ronis_0505/cicd
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

v0.1

Browse Source
This commit is contained in:
ronis_0505
2025-07-20 14:53:12 +03:00
commit cd2f49ea82
234 changed files with 52038 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
playbooks/roles/nginx-reconfigure/README.md Normal file
View File

@@ -0,0 +1,38 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).

2
playbooks/roles/nginx-reconfigure/defaults/main.yml Normal file
View File

@@ -0,0 +1,2 @@
---
# defaults file for nginx

19
playbooks/roles/nginx-reconfigure/files/docker_files/certbot/Dockerfile Normal file
View File

@@ -0,0 +1,19 @@
#облегченный образ дебиан
FROM registry-1.docker.io/library/ubuntu:latest
LABEL authors="RONIS"
# Обновление и установка необходимых пакетов с последующей очисткой
RUN sed -i 's|http://archive.ubuntu.com|http://mirror.yandex.ru/ubuntu|' /etc/apt/sources.list && \
apt update && apt install -y certbot python3-certbot-nginx cron && \
apt-get clean && rm -rf /var/lib/apt/lists/*
COPY check_and_create_cert.sh ./
# Проверка наличия сертификата для домена
RUN chmod +x ./check_and_create_cert.sh && echo "0 0 1 * * certbot renew --quiet" | tee -a /etc/crontab > /dev/null
# Запуск скрипта в контейнере при старте "& cron -f" обеспечивает запуск процесса для поддержки контейнера
CMD bash -c "./check_and_create_cert.sh & cron -f"

9
playbooks/roles/nginx-reconfigure/files/docker_files/certbot/check_and_create_cert.sh Normal file
View File

@@ -0,0 +1,9 @@
#!/bin/sh
set -e
if certbot certificates | grep -q "No certificates found."; then
echo "Сертификат не найден. Создаю новый..."
certbot certonly --webroot -w /var/www/certbot/ -d $DOMAIN_URL -d $GIT_DOMAIN -d $DRONE_DOMAIN -m $DOMAIN_EMAIL -d $GRAFANA_DOMAIN --agree-tos --no-eff-email --non-interactive --config-dir /etc/letsencrypt --work-dir /var/lib/letsencrypt --logs-dir /var/log/letsencrypt
else
echo "Сертификат уже существует."
certbot renew -n
fi

53
playbooks/roles/nginx-reconfigure/files/docker_files/nginx-compose.yaml Normal file
View File

@@ -0,0 +1,53 @@
services:
nginx:
container_name: nginx
image: nginx:1.28.0-bookworm
environment:
USER_ID: 1000
USER_GID: 1001
ports:
- "80:80"
- "443:443"
volumes:
- /srv/proxy/nginx/:/etc/nginx/:ro
- /srv/proxy/certbot/letsencrypt:/etc/letsencrypt:ro
- /srv/proxy/certbot/www/:/var/www/certbot/
- /srv/log/nginx:/var/log/nginx
- /srv/proxy/static:/usr/share/nginx/static:ro
restart: unless-stopped
networks:
- cicd_net
- nginx_net
- test_net
- prod_net
- monitoring_net
certbot:
container_name: certbot
build: certbot/
env_file:
- .env
volumes:
- /srv/proxy/certbot/letsencrypt:/etc/letsencrypt
- /srv/proxy/certbot/www/:/var/www/certbot
- /srv/proxy/log/letsencrypt:/var/log/letsencrypt
restart: unless-stopped
user: root
depends_on:
- nginx
networks:
- nginx_net
dns:
- 8.8.8.8
networks:
nginx_net:
external: true
cicd_net:
external: true
test_net:
external: true
prod_net:
external: true
monitoring_net:
external: true

10
playbooks/roles/nginx-reconfigure/files/nginx/mime.types Normal file
View File

@@ -0,0 +1,10 @@
types {
text/html html;
text/css css;
application/javascript js;
text/plain txt;
image/png png;
image/jpeg jpg jpeg;
image/gif gif;
image/svg+xml svg;
}

158
playbooks/roles/nginx-reconfigure/files/nginx/nginx.conf Normal file
View File

