_install_compose: true + docker_compose_version: "1.26.0" + docker_compose_path: /usr/local/bin/docker-compose + +Docker Compose installation options. 
+ + docker_apt_release_channel: stable + docker_apt_arch: amd64 + docker_apt_repository: "deb [arch={{ docker_apt_arch }}] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} {{ docker_apt_release_channel }}" + docker_apt_ignore_key_error: True + docker_apt_gpg_key: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg + +(Used only for Debian/Ubuntu.) You can switch the channel to `nightly` if you want to use the Nightly release. + +You can change `docker_apt_gpg_key` to a different url if you are behind a firewall or provide a trustworthy mirror. +Usually in combination with changing `docker_apt_repository` as well. + + docker_yum_repo_url: https://download.docker.com/linux/centos/docker-{{ docker_edition }}.repo + docker_yum_repo_enable_nightly: '0' + docker_yum_repo_enable_test: '0' + docker_yum_gpg_key: https://download.docker.com/linux/centos/gpg + +(Used only for RedHat/CentOS.) You can enable the Nightly or Test repo by setting the respective vars to `1`. + +You can change `docker_yum_gpg_key` to a different url if you are behind a firewall or provide a trustworthy mirror. +Usually in combination with changing `docker_yum_repository` as well. + + docker_users: + - user1 + - user2 + +A list of system users to be added to the `docker` group (so they can use Docker on the server). + +## Use with Ansible (and `docker` Python library) + +Many users of this role wish to also use Ansible to then _build_ Docker images and manage Docker containers on the server where Docker is installed. In this case, you can easily add in the `docker` Python library using the `geerlingguy.pip` role: + +```yaml +- hosts: all + + vars: + pip_install_packages: + - name: docker + + roles: + - geerlingguy.pip + - geerlingguy.docker +``` + +## Dependencies + +None. 
+ +## Example Playbook + +```yaml +- hosts: all + roles: + - geerlingguy.docker +``` + +## License + +MIT / BSD + +## Author Information + +This role was created in 2017 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/). diff --git a/roles/geerlingguy.docker/defaults/main.yml b/roles/geerlingguy.docker/defaults/main.yml new file mode 100644 index 00000000..8d660479 --- /dev/null +++ b/roles/geerlingguy.docker/defaults/main.yml @@ -0,0 +1,31 @@ +--- +# Edition can be one of: 'ce' (Community Edition) or 'ee' (Enterprise Edition). +docker_edition: 'ce' +docker_package: "docker-{{ docker_edition }}" +docker_package_state: present + +# Service options. +docker_service_state: started +docker_service_enabled: true +docker_restart_handler_state: restarted + +# Docker Compose options. +docker_install_compose: true +docker_compose_version: "1.26.0" +docker_compose_path: /usr/local/bin/docker-compose + +# Used only for Debian/Ubuntu. Switch 'stable' to 'nightly' if needed. +docker_apt_release_channel: stable +docker_apt_arch: amd64 +docker_apt_repository: "deb [arch={{ docker_apt_arch }}] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} {{ docker_apt_release_channel }}" +docker_apt_ignore_key_error: true +docker_apt_gpg_key: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg + +# Used only for RedHat/CentOS/Fedora. +docker_yum_repo_url: https://download.docker.com/linux/{{ (ansible_distribution == "Fedora") | ternary("fedora","centos") }}/docker-{{ docker_edition }}.repo +docker_yum_repo_enable_nightly: '0' +docker_yum_repo_enable_test: '0' +docker_yum_gpg_key: https://download.docker.com/linux/centos/gpg + +# A list of users who will be added to the docker group. +docker_users: [] diff --git a/roles/geerlingguy.docker/handlers/main.yml b/roles/geerlingguy.docker/handlers/main.yml new file mode 100644 index 00000000..7847bc1c 
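Review bot: `docker_apt_ignore_key_error: true` in defaults/main.yml makes a failed `apt_key` import non-fatal by default, so a host that cannot verify Docker's signing key still proceeds to add the repository and install packages; the secure default is `false`, with `true` documented as an explicit opt-in for legacy hosts. `docker_apt_arch: amd64` is honoured in `docker_apt_repository`, but the Compose download elsewhere in this patch is hard-coded to an x86_64 binary, so the two settings can silently disagree on arm64 hosts; a comment next to `docker_apt_arch` such as `# Affects the apt repository only; docker-compose is always fetched as Linux-x86_64.` would prevent surprise. `docker_yum_gpg_key` is fixed to the `centos` key URL even when `docker_yum_repo_url` switches to `fedora`, which appears deliberate (Docker publishes one key) but is worth stating in the comment above it.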
--- /dev/null +++ b/roles/geerlingguy.docker/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: restart docker + service: "name=docker state={{ docker_restart_handler_state }}" diff --git a/roles/geerlingguy.docker/meta/main.yml b/roles/geerlingguy.docker/meta/main.yml new file mode 100644 index 00000000..fc017275 --- /dev/null +++ b/roles/geerlingguy.docker/meta/main.yml @@ -0,0 +1,35 @@ +--- +dependencies: [] + +galaxy_info: + role_name: docker + author: geerlingguy + description: Docker for Linux. + company: "Midwestern Mac, LLC" + license: "license (BSD, MIT)" + min_ansible_version: 2.4 + platforms: + - name: EL + versions: + - 7 + - 8 + - name: Fedora + versions: + - all + - name: Debian + versions: + - stretch + - buster + - name: Ubuntu + versions: + - xenial + - bionic + - focal + galaxy_tags: + - web + - system + - containers + - docker + - orchestration + - compose + - server diff --git a/roles/geerlingguy.docker/molecule/default/converge.yml b/roles/geerlingguy.docker/molecule/default/converge.yml new file mode 100644 index 00000000..629095b2 --- /dev/null +++ b/roles/geerlingguy.docker/molecule/default/converge.yml @@ -0,0 +1,24 @@ +--- +- name: Converge + hosts: all + become: true + + pre_tasks: + - name: Update apt cache. + apt: update_cache=yes cache_valid_time=600 + when: ansible_os_family == 'Debian' + + - name: Wait for systemd to complete initialization. # noqa 303 + command: systemctl is-system-running + register: systemctl_status + until: > + 'running' in systemctl_status.stdout or + 'degraded' in systemctl_status.stdout + retries: 30 + delay: 5 + when: ansible_service_mgr == 'systemd' + changed_when: false + failed_when: systemctl_status.rc > 1 + + roles: + - role: geerlingguy.docker diff --git a/roles/geerlingguy.docker/molecule/default/molecule.yml b/roles/geerlingguy.docker/molecule/default/molecule.yml new file mode 100644 index 00000000..74907107 --- /dev/null +++ b/roles/geerlingguy.docker/molecule/default/molecule.yml 
@@ -0,0 +1,17 @@ +--- +dependency: + name: galaxy +driver: + name: docker +platforms: + - name: instance + image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest" + command: ${MOLECULE_DOCKER_COMMAND:-""} + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + privileged: true + pre_build_image: true +provisioner: + name: ansible + playbooks: + converge: ${MOLECULE_PLAYBOOK:-converge.yml} diff --git a/roles/geerlingguy.docker/tasks/docker-compose.yml b/roles/geerlingguy.docker/tasks/docker-compose.yml new file mode 100644 index 00000000..92cf4f27 --- /dev/null +++ b/roles/geerlingguy.docker/tasks/docker-compose.yml @@ -0,0 +1,20 @@ +--- +- name: Check current docker-compose version. + command: docker-compose --version + register: docker_compose_current_version + changed_when: false + failed_when: false + +- name: Delete existing docker-compose version if it's different. + file: + path: "{{ docker_compose_path }}" + state: absent + when: > + docker_compose_current_version.stdout is defined + and docker_compose_version not in docker_compose_current_version.stdout + +- name: Install Docker Compose (if configured). + get_url: + url: https://github.com/docker/compose/releases/download/{{ docker_compose_version }}/docker-compose-Linux-x86_64 + dest: "{{ docker_compose_path }}" + mode: 0755 diff --git a/roles/geerlingguy.docker/tasks/docker-users.yml b/roles/geerlingguy.docker/tasks/docker-users.yml new file mode 100644 index 00000000..b3b6e0f1 --- /dev/null +++ b/roles/geerlingguy.docker/tasks/docker-users.yml @@ -0,0 +1,7 @@ +--- +- name: Ensure docker users are added to the docker group. + user: + name: "{{ item }}" + groups: docker + append: true + with_items: "{{ docker_users }}" diff --git a/roles/geerlingguy.docker/tasks/main.yml b/roles/geerlingguy.docker/tasks/main.yml new file mode 100644 index 00000000..56449ef7 --- /dev/null +++ b/roles/geerlingguy.docker/tasks/main.yml 
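Review bot: The `get_url` in docker-compose.yml fetches an executable from GitHub releases and installs it `0755` into `/usr/local/bin` with no `checksum:`, so the role trusts TLS alone and any replaced release asset becomes root-executed code on every managed host. Add a `docker_compose_checksum` default and pass it as `checksum: "{{ docker_compose_checksum | default(omit, true) }}"`, with the README telling users to pin it alongside `docker_compose_version`. The URL is also hard-coded to `docker-compose-Linux-x86_64`, so non-x86_64 hosts receive a binary that fails only at runtime with an exec-format error; either parameterise the suffix or fail early with `assert: { that: ansible_architecture == 'x86_64' }`. The preceding delete task only runs when `docker_compose_current_version.stdout is defined`, which relies on the command module omitting `stdout` when the binary is absent; a short comment stating that assumption would keep the next maintainer from "fixing" it.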
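Review bot: docker-users.yml adds every entry of `docker_users` to the `docker` group, which with the default daemon socket is equivalent to granting those accounts root on the host, and nothing in the task or the README says so. A comment above the task, `# NOTE: docker group membership is root-equivalent on hosts with the default socket; list trusted administrators only.`, and the same sentence in the README's `docker_users` section would make the privilege grant explicit. The task also does not check that each user already exists: `user:` with `name` and `groups` creates a missing account (default `state: present`), so a typo in `docker_users` silently creates a new root-equivalent user rather than failing; consider a preceding `getent: database=passwd` check or documenting that the role creates accounts it does not find.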
@@ -0,0 +1,27 @@ +--- +- include_tasks: setup-RedHat.yml + when: ansible_os_family == 'RedHat' + +- include_tasks: setup-Debian.yml + when: ansible_os_family == 'Debian' + +- name: Install Docker. + package: + name: "{{ docker_package }}" + state: "{{ docker_package_state }}" + notify: restart docker + +- name: Ensure Docker is started and enabled at boot. + service: + name: docker + state: "{{ docker_service_state }}" + enabled: "{{ docker_service_enabled }}" + +- name: Ensure handlers are notified now to avoid firewall conflicts. + meta: flush_handlers + +- include_tasks: docker-compose.yml + when: docker_install_compose | bool + +- include_tasks: docker-users.yml + when: docker_users | length > 0 diff --git a/roles/geerlingguy.docker/tasks/setup-Debian.yml b/roles/geerlingguy.docker/tasks/setup-Debian.yml new file mode 100644 index 00000000..d701135b --- /dev/null +++ b/roles/geerlingguy.docker/tasks/setup-Debian.yml @@ -0,0 +1,40 @@ +--- +- name: Ensure old versions of Docker are not installed. + package: + name: + - docker + - docker-engine + state: absent + +- name: Ensure dependencies are installed. + apt: + name: + - apt-transport-https + - ca-certificates + - gnupg2 + state: present + +- name: Add Docker apt key. + apt_key: + url: "{{ docker_apt_gpg_key }}" + id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88 + state: present + register: add_repository_key + ignore_errors: "{{ docker_apt_ignore_key_error }}" + +- name: Ensure curl is present (on older systems without SNI). + package: name=curl state=present + when: add_repository_key is failed + +- name: Add Docker apt key (alternative for older systems without SNI). + shell: > + curl -sSL {{ docker_apt_gpg_key }} | sudo apt-key add - + args: + warn: false + when: add_repository_key is failed + +- name: Add Docker repository. + apt_repository: + repo: "{{ docker_apt_repository }}" + state: present + update_cache: true 
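Review bot: The fallback in setup-Debian.yml, `curl -sSL {{ docker_apt_gpg_key }} | sudo apt-key add -`, imports whatever the URL returns with none of the fingerprint pinning the primary `apt_key` task has (`id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88`), so the path that runs precisely when key verification just failed is the one with no verification, and since `docker_apt_ignore_key_error` defaults to `true` it also runs on any transient fetch error. If the SNI-less legacy case must stay, verify after import with something like `apt-key adv --list-public-keys --with-fingerprint 2>/dev/null | grep -q 9DC858229FC7DD38854AE2D88D81803C0EBFCD88` and fail otherwise; otherwise the fallback is better removed. The `sudo` inside a task that already runs under `become: true` is redundant and breaks on minimal images without sudo, and the `shell` task has no `changed_when`, so it reports changed on every run. The enclosing `apt-key` mechanism is deprecated on current Debian/Ubuntu in favour of a keyring under `/etc/apt/keyrings` referenced by `signed-by=` in `docker_apt_repository`, which would also scope the key to this one repository instead of trusting it for all of apt.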
diff --git a/roles/geerlingguy.docker/tasks/setup-RedHat.yml b/roles/geerlingguy.docker/tasks/setup-RedHat.yml new file mode 100644 index 00000000..96072385 --- /dev/null +++ b/roles/geerlingguy.docker/tasks/setup-RedHat.yml @@ -0,0 +1,50 @@ +--- +- name: Ensure old versions of Docker are not installed. + package: + name: + - docker + - docker-common + - docker-engine + state: absent + +- name: Add Docker GPG key. + rpm_key: + key: "{{ docker_yum_gpg_key }}" + state: present + +- name: Add Docker repository. + get_url: + url: "{{ docker_yum_repo_url }}" + dest: '/etc/yum.repos.d/docker-{{ docker_edition }}.repo' + owner: root + group: root + mode: 0644 + +- name: Configure Docker Nightly repo. + ini_file: + dest: '/etc/yum.repos.d/docker-{{ docker_edition }}.repo' + section: 'docker-{{ docker_edition }}-nightly' + option: enabled + value: '{{ docker_yum_repo_enable_nightly }}' + mode: 0644 + +- name: Configure Docker Test repo. + ini_file: + dest: '/etc/yum.repos.d/docker-{{ docker_edition }}.repo' + section: 'docker-{{ docker_edition }}-test' + option: enabled + value: '{{ docker_yum_repo_enable_test }}' + mode: 0644 + +- name: Configure containerd on RHEL 8. + block: + - name: Ensure container-selinux is installed. + package: + name: container-selinux + state: present + + - name: Ensure containerd.io is installed. + package: + name: containerd.io + state: present + when: ansible_distribution_major_version | int == 8 diff --git a/roles/geerlingguy.dotfiles b/roles/geerlingguy.dotfiles deleted file mode 160000 index 27b50c17..00000000 --- a/roles/geerlingguy.dotfiles +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 27b50c17dc1f10e6b05c192dfa84a0785f6cc7d6 diff --git a/roles/geerlingguy.dotfiles/.ansible-lint b/roles/geerlingguy.dotfiles/.ansible-lint new file mode 100644 index 00000000..55572942 --- /dev/null +++ b/roles/geerlingguy.dotfiles/.ansible-lint @@ -0,0 +1,2 @@ +skip_list: + - '106' 
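Review bot: `rpm_key` in setup-RedHat.yml imports `docker_yum_gpg_key` from a URL with no fingerprint pin, unlike the Debian path which at least sets `id:` on `apt_key`, and the URL is user-overridable; adding `fingerprint:` with the value Docker publishes in its CentOS install guide pins the key independent of where it was fetched from. That option requires Ansible ≥ 2.9, which is above the `min_ansible_version: 2.4` declared in meta/main.yml, so either raise the minimum or note the limitation in a comment. The `get_url` that writes `/etc/yum.repos.d/docker-{{ docker_edition }}.repo` likewise has no `checksum:`; the repo file is low-value compared with the key, but a tampered `baseurl` would redirect package fetches, so the same `checksum` treatment is reasonable. The containerd block keyed on `ansible_distribution_major_version | int == 8` never runs on Fedora, which appears intended but would be clearer with `and ansible_distribution != 'Fedora'` or a comment.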
diff --git a/roles/geerlingguy.dotfiles/.github/FUNDING.yml b/roles/geerlingguy.dotfiles/.github/FUNDING.yml new file mode 100644 index 00000000..96b49383 --- /dev/null +++ b/roles/geerlingguy.dotfiles/.github/FUNDING.yml @@ -0,0 +1,4 @@ +# These are supported funding model platforms +--- +github: geerlingguy +patreon: geerlingguy diff --git a/roles/geerlingguy.dotfiles/.github/stale.yml b/roles/geerlingguy.dotfiles/.github/stale.yml new file mode 100644 index 00000000..c7ff1275 --- /dev/null +++ b/roles/geerlingguy.dotfiles/.github/stale.yml 
@@ -0,0 +1,56 @@ +# Configuration for probot-stale - https://github.com/probot/stale + +# Number of days of inactivity before an Issue or Pull Request becomes stale +daysUntilStale: 90 + +# Number of days of inactivity before an Issue or Pull Request with the stale label is closed. +# Set to false to disable. If disabled, issues still need to be closed manually, but will remain marked as stale. +daysUntilClose: 30 + +# Only issues or pull requests with all of these labels are check if stale. Defaults to `[]` (disabled) +onlyLabels: [] + +# Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable +exemptLabels: + - pinned + - security + - planned + +# Set to true to ignore issues in a project (defaults to false) +exemptProjects: false + +# Set to true to ignore issues in a milestone (defaults to false) +exemptMilestones: false + +# Set to true to ignore issues with an assignee (defaults to false) +exemptAssignees: false + +# Label to use when marking as stale +staleLabel: stale + +# Limit the number of actions per hour, from 1-30. Default is 30 +limitPerRun: 30 + +pulls: + markComment: |- + This pull request has been marked 'stale' due to lack of recent activity. If there is no further activity, the PR will be closed in another 30 days. Thank you for your contribution! + + Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark pull requests as stale. + + unmarkComment: >- + This pull request is no longer marked for closure. + + closeComment: >- + This pull request has been closed due to inactivity. If you feel this is in error, please reopen the pull request or file a new PR with the relevant details. + +issues: + markComment: |- + This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution! 
+ + Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale. + + unmarkComment: >- + This issue is no longer marked for closure. + + closeComment: >- + This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details. diff --git a/roles/geerlingguy.dotfiles/.github/workflows/ci.yml b/roles/geerlingguy.dotfiles/.github/workflows/ci.yml new file mode 100644 index 00000000..c3a919c7 --- /dev/null +++ b/roles/geerlingguy.dotfiles/.github/workflows/ci.yml @@ -0,0 +1,67 @@ +--- +name: CI +'on': + pull_request: + push: + branches: + - master + schedule: + - cron: "0 5 * * 1" + +defaults: + run: + working-directory: 'geerlingguy.dotfiles' + +jobs: + + lint: + name: Lint + runs-on: ubuntu-latest + steps: + - name: Check out the codebase. + uses: actions/checkout@v2 + with: + path: 'geerlingguy.dotfiles' + + - name: Set up Python 3. + uses: actions/setup-python@v2 + with: + python-version: '3.x' + + - name: Install test dependencies. + run: pip3 install yamllint ansible-lint + + - name: Lint code. + run: | + yamllint . + ansible-lint + + molecule: + name: Molecule + runs-on: ubuntu-latest + strategy: + matrix: + distro: + - centos7 + - ubuntu1804 + + steps: + - name: Check out the codebase. + uses: actions/checkout@v2 + with: + path: 'geerlingguy.dotfiles' + + - name: Set up Python 3. + uses: actions/setup-python@v2 + with: + python-version: '3.x' + + - name: Install test dependencies. + run: pip3 install ansible molecule[docker] docker + + - name: Run Molecule tests. + run: molecule test + env: + PY_COLORS: '1' + ANSIBLE_FORCE_COLOR: '1' + MOLECULE_DISTRO: ${{ matrix.distro }} diff --git a/roles/geerlingguy.dotfiles/.github/workflows/release.yml b/roles/geerlingguy.dotfiles/.github/workflows/release.yml new file mode 100644 index 00000000..474eedee --- /dev/null 
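Review bot: ci.yml for the dotfiles role has the same unpinned toolchain as the docker role's workflow: `actions/checkout@v2` and `actions/setup-python@v2` are mutable tags and `pip3 install yamllint ansible-lint` / `ansible molecule[docker] docker` float to latest. Pin the actions to commit SHAs and the pip packages to versions so an upstream release cannot change lint or test results without a visible diff here. A top-level `permissions: { contents: read }` would also restrict the default token for a workflow that runs on `pull_request`.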
+++ b/roles/geerlingguy.dotfiles/.github/workflows/release.yml @@ -0,0 +1,38 @@ +--- +# This workflow requires a GALAXY_API_KEY secret present in the GitHub +# repository or organization. +# +# See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy +# See: https://github.com/ansible/galaxy/issues/46 + +name: Release +'on': + push: + tags: + - '*' + +defaults: + run: + working-directory: 'geerlingguy.dotfiles' + +jobs: + + release: + name: Release + runs-on: ubuntu-latest + steps: + - name: Check out the codebase. + uses: actions/checkout@v2 + with: + path: 'geerlingguy.dotfiles' + + - name: Set up Python 3. + uses: actions/setup-python@v2 + with: + python-version: '3.x' + + - name: Install Ansible. + run: pip3 install ansible-base + + - name: Trigger a new import on Galaxy. + run: ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2) diff --git a/roles/geerlingguy.dotfiles/.gitignore b/roles/geerlingguy.dotfiles/.gitignore new file mode 100644 index 00000000..f56f5b57 --- /dev/null +++ b/roles/geerlingguy.dotfiles/.gitignore @@ -0,0 +1,3 @@ +*.retry +*/__pycache__ +*.pyc diff --git a/roles/geerlingguy.dotfiles/.yamllint b/roles/geerlingguy.dotfiles/.yamllint new file mode 100644 index 00000000..f2033dd2 --- /dev/null +++ b/roles/geerlingguy.dotfiles/.yamllint @@ -0,0 +1,11 @@ +--- +extends: default + +rules: + line-length: + max: 120 + level: warning + +ignore: | + .github/stale.yml + .travis.yml diff --git a/roles/geerlingguy.dotfiles/LICENSE b/roles/geerlingguy.dotfiles/LICENSE new file mode 100644 index 00000000..4275cf3c --- /dev/null +++ b/roles/geerlingguy.dotfiles/LICENSE 
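Review bot: As in the docker role's release workflow, the Galaxy import step here passes `${{ secrets.GALAXY_API_KEY }}` on the command line, exposing it to the runner's process table and shell tracing rather than only to the masked job log. Move it to `env: { GALAXY_API_KEY: ${{ secrets.GALAXY_API_KEY }} }` and use `--api-key "$GALAXY_API_KEY"`, and pass `github.repository` through `env` the same way so the `run:` line contains no inline expressions. The `tags: ['*']` trigger publishes on any pushed tag, which is worth stating in the header comment so tag-push permission is understood as release permission.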
@@ -0,0 +1,20 @@ +The MIT License (MIT) + +Copyright (c) 2017 Jeff Geerling + +Permission is hereby granted, free of charge, to any person obtaining a copy of +this software and associated documentation files (the "Software"), to deal in +the Software without restriction, including without limitation the rights to +use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +the Software, and to permit persons to whom the Software is furnished to do so, +subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/roles/geerlingguy.dotfiles/README.md b/roles/geerlingguy.dotfiles/README.md new file mode 100644 index 00000000..c7b2a548 --- /dev/null +++ b/roles/geerlingguy.dotfiles/README.md 
@@ -0,0 +1,56 @@ +# Ansible Role: Dotfiles + +[![CI](https://github.com/geerlingguy/ansible-role-dotfiles/workflows/CI/badge.svg?event=push)](https://github.com/geerlingguy/ansible-role-dotfiles/actions?query=workflow%3ACI) + +Installs a set of dotfiles from a given Git repository. By default, it will install my (geerlingguy's) [dotfiles](https://github.com/geerlingguy/dotfiles), but you can use any set of dotfiles you'd like, as long as they follow a conventional format. + +## Requirements + +Requires `git` on the managed machine (you can easily install it with `geerlingguy.git` if required). + +## Role Variables + +Available variables are listed below, along with default values (see `defaults/main.yml`): + + dotfiles_repo: "https://github.com/geerlingguy/dotfiles.git" + dotfiles_repo_version: master + +The git repository and branch/tag/commit hash to use for retrieving dotfiles. Dotfiles should generally be laid out within the root directory of the repository. + + dotfiles_repo_accept_hostkey: false + +Add the hostkey for the repo url if not already added. If ssh_opts contains "-o StrictHostKeyChecking=no", this parameter is ignored. + + dotfiles_repo_local_destination: "~/Documents/dotfiles" + +The local path where the `dotfiles_repo` will be cloned. + + dotfiles_home: "~" + +The home directory where dotfiles will be linked. Generally, the default should work, but in some circumstances, or when running the role as sudo on behalf of another user, you may want to specify the full path. + + dotfiles_files: + - .zshrc + - .gitignore + - .inputrc + - .vimrc + +Which files from the dotfiles repository should be linked to the `dotfiles_home`. + +## Dependencies + +None + +## Example Playbook + + - hosts: localhost + roles: + - { role: geerlingguy.dotfiles } + +## License + +MIT / BSD + +## Author Information + +This role was created in 2015 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/). 
diff --git a/roles/geerlingguy.dotfiles/defaults/main.yml b/roles/geerlingguy.dotfiles/defaults/main.yml
new file mode 100644
index 00000000..fa7d2ef6
--- /dev/null
+++ b/roles/geerlingguy.dotfiles/defaults/main.yml
@@ -0,0 +1,12 @@
+---
+dotfiles_repo: "https://github.com/geerlingguy/dotfiles.git"
+dotfiles_repo_version: master
+dotfiles_repo_accept_hostkey: false
+dotfiles_repo_local_destination: "~/Documents/dotfiles"
+
+dotfiles_home: "~"
+dotfiles_files:
+ - .zshrc
+ - .gitignore
+ - .inputrc
+ - .vimrc
diff --git a/roles/geerlingguy.dotfiles/meta/main.yml b/roles/geerlingguy.dotfiles/meta/main.yml
new file mode 100644
index 00000000..f08b72f5
--- /dev/null
+++ b/roles/geerlingguy.dotfiles/meta/main.yml
@@ -0,0 +1,28 @@
+---
+dependencies: []
+
+galaxy_info:
+ role_name: dotfiles
+ author: geerlingguy
+ description: Dotfile installation for UNIX/Linux.
+ company: "Midwestern Mac, LLC"
+ license: "license (BSD, MIT)"
+ min_ansible_version: 2.2
+ platforms:
+ - name: GenericUNIX
+ versions:
+ - all
+ - any
+ - name: GenericBSD
+ versions:
+ - all
+ - any
+ - name: GenericLinux
+ versions:
+ - all
+ - any
+ galaxy_tags:
+ - development
+ - system
+ - dotfiles
+ - configuration
diff --git a/roles/geerlingguy.dotfiles/molecule/default/converge.yml b/roles/geerlingguy.dotfiles/molecule/default/converge.yml
new file mode 100644
index 00000000..41f0ba45
--- /dev/null
+++ b/roles/geerlingguy.dotfiles/molecule/default/converge.yml
@@ -0,0 +1,13 @@
+---
+- name: Converge
+ hosts: all
+ become: true
+
+ pre_tasks:
+ - name: Update apt cache.
+ apt: update_cache=yes cache_valid_time=600
+ when: ansible_os_family == 'Debian'
+
+ roles:
+ - role: geerlingguy.git
+ - role: geerlingguy.dotfiles
diff --git a/roles/geerlingguy.dotfiles/molecule/default/molecule.yml b/roles/geerlingguy.dotfiles/molecule/default/molecule.yml
new file mode 100644
index 00000000..74907107
--- /dev/null
+++ b/roles/geerlingguy.dotfiles/molecule/default/molecule.yml
@@ -0,0 +1,17 @@
+---
+dependency:
+ name: galaxy
+driver:
+ name: docker
+platforms:
+ - name: instance
+ image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
+ command: ${MOLECULE_DOCKER_COMMAND:-""}
+ volumes:
+ - /sys/fs/cgroup:/sys/fs/cgroup:ro
+ privileged: true
+ pre_build_image: true
+provisioner:
+ name: ansible
+ playbooks:
+ converge: ${MOLECULE_PLAYBOOK:-converge.yml}
diff --git a/roles/geerlingguy.dotfiles/molecule/default/requirements.yml b/roles/geerlingguy.dotfiles/molecule/default/requirements.yml
new file mode 100644
index 00000000..6208520d
--- /dev/null
+++ b/roles/geerlingguy.dotfiles/molecule/default/requirements.yml
@@ -0,0 +1,2 @@
+---
+- src: geerlingguy.git
diff --git a/roles/geerlingguy.dotfiles/tasks/main.yml b/roles/geerlingguy.dotfiles/tasks/main.yml
new file mode 100644
index 00000000..35aa7916
--- /dev/null
+++ b/roles/geerlingguy.dotfiles/tasks/main.yml
@@ -0,0 +1,32 @@
+---
+- name: Ensure dotfiles repository is cloned locally.
+ git:
+ repo: "{{ dotfiles_repo }}"
+ dest: "{{ dotfiles_repo_local_destination }}"
+ version: "{{ dotfiles_repo_version }}"
+ accept_hostkey: "{{ dotfiles_repo_accept_hostkey }}"
+# become: false
+
+- name: Ensure all configured dotfiles are links.
+ command: "ls -F {{ dotfiles_home }}/{{ item }}"
+ register: existing_dotfile_info
+ failed_when: false
+ check_mode: false
+ changed_when: false
+ with_items: "{{ dotfiles_files }}"
+
+- name: Remove existing dotfiles file if a replacement is being linked.
+ file:
+ path: "{{ dotfiles_home }}/{{ dotfiles_files[item.0] }}"
+ state: absent
+ when: "'@' not in item.1.stdout"
+ with_indexed_items: "{{ existing_dotfile_info.results }}"
+
+- name: Link dotfiles into home folder.
+ file:
+ src: "{{ dotfiles_repo_local_destination }}/{{ item }}"
+ dest: "{{ dotfiles_home }}/{{ item }}"
+ state: link
+ mode: 0644
+# become: false
+ with_items: "{{ dotfiles_files }}"
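Review bot: The `Remove existing dotfiles file` task deletes whatever sits at `{{ dotfiles_home }}/{{ dotfiles_files[item.0] }}` as soon as the `ls -F` output has no `@`, so a user's real `.zshrc` or `.vimrc` is removed with no backup before the link is created, and the decision rests on parsing `ls` output rather than on file metadata. The `stat` module reports this directly: register `stat: path: "{{ dotfiles_home }}/{{ item }}"` over `dotfiles_files` and gate the removal with `when: item.stat.exists and not item.stat.islnk`, which also avoids misclassifying a name that happens to contain `@`. Since the role is now maintained in this tree rather than pulled in as a submodule, either rename the task so the destructive step is obvious or copy the file aside first (`copy` with `remote_src: true` to a `.bak` path) before `state: absent`.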
diff --git a/roles/geerlingguy.gitlab b/roles/geerlingguy.gitlab
deleted file mode 160000
index 191ac780..00000000
--- a/roles/geerlingguy.gitlab
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 191ac78010c4640587c74eb8b659985644bca00e
diff --git a/roles/geerlingguy.gitlab/.ansible-lint b/roles/geerlingguy.gitlab/.ansible-lint
new file mode 100644
index 00000000..df620a86
--- /dev/null
+++ b/roles/geerlingguy.gitlab/.ansible-lint
@@ -0,0 +1,3 @@
+skip_list:
+ - '106'
+ - '403'
diff --git a/roles/geerlingguy.gitlab/.github/FUNDING.yml b/roles/geerlingguy.gitlab/.github/FUNDING.yml
new file mode 100644
index 00000000..96b49383
--- /dev/null
+++ b/roles/geerlingguy.gitlab/.github/FUNDING.yml
@@ -0,0 +1,4 @@
+# These are supported funding model platforms
+---
+github: geerlingguy
+patreon: geerlingguy
diff --git a/roles/geerlingguy.gitlab/.github/stale.yml b/roles/geerlingguy.gitlab/.github/stale.yml
new file mode 100644
index 00000000..c7ff1275
--- /dev/null
+++ b/roles/geerlingguy.gitlab/.github/stale.yml
@@ -0,0 +1,56 @@ +# Configuration for probot-stale - https://github.com/probot/stale + +# Number of days of inactivity before an Issue or Pull Request becomes stale +daysUntilStale: 90 + +# Number of days of inactivity before an Issue or Pull Request with the stale label is closed. +# Set to false to disable. If disabled, issues still need to be closed manually, but will remain marked as stale. +daysUntilClose: 30 + +# Only issues or pull requests with all of these labels are check if stale. Defaults to `[]` (disabled) +onlyLabels: [] + +# Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable +exemptLabels: + - pinned + - security + - planned + +# Set to true to ignore issues in a project (defaults to false) +exemptProjects: false + +# Set to true to ignore issues in a milestone (defaults to false) +exemptMilestones: false + +# Set to true to ignore issues with an assignee (defaults to false) +exemptAssignees: false + +# Label to use when marking as stale +staleLabel: stale + +# Limit the number of actions per hour, from 1-30. Default is 30 +limitPerRun: 30 + +pulls: + markComment: |- + This pull request has been marked 'stale' due to lack of recent activity. If there is no further activity, the PR will be closed in another 30 days. Thank you for your contribution! + + Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark pull requests as stale. + + unmarkComment: >- + This pull request is no longer marked for closure. + + closeComment: >- + This pull request has been closed due to inactivity. If you feel this is in error, please reopen the pull request or file a new PR with the relevant details. + +issues: + markComment: |- + This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution! 
+ + Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale. + + unmarkComment: >- + This issue is no longer marked for closure. + + closeComment: >- + This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details. diff --git a/roles/geerlingguy.gitlab/.github/workflows/ci.yml b/roles/geerlingguy.gitlab/.github/workflows/ci.yml new file mode 100644 index 00000000..4cb86ce9 --- /dev/null +++ b/roles/geerlingguy.gitlab/.github/workflows/ci.yml 
@@ -0,0 +1,76 @@
+---
+name: CI
+'on':
+ pull_request:
+ push:
+ branches:
+ - master
+ schedule:
+ - cron: "0 7 * * 1"
+
+defaults:
+ run:
+ working-directory: 'geerlingguy.gitlab'
+
+jobs:
+
+ lint:
+ name: Lint
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out the codebase.
+ uses: actions/checkout@v2
+ with:
+ path: 'geerlingguy.gitlab'
+
+ - name: Set up Python 3.
+ uses: actions/setup-python@v2
+ with:
+ python-version: '3.x'
+
+ - name: Install test dependencies.
+ run: pip3 install yamllint ansible-lint
+
+ - name: Lint code.
+ run: |
+ yamllint .
+ ansible-lint
+
+ molecule:
+ name: Molecule
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ include:
+ - distro: centos7
+ playbook: converge.yml
+ - distro: ubuntu1804
+ playbook: converge.yml
+ - distro: debian9
+ playbook: converge.yml
+ - distro: centos7
+ playbook: version.yml
+ - distro: ubuntu1804
+ playbook: version.yml
+
+ steps:
+ - name: Check out the codebase.
+ uses: actions/checkout@v2
+ with:
+ path: 'geerlingguy.gitlab'
+
+ - name: Set up Python 3.
+ uses: actions/setup-python@v2
+ with:
+ python-version: '3.x'
+
+ - name: Install test dependencies.
+ run: pip3 install ansible molecule[docker] docker
+
+ - name: Run Molecule tests.
+ run: molecule test
+ env:
+ PY_COLORS: '1'
+ ANSIBLE_FORCE_COLOR: '1'
+ MOLECULE_DISTRO: ${{ matrix.distro }}
+ MOLECULE_PLAYBOOK: ${{ matrix.playbook }}
diff --git a/roles/geerlingguy.gitlab/.github/workflows/release.yml b/roles/geerlingguy.gitlab/.github/workflows/release.yml
new file mode 100644
index 00000000..b7821d07
--- /dev/null
+++ b/roles/geerlingguy.gitlab/.github/workflows/release.yml
@@ -0,0 +1,38 @@
+---
+# This workflow requires a GALAXY_API_KEY secret present in the GitHub
+# repository or organization.
+#
+# See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy
+# See: https://github.com/ansible/galaxy/issues/46
+
+name: Release
+'on':
+ push:
+ tags:
+ - '*'
+
+defaults:
+ run:
+ working-directory: 'geerlingguy.gitlab'
+
+jobs:
+
+ release:
+ name: Release
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out the codebase.
+ uses: actions/checkout@v2
+ with:
+ path: 'geerlingguy.gitlab'
+
+ - name: Set up Python 3.
+ uses: actions/setup-python@v2
+ with:
+ python-version: '3.x'
+
+ - name: Install Ansible.
+ run: pip3 install ansible-base
+
+ - name: Trigger a new import on Galaxy.
+ run: ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2)
diff --git a/roles/geerlingguy.gitlab/.gitignore b/roles/geerlingguy.gitlab/.gitignore
new file mode 100644
index 00000000..f56f5b57
--- /dev/null
+++ b/roles/geerlingguy.gitlab/.gitignore
@@ -0,0 +1,3 @@
+*.retry
+*/__pycache__
+*.pyc
diff --git a/roles/geerlingguy.gitlab/.yamllint b/roles/geerlingguy.gitlab/.yamllint
new file mode 100644
index 00000000..84ecaec7
--- /dev/null
+++ b/roles/geerlingguy.gitlab/.yamllint
@@ -0,0 +1,10 @@
+---
+extends: default
+
+rules:
+ line-length:
+ max: 180
+ level: warning
+
+ignore: |
+ .github/stale.yml
diff --git a/roles/geerlingguy.gitlab/LICENSE b/roles/geerlingguy.gitlab/LICENSE
new file mode 100644
index 00000000..4275cf3c
--- /dev/null
+++ b/roles/geerlingguy.gitlab/LICENSE
@@ -0,0 +1,20 @@ +The MIT License (MIT) + +Copyright (c) 2017 Jeff Geerling + +Permission is hereby granted, free of charge, to any person obtaining a copy of +this software and associated documentation files (the "Software"), to deal in +the Software without restriction, including without limitation the rights to +use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +the Software, and to permit persons to whom the Software is furnished to do so, +subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/roles/geerlingguy.gitlab/README.md b/roles/geerlingguy.gitlab/README.md new file mode 100644 index 00000000..a84aba72 --- /dev/null +++ b/roles/geerlingguy.gitlab/README.md 
@@ -0,0 +1,179 @@ +# Ansible Role: GitLab + +[![CI](https://github.com/geerlingguy/ansible-role-gitlab/workflows/CI/badge.svg?event=push)](https://github.com/geerlingguy/ansible-role-gitlab/actions?query=workflow%3ACI) + +Installs GitLab, a Ruby-based front-end to Git, on any RedHat/CentOS or Debian/Ubuntu linux system. + +GitLab's default administrator account details are below; be sure to login immediately after installation and change these credentials! + + root + 5iveL!fe + +## Requirements + +None. + +## Role Variables + +Available variables are listed below, along with default values (see `defaults/main.yml`): + + gitlab_domain: gitlab + gitlab_external_url: "https://{{ gitlab_domain }}/" + +The domain and URL at which the GitLab instance will be accessible. This is set as the `external_url` configuration setting in `gitlab.rb`, and if you want to run GitLab on a different port (besides 80/443), you can specify the port here (e.g. `https://gitlab:8443/` for port 8443). + + gitlab_git_data_dir: "/var/opt/gitlab/git-data" + +The `gitlab_git_data_dir` is the location where all the Git repositories will be stored. You can use a shared drive or any path on the system. + + gitlab_backup_path: "/var/opt/gitlab/backups" + +The `gitlab_backup_path` is the location where Gitlab backups will be stored. + + gitlab_edition: "gitlab-ce" + +The edition of GitLab to install. Usually either `gitlab-ce` (Community Edition) or `gitlab-ee` (Enterprise Edition). + + gitlab_version: '' + +If you'd like to install a specific version, set the version here (e.g. `11.4.0-ce.0` for Debian/Ubuntu, or `11.4.0-ce.0.el7` for RedHat/CentOS). + + gitlab_config_template: "gitlab.rb.j2" + +The `gitlab.rb.j2` template packaged with this role is meant to be very generic and serve a variety of use cases. However, many people would like to have a much more customized version, and so you can override this role's default template with your own, adding any additional customizations you need. 
To do this: + + - Create a `templates` directory at the same level as your playbook. + - Create a `templates\mygitlab.rb.j2` file (just choose a different name from the default template). + - Set the variable like: `gitlab_config_template: mygitlab.rb.j2` (with the name of your custom template). + +### SSL Configuration. + + gitlab_redirect_http_to_https: "true" + gitlab_ssl_certificate: "/etc/gitlab/ssl/{{ gitlab_domain }}.crt" + gitlab_ssl_certificate_key: "/etc/gitlab/ssl/{{ gitlab_domain }}.key" + +GitLab SSL configuration; tells GitLab to redirect normal http requests to https, and the path to the certificate and key (the default values will work for automatic self-signed certificate creation, if set to `true` in the variable below). + + # SSL Self-signed Certificate Configuration. + gitlab_create_self_signed_cert: "true" + gitlab_self_signed_cert_subj: "/C=US/ST=Missouri/L=Saint Louis/O=IT/CN={{ gitlab_domain }}" + +Whether to create a self-signed certificate for serving GitLab over a secure connection. Set `gitlab_self_signed_cert_subj` according to your locality and organization. + + # LDAP Configuration. + gitlab_ldap_enabled: "false" + gitlab_ldap_host: "example.com" + gitlab_ldap_port: "389" + gitlab_ldap_uid: "sAMAccountName" + gitlab_ldap_method: "plain" + gitlab_ldap_bind_dn: "CN=Username,CN=Users,DC=example,DC=com" + gitlab_ldap_password: "password" + gitlab_ldap_base: "DC=example,DC=com" + +GitLab LDAP configuration; if `gitlab_ldap_enabled` is `true`, the rest of the configuration will tell GitLab how to connect to an LDAP server for centralized authentication. + + gitlab_dependencies: + - openssh-server + - postfix + - curl + - openssl + - tzdata + +Dependencies required by GitLab for certain functionality, like timezone support or email. You may change this list in your own playbook if, for example, you would like to install `exim` instead of `postfix`. + + gitlab_time_zone: "UTC" + +Gitlab timezone. 
+ + gitlab_backup_keep_time: "604800" + +How long to keep local backups (useful if you don't want backups to fill up your drive!). + + gitlab_download_validate_certs: true + +Controls whether to validate certificates when downloading the GitLab installation repository install script. + + # Email configuration. + gitlab_email_enabled: "false" + gitlab_email_from: "gitlab@example.com" + gitlab_email_display_name: "Gitlab" + gitlab_email_reply_to: "gitlab@example.com" + +Gitlab system mail configuration. Disabled by default; set `gitlab_email_enabled` to `true` to enable, and make sure you enter valid from/reply-to values. + + # SMTP Configuration + gitlab_smtp_enable: "false" + gitlab_smtp_address: "smtp.server" + gitlab_smtp_port: "465" + gitlab_smtp_user_name: "smtp user" + gitlab_smtp_password: "smtp password" + gitlab_smtp_domain: "example.com" + gitlab_smtp_authentication: "login" + gitlab_smtp_enable_starttls_auto: "true" + gitlab_smtp_tls: "false" + gitlab_smtp_openssl_verify_mode: "none" + gitlab_smtp_ca_path: "/etc/ssl/certs" + gitlab_smtp_ca_file: "/etc/ssl/certs/ca-certificates.crt" + +Gitlab SMTP configuration; of `gitlab_smtp_enable` is `true`, the rest of the configuration will tell GitLab how to send mails using an smtp server. + + gitlab_nginx_listen_port: 8080 + +If you are running GitLab behind a reverse proxy, you may want to override the listen port to something else. + + gitlab_nginx_listen_https: "false" + +If you are running GitLab behind a reverse proxy, you may wish to terminate SSL at another proxy server or load balancer + + gitlab_nginx_ssl_verify_client: "" + gitlab_nginx_ssl_client_certificate: "" + +If you want to enable [2-way SSL Client Authentication](https://docs.gitlab.com/omnibus/settings/nginx.html#enable-2-way-ssl-client-authentication), set `gitlab_nginx_ssl_verify_client` and add a path to the client certificate in `gitlab_nginx_ssl_client_certificate`. 
+ + gitlab_default_theme: 2 + +GitLab includes a number of themes, and you can set the default for all users with this variable. See [the included GitLab themes to choose a default](https://github.com/gitlabhq/gitlabhq/blob/master/config/gitlab.yml.example#L79-L85). + + gitlab_extra_settings: + - gitlab_rails: + - key: "trusted_proxies" + value: "['foo', 'bar']" + - key: "env" + type: "plain" + value: | + { + "http_proxy" => "https://my_http_proxy.company.com:3128", + "https_proxy" => "https://my_http_proxy.company.com:3128", + "no_proxy" => "localhost, 127.0.0.1, company.com" + } + - unicorn: + - key: "worker_processes" + value: 5 + - key: "pidfile" + value: "/opt/gitlab/var/unicorn/unicorn.pid" + +Gitlab have many other settings ([see official documentation](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-config-template/gitlab.rb.template)), and you can add them with this special variable `gitlab_extra_settings` with the concerned setting and the `key` and `value` keywords. + +## Dependencies + +None. + +## Example Playbook + + - hosts: servers + vars_files: + - vars/main.yml + roles: + - { role: geerlingguy.gitlab } + +*Inside `vars/main.yml`*: + + gitlab_external_url: "https://gitlab.example.com/" + +## License + +MIT / BSD + +## Author Information + +This role was created in 2014 by [Jeff Geerling](http://jeffgeerling.com/), author of [Ansible for DevOps](http://ansiblefordevops.com/). diff --git a/roles/geerlingguy.gitlab/defaults/main.yml b/roles/geerlingguy.gitlab/defaults/main.yml new file mode 100644 index 00000000..04991861 --- /dev/null +++ b/roles/geerlingguy.gitlab/defaults/main.yml 
@@ -0,0 +1,75 @@
+---
+# General config.
+gitlab_domain: gitlab
+gitlab_external_url: "https://{{ gitlab_domain }}/"
+gitlab_git_data_dir: "/var/opt/gitlab/git-data"
+gitlab_edition: "gitlab-ce"
+gitlab_version: ''
+gitlab_backup_path: "/var/opt/gitlab/backups"
+gitlab_config_template: "gitlab.rb.j2"
+
+# SSL Configuration.
+gitlab_redirect_http_to_https: "true"
+gitlab_ssl_certificate: "/etc/gitlab/ssl/{{ gitlab_domain }}.crt"
+gitlab_ssl_certificate_key: "/etc/gitlab/ssl/{{ gitlab_domain }}.key"
+
+# SSL Self-signed Certificate Configuration.
+gitlab_create_self_signed_cert: "true"
+gitlab_self_signed_cert_subj: "/C=US/ST=Missouri/L=Saint Louis/O=IT/CN={{ gitlab_domain }}"
+
+# LDAP Configuration.
+gitlab_ldap_enabled: "false"
+gitlab_ldap_host: "example.com"
+gitlab_ldap_port: "389"
+gitlab_ldap_uid: "sAMAccountName"
+gitlab_ldap_method: "plain"
+gitlab_ldap_bind_dn: "CN=Username,CN=Users,DC=example,DC=com"
+gitlab_ldap_password: "password"
+gitlab_ldap_base: "DC=example,DC=com"
+
+# SMTP Configuration
+gitlab_smtp_enable: "false"
+gitlab_smtp_address: "smtp.server"
+gitlab_smtp_port: "465"
+gitlab_smtp_user_name: "smtp user"
+gitlab_smtp_password: "smtp password"
+gitlab_smtp_domain: "example.com"
+gitlab_smtp_authentication: "login"
+gitlab_smtp_enable_starttls_auto: "true"
+gitlab_smtp_tls: "false"
+gitlab_smtp_openssl_verify_mode: "none"
+gitlab_smtp_ca_path: "/etc/ssl/certs"
+gitlab_smtp_ca_file: "/etc/ssl/certs/ca-certificates.crt"
+
+# 2-way SSL Client Authentication support.
+gitlab_nginx_ssl_verify_client: ""
+gitlab_nginx_ssl_client_certificate: ""
+
+# Probably best to leave this as the default, unless doing testing.
+gitlab_restart_handler_failed_when: 'gitlab_restart.rc != 0'
+
+# Dependencies.
+gitlab_dependencies:
+ - openssh-server
+ - postfix
+ - curl
+ - openssl
+ - tzdata
+
+# Optional settings.
+gitlab_time_zone: "UTC"
+gitlab_backup_keep_time: "604800"
+gitlab_download_validate_certs: true
+gitlab_default_theme: '2'
+
+# Email configuration.
+gitlab_email_enabled: "false"
+gitlab_email_from: "gitlab@example.com"
+gitlab_email_display_name: "Gitlab"
+gitlab_email_reply_to: "gitlab@example.com"
+
+# Registry configuration.
+gitlab_registry_enable: "false"
+gitlab_registry_external_url: "https://gitlab.example.com:4567"
+gitlab_registry_nginx_ssl_certificate: "/etc/gitlab/ssl/gitlab.crt"
+gitlab_registry_nginx_ssl_certificate_key: "/etc/gitlab/ssl/gitlab.key"
diff --git a/roles/geerlingguy.gitlab/handlers/main.yml b/roles/geerlingguy.gitlab/handlers/main.yml
new file mode 100644
index 00000000..2470b5f9
--- /dev/null
+++ b/roles/geerlingguy.gitlab/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart gitlab
+ command: gitlab-ctl reconfigure
+ register: gitlab_restart
+ failed_when: gitlab_restart_handler_failed_when | bool
diff --git a/roles/geerlingguy.gitlab/meta/main.yml b/roles/geerlingguy.gitlab/meta/main.yml
new file mode 100644
index 00000000..75a0d7df
--- /dev/null
+++ b/roles/geerlingguy.gitlab/meta/main.yml
@@ -0,0 +1,29 @@
+---
+dependencies: []
+
+galaxy_info:
+ role_name: gitlab
+ author: geerlingguy
+ description: GitLab Git web interface
+ company: "Midwestern Mac, LLC"
+ license: "license (BSD, MIT)"
+ min_ansible_version: 2.0
+ platforms:
+ - name: EL
+ versions:
+ - 7
+ - 8
+ - name: Debian
+ versions:
+ - all
+ - name: Ubuntu
+ versions:
+ - all
+ galaxy_tags:
+ - development
+ - web
+ - gitlab
+ - git
+ - repository
+ - ci
+ - integration
diff --git a/roles/geerlingguy.gitlab/molecule/default/converge.yml b/roles/geerlingguy.gitlab/molecule/default/converge.yml
new file mode 100644
index 00000000..8bbf8022
--- /dev/null
+++ b/roles/geerlingguy.gitlab/molecule/default/converge.yml
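Review bot: Several defaults in this file are placeholders or security-weakening values that a playbook must override, and nothing in the file says so: `gitlab_ldap_password: "password"`, `gitlab_smtp_password: "smtp password"`, `gitlab_ldap_method: "plain"` and `gitlab_smtp_openssl_verify_mode: "none"` (the last two leave the directory bind and the mail relay without transport protection). Now that the role is kept in-tree, a comment above the LDAP and SMTP blocks such as `# Placeholder credentials and unverified transport: set real values in a vaulted vars file, and prefer ldap_method "tls"/"ssl" and smtp_openssl_verify_mode "peer" where the endpoints support it.` makes the expectation explicit. Note also that the toggles are quoted strings (`"true"`/`"false"`) and the template in this commit compares them with `== "true"`, so a playbook that sets `gitlab_ldap_enabled: true` as a YAML boolean would not enter the LDAP block; either document that or normalise with `| bool` in the template. This hunk starts on the previous line.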
@@ -0,0 +1,21 @@
+---
+- name: Converge
+ hosts: all
+ become: true
+
+ vars:
+ gitlab_restart_handler_failed_when: false
+
+ pre_tasks:
+ - name: Update apt cache.
+ apt: update_cache=true cache_valid_time=600
+ when: ansible_os_family == 'Debian'
+ changed_when: false
+
+ - name: Remove the .dockerenv file so GitLab Omnibus doesn't get confused.
+ file:
+ path: /.dockerenv
+ state: absent
+
+ roles:
+ - role: geerlingguy.gitlab
diff --git a/roles/geerlingguy.gitlab/molecule/default/molecule.yml b/roles/geerlingguy.gitlab/molecule/default/molecule.yml
new file mode 100644
index 00000000..74907107
--- /dev/null
+++ b/roles/geerlingguy.gitlab/molecule/default/molecule.yml
@@ -0,0 +1,17 @@
+---
+dependency:
+ name: galaxy
+driver:
+ name: docker
+platforms:
+ - name: instance
+ image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
+ command: ${MOLECULE_DOCKER_COMMAND:-""}
+ volumes:
+ - /sys/fs/cgroup:/sys/fs/cgroup:ro
+ privileged: true
+ pre_build_image: true
+provisioner:
+ name: ansible
+ playbooks:
+ converge: ${MOLECULE_PLAYBOOK:-converge.yml}
diff --git a/roles/geerlingguy.gitlab/molecule/default/version.yml b/roles/geerlingguy.gitlab/molecule/default/version.yml
new file mode 100644
index 00000000..f7060c96
--- /dev/null
+++ b/roles/geerlingguy.gitlab/molecule/default/version.yml
@@ -0,0 +1,31 @@
+---
+- name: Converge
+ hosts: all
+ become: true
+
+ vars:
+ gitlab_restart_handler_failed_when: false
+
+ pre_tasks:
+ - name: Update apt cache.
+ apt: update_cache=true cache_valid_time=600
+ when: ansible_os_family == 'Debian'
+ changed_when: false
+
+ - name: Remove the .dockerenv file so GitLab Omnibus doesn't get confused.
+ file:
+ path: /.dockerenv
+ state: absent
+
+ - name: Set the test GitLab version number for Debian.
+ set_fact:
+ gitlab_version: '11.4.0-ce.0'
+ when: ansible_os_family == 'Debian'
+
+ - name: Set the test GitLab version number for RedHat.
+ set_fact:
+ gitlab_version: '11.4.0-ce.0.el7'
+ when: ansible_os_family == 'RedHat'
+
+ roles:
+ - role: geerlingguy.gitlab
diff --git a/roles/geerlingguy.gitlab/tasks/main.yml b/roles/geerlingguy.gitlab/tasks/main.yml
new file mode 100644
index 00000000..b978c93e
--- /dev/null
+++ b/roles/geerlingguy.gitlab/tasks/main.yml
@@ -0,0 +1,81 @@
+---
+- name: Include OS-specific variables.
+ include_vars: "{{ ansible_os_family }}.yml"
+
+- name: Check if GitLab configuration file already exists.
+ stat: path=/etc/gitlab/gitlab.rb
+ register: gitlab_config_file
+
+- name: Check if GitLab is already installed.
+ stat: path=/usr/bin/gitlab-ctl
+ register: gitlab_file
+
+# Install GitLab and its dependencies.
+- name: Install GitLab dependencies.
+ package:
+ name: "{{ gitlab_dependencies }}"
+ state: present
+
+- name: Install GitLab dependencies (Debian).
+ apt:
+ name: gnupg2
+ state: present
+ when: ansible_os_family == 'Debian'
+
+- name: Download GitLab repository installation script.
+ get_url:
+ url: "{{ gitlab_repository_installation_script_url }}"
+ dest: /tmp/gitlab_install_repository.sh
+ validate_certs: "{{ gitlab_download_validate_certs }}"
+ when: not gitlab_file.stat.exists
+
+- name: Install GitLab repository.
+ command: bash /tmp/gitlab_install_repository.sh
+ register: output
+ when: not gitlab_file.stat.exists
+
+- name: Define the Gitlab package name.
+ set_fact:
+ gitlab_package_name: "{{ gitlab_edition }}{{ gitlab_package_version_separator }}{{ gitlab_version }}"
+ when: gitlab_version | default(false)
+
+- name: Install GitLab
+ package:
+ name: "{{ gitlab_package_name | default(gitlab_edition) }}"
+ state: present
+ async: 300
+ poll: 5
+ when: not gitlab_file.stat.exists
+
+# Start and configure GitLab. Sometimes the first run fails, but after that,
+# restarts fix problems, so ignore failures on this run.
+- name: Reconfigure GitLab (first run).
+ command: >
+ gitlab-ctl reconfigure
+ creates=/var/opt/gitlab/bootstrapped
+ failed_when: false
+
+- name: Create GitLab SSL configuration folder.
+ file:
+ path: /etc/gitlab/ssl
+ state: directory
+ owner: root
+ group: root
+ mode: 0700
+ when: gitlab_create_self_signed_cert
+
+- name: Create self-signed certificate.
+ command: >
+ openssl req -new -nodes -x509 -subj "{{ gitlab_self_signed_cert_subj }}"
+ -days 3650 -keyout {{ gitlab_ssl_certificate_key }} -out {{ gitlab_ssl_certificate }} -extensions v3_ca
+ creates={{ gitlab_ssl_certificate }}
+ when: gitlab_create_self_signed_cert
+
+- name: Copy GitLab configuration file.
+ template:
+ src: "{{ gitlab_config_template }}"
+ dest: /etc/gitlab/gitlab.rb
+ owner: root
+ group: root
+ mode: 0600
+ notify: restart gitlab
diff --git a/roles/geerlingguy.gitlab/templates/gitlab.rb.j2 b/roles/geerlingguy.gitlab/templates/gitlab.rb.j2
new file mode 100644
index 00000000..5cc79e26
--- /dev/null
+++ b/roles/geerlingguy.gitlab/templates/gitlab.rb.j2
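Review bot: The `Download GitLab repository installation script` / `Install GitLab repository` pair fetches `{{ gitlab_repository_installation_script_url }}` to the fixed, world-writable path `/tmp/gitlab_install_repository.sh` and then runs it with `bash` as root, with TLS validation as the only integrity check (and `gitlab_download_validate_certs` can switch even that off). Adding `get_url`'s `checksum:` parameter (e.g. `checksum: "sha256:<EXPECTED_SHA256_PLACEHOLDER>"`) and writing the script under a root-only directory such as `/root` or a path from the `tempfile` module closes both the integrity gap and the predictable-path window; the unused `register: output` can go at the same time. Separately, `when: gitlab_create_self_signed_cert` (used twice) tests a quoted string whose default is `"true"`, and newer Ansible may treat a non-empty `"false"` as truthy, so `when: gitlab_create_self_signed_cert | bool` is the safer form. The private key that `openssl` writes into `/etc/gitlab/ssl` receives whatever mode the umask yields, so a follow-up `file:` task setting `mode: 0600` on `{{ gitlab_ssl_certificate_key }}` is worth adding. This hunk starts on the previous line.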
@@ -0,0 +1,108 @@ +# The URL through which GitLab will be accessed. +external_url "{{ gitlab_external_url }}" + +# gitlab.yml configuration +gitlab_rails['time_zone'] = "{{ gitlab_time_zone }}" +gitlab_rails['backup_keep_time'] = {{ gitlab_backup_keep_time }} +gitlab_rails['gitlab_email_enabled'] = {{ gitlab_email_enabled }} +{% if gitlab_email_enabled == "true" %} +gitlab_rails['gitlab_email_from'] = "{{ gitlab_email_from }}" +gitlab_rails['gitlab_email_display_name'] = "{{ gitlab_email_display_name }}" +gitlab_rails['gitlab_email_reply_to'] = "{{ gitlab_email_reply_to }}" +{% endif %} + +# Default Theme +gitlab_rails['gitlab_default_theme'] = "{{ gitlab_default_theme }}" + +# Whether to redirect http to https. +nginx['redirect_http_to_https'] = {{ gitlab_redirect_http_to_https }} +nginx['ssl_certificate'] = "{{ gitlab_ssl_certificate }}" +nginx['ssl_certificate_key'] = "{{ gitlab_ssl_certificate_key }}" + +# The directory where Git repositories will be stored. +git_data_dirs({"default" => {"path" => "{{ gitlab_git_data_dir }}"} }) + +# The directory where Gitlab backups will be stored +gitlab_rails['backup_path'] = "{{ gitlab_backup_path }}" + +# These settings are documented in more detail at +# https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config/gitlab.yml.example#L118 +gitlab_rails['ldap_enabled'] = {{ gitlab_ldap_enabled }} +{% if gitlab_ldap_enabled == "true" %} +gitlab_rails['ldap_host'] = '{{ gitlab_ldap_host }}' +gitlab_rails['ldap_port'] = {{ gitlab_ldap_port }} +gitlab_rails['ldap_uid'] = '{{ gitlab_ldap_uid }}' +gitlab_rails['ldap_method'] = '{{ gitlab_ldap_method}}' # 'ssl' or 'plain' +gitlab_rails['ldap_bind_dn'] = '{{ gitlab_ldap_bind_dn }}' +gitlab_rails['ldap_password'] = '{{ gitlab_ldap_password }}' +gitlab_rails['ldap_allow_username_or_email_login'] = true +gitlab_rails['ldap_base'] = '{{ gitlab_ldap_base }}' +{% endif %} + +# GitLab Nginx +## See https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md +{% if 
gitlab_nginx_listen_port is defined %} +nginx['listen_port'] = "{{ gitlab_nginx_listen_port }}" +{% endif %} +{% if gitlab_nginx_listen_https is defined %} +nginx['listen_https'] = {{ gitlab_nginx_listen_https }} +{% endif %} + +# Use smtp instead of sendmail/postfix +# More details and example configuration at +# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/smtp.md +gitlab_rails['smtp_enable'] = {{ gitlab_smtp_enable }} +{% if gitlab_smtp_enable == "true" %} +gitlab_rails['smtp_address'] = '{{ gitlab_smtp_address }}' +gitlab_rails['smtp_port'] = {{ gitlab_smtp_port }} +{% if gitlab_smtp_user_name %} +gitlab_rails['smtp_user_name'] = '{{ gitlab_smtp_user_name }}' +{% endif %} +{% if gitlab_smtp_password %} +gitlab_rails['smtp_password'] = '{{ gitlab_smtp_password }}' +{% endif %} +gitlab_rails['smtp_domain'] = '{{ gitlab_smtp_domain }}' +{% if gitlab_smtp_authentication %} +gitlab_rails['smtp_authentication'] = '{{ gitlab_smtp_authentication }}' +{% endif %} +gitlab_rails['smtp_enable_starttls_auto'] = {{ gitlab_smtp_enable_starttls_auto }} +gitlab_rails['smtp_tls'] = {{ gitlab_smtp_tls }} +gitlab_rails['smtp_openssl_verify_mode'] = '{{ gitlab_smtp_openssl_verify_mode }}' +gitlab_rails['smtp_ca_path'] = '{{ gitlab_smtp_ca_path }}' +gitlab_rails['smtp_ca_file'] = '{{ gitlab_smtp_ca_file }}' +{% endif %} + +# 2-way SSL Client Authentication. +{% if gitlab_nginx_ssl_verify_client %} +nginx['ssl_verify_client'] = "{{ gitlab_nginx_ssl_verify_client }}" +{% endif %} +{% if gitlab_nginx_ssl_client_certificate %} +nginx['ssl_client_certificate'] = "{{ gitlab_nginx_ssl_client_certificate }}" +{% endif %} + +# GitLab registry. 
+registry['enable'] = {{ gitlab_registry_enable }} +{% if gitlab_registry_enable == "true" %} +registry_external_url "{{ gitlab_registry_external_url }}" +registry_nginx['ssl_certificate'] = "{{ gitlab_registry_nginx_ssl_certificate }}" +registry_nginx['ssl_certificate_key'] = "{{ gitlab_registry_nginx_ssl_certificate_key }}" +{% endif %} + +{% if gitlab_extra_settings is defined %} +# Extra configuration +{% for extra in gitlab_extra_settings %} +{% for setting in extra %} +{% for kv in extra[setting] %} +{% if (kv.type is defined and kv.type == 'plain') or (kv.value is not string) %} +{{ setting }}['{{ kv.key }}'] = {{ kv.value }} +{% else %} +{{ setting }}['{{ kv.key }}'] = '{{ kv.value }}' +{% endif %} +{% endfor %} +{% endfor %} + +{% endfor %} +{% endif %} + +# To change other settings, see: +# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md#changing-gitlab-yml-settings diff --git a/roles/geerlingguy.gitlab/vars/Debian.yml b/roles/geerlingguy.gitlab/vars/Debian.yml new file mode 100644 index 00000000..5da87748 --- /dev/null +++ b/roles/geerlingguy.gitlab/vars/Debian.yml @@ -0,0 +1,3 @@ +--- +gitlab_package_version_separator: '=' +gitlab_repository_installation_script_url: "https://packages.gitlab.com/install/repositories/gitlab/{{ gitlab_edition }}/script.deb.sh" diff --git a/roles/geerlingguy.gitlab/vars/RedHat.yml b/roles/geerlingguy.gitlab/vars/RedHat.yml new file mode 100644 index 00000000..e4c0e94d --- /dev/null +++ b/roles/geerlingguy.gitlab/vars/RedHat.yml @@ -0,0 +1,3 @@ +--- +gitlab_package_version_separator: '-' +gitlab_repository_installation_script_url: "https://packages.gitlab.com/install/repositories/gitlab/{{ gitlab_edition }}/script.rpm.sh" diff --git a/roles/geerlingguy.pip b/roles/geerlingguy.pip deleted file mode 160000 index fd6d58a5..00000000 --- a/roles/geerlingguy.pip +++ /dev/null @@ -1 +0,0 @@ -Subproject commit fd6d58a5719a836e89ef64cf22176e37ca312e9c 
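Review bot: `gitlab_ldap_password` and `gitlab_smtp_password` are interpolated verbatim into single-quoted Ruby strings (`gitlab_rails['ldap_password'] = '{{ gitlab_ldap_password }}'`), so a secret containing `'` or ending in `\` produces a syntax error in gitlab.rb — reconfigure fails while the broken file stays on disk — and a crafted value can close the string and append Ruby that runs as root during reconfigure. Escape the two characters Ruby honours inside single quotes: `'{{ gitlab_ldap_password | replace("\\", "\\\\") | replace("'", "\\'") }}'`, and the same for the smtp password. The `gitlab_email_enabled == "true"`, `gitlab_ldap_enabled == "true"` and `gitlab_smtp_enable == "true"` guards compare against the string `"true"`, so a boolean `true` in a vars file renders the `*_enabled` line but silently skips the dependent settings; the defaults file is not in this chunk, so confirm which type the role expects and either use `| bool` or document the string form.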
diff --git a/roles/geerlingguy.pip/.ansible-lint b/roles/geerlingguy.pip/.ansible-lint new file mode 100644 index 00000000..55572942 --- /dev/null +++ b/roles/geerlingguy.pip/.ansible-lint @@ -0,0 +1,2 @@ +skip_list: + - '106' diff --git a/roles/geerlingguy.pip/.github/FUNDING.yml b/roles/geerlingguy.pip/.github/FUNDING.yml new file mode 100644 index 00000000..96b49383 --- /dev/null +++ b/roles/geerlingguy.pip/.github/FUNDING.yml @@ -0,0 +1,4 @@ +# These are supported funding model platforms +--- +github: geerlingguy +patreon: geerlingguy diff --git a/roles/geerlingguy.pip/.github/stale.yml b/roles/geerlingguy.pip/.github/stale.yml new file mode 100644 index 00000000..c7ff1275 --- /dev/null +++ b/roles/geerlingguy.pip/.github/stale.yml 
@@ -0,0 +1,56 @@ +# Configuration for probot-stale - https://github.com/probot/stale + +# Number of days of inactivity before an Issue or Pull Request becomes stale +daysUntilStale: 90 + +# Number of days of inactivity before an Issue or Pull Request with the stale label is closed. +# Set to false to disable. If disabled, issues still need to be closed manually, but will remain marked as stale. +daysUntilClose: 30 + +# Only issues or pull requests with all of these labels are check if stale. Defaults to `[]` (disabled) +onlyLabels: [] + +# Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable +exemptLabels: + - pinned + - security + - planned + +# Set to true to ignore issues in a project (defaults to false) +exemptProjects: false + +# Set to true to ignore issues in a milestone (defaults to false) +exemptMilestones: false + +# Set to true to ignore issues with an assignee (defaults to false) +exemptAssignees: false + +# Label to use when marking as stale +staleLabel: stale + +# Limit the number of actions per hour, from 1-30. Default is 30 +limitPerRun: 30 + +pulls: + markComment: |- + This pull request has been marked 'stale' due to lack of recent activity. If there is no further activity, the PR will be closed in another 30 days. Thank you for your contribution! + + Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark pull requests as stale. + + unmarkComment: >- + This pull request is no longer marked for closure. + + closeComment: >- + This pull request has been closed due to inactivity. If you feel this is in error, please reopen the pull request or file a new PR with the relevant details. + +issues: + markComment: |- + This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution! 
+ + Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale. + + unmarkComment: >- + This issue is no longer marked for closure. + + closeComment: >- + This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details. diff --git a/roles/geerlingguy.pip/.github/workflows/ci.yml b/roles/geerlingguy.pip/.github/workflows/ci.yml new file mode 100644 index 00000000..a143723c --- /dev/null +++ b/roles/geerlingguy.pip/.github/workflows/ci.yml @@ -0,0 +1,71 @@ +--- +name: CI +'on': + pull_request: + push: + branches: + - master + schedule: + - cron: "0 4 * * 5" + +defaults: + run: + working-directory: 'geerlingguy.pip' + +jobs: + + lint: + name: Lint + runs-on: ubuntu-latest + steps: + - name: Check out the codebase. + uses: actions/checkout@v2 + with: + path: 'geerlingguy.pip' + + - name: Set up Python 3. + uses: actions/setup-python@v2 + with: + python-version: '3.x' + + - name: Install test dependencies. + run: pip3 install yamllint ansible-lint + + - name: Lint code. + run: | + yamllint . + ansible-lint + + molecule: + name: Molecule + runs-on: ubuntu-latest + strategy: + matrix: + distro: + - centos8 + - centos7 + - fedora32 + - ubuntu2004 + - ubuntu1804 + - debian10 + + steps: + - name: Check out the codebase. + uses: actions/checkout@v2 + with: + path: 'geerlingguy.pip' + + - name: Set up Python 3. + uses: actions/setup-python@v2 + with: + python-version: '3.x' + + - name: Install test dependencies. + run: pip3 install ansible molecule[docker] docker + + - name: Run Molecule tests. + run: molecule test + env: + PY_COLORS: '1' + ANSIBLE_FORCE_COLOR: '1' + MOLECULE_DISTRO: ${{ matrix.distro }} diff --git a/roles/geerlingguy.pip/.github/workflows/release.yml b/roles/geerlingguy.pip/.github/workflows/release.yml new file mode 100644 index 00000000..408b7055 --- /dev/null 
+++ b/roles/geerlingguy.pip/.github/workflows/release.yml @@ -0,0 +1,38 @@ +--- +# This workflow requires a GALAXY_API_KEY secret present in the GitHub +# repository or organization. +# +# See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy +# See: https://github.com/ansible/galaxy/issues/46 + +name: Release +'on': + push: + tags: + - '*' + +defaults: + run: + working-directory: 'geerlingguy.pip' + +jobs: + + release: + name: Release + runs-on: ubuntu-latest + steps: + - name: Check out the codebase. + uses: actions/checkout@v2 + with: + path: 'geerlingguy.pip' + + - name: Set up Python 3. + uses: actions/setup-python@v2 + with: + python-version: '3.x' + + - name: Install Ansible. + run: pip3 install ansible-base + + - name: Trigger a new import on Galaxy. + run: ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2) diff --git a/roles/geerlingguy.pip/.gitignore b/roles/geerlingguy.pip/.gitignore new file mode 100644 index 00000000..f56f5b57 --- /dev/null +++ b/roles/geerlingguy.pip/.gitignore @@ -0,0 +1,3 @@ +*.retry +*/__pycache__ +*.pyc diff --git a/roles/geerlingguy.pip/.yamllint b/roles/geerlingguy.pip/.yamllint new file mode 100644 index 00000000..76a383c6 --- /dev/null +++ b/roles/geerlingguy.pip/.yamllint @@ -0,0 +1,10 @@ +--- +extends: default + +rules: + line-length: + max: 120 + level: warning + +ignore: | + .github/stale.yml diff --git a/roles/geerlingguy.pip/LICENSE b/roles/geerlingguy.pip/LICENSE new file mode 100644 index 00000000..4275cf3c --- /dev/null +++ b/roles/geerlingguy.pip/LICENSE 
@@ -0,0 +1,20 @@ +The MIT License (MIT) + +Copyright (c) 2017 Jeff Geerling + +Permission is hereby granted, free of charge, to any person obtaining a copy of +this software and associated documentation files (the "Software"), to deal in +the Software without restriction, including without limitation the rights to +use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +the Software, and to permit persons to whom the Software is furnished to do so, +subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/roles/geerlingguy.pip/README.md b/roles/geerlingguy.pip/README.md new file mode 100644 index 00000000..f5d6a465 --- /dev/null +++ b/roles/geerlingguy.pip/README.md 
@@ -0,0 +1,76 @@ +# Ansible Role: Pip (for Python) + +[![CI](https://github.com/geerlingguy/ansible-role-pip/workflows/CI/badge.svg?event=push)](https://github.com/geerlingguy/ansible-role-pip/actions?query=workflow%3ACI) + +An Ansible Role that installs [Pip](https://pip.pypa.io) on Linux. + +## Requirements + +On RedHat/CentOS, you may need to have EPEL installed before running this role. You can use the `geerlingguy.repo-epel` role if you need a simple way to ensure it's installed. + +## Role Variables + +Available variables are listed below, along with default values (see `defaults/main.yml`): + + pip_package: python3-pip + +The name of the packge to install to get `pip` on the system. For older systems that don't have Python 3 available, you can set this to `python-pip`. + + pip_executable: pip3 + +The role will try to autodetect the pip executable based on the `pip_package` (e.g. `pip` for Python 2 and `pip3` for Python 3). You can also override this explicitly, e.g. `pip_executable: pip3.6`. + + pip_install_packages: [] + +A list of packages to install with pip. Examples below: + + pip_install_packages: + # Specify names and versions. + - name: docker + version: "1.2.3" + - name: awscli + version: "1.11.91" + + # Or specify bare packages to get the latest release. + - docker + - awscli + + # Or uninstall a package. + - name: docker + state: absent + + # Or update a package ot the latest version. + - name: docker + state: latest + + # Or force a reinstall. + - name: docker + state: forcereinstall + + # Or install a package in a particular virtualenv. + - name: docker + virtualenv: /my_app/venv + +## Dependencies + +None. + +## Example Playbook + + - hosts: all + + vars: + pip_install_packages: + - name: docker + - name: awscli + + roles: + - geerlingguy.pip + +## License + +MIT / BSD + +## Author Information + +This role was created in 2017 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/). 
diff --git a/roles/geerlingguy.pip/defaults/main.yml b/roles/geerlingguy.pip/defaults/main.yml new file mode 100644 index 00000000..e51000ba --- /dev/null +++ b/roles/geerlingguy.pip/defaults/main.yml @@ -0,0 +1,6 @@ +--- +# For Python 3, use python3-pip. +pip_package: python3-pip +pip_executable: "{{ 'pip3' if pip_package.startswith('python3') else 'pip' }}" + +pip_install_packages: [] diff --git a/roles/geerlingguy.pip/meta/main.yml b/roles/geerlingguy.pip/meta/main.yml new file mode 100644 index 00000000..908669d9 --- /dev/null +++ b/roles/geerlingguy.pip/meta/main.yml @@ -0,0 +1,31 @@ +--- +dependencies: [] + +galaxy_info: + role_name: pip + author: geerlingguy + description: Pip (Python package manager) for Linux. + issue_tracker_url: https://github.com/geerlingguy/ansible-role-pip/issues + company: "Midwestern Mac, LLC" + license: "MIT" + min_ansible_version: 2.4 + platforms: + - name: EL + versions: + - all + - name: Fedora + versions: + - all + - name: Debian + versions: + - all + - name: Ubuntu + versions: + - all + galaxy_tags: + - system + - server + - packaging + - python + - pip + - tools diff --git a/roles/geerlingguy.pip/molecule/default/converge.yml b/roles/geerlingguy.pip/molecule/default/converge.yml new file mode 100644 index 00000000..e0151a53 --- /dev/null +++ b/roles/geerlingguy.pip/molecule/default/converge.yml 
@@ -0,0 +1,28 @@ +--- +- name: Converge + hosts: all + become: true + + vars: + pip_install_packages: + # Test installing a specific version of a package. + - name: ipaddress + version: "1.0.18" + # Test installing a package by name. + - colorama + + pre_tasks: + - name: Update apt cache. + apt: update_cache=true cache_valid_time=600 + when: ansible_os_family == 'Debian' + + - name: Set package name for older OSes. + set_fact: + pip_package: python-pip + when: > + (ansible_os_family == 'RedHat') and (ansible_distribution_major_version | int < 8) + or (ansible_distribution == 'Debian') and (ansible_distribution_major_version | int < 10) + or (ansible_distribution == 'Ubuntu') and (ansible_distribution_major_version | int < 18) + + roles: + - role: geerlingguy.pip diff --git a/roles/geerlingguy.pip/molecule/default/molecule.yml b/roles/geerlingguy.pip/molecule/default/molecule.yml new file mode 100644 index 00000000..74907107 --- /dev/null +++ b/roles/geerlingguy.pip/molecule/default/molecule.yml @@ -0,0 +1,17 @@ +--- +dependency: + name: galaxy +driver: + name: docker +platforms: + - name: instance + image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest" + command: ${MOLECULE_DOCKER_COMMAND:-""} + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + privileged: true + pre_build_image: true +provisioner: + name: ansible + playbooks: + converge: ${MOLECULE_PLAYBOOK:-converge.yml} diff --git a/roles/geerlingguy.pip/tasks/main.yml b/roles/geerlingguy.pip/tasks/main.yml new file mode 100644 index 00000000..dda7fac9 --- /dev/null +++ b/roles/geerlingguy.pip/tasks/main.yml 
@@ -0,0 +1,14 @@ +--- +- name: Ensure Pip is installed. + package: + name: "{{ pip_package }}" + state: present + +- name: Ensure pip_install_packages are installed. + pip: + name: "{{ item.name | default(item) }}" + version: "{{ item.version | default(omit) }}" + virtualenv: "{{ item.virtualenv | default(omit) }}" + state: "{{ item.state | default(omit) }}" + executable: "{{ pip_executable }}" + with_items: "{{ pip_install_packages }}" diff --git a/roles/oefenweb.ufw b/roles/oefenweb.ufw deleted file mode 160000 index 14548ed9..00000000 --- a/roles/oefenweb.ufw +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 14548ed99b9135b7c886aaf6d1289c4a6c8d1a62 diff --git a/roles/oefenweb.ufw/.ansible-lint b/roles/oefenweb.ufw/.ansible-lint new file mode 100644 index 00000000..cb8e2acf --- /dev/null +++ b/roles/oefenweb.ufw/.ansible-lint @@ -0,0 +1,2 @@ +skip_list: + - '405' diff --git a/roles/oefenweb.ufw/.gitignore b/roles/oefenweb.ufw/.gitignore new file mode 100644 index 00000000..f74c83aa --- /dev/null +++ b/roles/oefenweb.ufw/.gitignore @@ -0,0 +1,30 @@ +# OS generated files # +###################### +.DS_Store +.DS_Store? +._* +.Spotlight-V100 +.Trashes +Icon? +ehthumbs.db +Thumbs.db + +# IDE files # +################# +/.settings +/.buildpath +/.project +/nbproject +*.komodoproject +*.kpf +/.idea + +# Vagrant files # +.virtualbox/ +.vagrant/ +vagrant_ansible_inventory_* +ansible.cfg + +# Other files # +############### +!empty diff --git a/roles/oefenweb.ufw/.travis.yml b/roles/oefenweb.ufw/.travis.yml new file mode 100644 index 00000000..7fb3b9a2 --- /dev/null +++ b/roles/oefenweb.ufw/.travis.yml 
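Review bot: Every `pip_install_packages` entry without a `version` is resolved against the index at run time, and nothing in the `pip:` call pins or verifies what is fetched, so two runs can install different code and the host trusts whatever the index serves. The module exposes `extra_args`; passing it through as `extra_args: "{{ item.extra_args | default(omit) }}"` lets a caller supply `--require-hashes -r` or an `--index-url` per package without changing the role's interface. If that is out of scope for vendored upstream code, at least document the behaviour above the task: `# entries without a version resolve to the latest release on the configured index at run time`.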
@@ -0,0 +1,89 @@ +--- +sudo: required +dist: xenial + +language: python +python: + - "2.7" + - "3.5" + +env: + - ANSIBLE_VERSION=latest + - ANSIBLE_VERSION=2.10.2 + - ANSIBLE_VERSION=2.10.1 + - ANSIBLE_VERSION=2.10.0 + - ANSIBLE_VERSION=2.9.14 + - ANSIBLE_VERSION=2.9.13 + - ANSIBLE_VERSION=2.9.12 + - ANSIBLE_VERSION=2.9.11 + - ANSIBLE_VERSION=2.9.10 + - ANSIBLE_VERSION=2.9.9 + - ANSIBLE_VERSION=2.9.8 + - ANSIBLE_VERSION=2.9.7 + - ANSIBLE_VERSION=2.9.6 + - ANSIBLE_VERSION=2.9.5 + - ANSIBLE_VERSION=2.9.4 + - ANSIBLE_VERSION=2.9.3 + - ANSIBLE_VERSION=2.9.2 + - ANSIBLE_VERSION=2.9.1 + - ANSIBLE_VERSION=2.9.0 + - ANSIBLE_VERSION=2.8.16 + - ANSIBLE_VERSION=2.8.15 + - ANSIBLE_VERSION=2.8.14 + - ANSIBLE_VERSION=2.8.13 + - ANSIBLE_VERSION=2.8.12 + - ANSIBLE_VERSION=2.8.11 + - ANSIBLE_VERSION=2.8.10 + - ANSIBLE_VERSION=2.8.9 + - ANSIBLE_VERSION=2.8.8 + - ANSIBLE_VERSION=2.8.7 + - ANSIBLE_VERSION=2.8.6 + - ANSIBLE_VERSION=2.8.5 + - ANSIBLE_VERSION=2.8.4 + - ANSIBLE_VERSION=2.8.3 + - ANSIBLE_VERSION=2.8.2 + - ANSIBLE_VERSION=2.8.1 + - ANSIBLE_VERSION=2.8.0 + +branches: + only: + - master + +matrix: + allow_failures: + # https://github.com/ansible/ansible/issues/56674 + - env: ANSIBLE_VERSION=2.8.0 + +before_install: + - sudo apt-get update -qq + + # Remove ufw + - sudo apt-get remove --purge --yes ufw + +install: + # Install Ansible. + - if [ "$ANSIBLE_VERSION" = "latest" ]; then pip install ansible; else pip install ansible==$ANSIBLE_VERSION; fi + - if [ "$ANSIBLE_VERSION" = "latest" ]; then pip install ansible-lint; fi + +script: + # Check the role/playbook's syntax. + - ansible-playbook -i tests/inventory tests/test.yml --syntax-check + + # Run the role/playbook with ansible-playbook. + - ansible-playbook -i tests/inventory tests/test.yml -vvvv + + # Run the role/playbook again, checking to make sure it's idempotent. 
+ - > + ansible-playbook -i tests/inventory tests/test.yml + | grep -q 'changed=0.*failed=0' + && (echo 'Idempotence test: pass' && exit 0) + || (echo 'Idempotence test: fail' && exit 1) + + - if [ "$ANSIBLE_VERSION" = "latest" ]; then ansible-lint tests/test.yml; fi + +notifications: + email: false + webhooks: https://galaxy.ansible.com/api/v1/notifications/ + slack: + rooms: + secure: "If2mqrqZs5q6yZ9bs9qq+pmgCEMCTv1Nk3vQjax9N+xFoIvnRi1v0drEekibKgns8eg0Mg/Tya7xxXokqFhs3wVY64r43v86HFLS2MVDTaMYAxK3kRd4x8R5INIAN1U7Dtsk8RQbIngzGJPZwOfmOtY1qQ5p3RLMM+6zEBQOO7U=" diff --git a/roles/oefenweb.ufw/LICENSE.txt b/roles/oefenweb.ufw/LICENSE.txt new file mode 100644 index 00000000..5708f355 --- /dev/null +++ b/roles/oefenweb.ufw/LICENSE.txt @@ -0,0 +1,19 @@ +Copyright (c) Oefenweb.nl + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is furnished +to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/roles/oefenweb.ufw/README.md b/roles/oefenweb.ufw/README.md new file mode 100644 index 00000000..703ec0df --- /dev/null +++ b/roles/oefenweb.ufw/README.md 
@@ -0,0 +1,93 @@ +## ufw + +[![Build Status](https://travis-ci.org/Oefenweb/ansible-ufw.svg?branch=master)](https://travis-ci.org/Oefenweb/ansible-ufw) +[![Ansible Galaxy](http://img.shields.io/badge/ansible--galaxy-ufw-blue.svg)](https://galaxy.ansible.com/Oefenweb/ufw) + +Set up ufw in Debian-like systems. + +#### Requirements + +None + +#### Variables + +* `ufw_default_incoming_policy` [default: `deny`]: Default (incoming) policy +* `ufw_default_outgoing_policy` [default: `allow`]: Default (outgoing) policy + +* `ufw_logging` [default: `off`]: Log level + +* `ufw_rules` [default: see `defaults/main.yml`]: Rules to apply + +* `ufw_etc_default_ipv6` [default: `true`]: Set to yes to apply rules to support IPv6 +* `ufw_etc_default_default_input_policy` [default: `DROP`]: Set the default input policy to `ACCEPT`, `DROP`, or `REJECT`. Please note that if you change this you will most likely want to adjust your rules +* `ufw_etc_default_default_output_policy` [default: `ACCEPT`]: Set the default output policy to `ACCEPT`, `DROP`, or `REJECT`. Please note that if you change this you will most likely want to adjust your rules +* `ufw_etc_default_default_forward_policy` [default: `DROP`]: Set the default forward policy to `ACCEPT`, `DROP` or `REJECT`. Please note that if you change this you will most likely want to adjust your rules +* `ufw_etc_default_default_application_policy` [default: `SKIP`]: Set the default application policy to `ACCEPT`, `DROP`, `REJECT` or `SKIP`. Please note that setting this to `ACCEPT` may be a security risk +* `ufw_etc_default_manage_builtins` [default: `false`]: By default, ufw only touches its own chains. Set this to 'yes' to have ufw manage the built-in chains too. 
Warning: setting this to 'yes' will break non-ufw managed firewall rules +* `ufw_etc_default_ipt_sysctl` [default: `/etc/ufw/sysctl.conf`]: IPT backend, only enable if using iptables backend +* `ufw_etc_default_ipt_modules` [default: `[nf_conntrack_ftp, nf_nat_ftp, nf_conntrack_netbios_ns]`]: Extra connection tracking modules to load. Complete list can be found in `net/netfilter/Kconfig` of your kernel source + +## Dependencies + +None + +#### Example + +```yaml +--- +- hosts: all + roles: + - ufw +``` + +##### Allow ssh +```yaml +- hosts: all + roles: + - ufw + vars: + ufw_rules: + - rule: allow + to_port: 22 + protocol: tcp + comment: 'allow incoming connection on standard ssh port' +``` + +##### Allow all traffic on eth1 +```yaml +- hosts: all + roles: + - ufw + vars: + ufw_rules: + - rule: allow + interface: eth1 + to_port: '' + comment: 'allow all traffic on interface eth1' +``` + +##### Allow snmp traffic from 1.2.3.4 on eth0 +```yaml +- hosts: all + roles: + - ufw + vars: + ufw_rules: + - rule: allow + interface: eth0 + from_ip: 1.2.3.4 + to_port: 161 + protocol: udp +``` + +#### License + +MIT + +#### Author Information + +Mischa ter Smitten (based on work of weareinteractive) + +#### Feedback, bug-reports, requests, ... + +Are [welcome](https://github.com/Oefenweb/ansible-ufw/issues)! diff --git a/roles/oefenweb.ufw/Vagrantfile b/roles/oefenweb.ufw/Vagrantfile new file mode 100644 index 00000000..653c851f --- /dev/null +++ b/roles/oefenweb.ufw/Vagrantfile 
@@ -0,0 +1,77 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby ts=2 sw=2 tw=0 et : + +role = File.basename(File.expand_path(File.dirname(__FILE__))) + +boxes = [ + { + :name => "ubuntu-1204", + :box => "bento/ubuntu-12.04", + :ip => '10.0.0.11', + :cpu => "50", + :ram => "256" + }, + { + :name => "ubuntu-1404", + :box => "bento/ubuntu-14.04", + :ip => '10.0.0.12', + :cpu => "50", + :ram => "256" + }, + { + :name => "ubuntu-1604", + :box => "bento/ubuntu-16.04", + :ip => '10.0.0.13', + :cpu => "50", + :ram => "256" + }, + { + :name => "ubuntu-1804", + :box => "bento/ubuntu-18.04", + :ip => '10.0.0.14', + :cpu => "50", + :ram => "384" + }, + { + :name => "debian-7", + :box => "bento/debian-7", + :ip => '10.0.0.15', + :cpu => "50", + :ram => "256" + }, + { + :name => "debian-8", + :box => "bento/debian-8", + :ip => '10.0.0.16', + :cpu => "50", + :ram => "256" + }, + { + :name => "debian-9", + :box => "bento/debian-9", + :ip => '10.0.0.17', + :cpu => "50", + :ram => "256" + }, +] + +Vagrant.configure("2") do |config| + boxes.each do |box| + config.vm.define box[:name] do |vms| + vms.vm.box = box[:box] + vms.vm.hostname = "ansible-#{role}-#{box[:name]}" + + vms.vm.provider "virtualbox" do |v| + v.customize ["modifyvm", :id, "--cpuexecutioncap", box[:cpu]] + v.customize ["modifyvm", :id, "--memory", box[:ram]] + end + + vms.vm.network :private_network, ip: box[:ip] + + vms.vm.provision :ansible do |ansible| + ansible.playbook = "tests/vagrant.yml" + ansible.verbose = "vv" + end + end + end +end diff --git a/roles/oefenweb.ufw/defaults/main.yml b/roles/oefenweb.ufw/defaults/main.yml new file mode 100644 index 00000000..37730c66 --- /dev/null +++ b/roles/oefenweb.ufw/defaults/main.yml 
@@ -0,0 +1,25 @@ +# defaults file for ufw +--- +ufw_default_incoming_policy: deny +ufw_default_outgoing_policy: allow + +ufw_logging: 'off' + +ufw_rules: + - rule: allow + interface: "{{ ansible_default_ipv4['interface'] }}" + to_port: 22 + protocol: tcp + +# /etc/default/ufw +ufw_etc_default_ipv6: true +ufw_etc_default_default_input_policy: DROP +ufw_etc_default_default_output_policy: ACCEPT +ufw_etc_default_default_forward_policy: DROP +ufw_etc_default_default_application_policy: SKIP +ufw_etc_default_manage_builtins: false +ufw_etc_default_ipt_sysctl: /etc/ufw/sysctl.conf +ufw_etc_default_ipt_modules: + - nf_conntrack_ftp + - nf_nat_ftp + - nf_conntrack_netbios_ns diff --git a/roles/oefenweb.ufw/files/empty b/roles/oefenweb.ufw/files/empty new file mode 100644 index 00000000..e69de29b diff --git a/roles/oefenweb.ufw/handlers/main.yml b/roles/oefenweb.ufw/handlers/main.yml new file mode 100644 index 00000000..2a77d703 --- /dev/null +++ b/roles/oefenweb.ufw/handlers/main.yml @@ -0,0 +1,5 @@ +# handlers file for ufw +--- +- name: reload ufw + ufw: + state: reloaded diff --git a/roles/oefenweb.ufw/meta/main.yml b/roles/oefenweb.ufw/meta/main.yml new file mode 100644 index 00000000..d72ba350 --- /dev/null +++ b/roles/oefenweb.ufw/meta/main.yml @@ -0,0 +1,26 @@ +# meta file for ufw +--- +galaxy_info: + role_name: ufw + author: Mischa ter Smitten + company: Oefenweb.nl B.V. + description: Set up ufw in Debian-like systems + license: MIT + min_ansible_version: 2.8.0 + platforms: + - name: Ubuntu + versions: + - precise + - trusty + - xenial + - bionic + - name: Debian + versions: + - wheezy + - jessie + - stretch + galaxy_tags: + - system + - networking + - firewall +dependencies: [] diff --git a/roles/oefenweb.ufw/tasks/configure.yml b/roles/oefenweb.ufw/tasks/configure.yml new file mode 100644 index 00000000..aa39ca87 --- /dev/null +++ b/roles/oefenweb.ufw/tasks/configure.yml 
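Review bot: `ufw_logging: 'off'` disables all firewall logging by default, so connections rejected by the default-deny incoming policy leave no trace in syslog or the journal for detection or incident response; `low` logs blocked packets with rate limiting and is the usual baseline. The single default rule also opens tcp/22 from `any` on `ansible_default_ipv4['interface']` with no source restriction. Both are upstream defaults of a vendored role, so they are better overridden from the playbook (`ufw_logging: low`, a `from_ip` on the ssh rule) than edited here, and a comment such as `# 'off' means blocked packets are not logged; use low/medium/high for visibility` above `ufw_logging` would help the next reader.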
@@ -0,0 +1,77 @@ +# tasks file for ufw +--- +- name: configure | create (local facts) directory + file: + path: /etc/ansible/facts.d/ + state: directory + owner: root + group: root + mode: 0755 + tags: + - ufw-configure-facts + +- name: configure | update configuration file(s) + template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: root + group: root + mode: 0644 + with_items: + - src: etc/default/ufw.j2 + dest: /etc/default/ufw + - src: etc/ansible/facts.d/ufw.fact.j2 + dest: /etc/ansible/facts.d/ufw.fact + register: configuration + tags: + - ufw-configure-facts + +- name: configure | reset + ufw: + state: reset + when: configuration is changed + tags: + - ufw-configure-reset + +- name: configure | default (incoming) policy + ufw: + policy: "{{ ufw_default_incoming_policy }}" + direction: incoming + notify: reload ufw + tags: + - ufw-configure-default-policy + - ufw-configure-default-policy-incoming + +- name: configure | default (outgoing) policy + ufw: + policy: "{{ ufw_default_outgoing_policy }}" + direction: outgoing + notify: reload ufw + tags: + - ufw-configure-default-policy + - ufw-configure-default-policy-outgoing + +- name: configure | rules + ufw: + rule: "{{ item.rule }}" + interface: "{{ item.interface | default('') }}" + direction: "{{ item.direction | default('in') }}" + from_ip: "{{ item.from_ip | default('any') }}" + to_ip: "{{ item.to_ip | default('any') }}" + from_port: "{{ item.from_port | default('') }}" + to_port: "{{ item.to_port | default('') }}" + protocol: "{{ item.protocol | default('any') }}" + route: "{{ item.route | default(omit) }}" + log: "{{ item.log | default(false) }}" + comment: "{{ item.comment | default(omit) }}" + with_items: "{{ ufw_rules }}" + notify: reload ufw + tags: + - ufw-configure-rules + +- name: configure | logging + ufw: + logging: "{{ ufw_logging }}" + notify: reload ufw + tags: + - ufw-configure-logging 
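Review bot: The `configure | reset` task runs `ufw: state: reset` whenever either template changed, and a ufw reset disables the firewall and flushes its rules, so from that task until the `state: enabled` task at the end of `tasks/main.yml` the host filters nothing; on the first run and on every rule edit this is a fail-open window rather than a lockout. If the reset is kept it should be documented above the task, e.g. `# NOTE: reset disables ufw and flushes all rules; the firewall is only re-enabled in main.yml after the rules below are applied`, and a consumer may prefer to drop it and rely on the idempotent per-rule `ufw` tasks. Separately, `configure | update configuration file(s)` writes `/etc/ansible/facts.d/ufw.fact` with `mode: 0644`; that file serialises `ufw_facts` (the full rule list, policies and logging), so any local user can read a ruleset that otherwise needs root via `ufw status`. A tighter mode such as `0600` should suffice, since fact gathering presumably runs under the same account that writes the file.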
diff --git a/roles/oefenweb.ufw/tasks/fix-dropped-ssh-sessions.yml b/roles/oefenweb.ufw/tasks/fix-dropped-ssh-sessions.yml new file mode 100644 index 00000000..d4186e0b --- /dev/null +++ b/roles/oefenweb.ufw/tasks/fix-dropped-ssh-sessions.yml @@ -0,0 +1,17 @@ +# tasks file for ufw +--- +- name: check if conntrack exists + stat: + path: /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal + register: _nf_conntrack_tcp_be_liberal + +- name: fix dropped ssh sessions | configure kernel + sysctl: + name: net.netfilter.nf_conntrack_tcp_be_liberal + value: '1' + state: present + sysctl_set: true + reload: true + when: _nf_conntrack_tcp_be_liberal.stat.exists + tags: + - ufw-fix-dropped-ssh-sessions-configure-kernel diff --git a/roles/oefenweb.ufw/tasks/install.yml b/roles/oefenweb.ufw/tasks/install.yml new file mode 100644 index 00000000..02c34c08 --- /dev/null +++ b/roles/oefenweb.ufw/tasks/install.yml @@ -0,0 +1,10 @@ +# tasks file for ufw +--- +- name: install | dependencies + apt: + name: "{{ ufw_dependencies }}" + state: "{{ apt_install_state | default('latest') }}" + update_cache: true + cache_valid_time: "{{ apt_update_cache_valid_time | default(3600) }}" + tags: + - ufw-install-dependencies diff --git a/roles/oefenweb.ufw/tasks/main.yml b/roles/oefenweb.ufw/tasks/main.yml new file mode 100644 index 00000000..5de837c6 --- /dev/null +++ b/roles/oefenweb.ufw/tasks/main.yml 
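Review bot: The `check if conntrack exists` task carries no tag, while the `sysctl` task that depends on its registered `_nf_conntrack_tcp_be_liberal` result is tagged `ufw-fix-dropped-ssh-sessions-configure-kernel`, so a run limited to that tag skips the `stat` and the `when` fails on an undefined variable. Adding the same `tags:` list to the stat task (and, for consistency with the rest of the role, prefixing its name with `fix dropped ssh sessions |`) fixes this. The task file itself gives no reason for setting `nf_conntrack_tcp_be_liberal=1`; since it relaxes conntrack's TCP window validation, a one-line comment pointing at the rationale links kept in `tasks/main.yml` would help whoever audits this sysctl later.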
@@ -0,0 +1,39 @@ +# tasks file for ufw +--- +- name: facts | set + set_fact: + kernel_version: "{{ ansible_kernel | regex_search('^([0-9]+\\.[0-9]+\\.[0-9]+)') }}" + tags: + - configuration + - ufw + - ufw-facts + +# see https://askubuntu.com/a/1064533/261010, https://www.spinics.net/lists/netfilter-devel/msg55682.html +- include: fix-dropped-ssh-sessions.yml + when: + - kernel_version is version('4.14', '>=') + - kernel_version is version('5', '<') + tags: + - configuration + - ufw + - ufw-fix-dropped-ssh-sessions + +- include: install.yml + tags: + - configuration + - ufw + - ufw-install + +- include: configure.yml + tags: + - configuration + - ufw + - ufw-configure + +- name: start and enable service + ufw: + state: enabled + tags: + - configuration + - ufw + - ufw-start-enable-service diff --git a/roles/oefenweb.ufw/templates/etc/ansible/facts.d/ufw.fact.j2 b/roles/oefenweb.ufw/templates/etc/ansible/facts.d/ufw.fact.j2 new file mode 100644 index 00000000..ad9d5186 --- /dev/null +++ b/roles/oefenweb.ufw/templates/etc/ansible/facts.d/ufw.fact.j2 @@ -0,0 +1 @@ +{{ ufw_facts | to_nice_json }} diff --git a/roles/oefenweb.ufw/templates/etc/default/ufw.j2 b/roles/oefenweb.ufw/templates/etc/default/ufw.j2 new file mode 100644 index 00000000..4b00d509 --- /dev/null +++ b/roles/oefenweb.ufw/templates/etc/default/ufw.j2 
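Review bot: The three `- include:` statements use the legacy `include` keyword, deprecated since Ansible 2.4 and removed in 2.16, while `meta/main.yml` declares `min_ansible_version: 2.8.0`, where `import_tasks`/`include_tasks` are available. `import_tasks` is the closer match here because the `tags:` lists on these includes are meant to reach the tasks inside the files, which only the static form does; the `when:` on the first one also works with `import_tasks`, since it is applied to every imported task, e.g. `- import_tasks: fix-dropped-ssh-sessions.yml`. The `kernel_version` fact comes from `regex_search` on `ansible_kernel` and may be empty on an unexpected kernel string, which the `version()` test then rejects; a `default` or a guard is worth considering if custom kernels are ever targeted.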
@@ -0,0 +1,46 @@ +# {{ ansible_managed }} + +# /etc/default/ufw +# + +# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback +# accepted). You will need to 'disable' and then 'enable' the firewall for +# the changes to take affect. +IPV6={{ 'yes' if ufw_etc_default_ipv6 else 'no' }} + +# Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if +# you change this you will most likely want to adjust your rules. +DEFAULT_INPUT_POLICY="{{ ufw_etc_default_default_input_policy }}" + +# Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if +# you change this you will most likely want to adjust your rules. +DEFAULT_OUTPUT_POLICY="{{ ufw_etc_default_default_output_policy }}" + +# Set the default forward policy to ACCEPT, DROP or REJECT. Please note that +# if you change this you will most likely want to adjust your rules +DEFAULT_FORWARD_POLICY="{{ ufw_etc_default_default_forward_policy }}" + +# Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please +# note that setting this to ACCEPT may be a security risk. See 'man ufw' for +# details +DEFAULT_APPLICATION_POLICY="{{ ufw_etc_default_default_application_policy }}" + +# By default, ufw only touches its own chains. Set this to 'yes' to have ufw +# manage the built-in chains too. Warning: setting this to 'yes' will break +# non-ufw managed firewall rules +MANAGE_BUILTINS={{ 'yes' if ufw_etc_default_manage_builtins else 'no' }} + +# +# IPT backend +# +# only enable if using iptables backend +IPT_SYSCTL={{ ufw_etc_default_ipt_sysctl }} + +# Extra connection tracking modules to load. Complete list can be found in +# net/netfilter/Kconfig of your kernel source. 
Some common modules: +# nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support +# nf_conntrack_netbios_ns: NetBIOS (samba) client support +# nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT +# nf_conntrack_ftp, nf_nat_ftp: active FTP support +# nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side) +IPT_MODULES="{{ ufw_etc_default_ipt_modules | join(' ') }}" diff --git a/roles/oefenweb.ufw/tests/inventory b/roles/oefenweb.ufw/tests/inventory new file mode 100644 index 00000000..2fbb50c4 --- /dev/null +++ b/roles/oefenweb.ufw/tests/inventory @@ -0,0 +1 @@ +localhost diff --git a/roles/oefenweb.ufw/tests/test.yml b/roles/oefenweb.ufw/tests/test.yml new file mode 100644 index 00000000..8c28d0f6 --- /dev/null +++ b/roles/oefenweb.ufw/tests/test.yml @@ -0,0 +1,7 @@ +# test file for ufw +--- +- hosts: localhost + connection: local + become: true + roles: + - ../../ diff --git a/roles/oefenweb.ufw/tests/vagrant.yml b/roles/oefenweb.ufw/tests/vagrant.yml new file mode 100644 index 00000000..aa0b5e2c --- /dev/null +++ b/roles/oefenweb.ufw/tests/vagrant.yml @@ -0,0 +1,7 @@ +# test file for ufw +--- +- hosts: all + remote_user: vagrant + become: true + roles: + - ../../ diff --git a/roles/oefenweb.ufw/vars/main.yml b/roles/oefenweb.ufw/vars/main.yml new file mode 100644 index 00000000..63ef6a69 --- /dev/null +++ b/roles/oefenweb.ufw/vars/main.yml @@ -0,0 +1,10 @@ +# vars file for ufw +--- +ufw_dependencies: + - ufw + +ufw_facts: + default_incoming_policy: "{{ ufw_default_incoming_policy }}" + default_outgoing_policy: "{{ ufw_default_outgoing_policy }}" + logging: "{{ ufw_logging }}" + rules: "{{ ufw_rules }}" diff --git a/roles/riemers.gitlab-runner b/roles/riemers.gitlab-runner deleted file mode 160000 index ef3335cd..00000000 --- a/roles/riemers.gitlab-runner +++ /dev/null @@ -1 +0,0 @@ -Subproject commit ef3335cd4e5c966243722ff6ec9e35dec6d90d79 
diff --git a/roles/riemers.gitlab-runner/.gitignore b/roles/riemers.gitlab-runner/.gitignore new file mode 100644 index 00000000..bb8ca254 --- /dev/null +++ b/roles/riemers.gitlab-runner/.gitignore @@ -0,0 +1 @@ +ansible.cfg diff --git a/roles/riemers.gitlab-runner/.travis.yml b/roles/riemers.gitlab-runner/.travis.yml new file mode 100644 index 00000000..17100811 --- /dev/null +++ b/roles/riemers.gitlab-runner/.travis.yml 
@@ -0,0 +1,64 @@ +--- +jobs: + include: + - os: linux + dist: focal + python: "3.8" + language: python + addons: + apt: + packages: + - python3-pip + install: + # Install ansible + - sudo update-alternatives --install /usr/bin/python python /usr/bin/python3 1 + - echo $PATH + - pip3 install ansible flask + # Check ansible version + - ansible --version + # Create ansible.cfg with correct roles_path + #- printf '[defaults]\nroles_path=../' > ansible.cfg + - "{ echo '[defaults]'; echo 'roles_path = ../'; } > ansible.cfg" + script: + # Basic role syntax check + - ansible-playbook tests/test.yml -i tests/inventory --syntax-check + # Running tests + - ansible-playbook tests/test.yml -i tests/inventory + after_failure: + - touch ~/mock_ci.pid && cat ~/mock_ci.pid + - touch ~/mock_ci.log && cat ~/mock_ci.log + - os: osx + osx_image: xcode10.3 + # See https://github.com/travis-ci/travis-ci/issues/2312#issuecomment-422830059 + #language: python + language: generic + install: + # Install ansible + - pip install ansible flask + # Check ansible version + - ansible --version + # Create ansible.cfg with correct roles_path + - printf '[defaults]\nroles_path=../' > ansible.cfg + script: + # Basic role syntax check + - ansible-playbook tests/test.yml -i tests/inventory --syntax-check + # Running tests + - ansible-playbook tests/test.yml -i tests/inventory + after_failure: + - touch ~/mock_ci.pid && cat ~/mock_ci.pid + - touch ~/mock_ci.log && cat ~/mock_ci.log + - os: windows + language: shell + install: + - powershell -ExecutionPolicy ByPass -File tests/travis-bootstrap-ansible.ps1 + - wsl ansible --version + script: + - wsl mkdir -p tests/roles/ansible-gitlab-runner/ + - cd tests/roles/ansible-gitlab-runner/ + - wsl ln -s ../../../* . + - cd ../../ + - wsl ansible-playbook test.yml -i inventory --syntax-check + # Running tests + - wsl ansible-playbook test.yml -i inventory --extra-vars 'ansible_user=ansible ansible_password=Ans1ble_User! 
ansible_connection=winrm ansible_winrm_server_cert_validation=ignore ansible_ssh_port=5986' +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ diff --git a/roles/riemers.gitlab-runner/LICENSE b/roles/riemers.gitlab-runner/LICENSE new file mode 100644 index 00000000..35494fcc --- /dev/null +++ b/roles/riemers.gitlab-runner/LICENSE @@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2016 Harold Barker + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/roles/riemers.gitlab-runner/README.md b/roles/riemers.gitlab-runner/README.md new file mode 100644 index 00000000..e8ff641d --- /dev/null +++ b/roles/riemers.gitlab-runner/README.md 
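Review bot: The last `script` step of the Windows job passes a fixed `ansible_password` and `ansible_winrm_server_cert_validation=ignore` inline on the `ansible-playbook` command line, so the credential is stored in the repository and echoed into CI logs. Even for a throwaway CI VM this is better kept in an encrypted CI variable and referenced through the environment (e.g. `ansible_password=$WINRM_TEST_PASSWORD`, name illustrative); if the account is created by `tests/travis-bootstrap-ansible.ps1` (not visible here) the value should be generated there rather than hard-coded in two places. This file sits under `roles/` and presumably is not executed by this repository's own CI, so the exposure is to readers of the tree rather than to a live system.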
@@ -0,0 +1,165 @@ +GitLab Runner [![Build Status](https://api.travis-ci.org/riemers/ansible-gitlab-runner.svg?branch=master)](https://travis-ci.org/riemers/ansible-gitlab-runner) [![Ansible Role](https://img.shields.io/badge/role-riemers.gitlab--runner-blue.svg?maxAge=2592000)](https://galaxy.ansible.com/riemers/gitlab-runner/) +============= + +This role will install the [official GitLab Runner](https://gitlab.com/gitlab-org/gitlab-runner) +(fork from haroldb) with updates. Needed something simple and working, this did the trick for me. Open for changes though. + +Requirements +------------ + +This role requires Ansible 2.7 or higher. + +Role Variables +-------------- + +- `gitlab_runner_package_name` - **Since Gitlab 10.x** The package name of `gitlab-ci-multi-runner` has been renamed to `gitlab-runner`. In order to install a version < 10.x you will need to define this variable `gitlab_runner_package_name: gitlab-ci-multi-runner`. +- `gitlab_runner_wanted_version` or `gitlab_runner_package_version` - To install a specific version of the gitlab runner (by default it installs the latest). +On Mac OSX and Windows, use e.g. `gitlab_runner_wanted_version: 12.4.1`. +On Linux, use `gitlab_runner_package_version` instead. +- `gitlab_runner_concurrent` - The maximum number of global jobs to run concurrently. Defaults to the number of processor cores. +- `gitlab_runner_registration_token` - The GitLab registration token. If this is specified, a runner will be registered to a GitLab server. +- `gitlab_runner_coordinator_url` - The GitLab coordinator URL. Defaults to `https://gitlab.com`. +- `gitlab_runner_sentry_dsn` - Enable tracking of all system level errors to Sentry +- `gitlab_runner_listen_address` - Enable `/metrics` endpoint for Prometheus scraping. +- `gitlab_runner_runners` - A list of gitlab runners to register & configure. Defaults to a single shell executor. 
+- `gitlab_runner_skip_package_repo_install`- Skip the APT or YUM repository installation (by default, false). You should provide a repository containing the needed packages before running this role. + +See the [`defaults/main.yml`](https://github.com/riemers/ansible-gitlab-runner/blob/master/defaults/main.yml) file listing all possible options which you can be passed to a runner registration command. + +### Gitlab Runners cache +For each gitlab runner in gitlab_runner_runners you can set cache options. At the moment role support s3 or gcs types. +Example configurration for s3 can be: +```yaml +gitlab_runner_runners: + cache_type: "s3" + cache_path: "cache" + cache_shared: true + cache_s3_server_address: "s3.amazonaws.com" + cache_s3_access_key: "" + cache_s3_secret_key: "" + cache_s3_bucket_name: " + cache_s3_bucket_location: "eu-west-1" + cache_s3_insecure: false +``` + +## Autoscale Runner Machine vars for AWS (optional) + +- `gitlab_runner_machine_options: []` - Foremost you need to pass an array of dedicated vars in the machine_options to configure your scaling runner: + + + `amazonec2-access-key` and `amazonec2-secret-key` the keys of the dedicated IAM user with permission for EC2 + + `amazonec2-zone` + + `amazonec2-region` + + `amazonec2-vpc-id` + + `amazonec2-subnet-id` + + `amazonec2-use-private-address=true` + + `amazonec2-security-group` + + `amazonec2-instance-type` + + you can also set `amazonec2-tags` to identify you instance more easily via aws-cli or the console. + +- `MachineDriver` - which should be set to `amzonec2` when working on AWS +- `MachineName` - Name of the machine. It **must** contain `%s`, which will be replaced with a unique machine identifier. +- `IdleCount` - Number of machines, that need to be created and waiting in Idle state. +- `IdleTime` - Time (in seconds) for machine to be in Idle state before it is removed. + +In addition you could set *off peak* settings. This lets you select a regular time periods when no work is done. 
For example most of commercial companies are working from Monday to Friday in a fixed hours, eg. from 10am to 6pm. In the rest of the week - from Monday to Friday at 12am-9am and 6pm-11pm and whole Saturday and Sunday - no one is working. These time periods we’re naming here as Off Peak. + +- `gitlab_runner_machine_off_peak_periods` +- `gitlab_runner_machine_off_peak_idle_time` +- `gitlab_runner_machine_off_peak_idle_count` + +### Read Sources +For details follow these links: + +- [gitlab-docs/runner: advanced configuration: runners.machine section](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnersmachine-section) +- [gitlab-docs/runner: autoscale: supported cloud-providers](https://docs.gitlab.com/runner/configuration/autoscale.html#supported-cloud-providers) +- [gitlab-docs/runner: autoscale_aws: runners.machine section](https://docs.gitlab.com/runner/configuration/runner_autoscale_aws/#the-runnersmachine-section) + +See the [config for more options](https://github.com/riemers/ansible-gitlab-runner/blob/master/tasks/register-runner.yml) + +Example Playbook +---------------- +```yaml +- hosts: all + become: true + vars_files: + - vars/main.yml + roles: + - { role: riemers.gitlab-runner } +``` + +Inside `vars/main.yml` +```yaml +gitlab_runner_coordinator_url: https://gitlab.com +gitlab_runner_registration_token: '12341234' +gitlab_runner_runners: + - name: 'Example Docker GitLab Runner' + # token is an optional override to the global gitlab_runner_registration_token + token: 'abcd' + # url is an optional override to the global gitlab_runner_coordinator_url + url: 'https://my-own-gitlab.mydomain.com' + executor: docker + docker_image: 'alpine' + tags: + - node + - ruby + - mysql + docker_volumes: + - "/var/run/docker.sock:/var/run/docker.sock" + - "/cache" + extra_configs: + runners.docker: + memory: 512m + allowed_images: ["ruby:*", "python:*", "php:*"] + runners.docker.sysctls: + net.ipv4.ip_forward: "1" +``` + +## autoscale 
setup on AWS +how `vars/main.yml` would look like, if you setup an autoscaling GitLab-Runner on AWS: + +```yaml +gitlab_runner_registration_token: 'HUzTMgnxk17YV8Rj8ucQ' +gitlab_runner_coordinator_url: 'https://gitlab.com' +gitlab_runner_runners: + - name: 'Example autoscaling GitLab Runner' + state: present + # token is an optional override to the global gitlab_runner_registration_token + token: 'HUzTMgnxk17YV8Rj8ucQ' + executor: 'docker+machine' + # Maximum number of jobs to run concurrently on this specific runner. + # Defaults to 0, simply means don't limit. + concurrent_specific: '0' + docker_image: 'alpine' + # Indicates whether this runner can pick jobs without tags. + run_untagged: true + extra_configs: + runners.machine: + IdleCount: 1 + IdleTime: 1800 + MaxBuilds: 10 + MachineDriver: 'amazonec2' + MachineName: 'git-runner-%s' + MachineOptions: ["amazonec2-access-key={{ lookup('env','AWS_IAM_ACCESS_KEY') }}", "amazonec2-secret-key={{ lookup('env','AWS_IAM_SECRET_KEY') }}", "amazonec2-zone={{ lookup('env','AWS_EC2_ZONE') }}", "amazonec2-region={{ lookup('env','AWS_EC2_REGION') }}", "amazonec2-vpc-id={{ lookup('env','AWS_VPC_ID') }}", "amazonec2-subnet-id={{ lookup('env','AWS_SUBNET_ID') }}", "amazonec2-use-private-address=true", "amazonec2-tags=gitlab-runner", "amazonec2-security-group={{ lookup('env','AWS_EC2_SECURITY_GROUP') }}", "amazonec2-instance-type={{ lookup('env','AWS_EC2_INSTANCE_TYPE') }}"] + +``` + +### NOTE +from https://docs.gitlab.com/runner/executors/docker_machine.html: + +>The **first time** you’re using Docker Machine, it’s best to execute **manually** `docker-machine create...` with your chosen driver and **all options from the MachineOptions** section. This will set up the Docker Machine environment properly and will also be a good validation of the specified options. After this, you *can destroy the machine* with `docker-machine rm [machine_name]` and start the Runner. 
+ +Example: + +`docker-machine create -d amazonec2 --amazonec2-zone=a --amazonec2-region=us-east-1 --amazonec2-vpc-id=vpc-11111111 --amazonec2-subnet-id=subnet-1111111 --amazonec2-use-private-address=true --amazonec2-tags=gitlab-runner --amazonec2-instance-type=t3.medium test + +docker-machine rm test +` + +Contributors +------------ +Feel free to add your name to the readme if you make a PR. A full list of people from the PR's is [here](https://github.com/riemers/ansible-gitlab-runner/pulls?q=is%3Apr+is%3Aclosed) + +- Gastrofix for adding Mac Support +- Matthias Schmieder for adding Windows Support +- dniwdeus & rosenstrauch for adding AWS autoscale option + diff --git a/roles/riemers.gitlab-runner/defaults/main.yml b/roles/riemers.gitlab-runner/defaults/main.yml new file mode 100644 index 00000000..7aa4fe4f --- /dev/null +++ b/roles/riemers.gitlab-runner/defaults/main.yml 
@@ -0,0 +1,161 @@ +--- +# for versions >= 10.x +gitlab_runner_package_name: 'gitlab-runner' + +gitlab_runner_system_mode: yes + +# gitlab_runner_package_version for version pinning on debian/redhat +# The following are for version pinning on MacOSX +gitlab_runner_wanted_version: latest + +# This variable should not be modified usually as it depends on the gitlab_runner_wanted_version variable +gitlab_runner_wanted_tag: "{{ 'latest' if gitlab_runner_wanted_version == 'latest' else ('v' + gitlab_runner_wanted_version) }}" + +# Overridden based on platform +gitlab_runner_config_file: "{{ __gitlab_runner_config_file_system_mode if gitlab_runner_system_mode else __gitlab_runner_config_file_user_mode }}" +gitlab_runner_config_file_location: "{{ gitlab_runner_config_file | dirname }}" +gitlab_runner_executable: "{{ gitlab_runner_package_name }}" + +# Maximum number of global jobs to run concurrently +gitlab_runner_concurrent: '{{ ansible_processor_vcpus }}' + +# GitLab coordinator URL +gitlab_runner_coordinator_url: 'https://gitlab.com' +# GitLab registration token +gitlab_runner_registration_token: '' + +gitlab_runner_sentry_dsn: '' + +# Prometheus Metrics & Monitoring +gitlab_runner_listen_address: '' + +# Skip the APT or YUM repository installation +# You should provide a repository containing the needed packages before running this role. +# Use this if you use a mirror repository +# gitlab_runner_skip_package_repo_install: true + +# The credentials for the Windows user used to run the gitlab-runner service. +# Those credentials will be passed to `gitlab-runner.exe install`. +# https://docs.gitlab.com/runner/install/windows.html +gitlab_runner_windows_service_user: '' +gitlab_runner_windows_service_password: '' + +# gitlab_runner_container_install +gitlab_runner_container_install: false + +# default state to restart +gitlab_runner_restart_state: "restarted" + +# A list of runners to register and configure +gitlab_runner_runners: + # The identifier of the runner. 
+ - name: '{{ ansible_hostname }}' + # set to 'absent' if you want to delete the runner. Defaults to 'present'. + state: present + # The executor used by the runner. + executor: 'shell' + # Set maximum build log size in kilobytes. + output_limit: 4096 + # Maximum number of jobs to run concurrently on this specific runner. + # Defaults to 0, simply means don't limit. + concurrent_specific: '0' + # The default Docker image to use. Required when executor is `docker`. + docker_image: '' + # The tags assigned to the runner. + tags: [] + # Indicates whether this runner can pick jobs without tags. + run_untagged: true + # Docker privileged mode + docker_privileged: false + # Runner Locked. When a runner is locked, it cannot be assigned to other projects + locked: 'false' + # Add container to a custom network + docker_network_mode: bridge + # Custom environment variables injected to build environment + env_vars: [] + # Sets the clone_url. The default is not set. + # clone_url: + # + # Sets the pre_clone_script. The default is not set. + # pre_clone_script: + # + # Sets the pre_build_script. The default is not set. + # pre_build_script: + # + # Sets the post_build_script. The default is not set. 
+ # post_build_script: + # + # Runner SSH user + # ssh_user: '' + # + # Runner SSH host + # ssh_host: '' + # + # Runner SSH port + # ssh_port: '' + # + # Runner SSH password + # ssh_password: '' + # + # Runner SSH identity file + # ssh_identity_file: '' + # + # Cache type + # cache_type: 's3|gcs' + # + # Cache path + # cache_path: prefix/key + # + # Cache shared + # cache_shared: false + # + # Cache S3 server address + # cache_s3_server_address: "s3.amazonaws.com" + # + # Cache S3 access key + # cache_s3_access_key: "AMAZON_S3_ACCESS_KEY" + # + # Cache S3 secret key + # cache_s3_secret_key: "AMAZON_S3_SECRET_KEY" + # + # Cache S3 bucket name + # cache_s3_bucket_name: "my-bucket" + # + # Cache S3 bucket location + # cache_s3_bucket_location: "eu-west-1" + # + # Cache S3 insecure + # cache_s3_insecure: false + # + # Cache GCS Bucket name + # cache_gcs_bucket_name: "my-bucket" + # + # Cache GCS CredentialsFile + # cache_gcs_credentials_file: "/path/to/key_file.json" + # + # Cache GCS Access ID + # cache_gcs_access_id: "cache-access-account@project.iam.gserviceaccount.com" + # + # Cache GCS Private Key + # cache_gcs_private_key: "-----BEGIN PRIVATE KEY-----\nXXXXXX\n-----END PRIVATE KEY-----\n" + # + # Builds directory + # builds_dir: '/builds_dir' + # + # Cache directory + # cache_dir: '/cache' + # + # Extra registration option + # extra_registration_option: '--maximum-timeout=3600' + # + # Extra configuration options to change in the config.toml file + # This parameter is a dictionary where the first level keys are TOML section names + # Full list of configuration are available on Gitlab Runner documentation: + # See https://docs.gitlab.com/runner/configuration/advanced-configuration.html + # + # extra_configs: + # runners.docker: + # memory: 512m + # allowed_images: ["ruby:*", "python:*", "php:*"] + # runners.docker.sysctls: + # net.ipv4.ip_forward: "1" 
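Review bot: `gitlab_runner_registration_token` and `gitlab_runner_windows_service_password` default to empty strings without saying where real values are expected to come from; since the role is now vendored, a comment such as `# Supply from an encrypted source (ansible-vault / CI secret), never in this file` on each would discourage pasting tokens into `defaults/`. `locked: 'false'` in the example runner is a quoted string while `run_untagged: true` and `docker_privileged: false` beside it are booleans; if the registration task treats it as a boolean this silently differs, so either type it consistently (`locked: false`) or document why it must stay a string.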
diff --git a/roles/riemers.gitlab-runner/handlers/main.yml b/roles/riemers.gitlab-runner/handlers/main.yml new file mode 100644 index 00000000..c47f7aa5 --- /dev/null +++ b/roles/riemers.gitlab-runner/handlers/main.yml @@ -0,0 +1,25 @@ +--- +# non macOS +- name: restart_gitlab_runner + service: name=gitlab-runner state={{ gitlab_runner_restart_state }} + become: yes + when: ansible_os_family != 'Darwin' and ansible_os_family != 'Windows' and not gitlab_runner_container_install + +# macOS +- name: restart_gitlab_runner_macos + command: "{{ gitlab_runner_executable }} restart" + become: "{{ gitlab_runner_system_mode }}" + when: ansible_os_family == 'Darwin' + +- name: restart_gitlab_runner_windows + win_command: "{{ gitlab_runner_executable }} restart" + args: + chdir: "{{ gitlab_runner_config_file_location }}" + when: ansible_os_family == 'Windows' + +# Container +- name: restart_gitlab_runner_container + docker_container: + name: "{{ gitlab_runner_container_name }}" + restart: yes + when: gitlab_runner_container_install diff --git a/roles/riemers.gitlab-runner/meta/main.yml b/roles/riemers.gitlab-runner/meta/main.yml new file mode 100644 index 00000000..67578839 --- /dev/null +++ b/roles/riemers.gitlab-runner/meta/main.yml @@ -0,0 +1,28 @@ +--- +galaxy_info: + author: Erik-jan Riemers + description: GitLab Runner + license: MIT + min_ansible_version: 2.0 + platforms: + - name: EL + versions: + - all + - name: Ubuntu + versions: + - all + - name: Debian + version: + - all + - name: MacOSX + versions: + - all + - name: Windows + versions: + - all + galaxy_tags: + - gitlab + - runner + - ci + +dependencies: [] diff --git a/roles/riemers.gitlab-runner/tasks/Container.yml b/roles/riemers.gitlab-runner/tasks/Container.yml new file mode 100644 index 00000000..dd1058b0 --- /dev/null +++ b/roles/riemers.gitlab-runner/tasks/Container.yml 
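Review bot: `restart_gitlab_runner` hard-codes `name=gitlab-runner`, while the rest of the role derives the binary and package from `gitlab_runner_package_name` (whose defaults explicitly allow `gitlab-ci-multi-runner` for pre-10.x installs), so on such a host the handler presumably restarts a service that does not exist. Using `name: "{{ gitlab_runner_package_name }}"` keeps it consistent, and while touching it the `key=value` shorthand reads better as YAML keys: `service:` / `name: "{{ gitlab_runner_package_name }}"` / `state: "{{ gitlab_runner_restart_state }}"`.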
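Review bot: The `Debian` entry in `galaxy_info.platforms` uses the key `version:` whereas the other entries use `versions:`; Galaxy reads `versions`, so the Debian `all` entry is silently ignored and should be `versions:`. `min_ansible_version: 2.0` also predates `import_tasks`/`include_tasks` (added in 2.4), which `tasks/Unix.yml` and `tasks/Container.yml` rely on, so it should be raised to a version the role actually runs on.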
@@ -0,0 +1,74 @@ +--- +- name: (Container) Install Gitlab Runner + import_tasks: install-container.yml + when: gitlab_runner_container_install + +- name: (Container) List configured runners + docker_container: + name: "{{ gitlab_runner_container_name }}" + image: "{{ gitlab_runner_container_image }}:{{ gitlab_runner_container_tag }}" + command: list + mounts: + - type: bind + source: "/srv/{{ gitlab_runner_container_name }}" + target: /etc/gitlab-runner + cleanup: yes + interactive: yes + tty: yes + detach: no + register: configured_runners + changed_when: False + check_mode: no + +- name: (Container) Check runner is registered + docker_container: + name: "{{ gitlab_runner_container_name }}" + image: "{{ gitlab_runner_container_image }}:{{ gitlab_runner_container_tag }}" + command: verify + mounts: + - type: bind + source: "/srv/{{ gitlab_runner_container_name }}" + target: /etc/gitlab-runner + cleanup: yes + interactive: yes + tty: yes + detach: no + register: verified_runners + ignore_errors: True + changed_when: False + check_mode: no + +- name: configured_runners? + debug: + msg: "{{configured_runners.container.Output}}" + +- name: verified_runners? 
+ debug: + msg: "{{verified_runners.container.Output}}" + +- name: (Container) Register GitLab Runner + include_tasks: register-runner-container.yml + when: gitlab_runner.token is defined or gitlab_runner_registration_token | string | length > 0 # Ensure value is set + loop: "{{ gitlab_runner_runners }}" + loop_control: + index_var: gitlab_runner_index + loop_var: gitlab_runner + +- name: (Container) Set global options + import_tasks: global-setup.yml + +- name: (Container) Configure GitLab Runner + import_tasks: config-runners-container.yml + +- name: (Container) Start the container + docker_container: + name: "{{ gitlab_runner_container_name }}" + image: "{{ gitlab_runner_container_image }}:{{ gitlab_runner_container_tag }}" + restart_policy: "{{ gitlab_runner_container_restart_policy }}" + mounts: + - type: bind + source: "/srv/{{ gitlab_runner_container_name }}" + target: /etc/gitlab-runner + - type: bind + source: /var/run/docker.sock + target: /var/run/docker.sock diff --git a/roles/riemers.gitlab-runner/tasks/Unix.yml b/roles/riemers.gitlab-runner/tasks/Unix.yml new file mode 100644 index 00000000..da2c5339 --- /dev/null +++ b/roles/riemers.gitlab-runner/tasks/Unix.yml 
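Review bot: The two `debug` tasks (`configured_runners?` and `verified_runners?`) print the raw output of `gitlab-runner list` and `gitlab-runner verify` on every run, and the `list` output includes each runner's authentication token, so tokens end up in the Ansible log and in any CI log that captures it. Drop the debug tasks or guard them with `verbosity: 2`, and add `no_log: true` to the `list`/`verify` `docker_container` tasks; the same applies to the corresponding `command`/`win_command` tasks in `tasks/Unix.yml` and `tasks/Windows.yml`, which register that output without `no_log`. The final `docker_container` also bind-mounts `/var/run/docker.sock` into the runner container, which is root-equivalent on the host; that is expected for the docker executor but deserves a comment on the mount, e.g. `# grants the runner control of the host Docker daemon (root-equivalent); required for the docker executor`, so it is not mistaken for an accident.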
@@ -0,0 +1,40 @@ +- name: Install GitLab Runner (Debian) + import_tasks: install-debian.yml + when: ansible_os_family == 'Debian' + +- name: Install GitLab Runner (RedHat) + import_tasks: install-redhat.yml + when: ansible_os_family == 'RedHat' + +- name: Install GitLab Runner (macOS) + import_tasks: install-macos.yml + when: ansible_os_family == 'Darwin' + +- name: (Unix) List configured runners + command: "{{ gitlab_runner_executable }} list" + register: configured_runners + changed_when: False + check_mode: no + become: yes + +- name: (Unix) Check runner is registered + command: "{{ gitlab_runner_executable }} verify" + register: verified_runners + ignore_errors: True + changed_when: False + check_mode: no + become: yes + +- name: (Unix) Register GitLab Runner + include_tasks: register-runner.yml + when: gitlab_runner.token is defined or gitlab_runner_registration_token | string | length > 0 # Ensure value is set + loop: "{{ gitlab_runner_runners }}" + loop_control: + index_var: gitlab_runner_index + loop_var: gitlab_runner + +- name: Set global options (macOS/Debian/RedHat) + import_tasks: global-setup.yml + +- name: (Unix) Configure GitLab Runner + import_tasks: config-runners.yml diff --git a/roles/riemers.gitlab-runner/tasks/Windows.yml b/roles/riemers.gitlab-runner/tasks/Windows.yml new file mode 100644 index 00000000..59e2cd52 --- /dev/null +++ b/roles/riemers.gitlab-runner/tasks/Windows.yml 
@@ -0,0 +1,38 @@ +- name: Install GitLab Runner (Windows) + import_tasks: install-windows.yml + +- name: (Windows) List configured runners + win_command: "{{ gitlab_runner_executable }} list" + args: + chdir: "{{ gitlab_runner_config_file_location }}" + register: configured_runners + changed_when: False + check_mode: no + +- name: (Windows) Check runner is registered + win_command: "{{ gitlab_runner_executable }} verify" + args: + chdir: "{{ gitlab_runner_config_file_location }}" + register: verified_runners + ignore_errors: True + changed_when: False + check_mode: no + +- name: (Windows) Register GitLab Runner + include_tasks: register-runner-windows.yml + when: gitlab_runner.token is defined or gitlab_runner_registration_token | string | length > 0 # Ensure value is set + loop: "{{ gitlab_runner_runners }}" + loop_control: + index_var: gitlab_runner_index + loop_var: gitlab_runner + +- name: (Windows) Set global options + import_tasks: global-setup-windows.yml + +- name: (Windows) Configure GitLab Runner + import_tasks: config-runners-windows.yml + +- name: (Windows) Start GitLab Runner + win_command: "{{ gitlab_runner_executable }} start" + args: + chdir: "{{ gitlab_runner_config_file_location }}" \ No newline at end of file diff --git a/roles/riemers.gitlab-runner/tasks/config-runner-container.yml b/roles/riemers.gitlab-runner/tasks/config-runner-container.yml new file mode 100644 index 00000000..e74aab7a --- /dev/null +++ b/roles/riemers.gitlab-runner/tasks/config-runner-container.yml 
@@ -0,0 +1,37 @@
+---
+- name: Create temporary file
+ tempfile:
+ state: file
+ path: "{{ temp_runner_config_dir.path }}"
+ prefix: "gitlab-runner.{{ runner_config_index }}."
+ register: temp_runner_config
+ check_mode: no
+ changed_when: false
+
+- name: Isolate runner configuration
+ copy:
+ dest: "{{ temp_runner_config.path }}"
+ content: "{{ runner_config }}"
+ check_mode: no
+ changed_when: false
+
+- include_tasks: update-config-runner.yml
+ when:
+ - ('name = "'+gitlab_runner.name|default(ansible_hostname+'-'+gitlab_runner_index|string)+'"') in runner_config
+ - gitlab_runner.state|default('present') == 'present'
+ loop: "{{ gitlab_runner_runners }}"
+ loop_control:
+ index_var: gitlab_runner_index
+ loop_var: gitlab_runner
+
+- name: Remove runner config
+ file:
+ path: "{{ temp_runner_config.path }}"
+ state: absent
+ when:
+ - ('name = "'+gitlab_runner.name|default(ansible_hostname+'-'+gitlab_runner_index|string)+'"') in runner_config
+ - gitlab_runner.state|default('present') == 'absent'
+ loop: "{{ gitlab_runner_runners }}"
+ loop_control:
+ index_var: gitlab_runner_index
+ loop_var: gitlab_runner
diff --git a/roles/riemers.gitlab-runner/tasks/config-runner-windows.yml b/roles/riemers.gitlab-runner/tasks/config-runner-windows.yml
new file mode 100644
index 00000000..b0623c47
--- /dev/null
+++ b/roles/riemers.gitlab-runner/tasks/config-runner-windows.yml
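Review bot: Both `when` lists rebuild the runner's default name from `ansible_hostname+'-'+gitlab_runner_index|string`, the same expression register-runner-container.yml passes to `--description`; if the default drifts in one place the `name = "…"` match silently fails and the section is neither updated nor removed. Computing the effective name once (a `set_fact` before the loop, or a role variable) and reusing it in the match and in registration keeps the two in lockstep; config-runner-windows.yml and config-runner.yml carry the same duplicated expression. This file is also byte-identical to config-runner.yml (both headers show blob e74aab7a), so config-runners-container.yml could include that file directly and this copy be dropped.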
@@ -0,0 +1,37 @@
+---
+- name: (Windows) Create temporary file
+ win_tempfile:
+ state: file
+ path: "{{ temp_runner_config_dir.path }}"
+ prefix: "gitlab-runner.{{ runner_config_index }}."
+ register: temp_runner_config
+ check_mode: no
+ changed_when: false
+
+- name: (Windows) Isolate runner configuration
+ win_copy:
+ dest: "{{ temp_runner_config.path }}"
+ content: "{{ runner_config }}"
+ check_mode: no
+ changed_when: false
+
+- include_tasks: update-config-runner-windows.yml
+ when:
+ - ('name = "'+gitlab_runner.name|default(ansible_hostname+'-'+gitlab_runner_index|string)+'"') in runner_config
+ - gitlab_runner.state|default('present') == 'present'
+ loop: "{{ gitlab_runner_runners }}"
+ loop_control:
+ index_var: gitlab_runner_index
+ loop_var: gitlab_runner
+
+- name: (Windows) Remove runner config
+ win_file:
+ path: "{{ temp_runner_config.path }}"
+ state: absent
+ when:
+ - ('name = "'+gitlab_runner.name|default(ansible_hostname+'-'+gitlab_runner_index|string)+'"') in runner_config
+ - gitlab_runner.state|default('present') == 'absent'
+ loop: "{{ gitlab_runner_runners }}"
+ loop_control:
+ index_var: gitlab_runner_index
+ loop_var: gitlab_runner
diff --git a/roles/riemers.gitlab-runner/tasks/config-runner.yml b/roles/riemers.gitlab-runner/tasks/config-runner.yml
new file mode 100644
index 00000000..e74aab7a
--- /dev/null
+++ b/roles/riemers.gitlab-runner/tasks/config-runner.yml
@@ -0,0 +1,37 @@
+---
+- name: Create temporary file
+ tempfile:
+ state: file
+ path: "{{ temp_runner_config_dir.path }}"
+ prefix: "gitlab-runner.{{ runner_config_index }}."
+ register: temp_runner_config
+ check_mode: no
+ changed_when: false
+
+- name: Isolate runner configuration
+ copy:
+ dest: "{{ temp_runner_config.path }}"
+ content: "{{ runner_config }}"
+ check_mode: no
+ changed_when: false
+
+- include_tasks: update-config-runner.yml
+ when:
+ - ('name = "'+gitlab_runner.name|default(ansible_hostname+'-'+gitlab_runner_index|string)+'"') in runner_config
+ - gitlab_runner.state|default('present') == 'present'
+ loop: "{{ gitlab_runner_runners }}"
+ loop_control:
+ index_var: gitlab_runner_index
+ loop_var: gitlab_runner
+
+- name: Remove runner config
+ file:
+ path: "{{ temp_runner_config.path }}"
+ state: absent
+ when:
+ - ('name = "'+gitlab_runner.name|default(ansible_hostname+'-'+gitlab_runner_index|string)+'"') in runner_config
+ - gitlab_runner.state|default('present') == 'absent'
+ loop: "{{ gitlab_runner_runners }}"
+ loop_control:
+ index_var: gitlab_runner_index
+ loop_var: gitlab_runner
diff --git a/roles/riemers.gitlab-runner/tasks/config-runners-container.yml b/roles/riemers.gitlab-runner/tasks/config-runners-container.yml
new file mode 100644
index 00000000..ef71ccf1
--- /dev/null
+++ b/roles/riemers.gitlab-runner/tasks/config-runners-container.yml
@@ -0,0 +1,36 @@
+---
+- name: Get existing config.toml
+ slurp:
+ src: "{{ gitlab_runner_config_file }}"
+ register: runner_config_file
+
+- name: Get pre-existing runner configs
+ set_fact:
+ runner_configs: "{{ (runner_config_file['content'] | b64decode).split('[[runners]]\n') }}"
+
+- name: Create temporary directory
+ tempfile:
+ state: directory
+ suffix: gitlab-runner-config
+ register: temp_runner_config_dir
+ check_mode: no
+ changed_when: false
+
+- name: Write config section for each runner
+ include_tasks: config-runner-container.yml
+ loop: "{{ runner_configs }}"
+ loop_control:
+ index_var: runner_config_index
+ loop_var: runner_config
+
+- name: Assemble new config.toml
+ assemble:
+ src: "{{ temp_runner_config_dir.path }}"
+ dest: "{{ gitlab_runner_config_file }}"
+ delimiter: '[[runners]]\n'
+ backup: yes
+ validate: |
+ docker run -i --rm -v %s:/gitlab-runner.conf
+ {{ gitlab_runner_container_image }}:{{ gitlab_runner_container_tag }}
+ verify -c /gitlab-runner.conf
+ mode: 0600
diff --git a/roles/riemers.gitlab-runner/tasks/config-runners-windows.yml b/roles/riemers.gitlab-runner/tasks/config-runners-windows.yml
new file mode 100644
index 00000000..9699d3ab
--- /dev/null
+++ b/roles/riemers.gitlab-runner/tasks/config-runners-windows.yml
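Review bot: `temp_runner_config_dir` is created by `Create temporary directory` and filled with one file per `[[runners]]` section, each carrying that runner's `token`, but after `Assemble new config.toml` nothing removes the directory, so copies of the runner credentials remain under the temp path after every run. Add a final task, e.g. `- name: Remove temporary runner config dir` / `file: path: "{{ temp_runner_config_dir.path }}" state: absent` / `changed_when: false`; config-runners.yml has the same gap, and config-runners-windows.yml additionally leaves `config_toml_temp` and `runners_config_toml_temp` behind. `backup: yes` on assemble likewise keeps timestamped copies of the full config.toml next to the live file; if that is intended, a short comment saying so would stop the next reader from removing it.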
@@ -0,0 +1,68 @@
+---
+- name: (Windows) Get existing config.toml
+ slurp:
+ src: "{{ gitlab_runner_config_file }}"
+ register: runner_config_file
+
+- name: (Windows) Get pre-existing global config
+ set_fact:
+ runner_global_config: "{{ (runner_config_file['content'] | b64decode).split('[[runners]]')[0] }}"
+
+- name: (Windows) Get pre-existing runner configs
+ set_fact:
+ runner_configs: "{{ (runner_config_file['content'] | b64decode).split('[[runners]]')[1:] }}"
+
+- name: (Windows) Create temporary directory
+ win_tempfile:
+ state: directory
+ suffix: gitlab-runner-config
+ register: temp_runner_config_dir
+ check_mode: no
+ changed_when: false
+
+- name: (Windows) Write config section for each runner
+ include_tasks: config-runner-windows.yml
+ loop: "{{ runner_configs }}"
+ loop_control:
+ index_var: runner_config_index
+ loop_var: runner_config
+
+- name: (Windows) Assemble new config.toml
+ when: not ansible_check_mode
+ block:
+ - name: (Windows) Create temporary file config.toml
+ win_tempfile:
+ state: file
+ suffix: temp
+ register: config_toml_temp
+
+ - name: (Windows) Write global config to file
+ win_lineinfile:
+ insertbefore: BOF
+ path: "{{ config_toml_temp.path }}"
+ line: "[[runners]]"
+
+ - name: (Windows) Write global config to file
+ win_lineinfile:
+ insertbefore: BOF
+ path: "{{ config_toml_temp.path }}"
+ line: "{{ runner_global_config }}"
+
+ - name: (Windows) Create temporary file runners-config.toml
+ win_tempfile:
+ state: file
+ suffix: temp
+ register: runners_config_toml_temp
+
+ - name: (Windows) Assemble runners files in config dir
+ win_shell: dir -rec | gc | out-file "{{ runners_config_toml_temp.path }}"
+ args:
+ chdir: "{{ temp_runner_config_dir.path }}"
+
+ - name: (Windows) Assemble new config.toml
+ win_shell: gc "{{ config_toml_temp.path }}","{{ runners_config_toml_temp.path }}" | Set-Content "{{ gitlab_runner_config_file }}"
+
+ - name: (Windows) Verify config
+ win_command: "{{ gitlab_runner_executable }} verify"
+ args:
+ chdir: "{{ gitlab_runner_config_file_location }}"
\ No newline at end of file
diff --git a/roles/riemers.gitlab-runner/tasks/config-runners.yml b/roles/riemers.gitlab-runner/tasks/config-runners.yml
new file mode 100644
index 00000000..0dd87842
--- /dev/null
+++ b/roles/riemers.gitlab-runner/tasks/config-runners.yml
@@ -0,0 +1,35 @@
+---
+- name: Get existing config.toml
+ slurp:
+ src: "{{ gitlab_runner_config_file }}"
+ register: runner_config_file
+ become: "{{ gitlab_runner_system_mode }}"
+
+- name: Get pre-existing runner configs
+ set_fact:
+ runner_configs: "{{ (runner_config_file['content'] | b64decode).split('[[runners]]\n') }}"
+
+- name: Create temporary directory
+ tempfile:
+ state: directory
+ suffix: gitlab-runner-config
+ register: temp_runner_config_dir
+ check_mode: no
+ changed_when: false
+
+- name: Write config section for each runner
+ include_tasks: config-runner.yml
+ loop: "{{ runner_configs }}"
+ loop_control:
+ index_var: runner_config_index
+ loop_var: runner_config
+
+- name: Assemble new config.toml
+ assemble:
+ src: "{{ temp_runner_config_dir.path }}"
+ dest: "{{ gitlab_runner_config_file }}"
+ delimiter: '[[runners]]\n'
+ backup: yes
+ validate: "{{ gitlab_runner_executable }} verify -c %s"
+ mode: 0600
+ become: "{{ gitlab_runner_system_mode }}"
diff --git a/roles/riemers.gitlab-runner/tasks/global-setup-windows.yml b/roles/riemers.gitlab-runner/tasks/global-setup-windows.yml
new file mode 100644
index 00000000..847d8c75
--- /dev/null
+++ b/roles/riemers.gitlab-runner/tasks/global-setup-windows.yml
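Review bot: Unlike config-runners.yml, which runs `verify -c %s` through assemble's `validate:` before the live file is replaced, the `(Windows) Assemble new config.toml` block overwrites `gitlab_runner_config_file` with `Set-Content` first and only then runs `(Windows) Verify config`, so a bad merge leaves the host with a broken config.toml and no backup copy. Writing the merged result to a temp path, running `verify -c` against it, and copying over the live file only on success restores the Unix ordering. Two tasks in the block share the name `(Windows) Write global config to file`; the first inserts the `[[runners]]` marker and should say so. `dir -rec | gc | out-file` concatenates the section files in directory-listing order and with PowerShell's default `out-file` encoding, which may not be the section order or the encoding the runner expects — worth confirming on a real host and noting in a comment.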
@@ -0,0 +1,49 @@
+---
+- name: (Windows) Create .gitlab-runner dir
+ win_file:
+ path: "{{ gitlab_runner_config_file_location }}"
+ state: directory
+
+- name: (Windows) Ensure config.toml exists
+ win_file:
+ path: "{{ gitlab_runner_config_file }}"
+ state: touch
+ modification_time: preserve
+ access_time: preserve
+
+- name: (Windows) Set concurrent option
+ win_lineinfile:
+ dest: "{{ gitlab_runner_config_file }}"
+ regexp: '^(\s*)concurrent =.*'
+ line: '$1concurrent = {{ gitlab_runner_concurrent }}'
+ state: present
+ backrefs: yes
+ notify:
+ - restart_gitlab_runner
+ - restart_gitlab_runner_macos
+ - restart_gitlab_runner_windows
+
+- name: (Windows) Add listen_address to config
+ win_lineinfile:
+ dest: "{{ gitlab_runner_config_file }}"
+ regexp: '^listen_address =.*'
+ line: 'listen_address = "{{ gitlab_runner_listen_address }}"'
+ insertafter: '\s*concurrent.*'
+ state: present
+ when: gitlab_runner_listen_address | length > 0 # Ensure value is set
+ notify:
+ - restart_gitlab_runner
+ - restart_gitlab_runner_windows
+
+- name: (Windows) Add sentry dsn to config
+ win_lineinfile:
+ dest: "{{ gitlab_runner_config_file }}"
+ regexp: '^sentry_dsn =.*'
+ line: 'sentry_dsn = "{{ gitlab_runner_sentry_dsn }}"'
+ insertafter: '\s*concurrent.*'
+ state: present
+ when: gitlab_runner_sentry_dsn | length > 0 # Ensure value is set
+ notify:
+ - restart_gitlab_runner
+ - restart_gitlab_runner_macos
+ - restart_gitlab_runner_windows
diff --git a/roles/riemers.gitlab-runner/tasks/global-setup.yml b/roles/riemers.gitlab-runner/tasks/global-setup.yml
new file mode 100644
index 00000000..12cf357d
--- /dev/null
+++ b/roles/riemers.gitlab-runner/tasks/global-setup.yml
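Review bot: The `notify:` lists in this Windows-only file name `restart_gitlab_runner` and `restart_gitlab_runner_macos`, handlers that cannot apply on a Windows host, and `(Windows) Add listen_address to config` notifies a different subset from the other two tasks; keep only `restart_gitlab_runner_windows` in all three so the intent is obvious. `(Windows) Set concurrent option` uses `backrefs: yes`, which means the option is never written when no `concurrent =` line exists yet, for example on a config.toml that was only touched because registration was skipped; if relying on `register` to have created that line is intentional, a comment on the task should say so. The `regexp` values end in `.*` here but not in global-setup.yml; pick one form for both files.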
@@ -0,0 +1,53 @@
+---
+- name: Create .gitlab-runner dir
+ file:
+ path: "{{ gitlab_runner_config_file_location }}"
+ state: directory
+ mode: '0755'
+ become: "{{ gitlab_runner_system_mode }}"
+
+- name: Ensure config.toml exists
+ file:
+ path: "{{ gitlab_runner_config_file }}"
+ state: touch
+ modification_time: preserve
+ access_time: preserve
+ become: "{{ gitlab_runner_system_mode }}"
+
+- name: Set concurrent option
+ lineinfile:
+ dest: "{{ gitlab_runner_config_file }}"
+ regexp: '^(\s*)concurrent ='
+ line: '\1concurrent = {{ gitlab_runner_concurrent }}'
+ state: present
+ backrefs: yes
+ become: "{{ gitlab_runner_system_mode }}"
+ notify:
+ - restart_gitlab_runner
+ - restart_gitlab_runner_macos
+
+- name: Add listen_address to config
+ lineinfile:
+ dest: "{{ gitlab_runner_config_file }}"
+ regexp: '^listen_address ='
+ line: 'listen_address = "{{ gitlab_runner_listen_address }}"'
+ insertafter: '\s*concurrent.*'
+ state: present
+ when: gitlab_runner_listen_address | length > 0 # Ensure value is set
+ become: "{{ gitlab_runner_system_mode }}"
+ notify:
+ - restart_gitlab_runner
+ - restart_gitlab_runner_macos
+
+- name: Add sentry dsn to config
+ lineinfile:
+ dest: "{{ gitlab_runner_config_file }}"
+ regexp: '^sentry_dsn ='
+ line: 'sentry_dsn = "{{ gitlab_runner_sentry_dsn }}"'
+ insertafter: '\s*concurrent.*'
+ state: present
+ when: gitlab_runner_sentry_dsn | length > 0 # Ensure value is set
+ become: "{{ gitlab_runner_system_mode }}"
+ notify:
+ - restart_gitlab_runner
+ - restart_gitlab_runner_macos
diff --git a/roles/riemers.gitlab-runner/tasks/install-container.yml b/roles/riemers.gitlab-runner/tasks/install-container.yml
new file mode 100644
index 00000000..aa9e5248
--- /dev/null
+++ b/roles/riemers.gitlab-runner/tasks/install-container.yml
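Review bot: `Ensure config.toml exists` creates the file with `state: touch` and no `mode:`, so a fresh config.toml gets the umask default (typically 0644) until `Assemble new config.toml` in config-runners.yml later applies `mode: 0600`; in the meantime it is readable by every local user and, once registration has run, holds the runner tokens. Add `mode: '0600'` to the touch task here and to the matching `Ensure config.toml exists` task in register-runner.yml, and consider `'0700'` rather than `'0755'` for the `.gitlab-runner` dir in `Create .gitlab-runner dir`. `Set concurrent option` uses `backrefs: yes`, which never inserts the line when no `concurrent =` exists; a `# relies on 'gitlab-runner register' having written concurrent =` comment would document that dependency.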
@@ -0,0 +1,10 @@
+---
+- name: (Container) Pull Image from Registry
+ docker_image:
+ name: "{{ gitlab_runner_container_image }}:{{ gitlab_runner_container_tag }}"
+ source: pull
+
+- name: (Container) Define Container volume Path
+ file:
+ state: directory
+ path: "/srv/{{ gitlab_runner_container_name }}"
diff --git a/roles/riemers.gitlab-runner/tasks/install-debian.yml b/roles/riemers.gitlab-runner/tasks/install-debian.yml
new file mode 100644
index 00000000..020eb13c
--- /dev/null
+++ b/roles/riemers.gitlab-runner/tasks/install-debian.yml
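Review bot: `(Container) Define Container volume Path` creates `/srv/{{ gitlab_runner_container_name }}` with no `mode:` or `owner:`, and register-runner-container.yml in this commit bind-mounts that directory to `/etc/gitlab-runner`, where config.toml with the runner tokens is written, so its permissions are whatever the umask happens to give. Set `mode: '0700'` and an explicit `owner:` on the directory. `docker_image` with `source: pull` and a mutable `gitlab_runner_container_tag` pulls whatever the tag currently resolves to; pinning a digest, or documenting in defaults that the tag is expected to be pinned, keeps the deployed runner reproducible.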
@@ -0,0 +1,52 @@
+---
+
+- name: (Debian) Get Gitlab repository installation script
+ get_url:
+ url: "https://packages.gitlab.com/install/repositories/runner/{{ gitlab_runner_package_name }}/script.deb.sh"
+ dest: /tmp/gitlab-runner.script.deb.sh
+ mode: 0744
+ when: gitlab_runner_skip_package_repo_install is not defined or not gitlab_runner_skip_package_repo_install
+
+- name: (Debian) Install Gitlab repository
+ command: bash /tmp/gitlab-runner.script.deb.sh
+ args:
+ creates: "/etc/apt/sources.list.d/runner_{{ gitlab_runner_package_name }}.list"
+ become: true
+ when: gitlab_runner_skip_package_repo_install is not defined or not gitlab_runner_skip_package_repo_install
+
+- name: (Debian) Update gitlab_runner_package_name
+ set_fact:
+ gitlab_runner_package: "{{ gitlab_runner_package_name }}={{ gitlab_runner_package_version }}"
+ gitlab_runner_package_state: "present"
+ when: gitlab_runner_package_version is defined
+
+- name: (Debian) Set gitlab_runner_package_name
+ set_fact:
+ gitlab_runner_package: "{{ gitlab_runner_package_name }}"
+ gitlab_runner_package_state: "latest"
+ when: gitlab_runner_package_version is not defined
+
+- name: (Debian) Install GitLab Runner
+ apt:
+ name: "{{ gitlab_runner_package }}"
+ state: "{{ gitlab_runner_package_state }}"
+ become: true
+ environment:
+ GITLAB_RUNNER_DISABLE_SKEL: "true"
+ when: ansible_distribution_release in ["buster", "focal"]
+
+- name: (Debian) Install GitLab Runner
+ apt:
+ name: "{{ gitlab_runner_package }}"
+ state: "{{ gitlab_runner_package_state }}"
+ become: true
+ when: ansible_distribution_release not in ["buster", "focal"]
+
+- name: (Debian) Remove ~/gitlab-runner/.bash_logout on debian buster and ubuntu focal
+ file:
+ path: /home/gitlab-runner/.bash_logout
+ state: absent
+ when: ansible_distribution_release in ["buster", "focal"]
+
+- name: Set systemd reload options
+ import_tasks: systemd-reload.yml
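Review bot: `(Debian) Get Gitlab repository installation script` fetches script.deb.sh with no `checksum:` and writes it to the fixed path `/tmp/gitlab-runner.script.deb.sh` as the connecting user, then `(Debian) Install Gitlab repository` executes it as root; the role is trusting a remotely fetched script with root privileges at a predictable, world-readable temp path. Prefer configuring the repository declaratively with `apt_key`/`apt_repository`, or at minimum pin `checksum:` and run `get_url` with `become: true` and `mode: '0700'` so the file is root-owned before root executes it; install-redhat.yml has the same pattern with script.rpm.sh. Two consecutive tasks are both named `(Debian) Install GitLab Runner`; suffixing them (`… (buster/focal)` and `… (other releases)`) makes play output unambiguous. `mode: 0744` is an unquoted octal that ansible-lint flags; write `'0744'`.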
diff --git a/roles/riemers.gitlab-runner/tasks/install-macos.yml b/roles/riemers.gitlab-runner/tasks/install-macos.yml
new file mode 100644
index 00000000..552c1417
--- /dev/null
+++ b/roles/riemers.gitlab-runner/tasks/install-macos.yml
@@ -0,0 +1,69 @@
+- name: (MacOS) PRE-CHECK GitLab Runner exists
+ block:
+ - name: (MacOS) Check gitlab-runner executable exists
+ stat:
+ path: "{{ gitlab_runner_executable }}"
+ register: gitlab_runner_exists
+
+ - name: (MacOS) Set fact -> gitlab_runner_exists
+ set_fact:
+ gitlab_runner_exists: "{{ gitlab_runner_exists.stat.exists }}"
+
+ - name: (MacOS) Get existing version
+ shell: "{{ gitlab_runner_executable }} --version | awk '/Version: ([\\d\\.]*)/{print $2}'"
+ register: existing_version_shell
+ failed_when: no
+ check_mode: no
+ changed_when: no
+
+ - name: (MacOS) Set fact -> gitlab_runner_existing_version
+ set_fact:
+ gitlab_runner_existing_version: "{{ existing_version_shell.stdout if existing_version_shell.rc == 0 else '0' }}"
+
+- name: (MacOS) INSTALL GitLab Runner for macOS
+ block:
+ - name: (MacOS) Download GitLab Runner
+ get_url:
+ url: "{{ gitlab_runner_download_url }}"
+ dest: "{{ gitlab_runner_executable }}"
+ force: yes
+
+ - name: (MacOS) Setting Permissions for gitlab-runner executable
+ file:
+ path: "{{ gitlab_runner_executable }}"
+ owner: "{{ ansible_user_id | string }}"
+ group: "{{ ansible_user_gid | string }}"
+ mode: '+x'
+
+ - name: (MacOS) Install GitLab Runner
+ command: "{{ gitlab_runner_executable }} install"
+
+ - name: (MacOS) Start GitLab Runner
+ command: "{{ gitlab_runner_executable }} start"
+
+ when: (not gitlab_runner_exists)
+
+- name: (MacOS) UPGRADE GitLab Runner for macOS
+ block:
+ - name: (MacOS) Stop GitLab Runner
+ command: "{{ gitlab_runner_executable }} stop"
+
+ - name: (MacOS) Download GitLab Runner
+ get_url:
+ url: "{{ gitlab_runner_download_url }}"
+ dest: "{{ gitlab_runner_executable }}"
+ force: yes
+
+ - name: (MacOS) Setting Permissions for gitlab-runner executable
+ file:
+ path: "{{ gitlab_runner_executable }}"
+ owner: "{{ ansible_user_id | string }}"
+ group: "{{ ansible_user_gid | string }}"
+ mode: '+x'
+ become: yes
+
+ - name: (MacOS) Start GitLab Runner
+ command: "{{ gitlab_runner_executable }} start"
+ when:
+ - gitlab_runner_exists
+ - gitlab_runner_existing_version != gitlab_runner_wanted_version or gitlab_runner_wanted_version == 'latest'
diff --git a/roles/riemers.gitlab-runner/tasks/install-redhat.yml b/roles/riemers.gitlab-runner/tasks/install-redhat.yml
new file mode 100644
index 00000000..32d27c1e
--- /dev/null
+++ b/roles/riemers.gitlab-runner/tasks/install-redhat.yml
@@ -0,0 +1,38 @@
+---
+
+- name: (RedHat) Get Gitlab repository installation script
+ get_url:
+ url: "https://packages.gitlab.com/install/repositories/runner/{{ gitlab_runner_package_name }}/script.rpm.sh"
+ dest: /tmp/gitlab-runner.script.rpm.sh
+ mode: 0744
+ when: gitlab_runner_skip_package_repo_install is not defined or not gitlab_runner_skip_package_repo_install
+
+- name: (RedHat) Install Gitlab repository
+ shell: >
+ os=el dist={{ '7' if ansible_distribution_major_version | int == 8 else ansible_distribution_major_version }}
+ bash /tmp/gitlab-runner.script.rpm.sh
+ args:
+ creates: "/etc/yum.repos.d/runner_{{ gitlab_runner_package_name }}.repo"
+ become: true
+ when: gitlab_runner_skip_package_repo_install is not defined or not gitlab_runner_skip_package_repo_install
+
+- name: (RedHat) Update gitlab_runner_package_name
+ set_fact:
+ gitlab_runner_package: "{{ gitlab_runner_package_name }}-{{ gitlab_runner_package_version }}"
+ gitlab_runner_package_state: "present"
+ when: gitlab_runner_package_version is defined
+
+- name: (RedHat) Set gitlab_runner_package_name
+ set_fact:
+ gitlab_runner_package: "{{ gitlab_runner_package_name }}"
+ gitlab_runner_package_state: "latest"
+ when: gitlab_runner_package_version is not defined
+
+- name: (RedHat) Install GitLab Runner
+ package:
+ name: "{{ gitlab_runner_package }}"
+ state: "{{ gitlab_runner_package_state }}"
+ become: true
+
+- name: Set systemd reload options
+ import_tasks: systemd-reload.yml
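Review bot: Both the INSTALL and UPGRADE blocks download `gitlab_runner_download_url` with `get_url` `force: yes` and no `checksum:`, and the UPGRADE block fires on every play once `gitlab_runner_wanted_version == 'latest'`, so the binary that is then made executable and started is replaced unverified each run. Add a `checksum:` parameter (a role variable the caller fills from the published sha256) so a tampered or truncated download is refused before `install`/`start`. `(MacOS) Get existing version` pipes through `awk '/Version: ([\\d\\.]*)/{print $2}'`, but the awk shipped with macOS does not support `\d`, so the pattern likely never matches, `stdout` stays empty and the version comparison always differs from `gitlab_runner_wanted_version`; `awk '/^Version:/ {print $2}'` is portable. The download and permission tasks are duplicated between the two blocks with only `become: yes` differing; one block guarded by the combined condition would be easier to keep in sync.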
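Review bot: `(RedHat) Install Gitlab repository` hard-codes `os=el` for every host whose `ansible_os_family` is RedHat, which includes Fedora; for those hosts the script is told to set up an Enterprise Linux repository, which is presumably not what is wanted. Either gate the task on `ansible_distribution` or derive `os` from it. The `dist` expression that maps major version 8 to `'7'` deserves a `# el8 packages not published yet, use el7 repo` style comment, since it will silently keep pointing at el7 if that changes.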
diff --git a/roles/riemers.gitlab-runner/tasks/install-windows.yml b/roles/riemers.gitlab-runner/tasks/install-windows.yml
new file mode 100644
index 00000000..4fa6f942
--- /dev/null
+++ b/roles/riemers.gitlab-runner/tasks/install-windows.yml
@@ -0,0 +1,67 @@
+- name: (Windows) PRE-CHECK GitLab Runner exists
+ block:
+ - name: (Windows) Check gitlab-runner executable exists
+ win_stat:
+ path: "{{ gitlab_runner_executable }}"
+ register: gitlab_runner_exists
+
+ - name: (Windows) Set fact -> gitlab_runner_exists
+ set_fact:
+ gitlab_runner_exists: "{{ gitlab_runner_exists.stat.exists }}"
+
+ - name: (Windows) Get existing version
+ win_shell: "{{ gitlab_runner_executable }} --version | Select-String 'Version:' -CaseSensitive | %{ $_.Line.Split(' ')[-1].Trim(); }"
+ register: existing_version_shell
+ failed_when: no
+ check_mode: no
+ changed_when: no
+
+ - name: (Windows) Set fact -> gitlab_runner_existing_version
+ set_fact:
+ gitlab_runner_existing_version: "{{ existing_version_shell.stdout | trim if existing_version_shell.rc == 0 else '0' }}"
+
+- name: (Windows) INSTALL GitLab Runner for Windows
+ block:
+ - name: (Windows) Ensure install directory exists
+ win_file:
+ path: "{{ gitlab_runner_install_directory }}"
+ state: directory
+
+ - name: (Windows) Download GitLab Runner
+ win_get_url:
+ url: "{{ gitlab_runner_download_url }}"
+ dest: "{{ gitlab_runner_executable }}"
+ force: yes
+
+ - name: (Windows) Install GitLab Runner
+ win_command: "{{ gitlab_runner_executable }} install"
+ args:
+ chdir: "{{ gitlab_runner_config_file_location }}"
+ when: (gitlab_runner_windows_service_user | length == 0) or (gitlab_runner_windows_service_password | length == 0)
+
+ - name: (Windows) Install GitLab Runner
+ win_command: "{{ gitlab_runner_executable }} install --user \"{{ gitlab_runner_windows_service_user }}\" --password \"{{ gitlab_runner_windows_service_password }}\""
+ args:
+ chdir: "{{ gitlab_runner_config_file_location }}"
+ when:
+ - gitlab_runner_windows_service_user | length > 0
+ - gitlab_runner_windows_service_password | length > 0
+
+ when: (not gitlab_runner_exists)
+
+- name: (Windows) Make sure runner is stopped
+ win_command: "{{ gitlab_runner_executable }} stop"
+ ignore_errors: yes
+ when:
+ - gitlab_runner_exists
+
+- name: (Windows) UPGRADE GitLab Runner for Windows
+ block:
+ - name: (Windows) Download GitLab Runner
+ win_get_url:
+ url: "{{ gitlab_runner_download_url }}"
+ dest: "{{ gitlab_runner_executable }}"
+ force: yes
+ when:
+ - gitlab_runner_exists
+ - gitlab_runner_existing_version != gitlab_runner_wanted_version or gitlab_runner_wanted_version == 'latest'
diff --git a/roles/riemers.gitlab-runner/tasks/line-config-runner-windows.yml b/roles/riemers.gitlab-runner/tasks/line-config-runner-windows.yml
new file mode 100644
index 00000000..eab6b88e
--- /dev/null
+++ b/roles/riemers.gitlab-runner/tasks/line-config-runner-windows.yml
@@ -0,0 +1,14 @@
+---
+- name: (Windows) Ensure section exists
+ win_lineinfile:
+ path: "{{ temp_runner_config.path }}"
+ regexp: '^(\s*)\[{{ section|regex_escape }}\]$'
+ line: '{{ " " * (section.split(".")|length -1) }}[{{ section }}]'
+
+- name: (Windows) Modify existing line
+ win_lineinfile:
+ path: "{{ temp_runner_config.path }}"
+ insertafter: '\s+\[{{ section | regex_escape }}\]'
+ regexp: '^(\s*){{ line | to_json | regex_escape }} =.*'
+ line: '{{ " " * (section.split(".")|length) }}{{ line | to_json }} = {{ gitlab_runner.extra_configs[section][line] | to_json }}'
+ register: modified_config_line
diff --git a/roles/riemers.gitlab-runner/tasks/line-config-runner.yml b/roles/riemers.gitlab-runner/tasks/line-config-runner.yml
new file mode 100644
index 00000000..8f9be281
--- /dev/null
+++ b/roles/riemers.gitlab-runner/tasks/line-config-runner.yml
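Review bot: The second `(Windows) Install GitLab Runner` task passes `gitlab_runner_windows_service_password` on the command line via `--password "…"` and has no `no_log: true`, so the service account password ends up in Ansible's task output, callbacks and any central log collector. Add `no_log: true` to that task; the value is still visible in the process command line on the host while `install` runs, which is inherent to the runner CLI and worth a comment so nobody is surprised. `win_get_url` in both blocks downloads the executable with `force: yes` and no `checksum:`, the same gap as install-macos.yml. The two install tasks share one name; suffix the second with `(service account)`.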
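Review bot: `(Windows) Modify existing line` uses `insertafter: '\s+\[{{ section | regex_escape }}\]'`, which requires at least one leading space, while `(Windows) Ensure section exists` writes the header with `" " * (section.split(".")|length -1)` spaces, i.e. zero indent for a section name without a dot; in that case `insertafter` never matches and win_lineinfile appends the new line at end of file, outside the section. Use `insertafter: '^\s*\[{{ section | regex_escape }}\]'` here and in line-config-runner.yml, which has the same regex. `register: modified_config_line` is not consumed in any file added in this commit that is visible here; if update-config-runner-windows.yml relies on it, a comment naming that caller would help the next reader.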
@@ -0,0 +1,14 @@
+---
+- name: Ensure section exists
+ lineinfile:
+ path: "{{ temp_runner_config.path }}"
+ regexp: '^(\s*)\[{{ section|regex_escape }}\]$'
+ line: '{{ " " * (section.split(".")|length -1) }}[{{ section }}]'
+
+- name: Modify existing line
+ lineinfile:
+ path: "{{ temp_runner_config.path }}"
+ insertafter: '\s+\[{{ section | regex_escape }}\]'
+ regexp: '^(\s*){{ line | to_json | regex_escape }} ='
+ line: '{{ " " * (section.split(".")|length) }}{{ line | to_json }} = {{ gitlab_runner.extra_configs[section][line] | to_json }}'
+ register: modified_config_line
diff --git a/roles/riemers.gitlab-runner/tasks/main.yml b/roles/riemers.gitlab-runner/tasks/main.yml
new file mode 100644
index 00000000..10fd1aa9
--- /dev/null
+++ b/roles/riemers.gitlab-runner/tasks/main.yml
@@ -0,0 +1,23 @@
+---
+- name: Load platform-specific variables
+ include_vars: "{{ lookup('first_found', possible_files) }}"
+ vars:
+ possible_files:
+ files:
+ - '{{ ansible_distribution }}.yml'
+ - '{{ ansible_os_family }}.yml'
+ - default.yml
+ paths:
+ - 'vars'
+
+- name: Install Gitlab Runner (Container)
+ import_tasks: Container.yml
+ when: gitlab_runner_container_install
+
+- name: Install GitLab Runner (Unix)
+ import_tasks: Unix.yml
+ when: ansible_os_family != 'Windows' and not gitlab_runner_container_install
+
+- name: Install GitLab Runner (Windows)
+ import_tasks: Windows.yml
+ when: ansible_os_family == 'Windows' and not gitlab_runner_container_install
diff --git a/roles/riemers.gitlab-runner/tasks/register-runner-container.yml b/roles/riemers.gitlab-runner/tasks/register-runner-container.yml
new file mode 100644
index 00000000..fabb1604
--- /dev/null
+++ b/roles/riemers.gitlab-runner/tasks/register-runner-container.yml
@@ -0,0 +1,114 @@
+---
+- name: Clear Config File
+ block:
+ - name: remove config.toml file
+ file:
+ path: "{{ gitlab_runner_config_file }}"
+ state: absent
+
+ - name: Ensure config.toml exists
+ file:
+ path: "{{ gitlab_runner_config_file }}"
+ state: touch
+ modification_time: preserve
+ access_time: preserve
+ when: (verified_runners.container.Output.find("Verifying runner... is removed") != -1)
+
+- name: Register runner to GitLab
+ docker_container:
+ name: "{{ gitlab_runner_container_name }}"
+ image: "{{ gitlab_runner_container_image }}:{{ gitlab_runner_container_tag }}"
+ command: |
+ register
+ --non-interactive
+ --url '{{ gitlab_runner_coordinator_url }}'
+ --registration-token '{{ gitlab_runner.token|default(gitlab_runner_registration_token) }}'
+ --description '{{ gitlab_runner.name|default(ansible_hostname+"-"+gitlab_runner_index|string) }}'
+ --tag-list '{{ gitlab_runner.tags|default([]) | join(",") }}'
+ {% if gitlab_runner.clone_url|default(false) %}
+ --clone-url "{{ gitlab_runner.clone_url }}"
+ {% endif %}
+ {% if gitlab_runner.run_untagged|default(true) %}
+ --run-untagged
+ {% endif %}
+ --executor '{{ gitlab_runner.executor|default("shell") }}'
+ --limit '{{ gitlab_runner.concurrent_specific|default(0) }}'
+ --output-limit '{{ gitlab_runner.output_limit|default(4096) }}'
+ --locked='{{ gitlab_runner.locked|default(false) }}'
+ {% for env_var in gitlab_runner.env_vars|default([]) %}
+ --env '{{ env_var }}'
+ {% endfor %}
+ {% if gitlab_runner.pre_clone_script|default(false) %}
+ --pre-clone-script "{{ gitlab_runner.pre_clone_script }}"
+ {% endif %}
+ {% if gitlab_runner.pre_build_script|default(false) %}
+ --pre-build-script "{{ gitlab_runner.pre_build_script }}"
+ {% endif %}
+ {% if gitlab_runner.post_build_script|default(false) %}
+ --post-build-script "{{ gitlab_runner.post_build_script }}"
+ {% endif %}
+ --docker-image '{{ gitlab_runner.docker_image|default("alpine") }}'
+ {% if gitlab_runner.docker_privileged|default(false) %}
+ --docker-privileged
+ {% endif %}
+ {% if gitlab_runner.docker_tlsverify|default(false) %}
+ --docker-tlsverify '{{ gitlab_runner.docker_tlsverify|default("true") }}'
+ {% endif %}
+ {% if gitlab_runner.docker_dns|default(false) %}
+ --docker-dns '{{ gitlab_runner.docker_dns|default("1.1.1.1") }}'
+ {% endif %}
+ {% for volume in gitlab_runner.docker_volumes | default([]) %}
+ --docker-volumes "{{ volume }}"
+ {% endfor %}
+ --ssh-user '{{ gitlab_runner.ssh_user|default("") }}'
+ --ssh-host '{{ gitlab_runner.ssh_host|default("") }}'
+ --ssh-port '{{ gitlab_runner.ssh_port|default("") }}'
+ --ssh-password '{{ gitlab_runner.ssh_password|default("") }}'
+ --ssh-identity-file '{{ gitlab_runner.ssh_identity_file|default("") }}'
+ {% if gitlab_runner.cache_type is defined %}
+ --cache-type '{{ gitlab_runner.cache_type }}'
+ {% endif %}
+ {% if gitlab_runner.cache_shared|default(false) %}
+ --cache-shared
+ {% endif %}
+ {% if gitlab_runner.cache_path is defined %}
+ --cache-path '{{ gitlab_runner.cache_path }}'
+ {% endif %}
+ {% if gitlab_runner.cache_s3_server_address is defined %}
+ --cache-s3-server-address '{{ gitlab_runner.cache_s3_server_address }}'
+ {% if gitlab_runner.cache_s3_access_key is defined %}
+ --cache-s3-access-key '{{ gitlab_runner.cache_s3_access_key }}'
+ {% endif %}
+ {% if gitlab_runner.cache_s3_secret_key is defined %}
+ --cache-s3-secret-key '{{ gitlab_runner.cache_s3_secret_key }}'
+ {% endif %}
+ {% endif %}
+ {% if gitlab_runner.cache_s3_bucket_name is defined %}
+ --cache-s3-bucket-name '{{ gitlab_runner.cache_s3_bucket_name }}'
+ {% endif %}
+ {% if gitlab_runner.cache_s3_bucket_location is defined %}
+ --cache-s3-bucket-location '{{ gitlab_runner.cache_s3_bucket_location }}'
+ {% endif %}
+ {% if gitlab_runner.builds_dir|default(false) %}
+ --builds-dir '{{ gitlab_runner.builds_dir }}'
+ {% endif %}
+ {% if gitlab_runner.cache_dir|default(false) %}
+ --cache-dir '{{ gitlab_runner.cache_dir }}'
+ {% endif %}
+ {% if gitlab_runner.cache_s3_insecure|default(false) %}
+ --cache-s3-insecure
+ {% endif %}
+ {% if gitlab_runner.extra_registration_option is defined %}
+ {{ gitlab_runner.extra_registration_option }}
+ {% endif %}
+ mounts:
+ - type: bind
+ source: "/srv/{{ gitlab_runner_container_name }}"
+ target: /etc/gitlab-runner
+ cleanup: yes
+ auto_remove: yes
+ when: (verified_runners.container.Output.find("Verifying runner... is removed") != -1) or
+ ((configured_runners.container.Output.find('\n' + gitlab_runner.name|default(ansible_hostname+'-'+gitlab_runner_index|string)) == -1) and
+ (gitlab_runner.state|default('present') == 'present'))
+ no_log: false
+
diff --git a/roles/riemers.gitlab-runner/tasks/register-runner-windows.yml b/roles/riemers.gitlab-runner/tasks/register-runner-windows.yml
new file mode 100644
index 00000000..6b02ca50
--- /dev/null
+++ b/roles/riemers.gitlab-runner/tasks/register-runner-windows.yml
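Review bot: `Register runner to GitLab` explicitly sets `no_log: false` on a task whose `command:` contains `--registration-token`, `--ssh-password` and `--cache-s3-secret-key`, so the rendered command with those secrets is printed in play output, sent to callbacks and kept in any log collector. Set `no_log: true` here, optionally behind a role variable so debugging can opt out; register-runner-windows.yml has the same problem with `#no_log: true` commented out, and register-runner.yml should be checked for it too. `--ssh-user`/`--ssh-host`/`--ssh-port`/`--ssh-password`/`--ssh-identity-file` are always passed with `default("")`, putting an empty-password flag on every registration regardless of executor; the `is defined` guards used in register-runner-windows.yml are the better shape. The `Clear Config File` block deletes the whole config.toml whenever `verify` reports any runner `is removed`, which drops every other runner's registration on the host — confirm that is intended and document it if so.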
@@ -0,0 +1,118 @@
+---
+- name: (Windows) Clear Config File
+ block:
+ - name: (Windows) remove config.toml file
+ win_file:
+ path: "{{ gitlab_runner_config_file }}"
+ state: absent
+
+ - name: (Windows) Create .gitlab-runner dir
+ win_file:
+ path: "{{ gitlab_runner_config_file_location }}"
+ state: directory
+
+ - name: (Windows) Ensure config.toml exists
+ win_file:
+ path: "{{ gitlab_runner_config_file }}"
+ state: touch
+ modification_time: preserve
+ access_time: preserve
+ when: (verified_runners.stderr.find("Verifying runner... is removed") != -1)
+
+- name: (Windows) Register runner to GitLab
+ win_shell: >
+ {{ gitlab_runner_executable }} register
+ --non-interactive
+ --url '{{ gitlab_runner.url|default(gitlab_runner_coordinator_url) }}'
+ --registration-token '{{ gitlab_runner.token|default(gitlab_runner_registration_token) }}'
+ --description '{{ gitlab_runner.name|default(ansible_hostname+"-"+gitlab_runner_index|string) }}'
+ --tag-list '{{ gitlab_runner.tags|default([]) | join(",") }}'
+ {% if gitlab_runner.clone_url|default(false) %}
+ --clone-url "{{ gitlab_runner.clone_url }}"
+ {% endif %}
+ {% if gitlab_runner.run_untagged|default(true) %}
+ --run-untagged
+ {% endif %}
+ --executor '{{ gitlab_runner.executor|default("shell") }}'
+ {% if gitlab_runner.shell is defined %}
+ --shell '{{ gitlab_runner.shell }}'
+ {% endif %}
+ --limit '{{ gitlab_runner.concurrent_specific|default(0) }}'
+ --output-limit '{{ gitlab_runner.output_limit|default(4096) }}'
+ --locked='{{ gitlab_runner.locked|default(false) }}'
+ {% for env_var in gitlab_runner.env_vars|default([]) %}
+ --env '{{ env_var }}'
+ {% endfor %}
+ {% if gitlab_runner.pre_clone_script|default(false) %}
+ --pre-clone-script "{{ gitlab_runner.pre_clone_script }}"
+ {% endif %}
+ {% if gitlab_runner.pre_build_script|default(false) %}
+ --pre-build-script "{{ gitlab_runner.pre_build_script }}"
+ {% endif %}
+ {% if gitlab_runner.post_build_script|default(false) %}
+ --post-build-script "{{ gitlab_runner.post_build_script }}"
+ {% endif %}
+ --docker-image '{{ gitlab_runner.docker_image|default("alpine") }}'
+ {% if gitlab_runner.docker_privileged|default(false) %}
+ --docker-privileged
+ {% endif %}
+ {% for volume in gitlab_runner.docker_volumes | default([]) %}
+ --docker-volumes "{{ volume }}"
+ {% endfor %}
+ {% if gitlab_runner.ssh_user is defined %}
+ --ssh-user '{{ gitlab_runner.ssh_user }}'
+ {% endif %}
+ {% if gitlab_runner.ssh_host is defined %}
+ --ssh-host '{{ gitlab_runner.ssh_host }}'
+ {% endif %}
+ {% if gitlab_runner.ssh_port is defined %}
+ --ssh-port '{{ gitlab_runner.ssh_port }}'
+ {% endif %}
+ {% if gitlab_runner.ssh_password is defined %}
+ --ssh-password '{{ gitlab_runner.ssh_password }}'
+ {% endif %}
+ {% if gitlab_runner.ssh_identity_file is defined %}
+ --ssh-identity-file '{{ gitlab_runner.ssh_identity_file }}'
+ {% endif %}
+ {% if gitlab_runner.cache_type is defined %}
+ --cache-type '{{ gitlab_runner.cache_type }}'
+ {% endif %}
+ {% if gitlab_runner.cache_shared|default(false) %}
+ --cache-shared
+ {% endif %}
+ {% if gitlab_runner.cache_path is defined %}
+ --cache-path '{{ gitlab_runner.cache_path }}'
+ {% endif %}
+ {% if gitlab_runner.cache_s3_server_address is defined %}
+ --cache-s3-server-address '{{ gitlab_runner.cache_s3_server_address }}'
+ {% endif %}
+ {% if gitlab_runner.cache_s3_access_key is defined %}
+ --cache-s3-access-key '{{ gitlab_runner.cache_s3_access_key }}'
+ {% endif %}
+ {% if gitlab_runner.cache_s3_secret_key is defined %}
+ --cache-s3-secret-key '{{ gitlab_runner.cache_s3_secret_key }}'
+ {% endif %}
+ {% if gitlab_runner.cache_s3_bucket_name is defined %}
+ --cache-s3-bucket-name '{{ gitlab_runner.cache_s3_bucket_name }}'
+ {% endif %}
+ {% if gitlab_runner.cache_s3_bucket_location is defined %}
+ --cache-s3-bucket-location '{{ gitlab_runner.cache_s3_bucket_location }}'
+ {% endif %}
+ {% if gitlab_runner.builds_dir|default(false) %}
+ --builds-dir '{{ gitlab_runner.builds_dir }}'
+ {% endif %}
+ {% if gitlab_runner.cache_dir|default(false) %}
+ --cache-dir '{{ gitlab_runner.cache_dir }}'
+ {% endif %}
+ {% if gitlab_runner.cache_s3_insecure|default(false) %}
+ --cache-s3-insecure
+ {% endif %}
+ {% if gitlab_runner.extra_registration_option is defined %}
+ {{ gitlab_runner.extra_registration_option }}
+ {% endif %}
+ when: (verified_runners.stderr.find("Verifying runner... is removed") != -1) or
+ ((configured_runners.stderr.find('\n' + gitlab_runner.name|default(ansible_hostname+'-'+gitlab_runner_index|string)) == -1) and
+ (gitlab_runner.state|default('present') == 'present'))
+ args:
+ chdir: "{{ gitlab_runner_config_file_location }}"
+ #no_log: true
diff --git a/roles/riemers.gitlab-runner/tasks/register-runner.yml b/roles/riemers.gitlab-runner/tasks/register-runner.yml
new file mode 100644
index 00000000..29e59f97
--- /dev/null
+++ b/roles/riemers.gitlab-runner/tasks/register-runner.yml
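Review bot: `(Windows) Clear Config File` deletes the entire config.toml whenever `verified_runners.stderr` contains "Verifying runner... is removed", and because this file is included once per entry of `gitlab_runner_runners` (see Windows.yml), a single runner removed on the GitLab side makes every other runner on the host lose its registration and be re-registered with a fresh token on the following iterations. Scoping the cleanup to the affected runner — `gitlab-runner unregister` for that name, or rewriting only its `[[runners]]` section — avoids the collateral loss; register-runner-container.yml and register-runner.yml carry the same block. `#no_log: true` on the register task should be uncommented for the reason raised on register-runner-container.yml, since `--registration-token`, `--ssh-password` and `--cache-s3-secret-key` are in the rendered command.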
@@ -0,0 +1,117 @@ +--- +- name: Clear Config File + block: + - name: remove config.toml file + file: + path: "{{ gitlab_runner_config_file }}" + state: absent + become: "{{ gitlab_runner_system_mode }}" + + - name: Create .gitlab-runner dir + file: + path: "{{ gitlab_runner_config_file_location }}" + state: directory + mode: '0755' + become: "{{ gitlab_runner_system_mode }}" + + - name: Ensure config.toml exists + file: + path: "{{ gitlab_runner_config_file }}" + state: touch + modification_time: preserve + access_time: preserve + become: "{{ gitlab_runner_system_mode }}" + when: (verified_runners.stderr.find("Verifying runner... is removed") != -1) + +- name: Register runner to GitLab + command: > + {{ gitlab_runner_executable }} register + --non-interactive + --url '{{ gitlab_runner.url|default(gitlab_runner_coordinator_url) }}' + --registration-token '{{ gitlab_runner.token|default(gitlab_runner_registration_token) }}' + --description '{{ gitlab_runner.name|default(ansible_hostname+"-"+gitlab_runner_index|string) }}' + --tag-list '{{ gitlab_runner.tags|default([]) | join(",") }}' + {% if gitlab_runner.clone_url|default(false) %} + --clone-url "{{ gitlab_runner.clone_url }}" + {% endif %} + {% if gitlab_runner.run_untagged|default(true) %} + --run-untagged + {% endif %} + --executor '{{ gitlab_runner.executor|default("shell") }}' + {% if gitlab_runner.shell is defined %} + --shell '{{ gitlab_runner.shell }}' + {% endif %} + --limit '{{ gitlab_runner.concurrent_specific|default(0) }}' + --output-limit '{{ gitlab_runner.output_limit|default(4096) }}' + --locked='{{ gitlab_runner.locked|default(false) }}' + {% for env_var in gitlab_runner.env_vars|default([]) %} + --env '{{ env_var }}' + {% endfor %} + {% if gitlab_runner.pre_clone_script|default(false) %} + --pre-clone-script "{{ gitlab_runner.pre_clone_script }}" + {% endif %} + {% if gitlab_runner.pre_build_script|default(false) %} + --pre-build-script "{{ gitlab_runner.pre_build_script }}" + {% endif %} + {% if 
gitlab_runner.post_build_script|default(false) %} + --post-build-script "{{ gitlab_runner.post_build_script }}" + {% endif %} + --docker-image '{{ gitlab_runner.docker_image|default("alpine") }}' + {% if gitlab_runner.docker_privileged|default(false) %} + --docker-privileged + {% endif %} + {% if gitlab_runner.docker_tlsverify|default(false) %} + --docker-tlsverify '{{ gitlab_runner.docker_tlsverify|default("true") }}' + {% endif %} + {% if gitlab_runner.docker_dns|default(false) %} + --docker-dns '{{ gitlab_runner.docker_dns|default("1.1.1.1") }}' + {% endif %} + {% for volume in gitlab_runner.docker_volumes | default([]) %} + --docker-volumes "{{ volume }}" + {% endfor %} + --ssh-user '{{ gitlab_runner.ssh_user|default("") }}' + --ssh-host '{{ gitlab_runner.ssh_host|default("") }}' + --ssh-port '{{ gitlab_runner.ssh_port|default("") }}' + --ssh-password '{{ gitlab_runner.ssh_password|default("") }}' + --ssh-identity-file '{{ gitlab_runner.ssh_identity_file|default("") }}' + {% if gitlab_runner.cache_type is defined %} + --cache-type '{{ gitlab_runner.cache_type }}' + {% endif %} + {% if gitlab_runner.cache_shared|default(false) %} + --cache-shared + {% endif %} + {% if gitlab_runner.cache_path is defined %} + --cache-path '{{ gitlab_runner.cache_path }}' + {% endif %} + {% if gitlab_runner.cache_s3_server_address is defined %} + --cache-s3-server-address '{{ gitlab_runner.cache_s3_server_address }}' + {% if gitlab_runner.cache_s3_access_key is defined %} + --cache-s3-access-key '{{ gitlab_runner.cache_s3_access_key }}' + {% endif %} + {% if gitlab_runner.cache_s3_secret_key is defined %} + --cache-s3-secret-key '{{ gitlab_runner.cache_s3_secret_key }}' + {% endif %} + {% endif %} + {% if gitlab_runner.cache_s3_bucket_name is defined %} + --cache-s3-bucket-name '{{ gitlab_runner.cache_s3_bucket_name }}' + {% endif %} + {% if gitlab_runner.cache_s3_bucket_location is defined %} + --cache-s3-bucket-location '{{ gitlab_runner.cache_s3_bucket_location }}' + {% endif 
%} + {% if gitlab_runner.builds_dir|default(false) %} + --builds-dir '{{ gitlab_runner.builds_dir }}' + {% endif %} + {% if gitlab_runner.cache_dir|default(false) %} + --cache-dir '{{ gitlab_runner.cache_dir }}' + {% endif %} + {% if gitlab_runner.cache_s3_insecure|default(false) %} + --cache-s3-insecure + {% endif %} + {% if gitlab_runner.extra_registration_option is defined %} + {{ gitlab_runner.extra_registration_option }} + {% endif %} + when: (verified_runners.stderr.find("Verifying runner... is removed") != -1) or + ((configured_runners.stderr.find('\n' + gitlab_runner.name|default(ansible_hostname+'-'+gitlab_runner_index|string)) == -1) and + (gitlab_runner.state|default('present') == 'present')) + no_log: true + become: "{{ gitlab_runner_system_mode }}" diff --git a/roles/riemers.gitlab-runner/tasks/section-config-runner-windows.yml b/roles/riemers.gitlab-runner/tasks/section-config-runner-windows.yml new file mode 100644 index 00000000..3aad7a06 --- /dev/null +++ b/roles/riemers.gitlab-runner/tasks/section-config-runner-windows.yml @@ -0,0 +1,5 @@ +--- +- include: line-config-runner-windows.yml + loop: "{{ gitlab_runner.extra_configs[section] | list }}" + loop_control: + loop_var: line diff --git a/roles/riemers.gitlab-runner/tasks/section-config-runner.yml b/roles/riemers.gitlab-runner/tasks/section-config-runner.yml new file mode 100644 index 00000000..7c3de49d --- /dev/null +++ b/roles/riemers.gitlab-runner/tasks/section-config-runner.yml @@ -0,0 +1,5 @@ +--- +- include: line-config-runner.yml + loop: "{{ gitlab_runner.extra_configs[section] | list }}" + loop_control: + loop_var: line diff --git a/roles/riemers.gitlab-runner/tasks/systemd-reload.yml b/roles/riemers.gitlab-runner/tasks/systemd-reload.yml new file mode 100644 index 00000000..d5d87d38 --- /dev/null +++ b/roles/riemers.gitlab-runner/tasks/systemd-reload.yml 
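Review bot: The `Ensure config.toml exists` task creates the file with `state: touch` and no `mode`, so it is born with the umask default (typically 0644) and `gitlab-runner register` then fills it with the runner authentication token, any `--ssh-password` and the S3 cache secret key; with the directory at `mode: '0755'` that material is readable by every local user unless something outside this hunk tightens it. Add `mode: '0600'` to the touch task and use `mode: '0700'` for the `.gitlab-runner` directory. The registration command itself places `--registration-token`, `--ssh-password` and `--cache-s3-secret-key` in the process argument list, where they are visible in `ps` for the duration of the call even though `no_log: true` keeps them out of the Ansible log; that is inherent to the CLI, but a comment such as `# secrets are passed as argv: keep no_log, never switch this to shell:` would stop someone dropping the flag while debugging. Separately, the five `--ssh-*` options are now always passed with `default("")` instead of being guarded by `is defined` as in the sibling variant, and the inner `default("true")` / `default("1.1.1.1")` on `--docker-tlsverify` / `--docker-dns` can never apply because each sits inside an `{% if %}` that already requires the value to be truthy.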
@@ -0,0 +1,37 @@ +--- + +- name: Ensure /etc/systemd/system/gitlab-runner.service.d/ exists + become: yes + file: + path: /etc/systemd/system/gitlab-runner.service.d + state: directory + owner: root + group: root + mode: 0755 + +- name: Add reload command to GitLab Runner system service + become: yes + copy: + dest: /etc/systemd/system/gitlab-runner.service.d/exec-reload.conf + content: | + [Service] + ExecReload=/bin/kill -HUP $MAINPID + register: gitlab_runner_exec_reload + +# https://docs.gitlab.com/runner/configuration/init.html#overriding-systemd +- name: Configure graceful stop for GitLab Runner system service + become: yes + copy: + dest: /etc/systemd/system/gitlab-runner.service.d/kill.conf + content: | + [Service] + TimeoutStopSec={{ gitlab_runner_timeout_stop_seconds }} + KillSignal=SIGQUIT + when: gitlab_runner_timeout_stop_seconds > 0 + register: gitlab_runner_kill_timeout + +- name: Force systemd to reread configs + become: yes + systemd: + daemon_reload: yes + when: gitlab_runner_exec_reload.changed or gitlab_runner_kill_timeout diff --git a/roles/riemers.gitlab-runner/tasks/update-config-runner-windows.yml b/roles/riemers.gitlab-runner/tasks/update-config-runner-windows.yml new file mode 100644 index 00000000..2f9a1ab5 --- /dev/null +++ b/roles/riemers.gitlab-runner/tasks/update-config-runner-windows.yml 
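Review bot: The guard on `Force systemd to reread configs`, `when: gitlab_runner_exec_reload.changed or gitlab_runner_kill_timeout`, tests the whole registered result of the kill.conf task rather than its `changed` flag; a registered result is a non-empty dict even when that task was skipped, so the condition is always true and `daemon-reload` runs on every play, defeating the idempotency the `register:` lines were added for. Change it to `when: gitlab_runner_exec_reload.changed or gitlab_runner_kill_timeout.changed`. Also, when `gitlab_runner_timeout_stop_seconds` is later set to 0 the kill.conf task is merely skipped, so a previously written drop-in with `KillSignal=SIGQUIT` and the old timeout stays in force; a `file: state: absent` counterpart on the same path under the inverse condition would make the setting reversible.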
@@ -0,0 +1,339 @@ +--- +- name: (Windows) Print "[[runners]]" section + win_lineinfile: + dest: "{{ temp_runner_config.path }}" + line: '[[runners]]' + state: present + insertbefore: BOF + +- name: (Windows) Set concurrent limit option + win_lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*limit =.*' + line: ' limit = {{ gitlab_runner.concurrent_specific|default(0) }}' + state: present + insertafter: '^\s*name =' + backrefs: no + check_mode: no + notify: restart_gitlab_runner_windows + +- name: (Windows) Set coordinator URL + win_lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*url =.*' + line: ' url = {{ gitlab_runner_coordinator_url | to_json }}' + state: present + insertafter: '^\s*limit =' + backrefs: no + check_mode: no + notify: restart_gitlab_runner_windows + +- name: (Windows) Set clone URL + win_lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*clone_url =' + line: ' clone_url = {{ gitlab_runner.clone_url | to_json }}' + state: present + insertafter: '^\s*url =' + backrefs: no + check_mode: no + notify: restart_gitlab_runner + when: gitlab_runner.clone_url is defined + +- name: (Windows) Set environment option + win_lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*environment =.*' + line: ' environment = {{ gitlab_runner.env_vars|default([]) | to_json }}' + state: present + insertafter: '^\s*url =' + backrefs: no + check_mode: no + notify: restart_gitlab_runner_windows + +- name: (Windows) Set pre_clone_script + win_lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*pre_clone_script =' + line: ' pre_clone_script = {{ gitlab_runner.pre_clone_script | to_json }}' + state: present + insertafter: '^\s*url =' + backrefs: no + check_mode: no + notify: restart_gitlab_runner + when: gitlab_runner.pre_clone_script is defined + +- name: (Windows) Set pre_build_script + win_lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*pre_build_script =' + line: ' 
pre_build_script = {{ gitlab_runner.pre_build_script | to_json }}' + state: present + insertafter: '^\s*url =' + backrefs: no + check_mode: no + notify: restart_gitlab_runner + when: gitlab_runner.pre_build_script is defined + +- name: (Windows) Set post_build_script + win_lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*post_build_script =' + line: ' post_build_script = {{ gitlab_runner.post_build_script | to_json }}' + state: present + insertafter: '^\s*url =' + backrefs: no + check_mode: no + notify: restart_gitlab_runner + when: gitlab_runner.post_build_script is defined + +- name: (Windows) Set runner executor option + win_lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*executor =.*' + line: ' executor = {{ gitlab_runner.executor|default("shell") | to_json }}' + state: present + insertafter: '^\s*url =' + backrefs: no + check_mode: no + notify: restart_gitlab_runner_windows + +- name: (Windows) Set runner shell option + win_lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*shell =.*' + line: ' shell = {{ gitlab_runner.shell|default("") | to_json }}' + state: "{{ 'present' if gitlab_runner.shell is defined else 'absent' }}" + insertafter: '^\s*executor =' + backrefs: no + check_mode: no + notify: restart_gitlab_runner_windows + +- name: (Windows) Set output_limit option + win_lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*output_limit =.*' + line: ' output_limit = {{ gitlab_runner.output_limit|default(4096) }}' + state: present + insertafter: '^\s*executor =' + backrefs: no + check_mode: no + notify: restart_gitlab_runner_windows + +- name: (Windows) Set runner docker image option + win_lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*image =.*' + line: ' image = {{ gitlab_runner.docker_image|default("") | to_json }}' + state: "{{ 'present' if gitlab_runner.docker_image is defined else 'absent' }}" + insertafter: '^\s*executor =' + backrefs: no + check_mode: no + notify: 
restart_gitlab_runner_windows + +- name: (Windows) Set docker privileged option + win_lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*privileged =.*' + line: ' privileged = {{ gitlab_runner.docker_privileged|default(false) | lower }}' + state: "{{ 'present' if gitlab_runner.docker_privileged is defined else 'absent' }}" + insertafter: '^\s*executor =' + backrefs: no + check_mode: no + notify: restart_gitlab_runner_windows + +- name: (Windows) Set docker volumes option + win_lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*volumes =.*' + line: ' volumes = {{ gitlab_runner.docker_volumes|default([])|to_json }}' + state: "{{ 'present' if gitlab_runner.docker_volumes is defined else 'absent' }}" + insertafter: '^\s*executor =' + backrefs: no + check_mode: no + notify: restart_gitlab_runner_windows + +- name: (Windows) Set cache type option + win_lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*Type =.*' + line: ' Type = {{ gitlab_runner.cache_type|default("") | to_json }}' + state: "{{ 'present' if gitlab_runner.cache_type is defined else 'absent' }}" + insertafter: '^\s*executor =' + backrefs: no + check_mode: no + notify: restart_gitlab_runner_windows + +- name: (Windows) Set cache path option + win_lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*Path =.*' + line: ' Path = {{ gitlab_runner.cache_path|default("") | to_json }}' + state: "{{ 'present' if gitlab_runner.cache_path is defined else 'absent' }}" + insertafter: '^\s*executor =' + backrefs: no + check_mode: no + notify: restart_gitlab_runner_windows + +- name: (Windows) Set cache s3 server addresss + win_lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*ServerAddress =.*' + line: ' ServerAddress = {{ gitlab_runner.cache_s3_server_address|default("") | to_json }}' + state: "{{ 'present' if gitlab_runner.cache_s3_server_address is defined else 'absent' }}" + insertafter: '^\s*\[runners\.cache\.s3\]' + backrefs: no + 
check_mode: no + notify: restart_gitlab_runner_windows + +- name: (Windows) Set cache s3 access key + win_lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*AccessKey =.*' + line: ' AccessKey = {{ gitlab_runner.cache_s3_access_key|default("") | to_json }}' + state: "{{ 'present' if gitlab_runner.cache_s3_access_key is defined else 'absent' }}" + insertafter: '^\s*\[runners\.cache\.s3\]' + backrefs: no + check_mode: no + notify: restart_gitlab_runner_windows + +- name: (Windows) Set cache s3 secret key + win_lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*SecretKey =.*' + line: ' SecretKey = {{ gitlab_runner.cache_s3_secret_key|default("") | to_json }}' + state: "{{ 'present' if gitlab_runner.cache_s3_secret_key is defined else 'absent' }}" + insertafter: '^\s*\[runners\.cache\.s3\]' + backrefs: no + check_mode: no + notify: restart_gitlab_runner_windows + + +- name: (Windows) Set cache shared option + win_lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*Shared =.*' + line: ' Shared = {{ gitlab_runner.cache_shared|default("") | lower }}' + state: "{{ 'present' if gitlab_runner.cache_shared is defined else 'absent' }}" + insertafter: '^\s*executor =' + backrefs: no + check_mode: no + notify: restart_gitlab_runner_windows + +- name: (Windows) Set cache s3 bucket name option + win_lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*BucketName =.*' + line: ' BucketName = {{ gitlab_runner.cache_s3_bucket_name|default("") | to_json }}' + state: "{{ 'present' if gitlab_runner.cache_s3_bucket_name is defined else 'absent' }}" + insertafter: '^\s*\[runners\.cache\.s3\]' + backrefs: no + check_mode: no + notify: restart_gitlab_runner_windows + +- name: (Windows) Set cache s3 bucket location option + win_lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*BucketLocation =.*' + line: ' BucketLocation = {{ gitlab_runner.cache_s3_bucket_location|default("") | to_json }}' + state: "{{ 'present' if 
gitlab_runner.cache_s3_bucket_location is defined else 'absent' }}" + insertafter: '^\s*\[runners\.cache\.s3\]' + backrefs: no + check_mode: no + notify: restart_gitlab_runner_windows + +- name: (Windows) Set cache s3 insecure option + win_lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*Insecure =.*' + line: ' Insecure = {{ gitlab_runner.cache_s3_insecure|default("") | lower }}' + state: "{{ 'present' if gitlab_runner.cache_s3_insecure is defined else 'absent' }}" + insertafter: '^\s*\[runners\.cache\.s3\]' + backrefs: no + check_mode: no + notify: restart_gitlab_runner_windows + +- name: (Windows) Set ssh user option + win_lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*user =.*' + line: ' user = {{ gitlab_runner.ssh_user|default("") | to_json }}' + state: "{{ 'present' if gitlab_runner.ssh_user is defined else 'absent' }}" + insertafter: '^\s*executor =' + backrefs: no + check_mode: no + notify: restart_gitlab_runner_windows + +- name: (Windows) Set ssh host option + win_lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*host =.*' + line: ' host = {{ gitlab_runner.ssh_host|default("") | to_json }}' + state: "{{ 'present' if gitlab_runner.ssh_host is defined else 'absent' }}" + insertafter: '^\s*executor =' + backrefs: no + check_mode: no + notify: restart_gitlab_runner_windows + +- name: (Windows) Set ssh port option + win_lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*port =.*' + line: ' port = {{ gitlab_runner.ssh_port|default("") | to_json }}' + state: "{{ 'present' if gitlab_runner.ssh_port is defined else 'absent' }}" + insertafter: '^\s*executor =' + backrefs: no + check_mode: no + notify: restart_gitlab_runner_windows + +- name: (Windows) Set ssh password option + win_lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*password =.*' + line: ' password = {{ gitlab_runner.ssh_password|default("") | to_json }}' + state: "{{ 'present' if gitlab_runner.ssh_password is 
defined else 'absent' }}" + insertafter: '^\s*executor =' + backrefs: no + check_mode: no + notify: restart_gitlab_runner_windows + +- name: (Windows) Set ssh identity file option + win_lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*identity_file =.*' + line: ' identity_file = {{ gitlab_runner.ssh_identity_file|default("") | to_json }}' + state: "{{ 'present' if gitlab_runner.ssh_identity_file is defined else 'absent' }}" + insertafter: '^\s*executor =' + backrefs: no + check_mode: no + notify: restart_gitlab_runner_windows + +- name: (Windows) Set builds dir file option + win_lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*builds_dir =.*' + line: ' builds_dir = {{ gitlab_runner.builds_dir|default("") | to_json }}' + state: "{{ 'present' if gitlab_runner.builds_dir is defined else 'absent' }}" + insertafter: '^\s*executor =' + backrefs: no + check_mode: no + notify: restart_gitlab_runner_windows + +- name: (Windows) Set cache dir file option + win_lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*cache_dir =.*' + line: ' cache_dir = {{ gitlab_runner.cache_dir|default("") | to_json }}' + state: "{{ 'present' if gitlab_runner.cache_dir is defined else 'absent' }}" + insertafter: '^\s*executor =' + backrefs: no + check_mode: no + notify: restart_gitlab_runner_windows + +- include: section-config-runner-windows.yml + loop: "{{ gitlab_runner.extra_configs|list }}" + loop_control: + loop_var: section + when: + - gitlab_runner.extra_configs is defined + - gitlab_runner.extra_configs|list|length > 0 diff --git a/roles/riemers.gitlab-runner/tasks/update-config-runner.yml b/roles/riemers.gitlab-runner/tasks/update-config-runner.yml new file mode 100644 index 00000000..252bb05c --- /dev/null +++ b/roles/riemers.gitlab-runner/tasks/update-config-runner.yml 
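Review bot: Four of the new tasks (`Set clone URL`, `Set pre_clone_script`, `Set pre_build_script`, `Set post_build_script`) notify `restart_gitlab_runner` while every other task in this Windows-only file notifies `restart_gitlab_runner_windows`; on a Windows host the non-Windows handler presumably either does not exist (the play fails at notify time) or restarts nothing, so a changed clone URL or hook script never reaches the running service. Change those four lines to `notify: restart_gitlab_runner_windows`. The tasks that write `SecretKey`, `AccessKey` and `password` into the temp config carry no `no_log: true`, so with `--diff` or verbose output the S3 secret and SSH password are printed into the play log; add `no_log: true` to each. Note also that regexps such as `^\s*password =` and `^\s*host =` are not scoped to a TOML table and the non-matching case inserts after `executor =`, i.e. into `[[runners]]` rather than `[runners.ssh]`; presumably the key already exists after registration so the in-place replace usually wins, but that assumption deserves a comment.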
@@ -0,0 +1,578 @@ +--- +- name: Set concurrent limit option + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*limit =' + line: ' limit = {{ gitlab_runner.concurrent_specific|default(0) }}' + state: present + insertafter: '^\s*name =' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + +- name: Set coordinator URL + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*url =' + line: ' url = {{ gitlab_runner_coordinator_url | to_json }}' + state: present + insertafter: '^\s*limit =' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + +- name: Set clone URL + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*clone_url =' + line: ' clone_url = {{ gitlab_runner.clone_url | to_json }}' + state: present + insertafter: '^\s*url =' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + when: gitlab_runner.clone_url is defined + +- name: Set environment option + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*environment =' + line: ' environment = {{ gitlab_runner.env_vars|default([]) | to_json }}' + state: present + insertafter: '^\s*url =' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + +- name: Set pre_clone_script + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*pre_clone_script =' + line: ' pre_clone_script = {{ gitlab_runner.pre_clone_script | to_json }}' + state: present + insertafter: '^\s*url =' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + when: gitlab_runner.pre_clone_script is defined + +- name: Set pre_build_script + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*pre_build_script =' + line: ' pre_build_script = {{ gitlab_runner.pre_build_script | to_json }}' + state: present + insertafter: '^\s*url =' + 
backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + when: gitlab_runner.pre_build_script is defined + +- name: Set post_build_script + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*post_build_script =' + line: ' post_build_script = {{ gitlab_runner.post_build_script | to_json }}' + state: present + insertafter: '^\s*url =' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + when: gitlab_runner.post_build_script is defined + +- name: Set runner executor option + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*executor =' + line: ' executor = {{ gitlab_runner.executor|default("shell") | to_json }}' + state: present + insertafter: '^\s*url =' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + +- name: Set runner shell option + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*shell =' + line: ' shell = {{ gitlab_runner.shell|default("") | to_json }}' + state: "{{ 'present' if gitlab_runner.shell is defined else 'absent' }}" + insertafter: '^\s*executor =' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + +- name: Set runner executor section + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*\[runners\.{{ gitlab_runner.executor|default("shell") }}\]' + line: ' [runners.{{ gitlab_runner.executor|replace("docker+machine","machine")|default("shell") }}]' + state: "{{ 'absent' if (gitlab_runner.executor|default('shell')) == 'shell' else 'present' }}" + insertafter: '^\s*executor =' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + +- name: Set output_limit option + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*output_limit =' + line: ' output_limit = {{ gitlab_runner.output_limit|default(4096) }}' + state: present + insertafter: 
'^\s*executor =' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + + +#### [runners.docker] section #### +- name: Set runner docker image option + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*image =' + line: ' image = {{ gitlab_runner.docker_image|default("") | to_json }}' + state: "{{ 'present' if gitlab_runner.docker_image is defined else 'absent' }}" + insertafter: '^\s*\[runners\.docker\]' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + +- name: Set docker privileged option + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*privileged =' + line: ' privileged = {{ gitlab_runner.docker_privileged|default(false) | lower }}' + state: "{{ 'present' if gitlab_runner.docker_privileged is defined else 'absent' }}" + insertafter: '^\s*\[runners\.docker\]' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + +- name: Set docker tlsverify option + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*tls_verify =' + line: ' tls_verify = {{ gitlab_runner.docker_tlsverify|default(false) | lower }}' + state: "{{ 'present' if gitlab_runner.docker_tlsverify is defined else 'absent' }}" + insertafter: '^\s*\[runners\.docker\]' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + +- name: Set docker DNS option + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*dns =' + line: ' dns = {{ gitlab_runner.docker_dns|default(false) | to_json }}' + state: "{{ 'present' if gitlab_runner.docker_dns is defined else 'absent' }}" + insertafter: '^\s*\[runners\.docker\]' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + +- name: Set docker volumes option + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*volumes =' + line: ' volumes = {{ 
gitlab_runner.docker_volumes|default([])|to_json }}' + state: "{{ 'present' if gitlab_runner.docker_volumes is defined else 'absent' }}" + insertafter: '^\s*executor =' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + +- name: Set runner docker network option + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*network_mode =' + line: ' network_mode = {{ gitlab_runner.docker_network_mode|default("bridge") | to_json }}' + state: "{{ 'present' if gitlab_runner.docker_network_mode is defined else 'absent' }}" + insertafter: '^\s*\[runners\.docker\]' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + + +#### [runners.cache] section #### +- name: Set cache section + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*\[runners\.cache\]' + line: ' [runners.cache]' + state: present + insertafter: EOF + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + +- name: Set cache s3 section + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*\[runners\.cache\.s3\]' + line: ' [runners.cache.s3]' + state: "{{ 'present' if gitlab_runner.cache_type is defined else 'absent' }}" + insertafter: '^\s*\[runners\.cache\]' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + +- name: Set cache gcs section + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*\[runners\.cache\.gcs\]' + line: ' [runners.cache.gcs]' + state: "{{ 'present' if gitlab_runner.cache_gcs_bucket_name is defined else 'absent' }}" + insertafter: '^\s*\[runners\.cache\]' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + +- name: Set cache type option + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*Type =' + line: ' Type = {{ gitlab_runner.cache_type|default("") | to_json }}' + state: "{{ 
'present' if gitlab_runner.cache_type is defined else 'absent' }}" + insertafter: '^\s*\[runners\.cache\]' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + +- name: Set cache path option + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*Path =' + line: ' Path = {{ gitlab_runner.cache_path|default("") | to_json }}' + state: "{{ 'present' if gitlab_runner.cache_path is defined else 'absent' }}" + insertafter: '^\s*\[runners\.cache\]' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + +- name: Set cache shared option + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*Shared =' + line: ' Shared = {{ gitlab_runner.cache_shared|default("") | lower }}' + state: "{{ 'present' if gitlab_runner.cache_shared is defined else 'absent' }}" + insertafter: '^\s*\[runners\.cache\]' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + + +#### [runners.cache.s3] section #### +- name: Set cache s3 server addresss + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*ServerAddress =' + line: ' ServerAddress = {{ gitlab_runner.cache_s3_server_address|default("") | to_json }}' + state: "{{ 'present' if gitlab_runner.cache_s3_server_address is defined else 'absent' }}" + insertafter: '^\s*\[runners\.cache\.s3\]' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + +- name: Set cache s3 access key + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*AccessKey =' + line: ' AccessKey = {{ gitlab_runner.cache_s3_access_key|default("") | to_json }}' + state: "{{ 'present' if gitlab_runner.cache_s3_access_key is defined else 'absent' }}" + insertafter: '^\s*\[runners\.cache\.s3\]' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + +- name: Set cache s3 secret key + lineinfile: + 
dest: "{{ temp_runner_config.path }}" + regexp: '^\s*SecretKey =' + line: ' SecretKey = {{ gitlab_runner.cache_s3_secret_key|default("") | to_json }}' + state: "{{ 'present' if gitlab_runner.cache_s3_secret_key is defined else 'absent' }}" + insertafter: '^\s*\[runners\.cache\.s3\]' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + +- name: Set cache s3 bucket name option + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*BucketName =' + line: ' BucketName = {{ gitlab_runner.cache_s3_bucket_name|default("") | to_json }}' + state: "{{ 'present' if gitlab_runner.cache_s3_bucket_name is defined else 'absent' }}" + insertafter: '^\s*\[runners\.cache\.s3\]' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + when: gitlab_runner.cache_type is defined and gitlab_runner.cache_type == 's3' + +- name: Set cache s3 bucket location option + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*BucketLocation =' + line: ' BucketLocation = {{ gitlab_runner.cache_s3_bucket_location|default("") | to_json }}' + state: "{{ 'present' if gitlab_runner.cache_s3_bucket_location is defined else 'absent' }}" + insertafter: '^\s*\[runners\.cache\.s3\]' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + +- name: Set cache s3 insecure option + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*Insecure =' + line: ' Insecure = {{ gitlab_runner.cache_s3_insecure|default("") | lower }}' + state: "{{ 'present' if gitlab_runner.cache_s3_insecure is defined else 'absent' }}" + insertafter: '^\s*\[runners\.cache\.s3\]' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + + +#### [runners.cache.gcs] section #### +- name: Set cache gcs bucket name + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*BucketName =' + line: ' BucketName = {{ 
gitlab_runner.cache_gcs_bucket_name|default("") | to_json }}' + state: "{{ 'present' if gitlab_runner.cache_gcs_bucket_name is defined else 'absent' }}" + insertafter: '^\s*\[runners\.cache\.gcs\]' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + when: gitlab_runner.cache_type is defined and gitlab_runner.cache_type == 'gcs' + +- name: Set cache gcs credentials file + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*CredentialsFile =' + line: ' CredentialsFile = {{ gitlab_runner.cache_gcs_credentials_file|default("") | to_json }}' + state: "{{ 'present' if gitlab_runner.cache_gcs_credentials_file is defined else 'absent' }}" + insertafter: '^\s*\[runners\.cache\.gcs\]' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + +- name: Set cache gcs access id + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*AccessID =' + line: ' AccessID = {{ gitlab_runner.cache_gcs_access_id|default("") | to_json }}' + state: "{{ 'present' if gitlab_runner.cache_gcs_access_id is defined else 'absent' }}" + insertafter: '^\s*\[runners\.cache\.gcs\]' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + +- name: Set cache gcs private key + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*PrivateKey =' + line: ' PrivateKey = {{ gitlab_runner.cache_gcs_private_key|default("") | to_json }}' + state: "{{ 'present' if gitlab_runner.cache_gcs_private_key is defined else 'absent' }}" + insertafter: '^\s*\[runners\.cache\.gcs\]' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + + +#### [runners.ssh] section ##### +- name: Set ssh user option + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*user =' + line: ' user = {{ gitlab_runner.ssh_user|default("") | to_json }}' + state: "{{ 'present' if gitlab_runner.ssh_user is defined 
else 'absent' }}" + insertafter: '^\s*\[runners\.ssh\]' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + +- name: Set ssh host option + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*host =' + line: ' host = {{ gitlab_runner.ssh_host|default("") | to_json }}' + state: "{{ 'present' if gitlab_runner.ssh_host is defined else 'absent' }}" + insertafter: '^\s*\[runners\.ssh\]' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + +- name: Set ssh port option + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*port =' + line: ' port = "{{ gitlab_runner.ssh_port|default("") | to_json }}"' + state: "{{ 'present' if gitlab_runner.ssh_port is defined else 'absent' }}" + insertafter: '^\s*\[runners\.ssh\]' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + +- name: Set ssh password option + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*password =' + line: ' password = {{ gitlab_runner.ssh_password|default("") | to_json }}' + state: "{{ 'present' if gitlab_runner.ssh_password is defined else 'absent' }}" + insertafter: '^\s*\[runners\.ssh\]' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + +- name: Set ssh identity file option + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*identity_file =' + line: ' identity_file = {{ gitlab_runner.ssh_identity_file|default("") | to_json }}' + state: "{{ 'present' if gitlab_runner.ssh_identity_file is defined else 'absent' }}" + insertafter: '^\s*\[runners\.ssh\]' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + +- name: Set builds dir file option + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*builds_dir =' + line: ' builds_dir = {{ gitlab_runner.builds_dir|default("") | to_json }}' + 
state: "{{ 'present' if gitlab_runner.builds_dir is defined else 'absent' }}" + insertafter: '^\s*executor =' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + +- name: Set cache dir file option + lineinfile: + dest: "{{ temp_runner_config.path }}" + regexp: '^\s*cache_dir =' + line: ' cache_dir = {{ gitlab_runner.cache_dir|default("") | to_json }}' + state: "{{ 'present' if gitlab_runner.cache_dir is defined else 'absent' }}" + insertafter: '^\s*executor =' + backrefs: no + check_mode: no + notify: + - restart_gitlab_runner + - restart_gitlab_runner_macos + +- name: Ensure directory permissions + file: + dest: "{{ item }}" + state: directory + owner: "{{ gitlab_runner_runtime_owner|default(omit) }}" + group: "{{ gitlab_runner_runtime_group|default(omit) }}" + mode: 0770 + modification_time: preserve + access_time: preserve + recurse: yes + loop: + - "{{ gitlab_runner.builds_dir | default(\"\") }}" + - "{{ gitlab_runner.cache_dir | default(\"\") }}" + when: item|length + +- name: Ensure directory access test + command: "/usr/bin/test -r {{ item }}" + loop: + - "{{ gitlab_runner.builds_dir | default(\"\") }}" + - "{{ gitlab_runner.cache_dir | default(\"\") }}" + when: item|length + changed_when: False + become: yes + become_user: "{{ gitlab_runner_runtime_owner|default(omit) }}" + register: ensure_directory_access + ignore_errors: true + +- name: Ensure directory access fail on error + fail: + msg: "Error: user gitlab-runner failed to test access to {{ item.item }}. Check parent folder(s) permissions" + loop: "{{ ensure_directory_access.results }}" + when: + - item.rc is defined and item.rc != 0 + +- include: section-config-runner.yml + loop: "{{ gitlab_runner.extra_configs|list }}" + loop_control: + loop_var: section + when: + - gitlab_runner.extra_configs is defined + - gitlab_runner.extra_configs|list|length > 0 
diff --git a/roles/riemers.gitlab-runner/tests/files/mock_gitlab_runner_ci.py b/roles/riemers.gitlab-runner/tests/files/mock_gitlab_runner_ci.py new file mode 100644 index 00000000..f6aa9b6f --- /dev/null +++ b/roles/riemers.gitlab-runner/tests/files/mock_gitlab_runner_ci.py @@ -0,0 +1,69 @@ +from __future__ import print_function +import os +import sys +import logging +import random + +from flask import Flask, Blueprint, request, jsonify + +app = Flask(__name__) +bp = Blueprint(__name__, 'api', url_prefix='/api/v4') + + +@bp.route('/runners', methods=['POST']) +def register_runner(): + logging.info("Got register_runner request: {!r}".format(request.data)) + req = request.json + res = {} + + token = req['token'] + if token.isalnum() and token.islower(): + res['token'] = "{}{}".format(token.upper(), random.randint(100, 999)) + status = 201 + elif token.isalnum() and token.isupper(): + status = 403 + else: + status = 400 + + return jsonify(res), status + + +@bp.route('/runners/verify', methods=['POST']) +def verify_runner(): + logging.info("Got verify_runner request: {!r}".format(request.data)) + req = request.json + res = {} + + token = req['token'] + if token.isalnum() and token.isupper(): + status = 200 + elif token.isalnum() and token.islower(): + status = 403 + else: + status = 400 + + return jsonify(res), status + + +app.register_blueprint(bp) + + +if __name__ == '__main__': + pid = str(os.getpid()) + pidfile = os.path.expanduser(sys.argv[1]) + + if os.path.isfile(pidfile): + print("{} already exists, exiting".format(pidfile)) + sys.exit(1) + + port = int(sys.argv[2]) + + with open(pidfile, 'w') as f: + f.write(pid) + + logging.basicConfig(level=logging.DEBUG) + + try: + app.run(port=port, debug=False) + finally: + os.unlink(pidfile) diff --git a/roles/riemers.gitlab-runner/tests/inventory b/roles/riemers.gitlab-runner/tests/inventory new file mode 100644 index 00000000..05614f63 --- /dev/null +++ b/roles/riemers.gitlab-runner/tests/inventory 
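Review bot: register_runner and verify_runner index `req['token']` on `request.json`, which is None when the body is not sent as JSON and raises KeyError when the key is absent, so a malformed request ends in a 500 instead of the 400 branch both handlers otherwise model; `req = request.get_json(silent=True) or {}` followed by `token = req.get('token', '')` routes those cases to `status = 400` (the `str` methods on an empty string are all False), while a non-string token value would still need a type check before `.isalnum()` is called. The handlers also log the full request body, including the token, at INFO into the log the test playbook redirects to `~/mock_ci.log`; with fixture tokens this is harmless, but a comment such as `# logs the raw body (including the token); test fixture only` would keep that from being copied into a real service. Each handler would benefit from a one-line docstring stating the convention it implements: a lowercase alphanumeric token registers (201) and is echoed back upper-cased with a random suffix, an uppercase one verifies (200), anything else is 400.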
@@ -0,0 +1 @@ +localhost ansible_connection=local \ No newline at end of file diff --git a/roles/riemers.gitlab-runner/tests/test.yml b/roles/riemers.gitlab-runner/tests/test.yml new file mode 100644 index 00000000..8a362f4a --- /dev/null +++ b/roles/riemers.gitlab-runner/tests/test.yml @@ -0,0 +1,51 @@ +--- +- hosts: localhost + tasks: + - name: Load platform-specific variables + include_vars: "{{ lookup('first_found', possible_files) }}" + vars: + possible_files: + files: + - '{{ ansible_distribution }}.yml' + - '{{ ansible_os_family }}.yml' + - default.yml + paths: + - 'vars' + - name: Copy the mock gitlab CI server + copy: + src: mock_gitlab_runner_ci.py + dest: "~/mock_gitlab_runner_ci.py" + when: run_mock_server + - name: Ensure mock CI pidfile is absent + file: + path: "~/mock_ci.pid" + state: absent + when: run_mock_server + - name: Start the mock CI + shell: "python ~/mock_gitlab_runner_ci.py ~/mock_ci.pid 6060 >~/mock_ci.log 2>&1" + async: 3600 + poll: 0 + register: mock_server + when: run_mock_server + - name: Wait for pidfile to be created + wait_for: + host: 127.0.0.1 + port: 6060 + delay: 1 + timeout: 30 + when: run_mock_server + +- hosts: localhost + roles: + - ansible-gitlab-runner + +- hosts: localhost + tasks: + - name: Get pid mock gitlab CI server + slurp: + src: "~/mock_ci.pid" + register: pidfile_b64 + when: run_mock_server + - name: kill the mock CI + command: "kill {{ pidfile_b64.content | b64decode }}" + when: run_mock_server diff --git a/roles/riemers.gitlab-runner/tests/travis-bootstrap-ansible.ps1 b/roles/riemers.gitlab-runner/tests/travis-bootstrap-ansible.ps1 new file mode 100644 index 00000000..c402e66a --- /dev/null +++ b/roles/riemers.gitlab-runner/tests/travis-bootstrap-ansible.ps1 
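Review bot: The task named `Wait for pidfile to be created` does not wait on the pidfile at all; its `wait_for` polls TCP port 6060, so either the name should say so (`Wait for the mock CI to listen on 6060`) or the task should use `path: ~/mock_ci.pid`. The mock server is only stopped in the third play, so any failure inside the `ansible-gitlab-runner` role leaves the background `python` process holding port 6060 and the pidfile, and the next run's "Start the mock CI" cannot bind; wrapping the role in a `block` with the slurp/kill tasks in `always:` would make the teardown unconditional. `kill {{ pidfile_b64.content | b64decode }}` interpolates file content straight into a command; piping through `| int` as well guarantees only a numeric pid reaches the shell. The role is vendored here as `roles/riemers.gitlab-runner` while the play references `ansible-gitlab-runner`, so if this test is meant to run from this repository the role name likely needs to follow.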
@@ -0,0 +1,18 @@ +# Creating local ansible user +$secpwd = ConvertTo-SecureString "Ans1ble_User!" -AsPlainText -Force +New-LocalUser "ansible" -Password $secpwd -FullName "ansible" -Description "ansible user" +Add-LocalGroupMember -Group "Administrators" -Member "ansible" + +# Install Ubuntu 1804 on WSL +& choco install -y --ignore-checksums wsl-ubuntu-1804 + +# Install Ansbile +& C:/Windows/System32/bash.exe -c "export DEBIAN_FRONTEND=noninteractive && apt update && apt install -y python3 python3-pip" +& wsl pip3 install ansible pywinrm + +# Prepare system that it can be accessed by ansible +$url = "https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1" +$file = "$env:temp\ConfigureRemotingForAnsible.ps1" + +(New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file) +powershell.exe -ExecutionPolicy ByPass -File $file \ No newline at end of file diff --git a/roles/riemers.gitlab-runner/tests/vars/Windows.yml b/roles/riemers.gitlab-runner/tests/vars/Windows.yml new file mode 100644 index 00000000..fdfcce39 --- /dev/null +++ b/roles/riemers.gitlab-runner/tests/vars/Windows.yml 
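Review bot: The script downloads `ConfigureRemotingForAnsible.ps1` from the moving `devel` branch and executes it with `-ExecutionPolicy ByPass`, and installs WSL with `choco install --ignore-checksums`, so the CI host runs whatever those upstream artifacts contain at the moment of the build with no integrity check. Pinning the raw URL to a specific commit (`https://raw.githubusercontent.com/ansible/ansible/<COMMIT_SHA>/examples/scripts/ConfigureRemotingForAnsible.ps1`) and comparing the downloaded file against a recorded hash before invoking it, and dropping `--ignore-checksums` in favour of the package's expected checksum, would make the bootstrap reproducible and verifiable. The local Administrators-group account is created with a literal password; on a throwaway CI VM that may be acceptable, but a comment such as `# disposable CI VM only: literal password is intentional` would stop the pattern being reused elsewhere. The heading `# Install Ansbile` has a typo.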
@@ -0,0 +1,48 @@ +gitlab_runner_runners: + - name: "Shell Runner" + tags: + - windows + - shell + executor: shell + state: present + - name: "Shell Bash Runner" + tags: + - windows + - shell + - bash + executor: shell + shell: bash + state: present + - name: "Shell Cmd Runner" + tags: + - windows + - shell + - cmd + executor: shell + shell: cmd + state: present + - name: "Shell Runner S3 Cache" + tags: + - windows + - shell + executor: shell + cache_type: s3 + cache_shared: true + cache_s3_server_address: mycache.example.com + cache_s3_access_key: myaccess-key + cache_s3_secret_key: mysecret-key + cache_s3_bucket_name: build-cache-bucket + cache_s3_insecure: false + state: present + - name: "Docker Runner" + tags: + - windows + - docker + executor: docker-windows + state: present + +gitlab_runner_listen_address: '0.0.0.0:9001' + +run_mock_server: no +gitlab_runner_coordinator_url: "http://localhost:7070/" +gitlab_runner_registration_token: '' diff --git a/roles/riemers.gitlab-runner/tests/vars/default.yml b/roles/riemers.gitlab-runner/tests/vars/default.yml new file mode 100644 index 00000000..b4973f78 --- /dev/null +++ b/roles/riemers.gitlab-runner/tests/vars/default.yml 
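Review bot: `gitlab_runner_listen_address: '0.0.0.0:9001'` exposes the runner's listen (metrics/debug) endpoint on every interface of the test host, which is more than a local test needs; `127.0.0.1:9001` exercises the same configuration path without opening the port externally. The S3 access/secret values here and the S3/GCS credentials and PEM-shaped `cache_gcs_private_key` in `tests/vars/default.yml` are clearly synthetic, but nothing in either file says so, and secret scanners as well as readers would benefit from a header comment `# Test fixtures only: every credential below is a fake placeholder`.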
@@ -0,0 +1,57 @@ +--- +gitlab_runner_runners: + - name: 'vagrant-shell' + executor: shell + tags: + - node + - ruby + - mysql + - name: 'vagrant-shell-sh' + executor: shell + shell: sh + tags: + - sh + - name: 'vagrant-docker' + executor: docker + docker_image: 'docker:stable' + tags: + - node + - ruby + - mysql + - name: 'vagrant-docker-cache' + executor: docker + docker_image: 'docker:stable' + tags: + - node + - ruby + - mysql + - cache + cache_type: s3 + cache_shared: true + cache_s3_server_address: mycache.example.com + cache_s3_access_key: myaccess-key + cache_s3_secret_key: mysecret-key + cache_s3_bucket_name: build-cache-bucket + cache_s3_insecure: false + + - name: 'vagrant-docker-cache-gcs' + executor: docker + docker_image: 'docker:stable' + tags: + - node + - ruby + - mysql + - cache + cache_type: gcs + cache_shared: true + cache_gcs_bucket_name: gcs-cache-bucket + cache_gcs_credentials_file: '/etc/gitlab-runner/credentials.json' + cache_gcs_access_id: 'cache-access-account@project.iam.gserviceaccount.com' + cache_gcs_private_key: "-----BEGIN PRIVATE KEY-----\nXXXXXX\n-----END PRIVATE KEY-----\n" + +run_mock_server: yes +gitlab_runner_coordinator_url: "http://localhost:6060/" +gitlab_runner_registration_token: 'notreal' + +gitlab_runner_system_mode: yes +... diff --git a/roles/riemers.gitlab-runner/vars/Darwin.yml b/roles/riemers.gitlab-runner/vars/Darwin.yml new file mode 100644 index 00000000..07d9d9fe --- /dev/null +++ b/roles/riemers.gitlab-runner/vars/Darwin.yml @@ -0,0 +1,5 @@ +--- + +gitlab_runner_download_url: 'https://gitlab-runner-downloads.s3.amazonaws.com/{{ gitlab_runner_wanted_tag }}/binaries/gitlab-runner-darwin-amd64' + +gitlab_runner_executable: "/usr/local/bin/{{ gitlab_runner_package_name }}" diff --git a/roles/riemers.gitlab-runner/vars/Debian.yml b/roles/riemers.gitlab-runner/vars/Debian.yml new file mode 100644 index 00000000..9b7bd965 --- /dev/null +++ b/roles/riemers.gitlab-runner/vars/Debian.yml 
@@ -0,0 +1,8 @@
+---
+
+gitlab_runner_executable: "/usr/bin/{{ gitlab_runner_package_name }}"
+
+gitlab_runner_runtime_owner: gitlab-runner
+gitlab_runner_runtime_group: gitlab-runner
+gitlab_runner_restart_state: reloaded
+gitlab_runner_timeout_stop_seconds: 720
diff --git a/roles/riemers.gitlab-runner/vars/RedHat.yml b/roles/riemers.gitlab-runner/vars/RedHat.yml
new file mode 100644
index 00000000..2927eacc
--- /dev/null
+++ b/roles/riemers.gitlab-runner/vars/RedHat.yml
@@ -0,0 +1,8 @@
+---
+
+gitlab_runner_executable: "/usr/bin/{{ gitlab_runner_package_name }}"
+
+gitlab_runner_runtime_owner: gitlab-runner
+gitlab_runner_runtime_group: gitlab-runner
+gitlab_runner_restart_state: reloaded
+gitlab_runner_timeout_stop_seconds: 7200
diff --git a/roles/riemers.gitlab-runner/vars/Windows.yml b/roles/riemers.gitlab-runner/vars/Windows.yml
new file mode 100644
index 00000000..22fcd1ae
--- /dev/null
+++ b/roles/riemers.gitlab-runner/vars/Windows.yml
@@ -0,0 +1,9 @@
+---
+
+gitlab_runner_download_url: 'https://gitlab-runner-downloads.s3.amazonaws.com/{{ gitlab_runner_wanted_tag }}/binaries/gitlab-runner-windows-amd64.exe'
+
+gitlab_runner_install_directory: "c:/gitlab-runner/"
+gitlab_runner_config_file_location: "{{ gitlab_runner_install_directory }}"
+gitlab_runner_config_file: "{{ gitlab_runner_config_file_location }}/config.toml" # on Windows
+
+gitlab_runner_executable: "{{gitlab_runner_install_directory}}/{{ gitlab_runner_package_name }}.exe"
\ No newline at end of file
diff --git a/roles/riemers.gitlab-runner/vars/default.yml b/roles/riemers.gitlab-runner/vars/default.yml
new file mode 100644
index 00000000..aef02964
--- /dev/null
+++ b/roles/riemers.gitlab-runner/vars/default.yml
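Review bot: `gitlab_runner_timeout_stop_seconds` is `720` in `vars/Debian.yml` but `7200` in the otherwise identical `vars/RedHat.yml`; a tenfold difference in the service stop timeout between distributions looks like a dropped or extra digit rather than a deliberate choice, and whichever value is intended should be used in both files or the divergence explained with a comment such as `# intentionally shorter than RedHat: <reason>`.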
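Review bot: In `vars/Windows.yml`, `gitlab_runner_install_directory` ends in a slash and `gitlab_runner_config_file` and `gitlab_runner_executable` both append `/` again, so the rendered paths are `c:/gitlab-runner//config.toml` and `c:/gitlab-runner//gitlab-runner.exe`; Windows tolerates the doubled separator, but any later string comparison or `win_stat` on the normalised path would not match. Either drop the trailing slash from `gitlab_runner_install_directory: "c:/gitlab-runner"` or remove the extra `/` in the two composed values. `{{gitlab_runner_install_directory}}` in the last line also lacks the spaces inside the braces that every other template expression in these files uses.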
@@ -0,0 +1,7 @@
+---
+gitlab_runner_container_install: false
+gitlab_runner_container_image: gitlab/gitlab-runner
+gitlab_runner_container_tag: latest
+gitlab_runner_container_name: gitlab-runner
+gitlab_runner_container_restart_policy: unless-stopped
+gitlab_runner_restart_state: restarted
diff --git a/roles/riemers.gitlab-runner/vars/main.yml b/roles/riemers.gitlab-runner/vars/main.yml
new file mode 100644
index 00000000..af1e5c99
--- /dev/null
+++ b/roles/riemers.gitlab-runner/vars/main.yml
@@ -0,0 +1,6 @@
+---
+# vars file for gitlab-runner
+
+# Useful default paths for config files on Mac/Linux platforms
+__gitlab_runner_config_file_system_mode: "/etc/gitlab-runner/config.toml"
+__gitlab_runner_config_file_user_mode: "~/.gitlab-runner/config.toml"
diff --git a/roles/robertdebock.bootstrap b/roles/robertdebock.bootstrap
deleted file mode 160000
index a07b6a58..00000000
--- a/roles/robertdebock.bootstrap
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit a07b6a583db3ff39c380ee1cb2f2bc85b103b8f6
diff --git a/roles/robertdebock.bootstrap/.ansible-lint b/roles/robertdebock.bootstrap/.ansible-lint
new file mode 100644
index 00000000..eba57d1a
--- /dev/null
+++ b/roles/robertdebock.bootstrap/.ansible-lint
@@ -0,0 +1,8 @@
+#
+# Ansible managed
+#
+exclude_paths:
+ - ./meta/exception.yml
+ - ./meta/preferences.yml
+ - ./molecule/default/verify.yml
+ - ./.tox
diff --git a/roles/robertdebock.bootstrap/.github/FUNDING.yml b/roles/robertdebock.bootstrap/.github/FUNDING.yml
new file mode 100644
index 00000000..67320f05
--- /dev/null
+++ b/roles/robertdebock.bootstrap/.github/FUNDING.yml
@@ -0,0 +1,2 @@
+---
+github: robertdebock
diff --git a/roles/robertdebock.bootstrap/.github/ISSUE_TEMPLATE/bug_report.md b/roles/robertdebock.bootstrap/.github/ISSUE_TEMPLATE/bug_report.md
new file mode 100644
index 00000000..f39b5dc5
--- /dev/null
+++ b/roles/robertdebock.bootstrap/.github/ISSUE_TEMPLATE/bug_report.md
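Review bot: `gitlab_runner_container_tag: latest` in `vars/default.yml` means a container install pulls whatever `gitlab/gitlab-runner:latest` resolves to on each run, so the deployed runner version is neither reproducible nor reviewable and can change underneath the role; defaulting to a concrete version tag, or to an image digest, and stating the choice in a comment (`# pin to a released tag; 'latest' changes without notice`) would fix that. These values also read like user tunables, yet they live under `vars/`, whose precedence beats inventory and group variables, so operators cannot override them without role parameters; if overriding is intended they belong in `defaults/main.yml`.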
@@ -0,0 +1,31 @@ +--- +name: Bug report +about: Create a report to help me improve + +--- + +## Describe the bug +A clear and concise description of what the bug is. + +## Playbook + +Please paste the playbook you are using. (Consider `requirements.yml` and +optionally the command you've invoked.) + + +```yaml +--- +YOUR PLAYBOOK HERE +``` + +## Output + +Show at least the error, possible related output, maybe just all the output. + +## Environment + +- Control node OS: [e.g. Debian 9] (`cat /etc/os-release`) +- Control node Ansible version: [e.g. 2.9.1] (`ansible --version`) +- Managed node OS: [e.g. CentOS 7] (`cat /etc/os-release`) + +Please consider [sponsoring me](https://github.com/sponsors/robertdebock). diff --git a/roles/robertdebock.bootstrap/.github/ISSUE_TEMPLATE/feature_request.md b/roles/robertdebock.bootstrap/.github/ISSUE_TEMPLATE/feature_request.md new file mode 100644 index 00000000..55a93c40 --- /dev/null +++ b/roles/robertdebock.bootstrap/.github/ISSUE_TEMPLATE/feature_request.md @@ -0,0 +1,19 @@ +--- +name: Feature request +about: Suggest an idea for this project + +--- + +## Proposed feature + +A clear and concise description of what you want to happen. + +## Rationale + +Why is this feature required? + +## Additional context + +Add any other context about the feature request here. + +Please consider [sponsoring me](https://github.com/sponsors/robertdebock). diff --git a/roles/robertdebock.bootstrap/.github/pull_request_template.md b/roles/robertdebock.bootstrap/.github/pull_request_template.md new file mode 100644 index 00000000..b1578c0c --- /dev/null +++ b/roles/robertdebock.bootstrap/.github/pull_request_template.md @@ -0,0 +1,11 @@ +--- +name: Pull request +about: Describe the proposed change + +--- + +**Describe the change** +A clear and concise description of what the pull request is. + +**Testing** +In case a feature was added, how were tests performed? 
diff --git a/roles/robertdebock.bootstrap/.github/settings.yml b/roles/robertdebock.bootstrap/.github/settings.yml new file mode 100644 index 00000000..4729c2c1 --- /dev/null +++ b/roles/robertdebock.bootstrap/.github/settings.yml @@ -0,0 +1,8 @@ +--- +# +# Ansible managed +# +repository: + description: Prepare your system to be managed by Ansible. + homepage: https://robertdebock.nl/ + topics: bootstrap, python, sudo, ansible, molecule, tox, playbook, hacktoberfest diff --git a/roles/robertdebock.bootstrap/.github/workflows/galaxy.yml b/roles/robertdebock.bootstrap/.github/workflows/galaxy.yml new file mode 100644 index 00000000..1d36b740 --- /dev/null +++ b/roles/robertdebock.bootstrap/.github/workflows/galaxy.yml @@ -0,0 +1,18 @@ +--- +# +# Ansible managed +# + +name: Release to Ansible Galaxy + +on: + release: + types: [created, edited, published, released] +jobs: + release: + runs-on: ubuntu-20.04 + steps: + - name: galaxy + uses: robertdebock/galaxy-action@1.1.0 + with: + galaxy_api_key: ${{ secrets.galaxy_api_key }} diff --git a/roles/robertdebock.bootstrap/.github/workflows/molecule.yml b/roles/robertdebock.bootstrap/.github/workflows/molecule.yml new file mode 100644 index 00000000..f0d855e5 --- /dev/null +++ b/roles/robertdebock.bootstrap/.github/workflows/molecule.yml 
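Review bot: `.github/workflows/galaxy.yml` hands `secrets.galaxy_api_key` to `robertdebock/galaxy-action@1.1.0`, a third-party action referenced by a mutable tag, so whoever can move that tag can read the Galaxy key on the next release; the same pattern recurs in `molecule.yml` (`robertdebock/molecule-action@2.6.8`), `requirements2png.yml` (`ad-m/github-push-action@master`, which receives `GITHUB_TOKEN` and force-pushes) and `todo.yml` (`actions/checkout@master`, `alstr/todo-to-issue-action@v2.3` with `GITHUB_TOKEN`). Pinning each `uses:` to a full commit SHA with the tag in a trailing comment, e.g. `uses: robertdebock/galaxy-action@<COMMIT_SHA> # 1.1.0`, keeps the token exposure bounded to reviewed code; `@master` references are the most urgent to pin.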
@@ -0,0 +1,71 @@ +--- +# +# Ansible managed +# + +name: Ansible Molecule + +on: + push: + tags_ignore: + - '*' + pull_request: + schedule: + - cron: '2 2 2 * *' + +jobs: + lint: + runs-on: ubuntu-20.04 + steps: + - name: checkout + uses: actions/checkout@v2 + with: + path: "${{ github.repository }}" + - name: molecule + uses: robertdebock/molecule-action@2.6.8 + with: + command: lint + test: + needs: + - lint + runs-on: ubuntu-20.04 + strategy: + fail-fast: false + matrix: + config: + - image: "amazonlinux" + tag: "latest" + - image: "centos" + tag: "7" + - image: "centos" + tag: "latest" + - image: "debian" + tag: "latest" + - image: "debian" + tag: "bullseye" + - image: "fedora" + tag: "32" + - image: "fedora" + tag: "latest" + - image: "fedora" + tag: "rawhide" + - image: "opensuse" + tag: "latest" + - image: "ubuntu" + tag: "latest" + - image: "ubuntu" + tag: "bionic" + steps: + - name: checkout + uses: actions/checkout@v2 + with: + path: "${{ github.repository }}" + - name: disable apparmor for mysql + run: sudo ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/ + - name: parse apparmor for mysql + run: sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld + - name: molecule + uses: robertdebock/molecule-action@2.6.8 + with: + image: ${{ matrix.config.image }} + tag: ${{ matrix.config.tag }} diff --git a/roles/robertdebock.bootstrap/.github/workflows/requirements2png.yml b/roles/robertdebock.bootstrap/.github/workflows/requirements2png.yml new file mode 100644 index 00000000..e94938d4 --- /dev/null +++ b/roles/robertdebock.bootstrap/.github/workflows/requirements2png.yml 
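Review bot: `tags_ignore` under `on.push` is not a GitHub Actions filter key (the documented spelling is `tags-ignore`), so the intent of skipping tag pushes is not honoured and the workflow is either flagged invalid or also runs on every tag; the line should read `tags-ignore:`. The `disable apparmor for mysql` and `parse apparmor for mysql` steps are unrelated to a bootstrap role and appear to be inherited from the generator template; if they are kept, a comment such as `# generator boilerplate: not needed by this role` would spare the next reader the question.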
@@ -0,0 +1,34 @@ +--- +# +# Ansible managed +# + +on: + - push + +name: Ansible Graphviz + +jobs: + build: + runs-on: ubuntu-20.04 + steps: + - name: checkout + uses: actions/checkout@v2 + with: + path: ${{ github.repository }} + - name: create png + uses: robertdebock/graphviz-action@1.0.7 + - name: Commit files + run: | + cd ${{ github.repository }} + git config --local user.email "github-actions[bot]@users.noreply.github.com" + git config --local user.name "github-actions[bot]" + git add requirements.dot requirements.png + git commit -m "Add generated files" + - name: save to png branch + uses: ad-m/github-push-action@master + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + directory: ${{ github.repository }} + force: true + branch: png diff --git a/roles/robertdebock.bootstrap/.github/workflows/todo.yml b/roles/robertdebock.bootstrap/.github/workflows/todo.yml new file mode 100644 index 00000000..3e6e4177 --- /dev/null +++ b/roles/robertdebock.bootstrap/.github/workflows/todo.yml @@ -0,0 +1,20 @@ +--- +# +# Ansible managed +# + +name: "TODO 2 Issue" + +on: + push: + +jobs: + build: + runs-on: "ubuntu-20.04" + steps: + - uses: "actions/checkout@master" + - name: "TODO to Issue" + uses: "alstr/todo-to-issue-action@v2.3" + id: "todo" + with: + TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/roles/robertdebock.bootstrap/.gitignore b/roles/robertdebock.bootstrap/.gitignore new file mode 100644 index 00000000..982db11f --- /dev/null +++ b/roles/robertdebock.bootstrap/.gitignore @@ -0,0 +1,4 @@ +.molecule +*.log +*.swp +.tox diff --git a/roles/robertdebock.bootstrap/.gitlab-ci.yml b/roles/robertdebock.bootstrap/.gitlab-ci.yml new file mode 100644 index 00000000..c107d29b --- /dev/null +++ b/roles/robertdebock.bootstrap/.gitlab-ci.yml 
@@ -0,0 +1,46 @@ +--- +image: robertdebock/github-action-molecule:2.6.6 + +services: + - docker:dind + +variables: + DOCKER_HOST: "tcp://docker:2375" + PY_COLORS: 1 + +molecule: + script: + - image=${image} tag=${tag} molecule test + rules: + - if: $CI_COMMIT_REF_NAME == "master" + retry: 2 + parallel: + matrix: + - image: "amazonlinux" + tag: "latest" + - image: "centos" + tag: "7" + - image: "centos" + tag: "latest" + - image: "debian" + tag: "latest" + - image: "debian" + tag: "bullseye" + - image: "fedora" + tag: "32" + - image: "fedora" + tag: "latest" + - image: "fedora" + tag: "rawhide" + - image: "opensuse" + tag: "latest" + - image: "ubuntu" + tag: "latest" + - image: "ubuntu" + tag: "bionic" + +galaxy: + script: + - ansible-galaxy role import --api-key ${GALAXY_API_KEY} ${CI_PROJECT_NAMESPACE} ${CI_PROJECT_NAME} + rules: + - if: $CI_COMMIT_TAG != null diff --git a/roles/robertdebock.bootstrap/.pre-commit-config.yaml b/roles/robertdebock.bootstrap/.pre-commit-config.yaml new file mode 100644 index 00000000..056388eb --- /dev/null +++ b/roles/robertdebock.bootstrap/.pre-commit-config.yaml @@ -0,0 +1,26 @@ +--- +repos: + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v3.4.0 + hooks: + - id: trailing-whitespace + - id: end-of-file-fixer + - id: check-added-large-files + + - repo: https://github.com/adrienverge/yamllint + rev: v1.25.0 + hooks: + - id: yamllint + args: [-c=.yamllint] + + - repo: https://github.com/ansible/ansible-lint + rev: v4.3.7 + hooks: + - id: ansible-lint + pass_filenames: false + + - repo: https://github.com/robertdebock/pre-commit + rev: v1.1.2 + hooks: + - id: ansible_role_find_unused_variable + - id: ansible_role_find_empty_files diff --git a/roles/robertdebock.bootstrap/.travis.yml b/roles/robertdebock.bootstrap/.travis.yml new file mode 100644 index 00000000..21201e18 --- /dev/null +++ b/roles/robertdebock.bootstrap/.travis.yml 
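Review bot: `DOCKER_HOST: "tcp://docker:2375"` talks to the `docker:dind` service over an unauthenticated, unencrypted TCP socket; recent dind images enable TLS when `DOCKER_TLS_CERTDIR` is set, so the job should use `DOCKER_HOST: "tcp://docker:2376"` together with `DOCKER_TLS_CERTDIR: "/certs"` (plus the client-side `DOCKER_TLS_VERIFY`/`DOCKER_CERT_PATH` variables GitLab documents for that setup) rather than relying on port 2375 being reachable only from the job network. The image is pinned to `robertdebock/github-action-molecule:2.6.6` while the GitHub workflow in this commit uses `molecule-action@2.6.8`; that looks like generator drift and the two versions probably ought to agree.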
@@ -0,0 +1,30 @@ +--- +# +# Ansible managed +# +language: python + +os: linux +dist: xenial + +python: + - "3.9" + +services: + - docker + +cache: + - pip + +install: + - pip install --upgrade pip + - pip install yamllint + - pip install ansible-lint + +script: + - yamllint . + - ansible-lint + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ + email: false diff --git a/roles/robertdebock.bootstrap/.yamllint b/roles/robertdebock.bootstrap/.yamllint new file mode 100644 index 00000000..894450cd --- /dev/null +++ b/roles/robertdebock.bootstrap/.yamllint @@ -0,0 +1,15 @@ +--- +extends: default + +rules: + braces: + max-spaces-inside: 1 + level: error + brackets: + max-spaces-inside: 1 + level: error + line-length: disable + truthy: disable + +ignore: | + .tox/ diff --git a/roles/robertdebock.bootstrap/CODE_OF_CONDUCT.md b/roles/robertdebock.bootstrap/CODE_OF_CONDUCT.md new file mode 100644 index 00000000..0d97a6fb --- /dev/null +++ b/roles/robertdebock.bootstrap/CODE_OF_CONDUCT.md 
@@ -0,0 +1,46 @@ +# Contributor Covenant Code of Conduct + +## Our Pledge + +In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation. + +## Our Standards + +Examples of behaviour that contributes to creating a positive environment include: + +* Using welcoming and inclusive language +* Being respectful of differing viewpoints and experiences +* Gracefully accepting constructive criticism +* Focusing on what is best for the community +* Showing empathy towards other community members + +Examples of unacceptable behaviour by participants include: + +* The use of sexualized language or imagery and unwelcome sexual attention or advances +* Trolling, insulting/derogatory comments, and personal or political attacks +* Public or private harassment +* Publishing others' private information, such as a physical or electronic address, without explicit permission +* Other conduct which could reasonably be considered inappropriate in a professional setting + +## Our Responsibilities + +Project maintainers are responsible for clarifying the standards of acceptable behaviour and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behaviour. + +Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviours that they deem inappropriate, threatening, offensive, or harmful. 
+ +## Scope + +This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers. + +## Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behaviour may be reported by contacting the project team at robert@meinit.nl. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately. + +Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership. + +## Attribution + +This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version] + +[homepage]: http://contributor-covenant.org +[version]: http://contributor-covenant.org/version/1/4/ diff --git a/roles/robertdebock.bootstrap/CONTRIBUTING.md b/roles/robertdebock.bootstrap/CONTRIBUTING.md new file mode 100644 index 00000000..2ef8c236 --- /dev/null +++ b/roles/robertdebock.bootstrap/CONTRIBUTING.md 
@@ -0,0 +1,76 @@ +# [Please contribute](#please-contribute) + +You can really make a difference by: + +- [Making an issue](https://help.github.com/articles/creating-an-issue/). A well described issue helps a lot. (Have a look at the [known issues](https://github.com/search?q=user%3Arobertdebock+is%3Aissue+state%3Aopen).) +- [Making a pull request](https://services.github.com/on-demand/github-cli/open-pull-request-github) when you see the error in code. + +I'll try to help and take every contribution seriously. + +It's a great opportunity for me to learn how you use the role and also an opportunity to get into the habit of contributing to open source software. + +## [Step by step](#step-by-step) + +Here is how you can help, a lot of steps are related to GitHub, not specifically my roles. + +### [1. Make an issue.](#1-make-an-issue) + +When you spot an issue, [create an issue](https://github.com/robertdebock/ansible-role-bootstrap/issues). + +Making the issue help me and others to find similar problems in the future. + +### [2. Fork the project.](#2-fork-the-project) + +On the top right side of [the repository on GitHub](https://github.com/robertdebock/ansible-role-bootstrap), click `fork`. This copies everything to your GitHub namespace. + +### [3. Make the changes](#3-make-the-changes) + +In you own GitHub namespace, make the required changes. + +I typically do that by cloning the repository (in your namespace) locally: + +``` +git clone git@github.com:YOURNAMESPACE/ansible-role-bootstrap.git +``` + +Now you can start to edit on your laptop. + +### [4. Optionally: test your changes](#4-optionally-test-your-changes) + +Install [molecule](https://molecule.readthedocs.io/en/stable/) and [Tox](https://tox.readthedocs.io/): + +``` +pip install molecule tox ansible-lint docker +``` + +And run `molecule test`. 
If you want to test a specific distribution, set `image` and optionally `tag`: + +``` +image=centos tag=7 molecule test +``` + +Once it start to work, you can test multiple version of Ansible: + +``` +image=centos tag=7 tox +``` + +### [5. Optionally: Regenerate all dynamic content](#5-optionally-regenerate-all-dynamic-content) + +You can use [Ansible Generator](https://github.com/robertdebock/ansible-generator) to regenerate all dynamic content. + +If you don't do it, I'll do it later for you. + +### [6. Make a pull request](#6-make-a-pull-request) + +[GitHub](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/creating-a-pull-request-from-a-fork) on pull requests. + +In the comment-box, you can [refer to the issue number](https://help.github.com/en/github/writing-on-github/autolinked-references-and-urls) by using #123, where 123 is the issue number. + +### [7. Wait](#7-wait) + +Now I'll get a message that you've added some code. Thank you, really. + +CI starts to test your changes. You can follow the progress on Travis. + +Please consider [sponsoring me](https://github.com/sponsors/robertdebock). diff --git a/roles/robertdebock.bootstrap/LICENSE b/roles/robertdebock.bootstrap/LICENSE new file mode 100644 index 00000000..e770af82 --- /dev/null +++ b/roles/robertdebock.bootstrap/LICENSE 
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2021 Robert de Bock (robert@meinit.nl) + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/roles/robertdebock.bootstrap/README.md b/roles/robertdebock.bootstrap/README.md new file mode 100644 index 00000000..fd155f55 --- /dev/null +++ b/roles/robertdebock.bootstrap/README.md 
@@ -0,0 +1,103 @@ +# [bootstrap](#bootstrap) + +Prepare your system to be managed by Ansible. + +|GitHub|GitLab|Quality|Downloads|Version| +|------|------|-------|---------|-------| +|[![github](https://github.com/robertdebock/ansible-role-bootstrap/workflows/Ansible%20Molecule/badge.svg)](https://github.com/robertdebock/ansible-role-bootstrap/actions)|[![gitlab](https://gitlab.com/robertdebock/ansible-role-bootstrap/badges/master/pipeline.svg)](https://gitlab.com/robertdebock/ansible-role-bootstrap)|[![quality](https://img.shields.io/ansible/quality/21642)](https://galaxy.ansible.com/robertdebock/bootstrap)|[![downloads](https://img.shields.io/ansible/role/d/21642)](https://galaxy.ansible.com/robertdebock/bootstrap)|[![Version](https://img.shields.io/github/release/robertdebock/ansible-role-bootstrap.svg)](https://github.com/robertdebock/ansible-role-bootstrap/releases/)| + +## [Example Playbook](#example-playbook) + +This example is taken from `molecule/resources/converge.yml` and is tested on each push, pull request and release. +```yaml +--- +- name: Converge + hosts: all + become: yes + gather_facts: no + + roles: + - role: robertdebock.bootstrap +``` + +Also see a [full explanation and example](https://robertdebock.nl/how-to-use-these-roles.html) on how to use these roles. + +## [Role Variables](#role-variables) + +These variables are set in `defaults/main.yml`: +```yaml +--- +# defaults file for bootstrap + +# The user to use to connect to machines. +bootstrap_user: root + +# Do you want to wait for the host to be available? +bootstrap_wait_for_host: no + +# The number of seconds you want to wait during connection test before failing. +bootstrap_timeout: 3 +``` + +## [Requirements](#requirements) + +- pip packages listed in [requirements.txt](https://github.com/robertdebock/ansible-role-bootstrap/blob/master/requirements.txt). + + +## [Context](#context) + +This role is a part of many compatible roles. 
Have a look at [the documentation of these roles](https://robertdebock.nl/) for further information. + +Here is an overview of related roles: +![dependencies](https://raw.githubusercontent.com/robertdebock/ansible-role-bootstrap/png/requirements.png "Dependencies") + +## [Compatibility](#compatibility) + +This role has been tested on these [container images](https://hub.docker.com/u/robertdebock): + +|container|tags| +|---------|----| +|amazon|Candidate| +|el|7, 8| +|debian|all| +|fedora|all| +|opensuse|all| +|ubuntu|focal, bionic| + +The minimum version of Ansible required is 2.10, tests have been done to: + +- The previous version. +- The current version. +- The development version. + +## [Exceptions](#exceptions) + +Some variarations of the build matrix do not work. These are the variations and reasons why the build won't work: + +| variation | reason | +|---------------------------|------------------------| +| alpine:edge | Failed to create temporary directory. | + + +If you find issues, please register them in [GitHub](https://github.com/robertdebock/ansible-role-bootstrap/issues) + +## [License](#license) + +Apache-2.0 + +## [Contributors](#contributors) + +I'd like to thank everybody that made contributions to this repository. It motivates me, improves the code and is just fun to collaborate. + +- [rembik](https://github.com/rembik) +- [jellevandehaterd](https://github.com/jellevandehaterd) +- [fzarifian](https://github.com/fzarifian) +- [kmonticolo](https://github.com/kmonticolo) +- [CrystalStiletto](https://github.com/CrystalStiletto) +- [infothrill](https://github.com/infothrill) + +## [Author Information](#author-information) + +[Robert de Bock](https://robertdebock.nl/) + +Please consider [sponsoring me](https://github.com/sponsors/robertdebock). diff --git a/roles/robertdebock.bootstrap/SECURITY.md b/roles/robertdebock.bootstrap/SECURITY.md new file mode 100644 index 00000000..cdbc6628 --- /dev/null +++ b/roles/robertdebock.bootstrap/SECURITY.md 
@@ -0,0 +1,25 @@ +# [Security Policy](#security-policy) + +This software implements other software, it's not very likely that this software introduces new vulnerabilities. + +## [Supported Versions](#supported-versions) + +The current major version is supported. For example if the current version is 3.4.1: + +| Version | Supported | +| ------- | ------------------ | +| 3.4.1 | :white_check_mark: | +| 3.4.x | :white_check_mark: | +| 3.x.x | :white_check_mark: | +| 2.0.0 | :x: | +| 1.0.0 | :x: | + +## [Reporting a Vulnerability](#reporting-a-vulnarability) + +Please [open an issue](https://github.com/robertdebock/ansible-role-bootstrap/issues) describing the vulnerability. + +Tell them where to go, how often they can expect to get an update on a +reported vulnerability, what to expect if the vulnerability is accepted or +declined, etc. + +Please consider [sponsoring me](https://github.com/sponsors/robertdebock). diff --git a/roles/robertdebock.bootstrap/defaults/main.yml b/roles/robertdebock.bootstrap/defaults/main.yml new file mode 100644 index 00000000..6c8972a4 --- /dev/null +++ b/roles/robertdebock.bootstrap/defaults/main.yml @@ -0,0 +1,11 @@ +--- +# defaults file for bootstrap + +# The user to use to connect to machines. +bootstrap_user: root + +# Do you want to wait for the host to be available? +bootstrap_wait_for_host: no + +# The number of seconds you want to wait during connection test before failing. +bootstrap_timeout: 3 diff --git a/roles/robertdebock.bootstrap/meta/exception.yml b/roles/robertdebock.bootstrap/meta/exception.yml new file mode 100644 index 00000000..ede849b1 --- /dev/null +++ b/roles/robertdebock.bootstrap/meta/exception.yml @@ -0,0 +1,4 @@ +--- +exceptions: + - variation: alpine:edge + reason: "Failed to create temporary directory." diff --git a/roles/robertdebock.bootstrap/meta/main.yml b/roles/robertdebock.bootstrap/meta/main.yml new file mode 100644 index 00000000..22b8b530 --- /dev/null 
+++ b/roles/robertdebock.bootstrap/meta/main.yml
@@ -0,0 +1,41 @@
+---
+galaxy_info:
+ author: Robert de Bock
+ role_name: bootstrap
+ description: Prepare your system to be managed by Ansible.
+ license: Apache-2.0
+ company: none
+ min_ansible_version: "2.10"
+
+ platforms:
+ # Broken: idempotence, gather_facts: Failed to create temporary directory.
+ # - name: Alpine
+ # versions:
+ # - all
+ - name: Amazon
+ versions:
+ - Candidate
+ - name: EL
+ versions:
+ - 7
+ - 8
+ - name: Debian
+ versions:
+ - all
+ - name: Fedora
+ versions:
+ - all
+ - name: OpenSUSE
+ versions:
+ - all
+ - name: Ubuntu
+ versions:
+ - focal
+ - bionic
+
+ galaxy_tags:
+ - bootstrap
+ - python
+ - sudo
+
+dependencies: []
diff --git a/roles/robertdebock.bootstrap/meta/preferences.yml b/roles/robertdebock.bootstrap/meta/preferences.yml
new file mode 100644
index 00000000..e7fdebfd
--- /dev/null
+++ b/roles/robertdebock.bootstrap/meta/preferences.yml
@@ -0,0 +1,2 @@
+---
+tox_parallel: yes
diff --git a/roles/robertdebock.bootstrap/molecule/default/converge.yml b/roles/robertdebock.bootstrap/molecule/default/converge.yml
new file mode 100644
index 00000000..3cd3d548
--- /dev/null
+++ b/roles/robertdebock.bootstrap/molecule/default/converge.yml
@@ -0,0 +1,8 @@
+---
+- name: Converge
+ hosts: all
+ become: yes
+ gather_facts: no
+
+ roles:
+ - role: ansible-role-bootstrap
diff --git a/roles/robertdebock.bootstrap/molecule/default/molecule.yml b/roles/robertdebock.bootstrap/molecule/default/molecule.yml
new file mode 100644
index 00000000..82a49e11
--- /dev/null
+++ b/roles/robertdebock.bootstrap/molecule/default/molecule.yml
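Review bot: Nothing in the new meta/main.yml records which upstream revision of robertdebock.bootstrap this inlined copy was taken from, while the diff removes the submodule pointers that used to pin the roles (the `Subproject commit` deletion for ryandaniels.create_users is visible later in this diff; the bootstrap role presumably followed the same path). Once the role is vendored, a reviewer can no longer diff it against upstream or tell whether a later upstream fix has been picked up, and that matters for a role that runs package managers as root. I would add a provenance header above `galaxy_info:`, e.g. `# Vendored copy of https://github.com/robertdebock/ansible-role-bootstrap` and `# upstream ref: <tag or commit this copy was taken from>`, and refresh it whenever the copy is updated. Recording the ref also lets a dependency scanner match the copy against upstream advisories.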
@@ -0,0 +1,30 @@ +--- +# +# Ansible managed +# +dependency: + name: galaxy + options: + role-file: requirements.yml +lint: | + set -e + yamllint . + ansible-lint +driver: + name: docker +platforms: + - name: "bootstrap-${image:-fedora}-${tag:-latest}${TOX_ENVNAME}" + image: "${namespace:-robertdebock}/${image:-fedora}:${tag:-latest}" + command: /sbin/init + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + privileged: yes + pre_build_image: yes +provisioner: + name: ansible + config_options: + defaults: + stdout_callback: yaml + bin_ansible_callbacks: yes +verifier: + name: ansible diff --git a/roles/robertdebock.bootstrap/molecule/default/verify.yml b/roles/robertdebock.bootstrap/molecule/default/verify.yml new file mode 100644 index 00000000..ff3ec4ee --- /dev/null +++ b/roles/robertdebock.bootstrap/molecule/default/verify.yml @@ -0,0 +1,14 @@ +--- +- name: Verify + hosts: all + become: no + gather_facts: no + + tasks: + - name: test connection + ping: + + - name: try the package module + package: + name: gzip + state: present diff --git a/roles/robertdebock.bootstrap/requirements.txt b/roles/robertdebock.bootstrap/requirements.txt new file mode 100644 index 00000000..ba1d384f --- /dev/null +++ b/roles/robertdebock.bootstrap/requirements.txt @@ -0,0 +1,10 @@ +# These role have been tested with these PIP component. +# To install the required version yourself, use a command as: +# `python -m pip --user install -r requirements.txt` +# See the pip requirements file documentation for details: +# https://pip.pypa.io/en/stable/user_guide/#requirements-files +# +# Tests run on the previous and current (latest) version of Ansible. +ansible>=2.10 +# Some Jinja2 filters are used that are available in the newer releases. +jinja2>=2.11.2 diff --git a/roles/robertdebock.bootstrap/tasks/assert.yml b/roles/robertdebock.bootstrap/tasks/assert.yml new file mode 100644 index 00000000..dde1156e --- /dev/null +++ b/roles/robertdebock.bootstrap/tasks/assert.yml 
@@ -0,0 +1,23 @@
+---
+
+- name: test if bootstrap_user is set correctly
+ assert:
+ that:
+ - bootstrap_user is defined
+ - bootstrap_user is string
+ quiet: yes
+
+- name: test if bootstrap_wait_for_host is set correctly
+ assert:
+ that:
+ - bootstrap_wait_for_host is defined
+ - bootstrap_wait_for_host is boolean
+ quiet: yes
+
+- name: test if bootstrap_timeout is set correctly
+ assert:
+ that:
+ - bootstrap_timeout is defined
+ - bootstrap_timeout is number
+ - bootstrap_timeout >= 0
+ quiet: yes
diff --git a/roles/robertdebock.bootstrap/tasks/gather_facts.yml b/roles/robertdebock.bootstrap/tasks/gather_facts.yml
new file mode 100644
index 00000000..6ea1d984
--- /dev/null
+++ b/roles/robertdebock.bootstrap/tasks/gather_facts.yml
@@ -0,0 +1,29 @@
+---
+- name: lookup bootstrap facts
+ become: no
+ raw: "cat /etc/os-release"
+ check_mode: no
+ register: bootstrap_facts
+ changed_when: no
+ vars:
+ ansible_user: "{{ bootstrap_user }}"
+
+- name: set bootstrap facts (I)
+ set_fact:
+ bootstrap_distribution: "{{ item }}"
+ bootstrap_distribution_major_version: "{{ bootstrap_facts.stdout_lines | join(',') | regex_replace(
+ '^.*VERSION_ID=\"(\\d{1,2})(\\.\\d{1,4})*?\".*$','\\1') | default('NA') }}"
+ loop: "{{ bootstrap_os_family_map | dict2items | map(attribute='value') | flatten }}"
+ when:
+ - bootstrap_facts.rc == 0
+ - bootstrap_distribution is not defined
+ - bootstrap_facts.stdout is regex('PRETTY_NAME=.'~ bootstrap_search[item] | default(item) ~'.*')
+
+- name: set bootstrap facts (II)
+ set_fact:
+ bootstrap_os_family: "{{ item.key }}"
+ loop: "{{ bootstrap_os_family_map | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ when:
+ - bootstrap_distribution in item.value
diff --git a/roles/robertdebock.bootstrap/tasks/main.yml b/roles/robertdebock.bootstrap/tasks/main.yml
new file mode 100644
index 00000000..a6047a51
--- /dev/null
+++ b/roles/robertdebock.bootstrap/tasks/main.yml
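Review bot: The `| default('NA')` on `bootstrap_distribution_major_version` in gather_facts.yml can never take effect, because `regex_replace` returns its input unchanged when the pattern does not match, so on a host where the `\"`-anchored `VERSION_ID` pattern fails the "major version" fact holds the entire joined /etc/os-release text. That case is not exotic: some distributions ship `VERSION_ID` unquoted (Fedora and Alpine, as far as I recall) and rolling releases have none at all. The role still works because the lookups in vars/main.yml fall through their `default()` chain, but a fact that silently contains the whole file is a debugging trap and is used verbatim as a dictionary key. I would extract the value with a search and an explicit fallback instead, e.g. `regex_search('VERSION_ID=\"?(\\d{1,2})', '\\1') | default(['NA'], true) | first` in place of the `regex_replace(...) | default('NA')` expression, which also accepts the unquoted form; please confirm the `regex_search` no-match return value on the minimum Ansible 2.10 before relying on the `default(…, true)`.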
@@ -0,0 +1,58 @@
+---
+# tasks file for bootstrap
+
+- name: include assert.yml
+ import_tasks: assert.yml
+ run_once: yes
+ delegate_to: localhost
+
+- name: wait for host
+ wait_for:
+ port: "{{ ansible_port | default('22') }}"
+ host: "{{ (ansible_ssh_host | default(ansible_host) | default(inventory_hostname)) }}"
+ connection: local
+ become: no
+ when:
+ - ansible_connection is defined
+ - ansible_connection not in [ "docker", "container" ]
+ - bootstrap_wait_for_host | bool
+
+- name: prepare system
+ block:
+ - name: test connection
+ wait_for_connection:
+ timeout: "{{ bootstrap_timeout }}"
+ register: bootstrap_connect
+ changed_when: no
+ rescue:
+ - name: gather bootstrap facts
+ include_tasks: "gather_facts.yml"
+
+ - name: install bootstrap packages
+ raw: "{{ bootstrap_install.raw }}"
+ register: bootstrap_install_packages
+ changed_when:
+ - (bootstrap_install.stdout_regex in bootstrap_install_packages.stdout and
+ bootstrap_os_family in [ "Alpine", "Archlinux", "Gentoo" ]) or
+ (bootstrap_install.stdout_regex not in bootstrap_install_packages.stdout and
+ bootstrap_os_family in [ "Debian", "RedHat", "Suse" ])
+ vars:
+ ansible_user: "{{ bootstrap_user }}"
+ always:
+ - name: set bootstrap_ansible_user
+ set_fact:
+ bootstrap_ansible_user: "{{ ansible_user | default(omit) if bootstrap_connect is succeeded else bootstrap_user }}"
+ changed_when: no
+
+- name: ensure system is prepared
+ block:
+ - name: gather ansible facts
+ setup:
+
+ - name: install bootstrap packages
+ package:
+ name: "{{ item }}"
+ state: present
+ loop: "{{ bootstrap_facts_packages.split() }}"
+ vars:
+ ansible_user: "{{ bootstrap_ansible_user | default(omit) }}"
diff --git a/roles/robertdebock.bootstrap/tox.ini b/roles/robertdebock.bootstrap/tox.ini
new file mode 100644
index 00000000..0b19c6eb
--- /dev/null
+++ b/roles/robertdebock.bootstrap/tox.ini
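Review bot: `import_tasks: assert.yml` with `run_once: yes` validates `bootstrap_user`, `bootstrap_wait_for_host` and `bootstrap_timeout` for one host only, so when those are set per host in host_vars a bad value on any other host is never caught by the assert and instead surfaces later as an undefined-variable or shell failure inside the root-level `raw` install; removing the `run_once: yes` line (the asserts are cheap and already run on localhost) makes the check per host. A second point in the `rescue:` branch: it runs `raw: "{{ bootstrap_install.raw }}"` as `bootstrap_user` (root by default) whenever `wait_for_connection` fails for any reason within `bootstrap_timeout`, which is 3 seconds by default, so a slow SSH handshake or a transient network error turns into a package-manager run rather than a retry; that trade-off should be stated in the README next to `bootstrap_timeout`, and a larger default is worth considering. Finally, `bootstrap_install.stdout_regex` is compared with `in`, i.e. a substring test rather than a regex, so either rename the key to `stdout_marker` or use `is search` so the name matches the semantics.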
@@ -0,0 +1,26 @@ +# +# Ansible managed +# +[tox] +minversion = 3.20 +# These environments are disabled: +# previous: Because collections don't work. ETA Fix: ansible-2.11 released. +envlist = py{39}-ansible-{current,next} + +skipsdist = true + +[testenv] +deps = + previous: ansible>=2.9, <2.10 + current: ansible + next: git+https://github.com/ansible/ansible.git@devel + molecule[docker]>=3, <4 + docker>=4.2, <4.3 + ansible-lint +commands = molecule test +setenv = + TOX_ENVNAME={envname} + PY_COLORS=1 + ANSIBLE_FORCE_COLOR=1 + +passenv = namespace image tag diff --git a/roles/robertdebock.bootstrap/vars/main.yml b/roles/robertdebock.bootstrap/vars/main.yml new file mode 100644 index 00000000..f5bc44a9 --- /dev/null +++ b/roles/robertdebock.bootstrap/vars/main.yml 
@@ -0,0 +1,70 @@
+---
+# vars file for bootstrap
+
+_bootstrap_packages:
+ Alpine: python3 sudo
+ Archlinux: python sudo
+ Debian: python3 sudo gnupg python3-apt
+ Gentoo: python sudo gentoolkit
+ RedHat: python3 sudo
+ Suse: python3 python3-xml sudo
+ Amazon: python sudo
+ CentOS_7: python sudo
+ Debian_8: python sudo gnupg
+ Debian_9: python sudo gnupg
+ RedHat_7: python sudo
+
+_bootstrap_install:
+ Alpine:
+ raw: "LANG=C apk update ; apk add {{ bootstrap_packages }}"
+ stdout_regex: 'Installing'
+ Archlinux:
+ raw: "LANG=C pacman -Sy --noconfirm {{ bootstrap_packages }}"
+ stdout_regex: ' installing python'
+ Debian:
+ raw: "LANG=C apt-get update && apt-get install -y {{ bootstrap_packages }}"
+ stdout_regex: ' 0 newly installed'
+ Gentoo:
+ raw: "LANG=C equery l {{ bootstrap_packages }} ||
+ (emaint -a sync ; emerge -qkv {{ bootstrap_packages }} ; echo 'changed')"
+ stdout_regex: 'changed'
+ RedHat:
+ raw: "LANG=C yum -y install {{ bootstrap_packages }}"
+ stdout_regex: 'Nothing'
+ Suse:
+ raw: "LANG=C zypper -n install {{ bootstrap_packages }}"
+ stdout_regex: 'Nothing'
+
+# See URL for available OS families and search queries
+# https://github.com/ansible/ansible/blob/devel/lib/ansible/module_utils/facts/system/distribution.py
+bootstrap_os_family_map:
+ Alpine: [Alpine]
+ Archlinux: [Archlinux, Antergos, Manjaro]
+ Debian: [Debian, Ubuntu, Raspbian, Neon, KDE neon,
+ Linux Mint, SteamOS, Devuan, Kali, 'Cumulus Linux']
+ Gentoo: [Gentoo, Funtoo]
+ RedHat: [RedHat, Fedora, CentOS, Scientific, SLC,
+ Ascendos, CloudLinux, PSBM, OracleLinux, OVS,
+ OEL, Amazon, Virtuozzo, XenServer, Alibaba]
+ Suse: [SLED, 'openSUSE Tumbleweed', 'openSUSE Leap',
+ SLES_SAP, SUSE_LINUX, SLES, openSUSE, SuSE]
+
+bootstrap_search:
+ Archlinux: 'Arch Linux'
+ OracleLinux: 'Oracle Linux'
+ RedHat: 'Red Hat'
+
+# Map the right set of packages, based on gathered bootstrap facts.
+bootstrap_packages: "{{ _bootstrap_packages[bootstrap_distribution ~'_'~ bootstrap_distribution_major_version]|default(
+ _bootstrap_packages[bootstrap_distribution])|default(
+ _bootstrap_packages[bootstrap_os_family]) }}"
+
+# Map the right install command, based on gathered bootstrap facts.
+bootstrap_install: "{{ _bootstrap_install[bootstrap_distribution ~'_'~ bootstrap_distribution_major_version]|default(
+ _bootstrap_install[bootstrap_distribution])|default(
+ _bootstrap_install[bootstrap_os_family]) }}"
+
+# Map the right set of packages, based on gathered ansible_facts.
+bootstrap_facts_packages: "{{ _bootstrap_packages[ansible_distribution ~'_'~ ansible_distribution_major_version]|default(
+ _bootstrap_packages[ansible_distribution])|default(
+ _bootstrap_packages[ansible_os_family]) }}"
diff --git a/roles/ryandaniels.create_users b/roles/ryandaniels.create_users
deleted file mode 160000
index 2ceb27b0..00000000
--- a/roles/ryandaniels.create_users
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 2ceb27b08ffb0581d410f98eee89c320d3347dd1
diff --git a/roles/ryandaniels.create_users/.gitignore b/roles/ryandaniels.create_users/.gitignore
new file mode 100644
index 00000000..c5a19509
--- /dev/null
+++ b/roles/ryandaniels.create_users/.gitignore
@@ -0,0 +1,7 @@
+.vaultpass
+.retry
+secret
+*.secret
+.venv
+.vscode
+*.tmp
diff --git a/roles/ryandaniels.create_users/.travis.yml b/roles/ryandaniels.create_users/.travis.yml
new file mode 100644
index 00000000..be7f6f51
--- /dev/null
+++ b/roles/ryandaniels.create_users/.travis.yml
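Review bot: The Gentoo command in `_bootstrap_install` ends with `; echo 'changed'`, so the exit status the `raw` task sees is always that of `echo`, and a failed `emaint -a sync` or `emerge` is reported as both successful and changed instead of failing the play; joining with `&&` fixes it: `(emaint -a sync && emerge -qkv {{ bootstrap_packages }} && echo 'changed')`. The Alpine entry has the same `;` between `apk update` and `apk add`, which lets the install proceed against a stale or missing index; `apk update && apk add {{ bootstrap_packages }}` fails early instead, matching the Debian entry. The Arch entry `pacman -Sy --noconfirm …` refreshes the package database and then installs without `-u`, which is the partial-upgrade pattern the Arch documentation calls unsupported and can leave a host with mismatched shared libraries; whether to use `-Syu` here or to drop the refresh is a policy choice for this repo, but it should be a deliberate one and noted in a comment. Since this file is vendored from upstream, the same fixes should be proposed there so they survive the next refresh.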
@@ -0,0 +1,95 @@
+---
+language: python
+python: "2.7"
+
+before_install:
+ # Make sure everything's up to date.
+ - sudo apt-get update -qq
+
+install:
+ # Install Ansible.
+ - pip install ansible
+ # - |
+ # if [ -f requirements.yml ]; then
+ # ansible-galaxy install --roles-path ../ -r requirements.yml
+ # fi
+
+ # Add ansible.cfg to pick up roles path.
+# - "printf '[defaults]\nroles_path = ../' > ansible.cfg"
+ - "{ echo '[defaults]'; echo 'roles_path = ../'; } >> ansible.cfg"
+
+script:
+ # Check the role/playbook's syntax.
+ - ansible-playbook -i tests/inventory tests/test.yml --syntax-check
+ - ansible-playbook -i tests/inventory tests/test-passchange.yml --syntax-check
+
+ # Run the role/playbook with ansible-playbook.
+ - "ansible-playbook -i tests/inventory tests/test.yml --connection=local --become"
+
+ # Run the role/playbook again, checking to make sure it's idempotent.
+ - >
+ ansible-playbook -i tests/inventory tests/test.yml --connection=local --become
+ | grep -q 'changed=0.*failed=0'
+ && (echo 'Idempotence test: pass' && exit 0)
+ || (echo 'Idempotence test: fail' && exit 1)
+
+ # Check users are setup
+ - id testuser101 | grep --silent "testuser101"
+ - id testuser102 | grep --silent "testuser102"
+ - id testuser103 | grep --silent "testuser103"
+ - id testuser104 | grep --silent "testuser104"
+ - id testuser105 | grep --silent "testuser105"
+ - id testuser106 | grep --silent "testuser106"
+ - id testuser107 | grep --silent "testuser107"
+ - id testuser108 | grep --silent "testuser108"
+ - id testuser109 | grep --silent "testuser109"
+ - id testuser110 | grep --silent "testuser110"
+ - id testuser111 | grep --silent "testuser111"
+ - sudo grep testuser101 /etc/shadow | awk -F":" '{exit $2!="$6$/y5RGZnFaD3f$96xVdOAnldEtSxivDY02h.DwPTrJgGQl8/MTRRrFAwKTYbFymeKH/1Rxd3k.RQfpgebM6amLK3xAaycybdc.60"}'
+ - sudo grep testuser102 /etc/shadow | awk -F":" '{exit $2!="$6$F/KXFzMa$ZIDqtYtM6sOC3UmRntVsTcy1rnsvw.6tBquOhX7Sb26jxskXpve8l6DYsQyI1FT8N5I5cL0YkzW7bLbSCMtUw1"}'
+ - grep --silent "^testuser101:" /etc/group
+ - ls -lgd /home/testuser101 | awk '{exit $3!="testuser101"}'
+ - sudo ls -lg /home/testuser101/.ssh/authorized_keys | awk '{exit $3!="testuser101"}'
+ - sudo cat /home/testuser101/.ssh/authorized_keys | wc -l | grep --silent "2"
+ - sudo chage -l testuser101 | grep "Account expires" | awk '{exit $4!="never"}'
+ - sudo chage -l testuser105 | grep "Account expires" | awk '{exit $4!="Jan"}'
+ - sudo cat /etc/sudoers|grep --silent "^testuser102 "
+ # Check UID is set as specified
+ - grep sshuser /etc/passwd | awk -F":" '{exit $3!="1099"}'
+ # Check group(s) are set for users
+ - grep "^groupcommon:" /etc/group | grep --silent testuser106
+ - grep "^testgroupweb:" /etc/group | grep --silent testuser107
+ # Check group not set on webserver
+ - grep "^testgroupdb:" /etc/group | grep --silent testuser107 || echo "success, testgroupdb not found"
+ # Check primary group set
+ - id -gn testuser105 | grep --silent "group105primary"
+ # Check primary group id set
+ - id -gn testuser106 | grep --silent "group106primary"
+ - id -g testuser106 | grep --silent 2222
+ # Check ssh key for user was created
+ - sudo cat /home/testuser108/.ssh/id_rsa | grep --silent "BEGIN RSA PRIVATE KEY"
+ - sudo cat /home/testuser109/.ssh/id_rsa | grep --silent "BEGIN RSA PRIVATE KEY"
+ # Check no ssh key for user was created
+ - sudo test ! -f /home/testuser110/.ssh/id_rsa
+ # Check key is encrypted
+ - sudo cat /home/testuser109/.ssh/id_rsa | grep --silent "ENCRYPTED"
+ # Check key size is correct
+ - sudo ssh-keygen -lf /home/testuser109/.ssh/id_rsa | awk '{exit $1!="4096"}'
+ # Check if not system account
+ - id -u testuser101 | awk '{exit ($1<1000)?"0":"1"}' || echo "success, not system account"
+ # Check if system account
+ - id -u testuser111 | awk '{exit ($1<1000)?"0":"1"}'
+ # Run the role/playbook again but change a password, and change password where on_create is set
+ - "ansible-playbook -i tests/inventory tests/test-passchange.yml --connection=local --become"
+
+ # Check password changed or not
+ - sudo grep testuser101 /etc/shadow | awk -F":" '{exit $2!="$6$/y5RGZnFaD3f$96xVdOAnldEtSxivDY02h.DwPTrJgGQl8/MTRRrFAwKTYbFymeKH/1Rxd3k.RQfpgebM6amLK3xAaycybdc.60"}'
+ - sudo grep testuser102 /etc/shadow | awk -F":" '{exit $2!="$6$F/KXFzMa$ZIDqtYtM6sOC3UmRnt__NEW_SHOULD_CHANGE__6jxskXpve8l6DYsQyI1FT8N5I5cL0YkzW7bLbSCMtUw1"}'
+ # Confirm you locked yourself out
+ - sudo grep testuser103 /etc/shadow | awk -F":" '{exit $2!="!"}'
+ # Confirm ssh key was changed and only 1 entry in file
+ - sudo grep --silent "^ssh-rsa AAABNEW.... test104@server" /home/testuser104/.ssh/authorized_keys
+ - sudo cat /home/testuser104/.ssh/authorized_keys | wc -l | grep --silent "1"
+
+notifications:
+ webhooks: https://galaxy.ansible.com/api/v1/notifications/
diff --git a/roles/ryandaniels.create_users/LICENSE b/roles/ryandaniels.create_users/LICENSE
new file mode 100644
index 00000000..1305c8c9
--- /dev/null
+++ b/roles/ryandaniels.create_users/LICENSE
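Review bot: Two of the negative checks under `script:` cannot fail: `grep "^testgroupdb:" /etc/group | grep --silent testuser107 || echo "success, testgroupdb not found"` succeeds whether or not testuser107 is in the group, and `id -u testuser101 | awk '{exit ($1<1000)?"0":"1"}' || echo "success, not system account"` succeeds for any UID, because the `|| echo` rescues the very condition the test is meant to reject. For a role that grants group membership and sudo, a membership check that can never fail is a gap in the regression suite, so negate the test instead of rescuing it: `- "! grep '^testgroupdb:' /etc/group | grep --silent testuser107"` and `- id -u testuser101 | awk '{exit ($1>=1000)?0:1}'`. The `$6$` strings asserted against /etc/shadow are test fixtures rather than real credentials as far as this file shows, but a comment saying so above `# Check users are setup` would stop secret scanners and future readers from flagging them. This CI file is vendored from upstream, so the fix should also be sent there.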
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2017 Ryan Daniels
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/roles/ryandaniels.create_users/README.md b/roles/ryandaniels.create_users/README.md new file mode 100644
index 00000000..c546bd6e
--- /dev/null
+++ b/roles/ryandaniels.create_users/README.md
@@ -0,0 +1,230 @@ +# ansible-role-create-users + +[![Build Status](https://travis-ci.org/ryandaniels/ansible-role-create-users.svg?branch=master)](https://travis-ci.org/ryandaniels/ansible-role-create-users) + +Role to manage users on linux. +Manage users in the user list config file (list is in the file vars/secret). +Add users (with specific uid), change passwords, lock/unlock user accounts, manage sudo access (per user), add ssh key(s) for sshkey based authentication, set user's primary group and gid, add user (append) to group(s) and group will be created if doesn't exist. +This is done on a per "group" basis (Ansible group variables), as set in the config file. The group comes from the Ansible group as set for a server in the inventory file. + +More detailed example can be found in the blog post: [User Management with Ansible](https://ryandaniels.ca/blog/ansible-user-management/) + +Note: Deleting users is not done on purpose. + +## Distros tested + +* Ubuntu 18.04 / 16.04 +* CentOS / RHEL: 7.x, 6.5, 5.9 + +## Dependencies + +Requires Ansible 2.6 (due to previous [bug 20096](https://github.com/ansible/ansible/issues/20096) with un-expiring users) + +## ansible-vault + +Use ansible-vault to encrypt sensitive info from git. 
+ +```bash +cat vars/secret +#encrypt if cleartext (before git commit/push) +ansible-vault encrypt vars/secret + +#Edit encrypted file: +ansible-vault edit vars/secret + +vi .vaultpass +-Enter the password for Ansible Vault from Password Safe +chmod 600 .vaultpass +vi ansible.cfg +#Insert the following lines +[defaults] +vault_password_file = ./.vaultpass +``` + +## .gitignore + +```bash +vi .gitignore +#Insert the following lines +.vaultpass +.retry +secret +*.secret +``` + +## How to generate password + +* on Ubuntu - Install "whois" package + +```bash +mkpasswd --method=SHA-512 +``` + +* on RedHat - Use Python + +```bash +python -c 'import crypt,getpass; print(crypt.crypt(getpass.getpass(), crypt.mksalt(crypt.METHOD_SHA512)))' +``` + +## Default Settings + +```yaml +--- +#Note: 'debug_enabled_default: true' will put hashed passwords in the output. +debug_enabled_default: false +default_update_password: on_create +default_shell: /bin/bash +``` + +## User Settings + +File Location: vars/secret + +* **username**: username - no spaces **(required)** +* **uid**: The numerical value of the user's ID (optional) +* **user_state**: present|lock **(required)** +* **password**: sha512 encrypted password (optional). If not set, password is set to "!" +* **update_password**: always|on_create (optional, default is on_create to be safe). + **WARNING**: when 'always', password will be change to password value. + If you are using 'always' on an **existing** users, **make sure to have the password set**. +* **comment**: Full name and Department or description of application (optional) (But you should set this!) +* **primarygroup**: Primary group name (optional). +* **primarygid**: Primary group ID (optional). If same gid is reused on server the playbook will fail. If same duplicate group is specified with different gid, last configured will be used. 
+ **WARNING**: changing the primarygroup and/or primarygid of **existing** users will not change permissions of existing files belonging to that user. Also old entries will remain in /etc/group. Use with caution. +* **groups**: Comma separated list of groups the user will be added to (appended). If group doesn't exist it will be created on the specific server. This is not the primary group (primary group is not modified) +* **shell**: path to shell (optional, default is /bin/bash) +* **ssh_key**: ssh key for ssh key based authentication (optional) + NOTE: 1 key can go on single line, but if multiple keys, use formatting below from first example. +* **exclusive_ssh_key**: yes|no (optional, default: no) + **WARNING**: exclusive_ssh_key: yes - will remove any ssh keys not defined here! no - will add any key specified. +* **generate_ssh_key**: Whether to generate a SSH key for the user in question. (optional, default is 'no') + NOTE: This will not overwrite an existing SSH key +* **ssh_key_bits**: Optionally specify number of bits in SSH key to create. (optional, default set by ssh-keygen) +* **ssh_key_passphrase**: Set a passphrase for the SSH key. If no passphrase is provided, the SSH key will default to having no passphrase. +* **use_sudo**: yes|no (optional, default no) +* **use_sudo_nopass**: yes|no (optional, default no). yes = passwordless sudo. +* **system**: yes|no (optional, default no). yes = create system account (uid < 1000). Does not work on existing users. +* **servers**: sub-element list of servers where changes are made. **(required)** + These are the Ansible groups from your Ansible inventory file. In below examples, `webserver` would be the 3 servers in the `webserver` Ansible inventory `webserver1`, `webserver2`, and `webserver3`. + +Note: + You can have duplicate usernames on different servers, if you want to have different settings. 
See below example of testuser102 has sudo on servers defined as the `webserver` group in the inventory, but no sudo on the `database` group. + +## Example Ansible Inventory file + +```yaml +[webserver] +webserver1 +webserver2 +webserver3 + +[database] +db1 +db2 +db3 + +[monitoring] +monitor1 +``` + +## Example config file (vars/secret) + +```yaml +--- +users: + - username: testuser101 + password: $6$/y5RGZnFaD3f$96xVdOAnldEtSxivDY02h.DwPTrJgGQl8/MTRRrFAwKTYbFymeKH/1Rxd3k.RQfpgebM6amLK3xAaycybdc.60 + update_password: on_create + comment: Test User 100 + shell: /bin/bash + ssh_key: | + ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx8crAHG/a9QBD4zO0ZHIjdRXy+ySKviXVCMIJ3/NMIAAzDyIsPKToUJmIApHHHF1/hBllqzBSkPEMwgFbXjyqTeVPHF8V0iq41n0kgbulJG testuser101@server1 + ssh-rsa AAAA.... testuser101@server2 + exclusive_ssh_key: yes + use_sudo: no + use_sudo_nopass: no + user_state: present + servers: + - webserver + - database + - monitoring + + - username: testuser102 + password: $6$F/KXFzMa$ZIDqtYtM6sOC3UmRntVsTcy1rnsvw.6tBquOhX7Sb26jxskXpve8l6DYsQyI1FT8N5I5cL0YkzW7bLbSCMtUw1 + update_password: always + comment: Test User 101 + groups: testcommon, testgroup102web + shell: /bin/sh + use_sudo: yes + user_state: present + servers: + - webserver + + - username: testuser102 + password: $6$F/KXFzMa$ZIDqtYtM6sOC3UmRntVsTcy1rnsvw.6tBquOhX7Sb26jxskXpve8l6DYsQyI1FT8N5I5cL0YkzW7bLbSCMtUw1 + update_password: always + comment: Test User 101 + groups: testcommon, testgroup102db + shell: /bin/sh + user_state: present + servers: + - database + + - username: testuser103 + password: $6$wBxBAqRmG6O$gPbg9hYShkuIe3YKMFujwiKsPKZHNFwoK4yCyTOlploljz53YSoPdCn9P5k8Qm0z062Q.8hvJ6DnnQQjwtrnS0 + user_state: present + servers: + - webserver + + - username: testuser104 + primarygroup: testgroup104primary + ssh_key: ssh-rsa AAAB.... 
test103@server + exclusive_ssh_key: no + use_sudo: no + user_state: present + servers: + - webserver + - monitoring + + - username: testuser105 + uid: 1099 + password: $6$XEnyI5UYSw$Rlc6tXtECtqdJ3uFitrbBlec1/8Fx2obfgFST419ntJqaX8sfPQ9xR7vj7dGhQsfX8zcSX3tumzR7/vwlIH6p/ + primarygroup: testgroup105primary + primarygid: 2222 + ssh_key: ssh-rsa AAAB.... test107@server + generate_ssh_key: yes + ssh_key_bits: 4096 + use_sudo: no + user_state: lock + servers: + - webserver + - database +``` + +## Example Playbook create-users.yml + +```bash +--- +- hosts: '{{inventory}}' + vars_files: + - vars/secret + become: yes + roles: + - create-users +``` + +## Prep + +* install ansible +* create keys +* ssh to client to add entry to known_hosts file +* configure client server authorized_keys +* run ansible commands + +## Usage + +Create all users + +```bash +ansible-playbook create-users.yml --ask-vault-pass --extra-vars "inventory=all-dev" -i hosts +``` diff --git a/roles/ryandaniels.create_users/defaults/main.yml b/roles/ryandaniels.create_users/defaults/main.yml new file mode 100644 index 00000000..edef989c --- /dev/null +++ b/roles/ryandaniels.create_users/defaults/main.yml @@ -0,0 +1,5 @@ +--- +#Note: 'debug_enabled_default: true' will put hashed passwords in the output. +debug_enabled_default: false +default_update_password: on_create +default_shell: /bin/bash diff --git a/roles/ryandaniels.create_users/meta/main.yml b/roles/ryandaniels.create_users/meta/main.yml new file mode 100644 index 00000000..10d0a040 --- /dev/null +++ b/roles/ryandaniels.create_users/meta/main.yml 
@@ -0,0 +1,36 @@
+---
+galaxy_info:
+ role_name: create-users
+ author: Ryan Daniels
+ description: Role to manage users on linux
+ license: MIT
+ min_ansible_version: 2.6
+ platforms:
+ - name: EL
+ versions:
+ - all
+ - name: GenericUNIX
+ versions:
+ - all
+ - any
+ - name: Fedora
+ versions:
+ - all
+ - name: Ubuntu
+ versions:
+ - all
+ - name: GenericLinux
+ versions:
+ - all
+ - any
+ - name: Debian
+ versions:
+ - all
+ galaxy_tags:
+ - system
+ - users
+ - ssh
+ - accounts
+ - user
+
+dependencies: []
diff --git a/roles/ryandaniels.create_users/tasks/main.yml b/roles/ryandaniels.create_users/tasks/main.yml new file mode 100644
index 00000000..c35955be
--- /dev/null
+++ b/roles/ryandaniels.create_users/tasks/main.yml
@@ -0,0 +1,193 @@ +--- +- name: debug variable group_names + debug: var=group_names + when: debug_enabled_default | bool + +- name: debug variable users + debug: var=users + when: debug_enabled_default | bool + +- name: Add group | create primary group before adding user to group + group: + name: "{{ item.0.primarygroup }}" + gid: "{{ item.0.primarygid | default(omit) }}" + state: present + when: item.0.primarygroup is defined and item.1 in group_names + with_subelements: + - "{{ users }}" + - servers + loop_control: + label: "primarygroup: {{ item.0.primarygroup if item.0.primarygroup is defined else '' }}, primarygid: {{ item.0.primarygid if item.0.primarygid is defined else 'default' }}" # noqa 204 + +# Get unique list of groups to create on the server (var is different on each server) +# Still keeps formatting of comma separated list and converts to list (even if whitespace) +- name: set_fact - get groups as list per server + set_fact: + groups_as_list: "{{ (groups_as_list|default([]) + item.0.groups.split(','))|map('trim')|list|sort|unique }}" + with_subelements: + - "{{ users }}" + - servers + when: item.0.groups is defined and item.1 in group_names + loop_control: + label: "username: {{ item.0.username }}, groups_as_list: {{ item.0.groups if item.0.groups is defined else '' }}" + +- name: debug show groups_as_list + debug: var=groups_as_list + when: debug_enabled_default | bool + +- name: Add group | create groups before adding user to group + group: + name: "{{ item }}" + state: present + when: groups_as_list is defined + loop: "{{ groups_as_list }}" + loop_control: + label: "groups: {{ item }}" + +- name: Add users | create users, shell, home dirs + user: + name: "{{ item.0.username }}" + uid: "{{ item.0.uid | default(omit, True) }}" + password: "{{ item.0.password if item.0.password is defined else '!' 
}}" + update_password: "{{ item.0.update_password if item.0.update_password is defined else default_update_password }}" + group: "{{ item.0.primarygroup | default(omit) }}" + groups: "{{ item.0.groups | default(omit) }}" + shell: "{{ item.0.shell if item.0.shell is defined else default_shell }}" + createhome: yes + system: "{{ item.0.system | default(omit) }}" + comment: "{{ item.0.comment if item.0.comment is defined else '' }}" + state: present #hard-coded in case user sets state of absent. Choice made to never delete accounts! +# expires: -1 #unlock account if locked ###Doesn't work like chage.. +# command: chage -E -1 {{ item.0.username }} #unlock password authentication +# register: user_results + when: (item.0.user_state == 'present' or item.0.user_state == 'lock') and item.1 in group_names +#works but not multiple servers #and 'centos6' in "{{ group_names }}" + with_subelements: + - "{{ users }}" + - servers + loop_control: + label: "username: {{ item.0.username }}, user_state: {{ item.0.user_state }}, password: {{ 'True' if item.0.password is defined else 'False' }}, update_password: {{ item.0.update_password if item.0.update_password is defined else default_update_password }}, primarygroup: {{ item.0.primarygroup if item.0.primarygroup is defined else ''}}, groups: {{ item.0.groups if item.0.groups is defined else ''}}, servers: {{ item.1 if item.1 is defined else '' }}, group_names: {{ group_names }}" # noqa 204 + +- name: Add users | Unlock password login (set expiry to -1) + user: + name: "{{ item.0.username }}" + expires: -1 #unlock account if locked +# command: chage -E -1 {{ item.0.username }} #unlock password authentication +# register: user_results + when: item.0.user_state == 'present' and item.1 in group_names + with_subelements: + - "{{ users }}" + - servers + loop_control: + label: "username: {{ item.0.username }}, user_state: {{ item.0.user_state }}" + +#- debug: var=user_results + +#DONE: Change to user module once -1 bug fixed. 
+#DONE: Follow issue https://github.com/ansible/ansible/issues/20096 +# - name: Add users | Unlock password login (set expiry to -1) +# chage: +# user: "{{ item.0.username }}" +# sp_expire: -1 +# # command: chage -E -1 {{ item.username }} #unlock password authentication +# when: item.0.user_state == 'present' and item.1 in group_names +# with_subelements: +# - "{{ users }}" +# - servers +# loop_control: +# label: "username: {{item.0.username}}, user_state: {{ item.0.user_state }}" + +##DONE user module doesn't work properly? expires=0 doesn't change anything. expires=1+ always updates?? +##Use chage module instead +# - name: Lock users | Lock password & ssh key authentication +# chage: +# user: "{{ item.0.username }}" +# sp_expire: 0 +# # command: chage -E 0 {{ item.0.username }} #Alternative lock password & ssh key authentication +# when: item.0.user_state == 'lock' and item.1 in group_names +# with_subelements: +# - "{{ users }}" +# - servers +# loop_control: +# label: "username: {{item.0.username}}, user_state: {{ item.0.user_state }}" + +- name: Lock users | Lock password & ssh key authentication + user: + name: "{{ item.0.username }}" + expires: 0 #lock account if not locked +# command: chage -E 0 {{ item.0.username }} #Alternative lock password & ssh key authentication +# register: user_results + when: item.0.user_state == 'lock' and item.1 in group_names + with_subelements: + - "{{ users }}" + - servers + loop_control: + label: "username: {{ item.0.username }}, user_state: {{ item.0.user_state }}" + +#Not needed, sp_expire -1 locks password authentication as well. 
+#- name: Lock users | Lock password login +# command: passwd -l {{ item.username }} #lock password authentication +# when: item.user_state == 'lock' +# with_items: "{{ users }}" + +- name: SSH Keys | Add authorized key for ssh key authentication + authorized_key: + user: "{{ item.0.username }}" + key: "{{ item.0.ssh_key }}" + exclusive: "{{ item.0.exclusive_ssh_key if item.0.exclusive_ssh_key is defined else 'no' }}" + state: present + when: item.0.ssh_key is defined and item.1 in group_names + with_subelements: + - "{{ users }}" + - servers + loop_control: + label: "username: {{ item.0.username }}, ssh_key: {{ 'True' if item.0.ssh_key is defined else 'False' }}, exclusive_ssh_key: {{ item.0.exclusive_ssh_key if item.0.exclusive_ssh_key is defined else 'False' }}" # noqa 204 + +- name: SSH Keys | Generate ssh key + user: + name: "{{ item.0.username }}" + generate_ssh_key: "{{ item.0.generate_ssh_key | default(false) }}" + ssh_key_bits: "{{ item.0.ssh_key_bits | default(omit) }}" + ssh_key_passphrase: "{{ item.0.ssh_key_passphrase | default(omit) }}" + when: item.0.generate_ssh_key is defined and item.1 in group_names + with_subelements: + - "{{ users }}" + - servers + loop_control: + label: "username: {{ item.0.username }}, generate_ssh_key: {{ 'True' if item.0.generate_ssh_key is defined else 'False' }}, ssh_key_bits: {{ item.0.ssh_key_bits if item.0.ssh_key_bits is defined else '' }}, ssh_key_passphrase: {{ 'True' if item.0.ssh_key_passphrase is defined else 'False' }} " + +- name: Sudo | add to sudoers file and validate + lineinfile: + dest: /etc/sudoers + state: present + regexp: '^{{ item.0.username }} ' +# line: '{{ item.0.username }} ALL=(ALL) NOPASSWD:ALL' + line: "{{ item.0.username }} ALL=(ALL) {{ 'NOPASSWD:' if ( item.0.use_sudo_nopass|d(false) ) else '' }}ALL" + validate: 'visudo -cf %s' + environment: + PATH: /usr/sbin:/usr/local/sbin:/sbin + # TODO: Fix literal compare + when: item.0.use_sudo|d(false)|bool == true and item.1 in group_names # noqa 601 
+ with_subelements: + - "{{ users }}" + - servers + loop_control: + label: "username: {{ item.0.username }}, use_sudo: {{ item.0.use_sudo|d(false) }}, use_sudo_nopass: {{ item.0.use_sudo_nopass|d(false) }}" +#environment fixes Redhat issue of hard-coded path to visudo + +- name: Sudo | remove from sudoers file and validate + lineinfile: + dest: /etc/sudoers + state: absent + regexp: '^{{ item.0.username }} ' + line: '{{ item.0.username }}' + validate: 'visudo -cf %s' + environment: + PATH: /usr/sbin:/usr/local/sbin:/sbin + # TODO: Fix literal compare + when: item.0.use_sudo|d(false)|bool == false and item.1 in group_names # noqa 601 + with_subelements: + - "{{ users }}" + - servers + loop_control: + label: "username: {{ item.0.username }}, use_sudo: {{ item.0.use_sudo|d(false) }}" diff --git a/roles/ryandaniels.create_users/tests/inventory b/roles/ryandaniels.create_users/tests/inventory new file mode 100644 index 00000000..a5f89b3c --- /dev/null +++ b/roles/ryandaniels.create_users/tests/inventory @@ -0,0 +1,2 @@ +[webserver] +localhost diff --git a/roles/ryandaniels.create_users/tests/test-passchange.yml b/roles/ryandaniels.create_users/tests/test-passchange.yml new file mode 100644 index 00000000..aeb4bb75 --- /dev/null +++ b/roles/ryandaniels.create_users/tests/test-passchange.yml 
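Review bot: The `Sudo | add to sudoers file and validate` and `Sudo | remove from sudoers file and validate` tasks at the end of the hunk interpolate the username unescaped into `regexp: '^{{ item.0.username }} '` and edit `/etc/sudoers` in place, so a username containing regex metacharacters can match another account's entry (and, in the `state: absent` task, delete it), and the removal task also strips any sudo grant for that user that this role never created. A per-user drop-in under `/etc/sudoers.d/` (mode 0440, still passed through `visudo -cf`) with the match escaped via `regex_escape` (Ansible 2.8+) confines the role to entries it owns; note that sudo skips drop-in file names containing a `.`, so such usernames need the dot replaced in the path, and the target must have `#includedir /etc/sudoers.d` enabled. Separately, the `Add users | create users, shell, home dirs` task sets `groups:` without `append: yes`, so the `user` module's default replaces the user's supplementary group list instead of appending as the README promises; either add `append: yes` or correct the README. If the `user` module does not already redact `ssh_key_passphrase` in its result, `no_log: true` on `SSH Keys | Generate ssh key` would keep it out of verbose output — worth confirming.

```yaml
- name: Sudo | add per-user drop-in and validate
  lineinfile:
    dest: "/etc/sudoers.d/{{ item.0.username | regex_replace('\\.', '_') }}"
    create: yes
    owner: root
    group: root
    mode: '0440'
    state: present
    regexp: "^{{ item.0.username | regex_escape }} "
    line: "{{ item.0.username }} ALL=(ALL) {{ 'NOPASSWD:' if ( item.0.use_sudo_nopass|d(false) ) else '' }}ALL"
    validate: 'visudo -cf %s'
  environment:
    PATH: /usr/sbin:/usr/local/sbin:/sbin
  when: item.0.use_sudo|d(false)|bool and item.1 in group_names
  # … unchanged: with_subelements / loop_control …

- name: Sudo | remove per-user drop-in
  file:
    path: "/etc/sudoers.d/{{ item.0.username | regex_replace('\\.', '_') }}"
    state: absent
  when: not (item.0.use_sudo|d(false)|bool) and item.1 in group_names
  # … unchanged: with_subelements / loop_control …
```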
@@ -0,0 +1,91 @@ +--- +- hosts: localhost + remote_user: root + + vars: + debug_enabled_default: false + + users: + - username: testuser101 + password: $6$/y5RGZnFaD3f$96xVdOAnldEtS__NEW_SHOULD_NOT_CHANGE__bFymeKH/1Rxd3k.RQfpgebM6amLK3xAaycybdc.60 + update_password: on_create + comment: Test User 100 + shell: /bin/bash + ssh_key: | + ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx8crAHG/a9QBD4zO0ZHIjdRXy+ySKviXVCMIJ3/NMIAAzDyIsPKToUJmIApHHHF1/hBllqzBSkPEMwgFbXjyqTeVPHF8V0iq41n0kgbulJG testuser101@server1 + ssh-rsa AAAA.... testuser101@server2 + exclusive_ssh_key: yes + use_sudo: no + user_state: present + servers: + - webserver + - database + - monitoring + + - username: testuser102 + password: $6$F/KXFzMa$ZIDqtYtM6sOC3UmRnt__NEW_SHOULD_CHANGE__6jxskXpve8l6DYsQyI1FT8N5I5cL0YkzW7bLbSCMtUw1 + update_password: always + comment: Test User 101 + groups: testnew102 + shell: /bin/sh + use_sudo: yes + user_state: present + servers: + - webserver + - database + - monitoring + + - username: testuser103 + update_password: always + use_sudo: no + user_state: present + servers: + - webserver + - database + - monitoring + + - username: testuser104 + ssh_key: ssh-rsa AAABNEW.... test104@server + exclusive_ssh_key: yes + use_sudo: no + user_state: present + servers: + - webserver + - database + - monitoring + + - username: testuser105 + uid: 1099 + password: $6$XEnyI5UYSw$Rlc6tXtECtqdJ3uFitrbBlec1/8Fx2obfgFST419ntJqaX8sfPQ9xR7vj7dGhQsfX8zcSX3tumzR7/vwlIH6p/ + primarygroup: group105primary + ssh_key: ssh-rsa AAAB.... 
test107@server + use_sudo: no + user_state: lock + servers: + - webserver + - database + - monitoring + + - username: testuser106 + user_state: present + primarygroup: group106primary + primarygid: 2222 + groups: groupcommon + servers: + - webserver + - database + + - username: testuser107 + user_state: present + groups: groupcommon, testgroupweb + servers: + - webserver + + - username: testuser107 + user_state: present + groups: groupcommon, testgroupdb + servers: + - database + + roles: + - ansible-role-create-users diff --git a/roles/ryandaniels.create_users/tests/test.yml b/roles/ryandaniels.create_users/tests/test.yml new file mode 100644 index 00000000..5e759192 --- /dev/null +++ b/roles/ryandaniels.create_users/tests/test.yml 
@@ -0,0 +1,126 @@ +--- +- hosts: localhost + remote_user: root + + vars: + debug_enabled_default: false + + users: + - username: testuser101 + password: $6$/y5RGZnFaD3f$96xVdOAnldEtSxivDY02h.DwPTrJgGQl8/MTRRrFAwKTYbFymeKH/1Rxd3k.RQfpgebM6amLK3xAaycybdc.60 + update_password: on_create + comment: Test User 100 + shell: /bin/bash + ssh_key: | + ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx8crAHG/a9QBD4zO0ZHIjdRXy+ySKviXVCMIJ3/NMIAAzDyIsPKToUJmIApHHHF1/hBllqzBSkPEMwgFbXjyqTeVPHF8V0iq41n0kgbulJG testuser101@server1 + ssh-rsa AAAA.... testuser101@server2 + exclusive_ssh_key: yes + use_sudo: no + user_state: present + servers: + - webserver + - database + - monitoring + + - username: testuser102 + password: $6$F/KXFzMa$ZIDqtYtM6sOC3UmRntVsTcy1rnsvw.6tBquOhX7Sb26jxskXpve8l6DYsQyI1FT8N5I5cL0YkzW7bLbSCMtUw1 + update_password: always + comment: Test User 101 + groups: testnew102 + shell: /bin/sh + use_sudo: yes + user_state: present + servers: + - webserver + - database + - monitoring + + - username: testuser103 + password: $6$wBxBAqRmG6O$gPbg9hYShkuIe3YKMFujwiKsPKZHNFwoK4yCyTOlploljz53YSoPdCn9P5k8Qm0z062Q.8hvJ6DnnQQjwtrnS0 + update_password: always + use_sudo: no + user_state: present + servers: + - webserver + - database + - monitoring + + - username: testuser104 + ssh_key: ssh-rsa AAAB.... test104@server + exclusive_ssh_key: no + use_sudo: no + user_state: present + servers: + - webserver + - database + - monitoring + + - username: testuser105 + uid: 1099 + password: $6$XEnyI5UYSw$Rlc6tXtECtqdJ3uFitrbBlec1/8Fx2obfgFST419ntJqaX8sfPQ9xR7vj7dGhQsfX8zcSX3tumzR7/vwlIH6p/ + primarygroup: group105primary + ssh_key: ssh-rsa AAAB.... 
test107@server + use_sudo: no + user_state: lock + servers: + - webserver + - database + - monitoring + + - username: testuser106 + user_state: present + primarygroup: group106primary + primarygid: 2222 + groups: groupcommon + servers: + - webserver + - database + + - username: testuser107 + user_state: present + groups: groupcommon, testgroupweb + servers: + - webserver + + - username: testuser107 + user_state: present + groups: groupcommon, testgroupdb + servers: + - database + + - username: testuser108 + user_state: present + generate_ssh_key: yes + servers: + - webserver + - database + - monitoring + + - username: testuser109 + user_state: present + generate_ssh_key: yes + ssh_key_bits: 4096 + ssh_key_passphrase: "use_vault_instead_of_cleartext_for_production" + servers: + - webserver + - database + - monitoring + + - username: testuser110 + user_state: present + generate_ssh_key: no + servers: + - webserver + - database + - monitoring + + - username: testuser111 + user_state: present + system: yes + servers: + - webserver + - database + - monitoring + + roles: + - ansible-role-create-users