Big restructuring based on docker-compose deployments (#25)

* Dropped coverage role

* Added appleboy and ssh keys

* Fixed root ssh keys

* Big restructuring based on docker-compose deployments

.gitignore

@@ -1,2 +1,4 @@
+.vault
+
 playbook.retry
 terraform.tfstate.backup

ansible/group_vars/all.yml

@@ -3,6 +3,17 @@ root_castles:
   - tboerger/homeshick-vim
   - tboerger/homeshick-linux
 
+root_sshkeys: |
+  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCc1nE4kCs9WXEEbotF+0Rivnr/9I0fc56QLZTqIr4Rsl3iZcvVDgYJmh6rPcl9xKBptNo/jK1EJF/bm2APf6wIU5Q7tNjeIw5IMJnBRBfPdQujXumb1LZMGnQvPT/gHdpVZvPkYlKkBocOJGPG99GZL0FlXXpc4eDYrgCMfCzRFG1SbQWcUdipbJJgELmbiOy7c5eHtb9i51x7g99pC91WnpInuN4pa0AFHwDQpBhS8RSLFEAfWNNs4T3SiYiUUq0lIHBoIoTM8fTTzhshXAlGWuwsZ9c9luEAw+n4QL8oD9a2ycWTJ3JCRK3CC/+J2MqCROSL4zpVA7+PFrloScMV tboerger@gitea.io
+  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1vlBRSgKE2LN6Tbp5pQ4qVVOXlqUnhI4fkEJLCGAGmsQGu5usxNvp9UJq0cGt6Sq1htoDmgIjEZwCE/np8/O7ZQPyHpwOWtUlS4WWiXKW0GYaeoYsuMabMLbuV1CpSZhb93zy7ZLIKUYpP7WHyZmivDaXnYkn2IOu3fvDtTQdXbwlCer96dIQjNE/KEH4/gUXetrLMYYg26gUnSDeHaxGrLQAfA9jNG1EbXiUkx8cFmZLEREHjwkBAHcwZDkqbLvZr+ExAKIVUcSzj1ep5sOrtSpbwxRtmDscviFPruJmsx/Jjl9fMhpZq8lIQb6aQ0qq09KGv1WP4YbLGRItvq9T tboerger@gitea.io
+  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCjASyOuvhSdzOeJCC/9crxcuztTY/AeFV7v59wQrCwozS2hPBcy5UJ4li80ly79t2D/ppCsiGDQjxCpMUKq++canqCIRZ1d6/6ylQPZIQw0rCGRHXDIKlc99i3Fz94XD85ZtFdGe2TWq1T2EEgmCRM9dGWq+f5iloRxnoSrCTXpy8JshnO5kMyQovChKzLBKdHIxddBDlEHxvWI0UcvWNuA8J2nrrOfMdMVKdPa5xeveX2V5oW3YClku7b/W6jO1rdkZ0tyl1n+wbETGmWQC+V4HE5qxK0u+Zmyz/4J+82sKQC6uEWbC9dFRslq+84rd4LyCD2467ZmzzV6HcyWJhL tboerger@gitea.io
+  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNxqUBNvl59j7Xkw3I1rXkiz0LWNvOK2KFFgLB4C101xv6C/UGjCJPlAWYl5lrTokICqi8fmLkVzAuhhGaPs28Eo55lARl1uZoTSuuobKaZHc/SZzIqn2NgSYV9WNzskpo8IkN2K5DWCYr73x6tskJ5BT9hcXWaPRb8s7dEPnw7NduhMroqlNBFgCwIgkYrjjNNIEZt5G5q2aYFLmIRRZ1JimuAJBlmQJCw+W049tjjNUKY4f2Fm9zIbktPZvSgT2kRvMWxUc8KR1kyzMVaDgqFJKQFjEoZ3kKTfkf3FV2O6tIZHA9fnRYABQy+7HAjRRFcVEu7usu12BKZ0QHKhWT lunny@gitea.io
+  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCianSaWiFmKklsBv1GlN2wLx9MTfVqjUHSKyYz54AbCBBpXzOx6mrc86DiNuYHmCGDJAHywtCEQfZQTC0gqI62bKhjtI7tVo3Pp47cpAYLX8i4DR5YOHDTZTBRrLAsoACu+Cv905LD/R7FAtR5rKDXl8706HS0ftIiB1bsOBaH2UMIKZHfKg2swR4uMRsLec8GC4lZ5G1kVbtuT9jor7lvWPABstdp7eAe7Ty6/K0HvAo9IXdPdIbKUxVAkwpYnCsh+Ri4AFwWSnDTpBp/w2v4MarhMFno3Qm+3Kqusug1V8/XxsxPD1PVPVZnRocbuocTcuB1uhyWMYh29x7hN6bp bkc-ws@gitea.io
+  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2Sovl8XfHqhiAo1GQpsJ/Z8YMvs+xPt1NMsHa5mqAtaMSGsaxIgfpL80+oSX7/itHZJfi7OcRz7R8LzJfy6WKMZUzSkkXXZlxYT328qlMzRPOtkyDWBgIY7ArcDkiyY2MFnbv5uIgilpRKFxFNxx7TuUucOmrB9SHTINy1rDiLHbvZTyJH83WVRo8V6+2JB1N1hyBWbsLNRL9VTAb3v1RvRaDUq92HJqLN77SrxHitst/7PnSimIdnPN04pogP8bDqD/XVL08ZAOXgIQvXqHIC6V+UebLSw18tw/Iac7rYNyYo949NnzQCZ0lB3/yi+L/3Hq9rpiDp3GmANQRRcBN bkc-work@gitea.io
+  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9WgmBjn7jlFzAz7QPE5p3F+wG2Dbcg616J/vQk1e0Z4hlRSejoFoA9JVV8IuKBdXYDCieqctvbd01S/5dyDOq8rIoyLa1vfYAqkztzShjZ91WAnv8JOU2o5YC1HtiSKP4ygDzTztr97L1Mv29S3RM1ZFjiNo/0gncMK2uI7z9BgzTXkHEvWPqOy+ca8f6HFVDTL5wfer1oY0gkj4fbYdHclpFrMQh0WBI/Z4YvZz7oRmJHajyRfmTu5X/iLsFk8daP+O7wJpQPwKsefczZmrHyKLC4DgrcHEBzvfyfRa/MQNdJZ+ohayomX51xpsAfBOb4AlJbM7o2SgyJcnfolK7 bkc-900@gitea.io
+  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRTsax/+U1Qz3GeTFEZnNQbqrX0sIqgxWDrZ/6ZRIfjZBunkredTz8PtU1hq0F9jW7R+/DWr3vK0puGucHLhn4ds3WcEOADWcMXHHP5p36EQwaXgKzbUTLAGDjBbK+J2MPlPLMd/46aNT4RKs+6ft3ZueJHrWo6qkf80PjtLr1z0U+ixEVf9kjuCED/l3ODIamajw2eoyA9qQKjishZRVTm6uac6IYUYDQlibCOxjZL52zVCFYwG6KE/3pzARBugNRljn5VPVahFlPo1NMlWXziIvmzDF5cblt7rfdeHXlx8IaO/jVW8ze1OWiiCt32hEwWZobtsNoaeEXbLaUsdzp bkc-hsm@gitea.io
+  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3uQtMr300gb2icmedgrYgsI/slCgS8mDkPS1G0rlEACyMund4lMo+C8vTnhfoq7CmWGFDuGXXMGcgnnhiN67EXf4xKwCiypmvV4hrisd5FDyluNvUo9wdsqcq3Nv8jNYid27uidgx2v1o4bjidV8F163M5OuQV/Ij1uYsoZ4GiZvLAq5W09twqThEcz9Us9PljQlpqMxoF68hEyL3FM7MioOPshQiENf/3yRohHTzcDYI369hjJu7OpFqp+VORDc/Lma8bOufd/jGZsOBSiV9wjwYLHUHJsSzYv2Cg+jdmUnYjfqUsabwH1bjTVtiRKiXfZMeFF8ju5d9I7ExNp4x appleboy@gitea.io
+
 users:
   - name: tboerger
     uid: 1000
@@ -42,3 +53,37 @@ users:
       ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2Sovl8XfHqhiAo1GQpsJ/Z8YMvs+xPt1NMsHa5mqAtaMSGsaxIgfpL80+oSX7/itHZJfi7OcRz7R8LzJfy6WKMZUzSkkXXZlxYT328qlMzRPOtkyDWBgIY7ArcDkiyY2MFnbv5uIgilpRKFxFNxx7TuUucOmrB9SHTINy1rDiLHbvZTyJH83WVRo8V6+2JB1N1hyBWbsLNRL9VTAb3v1RvRaDUq92HJqLN77SrxHitst/7PnSimIdnPN04pogP8bDqD/XVL08ZAOXgIQvXqHIC6V+UebLSw18tw/Iac7rYNyYo949NnzQCZ0lB3/yi+L/3Hq9rpiDp3GmANQRRcBN bkc-work@gitea.io
       ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9WgmBjn7jlFzAz7QPE5p3F+wG2Dbcg616J/vQk1e0Z4hlRSejoFoA9JVV8IuKBdXYDCieqctvbd01S/5dyDOq8rIoyLa1vfYAqkztzShjZ91WAnv8JOU2o5YC1HtiSKP4ygDzTztr97L1Mv29S3RM1ZFjiNo/0gncMK2uI7z9BgzTXkHEvWPqOy+ca8f6HFVDTL5wfer1oY0gkj4fbYdHclpFrMQh0WBI/Z4YvZz7oRmJHajyRfmTu5X/iLsFk8daP+O7wJpQPwKsefczZmrHyKLC4DgrcHEBzvfyfRa/MQNdJZ+ohayomX51xpsAfBOb4AlJbM7o2SgyJcnfolK7 bkc-900@gitea.io
       ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRTsax/+U1Qz3GeTFEZnNQbqrX0sIqgxWDrZ/6ZRIfjZBunkredTz8PtU1hq0F9jW7R+/DWr3vK0puGucHLhn4ds3WcEOADWcMXHHP5p36EQwaXgKzbUTLAGDjBbK+J2MPlPLMd/46aNT4RKs+6ft3ZueJHrWo6qkf80PjtLr1z0U+ixEVf9kjuCED/l3ODIamajw2eoyA9qQKjishZRVTm6uac6IYUYDQlibCOxjZL52zVCFYwG6KE/3pzARBugNRljn5VPVahFlPo1NMlWXziIvmzDF5cblt7rfdeHXlx8IaO/jVW8ze1OWiiCt32hEwWZobtsNoaeEXbLaUsdzp bkc-hsm@gitea.io
+  - name: appleboy
+    uid: 1003
+    shell: /bin/bash
+    castles:
+      - tboerger/homeshick-base
+      - tboerger/homeshick-vim
+      - tboerger/homeshick-linux
+    groups:
+      - sudo
+    sshkeys: |
+      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3uQtMr300gb2icmedgrYgsI/slCgS8mDkPS1G0rlEACyMund4lMo+C8vTnhfoq7CmWGFDuGXXMGcgnnhiN67EXf4xKwCiypmvV4hrisd5FDyluNvUo9wdsqcq3Nv8jNYid27uidgx2v1o4bjidV8F163M5OuQV/Ij1uYsoZ4GiZvLAq5W09twqThEcz9Us9PljQlpqMxoF68hEyL3FM7MioOPshQiENf/3yRohHTzcDYI369hjJu7OpFqp+VORDc/Lma8bOufd/jGZsOBSiV9wjwYLHUHJsSzYv2Cg+jdmUnYjfqUsabwH1bjTVtiRKiXfZMeFF8ju5d9I7ExNp4x appleboy@gitea.io
+
+users_available:
+  - tboerger
+  - lunny
+  - bkc
+  - appleboy
+
+traefik_cloudflare_email: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  39303065666339663763306465643233633630653338616539623236386262633837343065643162
+  6533373132393566666635643466626239356165623665660a323763383661386332303737336462
+  61393866633661326263613930613632303732663735653334343664326237376465366135613764
+  3864633665336361630a346666643530623439373030643833343761353436663861396433623136
+  3937
+
+traefik_cloudflare_apikey: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  61383661663033383161306536313332643663356436313137393633656631623732326261633962
+  6163623565356530343562383633633934303138303639310a356363626436393731343634346534
+  30663230343962633731323935346635656531363866626637303832616436666664356364666463
+  6533323738633463630a323064626662636166376162656630623262623639333135363731393533
+  37333739653637373130363964653336326234396161663365363437363466323464313239303934
+  3931323432373336646234663963653030623434663135383139

