From 1c59412d3424d989ef52f777e4e5ec55ee771a15 Mon Sep 17 00:00:00 2001
From: Luke Murphy
Date: Sun, 22 Mar 2020 15:40:59 +0100
Subject: [PATCH] Bootstrap new approach
---
.envrc.sample | 2 +
ansible/.vault.sh | 5 +++
ansible/post-delete.yml | 23 +++++++++++
ansible/post-deploy.yml | 56 +++++++++++++++++++++++++++
ansible/pre-deploy.yml | 41 ++++++++++++++++++++
ansible/requirements.yml | 3 ++
ansible/vars/all.yml | 3 ++
ansible/vars/ansible_become_pass.yml | 8 ++++
ansible/vars/autonomic_admin_pass.yml | 8 ++++
ansible/vars/db_passwd.yml | 8 ++++
ansible/vars/root_db_passwd.yml | 8 ++++
requirements.txt | 1 +
sbin/encrypt.sh | 15 +++++++
13 files changed, 181 insertions(+)
create mode 100644 .envrc.sample
create mode 100755 ansible/.vault.sh
create mode 100644 ansible/post-delete.yml
create mode 100644 ansible/post-deploy.yml
create mode 100644 ansible/pre-deploy.yml
create mode 100644 ansible/requirements.yml
create mode 100644 ansible/vars/all.yml
create mode 100644 ansible/vars/ansible_become_pass.yml
create mode 100644 ansible/vars/autonomic_admin_pass.yml
create mode 100644 ansible/vars/db_passwd.yml
create mode 100644 ansible/vars/root_db_passwd.yml
create mode 100644 requirements.txt
create mode 100755 sbin/encrypt.sh
diff --git a/.envrc.sample b/.envrc.sample
new file mode 100644
index 0000000..cfe67cc
--- /dev/null
+++ b/.envrc.sample
@@ -0,0 +1,2 @@
+# The path to our pass credentials store
+export PASSWORD_STORE_DIR=$(pwd)/../infrastructure/credentials/password-store
diff --git a/ansible/.vault.sh b/ansible/.vault.sh
new file mode 100755
index 0000000..8f30d37
--- /dev/null
+++ b/ansible/.vault.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+set -eu -o pipefail
+
+echo $(pass show hosts/autonomic-dokku/vault/password)
diff --git a/ansible/post-delete.yml b/ansible/post-delete.yml
new file mode 100644
index 0000000..cc8feab
--- /dev/null
+++ b/ansible/post-delete.yml
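Review bot: `echo $(pass show hosts/autonomic-dokku/vault/password)` on the last line of ansible/.vault.sh passes the vault password through an unquoted command substitution, so a password containing whitespace or glob characters is word-split and expanded before it reaches ansible-vault, and one beginning with `-n` or `-e` is consumed by echo as an option. Running the command directly, `exec pass show hosts/autonomic-dokku/vault/password`, gives ansible-vault the same stdout with no shell processing in between; if the pass entry holds more than the password line, pipe it through `head -n1` instead. A one-line comment saying the script is consumed as a vault password script (and therefore must print only the password) would also help the next reader.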
@@ -0,0 +1,23 @@
+---
+- hosts: all
+ gather_facts: false
+ tasks:
+ - name: Load variables
+ include_vars:
+ dir: "{{ dokku_lib_root }}/data/ansible/keycloak/vars/"
+ extensions:
+ - yml
+
+ - name: Remove mariadb database
+ shell: "dokku mariadb:destroy keycloak --force"
+ args:
+ removes: /var/lib/dokku/services/mariadb/keycloak
+ become: true
+
+ - name: Remove volume mount configuration directories
+ file:
+ path: "{{ item }}"
+ state: absent
+ with_items:
+ - /var/lib/dokku/services/mariadb/keycloak
+ become: true
diff --git a/ansible/post-deploy.yml b/ansible/post-deploy.yml
new file mode 100644
index 0000000..2ea2481
--- /dev/null
+++ b/ansible/post-deploy.yml
@@ -0,0 +1,56 @@
+---
+- hosts: all
+ gather_facts: false
+ tasks:
+ - name: Load variables
+ include_vars:
+ dir: "{{ dokku_lib_root }}/data/ansible/keycloak/vars/"
+ extensions:
+ - yml
+
+ - name: Set HTTP 80 port proxy
+ dokku_ports:
+ app: keycloak
+ mappings:
+ - "http:80:8080"
+ state: present
+
+ - name: Setup LE certificates
+ shell: dokku letsencrypt keycloak
+ args:
+ creates: /home/dokku/keycloak/letsencrypt/certs
+
+ - name: Setup LE certificates renew cron job
+ shell: dokku letsencrypt:cron-job --add
+ args:
+ creates: /home/dokku/keycloak/letsencrypt/cron-job
+
+ - name: Create volume mount configuration directories
+ file:
+ path: "{{ item }}"
+ state: directory
+ owner: dokku
+ group: dokku
+ with_items:
+ - "/home/dokku/keycloak/letsencrypt/certs/current/key.pem:/etc/x509/https/tls.key"
+ - "/home/dokku/keycloak/letsencrypt/certs/current/cert.pem:/etc/x509/https/tls.crt"
+ become: true
+ register: volume_mounts
+
+ - name: Rebuild the application to mount new volumes
+ shell: dokku ps:rebuild keycloak
+ when: volume_mounts.changed
+
+ - name: Remove automatically configured ports
+ dokku_ports:
+ app: keycloak
+ mappings:
+ - "http:8080:8080"
+ state: absent
+
+ - name: Set HTTP 443 port
+ dokku_ports:
+ app: keycloak
+ mappings:
+ - "https:443:8080"
+ state: present
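Review bot: The `shell:` task `dokku mariadb:destroy keycloak --force` in ansible/post-delete.yml goes through a shell although the line contains no shell syntax; `command:` runs the same argv without shell interpretation and still honours `args: removes:`. The same substitution applies to the `dokku letsencrypt keycloak`, `dokku letsencrypt:cron-job --add` and `dokku ps:rebuild keycloak` tasks in ansible/post-deploy.yml. As a style point, `with_items:` on the directory-removal task is the pre-2.5 loop form, and requirements.txt in this commit pins ansible 2.9.6, so `loop:` is the idiomatic spelling.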
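Review bot: The "Create volume mount configuration directories" task in ansible/post-deploy.yml hands `host:container` mount specs to the `file` module with `state: directory`, so on the host it creates a directory tree literally named `.../certs/current/key.pem:/etc/x509/https/tls.key` (a colon is an ordinary filename character) and registers no bind mount at all; the following `dokku ps:rebuild keycloak` then has nothing new to mount, and the TLS key and certificate presumably never appear under `/etc/x509/https` inside the container. The two items look like they belong to `dokku_storage`, which ansible/pre-deploy.yml in the same commit already uses for the mariadb mount, and `register: volume_mounts` works with that module the same way. The rewritten task follows; `owner`/`group` are dropped because the files under `certs/` are produced by the preceding `dokku letsencrypt keycloak` task, not by this one.
```yaml
    - name: Mount the LE certificate and key into the container
      dokku_storage:
        app: keycloak
        mounts:
          - "/home/dokku/keycloak/letsencrypt/certs/current/key.pem:/etc/x509/https/tls.key"
          - "/home/dokku/keycloak/letsencrypt/certs/current/cert.pem:/etc/x509/https/tls.crt"
      register: volume_mounts
    # … unchanged: rebuild and port tasks …
```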
diff --git a/ansible/pre-deploy.yml b/ansible/pre-deploy.yml
new file mode 100644
index 0000000..059bfce
--- /dev/null
+++ b/ansible/pre-deploy.yml
@@ -0,0 +1,41 @@
+---
+- hosts: all
+ gather_facts: false
+ tasks:
+ - name: Load variables
+ include_vars:
+ dir: "{{ dokku_lib_root }}/data/ansible/keycloak/vars/"
+ extensions:
+ - yml
+
+ - name: Configure id.autonomic.zone domain
+ dokku_domains:
+ app: keycloak
+ domains:
+ - id.autonomic.zone
+ state: present
+
+ - name: Create mariadb database
+ shell: "dokku mariadb:create keycloak --password {{ db_passwd }} --root-password {{ root_db_passwd }}"
+ args:
+ creates: /var/lib/dokku/services/mariadb/keycloak
+
+ - name: Specify mariadb docker volume mounts
+ dokku_storage:
+ app: keycloak
+ mounts:
+ - /var/lib/dokku/services/mariadb/keycloak:/var/lib/mysql
+
+ - name: Configure the dokku app environment
+ dokku_config:
+ app: keycloak
+ restart: false
+ config:
+ DB_VENDOR: "mariadb"
+ DOKKU_LETSENCRYPT_EMAIL: "{{ autonomic_admin_mail }}"
+ KEYCLOAK_PASSWORD: "{{ autonomic_admin_pass }}"
+ KEYCLOAK_USER: "{{ autonomic_admin_user }}"
+ MYSQL_DATABASE: "keycloak"
+ MYSQL_PASSWORD: "{{ db_passwd }}"
+ MYSQL_USER: "mariadb" # https://github.com/dokku/dokku-mariadb/issues/89
+ MYSQL_ROOT_PASSWORD: "{{ root_db_passwd }}"
diff --git a/ansible/requirements.yml b/ansible/requirements.yml
new file mode 100644
index 0000000..0dddf53
--- /dev/null
+++ b/ansible/requirements.yml
@@ -0,0 +1,3 @@
+---
+- src: dokku_bot.ansible_dokku
+ version: v2020.3.15
diff --git a/ansible/vars/all.yml b/ansible/vars/all.yml
new file mode 100644
index 0000000..d678d0e
--- /dev/null
+++ b/ansible/vars/all.yml
@@ -0,0 +1,3 @@
+---
+autonomic_admin_mail: helo@autonomic.zone
+autonomic_admin_user: autonomic
diff --git a/ansible/vars/ansible_become_pass.yml b/ansible/vars/ansible_become_pass.yml
new file mode 100644
index 0000000..abb21b9
--- /dev/null
+++ b/ansible/vars/ansible_become_pass.yml
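Review bot: The "Create mariadb database" task in ansible/pre-deploy.yml interpolates `{{ db_passwd }}` and `{{ root_db_passwd }}` unquoted into a `shell:` line, so any shell metacharacter in a generated password breaks or alters the command, and because the task has no `no_log`, both vault-protected secrets are printed in the play output whenever Ansible reports the command (verbose runs, failures). Pass them through Jinja's quote filter, `shell: "dokku mariadb:create keycloak --password {{ db_passwd | quote }} --root-password {{ root_db_passwd | quote }}"`, and add `no_log: true` to this task and to the `dokku_config` task, whose `config:` mapping also carries KEYCLOAK_PASSWORD, MYSQL_PASSWORD and MYSQL_ROOT_PASSWORD. Putting the passwords on the dokku command line additionally leaves them readable in the process table while the command runs, which the vault files cannot prevent; if `dokku mariadb:create` accepts no other input path, a comment noting that trade-off belongs above the task.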
@@ -0,0 +1,8 @@
+---
+ansible_become_pass: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 34396236353735666531323238656533643465303131663464613162396333313836363630666266
+ 6539323631656635333864316166633064633366323936610a656137616334313534333635313232
+ 35323561303763366563316631313638363333393763323935343563303963616334336639386462
+ 3837383830616637360a373539613630356564363662393836366462666430353439353637303035
+ 63396633303166343433313439303539313637306637663137313533316531616434
diff --git a/ansible/vars/autonomic_admin_pass.yml b/ansible/vars/autonomic_admin_pass.yml
new file mode 100644
index 0000000..3a1d284
--- /dev/null
+++ b/ansible/vars/autonomic_admin_pass.yml
@@ -0,0 +1,8 @@
+autonomic_admin_pass: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 35303431663632323539653636353862383432626466376263666238346263663839396638333162
+ 3661306338336635653936386335646665623332376330370a363039323662616432366132316135
+ 32343839356631383832366638326661323661623033343338306336313639376664373931313364
+ 3732653332646462630a366563633737303934656561343461633630613666306634646433373465
+ 35373966653563303664336231643134653866653135363537383230383262353634356165613631
+ 3136333437386635656234386432316466386566626238333161
diff --git a/ansible/vars/db_passwd.yml b/ansible/vars/db_passwd.yml
new file mode 100644
index 0000000..0d5221a
--- /dev/null
+++ b/ansible/vars/db_passwd.yml
@@ -0,0 +1,8 @@
+db_passwd: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 65626261633661356263353564376431633962663461353261316534306635376137393164393036
+ 3163373239316364646165656666626462616434346365640a313832663133636132376330623132
+ 30313534333135386336373566376634326339303233653336383665346463333037643265663537
+ 3135333366313433340a643565653265363531633561306163303938323731393133326165336639
+ 37396330363062326465386163373733653165623961626537336139633663326630666462386262
+ 3463376239386531313534653834326637386635643961306436
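Review bot: ansible/vars/autonomic_admin_pass.yml opens directly with the `autonomic_admin_pass: !vault |` key, while ansible/vars/ansible_become_pass.yml in the same commit starts with a `---` document marker; ansible/vars/db_passwd.yml and ansible/vars/root_db_passwd.yml have the same omission. Adding `---` as the first line of those three files keeps the vars directory consistent and satisfies yamllint's document-start rule. Committing the encrypted payloads is fine as long as the vault password itself stays out of the repository, which ansible/.vault.sh arranges by fetching it from pass.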
diff --git a/ansible/vars/root_db_passwd.yml b/ansible/vars/root_db_passwd.yml
new file mode 100644
index 0000000..4cc9f1c
--- /dev/null
+++ b/ansible/vars/root_db_passwd.yml
@@ -0,0 +1,8 @@
+root_db_passwd: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 66626439333936646661366235393638343639393730633435643166666331376432616632343330
+ 3564313661336331356661343465666462376430366234650a616561333233633631333135333865
+ 64343963346537353534663134306466336531383037636132646662626163313061333435646661
+ 3335623563616438650a366666323631383039656632333862383836313739383361333864633962
+ 35303435396237346230393431363030666536646361643566636534613063376532626434653731
+ 6334346166646231666165623462666638646236613133656330
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..130e91f
--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1 @@
+ansible==2.9.6
diff --git a/sbin/encrypt.sh b/sbin/encrypt.sh
new file mode 100755
index 0000000..d328761
--- /dev/null
+++ b/sbin/encrypt.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -eu -o pipefail
+
+# Usage
+# ./encrypt.sh mysecretname mysecretvalue
+
+declare name="$1"
+declare secret="$2"
+
+ansible-vault \
+ encrypt_string \
+ --vault-password-file ansible/.vault.sh \
+ --name "$name" \
+ "$secret"
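Review bot: sbin/encrypt.sh takes the plaintext secret as its second positional argument (`declare secret="$2"`, per the usage comment `./encrypt.sh mysecretname mysecretvalue`), so every value it encrypts is recorded in the caller's shell history and is visible in the process table while ansible-vault runs. ansible-vault's encrypt_string can read the value from stdin instead: drop `declare secret="$2"` and the trailing `"$secret"` argument and replace `--name "$name" \` with `--stdin-name "$name"`, then update the usage comment to `./encrypt.sh mysecretname < secretfile` (or `pass show … | ./encrypt.sh mysecretname`). With `set -u` a missing argument currently dies with bash's generic `unbound variable` message; a usage check such as `[ $# -eq 1 ] || { echo "usage: $0 name" >&2; exit 1; }` fails more helpfully.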