feat: deployment for runner

Taskfile.yml

@@ -8,7 +8,8 @@ tasks:
 
   vault: ansible-vault edit vault.yml {{.CLI_ARGS}}
   provision: ansible-playbook playbooks/provision.yml {{.CLI_ARGS}}
-  deploy: ansible-playbook playbooks/deploy.yml {{.CLI_ARGS}}
+  deploy:gitea: ansible-playbook playbooks/deploy.yml {{.CLI_ARGS}}
+  deploy:runner: ansible-playbook playbooks/runner.yml {{.CLI_ARGS}}
   restore: ansible-playbook playbooks/restore.yml {{.CLI_ARGS}}
 
   assets:
@@ -18,9 +19,13 @@ tasks:
     - cp ./assets/logo.svg ./gitea/custom/public/assets/img/favicon.svg
     - cp ./assets/logo.png ./gitea/custom/public/assets/img/apple-touch-icon.png
   
-  
-  enter:
-    cmd: ssh -i {{.KEY}} -p 2222 root@{{.IP}}
+  enter:gitea:
+    cmd: ssh {{.GITEA}}
     vars:
-      KEY: { sh: ansible-vault view vault.yml | yq -r ".secret.private_ssh_key_path" }
-      IP: { sh: cat dist/terraform_outputs.yml | jq -r ".server_ip.value" }
+      GITEA: { sh: cat ./variables.yml | yq -r ".variables.gitea_host" }
+  
+  enter:runner:
+    cmd: ssh -J {{.GITEA}} {{.RUNNER}}
+    vars:
+      GITEA: { sh: cat ./variables.yml | yq -r ".variables.gitea_host" }
+      RUNNER: { sh: cat ./variables.yml | yq -r ".variables.runner_host" }

playbooks/deploy.yml

@@ -11,7 +11,7 @@
         ansible_ssh_host: "{{ server_ip.value }}"
         ansible_user: root
         ansible_port: 22
-        ansible_private_key_file: "{{ secret.private_ssh_key_path }}"
+        ansible_private_key_file: "{{ secret.private_gitea_ssh_key_path }}"
 
 - name: Switch port to 2222.
   hosts: server_fresh
@@ -41,10 +41,7 @@
     - name: Add remote host.
       ansible.builtin.add_host:
         name: server
-        ansible_ssh_host: "{{ server_ip.value }}"
-        ansible_user: root
-        ansible_port: 2222
-        ansible_private_key_file: "{{ secret.private_ssh_key_path }}"
+        ansible_ssh_host: "{{ variables.gitea_host }}"
 
 - name: Install Docker.
   gather_facts: true
@@ -58,6 +55,7 @@
         name:
           - python3-pip
         state: present
+        update_cache: true
 
     - name: Install needed packages.
       ansible.builtin.pip:

playbooks/provision.yml

@@ -36,3 +36,31 @@
         content: "{{ terraform_apply.outputs }}"
         dest: ../dist/terraform_outputs.yml
         mode: '0755'
+
+- name: Update SSH config.
+  hosts: localhost
+  gather_facts: false
+  tags: hosts
+  vars_files:
+    - ../vault.yml
+    - ../dist/terraform_outputs.yml
+    - ../variables.yml
+  tasks:
+    - name: Add Gitea host.
+      community.general.ssh_config:
+        host: "{{ variables.gitea_host }}"
+        hostname: "{{ server_ip.value }}"
+        remote_user: root
+        forward_agent: true
+        user: user
+        port: 2222
+        identity_file: "{{ secret.private_gitea_ssh_key_path }}"
+
+    - name: Add Runner host.
+      community.general.ssh_config:
+        host: "{{ variables.runner_host }}"
+        remote_user: root
+        user: user
+        identity_file: "{{ secret.private_runner_ssh_key_path }}"
+        proxyjump: "{{ variables.gitea_host }}"
+        hostname: 10.0.10.17

playbooks/restore.yml

@@ -8,10 +8,7 @@
     - name: Add remote host.
       ansible.builtin.add_host:
         name: server
-        ansible_ssh_host: "{{ server_ip.value }}"
-        ansible_user: root
-        ansible_port: 2222
-        ansible_private_key_file: "{{ secret.private_ssh_key_path }}"
+        ansible_ssh_host: "{{ variables.gitea_host }}"
 
