From ebf5f405f56f90b396c6ccb3492635a57a2ff149 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Thu, 19 Nov 2020 12:57:58 +0100
Subject: [PATCH] Initial kosmos_drone cookbook

Closes #235
---
 data_bags/credentials/drone.json | 24 ++++
 site-cookbooks/kosmos_drone/.gitignore | 22 ++++
 site-cookbooks/kosmos_drone/CHANGELOG.md | 7 ++
 site-cookbooks/kosmos_drone/LICENSE | 21 ++++
 site-cookbooks/kosmos_drone/README.md | 3 +
 site-cookbooks/kosmos_drone/chefignore | 110 ++++++++++++++++++
 site-cookbooks/kosmos_drone/metadata.rb | 11 ++
 .../kosmos_drone/recipes/default.rb | 85 ++++++++++++++
 .../templates/docker-compose.yml.erb | 36 ++++++
 .../kosmos_drone/templates/nginx_conf.erb | 34 ++++++
 10 files changed, 353 insertions(+)
 create mode 100644 data_bags/credentials/drone.json
 create mode 100644 site-cookbooks/kosmos_drone/.gitignore
 create mode 100644 site-cookbooks/kosmos_drone/CHANGELOG.md
 create mode 100644 site-cookbooks/kosmos_drone/LICENSE
 create mode 100644 site-cookbooks/kosmos_drone/README.md
 create mode 100644 site-cookbooks/kosmos_drone/chefignore
 create mode 100644 site-cookbooks/kosmos_drone/metadata.rb
 create mode 100644 site-cookbooks/kosmos_drone/recipes/default.rb
 create mode 100644 site-cookbooks/kosmos_drone/templates/docker-compose.yml.erb
 create mode 100644 site-cookbooks/kosmos_drone/templates/nginx_conf.erb

diff --git a/data_bags/credentials/drone.json b/data_bags/credentials/drone.json
new file mode 100644
index 0000000..d499634
--- /dev/null
+++ b/data_bags/credentials/drone.json
@@ -0,0 +1,24 @@
+{
+ "id": "drone",
+ "client_id": {
+ "encrypted_data": "PHC6f0UJwuaxnhMhxUVhHMqauCu9aYDp3IFqVzsxEoEodKhg8pgTWS14T5E7\nVm4xlcR/CuLcOA==\n",
+ "iv": "on4hNp3g6pLsvfTE\n",
+ "auth_tag": "ytx40h2fsBHhDpyhwKbHog==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ },
+ "client_secret": {
+ "encrypted_data": "HAKFqsrbL447wgropHz2rgHmyRl3G2d24svTT+TYMI0jtQFTQPZLxNZkl3ki\n42n7baNrfXN3IJeQRyxyihw0\n",
+ "iv": "pmdiLiFgSPNNP7dl\n",
+ "auth_tag": "4j98l+lZ0k4mLioJHS5VJw==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ },
+ "rpc_secret": {
+ "encrypted_data": "ll4f3ECLQTgJj47aeqnP0Ci1ncMYTwwFw1J46Qx3gPloA2YGPwlfa82Uck1k\neSHCTSNW\n",
+ "iv": "hP5Iq9zOjELUb9d8\n",
+ "auth_tag": "WJlme717tpgbWPcXwFzyvQ==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ }
+}
\ No newline at end of file
diff --git a/site-cookbooks/kosmos_drone/.gitignore b/site-cookbooks/kosmos_drone/.gitignore
new file mode 100644
index 0000000..9abf29f
--- /dev/null
+++ b/site-cookbooks/kosmos_drone/.gitignore
@@ -0,0 +1,22 @@
+.vagrant
+*~
+*#
+.#*
+\#*#
+.*.sw[a-z]
+*.un~
+
+# Bundler
+Gemfile.lock
+gems.locked
+bin/*
+.bundle/*
+
+# test kitchen
+.kitchen/
+kitchen.local.yml
+
+# Chef
+Berksfile.lock
+.zero-knife.rb
+Policyfile.lock.json
diff --git a/site-cookbooks/kosmos_drone/CHANGELOG.md b/site-cookbooks/kosmos_drone/CHANGELOG.md
new file mode 100644
index 0000000..e781d99
--- /dev/null
+++ b/site-cookbooks/kosmos_drone/CHANGELOG.md
@@ -0,0 +1,7 @@
+# kosmos_drone CHANGELOG
+
+This file is used to list changes made in each version of the kosmos_drone cookbook.
+
+# 0.1.0
+
+Initial release.
diff --git a/site-cookbooks/kosmos_drone/LICENSE b/site-cookbooks/kosmos_drone/LICENSE
new file mode 100644
index 0000000..dd321fd
--- /dev/null
+++ b/site-cookbooks/kosmos_drone/LICENSE
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2020 Kosmos Developers
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/site-cookbooks/kosmos_drone/README.md b/site-cookbooks/kosmos_drone/README.md
new file mode 100644
index 0000000..f2ccd1d
--- /dev/null
+++ b/site-cookbooks/kosmos_drone/README.md
@@ -0,0 +1,3 @@
+# kosmos_drone
+
+Sets up [Drone](https://www.drone.io/) using Docker Compose
diff --git a/site-cookbooks/kosmos_drone/chefignore b/site-cookbooks/kosmos_drone/chefignore
new file mode 100644
index 0000000..5039e1c
--- /dev/null
+++ b/site-cookbooks/kosmos_drone/chefignore
@@ -0,0 +1,110 @@
+# Put files/directories that should be ignored in this file when uploading
+# to a Chef Infra Server or Supermarket.
+# Lines that start with '# ' are comments.
+
+# OS generated files #
+######################
+.DS_Store
+ehthumbs.db
+Icon?
+nohup.out
+Thumbs.db
+
+# SASS #
+########
+.sass-cache
+
+# EDITORS #
+###########
+.#*
+.project
+.settings
+*_flymake
+*_flymake.*
+*.bak
+*.sw[a-z]
+*.tmproj
+*~
+\#*
+mkmf.log
+REVISION
+TAGS*
+tmtags
+
+## COMPILED ##
+##############
+*.class
+*.com
+*.dll
+*.exe
+*.o
+*.pyc
+*.so
+*/rdoc/
+a.out
+
+# Testing #
+###########
+.circleci/*
+.codeclimate.yml
+.foodcritic
+.kitchen*
+.rspec
+.rubocop.yml
+.travis.yml
+.watchr
+azure-pipelines.yml
+examples/*
+features/*
+Guardfile
+kitchen.yml*
+Procfile
+Rakefile
+spec/*
+spec/*
+spec/fixtures/*
+test/*
+
+# SCM #
+#######
+.git
+.gitattributes
+.gitconfig
+.github/*
+.gitignore
+.gitmodules
+.svn
+*/.bzr/*
+*/.git
+*/.hg/*
+*/.svn/*
+
+# Berkshelf #
+#############
+Berksfile
+Berksfile.lock
+cookbooks/*
+tmp
+
+# Bundler #
+###########
+vendor/*
+Gemfile
+Gemfile.lock
+
+# Policyfile #
+##############
+Policyfile.rb
+Policyfile.lock.json
+
+# Cookbooks #
+#############
+CHANGELOG*
+CONTRIBUTING*
+TESTING*
+CODE_OF_CONDUCT*
+
+# Vagrant #
+###########
+.vagrant
+Vagrantfile
diff --git a/site-cookbooks/kosmos_drone/metadata.rb b/site-cookbooks/kosmos_drone/metadata.rb
new file mode 100644
index 0000000..5c14444
--- /dev/null
+++ b/site-cookbooks/kosmos_drone/metadata.rb
@@ -0,0 +1,11 @@
+name 'kosmos_drone'
+maintainer 'Kosmos Developers'
+maintainer_email 'mail@kosmos.org'
+license 'MIT'
+description 'Installs/Configures kosmos_drone'
+long_description 'Installs/Configures kosmos_drone'
+version '0.1.0'
+chef_version '>= 14.0'
+
+depends "kosmos-nginx"
+depends "kosmos_gitea"
diff --git a/site-cookbooks/kosmos_drone/recipes/default.rb b/site-cookbooks/kosmos_drone/recipes/default.rb
new file mode 100644
index 0000000..f8629fc
--- /dev/null
+++ b/site-cookbooks/kosmos_drone/recipes/default.rb 
@@ -0,0 +1,85 @@
+#
+# Cookbook:: kosmos_drone
+# Recipe:: default
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2020, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+package "docker-compose"
+domain = "drone.kosmos.org"
+deploy_path = "/opt/drone"
+upstream_port = 3002
+credentials = data_bag_item("credentials", "drone")
+
+directory deploy_path do
+ action :create
+end
+
+template "#{deploy_path}/docker-compose.yml" do
+ source "docker-compose.yml.erb"
+ sensitive true
+ mode 0640
+ variables upstream_port: upstream_port,
+ domain: domain,
+ gitea_server: "https://#{node["kosmos_gitea"]["nginx"]["domain"]}",
+ client_id: credentials['client_id'],
+ client_secret: credentials['client_secret'],
+ rpc_secret: credentials['rpc_secret'],
+ max_procs: 4
+end
+
+systemd_unit "drone.service" do
+ content({Unit: {
+ Description: "drone service with docker compose",
+ Requires: "docker.service",
+ After: "docker.service",
+ },
+ Service: {
+ Restart: "always",
+ WorkingDirectory: deploy_path,
+ ExecStart: "/usr/bin/docker-compose up",
+ ExecStartPre: "/usr/bin/docker-compose rm -f",
+ ExecStop: "/usr/bin/docker-compose down",
+ },
+ Install: {
+ WantedBy: "multi-user.target",
+ }})
+ action [:create, :enable, :start]
+end
+
+template "#{node['nginx']['dir']}/sites-available/#{domain}" do
+ source "nginx_conf.erb"
+ owner 'www-data'
+ mode 0640
+ variables server_name: domain,
+ ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+ ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
+ upstream_port: upstream_port
+
+ notifies :reload, 'service[nginx]', :delayed
+end
+
+nginx_site domain do
+ action :enable
+end
+
+nginx_certbot_site domain
diff --git a/site-cookbooks/kosmos_drone/templates/docker-compose.yml.erb b/site-cookbooks/kosmos_drone/templates/docker-compose.yml.erb
new file mode 100644
index 0000000..7854ce8
--- /dev/null
+++ b/site-cookbooks/kosmos_drone/templates/docker-compose.yml.erb
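Review bot: The nginx vhost template in recipes/default.rb is written with `owner 'www-data'` and `mode 0640`, so a config file that the nginx master process loads (normally as root) is writable by the unprivileged web account. Assuming the workers run as www-data, anything executing under that account could edit `proxy_pass` or the certificate paths and have the change applied at the next reload; `owner 'root'` with `group 'www-data'`, or a plain root-owned `'0644'` since the file holds no secrets, keeps it read-only for that account. Separately, the docker-compose.yml template that carries `client_secret` and `rpc_secret` sets no explicit `owner`/`group` and has no `notifies :restart, 'systemd_unit[drone.service]'`, so a rotated secret in the data bag would presumably not reach the running containers until the unit is restarted by hand.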
@@ -0,0 +1,36 @@
+version: '3'
+
+services:
+ drone-server:
+ image: drone/drone:1
+
+ ports:
+ - "<%= @upstream_port %>:80"
+ volumes:
+ - drone-server-data:/data
+ restart: always
+ environment:
+ - DRONE_USER_CREATE=username:greg,admin:true
+ - DRONE_GITEA_SERVER=<%= @gitea_server %>
+ - DRONE_GITEA_CLIENT_ID=<%= @client_id %>
+ - DRONE_GITEA_CLIENT_SECRET=<%= @client_secret %>
+ - DRONE_SERVER_HOST=<%= @domain %>
+ - DRONE_SERVER_PROTO=https # required for the Redirect URI to be built correctly
+ - DRONE_RPC_SECRET=<%= @rpc_secret %>
+
+ drone-runner:
+ image: drone/drone-runner-docker:1
+
+ command: agent
+ restart: always
+ depends_on:
+ - drone-server
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ environment:
+ - DRONE_RPC_HOST=drone-server:80
+ - DRONE_RPC_SECRET=<%= @rpc_secret %>
+ - DRONE_RUNNER_MAX_PROCS=<%= @max_procs %>
+
+volumes:
+ drone-server-data:
diff --git a/site-cookbooks/kosmos_drone/templates/nginx_conf.erb b/site-cookbooks/kosmos_drone/templates/nginx_conf.erb
new file mode 100644
index 0000000..4226de7
--- /dev/null
+++ b/site-cookbooks/kosmos_drone/templates/nginx_conf.erb
@@ -0,0 +1,34 @@
+<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
+# Generated by Chef
+upstream _drone {
+ server localhost:<%= @upstream_port %>;
+}
+
+server {
+ server_name <%= @server_name %>;
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ ssl_certificate <%= @ssl_cert %>;
+ ssl_certificate_key <%= @ssl_key %>;
+
+ add_header Strict-Transport-Security "max-age=31536000";
+
+ # Send real IP to the Docker container
+ set_real_ip_from 127.0.0.1;
+ set_real_ip_from 172.17.0.1;
+ real_ip_header X-Forwarded-For;
+
+ client_max_body_size 20M;
+
+ location / {
+ # Increase number of buffers. Default is 8
+ proxy_buffers 1024 8k;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_pass http://_drone;
+ proxy_http_version 1.1;
+ }
+}
+<% end -%>
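Review bot: The `ports` entry `"<%= @upstream_port %>:80"` in docker-compose.yml.erb publishes the Drone server on every host interface, so its plain-HTTP listener is reachable next to the nginx TLS vhost unless something else blocks it, and Docker's own iptables rules commonly take effect ahead of host firewall rules. Since nginx proxies to `localhost`, a loopback binding is enough: `- "127.0.0.1:<%= @upstream_port %>:80"`. The runner's `/var/run/docker.sock` mount hands pipeline steps control of the host Docker daemon; that is how drone-runner-docker operates, but it deserves a comment in the template and a decision about which repositories are trusted to build on this host. `DRONE_USER_CREATE=username:greg,admin:true` is hard-coded, and passing it in as a template variable like the other settings would keep the admin account visible in the recipe.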
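Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` in the `location /` block of nginx_conf.erb appends to whatever X-Forwarded-For value the client sent, so the upstream receives a header whose leading entries are client-controlled. If this nginx is the first hop, `proxy_set_header X-Forwarded-For $remote_addr;` gives Drone a single address it can rely on for logging. The `set_real_ip_from`/`real_ip_header` lines change how nginx itself derives the client address for requests arriving from 127.0.0.1 and 172.17.0.1, which does not match the comment `# Send real IP to the Docker container`; they look unnecessary unless another proxy sits in front, and the comment should say which case is intended. The block also sets no `Host` or `X-Forwarded-Proto` header, so the upstream presumably sees `_drone` as the host name, which is worth confirming against the redirect URLs Drone builds from `DRONE_SERVER_HOST` and `DRONE_SERVER_PROTO`.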