From 6860106321a3ea696edecb00af5a4129b4fb4919 Mon Sep 17 00:00:00 2001 From: Luke Murphy Date: Tue, 24 Mar 2020 13:57:22 +0100 Subject: [PATCH] Copy/Pasta and adapt Gitea config --- .envrc.sample | 2 ++ CHECKS | 5 ++++ ansible/.vault.sh | 5 ++++ ansible/post-deploy.yml | 40 +++++++++++++++++++++++++ ansible/pre-deploy.yml | 44 ++++++++++++++++++++++++++++ ansible/requirements.yml | 3 ++ ansible/templates/gitea.j2 | 2 ++ ansible/vars/all.yml | 4 +++ ansible/vars/ansible_become_pass.yml | 8 +++++ ansible/vars/gitea_client_id.yml | 7 +++++ ansible/vars/gitea_client_secret.yml | 8 +++++ ansible/vars/rpc_secret.yml | 8 +++++ requirements.txt | 1 + sbin/encrypt.sh | 15 ++++++++++ sbin/entrypoint.sh | 13 ++++++++ 15 files changed, 165 insertions(+) create mode 100644 .envrc.sample create mode 100644 CHECKS create mode 100755 ansible/.vault.sh create mode 100644 ansible/post-deploy.yml create mode 100644 ansible/pre-deploy.yml create mode 100644 ansible/requirements.yml create mode 100755 ansible/templates/gitea.j2 create mode 100644 ansible/vars/all.yml create mode 100644 ansible/vars/ansible_become_pass.yml create mode 100644 ansible/vars/gitea_client_id.yml create mode 100644 ansible/vars/gitea_client_secret.yml create mode 100644 ansible/vars/rpc_secret.yml create mode 100644 requirements.txt create mode 100755 sbin/encrypt.sh create mode 100755 sbin/entrypoint.sh diff --git a/.envrc.sample b/.envrc.sample new file mode 100644 index 0000000..cfe67cc --- /dev/null +++ b/.envrc.sample @@ -0,0 +1,2 @@ +# The path to our pass credentials store +export PASSWORD_STORE_DIR=$(pwd)/../infrastructure/credentials/password-store diff --git a/CHECKS b/CHECKS new file mode 100644 index 0000000..6dadd31 --- /dev/null +++ b/CHECKS @@ -0,0 +1,5 @@ +WAIT=3 +TIMEOUT=3 +ATTEMPTS=5 + +/healthz OK diff --git a/ansible/.vault.sh b/ansible/.vault.sh new file mode 100755 index 0000000..8f30d37 --- /dev/null +++ b/ansible/.vault.sh 
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+set -eu -o pipefail
+
+echo $(pass show hosts/autonomic-dokku/vault/password)
diff --git a/ansible/post-deploy.yml b/ansible/post-deploy.yml
new file mode 100644
index 0000000..5e24e1f
--- /dev/null
+++ b/ansible/post-deploy.yml
@@ -0,0 +1,40 @@
+---
+- hosts: all
+ gather_facts: false
+ tasks:
+ - name: Load variables
+ include_vars:
+ dir: "{{ dokku_lib_root }}/data/ansible/drone/vars/"
+ extensions:
+ - yml
+
+ - name: Set HTTP 80 port proxy
+ dokku_ports:
+ app: drone
+ mappings:
+ - "http:80:8000"
+ state: present
+
+ - name: Setup LE certificates
+ shell: dokku letsencrypt drone
+ args:
+ creates: /home/dokku/drone/letsencrypt/certs
+
+ - name: Setup LE certificates renew cron job
+ shell: dokku letsencrypt:cron-job --add
+ args:
+ creates: /home/dokku/drone/letsencrypt/cron-job
+
+ - name: Remove automatically configured ports
+ dokku_ports:
+ app: drone
+ mappings:
+ - "http:8000:8000"
+ state: absent
+
+ - name: Set HTTP 443 port
+ dokku_ports:
+ app: drone
+ mappings:
+ - "https:443:8000"
+ state: present
diff --git a/ansible/pre-deploy.yml b/ansible/pre-deploy.yml
new file mode 100644
index 0000000..d107d0f
--- /dev/null
+++ b/ansible/pre-deploy.yml
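Review bot: The unquoted `echo $(pass show …)` on the last line of ansible/.vault.sh word-splits and glob-expands the vault password before ansible-vault reads it, so a password containing spaces, `*` or a leading `-n` would not round-trip. The `echo` adds nothing: replace the line with `pass show hosts/autonomic-dokku/vault/password` so pass's stdout is handed through unchanged. The exact bytes matter because sbin/encrypt.sh in this same patch points `--vault-password-file` at this script.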
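Review bot: The two letsencrypt tasks in post-deploy.yml use `shell:` for commands that need no shell features; `command: dokku letsencrypt drone` and `command: dokku letsencrypt:cron-job --add` with the same `args: creates:` avoid shell interpretation and keep ansible-lint's command-instead-of-shell rule quiet. Idempotence of both tasks rests entirely on the `creates:` paths under /home/dokku/drone/letsencrypt — presumably written by the dokku letsencrypt plugin, but worth confirming against the installed plugin version, since a mismatched path makes the task re-run on every play. A short comment above each task naming where the marker file comes from would make that dependency visible.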
@@ -0,0 +1,44 @@
+---
+- hosts: all
+ gather_facts: false
+ tasks:
+ - name: Load variables
+ include_vars:
+ dir: "{{ dokku_lib_root }}/data/ansible/drone/vars/"
+ extensions:
+ - yml
+
+ - name: "Configure {{ domain }} domain"
+ dokku_domains:
+ app: drone
+ domains:
+ - "{{ domain }}"
+ state: present
+
+ - name: Create application directory
+ file:
+ path: /var/lib/drone
+ state: directory
+ owner: dokku
+ group: dokku
+ become: true
+
+ - name: Specify docker volume mounts
+ dokku_storage:
+ app: drone
+ mounts:
+ - /var/lib/drone:/data
+
+ - name: Configure the app environment
+ dokku_config:
+ app: drone
+ restart: false
+ config:
+ DOKKU_LETSENCRYPT_EMAIL: "{{ autonomic_admin_mail }}"
+ DRONE_GITEA_CLIENT_ID: "{{ gitea_client_id }}"
+ DRONE_GITEA_CLIENT_SECRET: "{{ gitea_client_secret }}"
+ DRONE_GITEA_SERVER: "{{ gitea_domain }}"
+ DRONE_GIT_ALWAYS_AUTH: "true"
+ DRONE_RPC_SECRET: "{{ rpc_secret }}"
+ DRONE_SERVER_HOST: "{{ domain }}"
+ DRONE_SERVER_PROTO: "https"
diff --git a/ansible/requirements.yml b/ansible/requirements.yml
new file mode 100644
index 0000000..0dddf53
--- /dev/null
+++ b/ansible/requirements.yml
@@ -0,0 +1,3 @@
+---
+- src: dokku_bot.ansible_dokku
+ version: v2020.3.15
diff --git a/ansible/templates/gitea.j2 b/ansible/templates/gitea.j2
new file mode 100755
index 0000000..414f8bc
--- /dev/null
+++ b/ansible/templates/gitea.j2
@@ -0,0 +1,2 @@
+#!/bin/sh
+ssh -p {{ ssh_listen_port }} -o StrictHostKeyChecking=no git@{{ dokku_container_ip }} "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"
diff --git a/ansible/vars/all.yml b/ansible/vars/all.yml
new file mode 100644
index 0000000..5c07399
--- /dev/null
+++ b/ansible/vars/all.yml
@@ -0,0 +1,4 @@
+---
+domain: "drone.autonomic.zone"
+autonomic_admin_mail: "helo@autonomic.zone"
+gite_domain: "git.autonomic.zone"
diff --git a/ansible/vars/ansible_become_pass.yml b/ansible/vars/ansible_become_pass.yml
new file mode 100644
index 0000000..abb21b9
--- /dev/null
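Review bot: `DRONE_GITEA_SERVER: "{{ gitea_domain }}"` in the dokku_config task of pre-deploy.yml references a variable that no vars file in this patch defines — ansible/vars/all.yml spells the key `gite_domain` — so the task will fail with an undefined-variable error once the vars are loaded. Fix the key in all.yml: `gitea_domain: "git.autonomic.zone"`. Separately, Drone's Gitea integration expects DRONE_GITEA_SERVER to be a full URL including the scheme (`https://git.autonomic.zone`) rather than a bare hostname; confirm against the Drone documentation for the deployed version. The same task pushes `rpc_secret` and `gitea_client_secret` into the app config, which is the intended pattern here, but it should carry `no_log: true` so the decrypted values are not printed in the play output or CI logs.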
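Review bot: ansible/templates/gitea.j2 disables SSH host key verification with `-o StrictHostKeyChecking=no`, and neither playbook in this patch has a `template:` task that renders it, so it looks like a leftover from the Gitea deployment the commit title says this was copied from. If it is needed for Drone, pin the container's host key instead of skipping the check — e.g. `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=<managed-known-hosts-path>` with an entry you provision — and add a comment saying why a wrapper is needed at all. If it is not needed, drop the file from this commit so a host-key-blind ssh wrapper does not linger in the repo.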
+++ b/ansible/vars/ansible_become_pass.yml
@@ -0,0 +1,8 @@
+---
+ansible_become_pass: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 34396236353735666531323238656533643465303131663464613162396333313836363630666266
+ 6539323631656635333864316166633064633366323936610a656137616334313534333635313232
+ 35323561303763366563316631313638363333393763323935343563303963616334336639386462
+ 3837383830616637360a373539613630356564363662393836366462666430353439353637303035
+ 63396633303166343433313439303539313637306637663137313533316531616434
diff --git a/ansible/vars/gitea_client_id.yml b/ansible/vars/gitea_client_id.yml
new file mode 100644
index 0000000..375be3e
--- /dev/null
+++ b/ansible/vars/gitea_client_id.yml
@@ -0,0 +1,7 @@
+gitea_client_id: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 64653961323438353332343365626333303863343839383030383231396233376663613665393637
+ 3839643333633535623931323738323839313331626230390a386662393636343266326632333362
+ 62643765656239613065663366353533383635303930353237623235623332646639333735363630
+ 3330333836653664320a623432633961343664613230323665373934656630366138393264353231
+ 63383937396336383730656666303437646662356538656565373538316336663234
diff --git a/ansible/vars/gitea_client_secret.yml b/ansible/vars/gitea_client_secret.yml
new file mode 100644
index 0000000..76d00a2
--- /dev/null
+++ b/ansible/vars/gitea_client_secret.yml
@@ -0,0 +1,8 @@
+gitea_client_secret: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 36373362613266363063383964333434666435383862336136393632653038313039623438343264
+ 6537376539363338333632656365353766363536343431620a633736306232323230363263666635
+ 33353338386235306665363532623432353363666366393636623163666134633538393161386232
+ 6138343930623965340a386338383637633161363238633031396431323665353635303461363438
+ 32393835623132656237356538306634666164343034343735376131313032396636353733303761
+ 3235333336373138393731303531396164323731623039663835
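Review bot: ansible/vars/gitea_client_id.yml omits the `---` document-start marker that ansible_become_pass.yml in the same directory begins with; gitea_client_secret.yml and rpc_secret.yml omit it as well. Add `---` as the first line of each so the vars files are consistent and yamllint's document-start check passes.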
diff --git a/ansible/vars/rpc_secret.yml b/ansible/vars/rpc_secret.yml
new file mode 100644
index 0000000..1443a01
--- /dev/null
+++ b/ansible/vars/rpc_secret.yml
@@ -0,0 +1,8 @@
+rpc_secret: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 33346331663332396364613536313365316561616465656465653330646139333039326130336632
+ 3931353462663631393536646266396237373735323433610a306632396237656133343963653530
+ 34626237393165643464666133653731346335636261623935333134343137343135326334373135
+ 6430653839636632350a643330666236636633336665306564303166343133396562643465373761
+ 31633636326335316661313039383135366230356339376632313063386431343434633363366466
+ 6530363438643965373030656537663533666236376232336162
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..130e91f
--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1 @@
+ansible==2.9.6
diff --git a/sbin/encrypt.sh b/sbin/encrypt.sh
new file mode 100755
index 0000000..d328761
--- /dev/null
+++ b/sbin/encrypt.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -eu -o pipefail
+
+# Usage
+# ./encrypt.sh mysecretname mysecretvalue
+
+declare name="$1"
+declare secret="$2"
+
+ansible-vault \
+ encrypt_string \
+ --vault-password-file ansible/.vault.sh \
+ --name "$name" \
+ "$secret"
diff --git a/sbin/entrypoint.sh b/sbin/entrypoint.sh
new file mode 100755
index 0000000..995b77c
--- /dev/null
+++ b/sbin/entrypoint.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -eu -o pipefail
+
+main() {
+ set -eu
+
+ echo "Nothing to do for now..."
+}
+
+main
+
+/bin/drone-controller "$@"
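Review bot: sbin/encrypt.sh takes the plaintext secret as its second positional argument, so every secret encrypted with it lands in the operator's shell history and is readable in `ps` output by other users on the machine while ansible-vault runs. `ansible-vault encrypt_string` accepts the value on stdin via `--stdin-name`, which avoids both exposures; the script would then take only the name and read the value from a pipe or interactive prompt, with the usage comment updated to match.
```shell
# Usage
#   ./encrypt.sh mysecretname < file-holding-the-value
#   (or type the value and finish with Ctrl-D)

declare name="$1"

# Value is read from stdin so it never appears in argv or shell history
ansible-vault \
  encrypt_string \
  --vault-password-file ansible/.vault.sh \
  --stdin-name "$name"
```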
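Review bot: The final line of sbin/entrypoint.sh runs `/bin/drone-controller "$@"` as a child of bash, so inside a container bash stays PID 1 and a SIGTERM from the orchestrator is not forwarded to drone-controller, delaying or breaking graceful shutdown; use `exec /bin/drone-controller "$@"` so the controller replaces the shell. `main` is currently a no-op whose inner `set -eu` merely repeats the script-level `set -eu -o pipefail`; either drop the function until it has work to do or remove the redundant line.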