From 86bf87405a92f5a66008e6bda6e4be2e4722009a Mon Sep 17 00:00:00 2001 From: Markus Hauschild Date: Sun, 7 Jun 2020 15:12:45 +0200 Subject: [PATCH] new host for drone.io fix path of acertmgr handler --- group_vars/all/vars.yml | 6 +++ group_vars/all/vault.yml | 82 +++++++++++++++++---------------- hosts | 1 + roles/drone/files/drone.service | 14 ++++++ roles/drone/handlers/main.yml | 13 ++++++ roles/drone/meta/main.yml | 5 ++ roles/drone/tasks/main.yml | 52 +++++++++++++++++++++ roles/drone/templates/certs.j2 | 15 ++++++ roles/drone/templates/drone.j2 | 7 +++ roles/drone/templates/vhost.j2 | 31 +++++++++++++ site.yml | 7 ++- 11 files changed, 193 insertions(+), 40 deletions(-) create mode 100644 roles/drone/files/drone.service create mode 100644 roles/drone/handlers/main.yml create mode 100644 roles/drone/meta/main.yml create mode 100644 roles/drone/tasks/main.yml create mode 100644 roles/drone/templates/certs.j2 create mode 100644 roles/drone/templates/drone.j2 create mode 100644 roles/drone/templates/vhost.j2
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index 6ee1111..ccbce5f 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -14,6 +14,12 @@ dns_axfr_ips:
 dhcp_omapi_key: "{{ vault_dhcp_omapi_key }}"
+drone_domain: drone.binary-kitchen.de
+drone_dbname: drone
+drone_dbuser: drone
+drone_dbpass: "{{ vault_drone_dbpass }}"
+drone_secret: "{{ vault_drone_secret }}"
+
 dss_domain: dss.binary-kitchen.de
 dss_secret: "{{ vault_dss_secret }}"
diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml
index f5df42a..cacd079 100644
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@@ -1,40 +1,44 @@ $ANSIBLE_VAULT;1.1;AES256 -65386365643062373630613165666663396337336335653562663134376664306466663463613637 -3364303661616431613138653162333536343234633839310a306366646266346238333538326633 -35633264353932633361616531623336386331663038363832363038373833356139313065383065 -6462356264373862650a313166323366623963643839643564613462366232653361393331353430 -32393936636161653339393531363761643137306639376564613134643763333861653764373563 -65656364353964343033326266353062396330363934633933646632303236666130303838623332 -37333237316235343430333762346534636636353332363332323433666262333833636638623862 -66343239656461336138356334666363653039353861656363363963383831373962613637376631 -38323432396435373433653165386634306332323137326365643764353161616330663638376163 -64646438323331633138343932653038636638386639623433636139623266376465373266653137 -36313138396230616335653334653233333430366631383835363231393333663661646133313732 -61303430393933326432626135333637666135616634643430633433633832373435663338643130 -30666664623435303462376363313666353633313766353631343939313862356139643164333865 -38306237613735663565346266363263656161303164626632366465653939363932373631623938 -30633762376432353231323437303638313939613034303235336261303530646333656432393661 -38616366353461323839643465663039363339356330336262616539373032353466613633653662 -32373733326266323335386365633232383732383432333265333066623463616165376539356234 -63326438653530336264326437386164303139383036383361333737343861646133353464366533 -63343731366535343330616162333465633966383262313531636430383735343135306233616138 -61656432343938363430363636373533373832363565353538356462366663633639356630653331 -32386533303366353262643464653831383937333736366239633030323432653234656536393435 -63376564623361653864316462613434323932666561356532646536636130616534376231373563 -64393365653163336635366663323239363436363064353461326261363837323663623162323234 
-36643436316331643331383133393830373838363865393130333864383136323064383731353065 -64633236613437646138373635396563666533393533333464633062326337623037616266636664 -31633435353266323163356434353461633763396261393762313437353162373464313534383638 -30616665623831653565613764313237333333343034326437323436323139613637333161623031 -39636238306464643635613836623361396562623366653263396633653132643937646139353261 -31623432633965643031346530336333353130666534303162373731376461353237633863303933 -30376331663833353233383161663066373965646536663461323236373466636334353235386530 -38306636666364343732393735383535333866656663613533336439636431323938633739383363 -38366665323339363966636533623635383464393831396431323161626563383432313433353035 -61356362333930653866616635333438353138353532323465633765613466646638646131316531 -34626430643066313461393535323830666266323462373331346261393130353463336362663263 -32333465653237326636306636333265643463363630626238333564613138383132393462616338 -34343237316239653362383831666233613033623964363030313731653532323831376365656535 -34653538313135623362343637663733636366646534373538303331323433653135303936336664 -31373062653338626234653537663136356537663665613864623462623130336363343862636465 -646238313932313833303933643432346133 +30386437633139313730633863633362386233316337653461616364623334323339626533333939 +6466623963336361343337333831646635383437376435620a363836386664623430303836366666 +64356564333864643030636438636364646666633662306236666131653962653235623961376436 +6534623031633033360a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diff --git a/hosts b/hosts index 2e5e611..858065d 100644 --- a/hosts +++ b/hosts @@ -22,3 +22,4 @@ sodium.binary-kitchen.net krypton.binary-kitchen.net yttrium.binary-kitchen.net zirconium.binary-kitchen.net +molybdenum.binary-kitchen.net diff --git a/roles/drone/files/drone.service b/roles/drone/files/drone.service new file mode 100644 index 0000000..240172f --- /dev/null 
+++ b/roles/drone/files/drone.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=drone.io server
+After=network-online.target
+
+[Service]
+Type=simple
+User=drone
+EnvironmentFile=/etc/default/drone
+ExecStart=/opt/drone/bin/drone-server
+Restart=always
+RestartSec=5s
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/drone/handlers/main.yml b/roles/drone/handlers/main.yml
new file mode 100644
index 0000000..39f5285
--- /dev/null
+++ b/roles/drone/handlers/main.yml
@@ -0,0 +1,13 @@
+---
+
+- name: Run acertmgr
+ command: /usr/bin/acertmgr
+
+- name: Restart drone
+ service: name=drone state=restarted
+
+- name: Restart nginx
+ service: name=nginx state=restarted
+
+- name: Reload systemd
+ command: systemctl daemon-reload
diff --git a/roles/drone/meta/main.yml b/roles/drone/meta/main.yml
new file mode 100644
index 0000000..8fcf724
--- /dev/null
+++ b/roles/drone/meta/main.yml
@@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: acertmgr }
+- { role: nginx, nginx_ssl: True }
diff --git a/roles/drone/tasks/main.yml b/roles/drone/tasks/main.yml
new file mode 100644
index 0000000..588b812
--- /dev/null
+++ b/roles/drone/tasks/main.yml
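Review bot: `After=network-online.target` in the `[Unit]` section does not by itself make the service wait for the network; systemd only pulls that target into the boot transaction when some unit also declares `Wants=network-online.target`, so add that line next to the `After=`. Since the server already runs as the unprivileged `drone` user, the `[Service]` section is a natural place for basic sandboxing such as `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` (check that `/opt/drone` and any data directory the server writes remain accessible). The binary at `/opt/drone/bin/drone-server` is described elsewhere in the patch as manually compiled, so nothing in the role records which Drone version or source is being deployed.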
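Review bot: Handlers run in the order they are defined in this file, not in the order they were notified, so `Restart drone` (second) always fires before `Reload systemd` (last); when the unit file changes, drone is restarted with the stale unit definition and the new one only applies on the next restart. Either move the `Reload systemd` handler above `Restart drone`, or collapse the two into `systemd: name=drone state=restarted daemon_reload=yes` and notify only that. For nginx a vhost or certificate change needs no full restart, so `service: name=nginx state=reloaded` would avoid dropping in-flight connections; the same applies to the `/usr/sbin/service nginx restart` action in the acertmgr config.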
@@ -0,0 +1,52 @@
+---
+
+- name: Create user
+ user: name=drone
+
+# TODO install drone to /opt/drone/bin
+# currently it is manually compiled
+
+- name: Configure drone
+ template: src=drone.j2 dest=/etc/default/drone
+ notify: Restart drone
+
+- name: Install PostgreSQL
+ apt: name={{ item }}
+ with_items:
+ - postgresql
+ - python-psycopg2
+
+- name: Configure PostgreSQL database
+ postgresql_db: name={{ drone_dbname }}
+ become: true
+ become_user: postgres
+
+- name: Configure PostgreSQL user
+ postgresql_user: db={{ drone_dbname }} name={{ drone_dbuser }} password={{ drone_dbpass }} priv=ALL state=present
+ become: true
+ become_user: postgres
+
+- name: Ensure certificates are available
+ command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ drone_domain }}.key -out /etc/nginx/ssl/{{ drone_domain }}.crt -days 730 -subj "/CN={{ drone_domain }}" creates=/etc/nginx/ssl/{{ drone_domain }}.crt
+ notify: Restart nginx
+
+- name: Configure certificate manager for drone
+ template: src=certs.j2 dest=/etc/acertmgr/{{ drone_domain }}.conf
+ notify: Run acertmgr
+
+- name: Configure vhost
+ template: src=vhost.j2 dest=/etc/nginx/sites-available/drone
+ notify: Restart nginx
+
+- name: Enable vhost
+ file: src=/etc/nginx/sites-available/drone dest=/etc/nginx/sites-enabled/drone state=link
+ notify: Restart nginx
+
+- name: Install systemd unit
+ copy: src=drone.service dest=/lib/systemd/system/drone.service
+ notify:
+ - Reload systemd
+ - Restart drone
+
+- name: Enable drone
+ service: name=drone enabled=yes
diff --git a/roles/drone/templates/certs.j2 b/roles/drone/templates/certs.j2
new file mode 100644
index 0000000..1340e99
--- /dev/null
+++ b/roles/drone/templates/certs.j2
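Review bot: `/etc/default/drone` is rendered by the `Configure drone` task without `owner`, `group` or `mode`, so it is created with the default (usually 0644) permissions although drone.j2 writes the database password and `DRONE_RPC_SECRET` into it; any local account on the host can read both. Change the task to `template: src=drone.j2 dest=/etc/default/drone owner=root group=root mode=0600` — systemd reads `EnvironmentFile=` before dropping to `User=drone`, so the service user should not need access (fall back to `group=drone mode=0640` if it does). The self-signed bootstrap key written by the `openssl` command gets no explicit mode either, while the acertmgr config later enforces 400 on the same path; a `file: path=/etc/nginx/ssl/{{ drone_domain }}.key mode=0400` step after it would make both paths consistent whatever the local openssl defaults are. Passing a loop to `apt` via `with_items` is deprecated in newer Ansible; hand the module the package list directly instead.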
@@ -0,0 +1,15 @@
+---
+
+{{ drone_domain }}:
+- path: /etc/nginx/ssl/{{ drone_domain }}.key
+ user: root
+ group: root
+ perm: '400'
+ format: key
+ action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ drone_domain }}.crt
+ user: root
+ group: root
+ perm: '400'
+ format: crt,ca
+ action: '/usr/sbin/service nginx restart'
diff --git a/roles/drone/templates/drone.j2 b/roles/drone/templates/drone.j2
new file mode 100644
index 0000000..1adc890
--- /dev/null
+++ b/roles/drone/templates/drone.j2
@@ -0,0 +1,7 @@
+DRONE_AGENTS_ENABLED=true
+DRONE_DATABASE_DATASOURCE=postgres://{{ drone_dbuser }}:{{ drone_dbpass }}@127.0.0.1:5432/{{ drone_dbname }}
+DRONE_DATABASE_DRIVER=postgres
+DRONE_GOGS_SERVER=https://{{ gogs_domain }}
+DRONE_RPC_SECRET={{ drone_secret }}
+DRONE_SERVER_HOST={{ drone_domain }}
+DRONE_SERVER_PROTO=https
diff --git a/roles/drone/templates/vhost.j2 b/roles/drone/templates/vhost.j2
new file mode 100644
index 0000000..e11aa33
--- /dev/null
+++ b/roles/drone/templates/vhost.j2
@@ -0,0 +1,31 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name {{ drone_domain }};
+
+ location /.well-known/acme-challenge {
+ default_type "text/plain";
+ alias /var/www/acme-challenge;
+ }
+
+ location / {
+ return 301 https://{{ drone_domain }}$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name {{ drone_domain }};
+
+ ssl_certificate_key /etc/nginx/ssl/{{ drone_domain }}.key;
+ ssl_certificate /etc/nginx/ssl/{{ drone_domain }}.crt;
+
+ location / {
+ client_max_body_size 128M;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass http://localhost:8080;
+ }
+}
diff --git a/site.yml b/site.yml
index e7ddebb..0b27b96 100644
--- a/site.yml
+++ b/site.yml
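Review bot: The `DRONE_DATABASE_DATASOURCE` URL is built by plain string interpolation, so a `drone_dbpass` containing `@`, `/`, `:` or `#` silently breaks the DSN; render the password as `{{ drone_dbpass | urlencode }}` inside the URL. Nothing sets `DRONE_SERVER_PORT` even though the systemd unit runs the server as the unprivileged `drone` user and the vhost proxies to port 8080; unless the binary's default already matches, add `DRONE_SERVER_PORT=127.0.0.1:8080`, which also keeps the plaintext listener off the network so TLS cannot be bypassed by connecting to the backend directly. Registration is not restricted by anything here, so every account on the Gogs instance can log in and run pipelines on this host; if that is not intended, limit it with the user-filter or registration variables of the Drone version in use.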
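Review bot: The proxy forwards only `X-Real-IP`, so Drone never receives `Host`, `X-Forwarded-For` or `X-Forwarded-Proto` and cannot see the client chain or that the request arrived over TLS; the `location /` block of the 443 server should set those headers. Drone's published nginx example also turns off response buffering (`proxy_http_version 1.1`, `proxy_buffering off`, `chunked_transfer_encoding off`) so streamed build logs are not held back by nginx. `proxy_pass http://localhost:8080` resolves `localhost` at startup and can alternate between 127.0.0.1 and ::1 on dual-stack hosts, so name the address explicitly. The TLS block carries no HSTS header and no `ssl_protocols`/`ssl_ciphers`; if the shared nginx role does not provide them, add at least a `Strict-Transport-Security` header here. The rewritten location block follows.

```nginx
    # … unchanged: listen / server_name / ssl_certificate lines …

    # only if the shared nginx config does not already send it
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        client_max_body_size 128M;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
        chunked_transfer_encoding off;
        proxy_pass http://127.0.0.1:8080;
    }
```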
@@ -8,7 +8,7 @@
 - root-keys
 - name: Setup unattended updates
- hosts: [sulis.binary.kitchen, nabia.binary.kitchen, beryllium.binary-kitchen.net, boron.binary-kitchen.net, carbon.binary-kitchen.net, nitrogen.binary-kitchen.net, oxygen.binary-kitchen.net, fluorine.binary-kitchen.net, krypton.binary-kitchen.net, sodium.binary-kitchen.net, yttrium.binary-kitchen.net, zirconium.binary-kitchen.net]
+ hosts: [sulis.binary.kitchen, nabia.binary.kitchen, beryllium.binary-kitchen.net, boron.binary-kitchen.net, carbon.binary-kitchen.net, nitrogen.binary-kitchen.net, oxygen.binary-kitchen.net, fluorine.binary-kitchen.net, krypton.binary-kitchen.net, sodium.binary-kitchen.net, yttrium.binary-kitchen.net, zirconium.binary-kitchen.net, molybdenum.binary-kitchen.net]
 roles:
 - uau
@@ -93,3 +93,8 @@
 hosts: zirconium.binary-kitchen.net
 roles:
 - jitsi
+
+- name: Setup drone server
+ hosts: molybdenum.binary-kitchen.net
+ roles:
+ - drone