 - name: Deploy artifact to instance.
   hosts: server
@@ -33,6 +30,7 @@
         object: "{{ secret.restore.key | mandatory(msg='You must specify the key of the data.') }}"
         dest: /root/snapshot.tar.gz
         mode: get
+        endpoint_url: "{{ secret.restore.endpoint }}"
         region: "{{ secret.restore.region }}"
         access_key: "{{ secret.restore.access_key }}"
         secret_key: "{{ secret.restore.secret_key }}"

playbooks/runner.yml

@@ -0,0 +1,113 @@
+- name: Set up for fresh host.
+  gather_facts: false
+  hosts: localhost
+  vars_files:
+    - ../vault.yml
+    - ../variables.yml
+  tasks:
+    - name: Add runner host.
+      ansible.builtin.add_host:
+        name: runner
+        ansible_ssh_host: "{{ variables.runner_host }}"
+        ansible_ssh_extra_args: "-J {{ variables.gitea_host }}"
+
+    - name: Add Gitea host.
+      ansible.builtin.add_host:
+        name: gitea
+        ansible_ssh_host: "{{ variables.gitea_host }}"
+
+- name: Install Docker.
+  gather_facts: true
+  hosts: runner
+  vars_files:
+    - ../vault.yml
+    - ../dist/terraform_outputs.yml
+  tasks:
+    - name: Install PIP.
+      ansible.builtin.apt:
+        name:
+          - python3-pip
+        state: present
+        update_cache: true
+
+    - name: Install needed packages.
+      ansible.builtin.pip:
+        name:
+          - botocore
+          - boto3
+          - packaging
+        state: present
+        break_system_packages: true
+
+    - name: Download Docker repository key.
+      ansible.builtin.apt_key:
+        url: https://download.docker.com/linux/debian/gpg
+        state: present
+
+    - name: Download Docker repository.
+      ansible.builtin.apt_repository:
+        repo: "deb https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
+        state: present
+
+    - name: Remove bad packages.
+      ansible.builtin.apt:
+        state: absent
+        package:
+          - docker.io
+          - docker-doc
+          - docker-compose
+          - podman-docker
+          - containerd
+          - runc
+
+    - name: Download Docker dependencies.
+      ansible.builtin.apt:
+        state: present
+        package:
+          - ca-certificates
+          - curl
+
+    - name: Download Docker packages.
+      ansible.builtin.apt:
+        state: present
+        update_cache: true
+        package:
+          - docker-ce
+          - docker-ce-cli
+          - containerd.io
+          - docker-buildx-plugin
+          - docker-compose-plugin
+
+- name: Get registration token for Runner.
+  hosts: gitea
+  gather_facts: false
+  tasks:
+    - name: Get registration token.
+      community.docker.docker_container_exec:
+        container: server
+        command: gitea actions grt
+      register: output
+
+    - name: Set fact.
+      ansible.builtin.set_fact:
+        registration_token: "{{ output.stdout }}"
+      delegate_to: localhost
+      delegate_facts: true
+
+- name: Deploy Runner.
+  hosts: runner
+  gather_facts: true
+  tasks:
+    - name: Deploy image.
+      community.docker.docker_container:
+        name: runner
+        image: docker.io/gitea/act_runner:nightly
+        env:
+          CONFIG_FILE: /config.yaml
+          GITEA_INSTANCE_URL: git.maximhutz.com
+          GITEA_RUNNER_REGISTRATION_TOKEN: "{{ hostvars['localhost']['registration_token'] }}"
+          GITEA_RUNNER_NAME: "Main Runner"
+        volumes:
+          - ./config.yaml:/config.yaml
+          - ./data:/data
+          - /var/run/docker.sock:/var/run/docker.sock

