diff --git a/.drone.remote.yml b/.drone.remote.yml
new file mode 100644
index 0000000..dc976a4
--- /dev/null
+++ b/.drone.remote.yml
@@ -0,0 +1,292 @@
+---
+
+kind: pipeline
+type: docker
+name: default
+when:
+ branch:
+ - remote
+
+clone:
+ # skip_verify: true
+
+steps:
+- name: printenv
+ image: appleboy/drone-ssh
+ environment:
+ CERTBOT_EMAIL:
+ from_secret: certbot-email
+ DRONE_DOMAIN:
+ from_secret: drone-domain
+ DRONE_GITEA_CLIENT_ID:
+ from_secret: drone-gitea-client-id
+ GIT_DOMAIN:
+ from_secret: git-domain
+ REMOTE_DOMAIN:
+ from_secret: remote-domain
+ SSH_HOST:
+ from_secret: ssh-host
+ SSH_PORT:
+ from_secret: ssh-port
+ SSH_USER:
+ from_secret: ssh-user
+ SSH_ROOT_USER:
+ from_secret: ssh-root-user
+ LOCAL_DOCKER_REGISTRY:
+ from_secret: local-docker-registry
+ settings:
+ envs:
+ - certbot_email
+ - drone_domain
+ - drone_gitea_client_id
+ - git_domain
+ - remote_domain
+ - ssh_host
+ - ssh_port
+ - ssh_root_user
+ - ssh_user
+ - local_docker_registry
+ host:
+ from_secret: ssh-host
+ port:
+ from_secret: ssh-port
+ username:
+ from_secret: ssh-user
+ password:
+ from_secret: ssh-password
+ script:
+ - echo certbot-email=$CERTBOT_EMAIL > env-stack
+ - echo drone-domain=$DRONE_DOMAIN >> env-stack
+ - echo drone-gitea-client-id=$DRONE_GITEA_CLIENT_ID >> env-stack
+ - echo git-domain=$GIT_DOMAIN >> env-stack
+ - echo remote-domain=$REMOTE_DOMAIN >> env-stack
+ - echo ssh-host=$SSH_HOST >> env-stack
+ - echo ss-port=$SSH_PORT >> env-stack
+ - echo ssh-root-user=$SSH_ROOT_USER >> env-stack
+ - echo ssh-user=$SSH_USER >> env-stack
+ - echo local_docker_registry=$LOCAL_DOCKER_REGISTRY >> env-stack
+
+- name: test-ssh
+ when:
+ branch:
+ - remote
+ image: appleboy/drone-ssh
+ environment:
+ DRONE_RPC_SECRET:
+ from_secret: drone-rpc-secret
+ DRONE_GITEA_CLIENT_ID:
+ from_secret: drone-gitea-client-id
+ DRONE_GITEA_CLIENT_SECRET:
+ from_secret: drone-gitea-client-secret
+ LOCAL_DOCKER_REGISTRY:
+ from_secret: local-docker-registry
+ SSH_USER:
+ from_secret: ssh-user
+ CERTBOT_EMAIL:
+ from_secret: certbot-email
+ GIT_DOMAIN:
+ from_secret: git-domain
+ DRONE_DOMAIN:
+ from_secret: drone-domain
+ REMOTE_DOMAIN:
+ from_secret: remote-domain
+ settings:
+ envs:
+ - drone_rpc_secret
+ - drone_gitea_client_id
+ - drone_gitea_client_secret
+ - ssh_user
+ - local_docker_registry
+ - certbot_email
+ - git_domain
+ - drone_domain
+ - remote_domain
+ host:
+ from_secret: ssh-host
+ username:
+ from_secret: ssh-root-user
+ password:
+ from_secret: ssh-root-password
+ port:
+ from_secret: ssh-port
+ script:
+ - echo 'ssh ok'
+- name: wait
+ when:
+ branch:
+ - remote
+ image: docker:dind
+ volumes:
+ - name: dockersock
+ path: /var/run
+
+ commands:
+ - sleep 60
+- name: build-postgres
+ when:
+ branch:
+ - remote
+ image: docker:dind
+ volumes:
+ - name: dockersock
+ path: /var/run
+ environment:
+ LOCAL_DOCKER_REGISTRY:
+ from_secret: local-docker-registry
+ commands:
+ - cd guacamole-postgresql
+ - docker build . -t $${LOCAL_DOCKER_REGISTRY}/guacamole-postgresql
+ - docker push $${LOCAL_DOCKER_REGISTRY}/guacamole-postgresql
+- name: build-ngrok
+ when:
+ branch:
+ - remote
+ image: docker:dind
+ volumes:
+ - name: dockersock
+ path: /var/run
+ environment:
+ LOCAL_DOCKER_REGISTRY:
+ from_secret: local-docker-registry
+ commands:
+ - cd ngrok2
+ - docker build . -t $${LOCAL_DOCKER_REGISTRY}/ngrok-gitea
+ - docker push $${LOCAL_DOCKER_REGISTRY}/ngrok-gitea
+- name: build-letsencrypt-nginx
+ when:
+ branch:
+ - remote
+ image: docker:dind
+ volumes:
+ - name: dockersock
+ path: /var/run
+ environment:
+ LOCAL_DOCKER_REGISTRY:
+ from_secret: local-docker-registry
+ commands:
+ - cd letsencrypt-nginx
+ - docker build . -t $${LOCAL_DOCKER_REGISTRY}/letsencrypt-nginx
+ - docker push $${LOCAL_DOCKER_REGISTRY}/letsencrypt-nginx
+- name: build-letsencrypt-drone
+ when:
+ branch:
+ - remote
+ image: docker:dind
+ volumes:
+ - name: dockersock
+ path: /var/run
+ environment:
+ LOCAL_DOCKER_REGISTRY:
+ from_secret: local-docker-registry
+ commands:
+ - cd letsencrypt-nginx
+ - sh build.sh drone $${LOCAL_DOCKER_REGISTRY}
+- name: build-letsencrypt-remote
+ when:
+ branch:
+ - remote
+ image: docker:dind
+ volumes:
+ - name: dockersock
+ path: /var/run
+ environment:
+ LOCAL_DOCKER_REGISTRY:
+ from_secret: local-docker-registry
+ commands:
+ - cd letsencrypt-nginx
+ - sh build.sh remote $${LOCAL_DOCKER_REGISTRY}
+- name: scp files
+ when:
+ branch:
+ - remote
+ image: appleboy/drone-scp
+ settings:
+ host:
+ from_secret: ssh-host
+ username:
+ from_secret: ssh-user
+ password:
+ from_secret: ssh-password
+ port:
+ from_secret: ssh-port
+ command_timeout: 2m
+ target: ~/gitea-drone-stack
+ source:
+ - .
+- name: deploy
+ when:
+ branch:
+ - remote
+ image: appleboy/drone-ssh
+ environment:
+ DRONE_RPC_SECRET:
+ from_secret: drone-rpc-secret
+ DRONE_GITEA_CLIENT_ID:
+ from_secret: drone-gitea-client-id
+ DRONE_GITEA_CLIENT_SECRET:
+ from_secret: drone-gitea-client-secret
+ LOCAL_DOCKER_REGISTRY:
+ from_secret: local-docker-registry
+ SSH_USER:
+ from_secret: ssh-user
+ CERTBOT_EMAIL:
+ from_secret: certbot-email
+ GIT_DOMAIN:
+ from_secret: git-domain
+ DRONE_DOMAIN:
+ from_secret: drone-domain
+ REMOTE_DOMAIN:
+ from_secret: remote-domain
+ settings:
+ envs:
+ - drone_rpc_secret
+ - drone_gitea_client_id
+ - drone_gitea_client_secret
+ - ssh_user
+ - local_docker_registry
+ - certbot_email
+ - git_domain
+ - drone_domain
+ - remote_domain
+ host:
+ from_secret: ssh-host
+ username:
+ from_secret: ssh-root-user
+ password:
+ from_secret: ssh-root-password
+ port:
+ from_secret: ssh-port
+ script:
+ - set -e
+ - export LOCAL_DOCKER_REGISTRY=$LOCAL_DOCKER_REGISTRY
+ - export DRONE_RPC_SECRET=$DRONE_RPC_SECRET
+ - export DRONE_GITEA_CLIENT_ID=$DRONE_GITEA_CLIENT_ID
+ - export DRONE_GITEA_CLIENT_SECRET=$DRONE_GITEA_CLIENT_SECRET
+ - export SSH_USER=$SSH_USER
+ - export CERTBOT_EMAIL=$CERTBOT_EMAIL
+ - export GIT_DOMAIN=$GIT_DOMAIN
+ - export DRONE_DOMAIN=$DRONE_DOMAIN
+ - export REMOTE_DOMAIN=$REMOTE_DOMAIN
+ - docker network prune -f
+ - cd /home/$SSH_USER/gitea-drone-stack
+ - docker stack rm remote-drone
+ - sleep 60
+ - docker stack deploy -c docker-compose-remote.yml remote-drone
+ #- sleep 300
+
+services:
+- name: docker
+ image: docker:dind
+ privileged: true
+ volumes:
+ - name: dockersock
+ path: /var/run
+ - name: ca
+ path: /etc/docker/certs.d
+
+volumes:
+- name: dockersock
+ temp: {}
+- name: ca
+ host:
+ path: /home/giles/gitea-drone-stack/.ca
diff --git a/.gitignore b/.gitignore
index 63cd811..ab85a2d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 .certificates
 .ca
 .secrets
+.env
\ No newline at end of file
diff --git a/docker-compose-remote.yml b/docker-compose-remote.yml
new file mode 100644
index 0000000..cdefe10
--- /dev/null
+++ b/docker-compose-remote.yml
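Review bot: The `printenv` step writes the secret-backed values into `env-stack` in the SSH user's home with whatever umask the login shell has, and nothing in the script tightens the file afterwards, so those values are as readable as the user's default file mode allows; add `- umask 077` as the first script line (or `- chmod 600 env-stack` after the last echo). The same script writes `ss-port=$SSH_PORT` where every other key is spelled `ssh-...`, and `local_docker_registry=` uses an underscore where the other keys use hyphens, so anything that reads the file by key will miss those two entries. Both `test-ssh` and `deploy` authenticate as `ssh-root-user` with `ssh-root-password`; a dedicated deploy user with key-based authentication would narrow what a leaked Drone secret grants. `clone:` is left with no value after `skip_verify` was commented out, which parses as null rather than a mapping, and the `ca` volume hard-codes `/home/giles/gitea-drone-stack/.ca` while the deploy script derives the same directory from `$SSH_USER`.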
@@ -0,0 +1,238 @@
+version: "3.7"
+services:
+ letsencrypt-remote:
+ deploy:
+ placement:
+ constraints: [node.labels.com.sigyl.git-stack == yes]
+ replicas: 1
+ restart_policy:
+ condition: any
+ image: ${LOCAL_DOCKER_REGISTRY}/letsencrypt-remote
+ environment:
+ - SERVER_NAME=${REMOTE_DOMAIN}
+ - CERTBOT_EMAIL=${CERTBOT_EMAIL}
+ - PROXY_PASS=http://guacamole:8080/guacamole/
+ volumes:
+ - letsencrypt-remote:/etc/letsencrypt
+ networks:
+ - appnet
+ depends_on:
+ - guacamole
+ letsencrypt-drone:
+ deploy:
+ placement:
+ constraints: [node.labels.com.sigyl.git-stack == yes]
+ replicas: 1
+ restart_policy:
+ condition: any
+ image: ${LOCAL_DOCKER_REGISTRY}/letsencrypt-drone
+ environment:
+ - CERTBOT_EMAIL=${CERTBOT_EMAIL}
+ - SERVER_NAME=${DRONE_DOMAIN}
+ - PROXY_PASS=http://drone-server:8080/
+ volumes:
+ - letsencrypt-drone:/etc/letsencrypt
+ networks:
+ - appnet
+ depends_on:
+ - drone-server
+ ngrok:
+ deploy:
+ placement:
+ constraints: [node.labels.com.sigyl.git-stack == yes]
+ replicas: 1
+ restart_policy:
+ condition: any
+ image: ${LOCAL_DOCKER_REGISTRY}/ngrok-gitea
+ ports:
+ - "4040:4040"
+ volumes:
+ - ./ngrok2/ngrok.m._yml:/home/ngrok/.ngrok2/ngrok._yml:ro
+ environment:
+ - GIT_DOMAIN=${GIT_DOMAIN}
+ - DRONE_DOMAIN=${DRONE_DOMAIN}
+ - REMOTE_DOMAIN=${REMOTE_DOMAIN}
+ - BLOG_DOMAIN=${BLOG_DOMAIN}
+ depends_on:
+ - gitea
+ networks:
+ - appnet
+ secrets:
+ - ngrok-auth-token
+ drone-server:
+ deploy:
+ placement:
+ constraints: [node.labels.com.sigyl.git-stack == yes]
+ replicas: 1
+ restart_policy:
+ condition: any
+ image: drone/drone:latest
+ volumes:
+ - drone:/var/lib/drone
+ - drone-data:/data
+ depends_on:
+ - gitea
+ environment:
+ - DRONE_LOGS_DEBUG=true
+ - DRONE_LOGS_PRETTY=true
+ - DRONE_GITEA_SERVER=https://${GIT_DOMAIN}
+ - DRONE_GITEA_CLIENT_ID=${DRONE_GITEA_CLIENT_ID}
+ - DRONE_GITEA_CLIENT_SECRET=${DRONE_GITEA_CLIENT_SECRET}
+ - DRONE_SERVER_HOST=${DRONE_DOMAIN} # tunnel hostname
+ - DRONE_ADMIN=giles
+ - DRONE_SERVER_PROTO=https # tunnel adds https on top
+ - DRONE_SERVER_PORT=:8080
+ - DRONE_RPC_SECRET=${DRONE_RPC_SECRET}
+ - DRONE_USER_CREATE=username:giles,admin:true
+ - DRONE_AGENTS_ENABLED=true
+ #- DRONE_ENV_PLUGIN_ENDPOINT=http://git.local-domain:8888
+ #- DRONE_ENV_PLUGIN_TOKEN=anything
+ networks:
+ - appnet
+ drone-docker-runner:
+ deploy:
+ placement:
+ constraints: [node.labels.com.sigyl.git-stack == yes]
+ replicas: 1
+ restart_policy:
+ condition: any
+ image: drone/drone-runner-docker:1
+ depends_on:
+ - drone-server
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ environment:
+ - DRONE_RPC_PROTO=https
+ - DRONE_RPC_HOST=${DRONE_DOMAIN}
+ - DRONE_RPC_SECRET=${DRONE_RPC_SECRET}
+ - DRONE_RUNNER_CAPACITY=8
+ - DRONE_RUNNER_NAME="docker-runner"
+ #- DRONE_ENV_PLUGIN_ENDPOINT=http://git.local-domain:8888
+ #- DRONE_ENV_PLUGIN_TOKEN=anything
+
+ registry:
+ deploy:
+ placement:
+ constraints: [node.labels.com.sigyl.git-stack == yes]
+ replicas: 1
+ restart_policy:
+ condition: any
+ image: registry:2
+ ports:
+ - 5000:5000
+ volumes:
+ - registry-data:/var/lib/registry
+ environment:
+ - REGISTRY_HTTP_ADDR=0.0.0.0:5000
+ - REGISTRY_HTTP_TLS_CERTIFICATE="/run/secrets/registry-cert"
+ - REGISTRY_HTTP_TLS_KEY="/run/secrets/registry-key"
+ networks:
+ - appnet
+ secrets:
+ - registry-cert
+ - registry-key
+ registry-cache:
+ deploy:
+ placement:
+ constraints: [node.labels.com.sigyl.git-stack == yes]
+ replicas: 1
+ restart_policy:
+ condition: any
+ image: registry:2
+ ports:
+ - 5001:5001
+ volumes:
+ - registry-cache-data:/var/lib/registry
+ environment:
+ - REGISTRY_HTTP_ADDR=0.0.0.0:5001
+ - REGISTRY_HTTP_TLS_CERTIFICATE="/run/secrets/registry-cert"
+ - REGISTRY_HTTP_TLS_KEY="/run/secrets/registry-key"
+ - REGISTRY_PROXY_REMOTEURL=http://registry-1.docker.io
+ networks:
+ - appnet
+ secrets:
+ - registry-cert
+ - registry-key
+ guacamole-postgresql:
+ deploy:
+ placement:
+ constraints: [node.labels.com.sigyl.git-stack == yes]
+ replicas: 1
+ restart_policy:
+ condition: any
+ image: ${LOCAL_DOCKER_REGISTRY}/guacamole-postgresql:latest
+ environment:
+ POSTGRES_PASSWORD: guacroot
+ POSTGRES_DB: guacamole_db
+ volumes:
+ - guacamole-postgresql-data:/var/lib/postgresql/data
+ #secrets:
+ # - source: guacamole-postgresql-password
+ # target: password
+
+ #- /home/giles/guacamole-stack/initdb.sql:/initdb.sql
+ networks:
+ - appnet
+
+ # The backend guacamole server.
+ guacd:
+ deploy:
+ placement:
+ constraints: [node.labels.com.sigyl.git-stack == yes]
+ replicas: 1
+ restart_policy:
+ condition: any
+ image: guacamole/guacd:latest
+ networks:
+ - appnet
+
+ guacamole:
+ deploy:
+ placement:
+ constraints: [node.labels.com.sigyl.git-stack == yes]
+ replicas: 1
+ restart_policy:
+ condition: any
+ image: guacamole/guacamole:latest
+ secrets:
+ - source: guacamole-postgresql-database
+ target: database
+ - source: guacamole-postgresql-user
+ target: user
+ - source: guacamole-postgresql-password
+ target: password
+ environment:
+ - POSTGRES_HOSTNAME=guacamole-postgresql
+ - POSTGRES_PORT=5432
+ - POSTGRES_USER_FILE=/run/secrets/user
+ - POSTGRES_PASSWORD_FILE=/run/secrets/password
+ - POSTGRES_DATABASE_FILE=/run/secrets/database
+ - GUACD_HOSTNAME=guacd
+ networks:
+ - appnet
+volumes:
+ drone:
+ drone-data:
+ registry-data:
+ registry-cache-data:
+ guacamole-postgresql-data:
+ letsencrypt-remote:
+ letsencrypt-drone:
+
+networks:
+ appnet:
+ driver: overlay
+ #external: true
+secrets:
+ 'registry-cert':
+ file: .certificates/registry.crt
+ 'registry-key':
+ file: .certificates/registry.key
+ 'guacamole-postgresql-database':
+ file: .secrets/guacamole-postgresql-database
+ 'guacamole-postgresql-user':
+ file: .secrets/guacamole-postgresql-user
+ 'guacamole-postgresql-password':
+ file: .secrets/guacamole-postgresql-password
+ 'ngrok-auth-token':
+ file: .secrets/ngrok-auth-token
\ No newline at end of file
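Review bot: `POSTGRES_PASSWORD: guacroot` in the guacamole-postgresql service commits a database credential to the repository, while the same file already declares a `guacamole-postgresql-password` secret that the guacamole service reads through `POSTGRES_PASSWORD_FILE`, so the two sides only agree if the secret file happens to contain `guacroot`. If the custom image is built on the official postgres image it honours `POSTGRES_PASSWORD_FILE` the same way, so the commented-out `secrets:` block should be restored and the plain value replaced as below. Separately, the list-form entries `REGISTRY_HTTP_TLS_CERTIFICATE="/run/secrets/registry-cert"`, `REGISTRY_HTTP_TLS_KEY="/run/secrets/registry-key"` and `DRONE_RUNNER_NAME="docker-runner"` are plain YAML scalars, so the double quotes most likely become part of the value the container sees; write them without quotes, e.g. `- REGISTRY_HTTP_TLS_CERTIFICATE=/run/secrets/registry-cert`. `REGISTRY_PROXY_REMOTEURL=http://registry-1.docker.io` should use `https://`, and `depends_on` is ignored by `docker stack deploy`, so nothing here orders the service start-up.
```yaml
  guacamole-postgresql:
    # … unchanged: deploy, image …
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/password
      POSTGRES_DB: guacamole_db
    # … unchanged: volumes …
    secrets:
      - source: guacamole-postgresql-password
        target: password
    # … unchanged: networks …
```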