Update
This commit is contained in:
David Rotermund
parent
97797976ef
commit
015bd8a3a9
3 changed files with 300 additions and 20 deletions
|
|
@ -81,8 +81,8 @@
|
|||
MARIADB_DATABASE: "semaphore"
|
||||
MARIADB_USER: "semaphore"
|
||||
MARIADB_PASSWORD: "{{ sqlpwd }}"
|
||||
MARIADB_ROOT_PASSWORD : "{{ sqlrootpwd }}"
|
||||
MYSQL_ROOT_HOST: '%'
|
||||
MARIADB_ROOT_PASSWORD: "{{ sqlrootpwd }}"
|
||||
MYSQL_ROOT_HOST: "%"
|
||||
networks:
|
||||
- name: semaphoreNet
|
||||
comparisons:
|
||||
|
|
@ -161,7 +161,6 @@
|
|||
hostname = 127.0.0.1:25
|
||||
mda "/usr/bin/procmail -d %T"
|
||||
|
||||
|
||||
- name: Create volume semaphore_etc
|
||||
community.docker.docker_volume:
|
||||
name: semaphore_etc
|
||||
|
|
@ -177,6 +176,14 @@
|
|||
name: semaphore_tmp
|
||||
state: present
|
||||
|
||||
- name: copy key
|
||||
ansible.builtin.copy:
|
||||
src: "/config/neuro_ansible/semaphore-wrapper"
|
||||
dest: "/root/semaphore-wrapper"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0777"
|
||||
|
||||
- name: Create semaphore container
|
||||
community.docker.docker_container:
|
||||
name: semaphore
|
||||
|
|
@ -184,12 +191,12 @@
|
|||
state: started
|
||||
recreate: yes
|
||||
restart_policy: always
|
||||
published_ports:
|
||||
- "80:3000/tcp"
|
||||
|
||||
volumes:
|
||||
- "semaphore_etc:/etc/semaphore"
|
||||
- "semaphore_lib:/var/lib/semaphore"
|
||||
- "semaphore_tmp:/tmp/semaphore/"
|
||||
- "/root/semaphore-wrapper:/usr/local/bin/semaphore-wrapper"
|
||||
env:
|
||||
SEMAPHORE_DB_USER: "semaphore"
|
||||
SEMAPHORE_DB_PASS: "{{ sqlpwd }}"
|
||||
|
|
@ -206,23 +213,100 @@
|
|||
|
||||
SEMAPHORE_ACCESS_KEY_ENCRYPTION: "{{ semakey }}"
|
||||
|
||||
SEMAPHORE_LDAP_ACTIVATED: 'no'
|
||||
SEMAPHORE_LDAP_ACTIVATED: "no"
|
||||
|
||||
ANSIBLE_HOST_KEY_CHECKING: "False"
|
||||
|
||||
email_alert: "true"
|
||||
email_host: "smtpd"
|
||||
email_port: "25"
|
||||
email_sender: "Ansible Neuro ITP"
|
||||
email_secure: "False"
|
||||
|
||||
SEMAPHORE_EMAIL_ALERT: "yes"
|
||||
SEMAPHORE_EMAIL_HOST: "smtpd"
|
||||
SEMAPHORE_EMAIL_SENDER: "computers@neuro.uni-bremen.de"
|
||||
|
||||
TZ: "Europe/Berlin"
|
||||
|
||||
networks:
|
||||
- name: semaphoreNet
|
||||
- name: bridge
|
||||
comparisons:
|
||||
networks: strict
|
||||
|
||||
- name: set nginx.conf
|
||||
blockinfile:
|
||||
path: /root/nginx/nginx.conf
|
||||
state: present
|
||||
create: true
|
||||
owner: "root"
|
||||
group: "root"
|
||||
mode: "0644"
|
||||
block: |
|
||||
events {}
|
||||
http {
|
||||
server {
|
||||
listen 80 default_server;
|
||||
server_name _;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
server {
|
||||
listen 443 ssl;
|
||||
ssl_certificate /certs/nginx_certificate.pem;
|
||||
ssl_certificate_key /certs/nginx_key.pem;
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
|
||||
server_tokens off;
|
||||
client_max_body_size 50M;
|
||||
|
||||
location / {
|
||||
proxy_pass http://semaphore:3000;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_read_timeout 3m;
|
||||
proxy_send_timeout 3m;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
