Copy/Pasta and adapt Gitea config

.envrc.sample

@@ -0,0 +1,2 @@
+# The path to our pass credentials store
+export PASSWORD_STORE_DIR=$(pwd)/../infrastructure/credentials/password-store

CHECKS

@@ -0,0 +1,5 @@
+WAIT=3
+TIMEOUT=3
+ATTEMPTS=5
+
+/healthz OK

ansible/.vault.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+set -eu -o pipefail
+
+echo $(pass show hosts/autonomic-dokku/vault/password)

ansible/post-deploy.yml

@@ -0,0 +1,40 @@
+---
+- hosts: all
+  gather_facts: false
+  tasks:
+    - name: Load variables
+      include_vars:
+        dir: "{{ dokku_lib_root }}/data/ansible/drone/vars/"
+        extensions:
+          - yml
+
+    - name: Set HTTP 80 port proxy
+      dokku_ports:
+        app: drone
+        mappings:
+          - "http:80:8000"
+        state: present
+
+    - name: Setup LE certificates
+      shell: dokku letsencrypt drone
+      args:
+        creates: /home/dokku/drone/letsencrypt/certs
+
+    - name: Setup LE certificates renew cron job
+      shell: dokku letsencrypt:cron-job --add
+      args:
+        creates: /home/dokku/drone/letsencrypt/cron-job
+
+    - name: Remove automatically configured ports
+      dokku_ports:
+        app: drone
+        mappings:
+          - "http:8000:8000"
+        state: absent
+
+    - name: Set HTTP 443 port
+      dokku_ports:
+        app: drone
+        mappings:
+          - "https:443:8000"
+        state: present

ansible/pre-deploy.yml

@@ -0,0 +1,44 @@
+---
+- hosts: all
+  gather_facts: false
+  tasks:
+    - name: Load variables
+      include_vars:
+        dir: "{{ dokku_lib_root }}/data/ansible/drone/vars/"
+        extensions:
+          - yml
+
+    - name: "Configure {{ domain }} domain"
+      dokku_domains:
+        app: drone
+        domains:
+          - "{{ domain }}"
+        state: present
+
+    - name: Create application directory
+      file:
+        path: /var/lib/drone
+        state: directory
+        owner: dokku
+        group: dokku
+      become: true
+
+    - name: Specify docker volume mounts
+      dokku_storage:
+        app: drone
+        mounts:
+          - /var/lib/drone:/data
+
+    - name: Configure the app environment
+      dokku_config:
+        app: drone
+        restart: false
+        config:
+          DOKKU_LETSENCRYPT_EMAIL: "{{ autonomic_admin_mail }}"
+          DRONE_GITEA_CLIENT_ID: "{{ gitea_client_id }}"
+          DRONE_GITEA_CLIENT_SECRET: "{{ gitea_client_secret }}"
+          DRONE_GITEA_SERVER: "{{ gitea_domain }}"
+          DRONE_GIT_ALWAYS_AUTH: "true"
+          DRONE_RPC_SECRET: "{{ rpc_secret }}"
+          DRONE_SERVER_HOST: "{{ domain }}"
+          DRONE_SERVER_PROTO: "https"

ansible/requirements.yml

@@ -0,0 +1,3 @@
+---
+- src: dokku_bot.ansible_dokku
+  version: v2020.3.15

ansible/templates/gitea.j2

@@ -0,0 +1,2 @@
+#!/bin/sh
+ssh -p {{ ssh_listen_port }} -o StrictHostKeyChecking=no git@{{ dokku_container_ip }} "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"

ansible/vars/all.yml

@@ -0,0 +1,4 @@
+---
+domain: "drone.autonomic.zone"
+autonomic_admin_mail: "helo@autonomic.zone"
+gite_domain: "git.autonomic.zone"

ansible/vars/ansible_become_pass.yml

@@ -0,0 +1,8 @@
+---
+ansible_become_pass: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  34396236353735666531323238656533643465303131663464613162396333313836363630666266
+  6539323631656635333864316166633064633366323936610a656137616334313534333635313232
+  35323561303763366563316631313638363333393763323935343563303963616334336639386462
+  3837383830616637360a373539613630356564363662393836366462666430353439353637303035
+  63396633303166343433313439303539313637306637663137313533316531616434

ansible/vars/gitea_client_id.yml

@@ -0,0 +1,7 @@
+gitea_client_id: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          64653961323438353332343365626333303863343839383030383231396233376663613665393637
+          3839643333633535623931323738323839313331626230390a386662393636343266326632333362
+          62643765656239613065663366353533383635303930353237623235623332646639333735363630
+          3330333836653664320a623432633961343664613230323665373934656630366138393264353231
+          63383937396336383730656666303437646662356538656565373538316336663234

ansible/vars/gitea_client_secret.yml

@@ -0,0 +1,8 @@
+gitea_client_secret: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          36373362613266363063383964333434666435383862336136393632653038313039623438343264
+          6537376539363338333632656365353766363536343431620a633736306232323230363263666635
+          33353338386235306665363532623432353363666366393636623163666134633538393161386232
+          6138343930623965340a386338383637633161363238633031396431323665353635303461363438
+          32393835623132656237356538306634666164343034343735376131313032396636353733303761
+          3235333336373138393731303531396164323731623039663835

ansible/vars/rpc_secret.yml

@@ -0,0 +1,8 @@
+rpc_secret: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          33346331663332396364613536313365316561616465656465653330646139333039326130336632
+          3931353462663631393536646266396237373735323433610a306632396237656133343963653530
+          34626237393165643464666133653731346335636261623935333134343137343135326334373135
+          6430653839636632350a643330666236636633336665306564303166343133396562643465373761
+          31633636326335316661313039383135366230356339376632313063386431343434633363366466
+          6530363438643965373030656537663533666236376232336162

requirements.txt

@@ -0,0 +1 @@
+ansible==2.9.6

sbin/encrypt.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -eu -o pipefail
+
+# Usage
+# ./encrypt.sh mysecretname mysecretvalue
+
+declare name="$1"
+declare secret="$2"
+
+ansible-vault \
+  encrypt_string \
+  --vault-password-file ansible/.vault.sh \
+  --name "$name" \
+  "$secret"

sbin/entrypoint.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -eu -o pipefail
+
+main() {
+    set -eu
+
+    echo "Nothing to do for now..."
+}
+
+main
+
+/bin/drone-controller "$@"