From a42aff635d22dcd2b89dc80751e97ab82ac485e8 Mon Sep 17 00:00:00 2001
From: Luke Murphy
Date: Thu, 26 Mar 2020 11:37:18 +0100
Subject: [PATCH] Bootstrap minio
---
.envrc.sample | 2 ++
CHECKS | 5 +++++
Dockerfile | 5 +++++
README.md | 43 +++++++++++++++++++++++++++++++++++++
ansible/.vault.sh | 5 +++++
ansible/post-deploy.yml | 46 ++++++++++++++++++++++++++++++++++++++++
ansible/pre-deploy.yml | 41 +++++++++++++++++++++++++++++++++++
ansible/requirements.yml | 3 +++
ansible/vars/all.yml | 4 ++++
app.json | 5 +++++
requirements.txt | 1 +
sbin/encrypt.sh | 15 +++++++++++++
12 files changed, 175 insertions(+)
create mode 100644 .envrc.sample
create mode 100644 CHECKS
create mode 100644 Dockerfile
create mode 100644 README.md
create mode 100755 ansible/.vault.sh
create mode 100644 ansible/post-deploy.yml
create mode 100644 ansible/pre-deploy.yml
create mode 100644 ansible/requirements.yml
create mode 100644 ansible/vars/all.yml
create mode 100644 app.json
create mode 100644 requirements.txt
create mode 100755 sbin/encrypt.sh
diff --git a/.envrc.sample b/.envrc.sample
new file mode 100644
index 0000000..cfe67cc
--- /dev/null
+++ b/.envrc.sample
@@ -0,0 +1,2 @@
+# The path to our pass credentials store
+export PASSWORD_STORE_DIR=$(pwd)/../infrastructure/credentials/password-store
diff --git a/CHECKS b/CHECKS
new file mode 100644
index 0000000..4c942ea
--- /dev/null
+++ b/CHECKS
@@ -0,0 +1,5 @@
+WAIT=3
+TIMEOUT=3
+ATTEMPTS=5
+
+/minio/health/ready
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..abe1807
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,5 @@
+FROM minio/minio:RELEASE.2020-03-25T07-03-04Z
+
+EXPOSE 9000
+
+COPY . ${WORKDIR}
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..9f35ba4
--- /dev/null
+++ b/README.md
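Review bot: `COPY . ${WORKDIR}` in the new Dockerfile copies the whole repository into the image, and none of the 12 files in this commit is a `.dockerignore`, so the Ansible playbooks, `ansible/.vault.sh`, `sbin/encrypt.sh` and any vault-encrypted vars files committed later end up in an image layer. Nothing visible here suggests the MinIO server needs those files at runtime, so either drop the `COPY` or add a `.dockerignore` that excludes `ansible/`, `sbin/` and `.envrc*`. `WORKDIR` is also not declared with `ARG` or `ENV` in this file; unless the base image exports it, the destination expands to an empty string, so an explicit absolute destination such as `COPY . /app` would be safer.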
@@ -0,0 +1,43 @@
+# minio
+
+> https://drone.io/
+
+## Setup
+
+### Pre-requisites
+
+1. You have SSH access to dokku.autonomic.zone
+1. You have sudo privilege escalation working
+
+```
+Host dokku.autonomic.zone
+ Hostname dokku.autonomic.zone
+ User
+ Port 222
+ IdentityFile ~/.ssh/
+```
+
+See the password-store under `autonomic-dokku` for your sudo password.
+
+### Environment
+
+1. Clone the [infrastructure repository](https://gitlab.com/autonomic-cooperative/infrastructure)
+1. Copy the sample file: `cp .envrc.sample .envrc`
+1. Ensure that the .envrc `PASSWORD_STORE_DIR` env var points to the `infrastructure/credentials/password-store`
+
+### Python
+
+You only need to do this if you're working with Ansible vault (encrypting/decrypting new secrets).
+
+```bash
+$ python3 -m venv .venv
+$ source .venv/bin/activate
+$ pip install -r requirements.txt
+```
+
+## Deploy
+
+```bash
+$ git remote add dokku dokku@dokku.autonomic.zone:minio
+$ git push dokku
+```
diff --git a/ansible/.vault.sh b/ansible/.vault.sh
new file mode 100755
index 0000000..8f30d37
--- /dev/null
+++ b/ansible/.vault.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+set -eu -o pipefail
+
+echo $(pass show hosts/autonomic-dokku/vault/password)
diff --git a/ansible/post-deploy.yml b/ansible/post-deploy.yml
new file mode 100644
index 0000000..6422ea5
--- /dev/null
+++ b/ansible/post-deploy.yml
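Review bot: In `ansible/.vault.sh`, `echo $(pass show …)` leaves the command substitution unquoted, so the vault password goes through word splitting and glob expansion before it is printed; a password containing consecutive spaces, `*` or `?` would reach ansible-vault altered. Wrapping the call in `echo` also hides a failing `pass show` from `set -e`, so the script can exit 0 with an empty password. Calling the command directly avoids both: `pass show hosts/autonomic-dokku/vault/password`.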
@@ -0,0 +1,46 @@
+---
+- hosts: all
+ gather_facts: false
+ tasks:
+ - name: Load variables
+ include_vars:
+ dir: "{{ dokku_lib_root }}/data/ansible/minio/vars/"
+ extensions:
+ - yml
+
+ - name: Set HTTP 80 port proxy
+ dokku_ports:
+ app: minio
+ mappings:
+ - "http:80:{{ http_port }}"
+ state: present
+
+ - name: Setup LE certificates
+ shell: dokku letsencrypt minio
+ args:
+ creates: /home/dokku/minio/letsencrypt/certs
+
+ - name: Setup LE certificates renew cron job
+ shell: dokku letsencrypt:cron-job --add
+ args:
+ creates: /home/dokku/minio/letsencrypt/cron-job
+
+ - name: Specify certificate docker volume mounts
+ dokku_storage:
+ app: keycloak
+ mounts:
+ - /home/dokku/minio/letsencrypt/certs:/root/.minio/certs
+
+ - name: Remove automatically configured ports
+ dokku_ports:
+ app: minio
+ mappings:
+ - "http:{{ http_port }}:{{ http_port }}"
+ state: absent
+
+ - name: Set HTTP 443 port
+ dokku_ports:
+ app: minio
+ mappings:
+ - "https:443:{{ http_port }}"
+ state: present
diff --git a/ansible/pre-deploy.yml b/ansible/pre-deploy.yml
new file mode 100644
index 0000000..80954e1
--- /dev/null
+++ b/ansible/pre-deploy.yml
@@ -0,0 +1,41 @@
+---
+- hosts: all
+ gather_facts: false
+ tasks:
+ - name: Load variables
+ include_vars:
+ dir: "{{ dokku_lib_root }}/data/ansible/minio/vars/"
+ extensions:
+ - yml
+
+ - name: "Configure {{ domain }} domain"
+ dokku_domains:
+ app: minio
+ domains:
+ - "{{ domain }}"
+ state: present
+
+ - name: Create application directories
+ file:
+ path: "{{ item }}"
+ state: directory
+ owner: git
+ group: git
+ with_items:
+ - /var/lib/minio
+ become: true
+
+ - name: Specify docker volume mount
+ dokku_storage:
+ app: minio
+ mounts:
+ - /var/run/minio:/data
+
+ - name: Configure the app environment
+ dokku_config:
+ app: minio
+ restart: false
+ config:
+ DOKKU_LETSENCRYPT_EMAIL: "{{ autonomic_admin_mail }}"
+ MINIO_ACCESS_KEY: "{{ minio_access_key }}"
+ MINIO_SECRET_KEY: "{{ minio_secret_key }}"
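Review bot: The "Specify certificate docker volume mounts" task in `ansible/post-deploy.yml` sets `app: keycloak`, while every other task in this playbook targets `minio`. As written it mounts `/home/dokku/minio/letsencrypt/certs` into the keycloak app, which exposes MinIO's certificate directory (presumably including the private key) to a different container and leaves MinIO without certificates at `/root/.minio/certs`. This looks like a leftover from a copied playbook; the line should read `app: minio`.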
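Review bot: In `ansible/pre-deploy.yml` the directory task creates `/var/lib/minio`, but the storage task mounts `/var/run/minio:/data`, so the directory prepared with `owner: git` is never the one MinIO writes to. `/var/run` is normally a tmpfs that is cleared on reboot, which would mean object data does not survive a host restart; the mount was probably meant to be `- /var/lib/minio:/data`. Separately, the `dokku_config` task receives `MINIO_ACCESS_KEY` and `MINIO_SECRET_KEY`; adding `no_log: true` to that task keeps the values out of Ansible output in case the module reports its arguments, which cannot be confirmed from this diff.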
diff --git a/ansible/requirements.yml b/ansible/requirements.yml
new file mode 100644
index 0000000..0dddf53
--- /dev/null
+++ b/ansible/requirements.yml
@@ -0,0 +1,3 @@
+---
+- src: dokku_bot.ansible_dokku
+ version: v2020.3.15
diff --git a/ansible/vars/all.yml b/ansible/vars/all.yml
new file mode 100644
index 0000000..5054e49
--- /dev/null
+++ b/ansible/vars/all.yml
@@ -0,0 +1,4 @@
+---
+domain: "minio.autonomic.zone"
+autonomic_admin_mail: "helo@autonomic.zone"
+http_port: "9000"
diff --git a/app.json b/app.json
new file mode 100644
index 0000000..a3a91ae
--- /dev/null
+++ b/app.json
@@ -0,0 +1,5 @@
+{
+ "name": "minio",
+ "description": "High Performance, Kubernetes-Friendly Object Storage",
+ "repository": "https://git.autonomic.zone/autonomic-cooperative/minio"
+}
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..130e91f
--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1 @@
+ansible==2.9.6
diff --git a/sbin/encrypt.sh b/sbin/encrypt.sh
new file mode 100755
index 0000000..d328761
--- /dev/null
+++ b/sbin/encrypt.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -eu -o pipefail
+
+# Usage
+# ./encrypt.sh mysecretname mysecretvalue
+
+declare name="$1"
+declare secret="$2"
+
+ansible-vault \
+ encrypt_string \
+ --vault-password-file ansible/.vault.sh \
+ --name "$name" \
+ "$secret"
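Review bot: `sbin/encrypt.sh` takes the secret value as `$2` and passes it to `ansible-vault encrypt_string` as a command-line argument, so the plaintext lands in shell history and is visible in the process list while the command runs. `encrypt_string` can read the value from stdin instead: replace `--name "$name"` and `"$secret"` with `--stdin-name "$name"` and drop `declare secret="$2"`, so the caller pipes or types the secret. The `--vault-password-file ansible/.vault.sh` path is relative to the working directory, so the usage comment `./encrypt.sh …` (implying a run from `sbin/`) would not find it; the comment should read `sbin/encrypt.sh mysecretname` from the repository root.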