- name: copy key
|
||||
ansible.builtin.copy:
|
||||
src: "/config/certs/key.pem"
|
||||
dest: "/root/nginx/key.pem"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0600"
|
||||
|
||||
- name: copy ca
|
||||
ansible.builtin.copy:
|
||||
src: "/config/certs/crt_ca.pem"
|
||||
dest: "/root/nginx/ca.pem"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0600"
|
||||
|
||||
- name: Create nginx container
|
||||
community.docker.docker_container:
|
||||
name: nginx
|
||||
image: "nginx:stable-alpine"
|
||||
state: started
|
||||
recreate: no
|
||||
restart_policy: always
|
||||
|
||||
volumes:
|
||||
- "/root/nginx/key.pem:/certs/nginx_key.pem:ro"
|
||||
- "/root/nginx/ca.pem:/certs/nginx_certificate.pem:ro"
|
||||
- "/root/nginx/nginx.conf:/etc/nginx/nginx.conf:ro"
|
||||
|
||||
ports:
|
||||
- "0.0.0.0:443:443"
|
||||
- "0.0.0.0:80:80"
|
||||
env:
|
||||
NGINX_WORKER_PROCESSES: "4"
|
||||
NGINX_WORKER_CONNECTIONS: "768"
|
||||
|
||||
networks:
|
||||
- name: semaphoreNet
|
||||
|
||||
comparisons:
|
||||
networks: strict
|
||||
|
|
|
|||
20
machines/nc
Normal file
20
machines/nc
Normal file
|
|
@ -0,0 +1,20 @@
|
|||
nc46.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no'
|
||||
nc47.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no'
|
||||
nc48.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no'
|
||||
nc49.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no'
|
||||
nc50.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no'
|
||||
nc51.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no'
|
||||
nc52.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no'
|
||||
nc53.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no'
|
||||
nc54.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no'
|
||||
nc55.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no'
|
||||
nc56.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no'
|
||||
nc57.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no'
|
||||
nc58.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no'
|
||||
nc59.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no'
|
||||
nc60.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no'
|
||||
nc61.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no'
|
||||
nc62.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no'
|
||||
nc63.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no'
|
||||
nc64.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no'
|
||||
nc66.neuro.uni-bremen.de ansible_user=ansibleuser ansible_ssh_common_args='-o StrictHostKeyChecking=no'
|
||||
176
semaphore-wrapper
Executable file
176
semaphore-wrapper
Executable file
|
|
@ -0,0 +1,176 @@
|
|||
#!/bin/sh
|
||||
|
||||
set -e
|
||||
|
||||
echoerr() { printf "%s\n" "$*" >&2; }
|
||||
|
||||
file_env() {
|
||||
local var=""
|
||||
local fileVar=""
|
||||
eval var="\$${1}"
|
||||
eval fileVar="\$${1}_FILE"
|
||||
local def="${2:-}"
|
||||
if [ -n "${var:-}" ] && [ -n "${fileVar:-}" ]; then
|
||||
echo >&2 "error: both ${1} and ${1}_FILE are set (but are exclusive)"
|
||||
exit 1
|
||||
fi
|
||||
local val="$def"
