

Wire Spaces runtime storage config

Authored by espadonne
SHA
be5b659855d439b65f5f3e4dc98726d0640768b8
Parents
290fe3d
Tree
3d686ad

6 changed files

StatusFile+-
M deploy/ansible/inventory/production.example 9 0
M deploy/ansible/inventory/staging.example 10 0
M deploy/ansible/roles/shithubd/tasks/main.yml 30 0
M deploy/ansible/roles/shithubd/templates/web.env.j2 10 0
M deploy/ansible/roles/shithubd/templates/worker.env.j2 10 0
M deploy/redeploy.sh 1 0
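--- a/deploy/ansible/inventory/production.example
+++ b/deploy/ansible/inventory/production.example
@@ -21,6 +21,15 @@ shithub_db_pool_max=20
 # Postmark sender + DKIM are configured before the deploy.
 shithub_email_from="shithub <noreply@shithub.example>"
 shithub_email_backend=postmark
+# Runtime object storage. DigitalOcean Spaces uses virtual-hosted style
+# addressing and TLS; region remains us-east-1 for SigV4 signing.
+s3_endpoint=nyc3.digitaloceanspaces.com
+s3_region=us-east-1
+s3_bucket=shithub-prod
+s3_access_key_id=REPLACE_ME
+s3_secret_access_key=REPLACE_ME
+s3_use_ssl=true
+s3_force_path_style=false
 # WireGuard peer for the bare-metal monitoring box.
 wg_metal_endpoint=metal.shithub.example:51820
 wg_metal_pubkey=REPLACE_ME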
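Review bot: `s3_secret_access_key=REPLACE_ME` on the new line 30 places a live credential in a plaintext inventory file once the placeholder is filled in, whereas the neighbouring `wg_metal_pubkey` placeholder is only a public key. Nothing in the new comment block tells an operator that this value belongs in a vault-encrypted vars file rather than the inventory; a line such as `# s3_secret_access_key is a secret: keep it in an ansible-vault encrypted vars file, not in plain inventory.` above it would make that explicit. Whether the role already loads a vault file elsewhere is not visible from this hunk.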
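--- a/deploy/ansible/inventory/staging.example
+++ b/deploy/ansible/inventory/staging.example
@@ -12,3 +12,13 @@ shithub_data_root=/data
 shithub_db_pool_max=8
 shithub_email_from="shithub-staging <noreply@staging.shithub.example>"
 shithub_email_backend=stdout    # no real outbound mail in staging
+
+# Optional runtime object storage. Leave blank/undefined to disable
+# avatar uploads in staging. When set, all S3 fields are required.
+# s3_endpoint=nyc3.digitaloceanspaces.com
+# s3_region=us-east-1
+# s3_bucket=shithub-staging
+# s3_access_key_id=REPLACE_ME
+# s3_secret_access_key=REPLACE_ME
+# s3_use_ssl=true
+# s3_force_path_style=false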
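--- a/deploy/ansible/roles/shithubd/tasks/main.yml
+++ b/deploy/ansible/roles/shithubd/tasks/main.yml
@@ -40,6 +40,24 @@
     group: "{{ shithub_group }}"
     mode: "0750"
 
+- name: Runtime object storage config is complete when enabled
+  assert:
+    that:
+      - (s3_endpoint | default("") | string | length) > 0
+      - (s3_bucket | default("") | string | length) > 0
+      - (s3_access_key_id | default("") | string | length) > 0
+      - (s3_secret_access_key | default("") | string | length) > 0
+    fail_msg: >-
+      Runtime object storage is partially configured. Set s3_endpoint,
+      s3_bucket, s3_access_key_id, and s3_secret_access_key for the
+      DigitalOcean Spaces bucket, or leave all s3_* variables unset to
+      disable avatar uploads.
+  when: >
+    (s3_endpoint | default("") | string | length) > 0 or
+    (s3_bucket | default("") | string | length) > 0 or
+    (s3_access_key_id | default("") | string | length) > 0 or
+    (s3_secret_access_key | default("") | string | length) > 0
+
 - name: Web env file (0640 — group-readable for ssh-shell wrapper)
   # The git user (running ssh-shell via the AKC's forced command)
   # is in the shithub group and needs to source this file via the
@@ -62,6 +80,18 @@
     mode: "0600"
   notify: restart shithubd-worker
 
+- name: Storage check — repos root and runtime object bucket
+  shell: |
+    set -a
+    . /etc/shithub/web.env
+    set +a
+    /usr/local/bin/shithubd storage check
+  args:
+    executable: /bin/bash
+  become_user: "{{ shithub_user }}"
+  changed_when: false
+  when: not ansible_check_mode
+
 - name: systemd unit — web
   copy:
     src: "{{ playbook_dir }}/../systemd/shithubd-web.service"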
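Review bot: The storage-check shell block in the second hunk (new lines 85–88) runs without `set -e`, so if `. /etc/shithub/web.env` fails the script continues and `shithubd storage check` runs with no S3 configuration, failing with a message that points away from the real cause; add `set -euo pipefail` as the first line of the block. The same block sources a file that, per the web.env.j2 change in this commit, now carries `SHITHUB_STORAGE__S3__SECRET_ACCESS_KEY` alongside the AEAD keys, and Ansible records the task's stdout/stderr in the play output, so confirm that `storage check` never echoes its configuration on error, or add `no_log: true` to the task. The assert in the first hunk is what guarantees the templates' `{% if s3_bucket %}` guard sees a complete set of variables, which is worth a one-line comment on that task so the coupling survives future edits.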
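--- a/deploy/ansible/roles/shithubd/templates/web.env.j2
+++ b/deploy/ansible/roles/shithubd/templates/web.env.j2
@@ -29,6 +29,16 @@ SHITHUB_AUTH__SSH__HOST=git@{{ shithub_domain }}
 
 # storage
 SHITHUB_STORAGE__REPOS_ROOT={{ shithub_data_root }}/repos
+{% if s3_bucket | default("") %}
+# DigitalOcean Spaces runtime bucket via its S3-compatible API.
+SHITHUB_STORAGE__S3__ENDPOINT={{ s3_endpoint }}
+SHITHUB_STORAGE__S3__REGION={{ s3_region | default("us-east-1") }}
+SHITHUB_STORAGE__S3__ACCESS_KEY_ID={{ s3_access_key_id }}
+SHITHUB_STORAGE__S3__SECRET_ACCESS_KEY={{ s3_secret_access_key }}
+SHITHUB_STORAGE__S3__BUCKET={{ s3_bucket }}
+SHITHUB_STORAGE__S3__USE_SSL={{ (s3_use_ssl | default(true)) | ternary("true", "false") }}
+SHITHUB_STORAGE__S3__FORCE_PATH_STYLE={{ (s3_force_path_style | default(false)) | ternary("true", "false") }}
+{% endif %}
 
 # AEAD keys (32-byte base64). Aliased single-underscore names.
 SHITHUB_SESSION_KEY={{ shithub_session_key_b64 }}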
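Review bot: `(s3_use_ssl | default(true))` and `(s3_force_path_style | default(false))` on the new lines 39–40 are plain truthiness tests, so when the value arrives as a string — which is what the INI inventory form `s3_force_path_style=false` used in production.example tends to produce — the non-empty string `"false"` is truthy and the line renders as `FORCE_PATH_STYLE=true`; the same two expressions are on lines 22–23 of worker.env.j2. Coerce before `ternary`: `SHITHUB_STORAGE__S3__USE_SSL={{ (s3_use_ssl | default(true) | bool) | ternary("true", "false") }}` and `SHITHUB_STORAGE__S3__FORCE_PATH_STYLE={{ (s3_force_path_style | default(false) | bool) | ternary("true", "false") }}`, and verify against a rendered web.env since the exact typing depends on the inventory loader in use. Separately, this file is installed 0640 and group-readable so the git user can source it (per the task name and comment in main.yml), which means `SHITHUB_STORAGE__S3__SECRET_ACCESS_KEY` is now readable by that account too; confirm that widening is intended, and note it in the comment on the new line 33 if so.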
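--- a/deploy/ansible/roles/shithubd/templates/worker.env.j2
+++ b/deploy/ansible/roles/shithubd/templates/worker.env.j2
@@ -12,6 +12,16 @@ SHITHUB_AUTH__EMAIL_FROM={{ shithub_email_from }}
 SHITHUB_AUTH__EMAIL_BACKEND={{ shithub_email_backend }}
 
 SHITHUB_STORAGE__REPOS_ROOT={{ shithub_data_root }}/repos
+{% if s3_bucket | default("") %}
+# DigitalOcean Spaces runtime bucket via its S3-compatible API.
+SHITHUB_STORAGE__S3__ENDPOINT={{ s3_endpoint }}
+SHITHUB_STORAGE__S3__REGION={{ s3_region | default("us-east-1") }}
+SHITHUB_STORAGE__S3__ACCESS_KEY_ID={{ s3_access_key_id }}
+SHITHUB_STORAGE__S3__SECRET_ACCESS_KEY={{ s3_secret_access_key }}
+SHITHUB_STORAGE__S3__BUCKET={{ s3_bucket }}
+SHITHUB_STORAGE__S3__USE_SSL={{ (s3_use_ssl | default(true)) | ternary("true", "false") }}
+SHITHUB_STORAGE__S3__FORCE_PATH_STYLE={{ (s3_force_path_style | default(false)) | ternary("true", "false") }}
+{% endif %}
 
 SHITHUB_TOTP_KEY={{ shithub_totp_key_b64 }}
 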
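--- a/deploy/redeploy.sh
+++ b/deploy/redeploy.sh
@@ -45,6 +45,7 @@ set -a
 . /etc/shithub/web.env
 set +a
 "$BIN" migrate up
+"$BIN" storage check
 
 systemctl restart shithubd-web
 systemctl restart shithubd-worker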
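Review bot: `"$BIN" storage check` on the new line 48 sits between the migration and the two `systemctl restart` lines, but whether a non-zero exit stops the script depends on a `set -e` that is outside this hunk; without it a failing check is silently ignored and both services are restarted against a broken bucket configuration. Writing the intent into the line, `"$BIN" storage check || exit 1`, makes the script's behaviour the same under either error mode. The enclosing script body starts before and ends after this hunk.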