diff --git a/ansible/arcodange/factory/inventory/group_vars/hard_disk/gitea.yml b/ansible/arcodange/factory/inventory/group_vars/hard_disk/gitea.yml
index 5a6fb75..60e9893 100644
--- a/ansible/arcodange/factory/inventory/group_vars/hard_disk/gitea.yml
+++ b/ansible/arcodange/factory/inventory/group_vars/hard_disk/gitea.yml
@@ -1,3 +1,5 @@
+gitea_version: 1.23.3
+
 gitea_partition: |-
 {{ hard_disk__partitions | dict2items | selectattr(
@@ -21,7 +23,7 @@ gitea:
 external: true
 services:
 gitea:
- image: gitea/gitea:1.22.2
+ image: gitea/gitea:{{ gitea_version }}
 container_name: gitea
 restart: always
 environment:
diff --git a/ansible/arcodange/factory/inventory/hosts.yml b/ansible/arcodange/factory/inventory/hosts.yml
index 9305fc0..53b0c9e 100644
--- a/ansible/arcodange/factory/inventory/hosts.yml
+++ b/ansible/arcodange/factory/inventory/hosts.yml
@@ -11,13 +11,13 @@ raspberries:
 ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
 internetPi1:
- ansible_host: arcodange.duckdns.org
+ ansible_host: rg-evry.changeip.co # arcodange.duckdns.org is dependent on duckdns registrty update while changeip is managed with the firewall
 ansible_port: 51022
 internetPi2:
- ansible_host: arcodange.duckdns.org
+ ansible_host: rg-evry.changeip.co
 ansible_port: 52022
 internetPi3:
- ansible_host: arcodange.duckdns.org
+ ansible_host: rg-evry.changeip.co
 ansible_port: 53022
 vars:
diff --git a/ansible/arcodange/factory/playbooks/01_system.yml b/ansible/arcodange/factory/playbooks/01_system.yml
index be3a57a..30b9072 100644
--- a/ansible/arcodange/factory/playbooks/01_system.yml
+++ b/ansible/arcodange/factory/playbooks/01_system.yml
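Review bot: The three `ansible_host` values now point at a dynamic-DNS name reached over the public Internet, but the `ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'` context line at the top of the hunk still disables host-key verification, so a stale or hijacked DNS record (the failure mode the new inline comment describes for duckdns) would let another machine impersonate the Pis to Ansible without any warning; the hostname change alone does not address that. Commit the Pis' host keys and point SSH at them, e.g. `ansible_ssh_extra_args: '-o UserKnownHostsFile={{ inventory_dir }}/known_hosts'` with strict checking left at its default, or at minimum use `StrictHostKeyChecking=accept-new` so a changed key fails loudly instead of being accepted. `registrty` in the new inline comment is a typo for `registry`.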
@@ -72,10 +72,11 @@
 - name: k3s
 tags: never
- ansible.builtin.import_playbook: k3s.orchestration.site
+ # ansible.builtin.import_playbook: k3s.orchestration.site
+ ansible.builtin.import_playbook: k3s.orchestration.upgrade
 # ansible.builtin.import_playbook: k3s.orchestration.reset
 vars:
- k3s_version: v1.31.3+k3s1
+ k3s_version: v1.32.2+k3s1
 extra_server_args: "--docker --disable traefik"
 extra_agent_args: "--docker"
 api_endpoint: "{{ hostvars[groups['server'][0]]['ansible_host'] | default(groups['server'][0]) }}"
@@ -122,7 +123,7 @@
 spec:
 repo: https://traefik.github.io/charts
 chart: traefik
- version: v30.1.0
+ version: v37.0.0
 targetNamespace: kube-system
 valuesContent: |-
 {{ traefik_helm_values | to_nice_yaml | indent( width=4 ) }}
@@ -162,15 +163,20 @@
 - websecure
 middlewares:
 localIp:
- IPAllowList:
+ ipAllowList:
 sourceRange:
- - "192.168.1.0/24"
- - "{{ ipify_public_ip }}/32"
+ - "0.0.0.0/0"
+ # - "192.168.1.0/24"
+ # - "{{ ipify_public_ip }}/32"
+ # ipStrategy:
+ # depth: 2
 traefik_helm_values:
+ deployment:
+ kind: "Deployment"
 # default is https://github.com/traefik/traefik-helm-chart/blob/v25.0.0/traefik/values.yaml <- for v25 (`kubectl describe deployments.apps traefik -n kube-system | grep helm.sh/chart`)
 # current is https://github.com/traefik/traefik-helm-chart/blob/v30.1.0/traefik/values.yaml
 nodeSelector:
- node-role.kubernetes.io/master: true # make predictible choice of node to direct https traffic to this node and avoid NAT/loss of client IP
+ node-role.kubernetes.io/master: 'true' # make predictible choice of node to direct https traffic to this node and avoid NAT/loss of client IP
 service:
 spec:
 externalTrafficPolicy: Local
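Review bot: Swapping `k3s.orchestration.site` for `k3s.orchestration.upgrade` and parking the original as a comment turns the `k3s` play into an upgrade-only play: a fresh node or a rebuilt cluster can no longer be bootstrapped from this playbook without editing it, and the file now carries two commented-out imports (`site` and `reset`) that will drift. Since `import_playbook` is resolved at parse time it can only be driven by extra vars, but that is enough here: `ansible.builtin.import_playbook: "k3s.orchestration.{{ k3s_action | default('site') }}"` run with `-e k3s_action=upgrade` when `k3s_version` is bumped keeps install, upgrade and reset selectable without touching the file. If the comment-toggling is deliberate, a one-line comment saying which mode is expected to be checked in would help the next person.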
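Review bot: `ipAllowList.sourceRange` is changed to `"0.0.0.0/0"`, which makes the `localIp` middleware a no-op: every router that attaches it (the dashboard is enabled in a later hunk; the routers themselves are not visible here) is now reachable from the whole Internet on a proxy that terminates a public LetsEncrypt name, and the middleware's name actively misdescribes what it does. The parked `ipStrategy: depth: 2` lines suggest the real problem was that Traefik saw a forwarding hop's address rather than the LAN/own-public-IP range; the fix for that is to keep the ranges and tell the middleware which X-Forwarded-For hop holds the client address (`ipStrategy.depth`, or `excludedIPs` naming the trusted hop) together with trusting forwarded headers on the entrypoint, not to drop the filter. If opening it up is a temporary measure, it needs a loud comment and the routers that depend on `localIp` for access control need another guard in the meantime. The restored middleware would look like:
```yaml
    localIp:
      ipAllowList:
        sourceRange:
          - "192.168.1.0/24"
          - "{{ ipify_public_ip }}/32"
        # the address Traefik sees arrives through a forwarding hop; select the
        # hop that carries the real client instead of allow-listing the world
        ipStrategy:
          depth: 1  # TODO(review): confirm how many hops sit in front of traefik
```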
@@ -182,6 +188,17 @@
 dashboard:
 enabled: true
 globalArguments: [] # deactivate --global.sendanonymoususage
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: LEGO_DISABLE_CNAME_SUPPORT
+ value: 'true'
 logs:
 general:
 level: DEBUG
@@ -209,18 +226,19 @@
 additionalArguments:
 - '--providers.file.filename=/config/dynamic.yaml'
 - '--providers.kubernetesingress.ingressendpoint.publishedservice=kube-system/traefik'
- certResolvers:
+ certificatesResolvers:
 letsencrypt:
- # for challenge options cf. https://doc.traefik.io/traefik/https/acme/
- email: arcodange@gmail.com
- tlsChallenge: true
- dnsChallenge:
- # requires env variable DUCKDNS_TOKEN
- provider: duckdns
- httpChallenge:
- entryPoint: "web"
- # It has to match the path with a persistent volume
- storage: /data/acme.json
+ acme:
+ # for challenge options cf. https://doc.traefik.io/traefik/https/acme/
+ email: arcodange@gmail.com
+ tlsChallenge: true
+ dnsChallenge:
+ # requires env variable DUCKDNS_TOKEN
+ provider: duckdns
+ httpChallenge:
+ entryPoint: "web"
+ # It has to match the path with a persistent volume
+ storage: /data/acme.json
 envFrom:
 - secretRef:
 name: traefik-duckdns-token
diff --git a/ansible/arcodange/factory/playbooks/setup/gitea.yml b/ansible/arcodange/factory/playbooks/setup/gitea.yml
index a6f0dbc..7b342db 100644
--- a/ansible/arcodange/factory/playbooks/setup/gitea.yml
+++ b/ansible/arcodange/factory/playbooks/setup/gitea.yml
@@ -68,8 +68,9 @@
 docker exec -u git {{ applications.gitea.dockercompose.services.gitea.container_name }}
 gitea admin user create
 --username {{ gitea_user.name }}
- --email {{ gitea_user.name }}
+ --email {{ gitea_user.email }}
 --random-password
+ --admin
 - name: Generate Gitea Token
 include_role:
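Review bot: The new `env` block re-declares `POD_NAME` and `POD_NAMESPACE` with no comment saying why; as far as I recall the Traefik chart already sets both by default, and because Helm replaces a list value instead of merging it, declaring `env` at all drops those defaults unless they are repeated — which is presumably what the first two entries do, but the next reader has to rediscover that. A comment above `env:` such as `# helm replaces (does not merge) the chart's default env list: POD_NAME/POD_NAMESPACE are the chart defaults repeated so LEGO_DISABLE_CNAME_SUPPORT can be added` would settle it. `LEGO_DISABLE_CNAME_SUPPORT` likewise deserves a one-liner tying it to the duckdns DNS challenge configured further down, if that is the reason (lego's CNAME following is, I believe, what breaks on duckdns — confirm). The context line `level: DEBUG` just below is untouched by this change but worth a TODO: debug logging on an Internet-facing proxy is noisy and puts request details into pod logs.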
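Review bot: The resolver still declares `tlsChallenge`, `dnsChallenge` and `httpChallenge` together, and the commit only re-nests them under `acme` without reconciling them; as far as I recall Traefik uses a single challenge per resolver and takes the DNS challenge first when one is configured, which would make the TLS and HTTP entries (and the `web` entrypoint the latter implies) dead configuration that hides which challenge actually issues the certificate — please confirm against the v37 chart's values schema, which is stricter than the old `certResolvers` key it replaces. Keep only the challenge you rely on: drop `tlsChallenge: true` and the `httpChallenge:` / `entryPoint: "web"` pair, leaving `dnsChallenge.provider: duckdns`. The `# requires env variable DUCKDNS_TOKEN` comment is satisfied by the `envFrom` secret reference below, which is the right place for the token; the `storage: /data/acme.json` comment about the persistent volume still applies and that volume (and the file's permissions, since it holds the account and certificate private keys) is not visible in this hunk.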
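Review bot: `--random-password` makes `gitea admin user create` print the generated password on stdout, and the account is now created with `--admin`, so whatever captures this shell task's output (the task header and any `register:` / `no_log:` are outside the hunk) will put a site-administrator password into the Ansible log unless the task sets `no_log: true`. Please confirm the task has `no_log: true` and that the registered result is not echoed by a later debug task, or replace `--random-password` with a vaulted `--password "{{ gitea_user.password }}"`. If the account exists only to bootstrap the Vault OAuth2 application, check that `--admin` is genuinely required for that flow (the Playwright script in this commit drives `/-/admin/applications`, which suggests it is) and say so in a comment next to the flag so it is neither dropped nor widened casually. The fix from `gitea_user.name` to `gitea_user.email` on the `--email` line looks right.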
diff --git a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/files/playwright_setupGiteaApp.js b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/files/playwright_setupGiteaApp.js
index d6ec3e1..d40e061 100644
--- a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/files/playwright_setupGiteaApp.js
+++ b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/files/playwright_setupGiteaApp.js
@@ -50,7 +50,7 @@ async function isLoggedIn() {
 async function setupApp() {
 const appName = process.env.GITEA_APP_NAME || 'Arcodange Hashicorp Vault';
- await page.goto(`${giteaAddress}/admin/applications`);
+ await page.goto(`${giteaAddress}/-/admin/applications`);
 const applicationsPanel = await page.locator('.admin-setting-content');
 const applicationNameClass = await applicationsPanel.getByText('Git Credential Manager').getAttribute('class');
@@ -65,7 +65,7 @@ async function setupApp() {
 await appElem.highlight();
 await appElem.locator('a.button').click();
- await page.waitForURL( new RegExp(`${giteaAddress}/admin/applications/oauth2/\\d+$`) );
+ await page.waitForURL( new RegExp(`${giteaAddress}/-/admin/applications/oauth2/\\d+$`) );
 await applicationsPanel.locator('form[action$="/regenerate_secret"] > button').click();
 } else {
@@ -76,9 +76,9 @@ async function setupApp() {
 `${vaultAddress}/ui/vault/auth/gitea/oidc/callback`,
 'https://webapp.arcodange.duckdns.org/oauth-callback',
 ].join('\n'));
- await applicationsPanel.locator('form[action="/admin/applications/oauth2"] > button').dblclick()
+ await applicationsPanel.locator('form[action="/-/admin/applications/oauth2"] > button').dblclick()
- await page.waitForURL(`${giteaAddress}/admin/applications/oauth2`);
+ await page.waitForURL(`${giteaAddress}/-/admin/applications/oauth2`);
 }
 app.id = await applicationsPanel.locator('input[id="client-id"]').getAttribute('value');
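Review bot: The create path still submits the new-application form with `.dblclick()` (only the selector changed on the new side); two clicks on a submit button can POST the form twice before the first navigation lands, which would register two OAuth2 applications with the same name and leave the following `waitForURL` and `client-id` read picking up whichever page rendered last. Presumably the double click works around a single click not submitting; if `.click()` does work it should be preferred, and if it does not, the reason deserves a comment on that line, e.g. `// dblclick: first click only focuses the button (see <issue>); second submits`, so nobody "fixes" it back. `setupApp()` continues past the end of this hunk, so I cannot see whether a later step checks for duplicate applications.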