|
||||
if [ -n "${var:-}" ]; then
|
||||
val="${var}"
|
||||
elif [ -n "${fileVar:-}" ]; then
|
||||
val="$(cat "${fileVar}")"
|
||||
fi
|
||||
export "${1}"="$val"
|
||||
unset "${1}_FILE"
|
||||
}
|
||||
|
||||
SEMAPHORE_CONFIG_PATH="${SEMAPHORE_CONFIG_PATH:-/etc/semaphore}"
|
||||
SEMAPHORE_TMP_PATH="${SEMAPHORE_TMP_PATH:-/tmp/semaphore}"
|
||||
|
||||
# Semaphore database env config
|
||||
SEMAPHORE_DB_DIALECT="${SEMAPHORE_DB_DIALECT:-mysql}"
|
||||
SEMAPHORE_DB_HOST="${SEMAPHORE_DB_HOST:-0.0.0.0}"
|
||||
SEMAPHORE_DB_PATH="${SEMAPHORE_DB_PATH:-/var/lib/semaphore}"
|
||||
SEMAPHORE_DB_PORT="${SEMAPHORE_DB_PORT:-}"
|
||||
SEMAPHORE_DB="${SEMAPHORE_DB:-semaphore}"
|
||||
file_env 'SEMAPHORE_DB_USER' 'semaphore'
|
||||
file_env 'SEMAPHORE_DB_PASS' 'semaphore'
|
||||
# Email alert env config
|
||||
SEMAPHORE_WEB_ROOT="${SEMAPHORE_WEB_ROOT:-}"
|
||||
# Semaphore Admin env config
|
||||
file_env 'SEMAPHORE_ADMIN' 'admin'
|
||||
SEMAPHORE_ADMIN_EMAIL="${SEMAPHORE_ADMIN_EMAIL:-admin@localhost}"
|
||||
SEMAPHORE_ADMIN_NAME="${SEMAPHORE_ADMIN_NAME:-Semaphore Admin}"
|
||||
file_env 'SEMAPHORE_ADMIN_PASSWORD' 'semaphorepassword'
|
||||
#Semaphore LDAP env config
|
||||
SEMAPHORE_LDAP_ACTIVATED="${SEMAPHORE_LDAP_ACTIVATED:-no}"
|
||||
SEMAPHORE_LDAP_HOST="${SEMAPHORE_LDAP_HOST:-}"
|
||||
SEMAPHORE_LDAP_PORT="${SEMAPHORE_LDAP_PORT:-}"
|
||||
SEMAPHORE_LDAP_NEEDTLS="${SEMAPHORE_LDAP_NEEDTLS:-no}"
|
||||
SEMAPHORE_LDAP_DN_BIND="${SEMAPHORE_LDAP_DN_BIND:-}"
|
||||
file_env 'SEMAPHORE_LDAP_PASSWORD'
|
||||
SEMAPHORE_LDAP_DN_SEARCH="${SEMAPHORE_LDAP_DN_SEARCH:-}"
|
||||
SEMAPHORE_LDAP_SEARCH_FILTER="${SEMAPHORE_LDAP_SEARCH_FILTER:-(uid=%s)}"
|
||||
SEMAPHORE_LDAP_MAPPING_DN="${SEMAPHORE_LDAP_MAPPING_DN:-dn}"
|
||||
SEMAPHORE_LDAP_MAPPING_USERNAME="${SEMAPHORE_LDAP_MAPPING_USERNAME:-uid}"
|
||||
SEMAPHORE_LDAP_MAPPING_FULLNAME="${SEMAPHORE_LDAP_MAPPING_FULLNAME:-cn}"
|
||||
SEMAPHORE_LDAP_MAPPING_EMAIL="${SEMAPHORE_LDAP_MAPPING_EMAIL:-mail}"
|
||||
|
||||
file_env 'SEMAPHORE_ACCESS_KEY_ENCRYPTION'
|
||||
|
||||
[ -d "${SEMAPHORE_TMP_PATH}" ] || mkdir -p "${SEMAPHORE_TMP_PATH}" || {
|
||||
echo "Can't create Semaphore tmp path ${SEMAPHORE_TMP_PATH}."
|
||||
exit 1
|
||||
}
|
||||
|
||||
[ -d "${SEMAPHORE_CONFIG_PATH}" ] || mkdir -p "${SEMAPHORE_CONFIG_PATH}" || {
|
||||
echo "Can't create Semaphore Config path ${SEMAPHORE_CONFIG_PATH}."
|
||||
exit 1
|
||||
}
|
||||
|
||||
[ -d "${SEMAPHORE_DB_PATH}" ] || mkdir -p "${SEMAPHORE_DB_PATH}" || {
|
||||
echo "Can't create data path ${SEMAPHORE_DB_PATH}."
|
||||
exit 1
|
||||
}
|
||||
|
||||
# wait on db to be up
|
||||
|
||||
if [ "${SEMAPHORE_DB_DIALECT}" != 'bolt' ]; then
|
||||
echoerr "Attempting to connect to database ${SEMAPHORE_DB} on ${SEMAPHORE_DB_HOST}:${SEMAPHORE_DB_PORT} with user ${SEMAPHORE_DB_USER} ..."
|
||||
TIMEOUT=30
|
||||
while ! $(nc -z "$SEMAPHORE_DB_HOST" "$SEMAPHORE_DB_PORT") >/dev/null 2>&1; do
|
||||
TIMEOUT=$(expr $TIMEOUT - 1)
|
||||
if [ $TIMEOUT -eq 0 ]; then
|
||||
echoerr "Could not connect to database server. Exiting."
|
||||
exit 1
|
||||
fi
|
||||
echo -n "."
