feat: add droneci module
- add droneci module for server - add droneci/server role - add consul query for droneci service - manage certificates, ssh principals, consul services/checks
This commit is contained in:
@@ -0,0 +1,78 @@
|
||||
---
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- droneci.main.unkin.net
|
||||
- droneci.service.consul
|
||||
- droneci.query.consul
|
||||
- "droneci.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
profiles::ssh::sign::principals:
|
||||
- droneci.main.unkin.net
|
||||
- droneci.service.consul
|
||||
- droneci.query.consul
|
||||
|
||||
hiera_include:
|
||||
- docker
|
||||
- profiles::sql::postgresdb
|
||||
- droneci
|
||||
|
||||
docker::version: latest
|
||||
docker::curl_ensure: false
|
||||
|
||||
profiles::sql::postgresdb::dbname: droneci
|
||||
profiles::sql::postgresdb::dbuser: droneci
|
||||
profiles::sql::postgresdb::dbpass: "%{hiera('droneci_server::postgres_password')}"
|
||||
profiles::sql::postgresdb::members_lookup: true
|
||||
profiles::sql::postgresdb::members_role: roles::infra::droneci::server
|
||||
|
||||
droneci::ports:
|
||||
- 80:80
|
||||
- 443:443
|
||||
droneci::volumes:
|
||||
- type=bind,source=/var/lib/drone,target=/data
|
||||
- type=bind,source=/etc/pki/tls/vault/certificate.crt,target=/etc/pki/tls/vault/certificate.crt,readonly
|
||||
- type=bind,source=/etc/pki/tls/vault/private.key,target=/etc/pki/tls/vault/private.key,readonly
|
||||
- type=bind,source=/etc/pki/tls/certs/ca-bundle.crt,target=/etc/pki/tls/certs/ca-bundle.crt,readonly
|
||||
- type=bind,source=/etc/pki/tls/certs/ca-bundle.crt,target=/etc/ssl/certs/ca-certificates.crt,readonly
|
||||
droneci::env_vars:
|
||||
DRONE_GITEA_SERVER: https://git.query.consul
|
||||
DRONE_GITEA_CLIENT_ID: 3f6abbd9-1838-4d22-8023-f9bd8cf27c82
|
||||
DRONE_GITEA_CLIENT_SECRET: "%{hiera('droneci_server::gitea_client_secret')}"
|
||||
DRONE_RPC_SECRET: "%{hiera('droneci_server::rpc_secret')}"
|
||||
DRONE_SERVER_HOST: droneci.query.consul
|
||||
DRONE_SERVER_PROTO: https
|
||||
DRONE_TLS_CERT: /etc/pki/tls/vault/certificate.crt
|
||||
DRONE_TLS_KEY: /etc/pki/tls/vault/private.key
|
||||
DRONE_COOKIE_SECRET: "%{hiera('droneci_server::cookie_secret')}"
|
||||
DRONE_COOKIE_TIMEOUT: 720h
|
||||
DRONE_HTTP_SSL_REDIRECT: true
|
||||
DRONE_HTTP_SSL_TEMPORARY_REDIRECT: true
|
||||
DRONE_HTTP_SSL_HOST: droneci.query.consul
|
||||
DRONE_LOGS_TEXT: true
|
||||
DRONE_LOGS_PRETTY: true
|
||||
DRONE_LOGS_COLOR: true
|
||||
DRONE_DATABASE_SECRET: "%{hiera('droneci_server::database_secret')}"
|
||||
DRONE_DATABASE_DRIVER: postgres
|
||||
DRONE_DATABASE_DATASOURCE: "postgres://droneci:%{hiera('droneci_server::postgres_password')}@master.patroni-prod.service.au-syd1.consul:5432/droneci?sslmode=disable"
|
||||
DRONE_REDIS_CONNECTION: "redis://%{hiera('droneci_server::redis_password')}@redis-master-prod.service.au-syd1.consul:6379/2"
|
||||
|
||||
consul::services:
|
||||
droneci:
|
||||
service_name: 'droneci'
|
||||
tags:
|
||||
- 'drone'
|
||||
- 'droneci'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 443
|
||||
checks:
|
||||
- id: 'droneci_https_check'
|
||||
name: 'droneci HTTPS Check'
|
||||
http: "https://%{facts.networking.fqdn}:443"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
timeout: '1s'
|
||||
profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: droneci
|
||||
disposition: write
|
||||
Reference in New Issue
Block a user