ansible/group_vars/server.yml

@@ -1,4 +0,0 @@
-users_available:
-  - tboerger
-  - lunny
-  - bkc

ansible/host_vars/dchi/drone.yml

@@ -0,0 +1,15 @@
+drone_domain: drone.try.gitea.io
+drone_orgs: gitea
+drone_admins: tboerger,lunny,bkcsoft,appleboy
+drone_max_procs: 1
+drone_gitea: true
+drone_gitea_url: https://try.gitea.io
+drone_gitea_skip_verify: false
+
+drone_secret: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  33396362313237376239323631386235343930613537623363613663326165373664663362323732
+  3166323537636530613634326436663539333631646636370a353466643231643366343738396239
+  30623036633535396238396539333939646366346132633834366432343230663564336232653566
+  6162663762646266390a633834316430323931313137633364393535303838643835303766613161
+  38623337323936386436646638363030356665356232336330646439653235326232

ansible/host_vars/pangu/drone.yml

@@ -0,0 +1,30 @@
+drone_domain: drone.gitea.io
+drone_orgs: go-gitea
+drone_admins: tboerger,lunny,bkcsoft,appleboy
+drone_max_procs: 2
+drone_github: true
+
+drone_secret: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  31363030316336373437656164363162646539393137633932666230333739333036363734313237
+  6265383139366564383865366232663137343733396238390a613631623539656634336365323132
+  61643832323137656631643334636333396439343865636266633962663933313636303138333061
+  3935343561363133390a313730663934626363343431663266653862363930363866316264623666
+  61393831386436313666653838333238306431383534396663636635633731356663
+
+drone_github_client: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  64343364643039386330393632353262613234383532623566623238326639353030393364626639
+  6539336263326138326136386232316530396336386363650a366165336631633964633334323731
+  32643733653662663935623432373664366336376237353734666133386637323265353332396365
+  3563623166316461330a383161656562626661636161333836323931396238656133393438353464
+  32666233646162643530623539396439363265326337353666363633383437613762
+
+drone_github_secret: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  37356261303961666132383539376162613939393936623334626366633264326437386537343432
+  6335636561613937373434316165303732616339613332300a363436616233366435313431366335
+  39343763656463636564393932623165633830386531653838613562313432393039633939663365
+  6339326134366236330a383162386462633661373334366138666131383631636661613862383131
+  31636336666231316666666161306436656431346139636563636139613664346435663763336239
+  3665393437343934613738653564343163343861376163323837

ansible/host_vars/pangu/lgtm.yml

@@ -0,0 +1,16 @@
+lgtm_debug: true
+lgtm_client: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  37633363353037653737656536376239613033306436343032386666323166303236373864303561
+  3131663133323130616536393033316266363630306132610a396531313333303736333738656233
+  32333334343162386265653639313063373630626266356338303936626135626663623733626461
+  3164663839623731620a643330663664373737666166623431613963646666613333393961363131
+  37326632653833346438323433383766363438373864623530643430623465623665
+lgtm_secret: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  31316534313331333337633063343639353232636161396232393762316135613463653338633766
+  6533646631303539333034313431316664393936303032320a333564353866656565633932326563
+  38633830653939666663323339313739663063303930336439306334663336363932333132353834
+  3762663238613435640a336531663965373339326264323437316663316366663738653430376634
+  66313066373134633663333066353934353833646634343233303033653238343438353536636564
+  3135663562373833376636663137623265383662343331366162

ansible/host_vars/pangu/minio.yml

@@ -0,0 +1,15 @@
+minio_access: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  65623830663533373032613338333637633738303532376465646332656238393365306236653730
+  3863333664393966613031353030366438626135376633390a333037633838623235666666376464
+  38613662396236333435366135656231336637383436613663383739346633383263653462383433
+  6538373139363035360a613032643139376134346538376262396166383863383565613163393133
+  62313361376430356230373130633435373466386364356263653766623038383161
+minio_secret: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  34336533656239373630333030666130316366656533643835643739303164646161356562306437
+  6137663663326635393861353662306438653234373339640a346435616239323962336362373339
+  30393562613339376235333435313433346531643934356336663732323934393161306166333431
+  3161636662353234610a666263326362346631393161363162653738313230363936383637303133
+  33623430646330353136666461383939633164616366336233343736663664633439643332306565
+  3733313933353432336162333135643863626663633135656661

ansible/playbook.yml

@@ -12,22 +12,17 @@
     - root
     - users
     - docker
-    - watchtower
     - docker-gc
     - traefik
 
 - hosts: dchi
   roles:
+    - drone
     - demo
 
 - hosts: pangu
   roles:
-    - lgtm
-    - coverage
     - drone
-    - minio
-    - website
-    - docs
-    - blog
-    - code
+    - pages
     - downloads
+    - lgtm

ansible/roles/base/tasks/main.yml

@@ -1,7 +1,11 @@
 - name: vars
   include_vars: ubuntu.yml
   when: ansible_distribution == 'Ubuntu'
+  tags:
+    - base
 
 - name: ubuntu
   include: ubuntu.yml
   when: ansible_distribution == 'Ubuntu'
+  tags:
+    - base

ansible/roles/base/tasks/ubuntu.yml

@@ -3,3 +3,5 @@
   package:
     name: '{{ item }}'
     state: present
+  tags:
+    - base

ansible/roles/blog/defaults/main.yml

@@ -1,2 +0,0 @@
-blog_domain: blog.gitea.io
-blog_container: gitea/blog:latest

ansible/roles/blog/tasks/main.yml

@@ -1,21 +0,0 @@
-- name: service
-  notify:
-    - restart blog
-  template:
-    src: service.j2
-    dest: /etc/systemd/system/blog.service
-
-- name: default
-  notify:
-    - restart blog
-  template:
-    src: default.j2
-    dest: /etc/default/blog
-
-- name: start
-  systemd:
-    name: blog
-    state: started
-    daemon_reload: yes
-    masked: no
-    enabled: yes

ansible/roles/blog/templates/service.j2

@@ -1,23 +0,0 @@
-[Unit]
-Description=Blog
-
-Requires=docker.service
-After=docker.service
-
-[Service]
-Restart=always
-
-EnvironmentFile=/etc/default/blog
-ExecStop=/bin/sh -c '/usr/bin/docker ps | /bin/grep %p 1> /dev/null && /usr/bin/docker stop %p || true'
-ExecStartPre=/bin/sh -c '/usr/bin/docker ps | /bin/grep %p 1> /dev/null && /usr/bin/docker kill %p || true'
-ExecStartPre=/bin/sh -c '/usr/bin/docker ps -a | /bin/grep %p 1> /dev/null && /usr/bin/docker rm %p || true'
-ExecStartPre=/usr/bin/docker pull {{ blog_container }}
-
-ExecStart=/usr/bin/docker run --rm \
-  --name %p \
-  --hostname {{ blog_domain }} \
-  --label traefik.frontend.rule=Host:{{ blog_domain }} \
-  {{ blog_container }}
-
-[Install]
-WantedBy=multi-user.target

ansible/roles/code/defaults/main.yml

@@ -1,2 +0,0 @@
-code_domain: code.gitea.io
-code_container: gitea/redirects:latest

ansible/roles/code/handlers/main.yml

@@ -1,5 +0,0 @@
-- name: restart code
-  systemd:
-    name: code
-    state: restarted
-    daemon_reload: yes

ansible/roles/code/tasks/main.yml

@@ -1,21 +0,0 @@
-- name: service
-  notify:
-    - restart code
-  template:
-    src: service.j2
-    dest: /etc/systemd/system/code.service
-
-- name: default
-  notify:
-    - restart code
-  template:
-    src: default.j2
-    dest: /etc/default/code
-
-- name: start
-  systemd:
-    name: code
-    state: started
-    daemon_reload: yes
-    masked: no
-    enabled: yes

ansible/roles/code/templates/service.j2

@@ -1,23 +0,0 @@
-[Unit]
-Description=Code
-
-Requires=docker.service
-After=docker.service
-
-[Service]
-Restart=always
-
-EnvironmentFile=/etc/default/code
-ExecStop=/bin/sh -c '/usr/bin/docker ps | /bin/grep %p 1> /dev/null && /usr/bin/docker stop %p || true'
-ExecStartPre=/bin/sh -c '/usr/bin/docker ps | /bin/grep %p 1> /dev/null && /usr/bin/docker kill %p || true'
-ExecStartPre=/bin/sh -c '/usr/bin/docker ps -a | /bin/grep %p 1> /dev/null && /usr/bin/docker rm %p || true'
-ExecStartPre=/usr/bin/docker pull {{ code_container }}
-
-ExecStart=/usr/bin/docker run --rm \
-  --name %p \
-  --hostname {{ code_domain }} \
-  --label traefik.frontend.rule=Host:{{ code_domain }} \
-  {{ code_container }}
-
-[Install]
-WantedBy=multi-user.target

ansible/roles/coverage/defaults/main.yml

@@ -1,5 +0,0 @@
-coverage_container: aircover/aircover:latest
-coverage_domain: coverage.gitea.io
-coverage_debug: true
-coverage_teams: go-gitea
-coverage_admins: tboerger,lunny,bkcsoft

ansible/roles/coverage/handlers/main.yml

@@ -1,5 +0,0 @@
-- name: restart coverage
-  systemd:
-    name: coverage
-    state: restarted
-    daemon_reload: yes