terraform/install.sh

@@ -1,31 +0,0 @@
-#!/bin/sh
-
-## Install extras.
-rpm --rebuilddb
-amazon-linux-extras install docker ansible2 python3.8 -y
-
-# Make Docker work.
-systemctl enable docker
-systemctl start docker
-
-# Set up the correct version of Python (for Ansible).
-ln -sf /usr/bin/python3.8 /usr/bin/python3
-ln -sf /usr/bin/pip3.8 /usr/bin/pip3
-pip3 install botocore boto3 requests packaging --user ssm-user
-python3 -m pip install -U pip
-
-# Add some swap space.
-dd if=/dev/zero of=/swapfile bs=128M count=8
-chmod 600 /swapfile
-mkswap /swapfile
-swapon /swapfile
-
-# Stop SSH (because we have SSM.)
-service sshd stop
-
-# Install Docker Compose.
-curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
-chmod +x /usr/local/bin/docker-compose
-
-# ERROR: SSM User not created yet.
-sudo usermod -aG docker ssm-user

terraform/main.tf

@@ -1,3 +1,17 @@
+resource "hcloud_network" "network" {
+  name     = "network"
+  ip_range = "10.0.0.0/16"
+}
+
+resource "hcloud_network_subnet" "subnet" {
+  type         = "cloud"
+  network_id   = hcloud_network.network.id
+  network_zone = "eu-central"
+  ip_range     = "10.0.10.0/24"
+}
+
+/* -------------------------------------------------------------------------- */
+
 resource "hcloud_primary_ip" "public_ip" {
   name          = "repository-public-ip"
   datacenter    = local.datacenter
@@ -6,23 +20,31 @@ resource "hcloud_primary_ip" "public_ip" {
   auto_delete   = false
 }
 
-resource "hcloud_ssh_key" "ssh_key" {
+resource "hcloud_ssh_key" "gitea_ssh_key" {
   name       = "repository-ssh-key"
-  public_key = file(var.public_ssh_key_path)
+  public_key = file(var.public_gitea_ssh_key_path)
 }
 
-resource "hcloud_server" "server_instance" {
-  name        = "repository-server"
+resource "hcloud_server" "gitea_server_instance" {
+  name        = "repository-gitea-server"
   image       = local.server_image
   server_type = local.server_type
   datacenter  = local.datacenter
-  ssh_keys    = [hcloud_ssh_key.ssh_key.id]
+  ssh_keys    = [hcloud_ssh_key.gitea_ssh_key.id]
 
   public_net {
     ipv4_enabled = true
     ipv4         = hcloud_primary_ip.public_ip.id
     ipv6_enabled = false
   }
+
+  network {
+    network_id = hcloud_network.network.id
+    ip = local.gitea_ip
+    alias_ips = [ ]
+  }
+
+  depends_on = [ hcloud_network_subnet.subnet ]
 }
 
 resource "hcloud_firewall" "server_firewall" {
@@ -58,5 +80,34 @@ resource "hcloud_firewall" "server_firewall" {
 
 resource "hcloud_firewall_attachment" "server_fw_attachment" {
   firewall_id = hcloud_firewall.server_firewall.id
-  server_ids  = [hcloud_server.server_instance.id]
+  server_ids  = [hcloud_server.gitea_server_instance.id]
 }
+
+/* -------------------------------------------------------------------------- */
+
+resource "hcloud_ssh_key" "runner_ssh_key" {
+  name       = "repository-runner-ssh-key"
+  public_key = file(var.public_runner_ssh_key_path)
+}
+
+resource "hcloud_server" "runner_instance" {
+  name        = "repository-runner-server"
+  image       = local.server_image
+  server_type = local.server_type
+  datacenter  = local.datacenter
+  ssh_keys    = [hcloud_ssh_key.runner_ssh_key.id]
+
+  network {
+    network_id = hcloud_network.network.id
+    ip = local.runner_ip
+    alias_ips = [ ]
+  }
+
+  public_net {
+    ipv4_enabled = false
+    ipv6_enabled = false
+  }
+
+  depends_on = [ hcloud_network_subnet.subnet ]
+}
+

