diff --git a/data_bags/credentials/drone.json b/data_bags/credentials/drone.json
index d499634..1b587ba 100644
--- a/data_bags/credentials/drone.json
+++ b/data_bags/credentials/drone.json
@@ -1,23 +1,30 @@
 {
 "id": "drone",
 "client_id": {
- "encrypted_data": "PHC6f0UJwuaxnhMhxUVhHMqauCu9aYDp3IFqVzsxEoEodKhg8pgTWS14T5E7\nVm4xlcR/CuLcOA==\n",
- "iv": "on4hNp3g6pLsvfTE\n",
- "auth_tag": "ytx40h2fsBHhDpyhwKbHog==\n",
+ "encrypted_data": "z2cWhmP46/LuBPslGiuEzRIZGbta+nAkfi2XaX0q4PA0SeWoTz3rX9P6XCaz\nDdjP/3RyN98sww==\n",
+ "iv": "2SOtcpBRCZC9YI+D\n",
+ "auth_tag": "C9PnsL3QsRBOKw1/k/p/mg==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 },
 "client_secret": {
- "encrypted_data": "HAKFqsrbL447wgropHz2rgHmyRl3G2d24svTT+TYMI0jtQFTQPZLxNZkl3ki\n42n7baNrfXN3IJeQRyxyihw0\n",
- "iv": "pmdiLiFgSPNNP7dl\n",
- "auth_tag": "4j98l+lZ0k4mLioJHS5VJw==\n",
+ "encrypted_data": "9s33F5MmjEaUA+7ASxYMK5f23y1HffsV9b5rO4ezlisI3K/B/MgdBZeiIDs7\nanknoytcnRJiLNUlud6ohJ4s\n",
+ "iv": "Vou+sM/jeOZc/VwJ\n",
+ "auth_tag": "f2EPlHD2JDmSlSf3eu9WFg==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 },
 "rpc_secret": {
- "encrypted_data": "ll4f3ECLQTgJj47aeqnP0Ci1ncMYTwwFw1J46Qx3gPloA2YGPwlfa82Uck1k\neSHCTSNW\n",
- "iv": "hP5Iq9zOjELUb9d8\n",
- "auth_tag": "WJlme717tpgbWPcXwFzyvQ==\n",
+ "encrypted_data": "VkvdD+8FTjPSfJANVPWkWGMjBU7xyqDOS2uH84fAijqkg0sS+lBej4VohHsL\nntuPAcOo\n",
+ "iv": "Uod5WEkE2FXYnhVq\n",
+ "auth_tag": "N8+wPuN/EXO5L57+uG0gsw==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ },
+ "postgresql_password": {
+ "encrypted_data": "DMH34mpij84Pkalr3rcuPcp2ofiIZ6ONvDRchGbxyuJ2\n",
+ "iv": "o9IDDyjp4aDB2/FB\n",
+ "auth_tag": "rgLP7dQ4n6C1hHuG5t5sxw==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 }
diff --git a/nodes/postgres-2.json b/nodes/postgres-2.json
index 8e02a66..8d7953a 100644
--- a/nodes/postgres-2.json
+++ b/nodes/postgres-2.json
@@ -20,6 +20,7 @@ "kosmos_postgresql::primary", "kosmos_postgresql::firewall", "kosmos_gitea::pg_db", + "kosmos_drone::pg_db", "apt::default", "timezone_iii::default", "timezone_iii::debian", diff --git a/roles/drone.rb b/roles/drone.rb index 4ee08ac..4c39b2c 100644 --- a/roles/drone.rb +++ b/roles/drone.rb @@ -1,5 +1,6 @@ name "drone" run_list %w( + role[postgresql_client] kosmos_drone::default ) diff --git a/roles/postgresql_primary.rb b/roles/postgresql_primary.rb index 9124bc5..7126cb2 100644 --- a/roles/postgresql_primary.rb +++ b/roles/postgresql_primary.rb @@ -4,4 +4,5 @@ run_list %w( kosmos_postgresql::primary kosmos_postgresql::firewall kosmos_gitea::pg_db + kosmos_drone::pg_db ) diff --git a/site-cookbooks/kosmos_drone/attributes/default.rb b/site-cookbooks/kosmos_drone/attributes/default.rb new file mode 100644 index 0000000..ceb7564 --- /dev/null +++ b/site-cookbooks/kosmos_drone/attributes/default.rb @@ -0,0 +1,2 @@ +node.default["kosmos_drone"]["domain"] = "drone.kosmos.org" +node.default["kosmos_drone"]["upstream_port"] = 80 diff --git a/site-cookbooks/kosmos_drone/metadata.rb b/site-cookbooks/kosmos_drone/metadata.rb index 5c14444..e0ef895 100644 --- a/site-cookbooks/kosmos_drone/metadata.rb +++ b/site-cookbooks/kosmos_drone/metadata.rb @@ -7,5 +7,6 @@ long_description 'Installs/Configures kosmos_drone' version '0.1.0' chef_version '>= 14.0' +depends "firewall" depends "kosmos-nginx" depends "kosmos_gitea" diff --git a/site-cookbooks/kosmos_drone/recipes/default.rb b/site-cookbooks/kosmos_drone/recipes/default.rb index a0a2017..8e34e9a 100644 --- a/site-cookbooks/kosmos_drone/recipes/default.rb +++ b/site-cookbooks/kosmos_drone/recipes/default.rb 
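Review bot: The new `upstream_port` attribute in site-cookbooks/kosmos_drone/attributes/default.rb deserves a comment, because the value 80 is easy to misread as the container port: in docker-compose.yml.erb it is the host side of the `"<%= @upstream_port %>:80"` mapping, and both the nginx upstream in nginx.rb and the `firewall_rule` in the default recipe dial it. A line such as `# Host port the drone-server container publishes; the nginx upstream and the firewall rule use it` above the assignment would make that clear. The same goes for `domain`, which is now read by both the default and the nginx recipe.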
@@ -4,10 +4,17 @@ # package "docker-compose" -domain = "drone.kosmos.org" deploy_path = "/opt/drone" -upstream_port = 3002 credentials = data_bag_item("credentials", "drone") +drone_credentials = data_bag_item('credentials', 'drone') + +postgres_config = { + username: "drone", + password: drone_credentials["postgresql_password"], + host: "pg.kosmos.local", + port: 5432, + database: "drone" +} directory deploy_path do action :create @@ -17,13 +24,15 @@ template "#{deploy_path}/docker-compose.yml" do source "docker-compose.yml.erb" sensitive true mode 0640 - variables upstream_port: upstream_port, - domain: domain, + variables domain: node["kosmos_drone"]["domain"], + upstream_port: node["kosmos_drone"]["upstream_port"], gitea_server: "https://#{node["kosmos_gitea"]["nginx"]["domain"]}", client_id: credentials['client_id'], client_secret: credentials['client_secret'], rpc_secret: credentials['rpc_secret'], + postgres: postgres_config, max_procs: 4 + notifies :restart, "systemd_unit[drone.service]", :delayed end systemd_unit "drone.service" do @@ -45,20 +54,9 @@ systemd_unit "drone.service" do action [:create, :enable, :start] end -template "#{node['nginx']['dir']}/sites-available/#{domain}" do - source "nginx_conf.erb" - owner 'www-data' - mode 0640 - variables server_name: domain, - ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem", - ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem", - upstream_port: upstream_port - - notifies :reload, 'service[nginx]', :delayed +firewall_rule 'drone' do + port [node["kosmos_drone"]["upstream_port"]] + source "10.1.1.0/24" + protocol :tcp + command :allow end - -nginx_site domain do - action :enable -end - -nginx_certbot_site domain diff --git a/site-cookbooks/kosmos_drone/recipes/nginx.rb b/site-cookbooks/kosmos_drone/recipes/nginx.rb new file mode 100644 index 0000000..fffe902 --- /dev/null +++ b/site-cookbooks/kosmos_drone/recipes/nginx.rb 
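Review bot: `drone_credentials = data_bag_item('credentials', 'drone')` re-fetches the data bag item that `credentials` already holds on the line above it, in a different quote style; `postgres_config` can use `password: credentials["postgresql_password"]` and the second lookup can go. With `domain` and `upstream_port` just moved to attributes, the literal `host: "pg.kosmos.local"` and `port: 5432` in the same hash now look inconsistent and could follow them. A one-line comment on the hash, `# role and database are created by kosmos_drone::pg_db on the postgresql primary`, would tell a reader where the other half of this setup lives.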
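Review bot: The `source "10.1.1.0/24"` restriction on `firewall_rule 'drone'` probably does not apply to the port it names: docker-compose.yml.erb publishes the drone-server container as `"<%= @upstream_port %>:80"` with no bind address, so Docker exposes it on every interface and handles that traffic in its own iptables chains (DOCKER/FORWARD), which host INPUT-chain rules such as ufw's never see. I cannot tell from the diff which backend the firewall cookbook uses, so confirm on a converged node with `iptables -S DOCKER`. A robust fix is to bind the published port to the internal address in the template, `- "<%= @bind_address %>:<%= @upstream_port %>:80"`, passing `bind_address: node["knife_zero"]["host"]` from the template resource, assuming that attribute is the 10.1.1.0/24 address nginx.rb resolves the drone host by. Dropping the nginx resources from this recipe is otherwise fine, since nginx.rb now owns them.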
@@ -0,0 +1,32 @@ +# +# Cookbook:: kosmos_drone +# Recipe:: nginx +# + +domain = node["kosmos_drone"]["domain"] + +upstream_ip_addresses = [] +search(:node, "role:drone").each do |n| + upstream_ip_addresses << n["knife_zero"]["host"] +end +# No Discourse host, stop here +return if upstream_ip_addresses.empty? + +nginx_certbot_site domain + +template "#{node['nginx']['dir']}/sites-available/#{domain}" do + source "nginx_conf.erb" + owner 'www-data' + mode 0640 + variables server_name: domain, + upstream_ip_addresses: upstream_ip_addresses, + upstream_port: node["kosmos_drone"]["upstream_port"], + ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem", + ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem" + + notifies :reload, 'service[nginx]', :delayed +end + +nginx_site domain do + action :enable +end diff --git a/site-cookbooks/kosmos_drone/recipes/pg_db.rb b/site-cookbooks/kosmos_drone/recipes/pg_db.rb new file mode 100644 index 0000000..7b2e39d --- /dev/null +++ b/site-cookbooks/kosmos_drone/recipes/pg_db.rb @@ -0,0 +1,16 @@ +# +# Cookbook:: kosmos_drone +# Recipe:: pg_db +# + +drone_credentials = data_bag_item("credentials", "drone") + +postgresql_user "drone" do + action :create + password drone_credentials["postgresql_password"] +end + +postgresql_database "drone" do + owner "drone" + action :create +end diff --git a/site-cookbooks/kosmos_drone/templates/docker-compose.yml.erb b/site-cookbooks/kosmos_drone/templates/docker-compose.yml.erb index 049a061..3089196 100644 --- a/site-cookbooks/kosmos_drone/templates/docker-compose.yml.erb +++ b/site-cookbooks/kosmos_drone/templates/docker-compose.yml.erb @@ -2,7 +2,7 @@ version: '3' services: drone-server: - image: drone/drone:2.5 + image: drone/drone:2.11 ports: - "<%= @upstream_port %>:80" 
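Review bot: The comment `# No Discourse host, stop here` in nginx.rb was carried over from another cookbook; the search is `role:drone`, so it should read `# No Drone host, stop here`. The three-line collect loop above it is the manual form of `upstream_ip_addresses = search(:node, "role:drone").map { |n| n["knife_zero"]["host"] }.compact`; the `.compact` also keeps a matching node that lacks `knife_zero.host` from rendering as `server :<port>;` in nginx_conf.erb, which would break the nginx reload instead of just skipping that host. Since the recipe `return`s before `nginx_certbot_site` when nothing is found, a `Chef::Log.warn("kosmos_drone::nginx: no node with role:drone found, skipping")` before the return would make an otherwise silent no-op visible in the run log.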
@@ -17,6 +17,8 @@ services: - DRONE_SERVER_HOST=<%= @domain %> - DRONE_SERVER_PROTO=https # required for the Redirect URI to be built correctly - DRONE_RPC_SECRET=<%= @rpc_secret %> + - DRONE_DATABASE_DRIVER=postgres + - DRONE_DATABASE_DATASOURCE=postgres://<%= @postgres[:username] %>:<%= @postgres[:password] %>@<%= @postgres[:host] %>:<%= @postgres[:port] %>/<%= @postgres[:database] %>?sslmode=disable drone-runner: image: drone/drone-runner-docker:1.8 diff --git a/site-cookbooks/kosmos_drone/templates/nginx_conf.erb b/site-cookbooks/kosmos_drone/templates/nginx_conf.erb index 4226de7..f9e1dfa 100644 --- a/site-cookbooks/kosmos_drone/templates/nginx_conf.erb +++ b/site-cookbooks/kosmos_drone/templates/nginx_conf.erb @@ -1,7 +1,9 @@ <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> # Generated by Chef upstream _drone { - server localhost:<%= @upstream_port %>; + <% @upstream_ip_addresses.each do |upstream_ip_address| -%> + server <%= upstream_ip_address %>:<%= @upstream_port %>; + <% end -%> } server {
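Review bot: The `DRONE_DATABASE_DATASOURCE` line embeds `@postgres[:password]` verbatim in the URL; a generated password containing `@`, `/`, `?`, `#`, `:` or `%` would make the connection string unparseable, so percent-encode it: `<%= ERB::Util.url_encode(@postgres[:password]) %>`. `sslmode=disable` also sends the password and all query traffic in clear text to `pg.kosmos.local`; if the primary has TLS enabled, `sslmode=require` (or `verify-full` with a CA) costs nothing here, and if it does not, a comment stating that the link is trusted plain text on the internal network makes the decision visible. The `drone-server` service block starts before this hunk.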