save

gitlab-runner-z.yml

+---
+  - hosts: gitlab-runner-z
+    remote_user: root
+    vars:
+      service_path: gitlab-runner-{{inventory_hostname}}
+      service_name: gitlab-runner
+      instances:
+        - url: https://gitlab.com
+          token: '{{token}}'
+    tasks:
+      - name: directory
+        file:
+          path: '{{ ansible_user_dir }}/{{ service_path }}'
+          state: directory
+          recurse: true
+      - name: docker-compose file
+        template:
+          src: 'files/services/{{ service_name }}/docker-compose.yml.j2'
+          dest: '{{ ansible_user_dir }}/{{ service_path }}/docker-compose.yml'
+      - name: docker-compose up -d
+        docker_compose:
+          project_src: '{{ ansible_user_dir }}/{{ service_path }}'
+          remove_orphans: true
+          build: false
+          pull: '{{pull}}'
+      - name: register
+        shell: |
+          {% for instance in instances %}
+          docker-compose exec -T runner gitlab-runner register --non-interactive --url '{{ instance.url }}' --token '{{ instance.token }}' --executor '{{ instance.type | default("docker") }}' --docker-volumes /cache {% if instance.docker | default(false) %} --docker-privileged --docker-volumes /var/run/docker.sock:/var/run/docker.sock --docker-image docker:20-git {% else %} --docker-image git-registry.moenext.com/mycard/docker-runner-base:latest {% endif %}
+
+          {% endfor %}
+        args:
+          chdir: '{{ ansible_user_dir }}/{{ service_path }}'
+          creates: '{{ ansible_user_dir }}/{{ service_path }}/config/config.toml'
+        notify: restart_runner
+        when: instances is defined and instances
+      - name: fixup cocurrent
+        become: true
+        lineinfile:
+          path: '{{ ansible_user_dir }}/{{ service_path }}/config/config.toml'
+          regexp: '^concurrent = 1'
+          line: 'concurrent = {{ansible_processor_vcpus}}'
+          backrefs: true
+        notify: restart_runner
+        when: ansible_processor_vcpus|int > 1
+    handlers:
+      - name: restart_runner
+        include_tasks: 'handlers/docker.yaml'
+        vars:
+          handler: 
+            type: docker
+            path: '{{ ansible_user_dir }}/{{ service_path }}'
+            services:
+              - runner

gitlab-runner.yml

@@ -23,7 +23,7 @@
       - name: register
         shell: |
           {% for instance in instances %}
-          docker-compose exec -T runner gitlab-runner register --non-interactive --url '{{ instance.url }}' --registration-token '{{ instance.token }}' --description '{{ instance.desc }} runner on {{ inventory_hostname }}' --executor '{{ instance.type | default("docker") }}' --docker-volumes /cache {% if instance.docker | default(false) %} --tag-list docker{% if ansible_architecture == 'aarch64' %}-arm{% endif %} --docker-privileged --docker-volumes /var/run/docker.sock:/var/run/docker.sock --docker-image docker:20-git {% else %} --tag-list {% if ansible_architecture == 'aarch64' %}arm{% else %}linux{% endif %} --docker-image git-registry.mycard.moe/mycard/docker-runner-base:latest {% endif %}
+          docker-compose exec -T runner gitlab-runner register --non-interactive --url '{{ instance.url }}' --registration-token '{{ instance.token }}' --description '{{ instance.desc }} runner on {{ inventory_hostname }}' --executor '{{ instance.type | default("docker") }}' --docker-volumes /cache {% if instance.docker | default(false) %} --tag-list docker{% if ansible_architecture == 'aarch64' %}-arm{% endif %} --docker-privileged --docker-volumes /var/run/docker.sock:/var/run/docker.sock --docker-image docker:20-git {% else %} --tag-list {% if ansible_architecture == 'aarch64' %}arm{% else %}linux{% endif %} --docker-image git-registry.moenext.com/mycard/docker-runner-base:latest {% endif %}
 
