From 0034fde1ad6067cee83b1ec3e2ba171a1df21358 Mon Sep 17 00:00:00 2001 From: cuqmbr Date: Tue, 1 Jul 2025 13:08:48 +0300 Subject: [PATCH] add forgejo provisioning and installation --- ansible/22_forgejo.yml | 16 +++ .../common/group_vars/load_balancers.yml | 18 +++ .../common/group_vars/monitoring.yml | 6 + .../inventories/dev/group_vars/forgejo.yml | 132 ++++++++++++++++++ ansible/inventories/dev/hosts.yml | 3 + ansible/notes.txt | 2 + ansible/roles/forgejo/defaults/main.yml | 34 +++++ ansible/roles/forgejo/files/forgejo.service | 19 +++ ansible/roles/forgejo/handlers/main.yml | 6 + ansible/roles/forgejo/meta/main.yml | 10 ++ .../forgejo/molecule/default/converge.yml | 14 ++ .../forgejo/molecule/default/molecule.yml | 14 ++ ansible/roles/forgejo/tasks/main.yml | 93 ++++++++++++ ansible/roles/forgejo/templates/app.ini.j2 | 103 ++++++++++++++ .../prometheus_nginx_exporter/meta/main.yml | 1 + terraform/common/firewall_ipsets.tf | 25 +++- terraform/dev/forgejo.tf | 109 +++++++++++++++ terraform/dev/postgresql.tf | 9 ++ 18 files changed, 612 insertions(+), 2 deletions(-) create mode 100644 ansible/22_forgejo.yml create mode 100644 ansible/inventories/dev/group_vars/forgejo.yml create mode 100644 ansible/roles/forgejo/defaults/main.yml create mode 100644 ansible/roles/forgejo/files/forgejo.service create mode 100644 ansible/roles/forgejo/handlers/main.yml create mode 100644 ansible/roles/forgejo/meta/main.yml create mode 100644 ansible/roles/forgejo/molecule/default/converge.yml create mode 100644 ansible/roles/forgejo/molecule/default/molecule.yml create mode 100644 ansible/roles/forgejo/tasks/main.yml create mode 100644 ansible/roles/forgejo/templates/app.ini.j2 create mode 100644 terraform/dev/forgejo.tf diff --git a/ansible/22_forgejo.yml b/ansible/22_forgejo.yml new file mode 100644 index 0000000..a948ac1 --- /dev/null +++ b/ansible/22_forgejo.yml 
@@ -0,0 +1,16 @@ +--- + +- hosts: forgejo + gather_facts: false + + pre_tasks: + - name: Update apt cache. + ansible.builtin.apt: + update_cache: true + cache_valid_time: 86400 + + roles: + - role: roles/init + - role: roles/fluent_bit + - role: roles/prometheus_node_exporter + - role: roles/forgejo diff --git a/ansible/inventories/common/group_vars/load_balancers.yml b/ansible/inventories/common/group_vars/load_balancers.yml index 10a36c6..1bff5a4 100644 --- a/ansible/inventories/common/group_vars/load_balancers.yml +++ b/ansible/inventories/common/group_vars/load_balancers.yml @@ -51,6 +51,24 @@ nginx_settings: statements: - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for - proxy_set_header X-Real-IP $remote_addr + - upstream: + name: forgejo + servers: + - 192.168.0.20:3000 + server: + listen_port: 80 + names: + - gitea.dev.cuqmbr.xyz + - gitea.dev.cuqmbr.home + - git.dev.cuqmbr.xyz + - git.dev.cuqmbr.home + statements: + - proxy_set_header Connection $http_connection + - proxy_set_header Upgrade $http_upgrade + - proxy_set_header Host $host + - proxy_set_header X-Real-IP $remote_addr + - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for + - proxy_set_header X-Forwarded-Proto $scheme # name: prometheus # servers: # - 192.168.0.252:9090 diff --git a/ansible/inventories/common/group_vars/monitoring.yml b/ansible/inventories/common/group_vars/monitoring.yml index b15fd6a..78193ab 100644 --- a/ansible/inventories/common/group_vars/monitoring.yml +++ b/ansible/inventories/common/group_vars/monitoring.yml @@ -54,6 +54,12 @@ prometheus_options: labels: env: dev hostname: searxng + - targets: + # forgejo + - 192.168.0.20:9100 + labels: + env: dev + hostname: forgejo - targets: # bastion - 192.168.0.254:9100 diff --git a/ansible/inventories/dev/group_vars/forgejo.yml b/ansible/inventories/dev/group_vars/forgejo.yml new file mode 100644 index 0000000..c9cb61e --- /dev/null +++ b/ansible/inventories/dev/group_vars/forgejo.yml 
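Review bot: The new `forgejo` upstream in load_balancers.yml is served only from `listen_port: 80`, so sign-in forms, session cookies and HTTP-git credentials travel in cleartext between clients and the balancer, and `proxy_set_header X-Forwarded-Proto $scheme` will always report `http` to Forgejo. If the nginx role supports a TLS listener, add a 443 server for these names with an 80→443 redirect and move `forgejo_server_root_url` to `https://` to match; if it does not, a comment on the block recording that HTTP-only is deliberate would help the next reader. Git pushes over HTTP also routinely exceed nginx's default 1m request body limit, so this upstream likely needs a `client_max_body_size` entry in its `statements` unless the role sets one globally.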
@@ -0,0 +1,132 @@ +--- + +users: + - name: admin + password_hash: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 30623138653735643561343061356531373430393662383764633038383238383837626636393432 + 3138653539356430306266663864343563616332656131310a343632323363653665646363366437 + 66643430626437333461656231303339656435346261336238313036306431396333643965666631 + 3665393163623266320a373838313538626438623330393533353931336331623464613664633430 + 32303734396634376431383936643431313561303864343930393363623130663236666636353637 + 63613237383666656263316661333031643032323266636464313839653065316138343035346161 + 64313037336666353136383462333832373031623637636630326330313832333265386632343139 + 30306638356434376635346637346134653064613236326333656566383137353166393063333563 + 32623638343263313463313062303465626439356461613235656661623364656138 + ssh_public_keys: + - "ssh-rsa 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 openpgp:0x8880F3E0" + opendoas_settings: "permit persist admin as root" + - name: ansible + password_hash: "" + ssh_public_keys: + - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDKNzJdo6/c7uXrg0lqVwyXOhcNxO/BnylyJeqoBe4rAO5fhjwWLsvMAeCEmYa/3i8ITSvurFEou7BELo25vM58dNfGQHig52LrA/GU/jwDAhHyTXP3AvqqgIFa0ysMaHasYny6oqXi+eb2w/KimtgOhe5/oUdNBe/KgqZ+hP3qlTchxBl5MEzZIKgXTXQeYJpYYrnFb0l/R8qSkFBJv2xzxVJxEamN71SG7OIsi9m14D6hd2pNDHDDqHgKBVbN5irxDuJAzHN5upzfziXiYCOusud23tX6/nNv8t03CbB7FW0OxaCGhAjbavTFAf164L9GM7j76BGsLwWSh2HhG9G9lKs2bEI3IQudllMc6p9N6j2FhMOCKK6YYekdAOVc3ozTFc73VLkXtN8pnTC8OCSavthSt5jOUd0qTsQGH91lWlEkVe0bWi+s9nggfeWFM7HMVmqsR1jYlOXoi5s7xYwKLUdeUjRk3/rkzIFoOxquE5sVVuNDRNCaqcpPVY4k0gE= openpgp:0x8880F3E0" + opendoas_settings: "permit nopass ansible" + + + +forgejo_clean_binaries: false +forgejo_version: 11.0.2 + +forgejo_app_name: "cuqmbr's Forgejo" +forgejo_app_slogan: "" +forgejo_run_mode: prod + +forgejo_db_type: postgres +forgejo_db_host: 192.168.0.3:5432 +forgejo_db_name: forgejo_db +forgejo_db_username: forgejo +forgejo_db_password: !vault | + 
$ANSIBLE_VAULT;1.1;AES256 + 32373165333932643133666362336336326538646533303763343465336338393538666235616464 + 3065363334323132633161646437366636653462333237350a643161303166376532636562373331 + 39353331613939643639323431653233356161313937616536656363643933643734393032623831 + 3562373130643365630a633836326638666261386330653134333938306162646466393133316335 + 39323030373266393239353633343863313566356533636539666463336538656535613137373634 + 64633934393538336630373233373961613735363838333237356332313461303231323031313630 + 31663564373062306165373238376430653837316139353663313730376339386233633330653234 + 38386138316334376635616532383530663163663666643430666432623633303166376338613761 + 62373866303234613635366432333661393465636335626537353561643035306265666139663238 + 63623835303537626162653564303430383962646531373330323639643635393665633564303237 + 333866366330316466636164326130303031 +forgejo_ssl_mode: disable + +forgejo_server_domain: git.dev.cuqmbr.xyz +forgejo_server_root_url: http://git.dev.cuqmbr.xyz +forgejo_server_http_address: 0.0.0.0 +forgejo_server_http_port: 3000 +forgejo_server_ssh_port: 22 +forgejo_server_lfs_secret: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 65316236393837386464643938366564623532303139383765306631643864643363356561643666 + 6335343266313432366136323932306536623261643236640a363738366366303030383537633033 + 62356465313061376464633634333238316466633464626134363932373963373963383262666534 + 3134343137323734660a326638636162636539636663386437643034313661323266633361646461 + 31653534326664393138666237353438393739613565643137653438626462653165366136353039 + 3538653438613964653965303932643062306230383832633639 + +forgejo_mailer_from: "\"cuqmbr's Forgejo\" " +forgejo_mailer_protocol: smtps +forgejo_mailer_address: mail.cuqmbr.xyz +forgejo_mailer_port: 465 +forgejo_mailer_user: no-reply@cuqmbr.xyz +forgejo_mailer_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 31356466316634336162653164316232653865393539656336356130353764316537633535396433 + 
3862343463633864336633373036323364373863613439310a663461636136366532633639313139 + 32336632623631346236336263306633326261393238346632653733343163643737383537393939 + 6263326538363633350a316666323566646638316535333934626638356434353864373566653338 + 37303436626261333863313961386465353831633537636537343166666438326138 + +forgejo_security_install_lock: true +forgejo_security_internal_token: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 37396532353265376134316465336263616562373030663762333165363362313135653434383961 + 6334363937636138383865353639333261376437393839320a333834643939373231623134393865 + 31646263626533326533306136323735313237343437653265393534313739353930316462313765 + 3933643737663934320a363661353761646133366133366539306331396634626162306430346364 + 39313833336264666634393765336232643961393364646664643538396336316364623430343034 + 64643932613961613931336339353462373438333631633533363633656638383235353939313831 + 31313165623130633034613566343461663661323834303930323832343766313661643033626238 + 32613830383031346361343735393535623931356438383539303038343562373264343666373165 + 65333632303535626237373835353665623237353734383436346664663036376538 + +forgejo_oauth2_jwt_secret: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 62663534346334366537303037613331396164323637643033383961383165333239313934316661 + 6461323764383861663237323066333132393434386137330a343239346561373139386164626562 + 35653437653762663231643439346139373133303738366139663332376461323531333065333732 + 6466373034346231650a363164373264633432393639323232633565656436663761343634616366 + 37643964383837376630303036363737343464666461336533393362313830376335326530306139 + 6331323465376131656666306361623637643864616665333436 + + +fluentbit_settings: + service: + flush: 1 + daemon: false + log_level: info + http_server: false + pipeline: + inputs: + - name: systemd + tag: systemd_input + filters: + - name: rewrite_tag + match: systemd_input + rule: $_SYSTEMD_UNIT ^(forgejo.service)$ forgejo false + - name: rewrite_tag + 
match: systemd_input + rule: $_SYSTEMD_UNIT ^(forgejo.service.+|(?!forgejo.service).*)$ systemd false + - name: record_modifier + match: forgejo + allowlist_key: + - MESSAGE + outputs: + - name: loki + host: 192.168.0.252 + labels: "env=dev,hostname=forgejo,service_name=forgejo" + match: forgejo + - name: loki + host: 192.168.0.252 + labels: "env=dev,hostname=forgejo,service_name=systemd" + match: systemd diff --git a/ansible/inventories/dev/hosts.yml b/ansible/inventories/dev/hosts.yml index 793e27f..2bfa258 100644 --- a/ansible/inventories/dev/hosts.yml +++ b/ansible/inventories/dev/hosts.yml @@ -10,3 +10,6 @@ all: searxng: hosts: 192.168.0.15: + forgejo: + hosts: + 192.168.0.20: diff --git a/ansible/notes.txt b/ansible/notes.txt index 32034a9..bcbc46d 100644 --- a/ansible/notes.txt +++ b/ansible/notes.txt @@ -1 +1,3 @@ export user="ansible"; ansible-playbook -u "${user}" --ssh-common-args "-o ProxyCommand='ssh -p 22 -W %h:%p -q ${user}@bastion.cuqmbr.home'" -J -b --become-method doas -i inventories/hosts.yml 10_monitoring.yml + +https://github.com/ansiblebook/ansible_role_ssh/blob/main/molecule/default/molecule.yml diff --git a/ansible/roles/forgejo/defaults/main.yml b/ansible/roles/forgejo/defaults/main.yml new file mode 100644 index 0000000..4457c80 --- /dev/null +++ b/ansible/roles/forgejo/defaults/main.yml 
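Review bot: `forgejo_ssl_mode: disable` together with `forgejo_db_host: 192.168.0.3:5432` sends every query and result between the Forgejo container and the PostgreSQL node unencrypted over the internal bridge, even though the vaulted `forgejo_db_password` suggests the data is meant to be protected. If the PostgreSQL node has TLS enabled, set `forgejo_ssl_mode: verify-full` (or at least `require`); if it does not, a comment stating that this is an accepted trade-off on the internal network belongs next to the key. `forgejo_server_root_url: http://git.dev.cuqmbr.xyz` has the same cleartext problem on the client side and, if Forgejo follows Gitea's defaults, also decides whether session cookies get the Secure flag, so it should become `https://` once the balancer terminates TLS. `forgejo_mailer_from: "\"cuqmbr's Forgejo\" "` appears to end after the display name with no `<address>` part; if that is not an artefact of how the patch was captured, the mailer will reject or misattribute outgoing mail.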
@@ -0,0 +1,34 @@ +--- + +forgejo_clean_binaries: false +forgejo_version: 10.0.3 + +forgejo_app_name: "cuqmbr's Forgejo" +forgejo_app_slogan: "" +forgejo_run_mode: prod + +forgejo_db_type: postgres +forgejo_db_host: 127.0.0.1:5432 +forgejo_db_name: forgejo_db +forgejo_db_username: forgejo +forgejo_db_password: 123 +forgejo_ssl_mode: disable + +forgejo_server_domain: git.dev.cuqmbr.xyz +forgejo_server_root_url: https://git.dev.cuqmbr.xyz +forgejo_server_http_address: 0.0.0.0 +forgejo_server_http_port: 3000 +forgejo_server_ssh_port: 22 +forgejo_server_lfs_secret: 123 + +forgejo_mailer_from: "\"cuqmbr's Forgejo\" " +forgejo_mailer_protocol: smtps +forgejo_mailer_address: mail.cuqmbr.xyz +forgejo_mailer_port: 465 +forgejo_mailer_user: no-reply@cuqmbr.xyz +forgejo_mailer_password: 123 + +forgejo_security_install_lock: false +forgejo_security_internal_token: 123 + +forgejo_oauth2_jwt_secret: 123 diff --git a/ansible/roles/forgejo/files/forgejo.service b/ansible/roles/forgejo/files/forgejo.service new file mode 100644 index 0000000..c933529 --- /dev/null +++ b/ansible/roles/forgejo/files/forgejo.service @@ -0,0 +1,19 @@ +# Managed with Ansible + +[Unit] +Description=Forgejo +After=syslog.target +After=network.target + +[Service] +RestartSec=2s +Type=simple +User=git +Group=git +WorkingDirectory=/var/lib/forgejo/ +ExecStart=/usr/local/bin/forgejo web --config /etc/forgejo/app.ini +Restart=always +Environment=USER=forgejo HOME=/home/git FORGEJO_WORK_DIR=/var/lib/forgejo + +[Install] +WantedBy=multi-user.target diff --git a/ansible/roles/forgejo/handlers/main.yml b/ansible/roles/forgejo/handlers/main.yml new file mode 100644 index 0000000..aa3d6a8 --- /dev/null +++ b/ansible/roles/forgejo/handlers/main.yml @@ -0,0 +1,6 @@ +--- + +- name: Restart forgejo service. + ansible.builtin.service: + name: forgejo + state: restarted diff --git a/ansible/roles/forgejo/meta/main.yml b/ansible/roles/forgejo/meta/main.yml new file mode 100644 index 0000000..d8e79c1 --- /dev/null 
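Review bot: The role defaults hard-code `123` for `forgejo_db_password`, `forgejo_server_lfs_secret`, `forgejo_mailer_password`, `forgejo_security_internal_token` and `forgejo_oauth2_jwt_secret`, and set `forgejo_security_install_lock: false`, so a host whose group_vars miss an override comes up with guessable token-signing secrets and the install wizard reachable on port 3000. Leaving the secret defaults out entirely (an undefined variable fails the play when app.ini.j2 renders) or defaulting them to `""` and adding an `ansible.builtin.assert` in tasks/main.yml that each is non-empty would turn that silent misconfiguration into a failed run. Defaulting `forgejo_security_install_lock: true` is the safer baseline, since the role renders the complete configuration itself and never needs the web installer. Note that an unquoted `123` is also parsed by YAML as an integer rather than a string, which is harmless here but another sign these values were never meant to reach a real host.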
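Review bot: `Environment=USER=forgejo HOME=/home/git FORGEJO_WORK_DIR=/var/lib/forgejo` sets `USER` to `forgejo` although the unit runs as `User=git` and app.ini.j2 sets `RUN_USER = git`; Forgejo checks the running user against RUN_USER and may consult `$USER` when doing so, so the line should read `Environment=USER=git HOME=/home/git FORGEJO_WORK_DIR=/var/lib/forgejo`. The unit also carries no sandboxing; `NoNewPrivileges=true` and `PrivateTmp=true` are safe additions for this service, and `ProtectSystem=full` fits as well provided `/etc/forgejo/app.ini` never needs to be written at runtime (it should not with `INSTALL_LOCK` set and all secrets supplied). `After=syslog.target` names a target modern systemd no longer ships and can be dropped.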
+++ b/ansible/roles/forgejo/meta/main.yml @@ -0,0 +1,10 @@ +--- +galaxy_info: + role_name: forgejo + author: cuqmbr-homelab + description: Install and configure Forgejo. + # issue_tracker_url: http://example.com/issue/tracker + license: MIT + min_ansible_version: "2.1" + galaxy_tags: [] +dependencies: [] diff --git a/ansible/roles/forgejo/molecule/default/converge.yml b/ansible/roles/forgejo/molecule/default/converge.yml new file mode 100644 index 0000000..4eaad1d --- /dev/null +++ b/ansible/roles/forgejo/molecule/default/converge.yml @@ -0,0 +1,14 @@ +--- + +- name: Converge + hosts: all + gather_facts: false + + pre_tasks: + - name: Update apt cache. + ansible.builtin.apt: + update_cache: true + cache_valid_time: 86400 + + roles: + - forgejo diff --git a/ansible/roles/forgejo/molecule/default/molecule.yml b/ansible/roles/forgejo/molecule/default/molecule.yml new file mode 100644 index 0000000..b82ddb2 --- /dev/null +++ b/ansible/roles/forgejo/molecule/default/molecule.yml @@ -0,0 +1,14 @@ +--- +driver: + name: docker +platforms: + - name: cuqmbr-homelab.forgejo_debian-12 + image: docker.io/geerlingguy/docker-debian12-ansible:latest + pre_build_image: true + command: ${MOLECULE_DOCKER_COMMAND:-""} + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + cgroupns_mode: host + privileged: true + published_ports: + - 127.0.0.1:80:3000 diff --git a/ansible/roles/forgejo/tasks/main.yml b/ansible/roles/forgejo/tasks/main.yml new file mode 100644 index 0000000..d58b437 --- /dev/null +++ b/ansible/roles/forgejo/tasks/main.yml 
@@ -0,0 +1,93 @@ +--- + +- name: Install dependencies. + ansible.builtin.apt: + name: + - git + - git-lfs + state: present + +- name: Create forgejo user. + ansible.builtin.user: + name: git + password: '!' + system: true + home: /home/git + state: present + +- name: Create forgejo config directory. + ansible.builtin.file: + path: /etc/forgejo + owner: root + group: git + mode: "0770" + state: directory + +- name: Create forgejo data directory. + ansible.builtin.file: + path: /var/lib/forgejo + owner: git + group: git + mode: "0750" + state: directory + +- name: Clean forgejo binaries. + when: forgejo_clean_binaries + block: + + - name: Get all forgejo binaries. + ansible.builtin.find: + paths: /usr/local/bin/ + patterns: forgejo* + register: forgejo_binary_find + + - name: Delete forgejo binary files. + ansible.builtin.file: + path: "{{ item.path }}" + state: absent + loop: "{{ forgejo_binary_find.files }}" + + +- name: Download forgejo binary. + ansible.builtin.get_url: + url: "https://codeberg.org/forgejo/forgejo/releases/download\ + /v{{ forgejo_version }}/forgejo-{{ forgejo_version }}-linux-amd64" + dest: "/usr/local/bin/forgejo-{{ forgejo_version }}" + owner: root + group: root + mode: "0555" + +- name: Creaty symlink to forgejo binary. + ansible.builtin.file: + src: "/usr/local/bin/forgejo-{{ forgejo_version }}" + dest: /usr/local/bin/forgejo + owner: root + group: root + mode: "0555" + state: link + notify: + - Restart forgejo service. + +- name: Install forgejo service file. + ansible.builtin.copy: + src: forgejo.service + dest: /etc/systemd/system/forgejo.service + owner: root + group: root + mode: "0644" + +- name: Install forgejo configuration file. + ansible.builtin.template: + src: app.ini.j2 + dest: /etc/forgejo/app.ini + owner: root + group: git + mode: "0660" + notify: + - Restart forgejo service. + +- name: Enable and start forgejo service. + ansible.builtin.service: + name: forgejo + state: started + enabled: true 
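Review bot: `Install forgejo service file.` copies a unit into `/etc/systemd/system/` but has no `notify`, and nothing in the role runs a daemon-reload, so on a host where the unit file changes the running service keeps the old definition until the next reboot; give that task `notify: - Restart forgejo service.` and switch `Enable and start forgejo service.` to `ansible.builtin.systemd_service:` with `daemon_reload: true`. `Download forgejo binary.` fetches the executable with `get_url` and no `checksum`, so a tampered or truncated download is installed as-is and symlinked into `/usr/local/bin`; Forgejo publishes a `.sha256` file next to each release asset, which `get_url` can consume directly by setting `checksum:` to `sha256:` followed by the same download URL with `.sha256` appended (or pin the digest in the inventory if you prefer not to trust the same origin for both). `/etc/forgejo` (`0770` root:git) and `app.ini` (`0660` root:git) let the service account rewrite its own configuration, which is unnecessary once `INSTALL_LOCK` is set; `0750` and `0640` would keep the config read-only to the daemon. Finally, `Creaty symlink to forgejo binary.` is a typo for `Create`.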
diff --git a/ansible/roles/forgejo/templates/app.ini.j2 b/ansible/roles/forgejo/templates/app.ini.j2 new file mode 100644 index 0000000..08c6e48 --- /dev/null +++ b/ansible/roles/forgejo/templates/app.ini.j2 
@@ -0,0 +1,103 @@ +; Managed with Ansible + +; https://codeberg.org/forgejo/forgejo/src/branch/forgejo/custom/conf/app.example.ini + +APP_NAME = {{ forgejo_app_name }} +APP_SLOGAN = {{ forgejo_app_slogan }} +RUN_USER = git +WORK_PATH = /var/lib/forgejo +RUN_MODE = {{ forgejo_run_mode }} + +[database] +DB_TYPE = {{ forgejo_db_type }} +HOST = {{ forgejo_db_host }} +NAME = {{ forgejo_db_name }} +USER = {{ forgejo_db_username }} +PASSWD = """{{ forgejo_db_password }}""" +SCHEMA = +SSL_MODE = {{ forgejo_ssl_mode }} +PATH = /var/lib/forgejo/data/forgejo.db +LOG_SQL = false + +[repository] +ROOT = /var/lib/forgejo/data/forgejo-repositories +MAX_CREATION_LIMIT = 10 +ENABLE_PUSH_CREATE_USER = true +ENABLE_PUSH_CREATE_ORG = true +DEFAULT_PUSH_CREATE_PRIVATE = true +DEFAULT_REPO_UNITS = repo.code,repo.releases +DEFAULT_MIRROR_REPO_UNITS = repo.code +DISABLE_STARS = true +DISABLE_DOWNLOAD_SOURCE_ARCHIVES = true + +[server] +SSH_DOMAIN = {{ forgejo_server_domain }} +DOMAIN = {{ forgejo_server_domain }} +HTTP_PORT = {{ forgejo_server_http_port }} +ROOT_URL = {{ forgejo_server_root_url }} +APP_DATA_PATH = /var/lib/forgejo/data +DISABLE_SSH = false +SSH_PORT = {{ forgejo_server_ssh_port }} +LFS_START_SERVER = true +LFS_JWT_SECRET = {{ forgejo_server_lfs_secret }} +OFFLINE_MODE = true + +[lfs] +PATH = /var/lib/forgejo/data/lfs + +[mailer] +ENABLED = true +FROM = {{ forgejo_mailer_from }} +PROTOCOL = {{ forgejo_mailer_protocol }} +SMTP_ADDR = {{ forgejo_mailer_address }} +SMTP_PORT = {{ forgejo_mailer_port }} +USER = {{ forgejo_mailer_user }} +PASSWD = `{{ forgejo_mailer_password }}` + +[service] +REGISTER_EMAIL_CONFIRM = false +ENABLE_NOTIFY_MAIL = true +DISABLE_REGISTRATION = true +ALLOW_ONLY_EXTERNAL_REGISTRATION = false +ENABLE_CAPTCHA = false +REQUIRE_SIGNIN_VIEW = false +DEFAULT_KEEP_EMAIL_PRIVATE = true +DEFAULT_ALLOW_CREATE_ORGANIZATION = true +DEFAULT_ENABLE_TIMETRACKING = true +NO_REPLY_ADDRESS = noreply.localhost + +[openid] +ENABLE_OPENID_SIGNIN = false 
+ENABLE_OPENID_SIGNUP = false + +[cron.update_checker] +ENABLED = true + +[session] +PROVIDER = file + +[log] +MODE = console +LEVEL = info +ROOT_PATH = /var/lib/forgejo/log + +[repository.upload] +FILE_MAX_SIZE = 5 +MAX_FILES = 5 + +[repository.pull-request] +DEFAULT_MERGE_STYLE = merge + +[repository.signing] +DEFAULT_TRUST_MODEL = committer + +[security] +INSTALL_LOCK = {{ forgejo_security_install_lock }} +INTERNAL_TOKEN = {{ forgejo_security_internal_token }} +PASSWORD_HASH_ALGO = pbkdf2_hi + +[oauth2] +JWT_SECRET = {{ forgejo_oauth2_jwt_secret }} + +[ui] +AMBIGUOUS_UNICODE_DETECTION = false diff --git a/ansible/roles/prometheus_nginx_exporter/meta/main.yml b/ansible/roles/prometheus_nginx_exporter/meta/main.yml index fbb8fb8..675db96 100644 --- a/ansible/roles/prometheus_nginx_exporter/meta/main.yml +++ b/ansible/roles/prometheus_nginx_exporter/meta/main.yml @@ -1,3 +1,4 @@ +--- galaxy_info: role_name: prometheus_nginx_exporter author: cuqmbr-homelab diff --git a/terraform/common/firewall_ipsets.tf b/terraform/common/firewall_ipsets.tf index 3c2b47e..b8432b6 100644 --- a/terraform/common/firewall_ipsets.tf +++ b/terraform/common/firewall_ipsets.tf @@ -1,6 +1,6 @@ resource "proxmox_virtual_environment_firewall_ipset" "dev_loggers" { - name = "loggers" + name = "dev-loggers" comment = "Nodes that send logs to Monitoring Node." cidr { 
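Review bot: `forgejo_server_http_address` is declared in both defaults and group_vars but never rendered in this template, so the `[server]` section falls back to Forgejo's own listen default; add `HTTP_ADDR = {{ forgejo_server_http_address }}` next to `HTTP_PORT` so the variable takes effect (binding to the container's bridge address instead of `0.0.0.0` would then be a cheap defence-in-depth step). The two password lines are quoted differently — `PASSWD = """{{ forgejo_db_password }}"""` in `[database]` versus a backtick-wrapped `PASSWD` in `[mailer]` — and each breaks if the secret contains its own delimiter, so pick one style and note which characters it cannot carry. Because requests arrive via the nginx upstream on another host, Forgejo will record the balancer's address as the client unless `[security] REVERSE_PROXY_TRUSTED_PROXIES` lists the load balancer IP (only loopback is trusted by default), which is worth adding given the `X-Forwarded-For` and `X-Real-IP` headers the balancer now sends. `[cron.update_checker] ENABLED = true` also makes an outbound request despite `OFFLINE_MODE = true`; confirm that is intended.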
@@ -32,11 +32,32 @@ resource "proxmox_virtual_environment_firewall_ipset" "dev_loggers" { name = "192.168.0.15" comment = "searxng" } + + cidr { + name = "192.168.0.20" + comment = "forgejo" + } +} + +resource "proxmox_virtual_environment_firewall_ipset" "dev_postgres_clients" { + + name = "dev-postgres-clients" + comment = "Nodes that can connect to postgres Node." + + cidr { + name = "192.168.0.20" + comment = "forgejo" + } +} + +output "dev_postgres_clients_ipset" { + value = proxmox_virtual_environment_firewall_ipset.dev_postgres_clients + sensitive = true } resource "proxmox_virtual_environment_firewall_ipset" "dev_valkey_clients" { - name = "valkey_clients" + name = "dev-valkey-clients" comment = "Nodes that can connect to valkey Node." cidr { diff --git a/terraform/dev/forgejo.tf b/terraform/dev/forgejo.tf new file mode 100644 index 0000000..feba0b8 --- /dev/null +++ b/terraform/dev/forgejo.tf 
@@ -0,0 +1,109 @@ +resource "proxmox_virtual_environment_container" "forgejo" { + node_name = "pve" + + vm_id = 1050 + + tags = ["dev"] + + unprivileged = true + + cpu { + cores = 1 + } + + memory { + dedicated = 1024 + } + + disk { + datastore_id = var.datastore_id + size = 16 + } + + network_interface { + bridge = var.internal_network_bridge_name + name = "eth-dev" + firewall = true + enabled = true + } + + initialization { + hostname = "forgejo" + ip_config { + ipv4 { + address = "192.168.0.20/24" + gateway = "192.168.0.1" + } + } + user_account { + keys = [var.ssh_public_key] + } + } + + operating_system { + template_file_id = "local:vztmpl/debian-12-standard_12.7-1_amd64.tar.zst" + type = "debian" + } + + started = true + + startup { + order = 500 + up_delay = 0 + down_delay = 0 + } + + features { + nesting = true + } +} + +resource "proxmox_virtual_environment_firewall_options" "forgejo" { + depends_on = [proxmox_virtual_environment_container.forgejo] + + node_name = proxmox_virtual_environment_container.forgejo.node_name + vm_id = proxmox_virtual_environment_container.forgejo.vm_id + + enabled = true + dhcp = true + input_policy = "DROP" + output_policy = "ACCEPT" +} + +resource "proxmox_virtual_environment_firewall_rules" "forgejo" { + depends_on = [proxmox_virtual_environment_container.forgejo] + + node_name = proxmox_virtual_environment_container.forgejo.node_name + vm_id = proxmox_virtual_environment_container.forgejo.vm_id + + rule { + type = "in" + source = split("/", data.terraform_remote_state.common.outputs.bastion_ct.initialization[0].ip_config[1].ipv4[0].address)[0] + proto = "tcp" + dport = "22" + action = "ACCEPT" + comment = "SSH from Bastion." + } + + rule { + type = "in" + proto = "icmp" + dport = "8" + action = "ACCEPT" + comment = "Ping." 
+ } + + rule { + type = "in" + source = split("/", data.terraform_remote_state.common.outputs.load_balancer_ct.initialization[0].ip_config[1].ipv4[0].address)[0] + proto = "tcp" + dport = "3000" + action = "ACCEPT" + comment = "Forgejo Web." + } + + rule { + security_group = data.terraform_remote_state.common.outputs.prometheus_node_exporter_sg.name + comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node." + } +} diff --git a/terraform/dev/postgresql.tf b/terraform/dev/postgresql.tf index 1f0cce1..5d71346 100644 --- a/terraform/dev/postgresql.tf +++ b/terraform/dev/postgresql.tf @@ -97,4 +97,13 @@ resource "proxmox_virtual_environment_firewall_rules" "postgresql" { security_group = data.terraform_remote_state.common.outputs.prometheus_node_exporter_sg.name comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node." } + + rule { + type = "in" + source = "+${data.terraform_remote_state.common.outputs.dev_postgres_clients_ipset.name}" + proto = "tcp" + dport = "5432" + action = "ACCEPT" + comment = "Access postgres from client nodes." + } }
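Review bot: The firewall rules admit TCP 22 only from the bastion, yet the Ansible side ships `DISABLE_SSH = false`, `SSH_DOMAIN` and `SSH_PORT = 22`, so Forgejo will advertise `git@git.dev.cuqmbr.xyz` clone URLs that no user can reach through this ruleset; either add the path for git-over-SSH here (a rule from the balancer or a dedicated port) or set `DISABLE_SSH = true` in app.ini.j2 so the UI stops offering it. The ICMP rule is the only one without a `source`; if accepting ping from the whole bridge is deliberate, a comment saying so would save the next reviewer the question.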
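Review bot: The new rule scopes TCP 5432 to the `dev_postgres_clients` ipset, which is the right shape, but it is the only access control visible in this patch; PostgreSQL's own `pg_hba.conf` should mirror it (a `host` or `hostssl` entry for the `forgejo` role on `forgejo_db` from `192.168.0.20/32`) so that a firewall change alone cannot widen database access. Since the client is configured with `forgejo_ssl_mode: disable`, a `hostssl`-only entry would also force the connection onto TLS once the server has a certificate. The `proxmox_virtual_environment_firewall_rules` block this rule belongs to starts outside the hunk.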