qvest-task/ansible/deploy-gitea.yml
gitea_admin 685de1816d feat: implement update automation and backup system with CI tests (#1)
- Diun monitors Docker images
- Automated updates for nginx, manual approval for gitea/postgres
- Weekly cert renewal automation via cron
- Health checks with automatic rollback on failure
- AWS SES email notifications on update failures
- Daily S3 backups + pre-update snapshots
- Integration tests with Gitea Actions quality gate
- Change domain from gitea.poll-streams.com to git.poll-streams.com
- Add diagrams
2026-06-11 15:51:48 +00:00


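---
# Deploy the Gitea stack (docker-compose + nginx) to the `gitea` host group.
#
# Runtime secrets are read from AWS Secrets Manager on the target host at
# deploy time and written to /opt/gitea/.env (mode 0600). Tasks that handle
# secret material carry `no_log: true` so the values never reach Ansible
# output, callback plugins or -vvv traces; the trade-off is that failure
# output of those tasks is hidden too.
#
# Values that come from Secrets Manager or from the Gitea API are passed to
# shell commands through the `quote` filter (shlex quoting), so a value with
# whitespace or shell metacharacters cannot alter the command line.
- name: Deploy Gitea application
  hosts: gitea
  become: true
  vars:
    # Both secrets are JSON documents; the keys read from each are visible in
    # the ".env" task below.
    secret_name: "qvest-task-db-credentials"
    ses_secret_name: "qvest-task-ses-smtp-credentials"
    aws_region: "eu-central-1"
  tasks:
    - name: Create application directory
      ansible.builtin.file:
        path: /opt/gitea
        state: directory
        owner: ubuntu
        group: ubuntu
        mode: "0755"

    - name: Copy docker-compose.yml
      ansible.builtin.copy:
        src: ../docker/docker-compose.yml
        dest: /opt/gitea/docker-compose.yml
        owner: ubuntu
        group: ubuntu
        mode: "0644"

    - name: Copy nginx configuration
      ansible.builtin.copy:
        src: ../docker/nginx/
        dest: /opt/gitea/nginx/
        owner: ubuntu
        group: ubuntu
        mode: "0644"
        directory_mode: "0755"

    # Read-only lookup; `changed_when: false` keeps it out of the change count.
    - name: Fetch database credentials from Secrets Manager
      ansible.builtin.shell: |
        aws secretsmanager get-secret-value \
          --secret-id "{{ secret_name }}" \
          --region "{{ aws_region }}" \
          --query SecretString \
          --output text
      register: db_secret
      changed_when: false
      no_log: true

    - name: Parse database credentials
      ansible.builtin.set_fact:
        db_creds: "{{ db_secret.stdout | from_json }}"
      no_log: true

    - name: Fetch SES SMTP credentials from Secrets Manager
      ansible.builtin.shell: |
        aws secretsmanager get-secret-value \
          --secret-id "{{ ses_secret_name }}" \
          --region "{{ aws_region }}" \
          --query SecretString \
          --output text
      register: ses_secret
      changed_when: false
      no_log: true

    - name: Parse SES SMTP credentials
      ansible.builtin.set_fact:
        ses_creds: "{{ ses_secret.stdout | from_json }}"
      no_log: true

    # The .env file is the only place secrets land on disk; it is owned by the
    # compose user and readable by nobody else.
    - name: Create .env file
      ansible.builtin.copy:
        content: |
          DB_USER={{ db_creds.username }}
          DB_PASSWORD={{ db_creds.password }}
          DB_NAME={{ db_creds.database }}
          GITEA_ADMIN_USERNAME={{ db_creds.admin_username }}
          GITEA_ADMIN_PASSWORD={{ db_creds.admin_password }}
          GITEA_ADMIN_EMAIL={{ db_creds.admin_email }}
          SMTP_HOST={{ ses_creds.smtp_host }}
          SMTP_PORT={{ ses_creds.smtp_port }}
          SMTP_USERNAME={{ ses_creds.smtp_username }}
          SMTP_PASSWORD={{ ses_creds.smtp_password }}
          ALERT_EMAIL={{ ses_creds.alert_email }}
        dest: /opt/gitea/.env
        owner: ubuntu
        group: ubuntu
        mode: "0600"
      no_log: true

    - name: Start Docker Compose services
      community.docker.docker_compose_v2:
        project_src: /opt/gitea
        state: present
      become_user: ubuntu

    # Up to 30 × 10 s = 5 minutes for the web UI to answer on the host port.
    - name: Wait for Gitea to be ready
      ansible.builtin.uri:
        url: http://localhost:3000
        status_code: 200
      register: result
      until: result.status == 200
      retries: 30
      delay: 10

    # Idempotent: a re-run hits "already exists", which is not a failure.
    # The password is unavoidably on the exec command line (the CLI offers no
    # file/stdin input), hence `no_log` and the short-lived container exec.
    - name: Create Gitea admin user via CLI
      ansible.builtin.shell: |
        docker exec --user git gitea gitea admin user create \
          --username {{ db_creds.admin_username | quote }} \
          --password {{ db_creds.admin_password | quote }} \
          --email {{ db_creds.admin_email | quote }} \
          --admin \
          --must-change-password=false
      register: admin_create
      failed_when:
        - admin_create.rc != 0
        - "'already exists' not in admin_create.stderr"
      changed_when: "'New user' in admin_create.stdout"
      no_log: true

    # Covers the case where the admin user already existed before this
    # playbook ran (the create task above only applies the flag to new users).
    # SQL-literal escaping (doubling single quotes) is done in Jinja and the
    # whole statement is then shell-quoted, so the username can contain neither
    # a stray quote for SQL nor metacharacters for the shell.
    - name: Disable password change requirement
      vars:
        admin_name_sql: >-
          {{ db_creds.admin_username | replace("'", "''") }}
        disable_sql: >-
          UPDATE public.user SET must_change_password = false
          WHERE name = '{{ admin_name_sql }}';
      ansible.builtin.shell: |
        docker exec gitea-postgres psql -U {{ db_creds.username | quote }} \
          -d {{ db_creds.database | quote }} \
          -c {{ disable_sql | quote }}
      changed_when: true
      no_log: true

    # Basic auth over the loopback interface only; the response body holds the
    # registration token, so the registered result must not be logged.
    - name: Generate Gitea Actions runner registration token
      ansible.builtin.uri:
        url: http://localhost:3000/api/v1/admin/runners/registration-token
        method: GET
        user: "{{ db_creds.admin_username }}"
        password: "{{ db_creds.admin_password }}"
        force_basic_auth: true
        status_code: 200
      register: runner_token_response
      retries: 5
      delay: 5
      until: runner_token_response.status == 200
      no_log: true

    # Read-modify-write of the whole secret: `set -e` makes a failed read abort
    # before update-secret can overwrite the document with an empty string.
    # Note that this is not atomic with respect to other writers of the same
    # secret, and that the runner token shares a secret with the DB password.
    - name: Update AWS Secrets Manager with runner token
      ansible.builtin.shell: |
        set -euo pipefail
        SECRET_JSON=$(aws secretsmanager get-secret-value \
          --secret-id "{{ secret_name }}" \
          --region "{{ aws_region }}" \
          --query SecretString \
          --output text)
        UPDATED_JSON=$(echo "$SECRET_JSON" | jq --arg token {{ runner_token_response.json.token | quote }} \
          '.gitea_runner_token = $token')
        aws secretsmanager update-secret \
          --secret-id "{{ secret_name }}" \
          --region "{{ aws_region }}" \
          --secret-string "$UPDATED_JSON"
      args:
        executable: /bin/bash
      changed_when: true
      no_log: true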