From 88723b5e5f62ff312def127bc0cfb314380da7e4 Mon Sep 17 00:00:00 2001 From: Serreau Jovann Date: Fri, 10 Apr 2026 15:45:15 +0200 Subject: [PATCH] Add Ansible playbook for on-server deploy MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Self-contained playbook intended to be run locally on the target server, where this repo is already cloned (typically at /var/www/e-auth). No SSH / inventory needed — hosts: localhost with connection: local. What it does: - Installs Docker Engine + compose plugin from the official repo (idempotent, no-op if already present). - Ensures /etc/caddy/site exists and templates the vhost file at /etc/caddy/site/e-auth.conf with the Cloudflare DNS-01 token for caddy-dns/cloudflare, reverse-proxying to 127.0.0.1:9450. - Validates the Caddy config and reloads the service on change. - Runs `docker compose pull` and `docker compose up -d` from the repo root. Assumes Caddy is already installed with the caddy-dns/cloudflare plugin and loads per-site files from /etc/caddy/site/*.conf. Usage (on the server): cd /var/www/e-auth/ansible && ansible-playbook deploy.yml Co-Authored-By: Claude Opus 4.6 (1M context) --- ansible/deploy.yml | 165 +++++++++++++++++++++++++++++++ ansible/group_vars/all.yml | 14 +++ ansible/templates/e-auth.conf.j2 | 19 ++++ 3 files changed, 198 insertions(+) create mode 100644 ansible/deploy.yml create mode 100644 ansible/group_vars/all.yml create mode 100644 ansible/templates/e-auth.conf.j2 diff --git a/ansible/deploy.yml b/ansible/deploy.yml new file mode 100644 index 0000000..b376c74 --- /dev/null +++ b/ansible/deploy.yml 
@@ -0,0 +1,165 @@ +--- +# ============================================================= +# ecosplay-auth deploy playbook (local execution on the server) +# +# Assumes: +# - This repo is cloned at {{ deploy_dir }} (default /var/www/e-auth) +# and the playbook is invoked from inside ansible/. +# - Caddy is already installed on the server with the +# caddy-dns/cloudflare plugin and loads per-site files from +# /etc/caddy/site/*.conf. +# - The user running `ansible-playbook` has passwordless sudo. +# +# Usage: +# cd /var/www/e-auth/ansible +# ansible-playbook deploy.yml +# ============================================================= + +- name: Deploy ecosplay-auth (Keycloak + Caddy vhost) + hosts: localhost + connection: local + become: true + gather_facts: true + + vars: + # Root of the repo (the parent of the ansible/ directory). + deploy_dir: "{{ playbook_dir | dirname }}" + + tasks: + + # --------------------------------------------------------- + # System prerequisites + # --------------------------------------------------------- + - name: Install base packages + ansible.builtin.apt: + name: + - ca-certificates + - curl + - gnupg + - python3-apt + - rsync + update_cache: yes + state: present + + # --------------------------------------------------------- + # Docker Engine + compose plugin (idempotent) + # --------------------------------------------------------- + - name: Ensure /etc/apt/keyrings exists + ansible.builtin.file: + path: /etc/apt/keyrings + state: directory + mode: "0755" + + - name: Add Docker GPG key + ansible.builtin.get_url: + url: "https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg" + dest: /etc/apt/keyrings/docker.asc + mode: "0644" + + - name: Add Docker apt repository + ansible.builtin.apt_repository: + repo: >- + deb [arch={{ ansible_architecture | + replace('x86_64', 'amd64') | + replace('aarch64', 'arm64') }} + signed-by=/etc/apt/keyrings/docker.asc] + https://download.docker.com/linux/{{ ansible_distribution | lower 
}} + {{ ansible_distribution_release }} stable + state: present + filename: docker + update_cache: yes + + - name: Install Docker Engine + compose plugin + ansible.builtin.apt: + name: + - docker-ce + - docker-ce-cli + - containerd.io + - docker-buildx-plugin + - docker-compose-plugin + state: present + + - name: Ensure Docker service is running + ansible.builtin.systemd: + name: docker + state: started + enabled: yes + + # --------------------------------------------------------- + # Repo files (already present at {{ deploy_dir }}) + # --------------------------------------------------------- + - name: Ensure deploy directory exists + ansible.builtin.file: + path: "{{ deploy_dir }}" + state: directory + mode: "0755" + + - name: Ensure init/sync.sh is executable + ansible.builtin.file: + path: "{{ deploy_dir }}/init/sync.sh" + mode: "0755" + + # --------------------------------------------------------- + # Caddy vhost for auth.e-cosplay.fr + # --------------------------------------------------------- + - name: Ensure /etc/caddy/site directory exists + ansible.builtin.file: + path: /etc/caddy/site + state: directory + mode: "0755" + owner: root + group: root + + - name: Ensure /var/log/caddy directory exists + ansible.builtin.file: + path: /var/log/caddy + state: directory + mode: "0755" + owner: caddy + group: caddy + ignore_errors: true + + - name: Deploy Caddy vhost for {{ auth_domain }} + ansible.builtin.template: + src: e-auth.conf.j2 + dest: "{{ caddy_site_file }}" + mode: "0644" + owner: root + group: root + notify: Reload caddy + + - name: Validate Caddy configuration + ansible.builtin.command: caddy validate --config /etc/caddy/Caddyfile + register: caddy_validate + changed_when: false + failed_when: caddy_validate.rc != 0 + + # --------------------------------------------------------- + # Bring up the docker-compose stack + # --------------------------------------------------------- + - name: Pull docker images + ansible.builtin.command: docker compose 
pull + args: + chdir: "{{ deploy_dir }}" + changed_when: false + + - name: Start docker-compose stack + ansible.builtin.command: docker compose up -d --remove-orphans + args: + chdir: "{{ deploy_dir }}" + register: compose_up + changed_when: >- + 'Started' in (compose_up.stderr | default('')) + or 'Created' in (compose_up.stderr | default('')) + or 'Recreated' in (compose_up.stderr | default('')) + + - name: Show compose output + ansible.builtin.debug: + var: compose_up.stderr_lines + when: compose_up.stderr_lines is defined + + handlers: + - name: Reload caddy + ansible.builtin.systemd: + name: caddy + state: reloaded diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml new file mode 100644 index 0000000..99bb973 --- /dev/null +++ b/ansible/group_vars/all.yml @@ -0,0 +1,14 @@ +--- +# ecosplay-auth deploy vars + +deploy_dir: /var/www/e-auth +auth_domain: auth.e-cosplay.fr +keycloak_local_port: 9450 + +# Caddy (assumed already installed with the caddy-dns/cloudflare plugin +# and configured to load per-site files from /etc/caddy/site/*.conf) +caddy_site_file: /etc/caddy/site/e-auth.conf + +# Cloudflare API token consumed by the caddy-dns/cloudflare plugin +# for the ACME DNS-01 challenge. +cloudflare_token: cfat_rIHZqzCm9GKK3xVnQDNGfu6J91TseIDdTKeuWSFUdf6ccd31 diff --git a/ansible/templates/e-auth.conf.j2 b/ansible/templates/e-auth.conf.j2 new file mode 100644 index 0000000..de088be --- /dev/null +++ b/ansible/templates/e-auth.conf.j2 @@ -0,0 +1,19 @@ +# Managed by Ansible - ecosplay-auth +# Reverse proxy for {{ auth_domain }} -> local Keycloak container on :{{ keycloak_local_port }} + +{{ auth_domain }} { + tls { + dns cloudflare {{ cloudflare_token }} + } + + encode gzip zstd + + reverse_proxy 127.0.0.1:{{ keycloak_local_port }} + + log { + output file /var/log/caddy/{{ auth_domain }}.log { + roll_size 10mb + roll_keep 10 + } + } +}
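Review bot: The `Deploy Caddy vhost` task writes `{{ caddy_site_file }}` with `mode: "0644"` and `owner: root` / `group: root`, yet the rendered file contains the Cloudflare token, so every local account can read a credential that DNS-01 requires to be allowed to edit the zone's records; since the log-directory task already assumes a `caddy` user, `group: caddy` with `mode: "0640"` keeps the file readable by the service only. `Add Docker GPG key` fetches the apt signing key with `get_url` and no `checksum:`, which makes the distribution's trust root whatever the download happens to return — pinning `checksum: "sha256:<placeholder-docker-gpg-sha256>"` turns a substituted key into a task failure instead of a silently trusted repository. `ignore_errors: true` on the `/var/log/caddy` task hides a missing `caddy` user or a permission problem until the vhost's `log` block fails at reload; dropping the ignore, or narrowing it with a specific `failed_when`, would surface the cause where it happens. `update_cache: yes` and `enabled: yes` are YAML 1.1 truthy spellings that ansible-lint flags; `true` is the portable form and matches `become: true` a few lines above.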
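Review bot: `cloudflare_token` in `group_vars/all.yml` is a literal API token committed in plaintext; a value that has been pushed is visible to everyone with read access to the repository and its history, so that token should be revoked and reissued regardless of how the file is fixed. Keep the variable name but source the value from outside the repo, e.g. `cloudflare_token: "{{ lookup('ansible.builtin.env', 'CLOUDFLARE_API_TOKEN') }}"`, or move it into an `ansible-vault`-encrypted file, and replace the value with a comment such as `# Set CLOUDFLARE_API_TOKEN in the environment before running; never commit the value.` The `deploy.yml` and `e-auth.conf.j2` sections of this commit write the same value to disk; that is raised on those hunks.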
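Review bot: The template interpolates `{{ cloudflare_token }}` straight into the Caddyfile, so the secret lands in a file on disk and in every copy, backup or diff of `/etc/caddy/site`; Caddy resolves `{env.NAME}` placeholders when it parses the Caddyfile, so `dns cloudflare {env.CLOUDFLARE_API_TOKEN}`, with the variable supplied to the caddy service (for example a systemd drop-in with `EnvironmentFile=` pointing at a root-only file), keeps the token out of the vhost file entirely. A header comment recording that, e.g. `# The Cloudflare token is read from the caddy service environment, not rendered into this file`, would make the choice visible to the next maintainer. The existing header comments describe the proxy target but not which variables the template expects (`auth_domain`, `keycloak_local_port`, `cloudflare_token`) and that `auth_domain` must be a bare hostname, since it is reused unquoted as the site address and in the log file path; listing them there is cheap and prevents surprises.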