ansible/roles/coverage/tasks/main.yml

@@ -1,21 +0,0 @@
-- name: service
-  notify:
-    - restart coverage
-  template:
-    src: service.j2
-    dest: /etc/systemd/system/coverage.service
-
-- name: default
-  notify:
-    - restart coverage
-  template:
-    src: default.j2
-    dest: /etc/default/coverage
-
-- name: start
-  systemd:
-    name: coverage
-    state: started
-    daemon_reload: yes
-    masked: no
-    enabled: yes

ansible/roles/coverage/templates/default.j2

@@ -1,3 +0,0 @@
-COVERAGE_DEBUG={{ coverage_debug }}
-COVERAGE_TEAMS={{ coverage_teams }}
-COVERAGE_ADMINS={{ coverage_admins }}

ansible/roles/coverage/templates/service.j2

@@ -1,30 +0,0 @@
-[Unit]
-Description=Coverage
-
-Requires=docker.service
-After=docker.service
-
-[Service]
-Restart=always
-
-EnvironmentFile=/etc/default/secrets
-EnvironmentFile=/etc/default/coverage
-ExecStop=/bin/sh -c '/usr/bin/docker ps | /bin/grep %p 1> /dev/null && /usr/bin/docker stop %p || true'
-ExecStartPre=/bin/sh -c '/usr/bin/docker ps | /bin/grep %p 1> /dev/null && /usr/bin/docker kill %p || true'
-ExecStartPre=/bin/sh -c '/usr/bin/docker ps -a | /bin/grep %p 1> /dev/null && /usr/bin/docker rm %p || true'
-ExecStartPre=/usr/bin/docker pull {{ coverage_container }}
-
-ExecStart=/usr/bin/docker run --rm \
-  --name %p \
-  --hostname {{ coverage_domain }} \
-  --label traefik.frontend.rule=Host:{{ coverage_domain }} \
-  --volume /var/lib/coverage:/var/lib/aircover \
-  --env GITHUB_CLIENT=${COVERAGE_GITHUB_CLIENT} \
-  --env GITHUB_SECRET=${COVERAGE_GITHUB_SECRET} \
-  --env TEAMS=${COVERAGE_TEAMS} \
-  --env ADMINS=${COVERAGE_ADMINS} \
-  --env DEBUG=${COVERAGE_DEBUG} \
-  {{ coverage_container }}
-
-[Install]
-WantedBy=multi-user.target

ansible/roles/demo/defaults/main.yml

@@ -1,2 +1,3 @@
-demo_domain: try.gitea.io
 demo_container: gitea/gitea:latest
+demo_domain: try.gitea.io
+demo_ssh: 22

ansible/roles/demo/tasks/main.yml

@@ -1,16 +1,38 @@
-- name: service
+- name: dirs
+  with_items:
+    - /compose/demo
+  file:
+    path: '{{ item }}'
+    state: directory
+  tags:
+    - demo
+
+- name: compose
   notify:
     - restart demo
   template:
-    src: service.j2
-    dest: /etc/systemd/system/demo.service
+    src: compose.j2
+    dest: /compose/demo/docker-compose.yml
+  tags:
+    - demo
 
 - name: default
   notify:
     - restart demo
   template:
     src: default.j2
-    dest: /etc/default/demo
+    dest: /compose/demo/.env
+  tags:
+    - demo
+
+- name: service
+  notify:
+    - restart demo
+  template:
+    src: service.j2
+    dest: /etc/systemd/system/demo.service
+  tags:
+    - demo
 
 - name: start
   systemd:
@@ -19,3 +41,5 @@
     daemon_reload: yes
     masked: no
     enabled: yes
+  tags:
+    - demo

ansible/roles/demo/templates/compose.j2

@@ -0,0 +1,40 @@
+version: "3"
+
+networks:
+  traefik:
+    external:
+      name: traefik_general
+  internal:
+    external: false
+
+volumes:
+  git:
+    driver: local
+  gitea:
+    driver: local
+  ssh:
+    driver: local
+
+services:
+  server:
+    image: ${DEMO_CONTAINER}
+    restart: always
+    networks:
+      - traefik
+      - internal
+    labels:
+      - traefik.docker.network=traefik_general
+      - traefik.port=3000
+      - traefik.frontend.rule=Host:${DEMO_DOMAIN}
+    healthcheck:
+      test: ["NONE"]
+      interval: 30s
+      timeout: 10s
+      retries: 5
+    volumes:
+      - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
+      - git:/data/git
+      - gitea:/data/gitea
+      - ssh:/data/ssh
+    ports:
+      - ${DEMO_SSH}:22

ansible/roles/demo/templates/default.j2

@@ -0,0 +1,3 @@
+DEMO_CONTAINER={{ demo_container }}
+DEMO_DOMAIN={{ demo_domain }}
+DEMO_SSH={{ demo_ssh | default(22) }}

ansible/roles/demo/templates/service.j2

@@ -6,21 +6,13 @@ After=docker.service
 
 [Service]
 Restart=always
+WorkingDirectory=/compose/demo
 
-EnvironmentFile=/etc/default/demo
-ExecStop=/bin/sh -c '/usr/bin/docker ps | /bin/grep %p 1> /dev/null && /usr/bin/docker stop %p || true'
-ExecStartPre=/bin/sh -c '/usr/bin/docker ps | /bin/grep %p 1> /dev/null && /usr/bin/docker kill %p || true'
-ExecStartPre=/bin/sh -c '/usr/bin/docker ps -a | /bin/grep %p 1> /dev/null && /usr/bin/docker rm %p || true'
-ExecStartPre=/usr/bin/docker pull {{ demo_container }}
+ExecStop=/bin/sh -c '/usr/local/bin/docker-compose kill || true'
+ExecStopPost=/bin/sh -c '/usr/local/bin/docker-compose down --remove-orphans || true'
 
-ExecStart=/usr/bin/docker run --rm \
-  --name %p \
-  --hostname {{ demo_domain }} \
-  --label traefik.frontend.rule=Host:{{ demo_domain }} \
-  --label traefik.port=3000 \
-  --volume /var/lib/gitea:/data \
-  --publish 22:22 \
-  {{ demo_container }}
+ExecStartPre=/bin/sh -c '/usr/local/bin/docker-compose pull --ignore-pull-failures || true'
+ExecStart=/usr/local/bin/docker-compose up --abort-on-container-exit --remove-orphans
 
 [Install]
 WantedBy=multi-user.target

ansible/roles/docker-gc/defaults/main.yml

@@ -1,2 +1,2 @@
-docker_gc_container: spotify/docker-gc
+docker_gc_container: spotify/docker-gc:latest
 docker_gc_interval: daily

ansible/roles/docker-gc/tasks/main.yml

@@ -4,6 +4,8 @@
   template:
     src: timer.j2
     dest: /etc/systemd/system/docker-gc.timer
+  tags:
+    - docker-gc
 
 - name: service
   notify:
@@ -11,6 +13,8 @@
   template:
     src: service.j2
     dest: /etc/systemd/system/docker-gc.service
+  tags:
+    - docker-gc
 
 - name: start
   systemd:
@@ -19,3 +23,5 @@
     daemon_reload: yes
     masked: no
     enabled: yes
+  tags:
+    - docker-gc

ansible/roles/docker-gc/templates/service.j2

@@ -9,4 +9,5 @@ Type=oneshot
 
 ExecStart=/usr/bin/docker run --rm \
   --volume /var/run/docker.sock:/var/run/docker.sock \
+  --volume /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro \
   {{ docker_gc_container }}

ansible/roles/docker/defaults/main.yml

@@ -1,7 +1,15 @@
+docker_deps:
+  - apt-transport-https
+  - ca-certificates
+  - software-properties-common
+
 docker_packages:
-  - docker-engine
+  - docker-ce
 
 docker_services:
   - docker
 
+docker_compose_url: https://github.com/docker/compose/releases/download/1.14.0/docker-compose-Linux-x86_64
+docker_compose_checksum: eda2bcd4077daacb763e0745764b9b722bcf4fc6
+
 docker_opts:

ansible/roles/docker/tasks/main.yml

@@ -1,21 +1,43 @@
-- name: key
+- name: deps
+  with_items: '{{ docker_deps }}'
+  package:
+    name: '{{ item }}'
+    state: present
+  tags:
+    - docker
+
+- name: key1
+  apt_key:
+    url: https://download.docker.com/linux/ubuntu/gpg
+    id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
+    state: present
+  tags:
+    - docker
+
+- name: key2
   apt_key:
     keyserver: hkp://p80.pool.sks-keyservers.net:80
     id: 58118E89F3A912897C070ADBF76221572C52609D
     state: present
+  tags:
+    - docker
 
 - name: repo
   apt_repository:
-    repo: deb https://apt.dockerproject.org/repo ubuntu-xenial main
-    filename: docker.list
+    repo: deb [arch=amd64] https://download.docker.com/linux/ubuntu xenial stable
+    filename: docker
     update_cache: yes
     state: present
+  tags:
+    - docker
 
 - name: install
   with_items: '{{ docker_packages }}'
   package:
     name: '{{ item }}'
     state: present
+  tags:
+    - docker
 
 - name: service
   notify:
@@ -23,6 +45,8 @@
   template:
     src: service.j2
     dest: /etc/systemd/system/docker.service
+  tags:
+    - docker
 
 - name: default
   notify:
@@ -30,6 +54,8 @@
   template:
     src: default.j2
     dest: /etc/default/docker
+  tags:
+    - docker
 
 - name: start
   with_items: '{{ docker_services }}'
@@ -39,3 +65,14 @@
     daemon_reload: yes
     masked: no
     enabled: yes
+  tags:
+    - docker
+
+- name: compose
+  get_url:
+    url: '{{ docker_compose_url }}'
+    dest: /usr/local/bin/docker-compose
+    checksum: sha1:{{ docker_compose_checksum }}
+    mode: u=rwx,g=rx,o=rx
+  tags:
+    - docker

ansible/roles/docker/templates/service.j2

@@ -12,10 +12,13 @@ Type=notify
 TimeoutStartSec=0
 Delegate=yes
 KillMode=process
-LimitNOFILE=infinity
+LimitNOFILE=1048576
 LimitNPROC=infinity
 LimitCORE=infinity
 TasksMax=infinity
+Restart=on-failure
+StartLimitBurst=3
+StartLimitInterval=60s
 