terraform/outputs.tf

@@ -1,6 +1,12 @@
 output "server_ip" {
   description = "The public address of the server."
-  value = hcloud_server.server_instance.ipv4_address
+  value = hcloud_server.gitea_server_instance.ipv4_address
+  sensitive = false
+}
+
+output "runner_ip" {
+  description = "The internal address of the CI runner."
+  value = local.runner_ip
   sensitive = false
 }
 

terraform/variables.tf

@@ -5,6 +5,10 @@ locals {
 
   domain = "maximhutz.com"
   subdomain = "git"
+
+  network_cidr = "10.0.0.0/16"
+  gitea_ip = "10.0.10.16"
+  runner_ip = "10.0.10.17"
 }
 
 # ---------------------------------------------------------------------------- #
@@ -15,8 +19,13 @@ variable "hcloud_token" {
   type = string
 }
 
-variable "public_ssh_key_path" {
-  description = "The location of the public key used to access the repository server."
+variable "public_gitea_ssh_key_path" {
+  description = "The location of the public key used to access the repository Gitea server."
+  type = string
+}
+
+variable "public_runner_ssh_key_path" {
+  description = "The location of the public key used to access the repository Gitea Action runner."
   type = string
 }
 

variables.yml

@@ -1,2 +1,4 @@
 variables:
   image_name: mvhutz/gitea
+  gitea_host: repository_gitea
+  runner_host: repository_runner

