
ac1e78664a52fb19293f00c0eb4a6b7d63300f28 — Jakob Meier 1 year, 1 month ago 758e7a8
containers/alpine-mirror: new role
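--- a/roles/containers/alpine-mirror/README.org
+++ b/roles/containers/alpine-mirror/README.org
@@ -0,0 +1,13 @@
+* container/alpine-mirror
+Ansible role used to setup a rsyncd+nginx static file server
+which can be used to publish assets and download them.
+
+#+begin_src yaml
+alpine_mirror_domain: "mirror.ccw.icu"
+alpine_mirror_user: "deploy"
+alpine_mirror_token: "changeme"
+alpine_mirror_bucket: "aports"
+alpine_mirror_project_dir: "mirror"
+alpine_mirror_backend_port: "29027"
+alpine_mirror_frontend_port: "9027"
+#+end_src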

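--- a/roles/containers/alpine-mirror/defaults/main.yml
+++ b/roles/containers/alpine-mirror/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+alpine_mirror_domain: "mirror.ccw.icu"
+alpine_mirror_user: "deploy"
+alpine_mirror_token: "changeme"
+alpine_mirror_bucket: "aports"
+alpine_mirror_project_dir: "mirror"
+alpine_mirror_backend_port: "29027"
+alpine_mirror_frontend_port: "9027"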
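Review bot: `alpine_mirror_token: "changeme"` is a live default for the rsync password (setup.yml injects it as `RSYNC_PASS` into a container whose port is published), so any host that does not override it runs the backend with a publicly known credential. Leave the token undefined in defaults and fail early at the top of setup.yml with `ansible.builtin.assert:` / `that: alpine_mirror_token is defined and alpine_mirror_token != "changeme"`, sourcing the real value from vault or host_vars. The container task that receives it should also carry `no_log: true`, since the `env` block is otherwise echoed into the module result and the play log.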

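--- a/roles/containers/alpine-mirror/handlers/main.yml
+++ b/roles/containers/alpine-mirror/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart nftables
+  become: true
+  ansible.builtin.service:
+    name: nftables
+    state: restarted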

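--- a/roles/containers/alpine-mirror/tasks/caddy.yml
+++ b/roles/containers/alpine-mirror/tasks/caddy.yml
@@ -0,0 +1,29 @@
+---
+- name: Make sure alpine-mirror caddy reverse proxy config exists
+  become: true
+  vars:
+    project_domain: "{{ alpine_mirror_domain }}"
+    project_port: "{{ alpine_mirror_frontend_port }}"
+  ansible.builtin.template:
+    src: ../../../network/caddy/templates/reverse-proxy.template
+    dest: /etc/caddy/alpine-mirror
+    mode: "0644"
+    validate: caddy validate --adapter caddyfile --config %s
+  register: projectconfig
+
+- name: Make sure caddy links to the alpine-mirror config
+  become: true
+  ansible.builtin.lineinfile:
+    path: /etc/caddy/Caddyfile
+    mode: "0644"
+    search_string: ^import /etc/caddy/alpine-mirror
+    line: import /etc/caddy/alpine-mirror
+    validate: caddy validate --adapter caddyfile --config %s
+  register: caddyconfig
+
+- name: Restart caddy
+  become: true
+  ansible.builtin.service:
+    name: caddy
+    state: restarted
+  when: caddyconfig.changed or projectconfig.changed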
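Review bot: `search_string` in lineinfile is a literal substring match, not a regex, so `^import /etc/caddy/alpine-mirror` can never match a line of the Caddyfile; the task still behaves idempotently only because the module falls back to an exact match on `line`. Use `search_string: import /etc/caddy/alpine-mirror` or `regexp: '^import /etc/caddy/alpine-mirror$'` so that a changed import line is replaced in place rather than appended. The unconditional `state: restarted` drops in-flight connections where a `caddy reload` handler would not, though that may simply follow the convention of the other caddy roles in this repo.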

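--- a/roles/containers/alpine-mirror/tasks/main.yml
+++ b/roles/containers/alpine-mirror/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Setup alpine mirror docker images
+  ansible.builtin.include_tasks: setup.yml
+- name: Setup alpine mirror reverse proxy
+  ansible.builtin.include_tasks: caddy.yml
+- name: Ensure the alpine mirror backend can be accessed by the CI
+  ansible.builtin.include_tasks: nftables.yml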

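--- a/roles/containers/alpine-mirror/tasks/nftables.yml
+++ b/roles/containers/alpine-mirror/tasks/nftables.yml
@@ -0,0 +1,8 @@
+---
+- name: Make sure the nftables vpn rule exists
+  become: true
+  ansible.builtin.template:
+    mode: "0644"
+    src: 53_rsync.nft
+    dest: /etc/nftables.d/53_alpine_mirror.nft
+  notify: Restart nftables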
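Review bot: The task name says "vpn rule", but the template it installs (`53_rsync.nft`) is a plain accept for the rsync port with no interface or source restriction, so the name claims more than is enforced. Rename it to `- name: Make sure the nftables rsync rule for the alpine mirror exists`, or, if VPN-only reachability is the actual intent, add that constraint to the template so the name becomes true.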

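--- a/roles/containers/alpine-mirror/tasks/setup.yml
+++ b/roles/containers/alpine-mirror/tasks/setup.yml
@@ -0,0 +1,39 @@
+---
+- name: Ensure alpine-mirror-project-dir exists
+  ansible.builtin.file:
+    path: "{{ container_dir }}/{{ alpine_mirror_project_dir }}"
+    state: directory
+    recurse: true
+
+- name: Create rsync file server docker container
+  community.docker.docker_container:
+    name: alpine-mirror-backend
+    image: codeberg.org/comcloudway/docker-rsyncd:latest
+    restart_policy: unless-stopped
+    env:
+      RSYNC_USER: "{{ alpine_mirror_user }}"
+      RSYNC_PASS: "{{ alpine_mirror_token }}"
+      BUCKET_NAME: "{{ alpine_mirror_bucket }}"
+    volumes:
+      - "{{ container_dir }}/{{ alpine_mirror_project_dir }}/files:/storage"
+    ports:
+      - "{{ alpine_mirror_backend_port }}:873"
+
+- name: Make sure nginx static file server config is installed
+  ansible.builtin.template:
+    src: "nginx.conf"
+    dest: "{{ container_dir }}/{{ alpine_mirror_project_dir }}/nginx.conf"
+    mode: "0644"
+
+- name: Create nginx file server docker container
+  community.docker.docker_container:
+    name: alpine-mirror-frontend
+    image: nginx:mainline-alpine
+    restart_policy: unless-stopped
+    volumes:
+      - "{{ container_dir }}/{{ alpine_mirror_project_dir }}/files:\
+        /usr/share/nginx/html/:ro"
+      - "{{ container_dir }}/{{ alpine_mirror_project_dir }}/nginx.conf:\
+        /etc/nginx/conf.d/default.conf/:ro"
+    ports:
+      - "{{ alpine_mirror_frontend_port }}:80"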
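Review bot: The second nginx volume ends in `/etc/nginx/conf.d/default.conf/:ro` — the trailing slash makes Docker treat the target as a directory, so the rendered nginx.conf is unlikely to end up as the config file (the mount tends to fail or leave an empty directory there); it should read `/etc/nginx/conf.d/default.conf:ro`. Both `ports:` entries publish on all interfaces; since Caddy fronts the frontend container, `"127.0.0.1:{{ alpine_mirror_frontend_port }}:80"` keeps it off the public address, while the backend has to stay reachable by the CI and so should be limited at the firewall instead. `recurse: true` on the `file` task walks the whole `files/` tree on every run with no attributes to apply; drop it, or set `owner`/`mode` deliberately if resetting them is the intent. The rsync container task receives the token in `env`, so it should set `no_log: true`.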

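--- a/roles/containers/alpine-mirror/templates/53_rsync.nft
+++ b/roles/containers/alpine-mirror/templates/53_rsync.nft
@@ -0,0 +1,8 @@
+#!/usr/sbin/nft -f
+
+table inet filter {
+	chain input {
+        # allow alpine mirror rsync access
+		tcp dport {{ alpine_mirror_backend_port }} accept comment "Allow Alpine Mirror"
+	}
+}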
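Review bot: `tcp dport {{ alpine_mirror_backend_port }} accept` accepts from any source, although tasks/main.yml describes this as CI access and the installing task calls it a VPN rule; if only the CI or VPN peers should reach rsyncd, qualify the rule with an interface or source match such as `iifname "<vpn-interface>"` or `ip saddr <ci-range>` (placeholders to fill in). The port is also published by `community.docker.docker_container` in setup.yml; on a Docker host with its own forwarding rules that traffic is generally not subject to this `input` chain, so this rule may not be what actually gates access — worth confirming on the host before relying on it. The comment line is indented with eight spaces while the surrounding lines use tabs.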

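--- a/roles/containers/alpine-mirror/templates/nginx.conf
+++ b/roles/containers/alpine-mirror/templates/nginx.conf
@@ -0,0 +1,8 @@
+server {
+	listen 80;
+	server_name default;
+	location / {
+		root /usr/share/nginx/html;
+		autoindex on;
+	}
+}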
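Review bot: `server_name default;` matches only requests whose Host header is literally `default`; nginx's catch-all is `server_name _;` combined with `listen 80 default_server;`. Because this is the only server block in the file it is selected for every request anyway, so the line is misleading rather than broken, and can simply be dropped. `autoindex on;` publishes a listing of everything under the mounted `files/` tree — presumably intended for a mirror, but worth recording with a comment such as `# directory listing is intentional: this is a public mirror`.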

M run.yml => run.yml +6 -0
@@ 63,3 63,9 @@
  roles:
    - role: containers/wireguard
      tags: vpn
# Rsyncd based file servers
- name: Setup custom Alpine Mirror
  hosts: all
  roles:
    - role: containers/alpine-mirror
      tags: aports
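Review bot: `hosts: all` on the new play deploys the rsyncd and nginx containers, and opens the rsync port, on every host in the inventory, which seems unlikely to be intended for a single mirror; scope it to a group or host, e.g. `hosts: mirror` (placeholder group name). The preceding play starts outside the hunk, so I cannot tell whether `all` plus tags is the convention this playbook already relies on. A blank line before `# Rsyncd based file servers` would separate the plays visually, if that is how the rest of run.yml is laid out.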