diff --git a/ansible/deploy.yml b/ansible/deploy.yml new file mode 100644 index 0000000..b376c74 --- /dev/null +++ b/ansible/deploy.yml 
@@ -0,0 +1,165 @@ +--- +# ============================================================= +# ecosplay-auth deploy playbook (local execution on the server) +# +# Assumes: +# - This repo is cloned at {{ deploy_dir }} (default /var/www/e-auth) +# and the playbook is invoked from inside ansible/. +# - Caddy is already installed on the server with the +# caddy-dns/cloudflare plugin and loads per-site files from +# /etc/caddy/site/*.conf. +# - The user running `ansible-playbook` has passwordless sudo. +# +# Usage: +# cd /var/www/e-auth/ansible +# ansible-playbook deploy.yml +# ============================================================= + +- name: Deploy ecosplay-auth (Keycloak + Caddy vhost) + hosts: localhost + connection: local + become: true + gather_facts: true + + vars: + # Root of the repo (the parent of the ansible/ directory). + deploy_dir: "{{ playbook_dir | dirname }}" + + tasks: + + # --------------------------------------------------------- + # System prerequisites + # --------------------------------------------------------- + - name: Install base packages + ansible.builtin.apt: + name: + - ca-certificates + - curl + - gnupg + - python3-apt + - rsync + update_cache: yes + state: present + + # --------------------------------------------------------- + # Docker Engine + compose plugin (idempotent) + # --------------------------------------------------------- + - name: Ensure /etc/apt/keyrings exists + ansible.builtin.file: + path: /etc/apt/keyrings + state: directory + mode: "0755" + + - name: Add Docker GPG key + ansible.builtin.get_url: + url: "https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg" + dest: /etc/apt/keyrings/docker.asc + mode: "0644" + + - name: Add Docker apt repository + ansible.builtin.apt_repository: + repo: >- + deb [arch={{ ansible_architecture | + replace('x86_64', 'amd64') | + replace('aarch64', 'arm64') }} + signed-by=/etc/apt/keyrings/docker.asc] + https://download.docker.com/linux/{{ ansible_distribution | lower 
}} + {{ ansible_distribution_release }} stable + state: present + filename: docker + update_cache: yes + + - name: Install Docker Engine + compose plugin + ansible.builtin.apt: + name: + - docker-ce + - docker-ce-cli + - containerd.io + - docker-buildx-plugin + - docker-compose-plugin + state: present + + - name: Ensure Docker service is running + ansible.builtin.systemd: + name: docker + state: started + enabled: yes + + # --------------------------------------------------------- + # Repo files (already present at {{ deploy_dir }}) + # --------------------------------------------------------- + - name: Ensure deploy directory exists + ansible.builtin.file: + path: "{{ deploy_dir }}" + state: directory + mode: "0755" + + - name: Ensure init/sync.sh is executable + ansible.builtin.file: + path: "{{ deploy_dir }}/init/sync.sh" + mode: "0755" + + # --------------------------------------------------------- + # Caddy vhost for auth.e-cosplay.fr + # --------------------------------------------------------- + - name: Ensure /etc/caddy/site directory exists + ansible.builtin.file: + path: /etc/caddy/site + state: directory + mode: "0755" + owner: root + group: root + + - name: Ensure /var/log/caddy directory exists + ansible.builtin.file: + path: /var/log/caddy + state: directory + mode: "0755" + owner: caddy + group: caddy + ignore_errors: true + + - name: Deploy Caddy vhost for {{ auth_domain }} + ansible.builtin.template: + src: e-auth.conf.j2 + dest: "{{ caddy_site_file }}" + mode: "0644" + owner: root + group: root + notify: Reload caddy + + - name: Validate Caddy configuration + ansible.builtin.command: caddy validate --config /etc/caddy/Caddyfile + register: caddy_validate + changed_when: false + failed_when: caddy_validate.rc != 0 + + # --------------------------------------------------------- + # Bring up the docker-compose stack + # --------------------------------------------------------- + - name: Pull docker images + ansible.builtin.command: docker compose 
pull + args: + chdir: "{{ deploy_dir }}" + changed_when: false + + - name: Start docker-compose stack + ansible.builtin.command: docker compose up -d --remove-orphans + args: + chdir: "{{ deploy_dir }}" + register: compose_up + changed_when: >- + 'Started' in (compose_up.stderr | default('')) + or 'Created' in (compose_up.stderr | default('')) + or 'Recreated' in (compose_up.stderr | default('')) + + - name: Show compose output + ansible.builtin.debug: + var: compose_up.stderr_lines + when: compose_up.stderr_lines is defined + + handlers: + - name: Reload caddy + ansible.builtin.systemd: + name: caddy + state: reloaded diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml new file mode 100644 index 0000000..99bb973 --- /dev/null +++ b/ansible/group_vars/all.yml @@ -0,0 +1,14 @@ +--- +# ecosplay-auth deploy vars + +deploy_dir: /var/www/e-auth +auth_domain: auth.e-cosplay.fr +keycloak_local_port: 9450 + +# Caddy (assumed already installed with the caddy-dns/cloudflare plugin +# and configured to load per-site files from /etc/caddy/site/*.conf) +caddy_site_file: /etc/caddy/site/e-auth.conf + +# Cloudflare API token consumed by the caddy-dns/cloudflare plugin +# for the ACME DNS-01 challenge. +cloudflare_token: cfat_rIHZqzCm9GKK3xVnQDNGfu6J91TseIDdTKeuWSFUdf6ccd31 diff --git a/ansible/templates/e-auth.conf.j2 b/ansible/templates/e-auth.conf.j2 new file mode 100644 index 0000000..de088be --- /dev/null +++ b/ansible/templates/e-auth.conf.j2 @@ -0,0 +1,19 @@ +# Managed by Ansible - ecosplay-auth +# Reverse proxy for {{ auth_domain }} -> local Keycloak container on :{{ keycloak_local_port }} + +{{ auth_domain }} { + tls { + dns cloudflare {{ cloudflare_token }} + } + + encode gzip zstd + + reverse_proxy 127.0.0.1:{{ keycloak_local_port }} + + log { + output file /var/log/caddy/{{ auth_domain }}.log { + roll_size 10mb + roll_keep 10 + } + } +}
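Review bot: The `Deploy Caddy vhost` task writes the rendered site file with `mode: "0644"`, and the `e-auth.conf.j2` template in this same change renders `cloudflare_token` into that file, so the Cloudflare API token becomes readable by every local account on the host. Tighten it to `mode: "0640"` with `group: caddy` (the `/var/log/caddy` task already assumes a `caddy` user and group exist), or better, keep the token out of the rendered file entirely via a Caddy `{env.…}` placeholder fed from a root-owned 0600 EnvironmentFile. Separately, `caddy validate` only runs after the new site file is already on disk, so a config that fails validation aborts the play (and with it the reload handler) yet remains in place for the next Caddy restart; the template module's `validate: caddy validate --adapter caddyfile --config %s` checks the rendered file before it replaces the live one. The `ignore_errors: true` on the log-directory task also hides the case where the `caddy` user is absent, which would then surface only later as Caddy failing to open its log file.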
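Review bot: `cloudflare_token` is committed in plaintext in `group_vars/all.yml`, which puts what appears to be a live Cloudflare API credential into version control and into every clone of this repo. Treat that token as compromised and revoke/rotate it in Cloudflare now; rewriting git history afterwards does not undo the exposure. Replace the literal with a value sourced at run time, e.g. `cloudflare_token: "{{ lookup('env', 'CLOUDFLARE_API_TOKEN') }}"`, or move it into an Ansible Vault file (`ansible-vault encrypt`) loaded alongside these vars. When issuing the replacement, scope it to the single zone and the DNS-edit permission the DNS-01 challenge needs, which bounds the damage if it leaks again.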
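Review bot: `dns cloudflare {{ cloudflare_token }}` bakes the API token into the rendered Caddyfile, so it lands in `/etc/caddy/site/e-auth.conf` on disk (written with `mode: "0644"` by the playbook in this diff) and in any `--diff`/check-mode output that prints the file. Caddy resolves environment placeholders in Caddyfiles, so `dns cloudflare {env.CLOUDFLARE_API_TOKEN}` with the variable supplied through a root-owned `0600` `EnvironmentFile=` in a systemd drop-in for the caddy unit keeps the secret out of both the config file and the Ansible template. If the token must stay templated for now, the playbook-side change to `mode: "0640"` with `group: caddy` is the minimum so that only root and the caddy group can read it.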