 ExecStart=/usr/bin/dockerd -H fd:// $DOCKER_OPTS
 ExecReload=/bin/kill -s HUP $MAINPID

ansible/roles/docs/defaults/main.yml

@@ -1,2 +0,0 @@
-docs_domain: docs.gitea.io
-docs_container: gitea/docs:latest

ansible/roles/docs/handlers/main.yml

@@ -1,5 +0,0 @@
-- name: restart docs
-  systemd:
-    name: docs
-    state: restarted
-    daemon_reload: yes

ansible/roles/docs/tasks/main.yml

@@ -1,21 +0,0 @@
-- name: service
-  notify:
-    - restart docs
-  template:
-    src: service.j2
-    dest: /etc/systemd/system/docs.service
-
-- name: default
-  notify:
-    - restart docs
-  template:
-    src: default.j2
-    dest: /etc/default/docs
-
-- name: start
-  systemd:
-    name: docs
-    state: started
-    daemon_reload: yes
-    masked: no
-    enabled: yes

ansible/roles/docs/templates/service.j2

@@ -1,23 +0,0 @@
-[Unit]
-Description=Docs
-
-Requires=docker.service
-After=docker.service
-
-[Service]
-Restart=always
-
-EnvironmentFile=/etc/default/docs
-ExecStop=/bin/sh -c '/usr/bin/docker ps | /bin/grep %p 1> /dev/null && /usr/bin/docker stop %p || true'
-ExecStartPre=/bin/sh -c '/usr/bin/docker ps | /bin/grep %p 1> /dev/null && /usr/bin/docker kill %p || true'
-ExecStartPre=/bin/sh -c '/usr/bin/docker ps -a | /bin/grep %p 1> /dev/null && /usr/bin/docker rm %p || true'
-ExecStartPre=/usr/bin/docker pull {{ docs_container }}
-
-ExecStart=/usr/bin/docker run --rm \
-  --name %p \
-  --hostname {{ docs_domain }} \
-  --label traefik.frontend.rule=Host:{{ docs_domain }} \
-  {{ docs_container }}
-
-[Install]
-WantedBy=multi-user.target

ansible/roles/downloads/defaults/main.yml

@@ -1 +1,7 @@
+downloads_container: webhippie/caddy:latest
 downloads_domain: dl.gitea.io
+
+minio_container: webhippie/minio:latest
+minio_domain: storage.gitea.io
+minio_access:
+minio_secret:

ansible/roles/downloads/tasks/main.yml

@@ -1,16 +1,38 @@
-- name: service
+- name: dirs
+  with_items:
+    - /compose/downloads
+  file:
+    path: '{{ item }}'
+    state: directory
+  tags:
+    - downloads
+
+- name: compose
   notify:
     - restart downloads
   template:
-    src: service.j2
-    dest: /etc/systemd/system/downloads.service
+    src: compose.j2
+    dest: /compose/downloads/docker-compose.yml
+  tags:
+    - downloads
 
 - name: default
   notify:
     - restart downloads
   template:
     src: default.j2
-    dest: /etc/default/downloads
+    dest: /compose/downloads/.env
+  tags:
+    - downloads
+
+- name: service
+  notify:
+    - restart downloads
+  template:
+    src: service.j2
+    dest: /etc/systemd/system/downloads.service
+  tags:
+    - downloads
 
 - name: start
   systemd:
@@ -19,3 +41,5 @@
     daemon_reload: yes
     masked: no
     enabled: yes
+  tags:
+    - downloads

ansible/roles/downloads/templates/compose.j2

@@ -0,0 +1,52 @@
+version: "3"
+
+networks:
+  traefik:
+    external:
+      name: traefik_general
+
+volumes:
+  server:
+    driver: local
+
+services:
+  server:
+    image: ${DOWNLOADS_CONTAINER}
+    restart: always
+    environment:
+      - CADDY_WEBROOT=/var/lib/minio/releases
+    networks:
+      - traefik
+    labels:
+      - traefik.docker.network=traefik_general
+      - traefik.port=8080
+      - traefik.frontend.rule=Host:${DOWNLOADS_DOMAIN}
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8080/"]
+      interval: 30s
+      timeout: 10s
+      retries: 5
+    volumes:
+      - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
+      - server:/var/lib/minio
+
+  minio:
+    image: ${MINIO_CONTAINER}
+    restart: always
+    environment:
+      - MINIO_ACCESS_KEY=${MINIO_ACCESS}
+      - MINIO_SECRET_KEY=${MINIO_SECRET}
+    networks:
+      - traefik
+    labels:
+      - traefik.docker.network=traefik_general
+      - traefik.port=9000
+      - traefik.frontend.rule=Host:${MINIO_DOMAIN}
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:9000/minio/"]
+      interval: 30s
+      timeout: 10s
+      retries: 5
+    volumes:
+      - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
+      - server:/var/lib/minio

ansible/roles/downloads/templates/default.j2

@@ -0,0 +1,7 @@
+DOWNLOADS_CONTAINER={{ downloads_container }}
+DOWNLOADS_DOMAIN={{ downloads_domain }}
+
+MINIO_CONTAINER={{ minio_container }}
+MINIO_DOMAIN={{ minio_domain }}
+MINIO_ACCESS={{ minio_access }}
+MINIO_SECRET={{ minio_secret }}

ansible/roles/downloads/templates/service.j2

@@ -6,20 +6,13 @@ After=docker.service
 
 [Service]
 Restart=always
+WorkingDirectory=/compose/downloads
 
-EnvironmentFile=/etc/default/downloads
-ExecStop=/bin/sh -c '/usr/bin/docker ps | /bin/grep %p 1> /dev/null && /usr/bin/docker stop %p || true'
-ExecStartPre=/bin/sh -c '/usr/bin/docker ps | /bin/grep %p 1> /dev/null && /usr/bin/docker kill %p || true'
-ExecStartPre=/bin/sh -c '/usr/bin/docker ps -a | /bin/grep %p 1> /dev/null && /usr/bin/docker rm %p || true'
-ExecStartPre=/usr/bin/docker pull abiosoft/caddy:latest
+ExecStop=/bin/sh -c '/usr/local/bin/docker-compose kill || true'
+ExecStopPost=/bin/sh -c '/usr/local/bin/docker-compose down --remove-orphans || true'
 
-ExecStart=/usr/bin/docker run --rm \
-  --name %p \
-  --hostname {{ downloads_domain }} \
-  --label traefik.frontend.rule=Host:{{ downloads_domain }} \
-  --label traefik.port=2015 \
-  --volume /var/lib/minio/releases:/srv \
-  abiosoft/caddy:latest
+ExecStartPre=/bin/sh -c '/usr/local/bin/docker-compose pull --ignore-pull-failures || true'
+ExecStart=/usr/local/bin/docker-compose up --abort-on-container-exit --remove-orphans
 
 [Install]
 WantedBy=multi-user.target

ansible/roles/drone/defaults/main.yml

@@ -1,10 +1,17 @@
-drone_type: both
-drone_container: drone/drone:0.5
-drone_domain: drone.gitea.io
-drone_github: true
-drone_open: true
-drone_orgs: go-gitea
-drone_admins: tboerger,lunny,bkcsoft
+drone_server: drone/drone:0.8
+drone_agent: drone/agent:0.8
+drone_domain:
 drone_debug: true
-drone_plugin_pull: true
-drone_max_procs: 1
+drone_open: true
+drone_orgs:
+drone_admins:
+drone_max_procs: 2
+drone_secret:
+
+drone_github: false
+drone_github_client:
+drone_github_secret:
+
+drone_gitea: false
+drone_gitea_url:
+drone_gitea_skip_verify: false

ansible/roles/drone/handlers/main.yml

@@ -1,13 +1,5 @@
-- name: restart server
-  when: drone_type == 'server' or drone_type == 'both'
+- name: restart drone
   systemd:
     name: drone
     state: restarted
     daemon_reload: yes
-
-- name: restart agent
-  when: drone_type == 'agent' or drone_type == 'both'
-  systemd:
-    name: agent
-    state: restarted
-    daemon_reload: yes

ansible/roles/drone/tasks/agent.yml

@@ -1,14 +0,0 @@
-- name: agent service
-  notify:
-    - restart agent
-  template:
-    src: agent.j2
-    dest: /etc/systemd/system/agent.service
-
-- name: agent start
-  systemd:
-    name: agent
-    state: started
-    daemon_reload: yes
-    masked: no
-    enabled: yes

ansible/roles/drone/tasks/main.yml

@@ -1,15 +1,45 @@
+- name: dirs
+  with_items:
+    - /compose/drone
+  file:
+    path: '{{ item }}'
+    state: directory
+  tags:
+    - drone
+
+- name: compose
+  notify:
+    - restart drone
+  template:
+    src: compose.j2
+    dest: /compose/drone/docker-compose.yml
+  tags:
+    - drone
+
 - name: default
   notify:
-    - restart agent
-    - restart server
+    - restart drone
   template:
     src: default.j2
-    dest: /etc/default/drone
+    dest: /compose/drone/.env
+  tags:
+    - drone
 
-- name: server
-  include: server.yml
-  when: drone_type == 'server' or drone_type == 'both'
+- name: service
+  notify:
+    - restart drone
+  template:
+    src: service.j2
+    dest: /etc/systemd/system/drone.service
+  tags:
+    - drone
 
-- name: agent
-  include: agent.yml
-  when: drone_type == 'agent' or drone_type == 'both'
+- name: start
+  systemd:
+    name: drone
+    state: started
+    daemon_reload: yes
+    masked: no
+    enabled: yes
+  tags:
+    - drone

ansible/roles/drone/tasks/server.yml

@@ -1,14 +0,0 @@
-- name: server service
-  notify:
-    - restart server
-  template:
-    src: server.j2
-    dest: /etc/systemd/system/drone.service
-
-- name: server start
-  systemd:
-    name: drone
-    state: started
-    daemon_reload: yes
-    masked: no
-    enabled: yes

ansible/roles/drone/templates/agent.j2

@@ -1,30 +0,0 @@
-[Unit]
-Description=Agent
-
-Requires=docker.service
-After=docker.service
-
-[Service]
-Restart=always
-
-EnvironmentFile=/etc/default/secrets
-EnvironmentFile=/etc/default/drone
-ExecStop=/bin/sh -c '/usr/bin/docker ps | /bin/grep %p 1> /dev/null && /usr/bin/docker stop %p || true'
-ExecStartPre=/bin/sh -c '/usr/bin/docker ps | /bin/grep %p 1> /dev/null && /usr/bin/docker kill %p || true'
-ExecStartPre=/bin/sh -c '/usr/bin/docker ps -a | /bin/grep %p 1> /dev/null && /usr/bin/docker rm %p || true'
-ExecStartPre=/usr/bin/docker pull {{ drone_container }}
-
-ExecStart=/usr/bin/docker run --rm \
-  --name %p \
-  --hostname %p \
-  --label traefik.enable=false \
-  --volume /var/run/docker.sock:/var/run/docker.sock \
-  --env DRONE_DEBUG=${DRONE_DEBUG} \
-  --env DRONE_SERVER=${DRONE_SERVER} \
-  --env DRONE_SECRET=${DRONE_SECRET} \
-  --env DRONE_PLUGIN_PULL=${DRONE_PLUGIN_PULL} \
-  --env DOCKER_MAX_PROCS=${DRONE_DOCKER_MAX_PROCS} \
-  {{ drone_container }} agent
-
-[Install]
-WantedBy=multi-user.target

