ivo/sce
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add Woodpecker agent role

Browse source
This commit is contained in:
Ivo C.S. Wingelaar 2024-11-17 14:02:38 +01:00
parent 4560ccbbb7
commit 25fb8d345d
Signed by: ivo
GPG key ID: ABBED434F58D0AA3
13 changed files with 196 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
roles/podman_woodpecker_agent/defaults/main.yml Normal file
View file

@ -0,0 +1,3 @@
---
podman_woodpecker_agent_filter_labels: ""
podman_woodpecker_agent_image_path: docker.io/woodpeckerci/woodpecker-agent

12
roles/podman_woodpecker_agent/handlers/main.yml Normal file
View file

@ -0,0 +1,12 @@
---
- name: Reload systemd daemon
ansible.builtin.systemd_service:
daemon_reload: true
- name: Reload user systemd daemon
ansible.builtin.systemd_service:
daemon_reload: true
scope: user
become_method: community.general.machinectl
become_user: "{{ podman_woodpecker_agent_user }}"
become: true

11
roles/podman_woodpecker_agent/tasks/activate-proxies.yml Normal file
View file

@ -0,0 +1,11 @@
---
- name: Determine UID of workspace user
ansible.builtin.user:
name: "{{ workspace_user }}"
register: user_data
- name: Activate Podman socket proxy for the workspace
ansible.builtin.systemd_service:
name: woodpecker-proxy@{{ user_data['uid'] }}.path
state: started
enabled: true

60
roles/podman_woodpecker_agent/tasks/agents.yml Normal file
View file

@ -0,0 +1,60 @@
---
- name: Create Woodpecker agent volume
containers.podman.podman_volume:
name: "woodpecker-agent-{{ workspace_user }}"
state: present
- name: Create Woodpecker agent secret
containers.podman.podman_secret:
state: present
name: "woodpecker-agent-secret-{{ workspace_user }}"
data: "{{ podman_woodpecker_agent_secret }}"
# Necessary to make the module idempotent on Podman < v4.7
# See: https://github.com/containers/ansible-podman-collections/issues/692
skip_existing: true
- name: Determine UID of workspace user
ansible.builtin.user:
name: "{{ workspace_user }}"
register: user_data
- name: Create Woodpecker container
containers.podman.podman_container:
name: "woodpecker-agent-{{ user_data['uid'] }}"
state: present
image: "{{ podman_woodpecker_agent_image_path }}:{{ podman_woodpecker_version }}"
volumes:
- 'woodpecker-agent-{{ workspace_user }}:/etc/woodpecker'
- '/etc/timezone:/etc/timezone:ro'
- '/etc/localtime:/etc/localtime:ro'
- "/run/woodpecker/{{ user_data['uid'] }}.sock:/var/run/docker.sock"
env:
WOODPECKER_SERVER: "{{ podman_woodpecker_agent_server }}"
WOODPECKER_HOSTNAME: "{{ workspace_user }}"
# Nothing is using the healthcheck IIUC, so disabling it doesn't reduce functionality.
WOODPECKER_HEALTHCHECK: false
WOODPECKER_LOG_LEVEL: debug
WOODPECKER_BACKEND: docker
WOODPECKER_FILTER_LABELS: "{{ podman_woodpecker_agent_filter_labels }}"
secrets:
- "woodpecker-agent-secret-{{ workspace_user }},type=env,target=WOODPECKER_AGENT_SECRET"
generate_systemd:
restart_policy: always
path: ~/.config/systemd/user
after: "podman-proxy@{{ user_data['uid'] }}.target"
requires: "podman-proxy@{{ user_data['uid'] }}.target"
notify: Reload user systemd daemon
- name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: Start and enable Woodpecker services
ansible.builtin.systemd_service:
name: "{{ item }}"
daemon_reload: true
state: started
enabled: true
scope: user
loop:
- "podman-proxy@{{ user_data['uid'] }}.path"
- "container-woodpecker-agent-{{ user_data['uid'] }}.service"

