From 3f0a878c3a0c293fa69176ad11a36fc375af2a3d Mon Sep 17 00:00:00 2001 From: Simon Cornet Date: Mon, 31 Mar 2025 17:44:41 +0200 Subject: [PATCH] feat: initial commit --- .ansible-lint | 22 ++++++++++++ .gitignore | 1 + .gitlab-ci.yml | 16 +++++++++ .gitlab/deployment.yaml | 31 +++++++++++++++++ .gitlab/linting.yaml | 17 ++++++++++ .yamllint | 30 +++++++++++++++++ defaults/main.yaml | 4 +++ handlers/main.yaml | 16 +++++++++ meta/main.yaml | 24 +++++++++++++ readme.md | 10 ++++++ renovate.json | 7 ++++ tasks/config.yaml | 11 ++++++ tasks/install.yaml | 54 ++++++++++++++++++++++++++++++ tasks/main.yaml | 20 +++++++++++ tasks/ossupport.yaml | 16 +++++++++ templates/atuin/server.toml.j2 | 4 +++ templates/systemd/atuin.service.j2 | 29 ++++++++++++++++ vars/Debian.yaml | 9 +++++ 18 files changed, 321 insertions(+) create mode 100644 .ansible-lint create mode 100644 .gitignore create mode 100644 .gitlab-ci.yml create mode 100644 .gitlab/deployment.yaml create mode 100644 .gitlab/linting.yaml create mode 100644 .yamllint create mode 100644 defaults/main.yaml create mode 100644 handlers/main.yaml create mode 100644 meta/main.yaml create mode 100644 readme.md create mode 100644 renovate.json create mode 100644 tasks/config.yaml create mode 100644 tasks/install.yaml create mode 100644 tasks/main.yaml create mode 100644 tasks/ossupport.yaml create mode 100644 templates/atuin/server.toml.j2 create mode 100644 templates/systemd/atuin.service.j2 create mode 100644 vars/Debian.yaml diff --git a/.ansible-lint b/.ansible-lint new file mode 100644 index 0000000..5397fc0 --- /dev/null +++ b/.ansible-lint @@ -0,0 +1,22 @@ +--- + +exclude_paths: + - ".gitlab/*" + - ".gitlab-ci.yml" + - "meta/main.yaml" + - "vars/*" + +kinds: + - playbook: "**/*.{yml,yaml}" + +skip_list: + - "command-shell" + - "experimental" + - "git-latest" + - "no-changed-when" + - "no-handler" + - "name[casing]" + - "name[template]" + - "risky-file-permissions" + - "schema[playbook]" + - "var-naming[no-role-prefix]" 
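Review bot: The `skip_list` in `.ansible-lint` disables `risky-file-permissions`, `no-changed-when` and `command-shell` even though every task in this commit already sets a `mode`, the one shell task has `changed_when`, and so on — so the rules cost nothing today but would catch exactly the regressions a future task is likely to introduce. Consider trimming the list to the rules that actually fire. `exclude_paths` also drops `meta/main.yaml` and `vars/*` from linting entirely; excluding `vars/*` is reasonable, but `meta/main.yaml` is where `min_ansible_version`/platform mistakes would otherwise be reported.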
diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..904cae8 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.ansible diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml new file mode 100644 index 0000000..5d82fc7 --- /dev/null +++ b/.gitlab-ci.yml @@ -0,0 +1,16 @@ +--- + +# gitLab ci stages +stages: + + # deployment + - "linting" + - "deployment" + + +# include jobs +include: + + # deployment + - local: ".gitlab/linting.yaml" + - local: ".gitlab/deployment.yaml" diff --git a/.gitlab/deployment.yaml b/.gitlab/deployment.yaml new file mode 100644 index 0000000..040754b --- /dev/null +++ b/.gitlab/deployment.yaml @@ -0,0 +1,31 @@ +--- +# deploy ansible/roles/common code +deployment: + stage: "deployment" + image: + name: "cr.simoncor.net/siempie/ssh-client:latest" + entrypoint: ["/bin/sh", "-c"] + rules: + + # run only on push to default branch + - if: + '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == + $CI_DEFAULT_BRANCH' + - when: "never" + + # prepare ssh + before_script: + # prepare ssh + - | + # prepare ssh + mkdir -p ~/.ssh + chmod 700 ~/.ssh + echo "$SSH_CONFIG" > ~/.ssh/config + echo "$SSH_DEPLOYMENT_KEY" > ~/.ssh/id_ed25519 + chmod 600 ~/.ssh/id_ed25519 + + # deployment commands + script: + - | + # install ansible roles dependancies + ssh $SSH_DEPLOYMENT_USER@$ANSIBLE_SERVER "sudo /usr/local/bin/ansible-galaxy install -r /etc/ansible/roles/requirements.yaml --force" diff --git a/.gitlab/linting.yaml b/.gitlab/linting.yaml new file mode 100644 index 0000000..01b8aa3 --- /dev/null +++ b/.gitlab/linting.yaml @@ -0,0 +1,17 @@ +--- + +# linting +linting: + stage: "linting" + image: + name: "cr.simoncor.net/siempie/ansible-deployment:latest" + entrypoint: ["/bin/sh", "-c"] + rules: + + # run only on push to default branch + - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH' + - when: "never" + + # start linting + script: + - "ansible-lint -c .ansible-lint ." 
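Review bot: In the `before_script` of `deployment`, `echo "$SSH_DEPLOYMENT_KEY" > ~/.ssh/id_ed25519` creates the key file with the shell's default umask and only then tightens it with `chmod 600`, so the private key is briefly readable by any other uid in the job container. Set the mask before writing — `umask 077` as the first line of the block (it also covers `~/.ssh/config`) — and the later `chmod` calls become belt-and-braces. Whether the connection to `$ANSIBLE_SERVER` verifies the host key depends on what `$SSH_CONFIG` contains, which is not visible here; if it does not pin a `known_hosts` entry, that is worth adding so a redirected connection cannot capture the deploy key's session.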
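Review bot: The `linting` job's only rule is a push to the default branch, so `ansible-lint` runs after a change has already landed and the deployment job (same rule) runs in the same pipeline regardless of whether linting passed. Adding a merge-request rule, e.g. `- if: '$CI_PIPELINE_SOURCE == "merge_request_event"'` before the existing one, surfaces lint failures before merge; if the intent is for lint to gate deployment, the `deployment` job also needs `needs: ["linting"]` or to rely on stage ordering with `allow_failure` left at its default.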
diff --git a/.yamllint b/.yamllint new file mode 100644 index 0000000..e4db48c --- /dev/null +++ b/.yamllint @@ -0,0 +1,30 @@ +--- +extends: 'default' + +rules: + braces: + max-spaces-inside: 1 + forbid: true + comments: + min-spaces-from-content: 1 + comments-indentation: false + empty-lines: + max: 2 + indentation: + spaces: 2 + check-multi-line-strings: true + line-length: + max: 130 + allow-non-breakable-words: true + allow-non-breakable-inline-mappings: true + new-line-at-end-of-file: 'enable' + octal-values: + forbid-implicit-octal: true + forbid-explicit-octal: true + truthy: + allowed-values: + - 'true' + - 'false' + quoted-strings: + quote-type: 'any' + required: true diff --git a/defaults/main.yaml b/defaults/main.yaml new file mode 100644 index 0000000..2622755 --- /dev/null +++ b/defaults/main.yaml @@ -0,0 +1,4 @@ +--- + +# renovate: datasource=github-releases depName=atuinsh/atuin versioning=pep440 +atuin_version: "18.4.0" diff --git a/handlers/main.yaml b/handlers/main.yaml new file mode 100644 index 0000000..2cdaa73 --- /dev/null +++ b/handlers/main.yaml @@ -0,0 +1,16 @@ +--- + +# atuin +- name: "restart atuin" + ansible.builtin.systemd: + name: "atuin.service" + state: "restarted" + daemon_reload: true + enabled: true + +# sysusers +- name: "restart sysusers" + ansible.builtin.systemd: + name: "systemd-sysusers.service" + state: "restarted" + enabled: true diff --git a/meta/main.yaml b/meta/main.yaml new file mode 100644 index 0000000..cfe5b99 --- /dev/null +++ b/meta/main.yaml @@ -0,0 +1,24 @@ +--- +galaxy_info: + role_name: "template" + author: "siempie" + description: "" + license: "MIT" + min_ansible_version: 2.9 + platforms: + + # debian + - name: "Debian" + versions: + - "bookworm" + + # ubuntu + - name: "Ubuntu" + versions: + - "jammy" + - "noble" + + galaxy_tags: + - "template" + +dependencies: [] diff --git a/readme.md b/readme.md new file mode 100644 index 0000000..d09472b --- /dev/null +++ b/readme.md 
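Review bot: The `restart sysusers` handler in `handlers/main.yaml` is never notified by any task in this commit and no `sysusers.d` file is installed, so it is dead configuration. If a dedicated `atuin` service account is planned (the systemd unit currently runs as root), add the sysusers template task with `notify: "restart sysusers"`; otherwise drop the handler. `enabled: true` on a restart handler is harmless but unusual — enabling belongs with the install task that lays down the unit.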
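Review bot: `min_ansible_version: 2.9` in `meta/main.yaml` understates the requirement: every task in this commit uses `ansible.builtin.*` FQCNs, which exist only from Ansible 2.10 onward, so `min_ansible_version: "2.10"` (quoted, since an unquoted `2.10` parses as the float `2.1`). The `platforms` list advertises Ubuntu jammy/noble, but `tasks/ossupport.yaml` fails the role on anything other than Debian 12 and `readme.md` lists only Debian 12 — either add the Ubuntu branches to the support check or remove them here. `role_name: "template"`, the empty `description` and the `"template"` galaxy tag look like leftovers from a skeleton and would mislabel the role on Galaxy.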
@@ -0,0 +1,10 @@ +# Overview +This role configures [Atuin](https://atuin.sh/) server, for reasons. + +# Supported Operating Systems +| Operating System | Version | +| --- | ----- | +| Debian | 12 | + +# Tags +This role has no tags. diff --git a/renovate.json b/renovate.json new file mode 100644 index 0000000..da8f5e1 --- /dev/null +++ b/renovate.json @@ -0,0 +1,7 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": [ "local>cicd/renovate" ], + "ansible": { + "fileMatch": [ "(.*).ya?ml$" ] + } +} diff --git a/tasks/config.yaml b/tasks/config.yaml new file mode 100644 index 0000000..14bbf49 --- /dev/null +++ b/tasks/config.yaml @@ -0,0 +1,11 @@ +--- + +# configure atuin +- name: "config - atuin" + ansible.builtin.template: + src: "templates/atuin/server.toml.j2" + dest: "/etc/atuin/server.toml" + owner: "root" + group: "root" + mode: "0644" + notify: "restart atuin" diff --git a/tasks/install.yaml b/tasks/install.yaml new file mode 100644 index 0000000..49b7347 --- /dev/null +++ b/tasks/install.yaml 
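Review bot: `config - atuin` writes `/etc/atuin/server.toml` with `mode: "0644"`, but the template it renders (`templates/atuin/server.toml.j2`, also in this commit) embeds `{{ atuin_db_pass }}` in `db_uri`, so the database password becomes readable by every local account. Since the unit runs the server as root, `mode: "0600"` is sufficient; if the service is later moved to its own user, make that user the group owner and use `"0640"`. Worth a comment on the task stating that the file holds credentials so the mode is not loosened later.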
@@ -0,0 +1,54 @@ +--- + +# check current atuin version +- name: "check current version" + ansible.builtin.shell: + cmd: "/usr/local/bin/atuin -V" + changed_when: false + failed_when: false + register: "atuin_version_check" + +# download atuin +- name: "download atuin" + ansible.builtin.get_url: + url: + "https://github.com/atuinsh/atuin/releases/download/\ + v{{ atuin_version }}/atuin-x86_64-unknown-linux-gnu.tar.gz" + dest: "/tmp/" + checksum: + "sha256:https://github.com/atuinsh/atuin/releases/download/\ + v{{ atuin_version }}/atuin-x86_64-unknown-linux-gnu.tar.gz.sha256" + owner: "root" + group: "root" + mode: "0775" + when: "atuin_version not in atuin_version_check.stdout" + register: "atuin_download" + +# install atuin +- name: "install atuin" + ansible.builtin.unarchive: + src: "/tmp/atuin-x86_64-unknown-linux-gnu.tar.gz" + dest: "/usr/local/bin/" + include: "atuin" + owner: "root" + group: "root" + mode: "0755" + remote_src: true + when: "atuin_download.changed" + +# install systemd service +- name: "install service" + ansible.builtin.template: + src: "templates/systemd/atuin.service.j2" + dest: "/etc/systemd/system/atuin.service" + owner: "root" + group: "root" + mode: "0644" + notify: "restart atuin" + +# cleanup atuin +- name: "cleanup atuin installer" + ansible.builtin.file: + path: "/tmp/atuin-x86_64-unknown-linux-gnu.tar.gz" + state: "absent" + when: "atuin_download.changed" diff --git a/tasks/main.yaml b/tasks/main.yaml new file mode 100644 index 0000000..c6b44e5 --- /dev/null +++ b/tasks/main.yaml 
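Review bot: `download atuin` stores the archive at the fixed, world-writable path `/tmp/atuin-x86_64-unknown-linux-gnu.tar.gz` and `install atuin` later unpacks that path as root, so between the two tasks any local user can replace or symlink the file — the checksum is verified by `get_url` only, `unarchive` trusts whatever is on disk. Download into a root-owned directory instead (`ansible.builtin.tempfile` with `state: directory`, or a fixed location under `/usr/local/src`) and reference that path from the unarchive and cleanup tasks; `mode: "0775"` on a tarball is also wider than needed, `"0644"` suffices. The URL is spelled out inline although `vars/Debian.yaml` in this commit defines the identical string as `atuin_install_url`, which is otherwise unused; `url: "{{ atuin_install_url }}"` keeps a single copy. Note that the `.sha256` checksum comes from the same release as the tarball, so it detects a corrupted download but not a substituted release; pinning the digest in `defaults/main.yaml` next to `atuin_version` is the stronger option. Whether `include: "atuin"` selects the binary depends on it sitting at the top level of the archive; if the release nests it under a directory, `extra_opts: ["--strip-components=1"]` is needed — confirm against the actual tarball layout.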
@@ -0,0 +1,20 @@ +--- + +# check os support +- name: "check for os support" + ansible.builtin.import_tasks: "ossupport.yaml" + +# load os variables +- name: "include os specific vars" + ansible.builtin.include_vars: "{{ ansible_os_family }}.yaml" + when: "os_support" + +# import install +- name: "install" + ansible.builtin.import_tasks: "install.yaml" + when: "os_support" + +# import config +- name: "config" + ansible.builtin.import_tasks: "config.yaml" + when: "os_support" diff --git a/tasks/ossupport.yaml b/tasks/ossupport.yaml new file mode 100644 index 0000000..3507753 --- /dev/null +++ b/tasks/ossupport.yaml @@ -0,0 +1,16 @@ +--- + +# support debian 12 +- name: "check for os support" + ansible.builtin.set_fact: + os_support: true + when: + - 'ansible_distribution == "Debian"' + - 'ansible_distribution_major_version == "12"' + +# fail role when not supported +- name: "unsupported role" + ansible.builtin.fail: + msg: "This role not supported on this Operating System." + when: + - "os_support is not defined" diff --git a/templates/atuin/server.toml.j2 b/templates/atuin/server.toml.j2 new file mode 100644 index 0000000..b4409c7 --- /dev/null +++ b/templates/atuin/server.toml.j2 @@ -0,0 +1,4 @@ +host = "0.0.0.0" +port = 8888 +open_registration = true +db_uri="postgres://{{ atuin_db_user }}:{{ atuin_db_pass }}@{{ atuin_db_host }}/{{ atuin_db_name }}" diff --git a/templates/systemd/atuin.service.j2 b/templates/systemd/atuin.service.j2 new file mode 100644 index 0000000..cb7fe78 --- /dev/null +++ b/templates/systemd/atuin.service.j2 
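Review bot: `open_registration = true` combined with `host = "0.0.0.0"` in `server.toml.j2` lets anyone who can reach port 8888 create an account on this sync server; unless that is intended, default it to `false` and expose it as a role variable (e.g. `atuin_open_registration`, defaulting to `false` in `defaults/main.yaml`) so it is enabled deliberately per host. The template also references `atuin_db_user`, `atuin_db_pass`, `atuin_db_host` and `atuin_db_name`, none of which are declared in `defaults/main.yaml` in this commit, so the role fails at template time unless the caller supplies all four — declare them (the password expected from a vault) and document them in the readme. `db_uri=` is the only line without spaces around `=`, which reads as a typo.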
@@ -0,0 +1,29 @@ +[Unit] +Description=Start the Atuin server syncing service +After=network-online.target +Wants=network-online.target systemd-networkd-wait-online.service + +[Service] +ExecStart=/usr/local/bin/atuin server start +Restart=on-failure +User=root +Group=root + +Environment=ATUIN_CONFIG_DIR=/etc/atuin +ReadWritePaths=/etc/atuin + +# Hardening options +CapabilityBoundingSet= +AmbientCapabilities= +NoNewPrivileges=true +ProtectHome=true +ProtectSystem=strict +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectControlGroups=true +PrivateTmp=true +PrivateDevices=true +LockPersonality=true + +[Install] +WantedBy=multi-user.target diff --git a/vars/Debian.yaml b/vars/Debian.yaml new file mode 100644 index 0000000..82d51cd --- /dev/null +++ b/vars/Debian.yaml @@ -0,0 +1,9 @@ +--- + +# ansible +ansible_remote_tmp: "/tmp" + +# atuin install url +atuin_install_url: + "https://github.com/atuinsh/atuin/releases/download/\ + v{{ atuin_version }}/atuin-x86_64-unknown-linux-gnu.tar.gz"
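Review bot: `User=root` / `Group=root` in `atuin.service.j2` undercuts the hardening block that follows: emptying `CapabilityBoundingSet=` and setting `NoNewPrivileges=true` still leaves the process as uid 0, so `ProtectSystem=strict` and the `Protect*`/`Private*` options become the only barrier between a compromised server process and the host. Port 8888 needs no privilege, so run it as a dedicated account — `DynamicUser=yes`, or a `sysusers.d` entry (which the `restart sysusers` handler in this commit appears to anticipate) with `User=atuin` — and make `/etc/atuin` readable by that account. `ReadWritePaths=/etc/atuin` grants write access to the configuration directory; if the server only reads its config there, `ReadOnlyPaths=/etc/atuin` is tighter — I cannot tell from this page whether atuin writes into it, so confirm before changing. The file carries a `.j2` suffix but contains no template expressions, which is fine if variables are planned, otherwise a plain `copy` would do.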
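Review bot: `ansible_remote_tmp: "/tmp"` in `vars/Debian.yaml` is a connection setting placed in role vars, where it takes precedence over inventory and `ansible.cfg` and redirects every module payload for this host into the shared `/tmp` instead of Ansible's default under the remote user's home. Unless there is a specific reason (e.g. a non-writable home), drop it or move it to inventory so the role does not silently override the controller's configuration; if it stays, a comment explaining why is warranted.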