           {% endfor %}
         args:

handlers/docker-all.yaml

@@ -3,3 +3,10 @@
   docker_compose:
     project_src: '{{handler.path}}'
     restarted: yes
+  when: not (v2_format is defined and v2_format)
+- name: restart all docker services v2
+  shell: |
+    docker compose restart
+  args:
+    chdir: '{{handler.path}}'
+  when: v2_format is defined and v2_format

handlers/docker.yaml

@@ -4,9 +4,21 @@
     project_src: '{{handler.path}}'
     restarted: yes
     services: '{{handler.services}}'
-  when: handler.services[0] != 'all'
+  when: handler.services[0] != 'all' and not (v2_format is defined and v2_format)
 - name: restart all docker services
   docker_compose:
     project_src: '{{handler.path}}'
     restarted: yes
-  when: handler.services[0] == 'all'
+  when: handler.services[0] == 'all' and not (v2_format is defined and v2_format)
+- name: restart docker services v2
+  shell: |
+    docker compose restart {{handler.services | join(' ')}}
+  args:
+    chdir: '{{handler.path}}'
+  when: handler.services[0] != 'all' and v2_format is defined and v2_format
+- name: restart all docker services v2
+  shell: |
+    docker compose restart
+  args:
+    chdir: '{{handler.path}}'
+  when: handler.services[0] == 'all' and v2_format is defined and v2_format

patch-python-docker.yml

+---
+- hosts: init
+  tasks:
+    - name: 检查 docker pip 包的版本
+      command: pip show docker
+      register: docker_version
+      changed_when: false
+      failed_when: docker_version.rc != 0
+
+    - name: 提取 docker 版本号
+      set_fact:
+        installed_docker_version: "{{ docker_version.stdout | regex_search('Version: ([0-9.]+)', '\\1') | first }}"
+      when: docker_version.rc == 0
+
+    - name: 检查 docker 版本是否为 6.1.3
+      debug:
+        msg: "Docker pip 包版本为 {{installed_docker_version}}"
+
+    - name: 替换 compose/service.py 文件
+      become: true
+      copy:
+        src: ./files/docker-service-patch.py
+        dest: "/usr/local/lib/python{{ ansible_python.version.major }}.{{ ansible_python.version.minor }}/dist-packages/compose/service.py"
+        backup: yes
+      when: installed_docker_version == '6.1.3'

prepare.yml

@@ -3,6 +3,11 @@
     remote_user: nanahira
     gather_facts: false
     tasks:
+      - name: authorized_key
+        authorized_key:
+          user: "{{ ansible_ssh_user }}"
+          key: "{{ authorized_keys }}"
+        when: authorized_keys
       - name: sudoers
         become: true
         copy:
@@ -12,9 +17,3 @@
           group: root
           mode: 0700
         when: ansible_ssh_user != 'root'
-      - name: some apt packages
-        become: true
-        apt:
-          name: python3-distro,gnupg2
-          update_cache: true
-        ignore_errors: true

tasks/srvpro/common.yml

@@ -18,7 +18,7 @@
   when: srvpro_branch is not defined
 - name: srvpro
   git:
-    repo: 'https://code.mycard.moe/{{srvpro_fork}}/srvpro'
+    repo: 'https://code.moenext.com/{{srvpro_fork}}/srvpro'
     dest: '{{home_path}}/ygopro-server'
     version: '{{srvpro_branch}}'
     force: true

tasks/srvpro/windbot.yml

@@ -8,7 +8,7 @@
   when: windbot_branch is not defined
 - name: windbot
   git:
-    repo: 'https://code.mycard.moe/{{windbot_fork}}/windbot'
+    repo: 'https://code.moenext.com/{{windbot_fork}}/windbot'
     dest: '{{home_path}}/windbot'
     version: '{{windbot_branch}}'
     force: true

tasks/srvpro/ygopro.yml

@@ -8,7 +8,7 @@
   when: ygopro_branch is not defined
 - name: ygopro
   git:
-    repo: 'https://code.mycard.moe/{{ygopro_fork}}/ygopro'
+    repo: 'https://code.moenext.com/{{ygopro_fork}}/ygopro'
     dest: '{{ygopro_path}}'
     version: '{{ygopro_branch}}'
     force: true

tasks/znode-tester-wg.yml

+- name: '{{ item.hostname }}: wg config file'
+  become: true
+  copy:
+    dest: '/etc/wireguard/{{ item.wg_tunname }}.conf'
+    content: |
+      [Interface]
+      Address = {{ wg_testip }}
+      PrivateKey = {{ wg_privkey }}
+      Table = off
+
+      [Peer]
+      PublicKey = {{ item.wg_pubkey }}
+      AllowedIPs = 0.0.0.0/0
+      Endpoint = {{ item.hostname }}:44000
+      PersistentKeepalive = 1
+  register: wg_conf
+- name: '{{ item.hostname }}: launch wg-quick'
+  become: true
+  systemd:
+    name: wg-quick@{{ item.wg_tunname }}
+    enabled: true
+    state: started
+- name: '{{ item.hostname }}: restart wg'
+  become: true
+  systemd:
+    name: wg-quick@{{ item.wg_tunname }}
+    state: restarted
+  when: wg_conf.changed