vault.yml

@@ -1,66 +1,81 @@
 $ANSIBLE_VAULT;1.1;AES256
-62366236383830323331383264663835316237363032333766333730653939666236666261653162
-3938653635393063313566343261303338666363386661650a376637613563303238373965356134
-30373861653832383462666231356163623231303637636539383166383039333562636434646334
-3433393163363562340a333962343636366234336239633032313166303163353165643762326464
-34353062323863666666666132663364633336623430373033623761613035666332323739313833
-38623639643539363639383339356231313431373437343430323237336539313939303139353534
-63616331353464613963323864626663396637313139646461356165643233306530303062666332
-36363636316335356434633439636434336666306466616231353135306538386334313937363765
-34333833626634383734396638646530393233623937396335313637333764313736383032333734
-64373966643030623331663139363034343536373830353338356335356338633638393862386230
-39336533656465366534306465396536613334333632643937316130303338626331386537343331
-64363966323561326262376631356261613231343335393233366231373631663635376234346164
-38303432386336643566363731386664376239666530336232666532616264353537353738636464
-64616364353730653831616335656532663336666339653337646133316661373038326164373235
-30653836336338333932303539393632326164623538303066353934623831376533333964346561
-61323137373837376161653730386637663336623130366639356130626338663764366661616163
-38356235386461366362396337646239633663303261616536386134663866333132613166373162
-33616663316566623665666464356135393932366663663932366235643336343434633731646665
-63323963366662346436393933643032653330313430633339613262306430306332326364343135
-37393764363338656639393333623835626135323434376338656663386662643339643135653938
-37396133373436353566646437633630373931643533383133343266626431393761646633666161
-66313365373537386332396562613531346634376266653631343934356134643463633566373162
-30633933636136663339316136333036386237346163646638393533336362363735623130623862
-38623666383461363564326462326239303838623533393034383831366631396530343037636532
-38366162396663653930633866303538353232656330643966386134316364313538646564313565
-61313732343330336436393963643164303139373036303437393336313738336138306438393364
-65623331663464626462316538663134346231643163356638383631623862313066343965376235
-65613736643163663238316532623638343062633564333865623264356362663433333734383365
-61373432656362343762333561376639396632386530353762303664373733656366343733613262
-62313562323938356563323939316131646239313432626261353431626661613235363566393038
-63656634383230316463363036306433366334643235656561613031653331333038323133653562
-61393034663030663432376331383236626639613663343662323639316331653432383036393130
-35376438333235336461313435316232373963613934323233613431643530646661666135613064
-34313431613164333761643965373939353864333234353136386637326536336266363733343332
-63393539353234343835633639333163386633326163623966343634346265623430326233353734
-61373339393264383038383564346462396362333132346632396534346134613038316231613966
-30636637626531343636376161326434336430386537646333353139353131363461613639646162
-31346538326138366663623439393764653237386564653666396338623435386639623239373438
-31616237343731623634643965386535663939356363653934343362633735353532353662396331
-39373639346336653739613162626537636663376163343831623762643765346535636565376463
-32366361373730376462356332363766376136613562613331386134633264613862383061343462
-38316637336437336637393030613933393633666332353533646362663661313930376337396234
-64636162343130326630366261356263363130663439393539363236343461343436316330663265
-32616665366664303038333966373835646130343237646464353362346132653331303634643165
-31393530373464653066643435343137313937326633653136623462363330343932383939626538
-61663137623931353166616639636635616232306161643432623563643633333739646336356236
-30663463303362396331396630623063646365373839333837333832643231396130636461636537
-35653937363434393331303065326137373931633231323861666632393762353162313635393830
-32666366376638383632666130353438316231313763323833663836663262646135633763376334
-64636531653937303136373063336430303536316636343835396532383164623539653966343865
-64316236656164653936613139643061323264333861623833383061386362333934373535633565
-37623065636437626165646261343265613234373963386134616632396433376162306432633038
-37356135663862363930303834303166333236643864383166333365313131333438373633653631
-35613639343638356135356537626231663661623364313837393065363031616661613032306462
-32653664373334636561613132336631613561363638666465393930336533333962383062316231
-35633535643836323131656337366139313864343632616266363666646130316532336465633562
-35326562633539386238613834656665306365643466356235326536383065623239653235653236
-34356636623263343932336266336664303362613537666630343935313362666466393134653262
-66396561363463646237363638336539663261626534363531636330386136623463366432313335
-36343236613863383139353461313562303534613166353866636262623866383736303262626438
-39353762303831353238323538626635393365363132646563626535613362326662653631663935
-35636134343266626162316135316533346331663634366630633437363531313732313161306665
-35336336323438613865396363363434663461646238346565336233363738666437323235336365
-37316561386137353338643561656262336336373736393939363039663731343636366435633162
-38383564663438303964643563613338306363623831613432333439386165303965
+34666138303266383336633235633037626261343833333763333463373261376165393735313230
+6133336466363137653966393733373236373161663434350a356634326634346530336632653535
+66386136393434616639626634376236656666656362346130343964356536393634616165303531
+6636396336303361320a353135303264313361373762303466383731313266666635316566383630
+33363332623266343834633962663837383433303034336661633235616565333837623064396137
+65373761343937666430336137656465643962336561346630626638343064306330323636366234
+38363035323061663266663466336638366236346162373338396538333637613834353235613061
