tenseleyflow/shithub / ca1982c


S37: Ansible shithubd role + env templates

Authored by espadonne
SHA
ca1982cc644dd43d484955356d1e3dea57132779
Parents
811b72f
Tree
3387727

4 changed files

StatusFile+-
A deploy/ansible/roles/shithubd/handlers/main.yml 11 0
A deploy/ansible/roles/shithubd/tasks/main.yml 85 0
A deploy/ansible/roles/shithubd/templates/web.env.j2 25 0
A deploy/ansible/roles/shithubd/templates/worker.env.j2 16 0
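--- a/deploy/ansible/roles/shithubd/handlers/main.yml
+++ b/deploy/ansible/roles/shithubd/handlers/main.yml
@@ -0,0 +1,11 @@
+---
+- name: daemon-reload
+  systemd: { daemon_reload: yes }
+- name: restart shithubd-web
+  systemd: { name: shithubd-web, state: restarted, enabled: yes }
+- name: restart shithubd-worker
+  systemd: { name: shithubd-worker, state: restarted, enabled: yes }
+- name: enable shithubd-cron
+  systemd: { name: shithubd-cron.timer, state: started, enabled: yes }
+- name: restart sshd
+  systemd: { name: ssh, state: restarted }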
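Review bot: The handlers spell `daemon_reload` and `enabled` as `yes` on lines 3, 5, 7 and 9 of the new file; Ansible accepts it, but yamllint's `truthy` rule flags it and YAML 1.2 parsers read `yes` as a string, so `enabled: true` / `daemon_reload: true` is the safer, tool-neutral spelling. The `restart sshd` handler restarts the `ssh` unit unconditionally and is only ever notified by the sshd_config template task, so the place to guard against an unparsable config is a `validate` step on that task, not here.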
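--- a/deploy/ansible/roles/shithubd/tasks/main.yml
+++ b/deploy/ansible/roles/shithubd/tasks/main.yml
@@ -0,0 +1,85 @@
+---
+# SPDX-License-Identifier: AGPL-3.0-or-later
+#
+# shithubd app role: installs the binary, env files, systemd units.
+# Binary is built locally and uploaded — no in-place compile on prod.
+
+- name: Repo + temp dirs on the block volume
+  file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ shithub_user }}"
+    group: "{{ shithub_group }}"
+    mode: "0750"
+  loop:
+    - "{{ shithub_data_root }}/repos"
+    - "{{ shithub_data_root }}/tmp"
+    - /var/lib/shithub/binaries
+
+- name: Upload shithubd binary (built by `make deploy` locally)
+  copy:
+    src: "{{ playbook_dir }}/../../bin/shithubd"
+    dest: "/usr/local/bin/shithubd"
+    mode: "0755"
+    owner: root
+    group: root
+
+- name: Archive a versioned copy under /var/lib/shithub/binaries (rollback path)
+  shell: cp /usr/local/bin/shithubd /var/lib/shithub/binaries/shithubd-$(date +%Y%m%d-%H%M%S)
+  args:
+    creates: /var/lib/shithub/binaries/shithubd-{{ ansible_date_time.iso8601_basic_short }}
+
+- name: Web env file (0600 — secrets)
+  template:
+    src: web.env.j2
+    dest: /etc/shithub/web.env
+    owner: "{{ shithub_user }}"
+    group: "{{ shithub_group }}"
+    mode: "0600"
+  notify: restart shithubd-web
+
+- name: Worker env file (0600 — secrets)
+  template:
+    src: worker.env.j2
+    dest: /etc/shithub/worker.env
+    owner: "{{ shithub_user }}"
+    group: "{{ shithub_group }}"
+    mode: "0600"
+  notify: restart shithubd-worker
+
+- name: systemd unit — web
+  copy:
+    src: "{{ playbook_dir }}/../systemd/shithubd-web.service"
+    dest: /etc/systemd/system/shithubd-web.service
+    mode: "0644"
+  notify: [daemon-reload, restart shithubd-web]
+
+- name: systemd unit — worker
+  copy:
+    src: "{{ playbook_dir }}/../systemd/shithubd-worker.service"
+    dest: /etc/systemd/system/shithubd-worker.service
+    mode: "0644"
+  notify: [daemon-reload, restart shithubd-worker]
+
+- name: systemd unit — cron service + timer
+  copy:
+    src: "{{ playbook_dir }}/../systemd/{{ item }}"
+    dest: "/etc/systemd/system/{{ item }}"
+    mode: "0644"
+  loop:
+    - shithubd-cron.service
+    - shithubd-cron.timer
+  notify: [daemon-reload, enable shithubd-cron]
+
+- name: sshd_config — render with AKC line for git-over-SSH
+  template:
+    src: "{{ playbook_dir }}/../sshd_config.j2"
+    dest: /etc/ssh/sshd_config
+    mode: "0644"
+  notify: restart sshd
+
+- name: Enable + start shithubd-web
+  systemd: { name: shithubd-web, state: started, enabled: yes }
+
+- name: Enable + start shithubd-worker
+  systemd: { name: shithubd-worker, state: started, enabled: yes }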
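Review bot: The sshd_config template task (lines 74–79 of the new file) has no `validate`, so a rendering error overwrites `/etc/ssh/sshd_config` with something sshd cannot parse and the `restart sshd` handler then takes the daemon down, which on a remote host means losing the only management path; add `validate: /usr/sbin/sshd -t -f %s` to that task so Ansible aborts before the file is replaced. The archive task's `creates` guard can never match its own command: the shell writes `shithubd-$(date +%Y%m%d-%H%M%S)` while `creates` checks `shithubd-{{ ansible_date_time.iso8601_basic_short }}` (a different format, captured at fact-gathering time), so a new copy is archived on every run; using one expression in both places, e.g. `shell: cp /usr/local/bin/shithubd /var/lib/shithub/binaries/shithubd-{{ ansible_date_time.iso8601_basic_short }}`, makes the task idempotent. The directory loop also hands `/var/lib/shithub/binaries` to `{{ shithub_user }}` with mode 0750, so the service account can alter or delete the rollback binaries even though only this root-run task writes there; keeping that directory root-owned preserves the rollback path's integrity. Nothing in this role creates `/etc/shithub`, and the template module does not create parent directories, so the two env-file tasks presumably depend on another role — worth confirming.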
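--- a/deploy/ansible/roles/shithubd/templates/web.env.j2
+++ b/deploy/ansible/roles/shithubd/templates/web.env.j2
@@ -0,0 +1,25 @@
+# Managed by Ansible — 0600, owned by {{ shithub_user }}.
+# Sourced by shithubd-web.service via EnvironmentFile=.
+#
+# Secrets are pulled from sops/1Password at deploy time and never
+# committed. The Jinja `{{ ... }}` references resolve from the
+# inventory + the operator's secret store.
+
+SHITHUB_DATABASE_URL=postgresql://shithub:{{ shithub_db_password }}@127.0.0.1:5432/shithub?sslmode=disable
+SHITHUB_BASE_URL=https://{{ shithub_domain }}
+SHITHUB_SITE_NAME=shithub
+SHITHUB_EMAIL_FROM={{ shithub_email_from }}
+SHITHUB_EMAIL_BACKEND={{ shithub_email_backend }}
+SHITHUB_LISTEN_ADDR=127.0.0.1:8080
+SHITHUB_REPOS_ROOT={{ shithub_data_root }}/repos
+SHITHUB_TMP_ROOT={{ shithub_data_root }}/tmp
+
+# Session + AEAD keys (32-byte base64). Operator mints once and
+# rotates per the runbook.
+SHITHUB_SESSION_KEY={{ shithub_session_key_b64 }}
+SHITHUB_TOTP_KEY={{ shithub_totp_key_b64 }}
+
+# Postmark transactional sender; DKIM/SPF configured before deploy.
+{% if shithub_email_backend == "postmark" %}
+SHITHUB_POSTMARK_SERVER_TOKEN={{ shithub_postmark_token }}
+{% endif %}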
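Review bot: `shithub_db_password` is interpolated raw into the DSN on line 8 of the new file, so any URL-reserved character in the password (`@`, `/`, `:`, `#`, `%`) either breaks the connection string or is mis-parsed as host or path; render it as `SHITHUB_DATABASE_URL=postgresql://shithub:{{ shithub_db_password | urlencode }}@127.0.0.1:5432/shithub?sslmode=disable`. The same line appears in worker.env.j2 (line 4) and needs the same change. The header comment states that secrets come from sops/1Password, which this template cannot enforce and which will drift the first time an operator sets a literal in inventory; a comment limited to what the file guarantees, `# Secret-bearing: values resolve from inventory/vault variables, never literals here`, is safer. `sslmode=disable` is defensible for the loopback address hard-coded on the same line, but a comment such as `# loopback-only; revisit sslmode if the database ever moves off-host` keeps the setting from being copied to a remote-DB deployment unchanged.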
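--- a/deploy/ansible/roles/shithubd/templates/worker.env.j2
+++ b/deploy/ansible/roles/shithubd/templates/worker.env.j2
@@ -0,0 +1,16 @@
+# Managed by Ansible — 0600.
+# Sourced by shithubd-worker.service via EnvironmentFile=.
+
+SHITHUB_DATABASE_URL=postgresql://shithub:{{ shithub_db_password }}@127.0.0.1:5432/shithub?sslmode=disable
+SHITHUB_REPOS_ROOT={{ shithub_data_root }}/repos
+SHITHUB_TMP_ROOT={{ shithub_data_root }}/tmp
+SHITHUB_BASE_URL=https://{{ shithub_domain }}
+SHITHUB_SITE_NAME=shithub
+SHITHUB_EMAIL_FROM={{ shithub_email_from }}
+SHITHUB_EMAIL_BACKEND={{ shithub_email_backend }}
+SHITHUB_TOTP_KEY={{ shithub_totp_key_b64 }}
+SHITHUB_WORKERS=4
+
+{% if shithub_email_backend == "postmark" %}
+SHITHUB_POSTMARK_SERVER_TOKEN={{ shithub_postmark_token }}
+{% endif %}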
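Review bot: `SHITHUB_WORKERS=4` on line 12 of the new file is the only tunable here that is hard-coded rather than taken from inventory, so a larger or smaller host cannot adjust it without editing the role; `SHITHUB_WORKERS={{ shithub_workers | default(4) }}` keeps the current value as the default while allowing a per-host override. The worker environment also carries `SHITHUB_TOTP_KEY`; if the worker process never verifies TOTP codes (I cannot tell from this diff), dropping that line keeps the key out of a second process's environment and narrows what a worker compromise exposes.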