Merge pull request #559 from SURFscz/surfconext/test2

Surfconext/test2

.github/workflows/ci-runner.yml

@@ -82,4 +82,3 @@ jobs:
             echo ===netstat===; netstat -lnp;
           '"
         if: failure()
-

environments/ci/group_vars/all.yml

@@ -11,6 +11,7 @@ secrets_users_file: "environments/vm/secrets/users.yml"
 admin_email: "admin@{{base_domain}}"
 
 is_aws: false
+is_dev: true
 experimental_features: true
 debian_dist: "bookworm"  # CI needs bookworm because of SSP
 

environments/docker/group_vars/all.yml

@@ -12,6 +12,8 @@ secrets_users_file: "environments/docker/secrets/users.yml"
 admin_email: "admin@{{base_domain}}"
 
 is_aws: false
+is_dev: true
+sram_ansible_nolog: false
 experimental_features: true
 
 servers:

environments/docker/group_vars/container.yml

@@ -40,24 +40,25 @@ firewall_v4_incoming:
 ## Docker
 ####################################################
 containers:
-  db: sram-db
-  redis: sram-redis
-  sbs: sram-sbs
-  sbs_server: sram-sbs-server
-  ldap: sram-ldap
-  metadata: sram-metadata
-  pyff: sram-pyff
-  plsc: sram-plsc
+  db: "sram-db"
+  redis: "sram-redis"
+  sbs: "sram-sbs"
+  sbs_server: "sram-sbs-server"
+  sbs_migration: "sram-sbs-migration"
+  ldap: "sram-ldap"
+  metadata: "sram-metadata"
+  pyff: "sram-pyff"
+  plsc: "sram-plsc"
 
 images:
-  db: mariadb:11
-  redis: redis:7
-  sbs: ghcr.io/surfscz/sram-sbs-client:main
-  sbs_server: ghcr.io/surfscz/sram-sbs-server:main
-  ldap: ghcr.io/surfscz/sram-ldap:main
-  metadata: ghcr.io/surfscz/sram-metadata:main
-  pyff: ghcr.io/surfscz/sram-pyff:main
-  plsc: ghcr.io/surfscz/sram-plsc:main
+  db: "docker.io/library/mariadb:11"
+  redis: "docker.io/library/redis:7"
+  sbs: "ghcr.io/surfscz/sram-sbs-client:main"
+  sbs_server: "ghcr.io/surfscz/sram-sbs-server:main"
+  ldap: "ghcr.io/surfscz/sram-ldap:main"
+  metadata: "ghcr.io/openconext/openconext-basecontainers/apache2:latest"
+  pyff: "ghcr.io/surfscz/sram-pyff:main"
+  plsc: "ghcr.io/surfscz/sram-plsc:main"
 
 traefik_network: traefik
 internal_network: sram

environments/vm/group_vars/all.yml

@@ -11,6 +11,8 @@ secrets_users_file: "environments/vm/secrets/users.yml"
 admin_email: "admin@{{base_domain}}"
 
 is_aws: false
+is_dev: true
+sram_ansible_nolog: false
 experimental_features: true
 
 servers:

provision.yml

@@ -63,7 +63,7 @@
     - { role: "users",          tags: ["common","users"]         }
     - { role: "logging",        tags: ["common","logging"]       }
     - { role: "firewall",       tags: ["common","firewall"],
-        when: "not is_docker" }
+        when: "not is_dev" }
     - { role: "ntp",            tags: ["common","ntp"]           }
     - { role: "aws-cleanup",    tags: ["common","clean"]         }
     - { role: "mail",           tags: ["common","mail"]          }
@@ -82,7 +82,7 @@
     - { role: "backup_collector",  tags: ["bhr2","backup-collector"]  }
     - { role: "logging_collector", tags: ["bhr2","logging-collector"] }
     - { role: "zabbix-server",     tags: ["bhr2","zabbix-server"],
-        when: "not is_docker" }
+        when: "not is_dev" }
 