22
roles/podman_woodpecker_agent/tasks/machinectl.yml Normal file
View file

@ -0,0 +1,22 @@
---
- name: Create systemd user configuration directory
ansible.builtin.file:
dest: ~/.config/systemd/user
state: directory
mode: "0750"
- name: Install systemd unit files for the proxy target
ansible.builtin.template:
src: "{{ item }}.j2"
dest: "~/.config/systemd/user/{{ item }}"
mode: "0644"
notify: Reload user systemd daemon
loop:
- podman-proxy@.path
- podman-proxy@.target
- name: Create Woodpecker agents
ansible.builtin.include_tasks: agents.yml
loop: "{{ podman_woodpecker_agent_workspace_users }}"
loop_control:
loop_var: workspace_user

20
roles/podman_woodpecker_agent/tasks/main.yml Normal file
View file

@ -0,0 +1,20 @@
---
- name: Configure proxies for the Podman sockets
ansible.builtin.import_tasks: socket-proxy.yml
- name: Activate the workspace Podman systemd socket unit
ansible.builtin.systemd_service:
name: podman.socket
state: started
enabled: true
scope: user
become_method: community.general.machinectl
become_user: "{{ item }}"
become: true
loop: "{{ podman_woodpecker_agent_workspace_users }}"
- name: Configure Woodpecker agent services
ansible.builtin.import_tasks: machinectl.yml
become_method: community.general.machinectl
become_user: "{{ podman_woodpecker_agent_user }}"
become: true

26
roles/podman_woodpecker_agent/tasks/socket-proxy.yml Normal file
View file

@ -0,0 +1,26 @@
---
- name: Install proxy systemd units
ansible.builtin.template:
src: "{{ item }}.j2"
dest: "/etc/systemd/system/{{ item }}"
mode: "0644"
loop:
- woodpecker-proxy@.path
- woodpecker-proxy@.service
- woodpecker-proxy@.socket
notify: Reload systemd daemon
- name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: Install tmpfiles configuration
ansible.builtin.template:
src: tmpfiles.j2
dest: /etc/tmpfiles.d/woodpecker.conf
mode: "0644"
- name: Activate systemd units for the Podman sockets
ansible.builtin.include_tasks: activate-proxies.yml
loop: "{{ podman_woodpecker_agent_workspace_users }}"
loop_control:
loop_var: workspace_user

10
roles/podman_woodpecker_agent/templates/podman-proxy@.path.j2 Normal file
View file

@ -0,0 +1,10 @@
# {{ ansible_managed }}
[Unit]
Description=Watch for the creation of the workspace user Podman socket
[Path]
PathExists=/run/woodpecker/%i.sock
Unit=podman-proxy@%i.target
[Install]
WantedBy=default.target

3
roles/podman_woodpecker_agent/templates/podman-proxy@.target.j2 Normal file
View file

@ -0,0 +1,3 @@
# {{ ansible_managed }}
[Unit]
Description=The proxied socket to the Podman service is available to be mounted

2
roles/podman_woodpecker_agent/templates/tmpfiles.j2 Normal file
View file

@ -0,0 +1,2 @@
# {{ ansible_managed }}
D /run/woodpecker 0750 root woodpecker-agent

10
roles/podman_woodpecker_agent/templates/woodpecker-proxy@.path.j2 Normal file
View file

@ -0,0 +1,10 @@
# {{ ansible_managed }}
[Unit]
Description=Watch for the creation of the workspace user Podman socket
[Path]
PathExists=/run/user/%i/podman/podman.sock
Unit=woodpecker-proxy@%i.socket
[Install]
WantedBy=multi-user.target

9
roles/podman_woodpecker_agent/templates/woodpecker-proxy@.service.j2 Normal file
View file

@ -0,0 +1,9 @@
# {{ ansible_managed }}
[Unit]
Requires=woodpecker-proxy@%i.socket
After=woodpecker-proxy@%i.socket
[Service]
ExecStart=/usr/lib/systemd/systemd-socket-proxyd /run/user/%i/podman/podman.sock
PrivateTmp=yes
PrivateNetwork=yes

8
roles/podman_woodpecker_agent/templates/woodpecker-proxy@.socket.j2 Normal file
View file

@ -0,0 +1,8 @@
# {{ ansible_managed }}
[Unit]
Description=Proxy connections
[Socket]
ListenStream=/run/woodpecker/%i.sock
SocketMode=0660
SocketUser={{ podman_woodpecker_agent_user }}