From 8c7d37f10fa94bd5447d64eaeb2f5a301dbb6ea4 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sat, 5 Jul 2025 11:18:20 +1000
Subject: [PATCH] feat: add git server role

- add role for gitea cluster
- provision new postgresql database on shared-prod cluster
---
 hieradata/roles/infra/git/server.eyaml | 2 +
 hieradata/roles/infra/git/server.yaml | 101 +++++++++++++++++++++++
 site/roles/manifests/infra/git/server.pp | 11 +++
 3 files changed, 114 insertions(+)
 create mode 100644 hieradata/roles/infra/git/server.eyaml
 create mode 100644 hieradata/roles/infra/git/server.yaml
 create mode 100644 site/roles/manifests/infra/git/server.pp

diff --git a/hieradata/roles/infra/git/server.eyaml b/hieradata/roles/infra/git/server.eyaml
new file mode 100644
index 0000000..8a4c66c
--- /dev/null
+++ b/hieradata/roles/infra/git/server.eyaml
@@ -0,0 +1,2 @@
+---
+profiles::sql::postgresdb::dbpass: ENC[PKCS7,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]
diff --git a/hieradata/roles/infra/git/server.yaml b/hieradata/roles/infra/git/server.yaml
new file mode 100644
index 0000000..355080b
--- /dev/null
+++ b/hieradata/roles/infra/git/server.yaml
@@ -0,0 +1,101 @@
+---
+hiera_include:
+  - profiles::sql::postgresdb
+  - profiles::nginx::simpleproxy
+  - gitea
+
+# additional altnames
+profiles::pki::vault::alt_names:
+  - git.unkin.net
+  - git.main.unkin.net
+  - git.service.consul
+  - git.query.consul
+  - "git.service.%{facts.country}-%{facts.region}.consul"
+
+profiles::ssh::sign::principals:
+  - git.unkin.net
+  - git.main.unkin.net
+  - git.service.consul
+  - git.query.consul
+
+consul::services:
+  git:
+    service_name: 'git'
+    address: "%{facts.networking.ip}"
+    port: 443
+    checks:
+      - id: 'gitea_https_check'
+        name: 'Gitea HTTPS Check'
+        http: "https://%{facts.networking.fqdn}:443"
+        method: 'GET'
+        tls_skip_verify: true
+        interval: '10s'
+        timeout: '1s'
+profiles::consul::client::node_rules:
+  - resource: service
+    segment: git
+    disposition: write
+
+# manage a simple nginx reverse proxy
+profiles::nginx::simpleproxy::nginx_vhost: 'git.query.consul'
+profiles::nginx::simpleproxy::nginx_aliases:
+  - git.unkin.net
+  - git.main.unkin.net
+  - git.service.consul
+  - git.query.consul
+  - "git.service.%{facts.country}-%{facts.region}.consul"
+
+profiles::nginx::simpleproxy::proxy_port: 3000
+profiles::nginx::simpleproxy::proxy_path: '/'
+nginx::client_max_body_size: 1024M
+
+profiles::sql::postgresdb::cluster_name: "patroni-shared-%{facts.environment}"
+profiles::sql::postgresdb::dbname: gitea
+profiles::sql::postgresdb::dbuser: gitea
+
+gitea::ensure: '1.22.4'
+gitea::checksum: 'd549104f55067e6fb156e7ba060c9af488f36e12d5e747db7563fcc99eaf8532'
+gitea::custom_configuration:
+  '':
+    APP_NAME: 'Gitea'
+    RUN_USER: 'git'
+    RUN_MODE: 'prod'
+  repository:
+    ROOT: '/shared/apps/gitea/repos'
+    FORCE_PRIVATE: false
+    MAX_CREATION_LIMIT: -1
+    DISABLE_HTTP_GIT: false
+    DEFAULT_BRANCH: 'main'
+    DEFAULT_PRIVATE: 'last'
+  ui:
+    SHOW_USER_EMAIL: false
+  server:
+    PROTOCOL: 'http'
+    DOMAIN: 'git.unkin.net'
+    ROOT_URL: 'https://git.unkin.net'
+    HTTP_ADDR: '0.0.0.0'
+    HTTP_PORT: 3000
+    START_SSH_SERVER: false
+    SSH_DOMAIN: 'git.unkin.net'
+    SSH_PORT: 2222
+    SSH_LISTEN_HOST: '0.0.0.0'
+    OFFLINE_MODE: true
+    APP_DATA_PATH: '/shared/apps/gitea'
+    SSH_LISTEN_PORT: 22
+    LFS_START_SERVER: true
+  database:
+    DB_TYPE: 'postgres'
+    HOST: "master.%{hiera('profiles::sql::postgresdb::cluster_name')}.service.%{facts.country}-%{facts.region}.consul:5432"
+    NAME: "%{hiera('profiles::sql::postgresdb::dbname')}"
+    USER: "%{hiera('profiles::sql::postgresdb::dbuser')}"
+    PASSWD: "%{hiera('profiles::sql::postgresdb::dbpass')}"
+    SSL_MODE: 'disable'
+    LOG_SQL: false
+  lfs:
+    PATH: '/shared/apps/gitea/lfs'
+  session:
+    PROVIDER: db
+  metrics:
+    ENABLED: true
+    ENABLED_ISSUE_BY_REPOSITORY: true
+    ENABLED_ISSUE_BY_LABEL: true
diff --git a/site/roles/manifests/infra/git/server.pp b/site/roles/manifests/infra/git/server.pp
new file mode 100644
index 0000000..489fb12
--- /dev/null
+++ b/site/roles/manifests/infra/git/server.pp
@@ -0,0 +1,11 @@
+# a role to deploy the gitea
+class roles::infra::git::server {
+  if $facts['firstrun'] {
+    include profiles::defaults
+    include profiles::firstrun::init
+  }else{
+    include profiles::defaults
+    include profiles::base
+    include profiles::base::datavol
+  }
+}
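Review bot: The `database` section connects to the shared Patroni cluster with `SSL_MODE: 'disable'`, so the credential interpolated into `PASSWD` and every query travel in cleartext between hosts; if the cluster's PostgreSQL serves TLS (it is shared with other tenants, so worth confirming), `SSL_MODE: 'verify-full'` — or at minimum `'require'` — should replace it. In the `server` section, `HTTP_ADDR: '0.0.0.0'` together with `PROTOCOL: 'http'` publishes the plaintext Gitea listener on port 3000 on every interface, while `proxy_port: 3000` suggests the nginx proxy runs on the same host; if the simpleproxy profile targets localhost, `HTTP_ADDR: '127.0.0.1'` keeps nginx's TLS termination the only way in. The consul check's `tls_skip_verify: true` appears to be needed because `facts.networking.fqdn` is not among the `profiles::pki::vault::alt_names`; adding that name to the alt_names, or pointing the check at one of the listed SANs, would let the health check validate the certificate instead of bypassing verification.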
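Review bot: `include profiles::defaults` is repeated in both branches of the `if $facts['firstrun']` conditional; hoisting it above the `if` removes the duplication and leaves each branch holding only what differs. The brace spacing `}else{` should read `} else {` to match the Puppet style guide and puppet-lint. The header comment `# a role to deploy the gitea` would be more useful as `# Role: Gitea git server — nginx reverse proxy in front of Gitea, database on the shared PostgreSQL cluster (see hieradata/roles/infra/git/server.yaml)`.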