 - name: "bhr11"
   hosts: "bhr11"
@@ -108,11 +108,11 @@
   tasks:
     - { name: "version", import_tasks: "tasks/versions.yml", tags: ["common"]  }
   roles:
-    - { role: "docker_db",                    tags: ["db", "docker-db"] }
-    - { role: "docker_pyff",                  tags: ["meta", "docker-pyff"] }
-    - { role: "docker_metadata",              tags: ["meta", "docker-metadata"] }
-    - { role: "docker_plsc",                  tags: ["plsc", "docker-plsc"] }
-    - { role: "docker_sbs",                   tags: ["sbs", "docker-sbs"] }
+    - { role: "docker_db",       tags: ["db",    "docker-db"      ], when: is_dev }
+    - { role: "docker_redis",    tags: ["redis", "docker-redis"   ] }
+    - { role: "docker_sbs",      tags: ["sbs",   "docker-sbs"     ] }
+    - { role: "docker_metadata", tags: ["meta",  "docker-meta"    ] }
+    - { role: "docker_plsc",     tags: ["plsc",  "docker-plsc"    ] }
 
 - name: "container_ldap"
   hosts: "container_ldap"
@@ -191,17 +191,17 @@
     - { role: "sram_monitor",         tags: ["bhr13","sram-monitor"]   }
     - { role: "scim_monitor",         tags: ["bhr13","scim-monitor"]   }
 
-- name: "demo clients demo1"
-  hosts: "demo1"
-  tasks:
-    - { name: "version", import_tasks: "tasks/versions.yml", tags: ["common"] }
-  roles:
-    - { role: "docker",               tags: ["demo1","demo-docker"] }
-    - { role: "demo-apache",          tags: ["demo1","demo-apache"]  }
-    - { role: "letsencrypt",          tags: ["demo1","demo-letsencrypt"] }
-    - { role: "demo-etherpad",        tags: ["demo1","demo-etherpad"]  }
-    - { role: "demo-weblogin",        tags: ["demo1","demo-weblogin"]  }
-    - { role: "demo-wordpress",       tags: ["demo1","demo-wordpress"]  }
+# - name: "demo clients demo1"
+#   hosts: "demo1"
+#   tasks:
+#     - { name: "version", import_tasks: "tasks/versions.yml", tags: ["common"] }
+#   roles:
+#     - { role: "docker",               tags: ["demo1","demo-docker"] }
+#     - { role: "demo-apache",          tags: ["demo1","demo-apache"]  }
+#     - { role: "letsencrypt",          tags: ["demo1","demo-letsencrypt"] }
+#     - { role: "demo-etherpad",        tags: ["demo1","demo-etherpad"]  }
+#     - { role: "demo-weblogin",        tags: ["demo1","demo-weblogin"]  }
+#     - { role: "demo-wordpress",       tags: ["demo1","demo-wordpress"]  }
 
 - name: "ci-runner"
   hosts: "bhr12"

roles/apt/tasks/main.yml

@@ -1,23 +1,23 @@
 ---
 - name: set up apt repo
   template:
-    src: sources.list.j2
-    dest: /etc/apt/sources.list
-    force: yes
-  register: apt_sources
+    src: "sources.list.j2"
+    dest: "/etc/apt/sources.list"
+    force: true
+  register: "apt_sources"
 
 # we need to do this manually, because ansible's apt module doesn't handle the default-release
 # setting correctly
 - name: Update cache
   command:
-    cmd: apt-get update
-  when: apt_sources.changed
+    cmd: "apt-get update"
+  when: "apt_sources.changed"
 
 - name: regularly update package lists
   copy:
-    src: 00-scz-update
-    dest: /etc/apt/apt.conf.d/00-scz-update
-  when: "not is_docker"
+    src: "00-scz-update"
+    dest: "/etc/apt/apt.conf.d/00-scz-update"
+  when: "not is_dev"
 
 - name: remove unneccessary packages
   apt:
@@ -34,7 +34,7 @@
 - name: Install common tools / clients
   apt:
     update_cache: yes
-    state: present
+    state: "present"
     name:
       - "acl"
       - "apt-transport-https"
@@ -70,7 +70,7 @@
     cache_valid_time: 86400
     update_cache: yes
     autoclean: yes
-  when: "not is_docker"
+  when: "not is_dev"
 
 - name: install VMware clients
   apt:
@@ -82,7 +82,7 @@
 # apt module doesn't support autoremove very well, yet
 - name: Remove obsolete packages
   command: "/usr/bin/apt --yes --purge autoremove"
-  register: result
+  register: "result"
   changed_when: "'0 upgraded, 0 newly installed, 0 to remove' not in result.stdout"
-  when: "not is_docker"
+  when: "not is_dev"
 

roles/certificates/tasks/main.yml

@@ -4,13 +4,13 @@
 - name: Create ssl_certs_dir
   file:
     path: "{{ ssl_certs_dir }}"
-    state: directory
+    state: "directory"
     mode: '0755'
 