znode-certs.yml

+---
+  - hosts: znodes
+    remote_user: root
+    tasks:
+      - name: directory
+        file:
+          path: '{{ansible_user_dir}}/{{item}}'
+          state: directory
+        with_items:
+          - certbot
+          - certs
+      - name: set docker-compose var
+        set_fact:
+          #certbot_entrypoint: |
+          #  #!/bin/sh
+          #  certbot "$@"
+          #  # run every 24 hours
+          #  while true; do
+          #    sleep 86400
+          #    certbot "$@"
+          #  done
+          certbot_docker_compose:
+            version: '2.4'
+            services:
+              certbot:
+                image: certbot/certbot
+                ports:
+                  - '80:80'
+                command: certonly --agree-tos --manual-public-ip-logging-ok --non-interactive -m ssl-{{inventory_hostname_short}}@mypaperai.com --preferred-challenges http-01 --standalone --key-type rsa --cert-name {{ansible_ssh_host}}
+                    --server {{acme_server}} --eab-kid {{acme_kid}} --eab-hmac-key {{acme_key}}
+                    -d {{ansible_ssh_host}}
+                volumes:
+                  - ./certbot:/etc/letsencrypt
+                  # - ./entrypoint.sh:/entrypoint.sh
+      - name: docker-compose.yml
+        copy:
+          content: '{{ certbot_docker_compose | to_nice_yaml }}'
+          dest: '{{ansible_user_dir}}/certbot/docker-compose.yml'
+      #- name: entrypoint.sh
+      #  copy:
+      #    content: '{{ certbot_entrypoint }}'
+      #   dest: '{{ansible_user_dir}}/certbot/entrypoint.sh'
+      #    # set permissions
+      #    mode: '0755'
+      - name: docker-compose up
+        shell: docker compose up
+        args:
+          chdir: '{{ansible_user_dir}}/certbot'
+        changed_when: false
+      #- name: wait for certificate generated
+      #  wait_for:
+      #    path: '{{ansible_user_dir}}/certbot/certbot/live/{{ansible_ssh_host}}/fullchain.pem'
+      #    state: present
+      #    timeout: 300
+      - name: copy certificate
+        copy:
+          src: '{{ansible_user_dir}}/certbot/certbot/live/{{ansible_ssh_host}}/{{item}}'
+          dest: '{{ansible_user_dir}}/certs/{{item}}'
+          follow: true
+          remote_src: true
+        with_items:
+          - fullchain.pem
+          - privkey.pem
+          - cert.pem
+          - chain.pem
+        notify: restart_ikev2
+    handlers:
+      - name: restart_ikev2
+        docker_compose:
+          project_src: '{{ansible_user_dir}}/zeeai-ikev2'
+          restarted: true
+          services:
+            - strongswan
+        failed_when: false

znode-wg.yml

@@ -14,6 +14,9 @@
             network_mode: host
             volumes:
               - ./data:/etc/openvpn
+            command:
+              - ovpn_run
+              - --duplicate-cn
       openvpn_client_name: orange
     tasks:
       - name: public key
@@ -35,6 +38,14 @@
             Address = {{ wg_address }}
             PrivateKey = {{ wg_privkey }}
             ListenPort = {{ wg_port }}
+
+            {% if wg_tests is defined and wg_tests %}
+            {% for wg_test in wg_tests %}
+            [Peer]
+            PublicKey = {{ wg_test.pubkey }}
+            AllowedIPs = {{ wg_test.ip }}/32
+            {% endfor %}
+            {% endif %}
         notify: restart_wg
       - name: launch wg-quick
         become: true
@@ -67,10 +78,15 @@
         args:
           creates: '{{ansible_user_dir}}/openvpn/{{ openvpn_client_name }}.ovpn.base64'
       - name: docker-compose up -d
-        docker_compose:
-          project_src: '{{ansible_user_dir}}/openvpn'
-          state: present
-          remove_orphans: true
+        #docker_compose:
+        #  project_src: '{{ansible_user_dir}}/openvpn'
+        #  state: present
+        #  remove_orphans: true
+        shell: |
+          docker compose up -d --remove-orphans
+        args:
+          chdir: '{{ansible_user_dir}}/openvpn'
+        changed_when: false
       - name: collect openvpn file
         fetch:
           src: '{{ansible_user_dir}}/openvpn/{{ openvpn_client_name }}.ovpn.base64'