ansible/roles/drone/templates/compose.j2

@@ -0,0 +1,72 @@
+version: "3"
+
+networks:
+  traefik:
+    external:
+      name: traefik_general
+  internal:
+    external: false
+
+volumes:
+  server:
+    driver: local
+
+services:
+  server:
+    image: ${DRONE_SERVER}
+    restart: always
+    environment:
+      - DRONE_GITHUB=${DRONE_GITHUB}
+      - DRONE_GITHUB_CLIENT=${DRONE_GITHUB_CLIENT}
+      - DRONE_GITHUB_SECRET=${DRONE_GITHUB_SECRET}
+      - DRONE_GOGS=${DRONE_GITEA}
+      - DRONE_GOGS_URL=${DRONE_GITEA_URL}
+      - DRONE_GOGS_SKIP_VERIFY=${DRONE_GITEA_SKIP_VERIFY}
+      - DRONE_DEBUG=${DRONE_DEBUG}
+      - DRONE_SECRET=${DRONE_SECRET}
+      - DRONE_OPEN=${DRONE_OPEN}
+      - DRONE_ORGS=${DRONE_ORGS}
+      - DRONE_ADMIN=${DRONE_ADMIN}
+      - DRONE_HOST=https://${DRONE_DOMAIN}
+      - DRONE_VOLUME=/etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
+      - DRONE_NETWORK=drone_internal
+      - DATABASE_DRIVER=sqlite3
+      - DATABASE_CONFIG=/var/lib/drone/database.sqlite3
+    networks:
+      - traefik
+      - internal
+    labels:
+      - traefik.docker.network=traefik_general
+      - traefik.port=8000
+      - traefik.frontend.rule=Host:${DRONE_DOMAIN}
+    healthcheck:
+      test: ["NONE"]
+      interval: 30s
+      timeout: 10s
+      retries: 5
+    volumes:
+      - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
+      - server:/var/lib/drone
+
+  agent:
+    image: ${DRONE_AGENT}
+    restart: always
+    environment:
+      - DRONE_SERVER=server:9000
+      - DRONE_DEBUG=${DRONE_DEBUG}
+      - DRONE_SECRET=${DRONE_SECRET}
+      - DRONE_MAX_PROCS=${DRONE_MAX_PROCS}
+    networks:
+      - internal
+    depends_on:
+      - server
+    labels:
+      - traefik.enable=false
+    healthcheck:
+      test: ["NONE"]
+      interval: 30s
+      timeout: 10s
+      retries: 5
+    volumes:
+      - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
+      - /var/run/docker.sock:/var/run/docker.sock

ansible/roles/drone/templates/default.j2

@@ -1,8 +1,18 @@
-DRONE_GITHUB={{ drone_github }}
-DRONE_OPEN={{ drone_open }}
-DRONE_ORGS={{ drone_orgs }}
-DRONE_ADMIN={{ drone_admins }}
-DRONE_DEBUG={{ drone_debug }}
-DRONE_SERVER=wss://{{ drone_domain }}/ws/broker
-DRONE_PLUGIN_PULL={{ drone_plugin_pull }}
-DRONE_DOCKER_MAX_PROCS={{ drone_max_procs }}
+DRONE_SERVER={{ drone_server }}
+DRONE_AGENT={{ drone_agent }}
+DRONE_DOMAIN={{ drone_domain }}
+DRONE_SERVER_HOST=https://{{ drone_domain }}
+DRONE_DEBUG={{ drone_debug | default(False) | lower }}
+DRONE_SECRET={{ drone_secret }}
+DRONE_OPEN={{ drone_open | default(False) | lower }}
+DRONE_ORGS={{ drone_orgs | default("") }}
+DRONE_ADMIN={{ drone_admins | default("") }}
+DRONE_MAX_PROCS={{ drone_max_procs | default(5) }}
+
+DRONE_GITHUB={{ drone_github | default(False) | lower }}
+DRONE_GITHUB_CLIENT={{ drone_github_client | default("") }}
+DRONE_GITHUB_SECRET={{ drone_github_secret | default("") }}
+
+DRONE_GITEA={{ drone_gitea | default(False) | lower }}
+DRONE_GITEA_URL={{ drone_gitea_url | default("") }}
+DRONE_GITEA_SKIP_VERIFY={{ drone_gitea_skip_verify | default(False) | lower }}

ansible/roles/drone/templates/server.j2

@@ -1,32 +0,0 @@
-[Unit]
-Description=Drone
-
-Requires=docker.service
-After=docker.service
-
-[Service]
-Restart=always
-
-EnvironmentFile=/etc/default/secrets
-EnvironmentFile=/etc/default/drone
-ExecStop=/bin/sh -c '/usr/bin/docker ps | /bin/grep %p 1> /dev/null && /usr/bin/docker stop %p || true'
-ExecStartPre=/bin/sh -c '/usr/bin/docker ps | /bin/grep %p 1> /dev/null && /usr/bin/docker kill %p || true'
-ExecStartPre=/bin/sh -c '/usr/bin/docker ps -a | /bin/grep %p 1> /dev/null && /usr/bin/docker rm %p || true'
-ExecStartPre=/usr/bin/docker pull {{ drone_container }}
-
-ExecStart=/usr/bin/docker run --rm \
-  --name %p \
-  --hostname %p \
-  --label traefik.frontend.rule=Host:{{ drone_domain }} \
-  --volume /var/lib/drone:/var/lib/drone \
-  --env DRONE_GITHUB=${DRONE_GITHUB} \
-  --env DRONE_GITHUB_CLIENT=${DRONE_GITHUB_CLIENT} \
-  --env DRONE_GITHUB_SECRET=${DRONE_GITHUB_SECRET} \
-  --env DRONE_SECRET=${DRONE_SECRET} \
-  --env DRONE_OPEN=${DRONE_OPEN} \
-  --env DRONE_ORGS=${DRONE_ORGS} \
-  --env DRONE_ADMIN=${DRONE_ADMIN} \
-  {{ drone_container }} server
-
-[Install]
-WantedBy=multi-user.target

ansible/roles/drone/templates/service.j2

@@ -0,0 +1,18 @@
+[Unit]
+Description=Drone
+
+Requires=docker.service
+After=docker.service
+
+[Service]
+Restart=always
+WorkingDirectory=/compose/drone
+
+ExecStop=/bin/sh -c '/usr/local/bin/docker-compose kill || true'
+ExecStopPost=/bin/sh -c '/usr/local/bin/docker-compose down --remove-orphans || true'
+
+ExecStartPre=/bin/sh -c '/usr/local/bin/docker-compose pull --ignore-pull-failures || true'
+ExecStart=/usr/local/bin/docker-compose up --abort-on-container-exit --remove-orphans
+
+[Install]
+WantedBy=multi-user.target

ansible/roles/lgtm/defaults/main.yml

@@ -1,3 +1,5 @@
 lgtm_container: gitea/lgtm:latest
 lgtm_domain: lgtm.gitea.io
-lgtm_debug: true
+lgtm_debug: false
+lgtm_client:
+lgtm_secret:

ansible/roles/lgtm/tasks/main.yml

@@ -1,16 +1,38 @@
-- name: service
+- name: dirs
+  with_items:
+    - /compose/lgtm
+  file:
+    path: '{{ item }}'
+    state: directory
+  tags:
+    - lgtm
+
+- name: compose
   notify:
     - restart lgtm
   template:
-    src: service.j2
-    dest: /etc/systemd/system/lgtm.service
+    src: compose.j2
+    dest: /compose/lgtm/docker-compose.yml
+  tags:
+    - lgtm
 
 - name: default
   notify:
     - restart lgtm
   template:
     src: default.j2
-    dest: /etc/default/lgtm
+    dest: /compose/lgtm/.env
+  tags:
+    - lgtm
+
+- name: service
+  notify:
+    - restart lgtm
+  template:
+    src: service.j2
+    dest: /etc/systemd/system/lgtm.service
+  tags:
+    - lgtm
 
 - name: start
   systemd:
@@ -19,3 +41,5 @@
     daemon_reload: yes
     masked: no
     enabled: yes
+  tags:
+    - lgtm

ansible/roles/lgtm/templates/compose.j2

@@ -0,0 +1,34 @@
+version: "3"
+
+networks:
+  traefik:
+    external:
+      name: traefik_general
+
+volumes:
+  server:
+    driver: local
+
+services:
+  server:
+    image: ${LGTM_CONTAINER}
+    restart: always
+    environment:
+      - DEBUG=${LGTM_DEBUG}
+      - GITHUB_CLIENT=${LGTM_CLIENT}
+      - GITHUB_SECRET=${LGTM_SECRET}
+    networks:
+      - traefik
+    labels:
+      - traefik.docker.network=traefik_general
+      - traefik.port=8000
+      - traefik.frontend.rule=Host:${LGTM_DOMAIN}
+    healthcheck:
+      test: ["NONE"]
+      interval: 30s
+      timeout: 10s
+      retries: 5
+    volumes:
+      - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
+      - server:/var/lib/lgtm
+

ansible/roles/lgtm/templates/default.j2

@@ -1 +1,5 @@
+LGTM_CONTAINER={{ lgtm_container }}
+LGTM_DOMAIN={{ lgtm_domain }}
 LGTM_DEBUG={{ lgtm_debug }}
+LGTM_CLIENT={{ lgtm_client }}
+LGTM_SECRET={{ lgtm_secret }}

ansible/roles/lgtm/templates/service.j2

@@ -1,28 +1,18 @@
 [Unit]
-Description=Lgtm
+Description=LGTM
 
 Requires=docker.service
 After=docker.service
 
 [Service]
 Restart=always
+WorkingDirectory=/compose/lgtm
 
-EnvironmentFile=/etc/default/secrets
-EnvironmentFile=/etc/default/lgtm
-ExecStop=/bin/sh -c '/usr/bin/docker ps | /bin/grep %p 1> /dev/null && /usr/bin/docker stop %p || true'
-ExecStartPre=/bin/sh -c '/usr/bin/docker ps | /bin/grep %p 1> /dev/null && /usr/bin/docker kill %p || true'
-ExecStartPre=/bin/sh -c '/usr/bin/docker ps -a | /bin/grep %p 1> /dev/null && /usr/bin/docker rm %p || true'
-ExecStartPre=/usr/bin/docker pull {{ lgtm_container }}
+ExecStop=/bin/sh -c '/usr/local/bin/docker-compose kill || true'
+ExecStopPost=/bin/sh -c '/usr/local/bin/docker-compose down --remove-orphans || true'
 
-ExecStart=/usr/bin/docker run --rm \
-  --name %p \
-  --hostname {{ lgtm_domain }} \
-  --label traefik.frontend.rule=Host:{{ lgtm_domain }} \
-  --volume /var/lib/lgtm:/var/lib/lgtm \
-  --env GITHUB_CLIENT=${LGTM_GITHUB_CLIENT} \
-  --env GITHUB_SECRET=${LGTM_GITHUB_SECRET} \
-  --env DEBUG=${LGTM_DEBUG} \
-  {{ lgtm_container }}
+ExecStartPre=/bin/sh -c '/usr/local/bin/docker-compose pull --ignore-pull-failures || true'
+ExecStart=/usr/local/bin/docker-compose up --abort-on-container-exit --remove-orphans
 
