diff --git a/.gitea/workflows/pr-ansible-config-deployment.yaml b/.gitea/workflows/pr-ansible-config-deployment.yml similarity index 99% rename from .gitea/workflows/pr-ansible-config-deployment.yaml rename to .gitea/workflows/pr-ansible-config-deployment.yml index 466fd025..3b6c3887 100644 --- a/.gitea/workflows/pr-ansible-config-deployment.yaml +++ b/.gitea/workflows/pr-ansible-config-deployment.yml @@ -1,4 +1,5 @@ name: Gitea Branch PR & Ansible Deployment + on: workflow_dispatch: push: @@ -8,6 +9,7 @@ on: - '**.j2' - '**/pr-ansible-config-deployment.yaml' - 'ansible/**.yml' + jobs: check-and-create-pr: if: github.ref != 'refs/heads/main' @@ -18,18 +20,21 @@ jobs: uses: actions/checkout@v5 with: fetch-depth: 1 + - name: Cache tea CLI id: cache-tea uses: actions/cache@v4 with: path: /opt/hostedtoolcache/tea/0.9.2/x64 key: tea-${{ runner.os }}-0.9.2 + - name: Install tea uses: supplypike/setup-bin@v4 with: uri: 'https://gitea.com/gitea/tea/releases/download/v0.9.2/tea-0.9.2-linux-amd64' name: 'tea' version: '0.9.2' + - name: Gotify Notification uses: eikendev/gotify-action@master with: @@ -37,6 +42,7 @@ jobs: gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}' notification_title: 'GITEA: PR Check' notification_message: 'Checking for existing PR... 🔍' + - name: Check if open PR exists id: check-opened-pr-step continue-on-error: true @@ -44,6 +50,7 @@ jobs: tea login add --name gitea-rinoa --url "${{ secrets.RINOA_GITEA_URL }}" --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }} pr_exists=$(tea pr list --repo ${{ github.repository }} --state open --fields index,title,head | egrep '\[ANSIBLE\].*${{ github.ref_name }}' | tail -1 | wc -l) echo "exists=$pr_exists" >> $GITHUB_OUTPUT + - name: Create PR if: ${{ steps.check-opened-pr-step.outputs.exists == '0' }} run: | 
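Review bot: The rename of this workflow from `.yaml` to `.yml` leaves the path filter in the `on.push.paths` hunk (`@@ -8,6 +9,7 @@`) still reading `- '**/pr-ansible-config-deployment.yaml'`, so pushes that only touch the workflow file itself will no longer match the filter and will not trigger the run. The line should follow the rename: `- '**/pr-ansible-config-deployment.yml'`. The sibling workflow in this same commit already uses the `.yml` spelling in its own filter (`'**/pr-cloudflare-docker-deploy.yml'`), so this is the only stale reference visible in the diff. The enclosing `on:` mapping starts in the previous hunk.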
@@ -51,6 +58,7 @@ jobs: pr_index_old=$(tea pr ls --repo ${{ github.repository }} --state all --fields index,title,head --output csv | sed -e 's|"||g' | egrep '^[0-9]' | head -1 | awk -F"," '{print $1}') pr_index_new=$(expr ${pr_index_old} + 1) tea pr c -r ${{ github.repository }} -t "[ANSIBLE] Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Ansible Configs.j2" + - name: Gotify Notification uses: eikendev/gotify-action@master with: @@ -58,6 +66,7 @@ jobs: gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}' notification_title: 'GITEA: PR Check' notification_message: 'PR Created 🎟️' + ansible-dry-run: name: Ansible Dry Run needs: [check-and-create-pr] @@ -69,6 +78,7 @@ jobs: steps: - name: Checkout uses: actions/checkout@v5 + - name: Cache Ansible Galaxy Collections uses: actions/cache@v3 with: @@ -76,15 +86,19 @@ jobs: key: ${{ runner.os }}-ansible-${{ hashFiles('./ansible/collections/requirements.yml') }} restore-keys: | ${{ runner.os }}-ansible- + - name: Install Ansible uses: alex-oleshkevich/setup-ansible@v1.0.1 with: version: "11.4.0" + - name: Install Vault uses: cpanato/vault-installer@main + - name: Install hvac run: | pip install hvac + - name: Gotify Notification uses: eikendev/gotify-action@master with: @@ -92,6 +106,7 @@ jobs: gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}' notification_title: 'GITEA: Ansible Config Dry Run @ Rinoa' notification_message: 'Starting Ansible dry run...' + - name: Ansible Playbook Dry Run uses: dawidd6/action-ansible-playbook@v3 with: @@ -103,6 +118,7 @@ jobs: options: | --check --inventory inventory/hosts.yml + - name: Gotify Notification uses: eikendev/gotify-action@master with: 
@@ -110,6 +126,7 @@ jobs: gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}' notification_title: 'GITEA: Ansible Dry Run @ Rinoa' notification_message: 'Ansible dry run completed successfully.' + pr-merge: name: PR Merge needs: [ansible-dry-run] @@ -117,12 +134,14 @@ jobs: steps: - name: Checkout uses: actions/checkout@v5 + - name: Install tea uses: supplypike/setup-bin@v4 with: uri: 'https://gitea.com/gitea/tea/releases/download/v0.9.2/tea-0.9.2-linux-amd64' name: 'tea' version: '0.9.2' + - name: PR Merge id: pr_merge run: | @@ -132,6 +151,7 @@ jobs: pr_index=$(tea pr ls --repo ${{ github.repository }} --state open --fields index,title,head,state --output csv | egrep ${{ github.ref_name }} | awk -F"," '{print $1}' | sed -e 's|"||g') tea pr m --repo ${{ github.repository }} --title "Auto Merge of PR ${pr_index} - ${{ github.ref_name }}" --message "Merged by ${{ github.actor }}" ${pr_index} echo "pr_index=${pr_index}" >> $GITHUB_OUTPUT + - name: Gotify Notification uses: eikendev/gotify-action@master with: @@ -139,6 +159,7 @@ jobs: gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}' notification_title: 'GITEA: PR Merge Successful' notification_message: 'PR #${{ steps.pr_merge.outputs.pr_index }} merged.' + ansible-config-deploy: name: Ansible Config Deployment runs-on: ubuntu-latest @@ -152,25 +173,31 @@ jobs: uses: actions/checkout@v5 with: ref: main + - name: Set up Python uses: actions/setup-python@v4 with: python-version: 3.12 + - name: Cache Vault install id: cache-vault uses: actions/cache@v4 with: path: /opt/hostedtoolcache/vault/1.18.0/x64 key: vault-${{ runner.os }}-1.18.0 + - name: Install Ansible uses: alex-oleshkevich/setup-ansible@v1.0.1 with: version: "11.4.0" + - name: Install Vault uses: cpanato/vault-installer@main + - name: Install hvac run: | pip install hvac + - name: Gotify Notification uses: eikendev/gotify-action@master with: 
@@ -178,6 +205,7 @@ jobs: gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}' notification_title: 'GITEA: Ansible Config Deployment @ Rinoa' notification_message: 'Starting config deployment with Ansible...' + - name: Ansible Playbook Config Deploy uses: dawidd6/action-ansible-playbook@v3 with: @@ -188,6 +216,7 @@ jobs: requirements: collections/requirements.yml options: | --inventory inventory/hosts.yml + - name: Gotify Notification uses: eikendev/gotify-action@master with: diff --git a/.gitea/workflows/pr-cloudflare-docker-deploy.yml b/.gitea/workflows/pr-cloudflare-docker-deploy.yml index 20655307..8094d7bb 100644 --- a/.gitea/workflows/pr-cloudflare-docker-deploy.yml +++ b/.gitea/workflows/pr-cloudflare-docker-deploy.yml @@ -1,4 +1,5 @@ name: Gitea Branch PR, Cloudflare DNS, README generation, & Docker Deployment + on: workflow_dispatch: push: @@ -8,10 +9,12 @@ on: - '**/docker-compose.yml' - '**/pr-cloudflare-docker-deploy.yml' - '!ansible/**.yml' + env: FLARECTL_VERSION: '0.115.0' HC_VAULT_VERSION: '1.20.0' TEA_VERSION: '0.10.1' + jobs: check-and-create-pr: if: github.ref != 'refs/heads/main' @@ -22,18 +25,21 @@ jobs: uses: actions/checkout@v5 with: fetch-depth: 1 + - name: Cache tea CLI id: cache-tea uses: actions/cache@v4 with: path: /opt/hostedtoolcache/tea/${{ env.TEA_VERSION }}/x64 key: tea-${{ runner.os }}-${{ env.TEA_VERSION }} + - name: Install tea uses: supplypike/setup-bin@v4 with: uri: https://gitea.com/gitea/tea/releases/download/v${{ env.TEA_VERSION }}/tea-${{ env.TEA_VERSION }}-linux-amd64 name: tea version: ${{ env.TEA_VERSION }} + - name: Gotify Notification uses: eikendev/gotify-action@master with: @@ -41,6 +47,7 @@ jobs: gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}' notification_title: 'GITEA: PR Check' notification_message: 'Checking for existing PR... 🔍' + - name: Check if open PR exists id: check-opened-pr-step continue-on-error: true 
@@ -48,6 +55,7 @@ jobs: tea login add --name gitea-rinoa --url "${{ secrets.RINOA_GITEA_URL }}" --user gitea-sonarqube-bot --password "${{ secrets.BOT_GITEA_PASSWORD }}" --token ${{ secrets.BOT_GITEA_TOKEN }} pr_exists=$(tea pr list --repo ${{ github.repository }} --state open --fields index,title,head | egrep '\[DOCKER\].*${{ github.ref_name }}' | tail -1 | wc -l) echo "exists=$pr_exists" >> $GITHUB_OUTPUT + - name: Create PR if: ${{ steps.check-opened-pr-step.outputs.exists == '0' }} run: | @@ -55,6 +63,7 @@ jobs: pr_index_old=$(tea pr ls --repo ${{ github.repository }} --state all --fields index,title,head --output csv | sed -e 's|"||g' | egrep '^[0-9]' | head -1 | awk -F"," '{print $1}') pr_index_new=$(expr ${pr_index_old} + 1) tea pr c -r ${{ github.repository }} -t "[DOCKER] Automated PR for ${{ github.ref_name }} - #${pr_index_new}" -d "Automatically created PR for branch: ${{ github.ref_name }}" -a ${{ github.actor }} -L "Docker Compose" + - name: Gotify Notification uses: eikendev/gotify-action@master with: @@ -62,6 +71,7 @@ jobs: gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}' notification_title: 'GITEA: PR Check' notification_message: 'PR Created 🎟️' + generate-service-list: name: Generate list of added/modified/deleted services runs-on: ubuntu-latest @@ -69,11 +79,14 @@ jobs: outputs: svc_deploy_list: ${{ steps.detect_services.outputs.docker_svc_list }} steps: + - name: Checkout uses: actions/checkout@v5 + - name: Fetch base branch run: | git fetch origin ${{ github.event.pull_request.base.ref }} + - name: Gotify Notification uses: eikendev/gotify-action@master with: 
@@ -81,10 +94,12 @@ jobs: gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}' notification_title: 'GITEA: Services TBD' notification_message: 'Generating list of services to deploy...' + - name: Save both versions of docker-compose.yml run: | git show origin/main:docker-compose.yml > docker-compose-main.yml || touch docker-compose-main.yml cp docker-compose.yml docker-compose-head.yml + - name: Detect added, deleted, and modified services id: detect_services run: | @@ -114,9 +129,11 @@ jobs: echo "docker_svc_list<> "$GITHUB_OUTPUT" echo "$mod_svcs" >> "$GITHUB_OUTPUT" echo "EOF" >> "$GITHUB_OUTPUT" + - name: List of Services for (Re)Deployment run: | echo -e "${{ steps.detect_services.outputs.docker_svc_list }}" + docker-compose-dry-run: name: Docker Compose Dry Run needs: [generate-service-list] @@ -130,20 +147,24 @@ jobs: steps: - name: Checkout uses: actions/checkout@v5 + - name: Login to Gitea Container Registry run: | docker login -u gitea-sonarqube-bot -p ${RINOA_REGISTRY_PASSWORD} git.trez.wtf + - name: Cache Vault install id: cache-vault uses: actions/cache@v4 with: path: /opt/hostedtoolcache/vault/${{ env.HC_VAULT_VERSION }}/x64 key: vault-${{ runner.os }}-${{ env.HC_VAULT_VERSION }} + - name: Install Vault (only if not cached) if: steps.cache-vault.outputs.cache-hit != 'true' uses: cpanato/vault-installer@main with: version: ${{ env.HC_VAULT_VERSION }} + - name: Gotify Notification uses: eikendev/gotify-action@master with: @@ -151,10 +172,12 @@ jobs: gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}' notification_title: 'GITEA: Docker Compose Dry Run @ Rinoa' notification_message: 'Starting Docker Compose dry run...' + - name: Generate .env file for Docker Compose run: | vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env echo ${DOCKER_SVC_LIST} + - name: Docker Compose Dry Run uses: hoverkraft-tech/compose-action@v2.2.0 env: 
@@ -165,6 +188,7 @@ jobs: up-flags: -d --remove-orphans --dry-run down-flags: --dry-run compose-flags: --dry-run + - name: Gotify Notification uses: eikendev/gotify-action@master with: @@ -172,6 +196,7 @@ jobs: gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}' notification_title: 'GITEA: Docker Compose Dry Run @ Rinoa' notification_message: 'Docker Compose dry run completed successfully.' + cloudflare-dns-setup: name: Cloudflare DNS Setup needs: [docker-compose-dry-run] @@ -181,17 +206,20 @@ jobs: uses: actions/checkout@v5 with: fetch-depth: 1 + - name: Cache flarectl CLI uses: actions/cache@v4 with: path: ~/.flarectl key: flarectl-${{ runner.os }}-${{ env.FLARECTL_VERSION }}-${{ hashFiles('workflow-config.yml') }} + - name: Install flarectl uses: supplypike/setup-bin@v4 with: uri: https://github.com/cloudflare/cloudflare-go/releases/download/v${{ env.FLARECTL_VERSION }}/flarectl_${{ env.FLARECTL_VERSION }}_linux_amd64.tar.gz name: flarectl version: ${{ env.FLARECTL_VERSION }} + - name: Cache Subdomain Files uses: actions/cache@v4 with: @@ -199,6 +227,7 @@ jobs: compose_subdomains.txt cloudflare_subdomains.txt key: ${{ runner.os }}-subdomains-${{ hashFiles('docker-compose.yml') }} + - name: Grab Subdomains from Docker Compose & Cloudflare id: grab-subdomains env: @@ -214,6 +243,7 @@ jobs: gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}' notification_title: 'GITEA: Cloudflare Setup @ Rinoa' notification_message: 'Starting Cloudflare DNS setup...' + - name: Compare Subdomains id: compare-subdomains uses: LouisBrunner/diff-action@v2.2.0 @@ -223,6 +253,7 @@ jobs: mode: addition tolerance: mixed-better output: domain_compare.txt + - name: Create Subdomains if: steps.compare-subdomains.outputs.output != '' continue-on-error: true 
@@ -234,6 +265,7 @@ jobs: echo "Creating $subdomain.trez.wtf..." flarectl dns create --zone "trez.wtf" --name "${subdomain}" --type=CNAME --content "trez.wtf" --proxy true done + - name: Gotify Notification uses: eikendev/gotify-action@master with: @@ -241,6 +273,7 @@ jobs: gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}' notification_title: 'GITEA: Cloudflare Setup @ Rinoa' notification_message: 'Cloudflare DNS setup completed successfully.' + regenerate-readme-modified-services: name: Update README & Generate List of Modified Services runs-on: ubuntu-latest @@ -248,8 +281,10 @@ jobs: steps: - name: Checkout uses: actions/checkout@v5 + - name: Install yq uses: dcarbone/install-yq-action@v1 + - name: Gotify Notification uses: eikendev/gotify-action@master with: @@ -257,25 +292,30 @@ jobs: gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}' notification_title: 'GITEA: README Update' notification_message: 'Updating README...' + - name: Generate service list run: | yq '.services | to_entries | map({"service": .key, "image": .value.image})' docker-compose.yml > services.yml + - name: Generate Markdown Table uses: gazab/create-markdown-table@v1 id: service-table with: file: ./services.yml + - name: Regenerate README run: | echo "# List of Services" > README.md echo -e "\n\n" >> README.md echo "${{ steps.service-table.outputs.table }}" >> README.md + - name: Add/Commit README.md id: commit-readme uses: EndBug/add-and-commit@v9 with: message: "chore: Update README" add: "README.md" + - name: Gotify Notification uses: eikendev/gotify-action@master with: @@ -283,6 +323,7 @@ jobs: gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}' notification_title: 'GITEA: README Update' notification_message: 'README updated' + pr-merge: name: PR Merge needs: [regenerate-readme-modified-services] 
@@ -290,18 +331,21 @@ jobs: steps: - name: Checkout uses: actions/checkout@v5 + - name: Cache tea CLI id: cache-tea uses: actions/cache@v4 with: path: /opt/hostedtoolcache/tea/${{ env.TEA_VERSION }}/x64 key: tea-${{ runner.os }}-${{ env.TEA_VERSION }} + - name: Install tea uses: supplypike/setup-bin@v4 with: uri: https://gitea.com/gitea/tea/releases/download/v${{ env.TEA_VERSION }}/tea-${{ env.TEA_VERSION }}-linux-amd64 name: tea version: ${{ env.TEA_VERSION }} + - name: PR Merge id: pr_merge run: | @@ -311,6 +355,7 @@ jobs: pr_index=$(tea pr ls --repo ${{ github.repository }} --state open --fields index,title,head,state --output csv | egrep ${{ github.ref_name }} | awk -F"," '{print $1}' | sed -e 's|"||g') tea pr m --repo ${{ github.repository }} --title "Auto Merge of PR ${pr_index} - ${{ github.ref_name }}" --message "Merged by ${{ github.actor }}" ${pr_index} echo "pr_index=${pr_index}" >> $GITHUB_OUTPUT + - name: Gotify Notification uses: eikendev/gotify-action@master with: @@ -318,6 +363,7 @@ jobs: gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}' notification_title: 'GITEA: PR Merge Successful' notification_message: 'PR #${{ steps.pr_merge.outputs.pr_index }} merged.' + docker-compose-deploy: name: Docker Compose Deployment runs-on: ubuntu-latest @@ -333,20 +379,24 @@ jobs: uses: actions/checkout@v5 with: ref: main + - name: Cache Vault install id: cache-vault uses: actions/cache@v4 with: path: /opt/hostedtoolcache/vault/${{ env.HC_VAULT_VERSION }}/x64 key: vault-${{ runner.os }}-${{ env.HC_VAULT_VERSION }} + - name: Install Vault (only if not cached) if: steps.cache-vault.outputs.cache-hit != 'true' uses: cpanato/vault-installer@main with: version: ${{ env.HC_VAULT_VERSION }} + - name: Login to Gitea Container Registry run: | docker login -u gitea-sonarqube-bot -p ${RINOA_REGISTRY_PASSWORD} git.trez.wtf + - name: Gotify Notification uses: eikendev/gotify-action@master with: 
@@ -354,10 +404,12 @@ jobs: gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}' notification_title: 'GITEA: Docker Compose Deployment @ Rinoa' notification_message: 'Starting Docker Compose run...' + - name: Generate .env file for deployment run: | vault kv get -format=json rinoa-docker/env | jq -r '.data.data' | jq -r 'keys[] as $k | "\($k)='\''\(.[$k])'\''"' > .env echo ${DOCKER_SVC_LIST} + - name: Docker Compose Deployment uses: hoverkraft-tech/compose-action@v2.2.0 env: @@ -367,6 +419,7 @@ jobs: ${{ needs.generate-service-list.outputs.svc_deploy_list }} up-flags: -d --remove-orphans down-flags: --dry-run + - name: Docker Compose Healthcheck uses: jaracogmbh/docker-compose-health-check-action@v1.0.0 with: @@ -375,6 +428,7 @@ jobs: compose-file: "docker-compose.yml" skip-exited: "true" skip-no-healthcheck: "true" + - name: Gotify Notification uses: eikendev/gotify-action@master with: diff --git a/.gitea/workflows/vault-auto-unseal-flow.yml b/.gitea/workflows/vault-auto-unseal-flow.yml index 871b58cb..cd789b33 100644 --- a/.gitea/workflows/vault-auto-unseal-flow.yml +++ b/.gitea/workflows/vault-auto-unseal-flow.yml @@ -1,10 +1,13 @@ name: Auto-Unseal for Vault + on: workflow_dispatch: schedule: - cron: '30 5 * * *' + env: HC_VAULT_VERSION: '1.20.0' + jobs: auto-unseal: name: Unseal Vault 
@@ -22,22 +25,26 @@ jobs: gotify_app_token: '${{ secrets.RINOA_RUNNER_GOTIFY_TOKEN }}' notification_title: 'GITEA: HC Vault @ Rinoa' notification_message: 'Hashicorp Vault unsealing started... 🔐' + - name: Cache Vault install id: cache-vault uses: actions/cache@v4 with: path: /opt/hostedtoolcache/vault/${{ env.HC_VAULT_VERSION }}/x64 key: vault-${{ runner.os }}-${{ env.HC_VAULT_VERSION }} + - name: Install Vault (only if not cached) if: steps.cache-vault.outputs.cache-hit != 'true' uses: cpanato/vault-installer@main with: version: ${{ env.HC_VAULT_VERSION }} + - name: Unseal Vault run: | for vault_shard in $VAULT_SHARDS; do vault operator unseal -address="${VAULT_ADDR}" -non-interactive "${vault_shard}" done + - name: Vault Unseal Completion uses: eikendev/gotify-action@master with: