From ac1e78664a52fb19293f00c0eb4a6b7d63300f28 Mon Sep 17 00:00:00 2001
From: Jakob Meier
Date: Mon, 14 Aug 2023 20:48:00 +0200
Subject: [PATCH] containers/alpine-mirror: new role

---
 roles/containers/alpine-mirror/README.org | 13 +++++++
 .../alpine-mirror/defaults/main.yml | 8 ++++
 .../alpine-mirror/handlers/main.yml | 6 +++
 .../containers/alpine-mirror/tasks/caddy.yml | 29 ++++++++++++++
 roles/containers/alpine-mirror/tasks/main.yml | 7 ++++
 .../alpine-mirror/tasks/nftables.yml | 8 ++++
 .../containers/alpine-mirror/tasks/setup.yml | 39 +++++++++++++++++++
 .../alpine-mirror/templates/53_rsync.nft | 8 ++++
 .../alpine-mirror/templates/nginx.conf | 8 ++++
 run.yml | 6 +++
 10 files changed, 132 insertions(+)
 create mode 100644 roles/containers/alpine-mirror/README.org
 create mode 100644 roles/containers/alpine-mirror/defaults/main.yml
 create mode 100644 roles/containers/alpine-mirror/handlers/main.yml
 create mode 100644 roles/containers/alpine-mirror/tasks/caddy.yml
 create mode 100644 roles/containers/alpine-mirror/tasks/main.yml
 create mode 100644 roles/containers/alpine-mirror/tasks/nftables.yml
 create mode 100644 roles/containers/alpine-mirror/tasks/setup.yml
 create mode 100644 roles/containers/alpine-mirror/templates/53_rsync.nft
 create mode 100644 roles/containers/alpine-mirror/templates/nginx.conf

diff --git a/roles/containers/alpine-mirror/README.org b/roles/containers/alpine-mirror/README.org
new file mode 100644
index 0000000..39cb9bc
--- /dev/null
+++ b/roles/containers/alpine-mirror/README.org
@@ -0,0 +1,13 @@
+* container/alpine-mirror
+Ansible role used to setup a rsyncd+nginx static file server
+which can be used to publish assets and download them.
+
+#+begin_src yaml
+alpine_mirror_domain: "mirror.ccw.icu"
+alpine_mirror_user: "deploy"
+alpine_mirror_token: "changeme"
+alpine_mirror_bucket: "aports"
+alpine_mirror_project_dir: "mirror"
+alpine_mirror_backend_port: "29027"
+alpine_mirror_frontend_port: "9027"
+#+end_src
diff --git a/roles/containers/alpine-mirror/defaults/main.yml b/roles/containers/alpine-mirror/defaults/main.yml
new file mode 100644
index 0000000..5f10810
--- /dev/null
+++ b/roles/containers/alpine-mirror/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+alpine_mirror_domain: "mirror.ccw.icu"
+alpine_mirror_user: "deploy"
+alpine_mirror_token: "changeme"
+alpine_mirror_bucket: "aports"
+alpine_mirror_project_dir: "mirror"
+alpine_mirror_backend_port: "29027"
+alpine_mirror_frontend_port: "9027"
diff --git a/roles/containers/alpine-mirror/handlers/main.yml b/roles/containers/alpine-mirror/handlers/main.yml
new file mode 100644
index 0000000..e974c82
--- /dev/null
+++ b/roles/containers/alpine-mirror/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart nftables
+  become: true
+  ansible.builtin.service:
+    name: nftables
+    state: restarted
diff --git a/roles/containers/alpine-mirror/tasks/caddy.yml b/roles/containers/alpine-mirror/tasks/caddy.yml
new file mode 100644
index 0000000..3cd8f62
--- /dev/null
+++ b/roles/containers/alpine-mirror/tasks/caddy.yml
@@ -0,0 +1,29 @@
+---
+- name: Make sure alpine-mirror caddy reverse proxy config exists
+  become: true
+  vars:
+    project_domain: "{{ alpine_mirror_domain }}"
+    project_port: "{{ alpine_mirror_frontend_port }}"
+  ansible.builtin.template:
+    src: ../../../network/caddy/templates/reverse-proxy.template
+    dest: /etc/caddy/alpine-mirror
+    mode: "0644"
+    validate: caddy validate --adapter caddyfile --config %s
+  register: projectconfig
+
+- name: Make sure caddy links to the alpine-mirror config
+  become: true
+  ansible.builtin.lineinfile:
+    path: /etc/caddy/Caddyfile
+    mode: "0644"
+    search_string: ^import /etc/caddy/alpine-mirror
+    line: import /etc/caddy/alpine-mirror
+    validate: caddy validate --adapter caddyfile --config %s
+  register: caddyconfig
+
+- name: Restart caddy
+  become: true
+  ansible.builtin.service:
+    name: caddy
+    state: restarted
+  when: caddyconfig.changed or projectconfig.changed
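Review bot: `alpine_mirror_token: "changeme"` in defaults/main.yml is a working default credential: setup.yml hands it straight to the rsyncd container as `RSYNC_PASS` and the nftables template opens the backend port, so any host whose inventory forgets to override the variable ends up serving rsync with a published password. Remove the default and guard the role instead, e.g. an `ansible.builtin.assert` at the top of tasks/main.yml with `that: alpine_mirror_token is defined and alpine_mirror_token != "changeme"`, with the real value supplied from vault. Passing the token through container `env` also leaves it readable by anyone who can run `docker inspect` on the host, which is worth a comment next to the variable. Keep in mind that the rsync daemon protocol does not encrypt the transfer itself, so this token only protects authentication, not the data in flight.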
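Review bot: `search_string: ^import /etc/caddy/alpine-mirror` in the lineinfile task is a literal substring match, so the leading `^` can never match and the option is effectively dead; the task only stays idempotent because lineinfile falls back to an exact comparison against `line`. Use `regexp: ^import /etc/caddy/alpine-mirror` if the anchor is wanted, or `search_string: import /etc/caddy/alpine-mirror` for a plain substring. The "Restart caddy" task uses `state: restarted`; if the caddy unit defines an ExecReload (the upstream unit does), `state: reloaded` picks up the new site without dropping connections, and the register/`when` pair could then become a handler like the existing "Restart nftables" one.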
diff --git a/roles/containers/alpine-mirror/tasks/main.yml b/roles/containers/alpine-mirror/tasks/main.yml
new file mode 100644
index 0000000..8aeb60c
--- /dev/null
+++ b/roles/containers/alpine-mirror/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Setup alpine mirror docker images
+  ansible.builtin.include_tasks: setup.yml
+- name: Setup alpine mirror reverse proxy
+  ansible.builtin.include_tasks: caddy.yml
+- name: Ensure the alpine mirror backend can be accessed by the CI
+  ansible.builtin.include_tasks: nftables.yml
diff --git a/roles/containers/alpine-mirror/tasks/nftables.yml b/roles/containers/alpine-mirror/tasks/nftables.yml
new file mode 100644
index 0000000..0ad92e6
--- /dev/null
+++ b/roles/containers/alpine-mirror/tasks/nftables.yml
@@ -0,0 +1,8 @@
+---
+- name: Make sure the nftables vpn rule exists
+  become: true
+  ansible.builtin.template:
+    mode: "0644"
+    src: 53_rsync.nft
+    dest: /etc/nftables.d/53_alpine_mirror.nft
+  notify: Restart nftables
diff --git a/roles/containers/alpine-mirror/tasks/setup.yml b/roles/containers/alpine-mirror/tasks/setup.yml
new file mode 100644
index 0000000..13d5cb0
--- /dev/null
+++ b/roles/containers/alpine-mirror/tasks/setup.yml
@@ -0,0 +1,39 @@
+---
+- name: Ensure alpine-mirror-project-dir exists
+  ansible.builtin.file:
+    path: "{{ container_dir }}/{{ alpine_mirror_project_dir }}"
+    state: directory
+    recurse: true
+
+- name: Create rsync file server docker container
+  community.docker.docker_container:
+    name: alpine-mirror-backend
+    image: codeberg.org/comcloudway/docker-rsyncd:latest
+    restart_policy: unless-stopped
+    env:
+      RSYNC_USER: "{{ alpine_mirror_user }}"
+      RSYNC_PASS: "{{ alpine_mirror_token }}"
+      BUCKET_NAME: "{{ alpine_mirror_bucket }}"
+    volumes:
+      - "{{ container_dir }}/{{ alpine_mirror_project_dir }}/files:/storage"
+    ports:
+      - "{{ alpine_mirror_backend_port }}:873"
+
+- name: Make sure nginx static file server config is installed
+  ansible.builtin.template:
+    src: "nginx.conf"
+    dest: "{{ container_dir }}/{{ alpine_mirror_project_dir }}/nginx.conf"
+    mode: "0644"
+
+- name: Create nginx file server docker container
+  community.docker.docker_container:
+    name: alpine-mirror-frontend
+    image: nginx:mainline-alpine
+    restart_policy: unless-stopped
+    volumes:
+      - "{{ container_dir }}/{{ alpine_mirror_project_dir }}/files:\
+        /usr/share/nginx/html/:ro"
+      - "{{ container_dir }}/{{ alpine_mirror_project_dir }}/nginx.conf:\
+        /etc/nginx/conf.d/default.conf/:ro"
+    ports:
+      - "{{ alpine_mirror_frontend_port }}:80"
diff --git a/roles/containers/alpine-mirror/templates/53_rsync.nft b/roles/containers/alpine-mirror/templates/53_rsync.nft
new file mode 100644
index 0000000..6fb6325
--- /dev/null
+++ b/roles/containers/alpine-mirror/templates/53_rsync.nft
@@ -0,0 +1,8 @@
+#!/usr/sbin/nft -f
+
+table inet filter {
+  chain input {
+    # allow alpine mirror rsync access
+    tcp dport {{ alpine_mirror_backend_port }} accept comment "Allow Alpine Mirror"
+  }
+}
diff --git a/roles/containers/alpine-mirror/templates/nginx.conf b/roles/containers/alpine-mirror/templates/nginx.conf
new file mode 100644
index 0000000..967daf1
--- /dev/null
+++ b/roles/containers/alpine-mirror/templates/nginx.conf
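Review bot: The `ports` entries `"{{ alpine_mirror_backend_port }}:873"` and `"{{ alpine_mirror_frontend_port }}:80"` publish both containers on every host address, and Docker's own rules DNAT published ports so that the packets traverse the forward chain rather than the host `input` chain that 53_rsync.nft adds to; the frontend is therefore reachable directly as well as through caddy, and the backend from anywhere regardless of the firewall rule. Bind the frontend to loopback, `"127.0.0.1:{{ alpine_mirror_frontend_port }}:80"`, and the backend to the specific address the CI reaches it on (loopback or the VPN address, via a new role variable) rather than relying on nftables to narrow it afterwards. The second nginx volume ends in `/etc/nginx/conf.d/default.conf/:ro`; the trailing slash on a file destination looks like a typo and should read `/etc/nginx/conf.d/default.conf:ro`. Both images are selected by mutable tag (`:latest`, `nginx:mainline-alpine`) with no digest and no explicit `pull`, so what actually runs drifts silently between hosts and runs; pin `image` to a digest, or at least set `pull: true` deliberately and document the choice.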
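Review bot: `tcp dport {{ alpine_mirror_backend_port }} accept` accepts connections from any source, although the task in nftables.yml is named "Make sure the nftables vpn rule exists" and main.yml describes the port as CI access only. Restrict the rule to where that traffic actually arrives, e.g. `iifname "<vpn-interface>" tcp dport {{ alpine_mirror_backend_port }} accept comment "Allow Alpine Mirror"` or an `ip saddr <ci-network>` match, with the interface or prefix taken from the wireguard role's variables rather than hard-coded. A one-line comment stating that the rule intentionally covers only the VPN path would also stop a later reader from widening it.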
@@ -0,0 +1,8 @@
+server {
+  listen 80;
+  server_name default;
+  location / {
+    root /usr/share/nginx/html;
+    autoindex on;
+  }
+}
diff --git a/run.yml b/run.yml
index 0ab9f9d..8004bed 100644
--- a/run.yml
+++ b/run.yml
@@ -63,3 +63,9 @@
   roles:
     - role: containers/wireguard
       tags: vpn
+# Rsyncd based file servers
+- name: Setup custom Alpine Mirror
+  hosts: all
+  roles:
+    - role: containers/alpine-mirror
+      tags: aports
-- 
2.38.5