CI + Dev-Workspace: disable automatic rollout and setup new Workspace (#145)

Reviewed-on: #145
Co-authored-by: Michael Grote <michael.grote@posteo.de>
Co-committed-by: Michael Grote <michael.grote@posteo.de>
Michael Grote 2024-07-30 20:58:24 +02:00 committed by Michael Grote
parent 47a71e9d5b
commit bb6f7d1853
8 changed files with 51 additions and 81 deletions

.gitignore vendored

@ -1,5 +1,5 @@
.git/ .git/
vault-pass.yml vault-pass
id_ed25519 id_ed25519
id_ed25519.pub id_ed25519.pub
roles/ansible-role-pip roles/ansible-role-pip


@ -4,17 +4,13 @@ depends_on:
steps: steps:
ansible-lint: ansible-lint:
image: quay.io/ansible/creator-ee:v24.2.0 image: registry.mgrote.net/ansible-devspace:latest
commands: commands:
# Secrets # Secrets
- echo $${SSHKEY} | base64 -d > ./id_ed25519 # woodpecker verschluckt linebreakes, daher mit base64 -w0 "kodiert" - echo $${SSHKEY} | base64 -d > ./id_ed25519 # woodpecker verschluckt linebreaks, daher mit base64 -w0 "kodiert"
- echo $${VAULTPASS} | base64 -d > ./vault-pass.yml # Name des Secrets in Großschreibung - echo $${VAULTPASS} | base64 -d > ./vault-pass # Name des Secrets in Großschreibung
- chmod 0400 ./id_ed25519 - chmod 0400 ./id_ed25519
# Abhängigkeiten
- pip install pykeepass Jinja2 markupsafe jmespath --user
- ansible-galaxy install -r requirements.yaml
# Doing # Doing
- ansible-lint --version
- ansible-lint --force-color --format pep8 - ansible-lint --force-color --format pep8
# https://woodpecker-ci.org/docs/usage/secrets#use-secrets-in-commands # https://woodpecker-ci.org/docs/usage/secrets#use-secrets-in-commands
secrets: [vaultpass] secrets: [vaultpass]
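Review bot: The lint step now runs on `image: registry.mgrote.net/ansible-devspace:latest` instead of the previously pinned `quay.io/ansible/creator-ee:v24.2.0`, and the explicit `pip install` / `ansible-galaxy install` lines are gone, so the ansible-lint, pykeepass and role/collection versions behind a lint result are whatever the last image push contained and a failure like the one on this commit cannot be reproduced later; pin the tag or digest, e.g. `image: registry.mgrote.net/ansible-devspace:<IMAGE_TAG_PLACEHOLDER>`. The decoded vault password is written to `./vault-pass` without the permission tightening that `./id_ed25519` gets on the next line; add `- chmod 0400 ./vault-pass` after it. The context line `secrets: [vaultpass]` appears not to expose `sshkey` to this step, so `$${SSHKEY}` presumably expands empty and an empty `./id_ed25519` is written — if the key is not needed for linting, dropping those two lines from this step would be clearer than writing an empty file.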


@ -1,25 +0,0 @@
---
depends_on:
- ansible-lint
steps:
ansible-playbook:
image: quay.io/ansible/creator-ee:v24.2.0
commands:
# Secrets
- echo $${SSHKEY} | base64 -d > ./id_ed25519 # woodpecker verschluckt linebreakes, daher mit base64 -w0 "kodiert"
- echo $${VAULTPASS} | base64 -d > ./vault-pass.yml # Name des Secrets in Großschreibung
- chmod 0400 ./id_ed25519
# Abhängigkeiten
- pip install 'pykeepass==4.0.3' --user
- ansible-galaxy install -r requirements.yaml
# Debug
- ansible localhost -m debug -a "var={{ lookup('viczem.keepass.keepass', 'restic_repository_password', 'password') }}"
# Doing
#- ansible-playbook playbooks/2_all.yml playbooks/3_service/* --limit production
# https://woodpecker-ci.org/docs/usage/secrets#use-secrets-in-commands
secrets: [vaultpass, sshkey]
when:
- event: [push, pull_request_closed]
branch: master
...


@ -1,3 +1,11 @@
# ansible_heimserver # ansible_heimserver
[![status-badge](https://ci.mgrote.net/api/badges/2/status.svg)](https://ci.mgrote.net/repos/2) [![status-badge](https://ci.mgrote.net/api/badges/2/status.svg)](https://ci.mgrote.net/repos/2)
## ansible-devspace
- Repository: https://git.mgrote.net/container-images/ansible-devspace
- dort mit Woodpecker-CI gebaut und in eigene Registry gepushed
- ``devspace.sh`` pulled Image, prüft ob SSH-Key und ``vault-pass`` vorhanden sind
- mountet git-Secrets
- startet Container


@ -2,11 +2,9 @@
inventory = ./inventory inventory = ./inventory
nocows = 1 nocows = 1
retry_files_enabled = False retry_files_enabled = False
roles_path = ./roles roles_path = ./roles:~/.ansible/roles/
lookup_plugins = ./plugins/lookup
collections_path = ./collections
private_key_file = ./id_ed25519 private_key_file = ./id_ed25519
vault_password_file = vault-pass.yml vault_password_file = vault-pass
gathering = smart gathering = smart
[diff] [diff]
always = true always = true
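Review bot: With `collections_path = ./collections` removed and `roles_path` extended to `./roles:~/.ansible/roles/`, roles and collections now resolve from the container image's home directory, while the `requirements.yaml` that pinned their versions is deleted in the same commit, so the repository no longer records which role/collection versions the playbooks are validated against. Add a comment above `roles_path` such as `# roles and collections are provided by the ansible-devspace image; version pins live in that image's build, not in this repo` so the next reader knows where to look, and consider keeping a reference to the image tag in the README. `./roles` still comes first in `roles_path`, so a repo-local role silently shadows the image-provided one of the same name; that is presumably intended but worth stating in the same comment.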

devspace.sh Executable file

@ -0,0 +1,37 @@
#!/bin/bash
IMAGE="registry.mgrote.net/ansible-devspace:latest"
# Farben
# https://stackoverflow.com/questions/5947742/how-to-change-the-output-color-of-echo-in-linux
RESET='\033[0m'
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[0;33m'
echo -e "${GREEN}Run checks...${RESET}"
if ! [ -f "./vault-pass" ]; then
echo -e "${RED}Vault-Pass File is missing!${RESET}"
exit 1
fi
if ! [ -f "./id_ed25519" ]; then
echo -e "${RED}SSH-Private-Key is missing!${RESET}"
exit 1
fi
if ! [ -f "$HOME/.git-credentials" ]; then
echo -e "${YELLOW}~/.git-credentials not found!${RESET}"
fi
if ! [[ $(id -u) -eq "1000" ]]; then
echo -e "${RED}Wrong UID! (!=1000)${RESET}"
exit 1
fi
echo -e "${GREEN}Pull Image...${RESET}"
docker pull ${IMAGE}
echo -e "${GREEN}Start container...${RESET}"
docker run -it \
-v "$PWD:/home/ansible-dev/ansible-homeserver" \
-v "$HOME/.git-credentials:/home/ansible-dev/.git-credentials" \
-w /home/ansible-dev/ansible-homeserver ${IMAGE}
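Review bot: The `~/.git-credentials` check only warns, but the `docker run` below still bind-mounts that path unconditionally; when the file is absent Docker creates a root-owned directory at `$HOME/.git-credentials` on the host, which breaks a later `git credential store`. The credentials file holds plaintext tokens, so when it is mounted it should be read-only (`:ro`). A failed `docker pull` is also not checked and the script falls through to `docker run`, and without `--rm` every invocation leaves a stopped container behind. The rewrite below makes the mount conditional, read-only, and stops on the first failing command.
```shell
#!/bin/bash
set -eo pipefail
IMAGE="registry.mgrote.net/ansible-devspace:latest"
# … unchanged: colour definitions and the vault-pass / ssh-key / UID checks …
CRED_MOUNT=()
if [ -f "$HOME/.git-credentials" ]; then
  CRED_MOUNT=(-v "$HOME/.git-credentials:/home/ansible-dev/.git-credentials:ro")
else
  echo -e "${YELLOW}~/.git-credentials not found, starting without git credentials${RESET}"
fi
echo -e "${GREEN}Pull Image...${RESET}"
docker pull "${IMAGE}"
echo -e "${GREEN}Start container...${RESET}"
docker run -it --rm \
  -v "$PWD:/home/ansible-dev/ansible-homeserver" \
  ${CRED_MOUNT[@]+"${CRED_MOUNT[@]}"} \
  -w /home/ansible-dev/ansible-homeserver "${IMAGE}"
```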


@ -1,42 +0,0 @@
collections:
- name: community.general
version: "9.2.0"
- name: community.crypto
version: "2.21.1"
- name: ansible.posix
version: "1.5.4"
- name: community.docker
version: "3.11.0"
- name: viczem.keepass
version: "0.7.5"
roles:
- name: ansible-role-bootstrap
src: git+https://git.mgrote.net/ansible-role-mirrors/ansible-role-bootstrap
version: "7.0.2"
- name: ansible-ufw
src: git+https://git.mgrote.net/ansible-role-mirrors/ansible-ufw
version: "v4.1.13"
- name: ansible-manage-lvm
src: git+https://git.mgrote.net/ansible-role-mirrors/ansible-manage-lvm
version: "v0.2.12"
- name: ansible-role-unattended-upgrades
src: git+https://git.mgrote.net/ansible-role-mirrors/ansible-role-unattended-upgrades
version: "v4.6.0"
- name: ansible-role-pip
src: git+https://git.mgrote.net/ansible-role-mirrors/ansible-role-pip
version: "3.0.3"
- name: ansible-role-nfs
src: git+https://git.mgrote.net/ansible-role-mirrors/ansible-role-nfs
version: "2.0.0"
- name: ansible-role-docker
src: git+https://git.mgrote.net/ansible-role-mirrors/ansible-role-docker
version: "7.1.0"
- name: ansible_role_ctop
src: git+https://git.mgrote.net/ansible-role-mirrors/ansible_role_ctop
version: "1.1.6"
- name: ansible_role_gitea
src: git+https://git.mgrote.net/ansible-role-mirrors/ansible_role_gitea
version: "v3.5.0"
- name: ansible-role-postgresql
src: git+https://git.mgrote.net/ansible-role-mirrors/ansible-role-postgresql
version: "3.5.2"


@ -11,8 +11,6 @@
when: when:
- sanoid_syncoid_destination_host - sanoid_syncoid_destination_host
- name: add user to sudoers - name: add user to sudoers
become: true become: true
ansible.builtin.blockinfile: ansible.builtin.blockinfile: