diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 71e8932..0843136 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -85,14 +85,8 @@ jobs: runs-on: ubuntu-latest if: needs.skip-ci-check.outputs.should-skip != '1' && (github.event_name == 'pull_request' || github.ref == 'refs/heads/master') container: - image: ubuntu:22.04 + image: node:20-bullseye steps: - - name: Install Node.js for checkout action - run: | - apt-get update && apt-get install -y curl git - curl -fsSL https://deb.nodesource.com/setup_20.x | bash - - apt-get install -y nodejs - - name: Check out code uses: actions/checkout@v4 @@ -120,12 +114,8 @@ jobs: echo "ANSIBLE_CONFIG=/tmp/ci-ansible.cfg" >> "$GITHUB_ENV" echo "ANSIBLE_INVENTORY=/tmp/ci-inventory.ini" >> "$GITHUB_ENV" - - name: Install Python and dependencies - run: | - apt-get update && apt-get install -y python3 python3-pip - - name: Install Ansible and linting tools - run: pip3 install --no-cache-dir ansible ansible-lint yamllint + run: pip3 install --no-cache-dir ansible ansible-lint yamllint pyyaml - name: Install Ansible collections run: | @@ -146,19 +136,18 @@ jobs: if: needs.skip-ci-check.outputs.should-skip != '1' runs-on: ubuntu-latest container: - image: zricethezav/gitleaks:latest + image: node:20-bullseye steps: - - name: Install Node.js for checkout action - run: | - apk add --no-cache nodejs npm curl - - name: Check out code uses: actions/checkout@v4 with: fetch-depth: 0 - - name: Scan for secrets - run: gitleaks detect --source . --no-banner --redact --exit-code 0 + - name: Install and run Gitleaks + run: | + curl -sSfL https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz \ + | tar -xz -C /usr/local/bin gitleaks + gitleaks detect --source . --no-banner --redact --exit-code 0 continue-on-error: true dependency-scan: 
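Review bot: The container image is now referenced by the mutable tag `node:20-bullseye` (here and again in the hunks at @@ -120, @@ -146, @@ -166, @@ -268, @@ -322 and @@ -415), so every run pulls whatever that tag currently resolves to and the toolchain can change under the workflow without any diff in this repository. Pin the image by digest, e.g. `image: node:20-bullseye@sha256:<IMAGE_DIGEST>`, and bump it deliberately; the `sonarsource/sonar-scanner-cli:5.0.1.3006` tag at @@ -487 is version-specific but still mutable and benefits from the same treatment. Bullseye is also an older Debian base than the bookworm variant of the same Node line, so if nothing depends on bullseye specifically, the newer base gets security fixes for longer. The job definition this hunk belongs to starts before the hunk.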
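Review bot: The `Install Ansible and linting tools` step now depends on `pip3` already existing in `node:20-bullseye`, since the explicit `apt-get install -y python3 python3-pip` step was removed; the full (non-slim) Node image ships python3 for node-gyp, but I am not certain pip is included, so confirm before merging (the `pip3 install` steps at @@ -166, @@ -268 and @@ -375 make the same assumption). Separately, `pip3 install --no-cache-dir ansible ansible-lint yamllint pyyaml` installs whatever is latest on PyPI at run time, so lint results are not reproducible and a broken or compromised release lands in CI without a reviewable change; pin versions (`ansible==<VERSION>` and so on) or install from a requirements file with `--require-hashes`. The `Install Ansible collections` step continues outside the hunk.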
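Review bot: The new `Install and run Gitleaks` step pipes a release tarball from GitHub straight into `tar -xz -C /usr/local/bin` and executes the result on the next line, with no integrity check on the download; the version is pinned, which helps, but a tampered or truncated archive would still be run against the full history checkout (`fetch-depth: 0`). Pin the archive's SHA-256 alongside the version and verify it before extracting, as sketched below; the Trivy download at @@ -415/@@ -438 has the same gap. Also note that `--exit-code 0` combined with `continue-on-error: true` means a finding can never fail the job — if the scan is meant to be advisory only, say so in a comment on the step so nobody assumes it gates merges.

```yaml
      - name: Install and run Gitleaks
        run: |
          set -euo pipefail
          GITLEAKS_VERSION="8.21.2"
          GITLEAKS_SHA256="<EXPECTED_SHA256_OF_TARBALL>"  # taken from the release's published checksums
          curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
            -o /tmp/gitleaks.tar.gz
          echo "${GITLEAKS_SHA256}  /tmp/gitleaks.tar.gz" | sha256sum -c -
          tar -xz -C /usr/local/bin -f /tmp/gitleaks.tar.gz gitleaks
          gitleaks detect --source . --no-banner --redact --exit-code 0
        continue-on-error: true
```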
@@ -166,75 +155,43 @@ jobs: if: needs.skip-ci-check.outputs.should-skip != '1' runs-on: ubuntu-latest container: - image: aquasec/trivy:latest + image: node:20-bullseye steps: - - name: Install Node.js for checkout action - run: | - apk add --no-cache nodejs npm curl - - name: Check out code uses: actions/checkout@v4 - - name: Show dependency manifests (debug) + - name: Scan npm dependencies run: | - set -e - echo "Repo root:" - ls -la - echo "" - echo "Common dependency manifests:" - ls -la package.json package-lock.json requirements.txt pyproject.toml poetry.lock Pipfile Pipfile.lock 2>/dev/null || true - echo "" - echo "Count of lock/manifests found:" - find . -maxdepth 3 -type f \( \ - -name "package-lock.json" -o \ - -name "pnpm-lock.yaml" -o \ - -name "yarn.lock" -o \ - -name "requirements.txt" -o \ - -name "pyproject.toml" -o \ - -name "poetry.lock" -o \ - -name "Pipfile.lock" \ - \) | wc -l + if [ -f package-lock.json ]; then + npm ci + npm audit --audit-level=high + else + echo "No package-lock.json, skipping npm audit" + fi + continue-on-error: true - - name: Dependency vulnerability scan (Trivy) + - name: Scan Python dependencies run: | - trivy fs \ - --scanners vuln \ - --severity HIGH,CRITICAL \ - --ignore-unfixed \ - --timeout 10m \ - --skip-dirs .git,node_modules \ - --exit-code 0 \ - . - - - name: Secret scan (Trivy) - run: | - trivy fs \ - --scanners secret \ - --timeout 10m \ - --skip-dirs .git,node_modules \ - --exit-code 0 \ - . 
+ if [ -f requirements.txt ]; then + pip3 install --no-cache-dir pip-audit + pip-audit -r requirements.txt + else + echo "No requirements.txt, skipping pip-audit" + fi + continue-on-error: true sast-scan: needs: skip-ci-check if: needs.skip-ci-check.outputs.should-skip != '1' runs-on: ubuntu-latest container: - image: ubuntu:22.04 + image: node:20-bullseye steps: - - name: Install Node.js for checkout action - run: | - apt-get update && apt-get install -y curl - curl -fsSL https://deb.nodesource.com/setup_20.x | bash - - apt-get install -y nodejs - - name: Check out code uses: actions/checkout@v4 - name: Install Semgrep - run: | - apt-get update && apt-get install -y python3 python3-pip - pip3 install semgrep + run: pip3 install --no-cache-dir semgrep - name: Run Semgrep scan run: semgrep --config=auto --error @@ -268,21 +225,11 @@ jobs: if: needs.skip-ci-check.outputs.should-skip != '1' runs-on: ubuntu-latest container: - image: ubuntu:22.04 + image: node:20-bullseye steps: - - name: Install Node.js for checkout action - run: | - apt-get update && apt-get install -y curl - curl -fsSL https://deb.nodesource.com/setup_20.x | bash - - apt-get install -y nodejs - - name: Check out code uses: actions/checkout@v4 - - name: Install Python and dependencies - run: | - apt-get update && apt-get install -y python3 python3-pip - - name: Install Ansible run: pip3 install --no-cache-dir ansible @@ -322,14 +269,8 @@ jobs: if: needs.skip-ci-check.outputs.should-skip != '1' runs-on: ubuntu-latest container: - image: ubuntu:22.04 + image: node:20-bullseye steps: - - name: Install Node.js for checkout action - run: | - apt-get update && apt-get install -y curl - curl -fsSL https://deb.nodesource.com/setup_20.x | bash - - apt-get install -y nodejs - - name: Check out code uses: actions/checkout@v4 
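Review bot: In the new `Scan npm dependencies` step, `npm ci` runs every dependency's install and postinstall lifecycle scripts before `npm audit` inspects anything, so the scan job executes arbitrary code from whatever `package-lock.json` is in the checkout; this job's `if:` does not restrict it to pull requests or master the way the job at @@ -85 does. Use `npm ci --ignore-scripts` (audit only needs the resolved tree), or drop the install if the npm version in the image audits from the lockfile alone. Both new steps also carry `continue-on-error: true`, so `--audit-level=high` and a failing `pip-audit` never fail the job, and the replaced Trivy step scanned manifests (pnpm, yarn, poetry, Pipfile) that the new steps do not look at — if any of those exist in the repository, coverage has shrunk. The hunk also covers the sast-scan job's `Install Semgrep` change; the rest of that job continues outside it.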
@@ -375,10 +316,6 @@ jobs: echo "ANSIBLE_CONFIG=/tmp/ci-ansible.cfg" >> "$GITHUB_ENV" echo "ANSIBLE_INVENTORY=/tmp/ci-inventory.ini" >> "$GITHUB_ENV" - - name: Install Python and dependencies - run: | - apt-get update && apt-get install -y python3 python3-pip - - name: Install Ansible run: pip3 install --no-cache-dir ansible @@ -415,22 +352,14 @@ jobs: if: needs.skip-ci-check.outputs.should-skip != '1' runs-on: ubuntu-latest container: - image: ubuntu:22.04 + image: node:20-bullseye steps: - - name: Install Node.js for checkout action - run: | - apt-get update && apt-get install -y curl - curl -fsSL https://deb.nodesource.com/setup_20.x | bash - - apt-get install -y nodejs - - name: Check out code uses: actions/checkout@v4 - name: Install Trivy run: | set -e - apt-get update && apt-get install -y wget curl tar - # Use a fixed, known-good Trivy version to avoid URL/redirect issues TRIVY_VERSION="0.58.2" TRIVY_URL="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" @@ -438,7 +367,7 @@ jobs: echo "Installing Trivy version: ${TRIVY_VERSION}" echo "Downloading from: ${TRIVY_URL}" - if ! wget --progress=bar:force "${TRIVY_URL}" -O /tmp/trivy.tar.gz 2>&1; then + if ! curl -fsSL "${TRIVY_URL}" -o /tmp/trivy.tar.gz; then echo "❌ Failed to download Trivy archive" echo "Checking if file was partially downloaded:" ls -lh /tmp/trivy.tar.gz 2>/dev/null || echo "No file found" 
@@ -487,99 +416,17 @@ jobs: if: needs.skip-ci-check.outputs.should-skip != '1' && (github.event_name == 'pull_request' || github.ref == 'refs/heads/master') runs-on: ubuntu-latest container: - image: ubuntu:22.04 + image: sonarsource/sonar-scanner-cli:5.0.1.3006 env: SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} steps: - name: Install Node.js for checkout action - run: | - apt-get update && apt-get install -y curl - curl -fsSL https://deb.nodesource.com/setup_20.x | bash - - apt-get install -y nodejs + run: apk add --no-cache nodejs npm curl - name: Check out code uses: actions/checkout@v4 - - name: Install Java and SonarScanner - run: | - set -e - apt-get update && apt-get install -y wget curl unzip openjdk-21-jre - - # Use a known working version to avoid download issues - SONAR_SCANNER_VERSION="5.0.1.3006" - SCANNER_URL="https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux.zip" - - echo "Installing SonarScanner version: ${SONAR_SCANNER_VERSION}" - echo "Downloading from: ${SCANNER_URL}" - - # Download with verbose error output - if ! wget --progress=bar:force "${SCANNER_URL}" -O /tmp/sonar-scanner.zip 2>&1; then - echo "❌ Failed to download SonarScanner" - echo "Checking if file was partially downloaded:" - ls -lh /tmp/sonar-scanner.zip 2>/dev/null || echo "No file found" - exit 1 - fi - - # Verify download - if [ ! -f /tmp/sonar-scanner.zip ] || [ ! -s /tmp/sonar-scanner.zip ]; then - echo "❌ Downloaded file is missing or empty" - exit 1 - fi - - echo "Download complete. File size: $(du -h /tmp/sonar-scanner.zip | cut -f1)" - - echo "Extracting SonarScanner..." - if ! 
unzip -q /tmp/sonar-scanner.zip -d /tmp; then - echo "❌ Failed to extract SonarScanner" - echo "Archive info:" - file /tmp/sonar-scanner.zip || true - unzip -l /tmp/sonar-scanner.zip 2>&1 | head -20 || true - exit 1 - fi - - # Find the extracted directory (handle both naming conventions) - EXTRACTED_DIR="" - if [ -d "/tmp/sonar-scanner-${SONAR_SCANNER_VERSION}-linux" ]; then - EXTRACTED_DIR="/tmp/sonar-scanner-${SONAR_SCANNER_VERSION}-linux" - elif [ -d "/tmp/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux" ]; then - EXTRACTED_DIR="/tmp/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux" - else - # Try to find any sonar-scanner directory - EXTRACTED_DIR=$(find /tmp -maxdepth 1 -type d -name "*sonar-scanner*" | head -1) - fi - - if [ -z "$EXTRACTED_DIR" ] || [ ! -d "$EXTRACTED_DIR" ]; then - echo "❌ SonarScanner directory not found after extraction" - echo "Contents of /tmp:" - ls -la /tmp/ | grep -E "(sonar|zip)" || ls -la /tmp/ | head -20 - exit 1 - fi - - echo "Found extracted directory: ${EXTRACTED_DIR}" - mv "${EXTRACTED_DIR}" /opt/sonar-scanner - - # Create symlink - if [ -f /opt/sonar-scanner/bin/sonar-scanner ]; then - ln -sf /opt/sonar-scanner/bin/sonar-scanner /usr/local/bin/sonar-scanner - chmod +x /opt/sonar-scanner/bin/sonar-scanner - chmod +x /usr/local/bin/sonar-scanner - else - echo "❌ sonar-scanner binary not found in /opt/sonar-scanner/bin/" - echo "Contents of /opt/sonar-scanner/bin/:" - ls -la /opt/sonar-scanner/bin/ || true - exit 1 - fi - - echo "Verifying installation..." - if ! sonar-scanner --version; then - echo "❌ SonarScanner verification failed" - echo "PATH: $PATH" - which sonar-scanner || echo "sonar-scanner not in PATH" - exit 1 - fi - echo "✓ SonarScanner installed successfully" - - name: Verify SonarQube connection run: | echo "Checking SonarQube connectivity..." diff --git a/inventories/production/hosts b/inventories/production/hosts index 0e99df8..e95619a 100644 --- a/inventories/production/hosts +++ b/inventories/production/hosts 
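Review bot: The `Install Node.js for checkout action` step now runs `apk add --no-cache nodejs npm curl` inside `sonarsource/sonar-scanner-cli:5.0.1.3006`; as far as I recall that image switches to an unprivileged user in its Dockerfile, in which case `apk add` fails with a database-lock permission error before `actions/checkout@v4` ever runs — please confirm, and if so add `options: --user root` under `container:` or drop the step if the image already bundles the Node runtime. The Node version Alpine's repository provides depends on the Alpine release behind that tag, and checkout@v4 needs Node 20, so verify that as well. Not new in this hunk but worth noting: `SONAR_TOKEN` is job-level `env:` and is therefore exposed to the `apk add` and checkout steps too; moving it to a step-level `env:` on the scanner step narrows its exposure. The job continues outside the hunk with the `Verify SonarQube connection` step.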
@@ -28,12 +28,12 @@ tailscaleVM ansible_host=100.66.218.53 ansible_user=ladmin
 [services]
 caddy ansible_host=10.0.10.50 ansible_user=root
 jellyfin ansible_host=10.0.10.232 ansible_user=root
-listmonk ansible_host=10.0.10.149 ansible_user=root
+listmonk ansible_host=10.0.10.148 ansible_user=root
 nextcloud ansible_host=10.0.10.25 ansible_user=root
 actual ansible_host=10.0.10.158 ansible_user=root
 vikanjans ansible_host=10.0.10.159 ansible_user=root
 n8n ansible_host=10.0.10.154 ansible_user=root
-giteaVM ansible_host=10.0.30.169 ansible_user=root
+giteaVM ansible_host=10.0.10.169 ansible_user=root
 portainerVM ansible_host=10.0.30.69 ansible_user=ladmin
 homepageVM ansible_host=10.0.30.12 ansible_user=homepage
 vaultwardenVM ansible_host=10.0.10.142 ansible_user=ladmin
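Review bot: The `giteaVM` line moves the host from the 10.0.30.x range to 10.0.10.x rather than correcting a single octet as the `listmonk` line does, and nothing in the diff records why; if the VM was re-addressed or now sits in a different network segment, a comment such as `# giteaVM re-addressed to 10.0.10.169 on <DATE>, see <TICKET>` above the line would keep the next reader from "fixing" it back. Both changed hosts log in as `ansible_user=root`, so any saved host-key entries for the old addresses will need refreshing on the control node — presumably handled elsewhere, but worth a mention in the commit message.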