@@ -0,0 +1,158 @@
# user nginx;
worker_processes auto;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/error.log warn;
proxy_cache_path /tmp/cache keys_zone=my_cache:10m max_size=1g inactive=60m use_temp_path=off;
client_max_body_size 5G;
gzip on;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
gzip_min_length 1000;
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=5r/s;
# upstream web_backend {
# least_conn;
# server web_backend1:5000;
# server web_backend2:5000;
#
# }
upstream gitea {
least_conn;
server gitea:3000;
}
upstream drone {
least_conn;
server drone:80;
}
server { #https://nginx.org/ru/docs/http/ngx_http_stub_status_module.html
#https://github.com/nginx/nginx-prometheus-exporter
listen 9888;
server_name localhost;
location /nginx_status {
stub_status;
allow all;
# allow 127.0.0.1;
# allow 172.18.0.0/16;
# deny all;
}
}
server {
listen 80;
server_name ronis0505.tech git.ronis0505.tech drone.ronis0505.tech grafana.ronis0505.tech;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
server_name git.ronis0505.tech;
ssl_certificate /etc/letsencrypt/live/ronis0505.tech/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ronis0505.tech/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
include /etc/nginx/shared_locations.conf;
location / {
proxy_pass http://gitea;
client_max_body_size 5G;
include /etc/nginx/proxy_common.conf;
error_page 502 504 /server_not_available.html;
}
}
server {
listen 443 ssl;
server_name grafana.ronis0505.tech;
ssl_certificate /etc/letsencrypt/live/ronis0505.tech/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ronis0505.tech/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
include /etc/nginx/shared_locations.conf;
location / {
proxy_pass http://grafana:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
include /etc/nginx/proxy_common.conf;
error_page 502 504 /server_not_available.html;
}
}
server {
listen 443 ssl;
server_name drone.ronis0505.tech;
ssl_certificate /etc/letsencrypt/live/ronis0505.tech/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ronis0505.tech/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
include /etc/nginx/shared_locations.conf;
location / {
proxy_pass http://drone;
include /etc/nginx/proxy_common.conf;
error_page 502 504 /server_not_available.html;
}
}
server {
listen 443 ssl;
server_name www.ronis0505.tech;
ssl_certificate /etc/letsencrypt/live/ronis0505.tech/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ronis0505.tech/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
include /etc/nginx/shared_locations.conf;
# location /api/ {
# rewrite ^/api/(.*)$ /$1 break; #deleting "/api/" from path
# proxy_pass http://web_backend;
# # proxy_cache my_cache;
# # proxy_cache_valid 200 1h;
# # proxy_cache_valid 404 1m;
# include /etc/nginx/proxy_common.conf;
# error_page 502 504 /server_not_available.html;
# }
}
}

3
playbooks/roles/nginx-reconfigure/files/nginx/proxy_common.conf Normal file
View File

@@ -0,0 +1,3 @@
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;

11
playbooks/roles/nginx-reconfigure/files/nginx/shared_locations.conf Normal file
View File

@@ -0,0 +1,11 @@
location /rate_limit/ {
limit_req zone=api_limit burst=10 nodelay;
}
location /logs/ {
access_log /var/log/nginx/special_access.log;
}
location = /server_not_available.html {
root /usr/share/nginx/static;
}

59
playbooks/roles/nginx-reconfigure/files/static/server_not_available.html Normal file
View File

@@ -0,0 +1,59 @@
<!DOCTYPE html>
<html lang="ru">
<head>
<meta charset="UTF-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1.0"/>
<title>Сервис недоступен</title>
<style>
* {
margin: 0;
padding: 0;
box-sizing: border-box;
}
body {
height: 100vh;
background: linear-gradient(135deg, #4cc713, #2a5298);
display: flex;
align-items: center;
justify-content: center;
color: white;
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
text-align: center;
padding: 20px;
}
.container {
max-width: 600px;
}
.message {
background-color: rgba(128, 128, 128, 0.8); /* grey с 80% непрозрачности */
display: flex;
flex-direction: column;
transform-style: preserve-3d;
padding: 30px 50px;
border-radius: 10px;
box-shadow: 0 0 10px rgba(0, 0, 0, 0.1);
}
h1 {
font-size: 3em;
margin-bottom: 0.5em;
}
p {
font-size: 1.2em;
opacity: 0.8;
}
</style>
</head>
<body>
<div class="message">
<h1>Сервис временно недоступен</h1>
<p>Мы уже работаем над восстановлением. Попробуйте войти позже.</p>
</div>
</body>
</html>

2
playbooks/roles/nginx-reconfigure/handlers/main.yml Normal file
View File

@@ -0,0 +1,2 @@
---
# handlers file for nginx

52
playbooks/roles/nginx-reconfigure/meta/main.yml Normal file
View File

@@ -0,0 +1,52 @@
galaxy_info:
author: your name
description: your role description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.1
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

25
playbooks/roles/nginx-reconfigure/tasks/main.yml Normal file
View File

@@ -0,0 +1,25 @@
---
- name: Copy nginx conf
ansible.builtin.copy:
src: "../files/nginx/"
dest: "/srv/proxy/nginx/"
force: yes
- name: Copy proxy compose
ansible.builtin.copy:
src: "../files/docker_files/"
dest: "/home/{{ main_user }}/workdir/proxy/"
force: yes
- name: Copy proxy static
ansible.builtin.copy:
src: "../files/static/"
dest: "/srv/proxy/static/"
force: yes
- name: Run nginx-compose
community.docker.docker_compose_v2:
project_src: "/home/{{ main_user }}/workdir/proxy/"
files: nginx-compose.yaml
state: present
recreate: always

5
playbooks/roles/nginx-reconfigure/tests/test.yml Normal file
View File

@@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- nginx

2
playbooks/roles/nginx-reconfigure/vars/main.yml Normal file
View File

@@ -0,0 +1,2 @@
---
# vars file for nginx