 [Install]
 WantedBy=multi-user.target

ansible/roles/minio/defaults/main.yml

@@ -1,2 +0,0 @@
-minio_container: webhippie/minio:latest
-minio_domain: storage.gitea.io

ansible/roles/minio/handlers/main.yml

@@ -1,5 +0,0 @@
-- name: restart minio
-  systemd:
-    name: minio
-    state: restarted
-    daemon_reload: yes

ansible/roles/minio/tasks/main.yml

@@ -1,21 +0,0 @@
-- name: service
-  notify:
-    - restart minio
-  template:
-    src: service.j2
-    dest: /etc/systemd/system/minio.service
-
-- name: default
-  notify:
-    - restart minio
-  template:
-    src: default.j2
-    dest: /etc/default/minio
-
-- name: start
-  systemd:
-    name: minio
-    state: started
-    daemon_reload: yes
-    masked: no
-    enabled: yes

ansible/roles/minio/templates/service.j2

@@ -1,27 +0,0 @@
-[Unit]
-Description=Minio
-
-Requires=docker.service
-After=docker.service
-
-[Service]
-Restart=always
-
-EnvironmentFile=/etc/default/secrets
-EnvironmentFile=/etc/default/minio
-ExecStop=/bin/sh -c '/usr/bin/docker ps | /bin/grep %p 1> /dev/null && /usr/bin/docker stop %p || true'
-ExecStartPre=/bin/sh -c '/usr/bin/docker ps | /bin/grep %p 1> /dev/null && /usr/bin/docker kill %p || true'
-ExecStartPre=/bin/sh -c '/usr/bin/docker ps -a | /bin/grep %p 1> /dev/null && /usr/bin/docker rm %p || true'
-ExecStartPre=/usr/bin/docker pull {{ minio_container }}
-
-ExecStart=/usr/bin/docker run --rm \
-  --name %p \
-  --hostname {{ minio_domain }} \
-  --label traefik.frontend.rule=Host:{{ minio_domain }} \
-  --volume /var/lib/minio:/var/lib/minio \
-  --env MINIO_ACCESS_KEY=${MINIO_ACCESS_KEY} \
-  --env MINIO_SECRET_KEY=${MINIO_SECRET_KEY} \
-  {{ minio_container }}
-
-[Install]
-WantedBy=multi-user.target

ansible/roles/pages/defaults/main.yml

@@ -0,0 +1,11 @@
+pages_redirects_container: gitea/redirects:latest
+pages_redirects_domain: code.gitea.io
+
+pages_blog_container: gitea/blog:latest
+pages_blog_domain: blog.gitea.io
+
+pages_docs_container: gitea/docs:latest
+pages_docs_domain: docs.gitea.io
+
+pages_website_container: gitea/website:latest
+pages_website_domain: gitea.io

ansible/roles/pages/handlers/main.yml

@@ -1,5 +1,5 @@
-- name: restart blog
+- name: restart pages
   systemd:
-    name: blog
+    name: pages
     state: restarted
     daemon_reload: yes

ansible/roles/pages/tasks/main.yml

@@ -0,0 +1,45 @@
+- name: dirs
+  with_items:
+    - /compose/pages
+  file:
+    path: '{{ item }}'
+    state: directory
+  tags:
+    - pages
+
+- name: compose
+  notify:
+    - restart pages
+  template:
+    src: compose.j2
+    dest: /compose/pages/docker-compose.yml
+  tags:
+    - pages
+
+- name: default
+  notify:
+    - restart pages
+  template:
+    src: default.j2
+    dest: /compose/pages/.env
+  tags:
+    - pages
+
+- name: service
+  notify:
+    - restart pages
+  template:
+    src: service.j2
+    dest: /etc/systemd/system/pages.service
+  tags:
+    - pages
+
+- name: start
+  systemd:
+    name: pages
+    state: started
+    daemon_reload: yes
+    masked: no
+    enabled: yes
+  tags:
+    - pages

ansible/roles/pages/templates/compose.j2

@@ -0,0 +1,75 @@
+version: "3"
+
+networks:
+  traefik:
+    external:
+      name: traefik_general
+
+services:
+  redirects:
+    image: ${PAGES_REDIRECTS_CONTAINER}
+    restart: always
+    networks:
+      - traefik
+    labels:
+      - traefik.docker.network=traefik_general
+      - traefik.port=80
+      - traefik.frontend.rule=Host:${PAGES_REDIRECTS_DOMAIN}
+    healthcheck:
+      test: ["NONE"]
+      interval: 30s
+      timeout: 10s
+      retries: 5
+    volumes:
+      - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
+
+  blog:
+    image: ${PAGES_BLOG_CONTAINER}
+    restart: always
+    networks:
+      - traefik
+    labels:
+      - traefik.docker.network=traefik_general
+      - traefik.port=80
+      - traefik.frontend.rule=Host:${PAGES_BLOG_DOMAIN}
+    healthcheck:
+      test: ["NONE"]
+      interval: 30s
+      timeout: 10s
+      retries: 5
+    volumes:
+      - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
+
+  docs:
+    image: ${PAGES_DOCS_CONTAINER}
+    restart: always
+    networks:
+      - traefik
+    labels:
+      - traefik.docker.network=traefik_general
+      - traefik.port=80
+      - traefik.frontend.rule=Host:${PAGES_DOCS_DOMAIN}
+    healthcheck:
+      test: ["NONE"]
+      interval: 30s
+      timeout: 10s
+      retries: 5
+    volumes:
+      - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
+
+  website:
+    image: ${PAGES_WEBSITE_CONTAINER}
+    restart: always
+    networks:
+      - traefik
+    labels:
+      - traefik.docker.network=traefik_general
+      - traefik.port=80
+      - traefik.frontend.rule=Host:${PAGES_WEBSITE_DOMAIN}
+    healthcheck:
+      test: ["NONE"]
+      interval: 30s
+      timeout: 10s
+      retries: 5
+    volumes:
+      - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro

ansible/roles/pages/templates/default.j2

@@ -0,0 +1,11 @@
+PAGES_REDIRECTS_DOMAIN={{ pages_redirects_domain }}
+PAGES_REDIRECTS_CONTAINER={{ pages_redirects_container }}
+
+PAGES_BLOG_DOMAIN={{ pages_blog_domain }}
+PAGES_BLOG_CONTAINER={{ pages_blog_container }}
+
+PAGES_DOCS_DOMAIN={{ pages_docs_domain }}
+PAGES_DOCS_CONTAINER={{ pages_docs_container }}
+
+PAGES_WEBSITE_DOMAIN={{ pages_website_domain }}
+PAGES_WEBSITE_CONTAINER={{ pages_website_container }}

ansible/roles/pages/templates/service.j2

@@ -0,0 +1,18 @@
+[Unit]
+Description=Pages
+
+Requires=docker.service
+After=docker.service
+
+[Service]
+Restart=always
+WorkingDirectory=/compose/pages
+
+ExecStop=/bin/sh -c '/usr/local/bin/docker-compose kill || true'
+ExecStopPost=/bin/sh -c '/usr/local/bin/docker-compose down --remove-orphans || true'
+
+ExecStartPre=/bin/sh -c '/usr/local/bin/docker-compose pull --ignore-pull-failures || true'
+ExecStart=/usr/local/bin/docker-compose up --abort-on-container-exit --remove-orphans
+
+[Install]
+WantedBy=multi-user.target

ansible/roles/root/tasks/main.yml

@@ -4,11 +4,15 @@
   package:
     name: '{{ item }}'
     state: present
+  tags:
+    - root
 
 - name: homeshick
   git:
     repo: https://github.com/andsens/homeshick.git
     dest: /root/.homesick/repos/homeshick
+  tags:
+    - root
 
 - name: castles
   with_items: '{{ root_castles }}'
@@ -16,21 +20,23 @@
   git:
     repo: https://github.com/{{ item }}.git
     dest: /root/.homesick/repos/{{ item | basename }}
+  tags:
+    - root
 
 - name: links
   with_items: '{{ root_castles }}'
   when: root_castles|default(None) != None
   command: /root/.homesick/repos/homeshick/bin/homeshick -f -b -q link {{ item | basename }}
+  tags:
+    - root
 
 - name: sshkeys
   when: root_sshkeys|default(None) != None
   authorized_key:
     user: root
     key: '{{ root_sshkeys }}'
-    path: /root/.ssh/instance_keys
+    path: /root/.ssh/authorized_keys
     exclusive: yes
     state: present
-
-- name: fetchkeys
-  when: root_sshkeys|default(None) != None
-  command: scw-fetch-ssh-keys --upgrade
+  tags:
+    - root

ansible/roles/traefik/defaults/main.yml

@@ -1,4 +1,10 @@
-traefik_container: containous/traefik:v1.2.3
+traefik_container: containous/traefik:v1.3.7
 traefik_domain: gitea.io
 traefik_email: info@gitea.io
 traefik_loglevel: INFO
+
+traefik_cloudflare_email:
+traefik_cloudflare_apikey:
+
+traefik_watchtower_container: webhippie/watchtower:latest
+traefik_watchtower_cleanup: true

ansible/roles/traefik/tasks/main.yml

@@ -1,15 +1,47 @@
 - name: acme
-  file:
-    path: /etc/acme.json
-    mode: u=rw,g-rwx,o-rrwx
-    state: touch
+  copy:
+    content: ""
+    dest: /etc/acme.json
+    mode: u=rw,g=,o=
+    force: no
+  tags:
+    - traefik
 
-- name: traefik
+- name: config
   notify:
     - restart traefik
   template:
-    src: traefik.j2
+    src: config.j2
     dest: /etc/traefik.toml
+  tags:
+    - traefik
+
+- name: dirs
+  with_items:
+    - /compose/traefik
+  file:
+    path: '{{ item }}'
+    state: directory
+  tags:
+    - traefik
+
+- name: compose
+  notify:
+    - restart traefik
+  template:
+    src: compose.j2
+    dest: /compose/traefik/docker-compose.yml
+  tags:
+    - traefik
+
+- name: default
+  notify:
+    - restart traefik
+  template:
+    src: default.j2
+    dest: /compose/traefik/.env
+  tags:
+    - traefik
 
 - name: service
   notify:
@@ -17,13 +49,8 @@
   template:
     src: service.j2
     dest: /etc/systemd/system/traefik.service
-
-- name: default
-  notify:
-    - restart traefik
-  template:
-    src: default.j2
-    dest: /etc/default/traefik
+  tags:
+    - traefik
 
