Adapt Drone recipes for VM setup, use PostgreSQL

2022-03-12 14:45:11 -06:00 · 2022-03-12 14:45:11 -06:00 · f35fb638d1
parent a1b07dfb9e
commit f35fb638d1
11 changed files with 94 additions and 31 deletions
--- a/data_bags/credentials/drone.json
+++ b/data_bags/credentials/drone.json
@ -1,23 +1,30 @@
 {
  "id": "drone",
  "client_id": {
-    "encrypted_data": "PHC6f0UJwuaxnhMhxUVhHMqauCu9aYDp3IFqVzsxEoEodKhg8pgTWS14T5E7\nVm4xlcR/CuLcOA==\n",
-    "iv": "on4hNp3g6pLsvfTE\n",
-    "auth_tag": "ytx40h2fsBHhDpyhwKbHog==\n",
+    "encrypted_data": "z2cWhmP46/LuBPslGiuEzRIZGbta+nAkfi2XaX0q4PA0SeWoTz3rX9P6XCaz\nDdjP/3RyN98sww==\n",
+    "iv": "2SOtcpBRCZC9YI+D\n",
+    "auth_tag": "C9PnsL3QsRBOKw1/k/p/mg==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "client_secret": {
-    "encrypted_data": "HAKFqsrbL447wgropHz2rgHmyRl3G2d24svTT+TYMI0jtQFTQPZLxNZkl3ki\n42n7baNrfXN3IJeQRyxyihw0\n",
-    "iv": "pmdiLiFgSPNNP7dl\n",
-    "auth_tag": "4j98l+lZ0k4mLioJHS5VJw==\n",
+    "encrypted_data": "9s33F5MmjEaUA+7ASxYMK5f23y1HffsV9b5rO4ezlisI3K/B/MgdBZeiIDs7\nanknoytcnRJiLNUlud6ohJ4s\n",
+    "iv": "Vou+sM/jeOZc/VwJ\n",
+    "auth_tag": "f2EPlHD2JDmSlSf3eu9WFg==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "rpc_secret": {
-    "encrypted_data": "ll4f3ECLQTgJj47aeqnP0Ci1ncMYTwwFw1J46Qx3gPloA2YGPwlfa82Uck1k\neSHCTSNW\n",
-    "iv": "hP5Iq9zOjELUb9d8\n",
-    "auth_tag": "WJlme717tpgbWPcXwFzyvQ==\n",
+    "encrypted_data": "VkvdD+8FTjPSfJANVPWkWGMjBU7xyqDOS2uH84fAijqkg0sS+lBej4VohHsL\nntuPAcOo\n",
+    "iv": "Uod5WEkE2FXYnhVq\n",
+    "auth_tag": "N8+wPuN/EXO5L57+uG0gsw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "postgresql_password": {
+    "encrypted_data": "DMH34mpij84Pkalr3rcuPcp2ofiIZ6ONvDRchGbxyuJ2\n",
+    "iv": "o9IDDyjp4aDB2/FB\n",
+    "auth_tag": "rgLP7dQ4n6C1hHuG5t5sxw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  }
--- a/nodes/postgres-2.json
+++ b/nodes/postgres-2.json
@ -20,6 +20,7 @@
      "kosmos_postgresql::primary",
      "kosmos_postgresql::firewall",
      "kosmos_gitea::pg_db",
+      "kosmos_drone::pg_db",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
--- a/roles/drone.rb
+++ b/roles/drone.rb
@ -1,5 +1,6 @@
 name "drone"

 run_list %w(
+  role[postgresql_client]
  kosmos_drone::default
 )
--- a/roles/postgresql_primary.rb
+++ b/roles/postgresql_primary.rb
@ -4,4 +4,5 @@ run_list %w(
  kosmos_postgresql::primary
  kosmos_postgresql::firewall
  kosmos_gitea::pg_db
+  kosmos_drone::pg_db
 )
--- a/site-cookbooks/kosmos_drone/attributes/default.rb
+++ b/site-cookbooks/kosmos_drone/attributes/default.rb
@ -0,0 +1,2 @@
+node.default["kosmos_drone"]["domain"] = "drone.kosmos.org"
+node.default["kosmos_drone"]["upstream_port"] = 80
--- a/site-cookbooks/kosmos_drone/metadata.rb
+++ b/site-cookbooks/kosmos_drone/metadata.rb
@ -7,5 +7,6 @@ long_description 'Installs/Configures kosmos_drone'
 version '0.1.0'
 chef_version '>= 14.0'

