diff --git a/ansible/inventory.yml b/ansible/inventory.yml index 9d5f470b1..01146c0b5 100644 --- a/ansible/inventory.yml +++ b/ansible/inventory.yml @@ -26,7 +26,7 @@ hosts: ubuntu1604-x64-1: {ip: 147.28.162.105, alias: unencrypted} - rackspace: - debian8-x64-1: {ip: 23.253.100.79, alias: gh-bot} + debian12-x64-1: {ip: 104.239.144.144, alias: gh-bot} - softlayer: debian8-x64-1: {ip: 184.172.29.199, alias: registry-mirror} @@ -130,8 +130,10 @@ hosts: - equinix: ubuntu2004_docker-arm64-1: {ip: 145.40.81.219} ubuntu2004_docker-arm64-3: {ip: 145.40.99.31} - # when adding, removing or changing the IPs below, - # remember to update Jenkins worker IP whitelist in github-bot + # when adding, removing or changing the IPs for any + # `jenkins-workspace-*` machine, remember to rerun + # the `ansible/playbooks/create-github-bot.yml` playbook + # to update the Jenkins worker IP allowlist in github-bot ubuntu2204-x64-1: {ip: 147.75.72.255, alias: jenkins-workspace-7} ubuntu2204-x64-2: {ip: 145.40.96.123, alias: jenkins-workspace-8} @@ -167,6 +169,10 @@ hosts: rhel9-x64-1: {ip: 169.60.150.92, swap_file_size_mb: 2048} ubuntu2204-x64-1: {ip: 169.60.150.82} ubuntu2204-x64-2: {ip: 169.44.168.2} + # when adding, removing or changing the IPs for any + # `jenkins-workspace-*` machine, remember to rerun + # the `ansible/playbooks/create-github-bot.yml` playbook + # to update the Jenkins worker IP allowlist in github-bot ubuntu2204-x64-3: {ip: 52.117.26.14, alias: jenkins-workspace-6} ubuntu2204_docker-x64-1: {ip: 52.117.26.9} diff --git a/ansible/playbooks/create-github-bot.yml b/ansible/playbooks/create-github-bot.yml index ea99cf6d8..da973c2c4 100644 --- a/ansible/playbooks/create-github-bot.yml +++ b/ansible/playbooks/create-github-bot.yml 
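Review bot: The reworded comment in the second and third hunks says to rerun the playbook but not what makes a host count as a Jenkins worker, while the collection task added to the github-bot role in this commit only picks up hosts whose `alias` matches `jenkins-workspace.*`, so a workspace machine added here with a different or missing alias would silently be left out of the allowlist. I would extend the comment with `# only hosts whose alias matches jenkins-workspace-* are collected`. The same four-line comment is also pasted verbatim in both hunks; keeping one copy and pointing at it from the other location would stop the two from drifting.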
@@ -8,26 +8,8 @@ # `ansible/host_vars/infra-rackspace-debian8-x64-1` in this repo (nodejs/build) # -- hosts: infra-rackspace-debian8-x64-1 +- hosts: infra-rackspace-debian12-x64-1 roles: - bootstrap - package-upgrade - github-bot - pre_tasks: - - name: check if secrets are properly set - fail: - failed_when: not {{ secret }} - loop_control: - loop_var: secret - with_items: - - envs.port - - envs.travis_token - - envs.github_token - - envs.github_webhook_secret - - envs.login_credentials - - envs.jenkins_api_credentials - - envs.jenkins_job_citgm - - envs.jenkins_build_token_citgm - - envs.jenkins_job_node - - envs.jenkins_build_token_node - - conf.github_deploy_webhook_secret diff --git a/ansible/roles/github-bot/handlers/main.yml b/ansible/roles/github-bot/handlers/main.yml new file mode 100644 index 000000000..876167363 --- /dev/null +++ b/ansible/roles/github-bot/handlers/main.yml @@ -0,0 +1,15 @@ +--- + +# +# generic handlers for github-bot +# + +- name: restart github-bot + ansible.builtin.service: + name: github-bot + state: restarted + +- name: restart github-bot-deploy-webhook + ansible.builtin.service: + name: github-bot-deploy-webhook + state: restarted diff --git a/ansible/roles/github-bot/tasks/main.yml b/ansible/roles/github-bot/tasks/main.yml index 7455da371..3d8cec510 100644 --- a/ansible/roles/github-bot/tasks/main.yml +++ b/ansible/roles/github-bot/tasks/main.yml 
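Review bot: The context comment directly above the changed `hosts:` line still refers to `ansible/host_vars/infra-rackspace-debian8-x64-1`, while the play now targets `infra-rackspace-debian12-x64-1`, so it is stale unless that host_vars file intentionally keeps its old name; if the gpg-decrypted `deployment_secrets.yml` introduced in this commit replaces it, the comment should describe that source instead. Moving the secrets check out of `pre_tasks` and into the github-bot role also means it now runs after the `bootstrap` and `package-upgrade` roles rather than before anything touches the host, so a machine with missing secrets is bootstrapped and upgraded before the play fails; if fail-fast was the intent, keep a `pre_tasks:` assert here. The top of the play is outside the hunk.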
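Review bot: Both new handlers restart with `ansible.builtin.service`, which does not reload systemd's unit definitions, yet the tasks that notify them in `ansible/roles/github-bot/tasks/main.yml` (the `@@ -53,11 +81,16 @@` and `@@ -95,17 +136,23 @@` hunks) rewrite `/lib/systemd/system/github-bot.service` and `github-bot-deploy-webhook.service`, so an edited unit file would be restarted under its old definition unless a daemon-reload step exists elsewhere in the role. I would change `ansible.builtin.service:` to `ansible.builtin.systemd:` in each handler and add `daemon_reload: true` beside `state: restarted`. As a style point, the tasks file uses the short `service:` module name while these handlers use the FQCN; the role should pick one.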
@@ -1,5 +1,30 @@ --- +- name: check if secrets are properly set + fail: + failed_when: not {{ secret }} + loop_control: + loop_var: secret + with_items: + - gh_bot_secrets.envs.port + - gh_bot_secrets.envs.travis_token + - gh_bot_secrets.envs.github_token + - gh_bot_secrets.envs.github_webhook_secret + - gh_bot_secrets.envs.login_credentials + - gh_bot_secrets.envs.jenkins_api_credentials + - gh_bot_secrets.envs.jenkins_job_citgm + - gh_bot_secrets.envs.jenkins_build_token_citgm + - gh_bot_secrets.envs.jenkins_job_node + - gh_bot_secrets.envs.jenkins_build_token_node + - gh_bot_secrets.conf.github_deploy_webhook_secret + +- name: Get IP addresses of jenkins-workspace machines + no_log: true + set_fact: + jenkins_workspace_ips: "{{ jenkins_workspace_ips | default([]) + [item.value.ansible_host | string] }}" + when: "item.value.alias is defined and item.value.alias is match('jenkins-workspace.*')" + with_dict: "{{ hostvars }}" + - name: Bootstrap | Install baseline packages package: name: "{{ package }}" @@ -9,13 +34,13 @@ with_items: "{{ base_packages }}" - name: Bootstrap | Add nodesource signing key - apt_key: - url: https://deb.nodesource.com/gpgkey/nodesource.gpg.key - state: present + ansible.builtin.get_url: + dest: /etc/apt/keyrings/nodesource-repo.gpg.asc + url: https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key - name: Bootstrap | Add nodesource repo apt_repository: - repo: deb https://deb.nodesource.com/node_14.x jessie main + repo: deb [arch=amd64 signed-by=/etc/apt/keyrings/nodesource-repo.gpg.asc] https://deb.nodesource.com/node_20.x nodistro main state: present - name: Bootstrap | APT Update and upgrade @@ -30,6 +55,9 @@ loop_control: loop_var: package with_items: "{{ packages }}" + notify: + - restart github-bot-deploy-webhook + - restart github-bot - name: Bootstrap | Enable time syncing service: 
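Review bot: `failed_when: not {{ secret }}` in the relocated secrets check nests Jinja delimiters inside a conditional, which Ansible templates a second time and warns about; an `ansible.builtin.assert` with a `that:` list of the eleven `gh_bot_secrets.*` expressions, each written as `gh_bot_secrets.envs.port is defined and gh_bot_secrets.envs.port`, checks the same thing without the nested template and names the failing expression. The `no_log: true` on the IP collection task is doing real work and deserves a comment, because `with_dict: "{{ hostvars }}"` makes each loop result carry an entire host's variables, which on the gh-bot host presumably includes the `gh_bot_secrets` fact; I would add `# no_log: loop output would echo every host's vars, including gh_bot_secrets` above it. That task also assumes every matching host defines `ansible_host`, so a `jenkins-workspace-*` host without it would abort the play with an undefined-variable error rather than be skipped, which is likely the intended fail-closed behaviour but worth stating in a comment.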
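Review bot: The new `get_url` task writes the signing key into `/etc/apt/keyrings` without ensuring that directory exists or setting `mode`, so on an image where the directory is absent the download fails, and where it exists the key file's permissions depend on the remote umask; I would precede it with an `ansible.builtin.file` task that creates `/etc/apt/keyrings` as a directory with `mode: "0755"`, and add `mode: "0644"` to the `get_url` task. The `signed-by=` and `arch=amd64` pins on the new repo line are a clear improvement over the previous globally trusted `apt_key`. The old `node_14.x jessie` entry and its global key are not removed by this hunk, which only matters if the role is ever re-run on a host carrying the old configuration.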
@@ -53,11 +81,16 @@ template: src: "{{ role_path }}/templates/github-bot.service.j2" dest: /lib/systemd/system/github-bot.service + notify: + - restart github-bot - name: Init | Generate and copy systemd EnvironmentFile template: src: "{{ role_path }}/templates/environment-file.j2" dest: "/home/{{ server_user }}/environment/github-bot" + notify: + - restart github-bot-deploy-webhook + - restart github-bot - name: Init | Clone github-bot repo become: yes @@ -65,6 +98,8 @@ git: repo: https://github.com/nodejs/github-bot.git dest: "/home/{{ server_user }}/github-bot" + notify: + - restart github-bot - name: Init | Install npm dependencies become: yes @@ -72,6 +107,8 @@ npm: path: "/home/{{ server_user }}/github-bot" production: yes + notify: + - restart github-bot - name: Init | Start github-bot service: @@ -83,11 +120,15 @@ npm: name: github-webhook global: yes + notify: + - restart github-bot-deploy-webhook - name: Deploy Webhook | Copy config template: src: "{{ role_path }}/templates/github-bot-deploy-webhook.json.j2" dest: "/home/{{ server_user }}/config/github-bot-deploy-webhook.json" + notify: + - restart github-bot-deploy-webhook - name: Deploy Webhook | Copy deploy script template: @@ -95,17 +136,23 @@ dest: "/home/{{ server_user }}/bin/deploy-github-bot.sh" mode: 0755 owner: "{{ server_user }}" + notify: + - restart github-bot-deploy-webhook - name: Deploy Webhook | Generate and copy service script template: src: "{{ role_path }}/templates/github-bot-deploy-webhook.service.j2" dest: /lib/systemd/system/github-bot-deploy-webhook.service + notify: + - restart github-bot-deploy-webhook - name: Deploy Webhook | Start service service: name: github-bot-deploy-webhook state: started enabled: yes + notify: + - restart github-bot-deploy-webhook - name: Deploy Webhook | Allow user to restart github-bot lineinfile: 
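Review bot: The `Init | Generate and copy systemd EnvironmentFile` task, now wired to both restart handlers, writes `GITHUB_TOKEN`, `LOGIN_CREDENTIALS` and the Jenkins credentials to `/home/{{ server_user }}/environment/github-bot` with only `src` and `dest`, so the file gets the module's default permissions (the remote umask, normally world-readable). I would add `mode: "0600"` and `owner: "{{ server_user }}"` to that template task so the secrets are readable only by the service account. The notify additions themselves look correct for the config and source inputs.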
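Review bot: The `notify` added under `Deploy Webhook | Start service` in the last hunk is redundant: that task only reports changed when it has just started or enabled the service, and the handler then restarts a service that came up moments earlier. The notify belongs on the tasks that change the service's inputs, which this commit already adds for the config, deploy script and unit file, so I would drop the two `notify:` lines from the start task. The task that follows (`Deploy Webhook | Allow user to restart github-bot`) continues outside the hunk.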
diff --git a/ansible/roles/github-bot/templates/environment-file.j2 b/ansible/roles/github-bot/templates/environment-file.j2 index 228728029..a4aed7614 100644 --- a/ansible/roles/github-bot/templates/environment-file.j2 +++ b/ansible/roles/github-bot/templates/environment-file.j2 @@ -1,14 +1,14 @@ NODE_ENV=production -PORT={{ envs.port }} -TRAVIS_TOKEN={{ envs.travis_token }} -GITHUB_TOKEN={{ envs.github_token }} -GITHUB_WEBHOOK_SECRET={{ envs.github_webhook_secret }} -LOGIN_CREDENTIALS={{ envs.login_credentials }} +PORT={{ gh_bot_secrets.envs.port }} +TRAVIS_TOKEN={{ gh_bot_secrets.envs.travis_token }} +GITHUB_TOKEN={{ gh_bot_secrets.envs.github_token }} +GITHUB_WEBHOOK_SECRET={{ gh_bot_secrets.envs.github_webhook_secret }} +LOGIN_CREDENTIALS={{ gh_bot_secrets.envs.login_credentials }} NODE_REPO_DIR=/home/{{ server_user }}/repos/node LOGS_DIR=/home/{{ server_user }}/logs -JENKINS_API_CREDENTIALS={{ envs.jenkins_api_credentials }} -JENKINS_JOB_CITGM={{ envs.jenkins_job_citgm }} -JENKINS_BUILD_TOKEN_CITGM={{ envs.jenkins_build_token_citgm }} -JENKINS_JOB_NODE={{ envs.jenkins_job_node }} -JENKINS_BUILD_TOKEN_NODE={{ envs.jenkins_build_token_node }} -JENKINS_WORKER_IPS=147.75.70.237,51.15.200.62,51.15.218.201,163.172.186.154,147.75.66.203,147.75.81.67,52.117.26.14,147.75.72.255,145.40.96.123 +JENKINS_API_CREDENTIALS={{ gh_bot_secrets.envs.jenkins_api_credentials }} +JENKINS_JOB_CITGM={{ gh_bot_secrets.envs.jenkins_job_citgm }} +JENKINS_BUILD_TOKEN_CITGM={{ gh_bot_secrets.envs.jenkins_build_token_citgm }} +JENKINS_JOB_NODE={{ gh_bot_secrets.envs.jenkins_job_node }} +JENKINS_BUILD_TOKEN_NODE={{ gh_bot_secrets.envs.jenkins_build_token_node }} +JENKINS_WORKER_IPS={{ jenkins_workspace_ips | join(',') }} diff --git a/ansible/roles/github-bot/templates/github-bot-deploy-webhook.json.j2 b/ansible/roles/github-bot/templates/github-bot-deploy-webhook.json.j2 index 661bcce86..aa8984c60 100644 --- a/ansible/roles/github-bot/templates/github-bot-deploy-webhook.json.j2 
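Review bot: `JENKINS_WORKER_IPS={{ jenkins_workspace_ips | join(',') }}` renders the list in whatever order `hostvars` iteration produced it, so two runs over the same inventory can yield differently ordered strings, making the template report changed and firing the restart handlers for no reason; `{{ jenkins_workspace_ips | unique | sort | join(',') }}` makes the rendered value stable. Replacing the hard-coded nine-address list with the computed one also reshapes the allowlist to exactly the hosts carrying a `jenkins-workspace-*` alias: the inventory hunks in this commit show three such aliases (52.117.26.14, 147.75.72.255, 145.40.96.123), and several addresses from the removed line, for example 147.75.70.237 and 51.15.200.62, do not appear with that alias anywhere in the diff, so each should be confirmed as either aliased in inventory or intentionally dropped, since an omitted worker is locked out rather than let through. When no host matches, `jenkins_workspace_ips` stays undefined (unless defined elsewhere) and the template task fails instead of rendering an empty allowlist, which is the right direction.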
+++ b/ansible/roles/github-bot/templates/github-bot-deploy-webhook.json.j2 @@ -1,7 +1,7 @@ { "port": 9999, "path": "/deploy-webhook", - "secret": "{{ conf.github_deploy_webhook_secret }}", + "secret": "{{ gh_bot_secrets.conf.github_deploy_webhook_secret }}", "log": "/home/{{ server_user }}/logs/github-bot-webhook.log", "rules": [ { diff --git a/ansible/roles/github-bot/vars/main.yml b/ansible/roles/github-bot/vars/main.yml index 391386c28..e0033075b 100644 --- a/ansible/roles/github-bot/vars/main.yml +++ b/ansible/roles/github-bot/vars/main.yml @@ -1,7 +1,8 @@ --- base_packages: - aptitude - - python-apt + - python3-apt + - systemd-timesyncd packages: - nodejs diff --git a/ansible/roles/read-secrets/tasks/partials/infra.yml b/ansible/roles/read-secrets/tasks/partials/infra.yml new file mode 100644 index 000000000..7329000b9 --- /dev/null +++ b/ansible/roles/read-secrets/tasks/partials/infra.yml @@ -0,0 +1,13 @@ +--- + +- name: Read github-bot secrets + ansible.builtin.set_fact: + gh_bot_secrets: "{{ lookup('pipe', 'gpg -d ' + group_vars | quote) | from_yaml }}" + no_log: yes + loop_control: + loop_var: group_vars + with_first_found: + - files: + - "{{ secrets_repo_root }}/build/github-bot/deployment_secrets.yml" + skip: true + when: alias is defined and alias == 'gh-bot'
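Review bot: `loop_control: loop_var: group_vars` in the new `infra.yml` names the loop variable after Ansible's `group_vars` directory convention, which reads as if the task iterated group variables rather than a single secrets file path; `loop_var: secrets_file` with the matching `'gpg -d ' + secrets_file | quote` says what it holds. With `skip: true` on `with_first_found`, a missing `deployment_secrets.yml` silently skips the task and leaves `gh_bot_secrets` undefined, so the problem surfaces later as an undefined-variable error in the role's secrets check rather than here; if that is acceptable, a comment such as `# a missing secrets file is caught by the github-bot role's secrets check` would explain the choice, otherwise drop `skip: true` so the lookup itself fails. `no_log: yes` is the right call for a fact holding decrypted secrets, though the rest of this commit spells it `no_log: true`; use one form.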