|
||||
sleep 1
|
||||
done
|
||||
fi
|
||||
|
||||
if [ -n "${SEMAPHORE_DB_PORT}" ]; then
|
||||
SEMAPHORE_DB_HOST="${SEMAPHORE_DB_HOST}:${SEMAPHORE_DB_PORT}"
|
||||
fi
|
||||
|
||||
case ${SEMAPHORE_DB_DIALECT} in
|
||||
mysql) SEMAPHORE_DB_DIALECT_ID=1;;
|
||||
bolt) SEMAPHORE_DB_DIALECT_ID=2;;
|
||||
postgres) SEMAPHORE_DB_DIALECT_ID=3;;
|
||||
*)
|
||||
echoerr "Unknown database dialect: ${SEMAPHORE_DB_DIALECT}"
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
# Create a config if it does not exist in the current config path
|
||||
if [ ! -f "${SEMAPHORE_CONFIG_PATH}/config.json" ]; then
|
||||
echoerr "Generating ${SEMAPHORE_TMP_PATH}/config.stdin ..."
|
||||
cat << EOF > "${SEMAPHORE_TMP_PATH}/config.stdin"
|
||||
${SEMAPHORE_DB_DIALECT_ID}
|
||||
EOF
|
||||
|
||||
if [ "${SEMAPHORE_DB_DIALECT}" = "bolt" ]; then
|
||||
cat << EOF >> "${SEMAPHORE_TMP_PATH}/config.stdin"
|
||||
${SEMAPHORE_DB_PATH}/database.boltdb
|
||||
EOF
|
||||
else
|
||||
cat << EOF >> "${SEMAPHORE_TMP_PATH}/config.stdin"
|
||||
${SEMAPHORE_DB_HOST}
|
||||
${SEMAPHORE_DB_USER}
|
||||
${SEMAPHORE_DB_PASS}
|
||||
${SEMAPHORE_DB}
|
||||
EOF
|
||||
fi
|
||||
|
||||
cat << EOF >> "${SEMAPHORE_TMP_PATH}/config.stdin"
|
||||
${SEMAPHORE_TMP_PATH}
|
||||
${SEMAPHORE_WEB_ROOT}
|
||||
${SEMAPHORE_EMAIL_ALERT}
|
||||
EOF
|
||||
if [ "${SEMAPHORE_EMAIL_ALERT}" = "yes" ]; then
|
||||
cat << EOF >> "${SEMAPHORE_TMP_PATH}/config.stdin"
|
||||
${SEMAPHORE_EMAIL_HOST}
|
||||
25
|
||||
${SEMAPHORE_EMAIL_SENDER}
|
||||
EOF
|
||||
fi
|
||||
|
||||
cat << EOF >> "${SEMAPHORE_TMP_PATH}/config.stdin"
|
||||
no
|
||||
no
|
||||
no
|
||||
no
|
||||
${SEMAPHORE_LDAP_ACTIVATED}
|
||||
EOF
|
||||
|
||||
if [ "${SEMAPHORE_LDAP_ACTIVATED}" = "yes" ]; then
|
||||
cat << EOF >> "${SEMAPHORE_TMP_PATH}/config.stdin"
|
||||
${SEMAPHORE_LDAP_HOST}:${SEMAPHORE_LDAP_PORT}
|
||||
${SEMAPHORE_LDAP_NEEDTLS}
|
||||
${SEMAPHORE_LDAP_DN_BIND}
|
||||
${SEMAPHORE_LDAP_PASSWORD}
|
||||
${SEMAPHORE_LDAP_DN_SEARCH}
|
||||
${SEMAPHORE_LDAP_SEARCH_FILTER}
|
||||
${SEMAPHORE_LDAP_MAPPING_DN}
|
||||
${SEMAPHORE_LDAP_MAPPING_USERNAME}
|
||||
${SEMAPHORE_LDAP_MAPPING_FULLNAME}
|
||||
${SEMAPHORE_LDAP_MAPPING_EMAIL}
|
||||
EOF
|
||||
fi;
|
||||
|
||||
cat << EOF >> "${SEMAPHORE_TMP_PATH}/config.stdin"
|
||||
${SEMAPHORE_CONFIG_PATH}
|
||||
${SEMAPHORE_ADMIN}
|
||||
${SEMAPHORE_ADMIN_EMAIL}
|
||||
${SEMAPHORE_ADMIN_NAME}
|
||||
${SEMAPHORE_ADMIN_PASSWORD}
|
||||
EOF
|
||||
|
||||
cat "${SEMAPHORE_TMP_PATH}/config.stdin"
|
||||
$1 setup - < "${SEMAPHORE_TMP_PATH}/config.stdin"
|
||||
echoerr "Run Semaphore with semaphore server --config ${SEMAPHORE_CONFIG_PATH}/config.json"
|
||||
fi
|
||||
|
||||
# run our command
|
||||
exec "$@"
|
||||
Loading…
Reference in a new issue