 - name: Ensure group "ssl-cert" exists
   group:
-    name: ssl-cert
-    state: present
+    name: "ssl-cert"
+    state: "present"
     system: true
 
 - name: write backend wildcard key
@@ -45,7 +45,7 @@
     owner: "root"
     group: "root"
     mode: "0644"
-  when: "is_docker"
+  when: "is_dev"
   notify: "update certificates"
 
 - name: remove obsolete files
@@ -56,9 +56,9 @@
     - "vm.scz-vm.crt"
     - "scz-vm.crt"
     - "sram-https.crt"
-  when: "not is_docker"
+  when: "not is_dev"
   notify: "update certificates"
 
 # make sure all certificates are up to date after this role has run
 - name: Flush handlers
-  meta: flush_handlers
+  meta: "flush_handlers"

roles/docker/tasks/docker_setup.yml

@@ -0,0 +1,59 @@
+---
+# this role is used to install docker on the host
+# only used on dev hosts
+
+- name: Add Docker GPG key.
+  ansible.builtin.apt_key:
+    url: "https://download.docker.com/linux/debian/gpg"
+    state: "present"
+
+- name: Add Docker repository.
+  ansible.builtin.apt_repository:
+    repo: "deb [arch=amd64] https://download.docker.com/linux/debian bullseye stable"
+    state: "present"
+
+- name: Create docker config directory
+  ansible.builtin.file:
+    path: "/etc/docker"
+    state: "directory"
+    owner: "root"
+    group: "root"
+    mode: "0755"
+
+- name: Install docker config
+  ansible.builtin.copy:
+    content: |
+      {
+        "log-driver": "journald",
+        "log-opts": {
+        }
+      }
+    dest: "/etc/docker/daemon.json"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+
+- name: Install docker
+  ansible.builtin.apt:
+    name: "docker-ce"
+    state: "present"
+  notify:
+    - "start docker"
+
+- name: Add ansible user to docker group
+  ansible.builtin.user:
+    name: "ansible"
+    groups: "docker"
+    append: true
+
+# hackish way to allow name resolution from the host
+# it watches the docker daemon and updates /etc/hosts on the host
+- name: Install name resolution container
+  docker_container:
+    name: "name-resolver"
+    image: "dvdarias/docker-hoster"
+    state: "started"
+    restart_policy: "always"
+    volumes:
+      - "/var/run/docker.sock:/tmp/docker.sock"
+      - "/etc/hosts:/tmp/hosts"

roles/docker/tasks/main.yml

@@ -1,64 +1,10 @@
 ---
 - name: Install docker
-  block:
-    - name: Add Docker GPG key.
-      ansible.builtin.apt_key:
-        url: "https://download.docker.com/linux/debian/gpg"
-        state: "present"
-
-    - name: Add Docker repository.
-      ansible.builtin.apt_repository:
-        repo: "deb [arch=amd64] https://download.docker.com/linux/debian bullseye stable"
-        state: "present"
-
-    - name: Create docker config directory
-      ansible.builtin.file:
-        path: "/etc/docker"
-        state: "directory"
-        owner: "root"
-        group: "root"
-        mode: "0755"
-
-    - name: Install docker config
-      ansible.builtin.copy:
-        content: |
-          {
-            "log-driver": "journald",
-            "log-opts": {
-            }
-          }
-        dest: "/etc/docker/daemon.json"
-        owner: "root"
-        group: "root"
-        mode: "0644"
-
-    - name: Install docker
-      ansible.builtin.apt:
-        name: "docker-ce"
-        state: "present"
-      notify:
-        - "start docker"
-
-    - name: Add ansible user to docker group
-      ansible.builtin.user:
-        name: "ansible"
-        groups: "docker"
-        append: true
-
-    # hackish way to allow name resolution from the host
-    # it watches the docker daemon and updates /etc/hosts on the host
-    - name: Install name resolution container
-      docker_container:
-        name: "name-resolver"
-        image: "dvdarias/docker-hoster"
-        state: "started"
-        restart_policy: "always"
-        volumes:
-          - "/var/run/docker.sock:/tmp/docker.sock"
-          - "/etc/hosts:/tmp/hosts"
-
-  when: "environment_name=='vm'"
+  include_tasks: "docker_setup.yml"
+  when: "is_dev"
 
 - name: Create the internal network
   community.docker.docker_network:
     name: "{{internal_network}}"
+    enable_ipv6: false
+    state: "present"