 - name: start
   systemd:
@@ -32,3 +59,5 @@
     daemon_reload: yes
     masked: no
     enabled: yes
+  tags:
+    - traefik

ansible/roles/traefik/templates/compose.j2

@@ -0,0 +1,42 @@
+version: "3"
+
+networks:
+  general:
+    driver: bridge
+
+services:
+  server:
+    image: ${TRAEFIK_CONTAINER}
+    restart: always
+    command: -c /etc/traefik.toml
+    environment:
+      - CLOUDFLARE_EMAIL=${TRAEFIK_CLOUDFLARE_EMAIL}
+      - CLOUDFLARE_API_KEY=${TRAEFIK_CLOUDFLARE_APIKEY}
+    ports:
+      - 80:80
+      - 443:443
+    networks:
+      - general
+    labels:
+      - traefik.enable=false
+    healthcheck:
+      test: ["NONE"]
+      interval: 30s
+      timeout: 10s
+      retries: 5
+    volumes:
+      - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /etc/acme.json:/etc/acme.json
+      - /etc/traefik.toml:/etc/traefik.toml
+
+  watchtower:
+    image: ${TRAEFIK_WATCHTOWER_CONTAINER}
+    restart: always
+    environment:
+      - WATCHTOWER_CLEANUP=${TRAEFIK_WATCHTOWER_CLEANUP}
+    labels:
+      - traefik.enable=false
+    volumes:
+      - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
+      - /var/run/docker.sock:/var/run/docker.sock

ansible/roles/traefik/templates/config.j2

@@ -11,12 +11,13 @@ logLevel = "{{ traefik_loglevel }}"
     [entryPoints.https.tls]
 
 [acme]
-email = "{{ traefik_email }}"
-storage = "/etc/acme.json"
-entryPoint = "https"
-onDemand = true
-dnsProvider = "cloudflare"
+  email = "{{ traefik_email }}"
+  storage = "/etc/acme.json"
+  entryPoint = "https"
+  onDemand = true
+  dnsProvider = "cloudflare"
+  acmeLogging = true
 
 [docker]
-domain = "{{ traefik_domain }}"
-watch = true
+  domain = "{{ traefik_domain }}"
+  watch = true

ansible/roles/traefik/templates/default.j2

@@ -0,0 +1,7 @@
+TRAEFIK_CONTAINER={{ traefik_container }}
+
+TRAEFIK_CLOUDFLARE_EMAIL={{ traefik_cloudflare_email }}
+TRAEFIK_CLOUDFLARE_APIKEY={{ traefik_cloudflare_apikey }}
+
+TRAEFIK_WATCHTOWER_CONTAINER={{ traefik_watchtower_container }}
+TRAEFIK_WATCHTOWER_CLEANUP={{ traefik_watchtower_cleanup | default(False) | lower }}

ansible/roles/traefik/templates/service.j2

@@ -6,26 +6,14 @@ After=docker.service
 
 [Service]
 Restart=always
+WorkingDirectory=/compose/traefik
+TimeoutStartSec=300
 
-EnvironmentFile=/etc/default/secrets
-EnvironmentFile=/etc/default/traefik
-ExecStop=/bin/sh -c '/usr/bin/docker ps | /bin/grep %p 1> /dev/null && /usr/bin/docker stop %p || true'
-ExecStartPre=/bin/sh -c '/usr/bin/docker ps | /bin/grep %p 1> /dev/null && /usr/bin/docker kill %p || true'
-ExecStartPre=/bin/sh -c '/usr/bin/docker ps -a | /bin/grep %p 1> /dev/null && /usr/bin/docker rm %p || true'
-ExecStartPre=/usr/bin/docker pull {{ traefik_container }}
+ExecStop=/bin/sh -c '/usr/local/bin/docker-compose kill || true'
+ExecStopPost=/bin/sh -c '/usr/local/bin/docker-compose down --remove-orphans || true'
 
-ExecStart=/usr/bin/docker run --rm \
-  --name %p \
-  --hostname {{ traefik_domain }} \
-  --label traefik.enable=false \
-  --volume /etc/acme.json:/etc/acme.json \
-  --volume /etc/traefik.toml:/etc/traefik.toml \
-  --volume /var/run/docker.sock:/var/run/docker.sock \
-  --env CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL} \
-  --env CLOUDFLARE_API_KEY=${CLOUDFLARE_API_KEY} \
-  --publish 443:443 \
-  --publish 80:80 \
-  {{ traefik_container }} -c /etc/traefik.toml
+ExecStartPre=/bin/sh -c '/usr/local/bin/docker-compose pull --ignore-pull-failures || true'
+ExecStart=/usr/local/bin/docker-compose up --abort-on-container-exit --remove-orphans
 
 [Install]
 WantedBy=multi-user.target

ansible/roles/users/tasks/main.yml

@@ -4,6 +4,8 @@
   package:
     name: '{{ item }}'
     state: present
+  tags:
+    - users
 
 - name: group
   with_items: '{{ users }}'
@@ -12,6 +14,8 @@
     name: '{{ item.name }}'
     gid: '{{ item.uid }}'
     state: present
+  tags:
+    - users
 
 - name: create
   with_items: '{{ users }}'
@@ -26,6 +30,8 @@
     append: yes
     createhome: yes
     state: present
+  tags:
+    - users
 
 - name: homeshick
   with_items: '{{ users }}'
@@ -35,6 +41,8 @@
   git:
     repo: https://github.com/andsens/homeshick.git
     dest: /home/{{ item.name }}/.homesick/repos/homeshick
+  tags:
+    - users
 
 - name: castles
   with_subelements: ['{{ users }}', castles]
@@ -44,6 +52,8 @@
   git:
     repo: https://github.com/{{ item.1 }}.git
     dest: /home/{{ item.0.name }}/.homesick/repos/{{ item.1 | basename }}
+  tags:
+    - users
 
 - name: links
   with_subelements: ['{{ users }}', castles]
@@ -51,6 +61,8 @@
   become: yes
   become_user: '{{ item.0.name }}'
   command: /home/{{ item.0.name }}/.homesick/repos/homeshick/bin/homeshick -f -b -q link {{ item.1 | basename }}
+  tags:
+    - users
 
 - name: sshkeys
   with_items: '{{ users }}'
@@ -60,3 +72,5 @@
     key: '{{ item.sshkeys }}'
     exclusive: yes
     state: present
+  tags:
+    - users

ansible/roles/watchtower/defaults/main.yml

@@ -1,2 +0,0 @@
-watchtower_container: webhippie/watchtower:latest
-watchtower_cleanup: true

ansible/roles/watchtower/handlers/main.yml

@@ -1,5 +0,0 @@
-- name: restart watchtower
-  systemd:
-    name: watchtower
-    state: restarted
-    daemon_reload: yes

ansible/roles/watchtower/tasks/main.yml

@@ -1,21 +0,0 @@
-- name: service
-  notify:
-    - restart watchtower
-  template:
-    src: service.j2
-    dest: /etc/systemd/system/watchtower.service
-
-- name: default
-  notify:
-    - restart watchtower
-  template:
-    src: default.j2
-    dest: /etc/default/watchtower
-
-- name: start
-  systemd:
-    name: watchtower
-    state: started
-    daemon_reload: yes
-    masked: no
-    enabled: yes

ansible/roles/watchtower/templates/default.j2

@@ -1 +0,0 @@
-WATCHTOWER_CLEANUP={{ watchtower_cleanup }}

ansible/roles/watchtower/templates/service.j2

@@ -1,25 +0,0 @@
-[Unit]
-Description=Watchtower
-
-Requires=docker.service
-After=docker.service
-
-[Service]
-Restart=always
-
-EnvironmentFile=/etc/default/watchtower
-ExecStop=/bin/sh -c '/usr/bin/docker ps | /bin/grep %p 1> /dev/null && /usr/bin/docker stop %p || true'
-ExecStartPre=/bin/sh -c '/usr/bin/docker ps | /bin/grep %p 1> /dev/null && /usr/bin/docker kill %p || true'
-ExecStartPre=/bin/sh -c '/usr/bin/docker ps -a | /bin/grep %p 1> /dev/null && /usr/bin/docker rm %p || true'
-ExecStartPre=/usr/bin/docker pull {{ watchtower_container }}
-
-ExecStart=/usr/bin/docker run --rm \
-  --name %p \
-  --hostname %p \
-  --label traefik.enable=false \
-  --volume /var/run/docker.sock:/var/run/docker.sock \
-  --env WATCHTOWER_CLEANUP=${WATCHTOWER_CLEANUP} \
-  {{ watchtower_container }}
-
-[Install]
-WantedBy=multi-user.target

ansible/roles/website/defaults/main.yml

@@ -1,2 +0,0 @@
-website_domain: gitea.io
-website_container: gitea/website:latest

ansible/roles/website/handlers/main.yml

@@ -1,5 +0,0 @@
-- name: restart website
-  systemd:
-    name: website
-    state: restarted
-    daemon_reload: yes

ansible/roles/website/tasks/main.yml

@@ -1,21 +0,0 @@
-- name: service
-  notify:
-    - restart website
-  template:
-    src: service.j2
-    dest: /etc/systemd/system/website.service
-
-- name: default
-  notify:
-    - restart website
-  template:
-    src: default.j2
-    dest: /etc/default/website
-
-- name: start
-  systemd:
-    name: website
-    state: started
-    daemon_reload: yes
-    masked: no
-    enabled: yes

ansible/roles/website/templates/service.j2

@@ -1,23 +0,0 @@
-[Unit]
-Description=Website
-
-Requires=docker.service
-After=docker.service
-
-[Service]
-Restart=always
-
-EnvironmentFile=/etc/default/website
-ExecStop=/bin/sh -c '/usr/bin/docker ps | /bin/grep %p 1> /dev/null && /usr/bin/docker stop %p || true'
-ExecStartPre=/bin/sh -c '/usr/bin/docker ps | /bin/grep %p 1> /dev/null && /usr/bin/docker kill %p || true'
-ExecStartPre=/bin/sh -c '/usr/bin/docker ps -a | /bin/grep %p 1> /dev/null && /usr/bin/docker rm %p || true'
-ExecStartPre=/usr/bin/docker pull {{ website_container }}
-
-ExecStart=/usr/bin/docker run --rm \
-  --name %p \
-  --hostname {{ website_domain }} \
-  --label traefik.frontend.rule=Host:{{ website_domain }} \
-  {{ website_container }}
-
-[Install]
-WantedBy=multi-user.target

bin/ansible

@@ -14,5 +14,12 @@ then
     exit 1
 fi
 
+if ! test -f ${ROOT}/.vault
+then
+    echo "Failed to find .vault file!"
+    exit 1
+fi
+
 exec ansible \
-  --inventory-file=${ROOT}/ansible/hosts.ini $@
+    --vault-password-file=${ROOT}/.vault \
+    --inventory-file=${ROOT}/ansible/hosts.ini $@

bin/playbook

@@ -14,6 +14,13 @@ then
     exit 1
 fi
 
+if ! test -f ${ROOT}/.vault
+then
+    echo "Failed to find .vault file!"
+    exit 1
+fi
+
 exec ansible-playbook \
+    --vault-password-file=${ROOT}/.vault \
     --inventory-file=${ROOT}/ansible/hosts.ini \
     ${ROOT}/ansible/playbook.yml $@

terraform/domains.tf

@@ -1,12 +1,119 @@
-resource "cloudflare_record" "mx" {
+resource "cloudflare_record" "mx1" {
   domain   = "${var.cloudflare_domain}"
   name     = "@"
-  value    = "${var.mail_domain}"
+  value    = "mx.zoho.com"
   type     = "MX"
   priority = 10
   proxied  = false
 }
 
