🤖 ci(postgres): declare dance-lessons-coach DB + role + pgbouncer lookup

Adds dance-lessons-coach to the shared Postgres iac. Triggers postgres.yaml workflow which provisions a dance-lessons-coach Postgres DB owned by dance-lessons-coach_role, plus pgbouncer user_lookup function, plus credentials_editor admin grant. Required for dance-lessons-coach app's own iac/main.tf to later issue dynamic credentials.

ansible/arcodange/factory/README.md

@@ -10,41 +10,68 @@ kubectl create secret generic traefik-duckdns-token --from-literal="DUCKDNS_TOKE
 ```mermaid
 %%{init: { 'logLevel': 'debug', 'theme': 'dark' } }%%
 timeline
-title ordre des playbook
-section Setup DNS, OS, ...
-    configuration manuelle
-        : installer OS, réserver IP statique, configurer SSH,VNC
-        : formater et créer des partitions avec gparted
-section Docker & K3S
-    system
-        : install Docker
-        : install K3S working with docker
-        : configure Traefik
-
-section Volume, NFS
-    setup hard_disk
-        : monter les partitions
-        : installer NFS
-    system
-        : déployer provisionner NFS
-    
-section postgres
-    setup
-        : postgres
-section gitea
-    setup
-        : gitea
-section gitea action runner
-    setup
-        : gitea action runner
-section argo cd
-    argo_cd
-        : argo cd
-section hello world app
-    setup git repository
-        : terraform
-    setup CI
-    deploy
-        : dev : list exposed deployments with label and port as a landpage
-        : expose (as ngrock ? direct ? port ? )
+    title Playbook Execution Sequence
+    section 01_system
+        rpi
+            : set hostname
+        dns
+            : install pi-hole
+        ssl
+            : step-ca
+            : fetch root certificate
+            : build docker image with CA
+        prepare_disks
+            : list partitions
+            : format disk
+            : mount disk
+        system_docker
+            : install docker
+            : configure docker storage
+            : restart docker
+        longhorn
+            : deploy longhorn
+        k3s
+            : prepare inventory
+            : install k3s collection
+            : install socat
+            : deploy k3s cluster
+            : configure kubeconfig
+            : configure traefik
+            : configure cert-manager
+    section 02_setup
+        backup_nfs
+            : create RWX volume
+            : create recurring job
+            : deploy NFS
+            : mount NFS
+        postgres
+            : create database
+            : create user
+        gitea
+            : deploy gitea
+            : create admin user
+            : create organization
+    section 03_cicd
+        cicd : CI/CD
+        gitea_token
+            : generate token
+        deploy_docker_compose
+            : deploy gitea action
+        argocd
+            : generate token
+            : deploy argocd
+    section 04_tools
+        Hashicorp Vault
+            : gitea_token
+            : hashicorp_vault
+        Crowdsec
+            : crowdsec
+    section 05_backup
+        Gitea Backup
+            : gitea
+        K3s PVC Backup
+            : k3s_pvc
+        Postgres Backup
+            : create backup script
+            : create restore script
 ```

ansible/arcodange/factory/playbooks/backup/backup.yml

@@ -2,11 +2,11 @@
 # - name: setup cron report
 #   ansible.builtin.import_playbook: cron_report.yml
 
-# - name: postgres
-#   ansible.builtin.import_playbook: postgres.yml
-#   vars:
-#     backup_root_dir: "/mnt/backups"
-#     backup_dirname: "postgres"
+- name: postgres
+  ansible.builtin.import_playbook: postgres.yml
+  vars:
+    backup_root_dir: "/mnt/backups"
+    backup_dirname: "postgres"
 
 - name: gitea
   ansible.builtin.import_playbook: gitea.yml

ansible/arcodange/factory/playbooks/system/k3s_ssl.yml

@@ -162,4 +162,11 @@
                     name: {{ jwk_secret_name }}
                     namespace: {{ namespace }}
                     key: password
+              # Override kube-rbac-proxy image to use ARM64-compatible version.
+              # Note: pi3 (ARM64) requires an ARM64-compatible image, while pi2 (ARMv7) may work with AMD64 images.
+              # The default image (gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0) is AMD64-only and fails on pi3.
+              kubeRBACproxy:
+                image:
+                  repository: quay.io/brancz/kube-rbac-proxy
+                  tag: v0.15.0
 

ansible/arcodange/factory/playbooks/system/system_docker.yml

@@ -40,11 +40,7 @@
       register: docker_config_raw
       ignore_errors: yes
       changed_when: false
-      when: ansible.facts.stat.exists
-      vars:
-        ansible_facts:
-          stat:
-            exists: "{{ (ansible.builtin.stat.path='/etc/docker/daemon.json').stat.exists }}"
+      when: (ansible.builtin.stat.path='/etc/docker/daemon.json').stat.exists
 
     - name: Initialiser la variable de config Docker
       ansible.builtin.set_fact:
@@ -66,6 +62,33 @@
             }
           }, recursive=True) }}
 
