890a23e8d5
Some checks failed
Update Automation Tests / Integration Tests (pull_request) Failing after 40s
Infrastructure & Permissions: - Set recovery_window_in_days=0 on secrets for immediate deletion on destroy - Add secretsmanager:UpdateSecret permission to EC2 IAM role - Move SES secret definition from ses.tf to secrets.tf for better organization - Create scripts/empty-s3-bucket.sh to handle versioned S3 object deletion - Update Makefile to use S3 cleanup script in full-destroy target Gitea Admin User Automation: - Remove non-functional GITEA_ADMIN_* environment variables from docker-compose.yml - Add CLI-based admin user creation via docker exec in deploy-gitea.yml - Add database update to disable must_change_password requirement - Fix runner token API call to use GET instead of POST Runner Setup Fixes: - Change runner gitea_instance to http://localhost:3000 (was failing with public URL) - Fix registration to work from same host as Gitea Domain Migration: - Change domain from gitea.poll-streams.com to git.poll-streams.com - Update DNS, docker-compose, nginx configs, ansible inventory, and SSL setup - Enables fresh SSL certificate (avoids Let's Encrypt rate limit) All changes enable zero-to-one deployment: make full-destroy && make full-deploy
134 lines
4.6 KiB
YAML
134 lines
4.6 KiB
YAML
---
|
|
- name: Setup Gitea Actions Runner
|
|
hosts: gitea
|
|
become: true
|
|
vars:
|
|
runner_version: "0.2.10"
|
|
runner_binary: "/usr/local/bin/act_runner"
|
|
runner_count: 2
|
|
gitea_instance: "http://localhost:3000"
|
|
secret_name: "qvest-task-db-credentials"
|
|
aws_region: "eu-central-1"
|
|
# Registration token must be provided via command line or AWS Secrets Manager
|
|
# ansible-playbook setup-runner.yml -e "gitea_runner_token=YOUR_TOKEN"
|
|
|
|
tasks:
|
|
- name: Download act_runner binary
|
|
ansible.builtin.get_url:
|
|
url: "https://dl.gitea.com/act_runner/{{ runner_version }}/act_runner-{{ runner_version }}-linux-amd64"
|
|
dest: "{{ runner_binary }}"
|
|
mode: "0755"
|
|
|
|
- name: Create runner config directories
|
|
ansible.builtin.file:
|
|
path: "/etc/act_runner-{{ item }}"
|
|
state: directory
|
|
mode: "0755"
|
|
with_sequence: start=1 end={{ runner_count }}
|
|
|
|
- name: Create runner data directories
|
|
ansible.builtin.file:
|
|
path: "/var/lib/act_runner-{{ item }}"
|
|
state: directory
|
|
mode: "0755"
|
|
with_sequence: start=1 end={{ runner_count }}
|
|
|
|
- name: Check if runners are already registered
|
|
ansible.builtin.stat:
|
|
path: "/etc/act_runner-{{ item }}/.runner"
|
|
register: runner_configs
|
|
with_sequence: start=1 end={{ runner_count }}
|
|
|
|
- name: Fetch Gitea runner token from AWS Secrets Manager
|
|
ansible.builtin.shell: |
|
|
set -o pipefail
|
|
aws secretsmanager get-secret-value \
|
|
--secret-id "{{ secret_name }}" \
|
|
--region "{{ aws_region }}" \
|
|
--query SecretString \
|
|
--output text | jq -r '.gitea_runner_token // empty'
|
|
args:
|
|
executable: /bin/bash
|
|
register: secrets_output
|
|
when:
|
|
- gitea_runner_token is not defined
|
|
- runner_configs.results | selectattr('stat.exists', 'equalto', false) | list | length > 0
|
|
changed_when: false
|
|
failed_when: false
|
|
|
|
- name: Set runner token from Secrets Manager
|
|
ansible.builtin.set_fact:
|
|
gitea_runner_token: "{{ secrets_output.stdout }}"
|
|
when:
|
|
- gitea_runner_token is not defined
|
|
- secrets_output.stdout is defined
|
|
- secrets_output.stdout | length > 0
|
|
|
|
- name: Register runners with Gitea
|
|
ansible.builtin.shell: |
|
|
{{ runner_binary }} register \
|
|
--instance {{ gitea_instance }} \
|
|
--token {{ gitea_runner_token }} \
|
|
--name {{ ansible_hostname }}-runner-{{ item }} \
|
|
--no-interactive
|
|
args:
|
|
chdir: "/etc/act_runner-{{ item }}"
|
|
when:
|
|
- gitea_runner_token is defined
|
|
- gitea_runner_token | length > 0
|
|
- not runner_configs.results[item | int - 1].stat.exists
|
|
with_sequence: start=1 end={{ runner_count }}
|
|
register: runner_registrations
|
|
changed_when: runner_registrations.rc == 0
|
|
|
|
- name: Display registration warning if token not provided
|
|
ansible.builtin.debug:
|
|
msg: "Runner registration skipped - no token provided. Re-run with -e gitea_runner_token=TOKEN"
|
|
when:
|
|
- gitea_runner_token is not defined or gitea_runner_token | length == 0
|
|
- runner_configs.results | selectattr('stat.exists', 'equalto', false) | list | length > 0
|
|
|
|
- name: Create systemd services for runners
|
|
ansible.builtin.copy:
|
|
dest: "/etc/systemd/system/act_runner-{{ item }}.service"
|
|
content: |
|
|
[Unit]
|
|
Description=Gitea Actions Runner {{ item }}
|
|
After=network.target docker.service
|
|
Requires=docker.service
|
|
|
|
[Service]
|
|
Type=simple
|
|
ExecStart={{ runner_binary }} daemon
|
|
WorkingDirectory=/etc/act_runner-{{ item }}
|
|
Restart=always
|
|
RestartSec=10
|
|
User=root
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
mode: "0644"
|
|
with_sequence: start=1 end={{ runner_count }}
|
|
register: runner_services
|
|
notify: Reload systemd daemon
|
|
|
|
- name: Enable and start runner services
|
|
ansible.builtin.systemd:
|
|
name: "act_runner-{{ item }}"
|
|
enabled: true
|
|
state: started
|
|
with_sequence: start=1 end={{ runner_count }}
|
|
when: >
|
|
runner_configs.results[item | int - 1].stat.exists or
|
|
(runner_registrations.results is defined and
|
|
runner_registrations.results[item | int - 1].changed | default(false))
|
|
|
|
- name: Display runner status
|
|
ansible.builtin.debug:
|
|
msg: "Deployed {{ runner_count }} runners. Services: act_runner-1 to act_runner-{{ runner_count }}"
|
|
|
|
handlers:
|
|
- name: Reload systemd daemon
|
|
ansible.builtin.systemd:
|
|
daemon_reload: true
|