+38313339353262643232613832623963376638643439666333333031356162303834363933313833
+35336332316337353936313963343636636464656639313930613133333866303933336635663737
+65663237663865313566666133666161626539376463363439313365333366323561653666616533
+61383334383230663330326236366262323464633432613562313239613031666261626334323666
+61616534343436356631383764383139386630656165376461313432643136653463306435353261
+65313363383339353434663139303961393865353230646138633161626235636437636135653763
+30313736366263303866313466333464303666396334643531343734623562636439616239663737
+32653536646234343435376365623466346131353262663261653438666137386662326332343263
+38343966373931326232393838613763653731383038373338353863303264366162373966613563
+36363137636236643663373837383161386266313963363437663835663037316230373466643466
+61353931653031313133393163353639373736636139366430653865663335303230306662393632
+30666435633434656434313736323732383135383638383334393433333530646661396232383635
+35363430313837373136643230386666623436383239336339623565356630303766333832306261
+63396565623164633466356437316233386561313932626262613162326332306638363130613533
+62363665363032646565643036636233323966373362663163373165323934383263316232323965
+39663733346637663735613434326239633337613933633765306261616363396465623565346136
+35336333363461653163343436633963343830306264333665393338363039636139343934353361
+39613664383134663766623165386266623661356230396535346166653761633831663566366339
+65353933663861333539336130633262303038633639333137313232363535636531353435303635
+39306433633261303634616533666230396566616131363435383662363432613634386266373966
+38323933303164323565326534326364646562316539643132616364646137323735373236633637
+36646337356333643766393464626633643263313437343932306634363532626563646163353661
+65636461663736663136366462346462633065313763666532303532366538386239383465323966
+36333465313338613635373336306266643862623262306237666235633532373163356630303163
+32353563623162303465376237313264646132656565313335653964323233636562613664316538
+32383737316362356365613064393662316434303932643136313866326235636632353135373735
+38656536623134623263656338356436656137313563353366666366643535393662356433376237
+30343961653363376162626333323261316635333366366131343136383362386131396466383662
+32393361383534636662663439363630663064383834363036396463383362666637646436326462
+36653734353036613139653462363563613635643166333262623533316330666166613239613136
+30366662333666653038303035323163323438323535366339646539323063373761346337373163
+63393833373663356635646236616564353936366437633766616333656538366263353664363031
+65303462623737323638326661326134303635353065323666616331323933646531376239626630
+35383232316666643166646232383837646262306331663337663961653861613536616632663764
+39326331373633336661346133316434623434306636643839306136363734353330663237366564
+32353237306633626564633034383466306239323833343838316638663065323834666438666135
+36643832646434633262393634333264333964383433643866356232613536396339353536346538
+62383832393033336133346435303463626165643463326538353864343565373830636635663237
+38653239393061353334326662633735643238333231663437343238613730383937363834623664
+37363661636230636632383331613264383064366238396163373838343062646432653462616635
+38313835333437653734336162326662346466633533623565376262653134373730356337623165
+62376464623438343165323037653631326565613737313062666232663130643638643165343466
+30636261343730366233643634643963363061346361663732663336393239623934313561626461
+33636365383863343138343964303630643463633732623462636465323464353063353134636430
+37653764396236386233313766393339323735623139633966336237363061326431636566376137
+30366636663235613136303462363035623135636461343638323266663661616335326332353034
+62333130373830613363396331613336616531313064356165613930373230383234363561346632
+64346635646338356430313536353436626265383561643166346561356430663238636561653363
+62386365363466663931333663373737646563363639356161613464373534643965653236356639
+63636237666332643966353131656435613933663230363665376333346563616634316430373235
+33643738326164656664643730376266666236333631393634356133633432373031613030663464
+61613964346133663638623038323161316665653436306533633438383563333465643731373537
+64333531653437373531306631363533643736326462343138323739356463383465626638626164
+62653862643032356264396461363530346633336230326166323563323830646464656633356430
+33323163626633303639613138343765626633323563303236396164376336396362306265363365
+38663237323533336263323636643536343963346337313938343262323366666130383339323337
+31396361316438333262656231356566363635343465383265633133343338376363303962343131
+34363537643731633735663635653163386264383334366134626230396439666439313963373934
+38373237383239336333656235613963623766343565653865623861353735366638356137313161
+63643735656463633063386239383961663230326665616233343634366531623561613732393131
+34623665333866343962306234623538306234653264373534633062363263653638303736666537
+32383832343939353438663738636537333834383934666536303233313763616434373663313737
+65313465313161656565376532386564646435373062313964633033616564393632623338666261
+62363034643363303337353565326438313832636165316363393238353531383837616337366530
+36663733376436336639633431313263373337313239303563313962663361653633356637616239
+64616665623563656137313537346238393432636235326164303165303136356264646634623438
+61633334303539616366653763383134643764323735333163353036373961353738386630643030
+61333861316565363536386465316637613065356235633335363834613733386130343132363130
+33663866656163386265303163613164303538333462343233343930346261663430383038343833
+34666439633562356633633666653338396131383531666238383962613737376531376638643265
+34313464313136356532313439616365386133653334383266383564333562663366386631656663
+37643837336138336237336462393937333437623665323063383464353662653865343433613164
+36346433653537656264