From 2356df582b9a18cf0b72a2e0a490058541ae1486 Mon Sep 17 00:00:00 2001
From: Jakob Meier
Date: Mon, 21 Aug 2023 16:51:53 +0200
Subject: [PATCH] containers/homepage: new role sets up a rsyncd+nginx server which serves my website
---
 roles/containers/homepage/README.org | 13 +++++++
 roles/containers/homepage/defaults/main.yml | 8 ++++
 roles/containers/homepage/handlers/main.yml | 6 +++
 roles/containers/homepage/tasks/caddy.yml | 29 ++++++++++++++
 roles/containers/homepage/tasks/main.yml | 7 ++++
 roles/containers/homepage/tasks/nftables.yml | 8 ++++
 roles/containers/homepage/tasks/setup.yml | 39 +++++++++++++++++++
 .../homepage/templates/53_rsync.nft | 8 ++++
 .../containers/homepage/templates/nginx.conf | 8 ++++
 run.yml | 5 +++
 10 files changed, 131 insertions(+)
 create mode 100644 roles/containers/homepage/README.org
 create mode 100644 roles/containers/homepage/defaults/main.yml
 create mode 100644 roles/containers/homepage/handlers/main.yml
 create mode 100644 roles/containers/homepage/tasks/caddy.yml
 create mode 100644 roles/containers/homepage/tasks/main.yml
 create mode 100644 roles/containers/homepage/tasks/nftables.yml
 create mode 100644 roles/containers/homepage/tasks/setup.yml
 create mode 100644 roles/containers/homepage/templates/53_rsync.nft
 create mode 100644 roles/containers/homepage/templates/nginx.conf
diff --git a/roles/containers/homepage/README.org b/roles/containers/homepage/README.org
new file mode 100644
index 0000000..39cb9bc
--- /dev/null
+++ b/roles/containers/homepage/README.org
@@ -0,0 +1,13 @@
+* container/alpine-mirror
+Ansible role used to setup a rsyncd+nginx static file server
+which can be used to publish assets and download them.
+
+#+begin_src yaml
+alpine_mirror_domain: "mirror.ccw.icu"
+alpine_mirror_user: "deploy"
+alpine_mirror_token: "changeme"
+alpine_mirror_bucket: "aports"
+alpine_mirror_project_dir: "mirror"
+alpine_mirror_backend_port: "29027"
+alpine_mirror_frontend_port: "9027"
+#+end_src
diff --git a/roles/containers/homepage/defaults/main.yml b/roles/containers/homepage/defaults/main.yml
new file mode 100644
index 0000000..32e6fec
--- /dev/null
+++ b/roles/containers/homepage/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+homepage_domain: "ccw.icu"
+homepage_user: "deploy"
+homepage_token: "changeme"
+homepage_bucket: "pages"
+homepage_project_dir: "pages"
+homepage_backend_port: "29463"
+homepage_frontend_port: "9463"
diff --git a/roles/containers/homepage/handlers/main.yml b/roles/containers/homepage/handlers/main.yml
new file mode 100644
index 0000000..e974c82
--- /dev/null
+++ b/roles/containers/homepage/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart nftables
+ become: true
+ ansible.builtin.service:
+ name: nftables
+ state: restarted
diff --git a/roles/containers/homepage/tasks/caddy.yml b/roles/containers/homepage/tasks/caddy.yml
new file mode 100644
index 0000000..78a309e
--- /dev/null
+++ b/roles/containers/homepage/tasks/caddy.yml
@@ -0,0 +1,29 @@
+---
+- name: Make sure homepage caddy reverse proxy config exists
+ become: true
+ vars:
+ project_domain: "{{ homepage_domain }}"
+ project_port: "{{ homepage_frontend_port }}"
+ ansible.builtin.template:
+ src: ../../../network/caddy/templates/reverse-proxy.template
+ dest: /etc/caddy/homepage
+ mode: "0644"
+ validate: caddy validate --adapter caddyfile --config %s
+ register: projectconfig
+
+- name: Make sure caddy links to the homepage config
+ become: true
+ ansible.builtin.lineinfile:
+ path: /etc/caddy/Caddyfile
+ mode: "0644"
+ search_string: ^import /etc/caddy/homepage
+ line: import /etc/caddy/homepage
+ validate: caddy validate --adapter caddyfile --config %s
+ register: caddyconfig
+
+- name: Restart caddy
+ become: true
+ ansible.builtin.service:
+ name: caddy
+ state: restarted
+ when: caddyconfig.changed or projectconfig.changed
diff --git a/roles/containers/homepage/tasks/main.yml b/roles/containers/homepage/tasks/main.yml
new file mode 100644
index 0000000..9d41ae9
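Review bot: In defaults/main.yml, `homepage_token: "changeme"` gives the role a working placeholder rsync password whenever the variable is not overridden, and the same patch opens `homepage_backend_port` in nftables. Consider dropping the default and supplying the value from Ansible Vault, or failing early with an `ansible.builtin.assert` task using `that: homepage_token != "changeme"`. A one-line comment above the variable stating that it must be overridden per host would also help.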
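Review bot: In tasks/caddy.yml, `search_string: ^import /etc/caddy/homepage` reads like a regular expression, but `search_string` is matched as a literal substring, so the leading `^` is looked for verbatim and will not match an existing import line. Either switch to `regexp: '^import /etc/caddy/homepage$'` or drop the caret: `search_string: import /etc/caddy/homepage`. The trailing "Restart caddy" task could also become a handler notified by the two config tasks, matching how handlers/main.yml treats nftables.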
--- /dev/null
+++ b/roles/containers/homepage/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Setup homepage docker images
+ ansible.builtin.include_tasks: setup.yml
+- name: Setup homepage reverse proxy
+ ansible.builtin.include_tasks: caddy.yml
+- name: Ensure the homepage backend can be accessed by the CI
+ ansible.builtin.include_tasks: nftables.yml
diff --git a/roles/containers/homepage/tasks/nftables.yml b/roles/containers/homepage/tasks/nftables.yml
new file mode 100644
index 0000000..898c2f3
--- /dev/null
+++ b/roles/containers/homepage/tasks/nftables.yml
@@ -0,0 +1,8 @@
+---
+- name: Make sure the nftables vpn rule exists
+ become: true
+ ansible.builtin.template:
+ mode: "0644"
+ src: 53_rsync.nft
+ dest: /etc/nftables.d/53_homepage.nft
+ notify: Restart nftables
diff --git a/roles/containers/homepage/tasks/setup.yml b/roles/containers/homepage/tasks/setup.yml
new file mode 100644
index 0000000..0742eb2
--- /dev/null
+++ b/roles/containers/homepage/tasks/setup.yml
@@ -0,0 +1,39 @@
+---
+- name: Ensure homepage-project-dir exists
+ ansible.builtin.file:
+ path: "{{ container_dir }}/{{ homepage_project_dir }}"
+ state: directory
+ recurse: true
+
+- name: Create rsync file server docker container
+ community.docker.docker_container:
+ name: homepage-backend
+ image: codeberg.org/comcloudway/docker-rsyncd:latest
+ restart_policy: unless-stopped
+ env:
+ RSYNC_USER: "{{ homepage_user }}"
+ RSYNC_PASS: "{{ homepage_token }}"
+ BUCKET_NAME: "{{ homepage_bucket }}"
+ volumes:
+ - "{{ container_dir }}/{{ homepage_project_dir }}/files:/storage"
+ ports:
+ - "{{ homepage_backend_port }}:873"
+
+- name: Make sure nginx static file server config is installed
+ ansible.builtin.template:
+ src: "nginx.conf"
+ dest: "{{ container_dir }}/{{ homepage_project_dir }}/nginx.conf"
+ mode: "0644"
+
+- name: Create nginx file server docker container
+ community.docker.docker_container:
+ name: homepage-frontend
+ image: nginx:mainline-alpine
+ restart_policy: unless-stopped
+ volumes:
+ - "{{ container_dir }}/{{ homepage_project_dir }}/files:\
+ /usr/share/nginx/html/:ro"
+ - "{{ container_dir }}/{{ homepage_project_dir }}/nginx.conf:\
+ /etc/nginx/conf.d/default.conf/:ro"
+ ports:
+ - "{{ homepage_frontend_port }}:80"
diff --git a/roles/containers/homepage/templates/53_rsync.nft b/roles/containers/homepage/templates/53_rsync.nft
new file mode 100644
index 0000000..05e4fc7
--- /dev/null
+++ b/roles/containers/homepage/templates/53_rsync.nft
@@ -0,0 +1,8 @@
+#!/usr/sbin/nft -f
+
+table inet filter {
+ chain input {
+ # allow homepage rsync access
+ tcp dport {{ homepage_backend_port }} accept comment "Allow Homepage deployment"
+ }
+}
diff --git a/roles/containers/homepage/templates/nginx.conf b/roles/containers/homepage/templates/nginx.conf
new file mode 100644
index 0000000..967daf1
--- /dev/null
+++ b/roles/containers/homepage/templates/nginx.conf
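Review bot: In tasks/setup.yml both `ports:` entries publish on every host interface, so the nginx container on `homepage_frontend_port` is reachable directly over plain HTTP rather than only through the Caddy reverse proxy, and the rsync daemon is exposed wherever the firewall permits. If Caddy proxies to localhost (the reverse-proxy template is not part of this patch), bind the frontend as `- "127.0.0.1:{{ homepage_frontend_port }}:80"` and bind the backend to the VPN- or CI-facing address in the same way. The rsyncd task also passes `homepage_token` through `env:` without `no_log: true`, so the value can show up in verbose or diff output. Finally, `docker-rsyncd:latest` is a mutable tag; pinning a version or digest keeps the deployed image reviewable.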
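Review bot: The rule in templates/53_rsync.nft accepts `tcp dport {{ homepage_backend_port }}` from any source address, although the task installing it is named "nftables vpn rule" and the port fronts a password-only rsync daemon. Restricting it to the VPN interface or the CI source range would match the stated intent, for example `iifname "<vpn-interface>" tcp dport {{ homepage_backend_port }} accept comment "Allow Homepage deployment"` (the interface name is a placeholder). It is also worth verifying that this rule governs access at all: traffic to Docker-published ports is normally DNATed and passes the forward hook rather than `input`.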
@@ -0,0 +1,8 @@
+server {
+ listen 80;
+ server_name default;
+ location / {
+ root /usr/share/nginx/html;
+ autoindex on;
+ }
+}
diff --git a/run.yml b/run.yml
index 8680860..5e14927 100644
--- a/run.yml
+++ b/run.yml
@@ -69,3 +69,8 @@
 roles:
 - role: containers/alpine-mirror
 tags: aports
+- name: Setup homepage
+ hosts: all
+ roles:
+ - role: containers/homepage
+ tags: homepage
-- 
2.38.5
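Review bot: `autoindex on;` in templates/nginx.conf makes nginx list the contents of any directory that has no index file, so everything rsync uploads into the bucket becomes discoverable even when no page links to it. For a homepage this looks carried over from the mirror role; suggest `autoindex off;` together with an explicit `index index.html;`. Separately, `server_name default;` matches only the literal host name "default"; if a catch-all was intended, `listen 80 default_server;` with `server_name _;` states that explicitly.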