Merge pull request 'Fix production inventory IPs for listmonk and giteaVM.' (#7) from fix/inventory-host-ips into master

Reviewed-on: #7
ilia 2026-05-20 15:11:31 -05:00
commit 659c6501bf
2 changed files with 35 additions and 188 deletions


@ -85,14 +85,8 @@ jobs:
runs-on: ubuntu-latest
if: needs.skip-ci-check.outputs.should-skip != '1' && (github.event_name == 'pull_request' || github.ref == 'refs/heads/master')
container:
image: ubuntu:22.04
image: node:20-bullseye
steps:
- name: Install Node.js for checkout action
run: |
apt-get update && apt-get install -y curl git
curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
apt-get install -y nodejs
- name: Check out code
uses: actions/checkout@v4
@ -120,12 +114,8 @@ jobs:
echo "ANSIBLE_CONFIG=/tmp/ci-ansible.cfg" >> "$GITHUB_ENV"
echo "ANSIBLE_INVENTORY=/tmp/ci-inventory.ini" >> "$GITHUB_ENV"
- name: Install Python and dependencies
run: |
apt-get update && apt-get install -y python3 python3-pip
- name: Install Ansible and linting tools
run: pip3 install --no-cache-dir ansible ansible-lint yamllint
run: pip3 install --no-cache-dir ansible ansible-lint yamllint pyyaml
- name: Install Ansible collections
run: |
@ -146,19 +136,18 @@ jobs:
if: needs.skip-ci-check.outputs.should-skip != '1'
runs-on: ubuntu-latest
container:
image: zricethezav/gitleaks:latest
image: node:20-bullseye
steps:
- name: Install Node.js for checkout action
run: |
apk add --no-cache nodejs npm curl
- name: Check out code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Scan for secrets
run: gitleaks detect --source . --no-banner --redact --exit-code 0
- name: Install and run Gitleaks
run: |
curl -sSfL https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz \
| tar -xz -C /usr/local/bin gitleaks
gitleaks detect --source . --no-banner --redact --exit-code 0
continue-on-error: true
dependency-scan:
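Review bot: The new install line `curl -sSfL https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/... | tar -xz -C /usr/local/bin gitleaks` streams a binary from the network straight into `/usr/local/bin` with no integrity check, so the version pin fixes only the URL, not what is executed; the Trivy download that moved to `curl -fsSL "${TRIVY_URL}" -o /tmp/trivy.tar.gz` in the `@ -438,7 +367,7` hunk has the same gap. Download to a file, compare it against a SHA-256 recorded in the workflow (copied from the release's published checksums), and extract only after the check passes, as sketched below. The carried-over `--exit-code 0` together with `continue-on-error: true` on the step still means findings can never fail the job, so the scan is informational only; that is unchanged by this commit but deserves a comment on the step such as `# Findings are logged only; --exit-code 0 keeps the job green`. The enclosing job definition continues past the hunk.

```yaml
      - name: Install and run Gitleaks
        run: |
          set -euo pipefail
          GITLEAKS_VERSION="8.21.2"
          # Expected SHA-256 of gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz, copied from the release's checksum file
          GITLEAKS_SHA256="<sha256-from-release-checksums>"  # placeholder
          curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" -o /tmp/gitleaks.tar.gz
          echo "${GITLEAKS_SHA256}  /tmp/gitleaks.tar.gz" | sha256sum -c -
          tar -xz -C /usr/local/bin -f /tmp/gitleaks.tar.gz gitleaks
          # … unchanged: gitleaks detect invocation …
```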
@ -166,75 +155,43 @@ jobs:
if: needs.skip-ci-check.outputs.should-skip != '1'
runs-on: ubuntu-latest
container:
image: aquasec/trivy:latest
image: node:20-bullseye
steps:
- name: Install Node.js for checkout action
run: |
apk add --no-cache nodejs npm curl
- name: Check out code
uses: actions/checkout@v4
- name: Show dependency manifests (debug)
- name: Scan npm dependencies
run: |
set -e
echo "Repo root:"
ls -la
echo ""
echo "Common dependency manifests:"
ls -la package.json package-lock.json requirements.txt pyproject.toml poetry.lock Pipfile Pipfile.lock 2>/dev/null || true
echo ""
echo "Count of lock/manifests found:"
find . -maxdepth 3 -type f \( \
-name "package-lock.json" -o \
-name "pnpm-lock.yaml" -o \
-name "yarn.lock" -o \
-name "requirements.txt" -o \
-name "pyproject.toml" -o \
-name "poetry.lock" -o \
-name "Pipfile.lock" \
\) | wc -l
if [ -f package-lock.json ]; then
npm ci
npm audit --audit-level=high
else
echo "No package-lock.json, skipping npm audit"
fi
continue-on-error: true
- name: Dependency vulnerability scan (Trivy)
- name: Scan Python dependencies
run: |
trivy fs \
--scanners vuln \
--severity HIGH,CRITICAL \
--ignore-unfixed \
--timeout 10m \
--skip-dirs .git,node_modules \
--exit-code 0 \
.
- name: Secret scan (Trivy)
run: |
trivy fs \
--scanners secret \
--timeout 10m \
--skip-dirs .git,node_modules \
--exit-code 0 \
.
if [ -f requirements.txt ]; then
pip3 install --no-cache-dir pip-audit
pip-audit -r requirements.txt
else
echo "No requirements.txt, skipping pip-audit"
fi
continue-on-error: true
sast-scan:
needs: skip-ci-check
if: needs.skip-ci-check.outputs.should-skip != '1'
runs-on: ubuntu-latest
container:
image: ubuntu:22.04
image: node:20-bullseye
steps:
- name: Install Node.js for checkout action
run: |
apt-get update && apt-get install -y curl
curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
apt-get install -y nodejs
- name: Check out code
uses: actions/checkout@v4
- name: Install Semgrep
run: |
apt-get update && apt-get install -y python3 python3-pip
pip3 install semgrep
run: pip3 install --no-cache-dir semgrep
- name: Run Semgrep scan
run: semgrep --config=auto --error
@ -268,21 +225,11 @@ jobs:
if: needs.skip-ci-check.outputs.should-skip != '1'
runs-on: ubuntu-latest
container:
image: ubuntu:22.04
image: node:20-bullseye
steps:
- name: Install Node.js for checkout action
run: |
apt-get update && apt-get install -y curl
curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
apt-get install -y nodejs
- name: Check out code
uses: actions/checkout@v4
- name: Install Python and dependencies
run: |
apt-get update && apt-get install -y python3 python3-pip
- name: Install Ansible
run: pip3 install --no-cache-dir ansible
@ -322,14 +269,8 @@ jobs:
if: needs.skip-ci-check.outputs.should-skip != '1'
runs-on: ubuntu-latest
container:
image: ubuntu:22.04
image: node:20-bullseye
steps:
- name: Install Node.js for checkout action
run: |
apt-get update && apt-get install -y curl
curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
apt-get install -y nodejs
- name: Check out code
uses: actions/checkout@v4
@ -375,10 +316,6 @@ jobs:
echo "ANSIBLE_CONFIG=/tmp/ci-ansible.cfg" >> "$GITHUB_ENV"
echo "ANSIBLE_INVENTORY=/tmp/ci-inventory.ini" >> "$GITHUB_ENV"
- name: Install Python and dependencies
run: |
apt-get update && apt-get install -y python3 python3-pip
- name: Install Ansible
run: pip3 install --no-cache-dir ansible
@ -415,22 +352,14 @@ jobs:
if: needs.skip-ci-check.outputs.should-skip != '1'
runs-on: ubuntu-latest
container:
image: ubuntu:22.04
image: node:20-bullseye
steps:
- name: Install Node.js for checkout action
run: |
apt-get update && apt-get install -y curl
curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
apt-get install -y nodejs
- name: Check out code
uses: actions/checkout@v4
- name: Install Trivy
run: |
set -e
apt-get update && apt-get install -y wget curl tar
# Use a fixed, known-good Trivy version to avoid URL/redirect issues
TRIVY_VERSION="0.58.2"
TRIVY_URL="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
@ -438,7 +367,7 @@ jobs:
echo "Installing Trivy version: ${TRIVY_VERSION}"
echo "Downloading from: ${TRIVY_URL}"
if ! wget --progress=bar:force "${TRIVY_URL}" -O /tmp/trivy.tar.gz 2>&1; then
if ! curl -fsSL "${TRIVY_URL}" -o /tmp/trivy.tar.gz; then
echo "❌ Failed to download Trivy archive"
echo "Checking if file was partially downloaded:"
ls -lh /tmp/trivy.tar.gz 2>/dev/null || echo "No file found"
@ -487,99 +416,17 @@ jobs:
if: needs.skip-ci-check.outputs.should-skip != '1' && (github.event_name == 'pull_request' || github.ref == 'refs/heads/master')
runs-on: ubuntu-latest
container:
image: ubuntu:22.04
image: sonarsource/sonar-scanner-cli:5.0.1.3006
env:
SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
steps:
- name: Install Node.js for checkout action
run: |
apt-get update && apt-get install -y curl
curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
apt-get install -y nodejs
run: apk add --no-cache nodejs npm curl
- name: Check out code
uses: actions/checkout@v4
- name: Install Java and SonarScanner
run: |
set -e
apt-get update && apt-get install -y wget curl unzip openjdk-21-jre
# Use a known working version to avoid download issues
SONAR_SCANNER_VERSION="5.0.1.3006"
SCANNER_URL="https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux.zip"
echo "Installing SonarScanner version: ${SONAR_SCANNER_VERSION}"
echo "Downloading from: ${SCANNER_URL}"
# Download with verbose error output
if ! wget --progress=bar:force "${SCANNER_URL}" -O /tmp/sonar-scanner.zip 2>&1; then
echo "❌ Failed to download SonarScanner"
echo "Checking if file was partially downloaded:"
ls -lh /tmp/sonar-scanner.zip 2>/dev/null || echo "No file found"
exit 1
fi
# Verify download
if [ ! -f /tmp/sonar-scanner.zip ] || [ ! -s /tmp/sonar-scanner.zip ]; then
echo "❌ Downloaded file is missing or empty"
exit 1
fi
echo "Download complete. File size: $(du -h /tmp/sonar-scanner.zip | cut -f1)"
echo "Extracting SonarScanner..."
if ! unzip -q /tmp/sonar-scanner.zip -d /tmp; then
echo "❌ Failed to extract SonarScanner"
echo "Archive info:"
file /tmp/sonar-scanner.zip || true
unzip -l /tmp/sonar-scanner.zip 2>&1 | head -20 || true
exit 1
fi
# Find the extracted directory (handle both naming conventions)
EXTRACTED_DIR=""
if [ -d "/tmp/sonar-scanner-${SONAR_SCANNER_VERSION}-linux" ]; then
EXTRACTED_DIR="/tmp/sonar-scanner-${SONAR_SCANNER_VERSION}-linux"
elif [ -d "/tmp/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux" ]; then
EXTRACTED_DIR="/tmp/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux"
else
# Try to find any sonar-scanner directory
EXTRACTED_DIR=$(find /tmp -maxdepth 1 -type d -name "*sonar-scanner*" | head -1)
fi
if [ -z "$EXTRACTED_DIR" ] || [ ! -d "$EXTRACTED_DIR" ]; then
echo "❌ SonarScanner directory not found after extraction"
echo "Contents of /tmp:"
ls -la /tmp/ | grep -E "(sonar|zip)" || ls -la /tmp/ | head -20
exit 1
fi
echo "Found extracted directory: ${EXTRACTED_DIR}"
mv "${EXTRACTED_DIR}" /opt/sonar-scanner
# Create symlink
if [ -f /opt/sonar-scanner/bin/sonar-scanner ]; then
ln -sf /opt/sonar-scanner/bin/sonar-scanner /usr/local/bin/sonar-scanner
chmod +x /opt/sonar-scanner/bin/sonar-scanner
chmod +x /usr/local/bin/sonar-scanner
else
echo "❌ sonar-scanner binary not found in /opt/sonar-scanner/bin/"
echo "Contents of /opt/sonar-scanner/bin/:"
ls -la /opt/sonar-scanner/bin/ || true
exit 1
fi
echo "Verifying installation..."
if ! sonar-scanner --version; then
echo "❌ SonarScanner verification failed"
echo "PATH: $PATH"
which sonar-scanner || echo "sonar-scanner not in PATH"
exit 1
fi
echo "✓ SonarScanner installed successfully"
- name: Verify SonarQube connection
run: |
echo "Checking SonarQube connectivity..."


@ -28,12 +28,12 @@ tailscaleVM ansible_host=100.66.218.53 ansible_user=ladmin
[services]
caddy ansible_host=10.0.10.50 ansible_user=root
jellyfin ansible_host=10.0.10.232 ansible_user=root
listmonk ansible_host=10.0.10.149 ansible_user=root
listmonk ansible_host=10.0.10.148 ansible_user=root
nextcloud ansible_host=10.0.10.25 ansible_user=root
actual ansible_host=10.0.10.158 ansible_user=root
vikanjans ansible_host=10.0.10.159 ansible_user=root
n8n ansible_host=10.0.10.154 ansible_user=root
giteaVM ansible_host=10.0.30.169 ansible_user=root
giteaVM ansible_host=10.0.10.169 ansible_user=root
portainerVM ansible_host=10.0.30.69 ansible_user=ladmin
homepageVM ansible_host=10.0.30.12 ansible_user=homepage
vaultwardenVM ansible_host=10.0.10.142 ansible_user=ladmin