+resource "cloudflare_record" "mx2" {
+  domain   = "${var.cloudflare_domain}"
+  name     = "@"
+  value    = "mx2.zoho.com"
+  type     = "MX"
+  priority = 20
+  proxied  = false
+}
+
+resource "cloudflare_record" "mx3" {
+  domain   = "${var.cloudflare_domain}"
+  name     = "mailgun"
+  value    = "mxa.mailgun.org"
+  type     = "MX"
+  priority = 10
+  proxied  = false
+}
+
+resource "cloudflare_record" "mx4" {
+  domain   = "${var.cloudflare_domain}"
+  name     = "mailgun"
+  value    = "mxb.mailgun.org"
+  type     = "MX"
+  priority = 10
+  proxied  = false
+}
+
+resource "cloudflare_record" "spf1" {
+  domain   = "${var.cloudflare_domain}"
+  name     = "zoho"
+  value    = "v=spf1 mx include:zoho.com ~all"
+  type     = "SPF"
+  proxied  = false
+}
+
+resource "cloudflare_record" "txt1" {
+  domain   = "${var.cloudflare_domain}"
+  name     = "_acme-challenge.coverage"
+  value    = "OPuLFURRN5kvhFzJBMCY9AMY6DThIi7YonbaheKguGc"
+  type     = "TXT"
+  proxied  = false
+}
+
+resource "cloudflare_record" "txt2" {
+  domain   = "${var.cloudflare_domain}"
+  name     = "@"
+  value    = "v=spf1 include:zoho.com ~all"
+  type     = "TXT"
+  proxied  = false
+}
+
+resource "cloudflare_record" "txt3" {
+  domain   = "${var.cloudflare_domain}"
+  name     = "k1._domainkey.mailgun"
+  value    = "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUz1pPYWPp2BPsov+ds4O1PVe2FaptKqPaxXqwk/BDv8xeWf9FnMmt2+m+cODM8jr+c9pZeSmkhXkX/VVbIaaZE3ilpJymn+cHmHRXhGWhjB9eMw4Md6DswQtzu55U8m6PUaP7q2e2LZaMW6NafXsCsjj2RrGRedgFIOtw02E6RQIDAQAB"
+  type     = "TXT"
+  proxied  = false
+}
+
+resource "cloudflare_record" "txt4" {
+  domain   = "${var.cloudflare_domain}"
+  name     = "mailgun"
+  value    = "v=spf1 include:mailgun.org ~all"
+  type     = "TXT"
+  proxied  = false
+}
+
+resource "cloudflare_record" "txt5" {
+  domain   = "${var.cloudflare_domain}"
+  name     = "zoho._domainkey"
+  value    = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdlMfEWjnNTTEnlfrCUmdXDYehLExTJWTJFPv8VileUh9RBCXoHAeUOasCxD4xJq6iEd/mVoaV0ojTppYnf4++G3UJRYUIRrlLDnVD6vQfAQegIT9wVyANj98kFxi5ptJLZNqFSfWz1+/E4M/ekp+A1Rynh9rrW+rvC5yLstudYwIDAQAB"
+  type     = "TXT"
+  proxied  = false
+}
+
+resource "cloudflare_record" "discourse" {
+  domain  = "${var.cloudflare_domain}"
+  name    = "discourse"
+  value   = "gitea.hosted-by-discourse.com"
+  type    = "CNAME"
+  proxied = false
+}
+
+resource "cloudflare_record" "mailgun" {
+  domain  = "${var.cloudflare_domain}"
+  name    = "email.mailgun"
+  value   = "mailgun.org"
+  type    = "CNAME"
+  proxied = false
+}
+
+resource "cloudflare_record" "status" {
+  domain  = "${var.cloudflare_domain}"
+  name    = "status"
+  value   = "stats.uptimerobot.com"
+  type    = "CNAME"
+  proxied = false
+}
+
+resource "cloudflare_record" "zoho" {
+  domain  = "${var.cloudflare_domain}"
+  name    = "zb14818752"
+  value   = "zmverify.zoho.com"
+  type    = "CNAME"
+  proxied = false
+}
+
 resource "cloudflare_record" "gitea" {
   domain  = "${var.cloudflare_domain}"
   name    = "@"
@@ -23,14 +130,22 @@ resource "cloudflare_record" "blog" {
   proxied = true
 }
 
-resource "cloudflare_record" "docs" {
+resource "cloudflare_record" "code" {
   domain  = "${var.cloudflare_domain}"
-  name    = "docs"
+  name    = "code"
   value   = "${lookup(var.server_names, 0)}.${var.cloudflare_domain}"
   type    = "CNAME"
   proxied = true
 }
 
+resource "cloudflare_record" "coverage" {
+  domain  = "${var.cloudflare_domain}"
+  name    = "coverage"
+  value   = "${lookup(var.server_names, 0)}.${var.cloudflare_domain}"
+  type    = "CNAME"
+  proxied = false
+}
+
 resource "cloudflare_record" "dl" {
   domain  = "${var.cloudflare_domain}"
   name    = "dl"
@@ -39,17 +154,17 @@ resource "cloudflare_record" "dl" {
   proxied = true
 }
 
-resource "cloudflare_record" "code" {
+resource "cloudflare_record" "docs" {
   domain  = "${var.cloudflare_domain}"
-  name    = "code"
+  name    = "docs"
   value   = "${lookup(var.server_names, 0)}.${var.cloudflare_domain}"
   type    = "CNAME"
   proxied = true
 }
 
-resource "cloudflare_record" "storage" {
+resource "cloudflare_record" "drone" {
   domain  = "${var.cloudflare_domain}"
-  name    = "storage"
+  name    = "drone"
   value   = "${lookup(var.server_names, 0)}.${var.cloudflare_domain}"
   type    = "CNAME"
   proxied = false
@@ -63,17 +178,9 @@ resource "cloudflare_record" "lgtm" {
   proxied = false
 }
 
-resource "cloudflare_record" "coverage" {
+resource "cloudflare_record" "storage" {
   domain  = "${var.cloudflare_domain}"
-  name    = "coverage"
-  value   = "${lookup(var.server_names, 0)}.${var.cloudflare_domain}"
-  type    = "CNAME"
-  proxied = false
-}
-
-resource "cloudflare_record" "drone" {
-  domain  = "${var.cloudflare_domain}"
-  name    = "drone"
+  name    = "storage"
   value   = "${lookup(var.server_names, 0)}.${var.cloudflare_domain}"
   type    = "CNAME"
   proxied = false
@@ -88,3 +195,12 @@ resource "cloudflare_record" "try" {
   depends_on = ["digitalocean_droplet.demo"]
 }
 
+resource "cloudflare_record" "try-drone" {
+  domain     = "${var.cloudflare_domain}"
+  name       = "drone.try"
+  value      = "${lookup(var.demo_names, 0)}.${var.cloudflare_domain}"
+  type       = "CNAME"
+  proxied    = false
+  depends_on = ["digitalocean_droplet.demo"]
+}
+

terraform/variables.tf

@@ -15,11 +15,6 @@ variable "cloudflare_domain" {
   default = "gitea.io"
 }
 
-variable "mail_domain" {
-  type    = "string"
-  default = "mx.ym.163.com"
-}
-
 variable "demo_count" {
   type    = "string"
   default = "1"
@@ -105,6 +100,7 @@ variable "ssh_keys" {
     "bkc2"      = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2Sovl8XfHqhiAo1GQpsJ/Z8YMvs+xPt1NMsHa5mqAtaMSGsaxIgfpL80+oSX7/itHZJfi7OcRz7R8LzJfy6WKMZUzSkkXXZlxYT328qlMzRPOtkyDWBgIY7ArcDkiyY2MFnbv5uIgilpRKFxFNxx7TuUucOmrB9SHTINy1rDiLHbvZTyJH83WVRo8V6+2JB1N1hyBWbsLNRL9VTAb3v1RvRaDUq92HJqLN77SrxHitst/7PnSimIdnPN04pogP8bDqD/XVL08ZAOXgIQvXqHIC6V+UebLSw18tw/Iac7rYNyYo949NnzQCZ0lB3/yi+L/3Hq9rpiDp3GmANQRRcBN bkc@gitea.io"
     "bkc3"      = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9WgmBjn7jlFzAz7QPE5p3F+wG2Dbcg616J/vQk1e0Z4hlRSejoFoA9JVV8IuKBdXYDCieqctvbd01S/5dyDOq8rIoyLa1vfYAqkztzShjZ91WAnv8JOU2o5YC1HtiSKP4ygDzTztr97L1Mv29S3RM1ZFjiNo/0gncMK2uI7z9BgzTXkHEvWPqOy+ca8f6HFVDTL5wfer1oY0gkj4fbYdHclpFrMQh0WBI/Z4YvZz7oRmJHajyRfmTu5X/iLsFk8daP+O7wJpQPwKsefczZmrHyKLC4DgrcHEBzvfyfRa/MQNdJZ+ohayomX51xpsAfBOb4AlJbM7o2SgyJcnfolK7 bkc@gitea.io"
     "lunny1"    = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNxqUBNvl59j7Xkw3I1rXkiz0LWNvOK2KFFgLB4C101xv6C/UGjCJPlAWYl5lrTokICqi8fmLkVzAuhhGaPs28Eo55lARl1uZoTSuuobKaZHc/SZzIqn2NgSYV9WNzskpo8IkN2K5DWCYr73x6tskJ5BT9hcXWaPRb8s7dEPnw7NduhMroqlNBFgCwIgkYrjjNNIEZt5G5q2aYFLmIRRZ1JimuAJBlmQJCw+W049tjjNUKY4f2Fm9zIbktPZvSgT2kRvMWxUc8KR1kyzMVaDgqFJKQFjEoZ3kKTfkf3FV2O6tIZHA9fnRYABQy+7HAjRRFcVEu7usu12BKZ0QHKhWT lunny@gitea.io"
+    "appleboy1" = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3uQtMr300gb2icmedgrYgsI/slCgS8mDkPS1G0rlEACyMund4lMo+C8vTnhfoq7CmWGFDuGXXMGcgnnhiN67EXf4xKwCiypmvV4hrisd5FDyluNvUo9wdsqcq3Nv8jNYid27uidgx2v1o4bjidV8F163M5OuQV/Ij1uYsoZ4GiZvLAq5W09twqThEcz9Us9PljQlpqMxoF68hEyL3FM7MioOPshQiENf/3yRohHTzcDYI369hjJu7OpFqp+VORDc/Lma8bOufd/jGZsOBSiV9wjwYLHUHJsSzYv2Cg+jdmUnYjfqUsabwH1bjTVtiRKiXfZMeFF8ju5d9I7ExNp4x appleboy@gitea.io"
   }
 }