ztester.yml

+---
+  - hosts: ztester
+    remote_user: root
+    vars:
+      openvpn_dockerfile: |
+        FROM debian:bookworm-slim
+        RUN apt-get update && apt-get install -y openvpn curl bash && rm -rf /var/lib/apt/lists/* /var/cache/apt/* /var/log/* /tmp/* /var/tmp/*
+    tasks:
+      - name: load config
+        include_vars:
+          file: '/home/nanahira/zeeai/net-backend/data/tester-vars.yaml'
+      - name: wireguard connections
+        include_tasks: tasks/znode-tester-wg.yml
+        with_items: '{{ endpoints }}'
+      - name: tester directory
+        file:
+          path: '{{ansible_user_dir}}/znode-tester/{{item}}'
+          state: directory
+          recurse: true
+        with_items:
+          - build
+          - openvpn-config
+          - test-script
+      - name: openvpn dockerfile
+        copy:
+          dest: '{{ansible_user_dir}}/znode-tester/build/Dockerfile'
+          content: '{{ openvpn_dockerfile }}'
+      - name: test script
+        copy:
+          dest: '{{ansible_user_dir}}/znode-tester/test-script/test.sh'
+          content: |
+            #!/bin/bash
+            # loop forever
+            while true; do
+              {% for test in tests %}
+              echo "Testing {{ test.hostname }} with protocol {{ test.protocol }}"
+              curl -4 --interface {{ test.interface }} --connect-timeout 5 --retry 3 --retry-max-time 15 -L -H 'x-server-token: {{ server_token }}' 'https://api-dev.networkconnet.com/api/connectivity/ping?protocol={{ test.protocol }}&endpointId={{ test.endpointId }}&tester={{ inventory_hostname_short }}'
+              status=$?
+              echo
+              if [ $status -ne 0 ]; then
+                echo "Failed to connect to {{ test.hostname }} with protocol {{ test.protocol }}"
+                # request again with non-binding interface
+                curl -4 --connect-timeout 5 --retry 3 --retry-max-time 15 -sL -o /dev/null -H 'x-server-token: {{ server_token }}' 'https://api-dev.networkconnet.com/api/connectivity/ping?protocol={{ test.protocol }}&endpointId={{ test.endpointId }}&tester={{ inventory_hostname_short }}&bad=1'
+              fi
+              {% endfor %}
+              sleep 300
+            done
+          mode: '0755'
+        notify: restart_tester
+      - name: openvpn config file
+        copy:
+          content: '{{ item.openvpn_config_file }}'
+          dest: '{{ansible_user_dir}}/znode-tester/openvpn-config/{{ item.hostname }}.ovpn'
+        with_items: '{{ endpoints }}'
+        notify: restart_all
+      - name: docker compose file
+        copy:
+          dest: '{{ansible_user_dir}}/znode-tester/docker-compose.yml'
+          content: '{{ docker_compose_file | to_nice_yaml }}'
+      #- name: docker-compose up -d
+      #  docker_compose:
+      #    project_src: '{{ansible_user_dir}}/znode-tester'
+      #    state: present
+      #    build: true
+      #    remove_orphans: true
+      - name: docker-compose up -d
+        shell: |
+          docker compose up -d --build --remove-orphans
+        args:
+          chdir: '{{ansible_user_dir}}/znode-tester'
+        changed_when: false
+    handlers:
+      - name: restart_tester
+        shell: |
+          docker compose restart tester
+        args:
+          chdir: '{{ansible_user_dir}}/znode-tester'
+        #docker_compose:
+        #  project_src: '{{ansible_user_dir}}/znode-tester'
+        #  restarted: true
+        #  services:
+        #    - tester
+      - name: restart_all
+        #docker_compose:
+        #  project_src: '{{ansible_user_dir}}/znode-tester'
+        #  restarted: true
+        shell: |
+          docker compose restart
+        args:
+          chdir: '{{ansible_user_dir}}/znode-tester'