Add harbor to ansible

2023-12-11 21:39:01 +01:00 · 2023-12-11 21:39:01 +01:00 · 3175b6a42b
commit 3175b6a42b
parent 67d0c8d875
13 changed files with 158 additions and 769 deletions
--- a/_ansible/node002.yml
+++ b/_ansible/node002.yml
@ -7,6 +7,7 @@
    - faas
    - forgejo
    - forgejo-runner
+    - harbor
    - healthcheck
    - homebox
    - influxdb
--- a/_ansible/roles/harbor/files/msrg.cc.log.config
+++ b/_ansible/roles/harbor/files/msrg.cc.log.config
@ -0,0 +1,22 @@
+version: 1
+
+formatters:
+  precise:
+   format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+
+handlers:
+  console:
+    class: logging.StreamHandler
+    formatter: precise
+
+loggers:
+    synapse.storage.SQL:
+        # beware: increasing this to DEBUG will make synapse log sensitive
+        # information such as access tokens.
+        level: INFO
+
+root:
+    level: INFO
+    handlers: [console]
+
+disable_existing_loggers: false
--- a/_ansible/roles/harbor/tasks/main.yml
+++ b/_ansible/roles/harbor/tasks/main.yml
@ -0,0 +1,35 @@
+---
+- name: Deploy {{ svc.name }}
+  tags:
+    - harbor
+    - registry
+  block:
+    - import_tasks: steps/create-service-directory.yml
+    - import_tasks: steps/template-site-config.yml
+
+    - name: Template config
+      ansible.builtin.template:
+        src: service.yml.j2
+        dest: "{{ (service_path, 'harbor.yml') | path_join }}"
+        mode: "0644"
+
+    - name: Download harbor
+      ansible.builtin.unarchive:
+        src: https://github.com/goharbor/harbor/releases/download/v{{ svc.harbor_version }}/harbor-online-installer-v{{ svc.harbor_version }}.tgz
+        dest: "{{ service_path }}"
+        remote_src: yes
+
+    - name: Run the harbor prepare command
+      ansible.builtin.command:
+        cmd: "{{ service_path }}/harbor/prepare"
+        chdir: "{{ service_path }}"
+      environment:
+        HARBOR_BUNDLE_DIR: "{{ service_path }}"
+
+    - name: Run the harbor install command
+      ansible.builtin.command:
+        cmd: "{{ service_path }}/harbor/install.sh"
+        chdir: "{{ service_path }}"
+      environment:
+        HARBOR_BUNDLE_DIR: "{{ service_path }}"
+      become: true
--- a/_ansible/roles/harbor/vars/main.yml
+++ b/_ansible/roles/harbor/vars/main.yml
@ -0,0 +1,96 @@
+svc_ports:
+  http: 20080
+  https: 20443
+  metrics: 29000
+
+svc:
+  name: harbor
+  domain: "registry.serguzim.me"
+  caddy_extra: |
+    reverse_proxy /metrics host.docker.internal:{{ svc_ports.metrics }}
+    reverse_proxy host.docker.internal:{{ svc_ports.https }} {
+        transport http {
+            tls
+            tls_server_name registry.serguzim.me
+        }
+    }
+  caddy_default: false
+  db:
+    host: "{{ postgres.host }}"
+    port: "{{ postgres.port }}"
+    database: harbor
+    user: "{{ vault_harbor.db.user }}"
+    pass: "{{ vault_harbor.db.pass }}"
+  harbor_version: 2.9.0
+
+svc_yml:
+  hostname: "{{ svc.domain }}"
+  http:
+    port: "{{ svc_ports.http }}"
+  https:
+    port: "{{ svc_ports.https }}"
+    certificate: /opt/services/.lego/certificates/registry.serguzim.me.crt
+    private_key: /opt/services/.lego/certificates/registry.serguzim.me.key
+  external_url: https://registry.serguzim.me
+  harbor_admin_password: "{{ vault_harbor.admin_password }}"
+  data_volume: "{{ (service_path, 'data') | path_join }}"
+  storage_service:
+    s3:
+      accesskey: "{{ vault_harbor.minio.accesskey }}"
+      secretkey: "{{ vault_harbor.minio.secretkey }}"
+      region: de-contabo-1
+      regionendpoint: https://s3.serguzim.me
+      bucket: registry
+      secure: true
+  trivy:
+    ignore_unfixed: false
+    skip_update: false
+    offline_scan: false
+    security_check: vuln
+    insecure: false
+  jobservice:
+    max_job_workers: 10
+    job_loggers:
+      - STD_OUTPUT
+      - FILE
+    logger_sweeper_duration: 1
+  notification:
+    webhook_job_max_retry: 3
+    webhook_job_http_client_timeout: 3
+  log:
+    level: info
+    local:
+      rotate_count: 50
+      rotate_size: 200M
+      location: /var/log/harbor
+  _version: "{{ svc.harbor_version }}"
+  external_database:
+    harbor:
+      host: "{{ svc.db.host }}"
+      port: "{{ svc.db.port }}"
+      db_name: "{{ svc.db.database }}"
+      username: "{{ svc.db.user }}"
+      password: "{{ svc.db.pass }}"
+      ssl_mode: verify-full
+      max_idle_conns: 2
+      max_open_conns: 0
+  proxy:
+    http_proxy: null
+    https_proxy: null
+    no_proxy: null
+    components:
+      - core
+      - jobservice
+      - trivy
+  metric:
+    enabled: enabled
+    port: "{{ svc_ports.metrics }}"
+    path: /metrics
+  upload_purging:
+    enabled: true
+    age: 168h
+    interval: 24h
+    dryrun: false
+  cache:
+    enabled: false
+    expire_hours: 24
--- a/_ansible/templates/caddy_site.conf.j2
+++ b/_ansible/templates/caddy_site.conf.j2
@ -14,6 +14,7 @@

 {{ svc.caddy_extra | indent(width='\t', first=True) if svc.caddy_extra|default(false) }}

+{% if svc.caddy_default|default(true) %}
 	handle {
 {% if svc.faas_function|default(false) %}
 		import faas {{ svc.faas_function }}
@ -21,6 +22,7 @@
 		reverse_proxy {{ svc.docker_host|default(svc.name) }}:{{ svc.port }}
 {% endif %}
 	}
+{% endif %}
 }

 {% if svc.www_domain|default(false) %}