+depends "firewall"
 depends "kosmos-nginx"
 depends "kosmos_gitea"
--- a/site-cookbooks/kosmos_drone/recipes/default.rb
+++ b/site-cookbooks/kosmos_drone/recipes/default.rb
@ -4,10 +4,17 @@
 #

 package "docker-compose"
-domain = "drone.kosmos.org"
 deploy_path = "/opt/drone"
-upstream_port = 3002
 credentials = data_bag_item("credentials", "drone")
+drone_credentials = data_bag_item('credentials', 'drone')
+
+postgres_config = {
+  username: "drone",
+  password: drone_credentials["postgresql_password"],
+  host: "pg.kosmos.local",
+  port: 5432,
+  database: "drone"
+}

 directory deploy_path do
  action :create
@ -17,13 +24,15 @@ template "#{deploy_path}/docker-compose.yml" do
  source "docker-compose.yml.erb"
  sensitive true
  mode 0640
-  variables upstream_port: upstream_port,
-            domain: domain,
+  variables domain: node["kosmos_drone"]["domain"],
+            upstream_port: node["kosmos_drone"]["upstream_port"],
            gitea_server: "https://#{node["kosmos_gitea"]["nginx"]["domain"]}",
            client_id: credentials['client_id'],
            client_secret: credentials['client_secret'],
            rpc_secret: credentials['rpc_secret'],
+            postgres: postgres_config,
            max_procs: 4
+  notifies :restart, "systemd_unit[drone.service]", :delayed
 end

 systemd_unit "drone.service" do
@ -45,20 +54,9 @@ systemd_unit "drone.service" do
  action [:create, :enable, :start]
 end

-template "#{node['nginx']['dir']}/sites-available/#{domain}" do
-  source "nginx_conf.erb"
-  owner 'www-data'
-  mode 0640
-  variables server_name:   domain,
-            ssl_cert:      "/etc/letsencrypt/live/#{domain}/fullchain.pem",
-            ssl_key:       "/etc/letsencrypt/live/#{domain}/privkey.pem",
-            upstream_port: upstream_port
-
-  notifies :reload, 'service[nginx]', :delayed
+firewall_rule 'drone' do
+  port     [node["kosmos_drone"]["upstream_port"]]
+  source   "10.1.1.0/24"
+  protocol :tcp
+  command  :allow
 end
-
-nginx_site domain do
-  action :enable
-end
-
-nginx_certbot_site domain
--- a/site-cookbooks/kosmos_drone/recipes/nginx.rb
+++ b/site-cookbooks/kosmos_drone/recipes/nginx.rb
@ -0,0 +1,32 @@
+#
+# Cookbook:: kosmos_drone
+# Recipe:: nginx
+#
+
+domain = node["kosmos_drone"]["domain"]
+
+upstream_ip_addresses = []
+search(:node, "role:drone").each do |n|
+  upstream_ip_addresses << n["knife_zero"]["host"]
+end
+# No Discourse host, stop here
+return if upstream_ip_addresses.empty?
+
+nginx_certbot_site domain
+
+template "#{node['nginx']['dir']}/sites-available/#{domain}" do
+  source "nginx_conf.erb"
+  owner 'www-data'
+  mode 0640
+  variables server_name:   domain,
+            upstream_ip_addresses: upstream_ip_addresses,
+            upstream_port: node["kosmos_drone"]["upstream_port"],
+            ssl_cert:      "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+            ssl_key:       "/etc/letsencrypt/live/#{domain}/privkey.pem"
+
+  notifies :reload, 'service[nginx]', :delayed
+end
+
+nginx_site domain do
+  action :enable
+end
--- a/site-cookbooks/kosmos_drone/recipes/pg_db.rb
+++ b/site-cookbooks/kosmos_drone/recipes/pg_db.rb
@ -0,0 +1,16 @@
+#
+# Cookbook:: kosmos_drone
+# Recipe:: pg_db
+#
+
+drone_credentials = data_bag_item("credentials", "drone")
+
+postgresql_user "drone" do
+  action :create
+  password drone_credentials["postgresql_password"]
+end
+
+postgresql_database "drone" do
+  owner "drone"
+  action :create
+end
--- a/site-cookbooks/kosmos_drone/templates/docker-compose.yml.erb
+++ b/site-cookbooks/kosmos_drone/templates/docker-compose.yml.erb
@ -2,7 +2,7 @@ version: '3'

 services:
  drone-server:
-    image: drone/drone:2.5
+    image: drone/drone:2.11

    ports:
      - "<%= @upstream_port %>:80"
@ -17,6 +17,8 @@ services:
      - DRONE_SERVER_HOST=<%= @domain %>
      - DRONE_SERVER_PROTO=https # required for the Redirect URI to be built correctly
      - DRONE_RPC_SECRET=<%= @rpc_secret %>
+      - DRONE_DATABASE_DRIVER=postgres
+      - DRONE_DATABASE_DATASOURCE=postgres://<%= @postgres[:username] %>:<%= @postgres[:password] %>@<%= @postgres[:host] %>:<%= @postgres[:port] %>/<%= @postgres[:database] %>?sslmode=disable

  drone-runner:
    image: drone/drone-runner-docker:1.8
--- a/site-cookbooks/kosmos_drone/templates/nginx_conf.erb
+++ b/site-cookbooks/kosmos_drone/templates/nginx_conf.erb
@ -1,7 +1,9 @@
 <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
 # Generated by Chef
 upstream _drone {
-  server   localhost:<%= @upstream_port %>;
+  <% @upstream_ip_addresses.each do |upstream_ip_address| -%>
+  server   <%= upstream_ip_address %>:<%= @upstream_port %>;
+  <% end -%>
 }

 server {