Merge pull request #217 from lbr38/devel
4.14.2
Showing
27 changed files
with
604 additions
and
23 deletions.
@@ -0,0 +1,33 @@ | ||
name: Test ansible role | ||
|
||
on: | ||
push: | ||
branches: [ devel ] | ||
pull_request: | ||
push: | ||
branches: [ stable ] | ||
jobs: | ||
ansible: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v4 | ||
|
||
- name: Install requirements | ||
run: | | ||
sudo apt update | ||
sudo apt install nginx ansible -y | ||
- name: Generate self-signed SSL certificate | ||
run: | | ||
sudo mkdir -p /etc/nginx/ssl | ||
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/private.key -out /etc/nginx/ssl/certificate.crt -subj "/C=DE/ST=NRW/L=Earth/O=Random Company/OU=IT/CN=repomanager.example.com" | ||
- name: Start nginx | ||
run: sudo systemctl start nginx | ||
|
||
- name: Execute ansible playbook | ||
run: sudo ansible-playbook --connection=local --inventory 127.0.0.1, $GITHUB_WORKSPACE/ansible/repomanager-playbook.yml | ||
|
||
- name: Print docker containers | ||
run: sudo docker ps |
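Review bot: The `on:` trigger declares `push:` twice, once for `devel` and again after the empty `pull_request:` key for `stable`; a duplicate mapping key is rejected by strict YAML parsers or the second value silently wins, so pushes to `devel` would never run this job. Merge them into a single entry, `push:` / `branches: [ devel, stable ]`, and keep `pull_request:` as its own key. The self-signed certificate is written to exactly the paths that the role's vars default to, which is fine for CI but deserves a comment such as `# must match repomanager_vhost_certificate_path / _private_key_path defaults in vars/repomanager.yml` so the coupling survives a change of defaults.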
@@ -0,0 +1,135 @@ | ||
name: Database update tests | ||
|
||
on: | ||
push: | ||
branches: [ devel ] | ||
pull_request: | ||
push: | ||
branches: [ stable ] | ||
jobs: | ||
test-database-update: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v4 | ||
|
||
- name: Install docker-compose | ||
run: | | ||
sudo apt-get update | ||
sudo apt-get install -y docker-compose | ||
# Get all releases | ||
# Format them to a key-value array | ||
# Start from release index which is 4.0.0 | ||
# Pull images starting from release 4.0.0 | ||
# Then pull the next image of the index, etc.. | ||
- name: Test all releases update from lbr38/repomanager | ||
run: | | ||
RELEASES=$(curl -s https://api.github.com/repos/lbr38/repomanager/releases?per_page=10000 | jq -r '.[].name' | tac) | ||
index="0" | ||
declare -A RELEASES_ARRAY | ||
for release in $RELEASES; do | ||
RELEASES_ARRAY["$index"]="$release" | ||
index=$((index+1)) | ||
done | ||
for i in "${!RELEASES_ARRAY[@]}"; do | ||
if [[ "${RELEASES_ARRAY[$i]}" == "4.0.0" ]]; then | ||
start_index="$i" | ||
break | ||
fi | ||
done | ||
for ((i=start_index; i<${#RELEASES_ARRAY[@]}; i++)); do | ||
release="${RELEASES_ARRAY[$i]}" | ||
docker rm -f repomanager | ||
docker system prune -a -f | ||
echo -e "\nPulling image for release $release\n" | ||
docker run -d --restart always --name repomanager \ | ||
-e FQDN=repomanager.test.com \ | ||
-e MAX_UPLOAD_SIZE=32M \ | ||
-p 8080:8080 \ | ||
-v /etc/localtime:/etc/localtime:ro \ | ||
-v /var/lib/docker/volumes/repomanager-data:/var/lib/repomanager \ | ||
-v /var/lib/docker/volumes/repomanager-repo:/home/repo \ | ||
lbr38/repomanager:$release | ||
if [ $? -ne 0 ]; then | ||
echo "Failed to pull image for release $release" | ||
exit 1 | ||
fi | ||
# Retrieve and check errors in container logs | ||
while true; do | ||
OUTPUT=$(docker logs repomanager -n10000) | ||
# Check if the logs contains failed message | ||
if echo "$OUTPUT" | grep -q -i "failed"; then | ||
echo "Database update seems to have failed: $OUTPUT" | ||
exit 1 | ||
fi | ||
if echo "$OUTPUT" | grep -q -i "error"; then | ||
echo "Database update seems to have failed: $OUTPUT" | ||
exit 1 | ||
fi | ||
# Quit the loop if the maintenance page is disabled (meaning the update is done) | ||
if echo "$OUTPUT" | grep -q "Disabling maintenance page"; then | ||
break | ||
fi | ||
sleep 2 | ||
done | ||
done | ||
# Finally, test the devel image | ||
- name: Test devel image from lbr38/repomanager | ||
run: | | ||
docker rm -f repomanager | ||
docker system prune -a -f | ||
echo -e "\Build devel image\n" | ||
cd ${GITHUB_WORKSPACE}/docker | ||
sed -i 's/env:.*/env: devel/g' docker-compose.yml | ||
sed -i 's/fqdn:.*/fqdn: repomanager.test.com/g' docker-compose.yml | ||
docker-compose -f docker-compose.yml up -d | ||
if [ $? -ne 0 ]; then | ||
echo "Failed to build devel image" | ||
exit 1 | ||
fi | ||
# Retrieve and check errors in container logs | ||
while true; do | ||
OUTPUT=$(docker logs repomanager -n10000) | ||
# Check if the logs contains failed message | ||
if echo "$OUTPUT" | grep -q -i "failed"; then | ||
echo "Database update seems to have failed: $OUTPUT" | ||
exit 1 | ||
fi | ||
# Check if the logs contains error message | ||
if echo "$OUTPUT" | grep -q -i "error"; then | ||
echo "Database update seems to have failed: $OUTPUT" | ||
exit 1 | ||
fi | ||
# Quit the loop if the maintenance page is disabled (meaning the update is done) | ||
if echo "$OUTPUT" | grep -q "Disabling maintenance page"; then | ||
break | ||
fi | ||
sleep 2 | ||
done | ||
# Print final container logs output | ||
echo "$OUTPUT" |
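Review bot: The release discovery can pass vacuously: `curl -s` without `-f` hands an error body to `jq` (rate-limit responses are common from unauthenticated runners), the releases API caps `per_page` at 100 so older tags may be absent, and if `4.0.0` is never seen `start_index` stays unset and the update loop runs from index 0 or not at all without failing the job. Use `curl -fsS` and guard the index before the loop: `[[ -n "${start_index:-}" ]] || { echo "release 4.0.0 not found in API response" >&2; exit 1; }`. Both `while true` log-polling loops also have no upper bound, so a container that never prints the maintenance-page line keeps the job alive until the runner's time limit; an iteration counter alongside the `sleep 2` with an `exit 1` after a fixed number of attempts would fail fast instead. Smaller points: `echo -e "\Build devel image\n"` is missing the `n` in the leading `\n`, the `if [ $? -ne 0 ]` checks after `docker run` and `docker-compose up` are unreachable under the Actions default `bash -e` shell, and the `on:` block repeats the `push:` key as in the other new workflow.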
@@ -0,0 +1,11 @@ | ||
--- | ||
- name: Install or update Repomanager | ||
hosts: all | ||
order: sorted | ||
become: true | ||
become_user: root | ||
|
||
tasks: | ||
- name: Execute repomanager role | ||
ansible.builtin.include_role: | ||
name: repomanager |
@@ -0,0 +1,5 @@ | ||
--- | ||
- name: Reload nginx | ||
ansible.builtin.systemd: | ||
name: nginx | ||
state: reloaded |
@@ -0,0 +1,38 @@ | ||
--- | ||
# Requirements: | ||
# - docker installed and service running | ||
# - nginx installed and service running | ||
# - variables in vars/repomanager.yml must be set | ||
|
||
# Include the variables | ||
- name: Include repomanager variables | ||
ansible.builtin.include_vars: repomanager.yml | ||
|
||
# Pull the latest docker image and start the container | ||
# This also works in a case of a new version, the image will be pulled and the container will be restarted | ||
- name: Pull latest docker image | ||
community.docker.docker_container: | ||
name: repomanager | ||
image: lbr38/repomanager:latest | ||
env: | ||
FQDN: "{{ repomanager_fqdn }}" | ||
MAX_UPLOAD_SIZE: "{{ repomanager_vhost_max_upload_size | default('32') }}M" | ||
ports: | ||
- "{{ repomanager_listen_port | default('8080') }}:8080" | ||
volumes: | ||
- /etc/localtime:/etc/localtime:ro | ||
- /var/lib/docker/volumes/repomanager-data:/var/lib/repomanager | ||
- /var/lib/docker/volumes/repomanager-repo:/home/repo | ||
restart_policy: unless-stopped | ||
pull: true | ||
state: started | ||
|
||
# Deploy the reverse-proxy vhost | ||
- name: Deploy reverse-proxy | ||
ansible.builtin.template: | ||
src: repomanager-reverse-proxy.j2 | ||
dest: /etc/nginx/conf.d/repomanager-reverse-proxy.conf | ||
owner: root | ||
group: root | ||
mode: "0600" | ||
notify: Reload nginx |
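Review bot: The `ports:` entry publishes the container on every host interface (`"8080:8080"` by default) while the reverse-proxy template only ever connects to `127.0.0.1:{{ repomanager_listen_port }}`, so the plain-HTTP container port is reachable directly and bypasses the TLS vhost and every security header nginx adds. Bind it to loopback: `- "127.0.0.1:{{ repomanager_listen_port | default('8080') }}:8080"`. `image: lbr38/repomanager:latest` with `pull: true` also means each playbook run deploys whatever the mutable tag currently points at; if operators want deliberate upgrades, a `repomanager_image_tag` variable (or a digest) would make that explicit rather than a side effect of re-running the role. The header comment lists docker and nginx as prerequisites but not that the files named by `repomanager_vhost_certificate_path` / `_private_key_path` must already exist on the host, and nginx will reject the new vhost on reload if they do not, so add `# - TLS certificate and key present at the paths set in vars/repomanager.yml`.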
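--- /dev/null
+++ b/ansible/roles/repomanager/templates/repomanager-reverse-proxy.j2
@@ -0,0 +1,60 @@
+upstream repomanager_docker {
+    server 127.0.0.1:{{ repomanager_listen_port }};
+}
+
+# Disable some logging
+map $request_uri $loggable {
+    /ajax/controller.php 0;
+    default 1;
+}
+
+server {
+    listen {{ ansible_default_ipv4.address }}:80;
+    server_name {{ repomanager_fqdn }};
+
+    access_log /var/log/nginx/{{ repomanager_fqdn }}_access.log combined if=$loggable;
+    error_log /var/log/nginx/{{ repomanager_fqdn }}_error.log;
+
+    return 301 https://$server_name$request_uri;
+}
+
+server {
+    listen {{ ansible_default_ipv4.address }}:443 ssl;
+    server_name {{ repomanager_fqdn }};
+
+    # Path to SSL certificate/key files
+    ssl_certificate {{ repomanager_vhost_certificate_path }};
+    ssl_certificate_key {{ repomanager_vhost_private_key_path }};
+
+    # Path to log files
+    access_log /var/log/nginx/{{ repomanager_fqdn }}_ssl_access.log combined if=$loggable;
+    error_log /var/log/nginx/{{ repomanager_fqdn }}_ssl_error.log;
+
+    # Max upload size
+    client_max_body_size {{ repomanager_vhost_max_upload_size | default('32') }}M;
+
+    # Security headers
+    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+    add_header Referrer-Policy "no-referrer" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Download-Options "noopen" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Permitted-Cross-Domain-Policies "none" always;
+    add_header X-Robots-Tag "none" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+
+    # Remove X-Powered-By, which is an information leak
+    fastcgi_hide_header X-Powered-By;
+
+    location / {
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_read_timeout 86400;
+        proxy_pass http://repomanager_docker;
+    }
+}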
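Review bot: `fastcgi_hide_header X-Powered-By;` has no effect in this vhost because the only location uses `proxy_pass`, not FastCGI, so the header the comment claims to strip still reaches clients; the proxied equivalent is `proxy_hide_header X-Powered-By;`. The TLS server block sets no `ssl_protocols` or `ssl_ciphers`, so the floor is whatever the installed nginx build defaults to; adding `ssl_protocols TLSv1.2 TLSv1.3;` (and a modern cipher list with `ssl_prefer_server_ciphers off;`) makes that explicit. Two smaller points: the HSTS value carries a stray trailing `;` and a six-month `max-age` even though the `preload` token is only honoured by the preload list at one year or more, and `X-XSS-Protection "1; mode=block"` is deprecated, with current guidance being `0` or omitting the header because the browser filter itself became a leak vector.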
@@ -0,0 +1,15 @@ | ||
--- | ||
# The FQDN of Repomanager | ||
repomanager_fqdn: repomanager.example.com | ||
|
||
# The port the container listens on (default: 8080) | ||
repomanager_listen_port: 8080 | ||
|
||
# The maximum upload size in MB (default: 32M) | ||
repomanager_vhost_max_upload_size: 32 | ||
|
||
# Path to the SSL certificate | ||
repomanager_vhost_certificate_path: /etc/nginx/ssl/certificate.crt | ||
|
||
# Path to the SSL private key | ||
repomanager_vhost_private_key_path: /etc/nginx/ssl/private.key |
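Review bot: The file documents the values but not the contract around them, and two comments would save the next operator a failed deploy. `repomanager_listen_port` is the host-side published port that the nginx upstream connects to while the container itself always listens on 8080, so `# host port nginx proxies to; the container port is fixed at 8080` belongs on that entry, and the two certificate paths should carry `# must already exist on the host; the role does not create them and nginx rejects the vhost otherwise`. Since the defaults point at `/etc/nginx/ssl/`, which is exactly where the CI workflow drops a self-signed pair, it is worth stating that production deployments are expected to override them.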