+    - name: Ensure Docker storage directory exists on external disk
+      ansible.builtin.file:
+        path: /mnt/arcodange/docker
+        state: directory
+        mode: '0755'
+        owner: root
+        group: docker
+      when: ansible_facts.mounts | selectattr('mount', 'equalto', '/mnt/arcodange') | list | length > 0
+
+    - name: Configure Docker to use external storage
+      ansible.builtin.set_fact:
+        docker_config: >
+          {{ docker_config | combine({
+            'data-root': '/mnt/arcodange/docker',
+            'storage-driver': 'overlay2'
+          }, recursive=True) }}
+      when: ansible_facts.mounts | selectattr('mount', 'equalto', '/mnt/arcodange') | list | length > 0
+
+    - name: Ensure docker_config is a dictionary
+      ansible.builtin.set_fact:
+        docker_config: >
+          {% if docker_config is mapping %}
+            {{ docker_config }}
+          {% else %}
+            {}
+          {% endif %}
+
     - name: Écrire la configuration mise à jour
       ansible.builtin.copy:
         dest: /etc/docker/daemon.json

ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/files/hashicorp_vault.tf

@@ -19,7 +19,7 @@ variable "admin_email" {
 }
 variable "gitea_app" {
   type = object({
-    url = optional(string, "https://gitea.arcodange.lab/")
+    url = optional(string, "https://gitea.arcodange.lab")
     id = string
     secret = string
     description = optional(string, "Arcodange Gitea Auth")
@@ -66,7 +66,7 @@ resource "vault_jwt_auth_backend" "gitea" {
     oidc_discovery_ca_pem = file(var.ca_pem)
     oidc_client_id      = var.gitea_app.id
     oidc_client_secret  = var.gitea_app.secret
-    bound_issuer        = var.gitea_app.url
+    bound_issuer        = trimsuffix(var.gitea_app.url, "/")
     
     tune {
         allowed_response_headers     = []
@@ -103,7 +103,7 @@ resource "vault_jwt_auth_backend" "gitea_jwt" {
     type                = "jwt"
     oidc_discovery_url  = var.gitea_app.url
     oidc_discovery_ca_pem = file(var.ca_pem)
-    bound_issuer        = var.gitea_app.url
+    bound_issuer        = trimsuffix(var.gitea_app.url, "/")
     
     tune {
         allowed_response_headers     = []
@@ -167,7 +167,7 @@ resource "vault_kv_secret" "google_credentials" {
   path = "${vault_mount.kvv1.path}/google/credentials"
   data_json = jsonencode(
   {
-    credentials = file("~/.config/gcloud/application_default_credentials.json")
+    credentials = file("/root/.config/gcloud/application_default_credentials.json")
   }
   )
 }

ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml

@@ -24,6 +24,31 @@
 
     volume_name: tofu-{{ ansible_date_time.iso8601.replace(':','-') }}
 
+- name: Check SSL certificate for Gitea
+  shell: >-
+    openssl s_client -connect gitea.arcodange.lab:443 -CAfile /etc/ssl/certs/arcodange-root.pem -servername gitea.arcodange.lab < /dev/null 2>&1 | grep -E "Verify return code:|subject=|issuer="
+  register: ssl_check
+  ignore_errors: true
+
+- name: Debug SSL certificate check
+  debug:
+    var: ssl_check.stdout_lines
+
+
+
+- name: Delete existing Gitea OIDC backends if they exist
+  include_tasks: vault_cmd.yml
+  vars:
+    vault_cmd: vault auth disable {{ backend_name }}
+    vault_cmd_can_fail: true
+    vault_cmd_json_attr: ''
+    vault_cmd_output_var: false
+  loop:
+    - gitea
+    - gitea_jwt
+  loop_control:
+    loop_var: backend_name
+
 - name: use tofu to provision vault
   block:
   - shell: docker volume create {{ volume_name }}

argocd/templates/apps.yaml

@@ -1,4 +1,5 @@
 {{- range $app_name, $app_attr := .Values.gitea_applications -}}
+{{- $org := default "arcodange-org" $app_attr.org -}}
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
@@ -14,7 +15,7 @@ metadata:
 spec:
   project: default
   source:
-    repoURL: https://gitea.arcodange.lab/arcodange-org/{{ $app_name }}
+    repoURL: https://gitea.arcodange.lab/{{ $org }}/{{ $app_name }}
     targetRevision: HEAD
     path: chart
   destination:

argocd/values.yaml

@@ -16,6 +16,11 @@ gitea_applications:
     annotations:
       argocd-image-updater.argoproj.io/image-list: cms=gitea.arcodange.lab/arcodange-org/cms:latest
       argocd-image-updater.argoproj.io/cms.update-strategy: digest
+  dance-lessons-coach:
+    org: arcodange
+    annotations:
+      argocd-image-updater.argoproj.io/image-list: dance-lessons-coach=gitea.arcodange.lab/arcodange/dance-lessons-coach:latest
+      argocd-image-updater.argoproj.io/dance-lessons-coach.update-strategy: digest
 
 argocd_image_updater_chart_values:
   config:

postgres/iac/terraform.tfvars

@@ -3,4 +3,5 @@ applications = [
     "erp",
     "crowdsec",
     "plausible",
+    "dance-lessons-coach",
 ]