ilia/ansible
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix production inventory IPs for listmonk and giteaVM. #7

Merged
ilia merged 3 commits from fix/inventory-host-ips into master 2026-05-20 15:11:32 -05:00
Conversation 0 Commits 3 Files Changed 2 +35 -188
2 changed files with 35 additions and 188 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

219
.gitea/workflows/ci.yml
View File

@ -85,14 +85,8 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: needs.skip-ci-check.outputs.should-skip != '1' && (github.event_name == 'pull_request' || github.ref == 'refs/heads/master') if: needs.skip-ci-check.outputs.should-skip != '1' && (github.event_name == 'pull_request' || github.ref == 'refs/heads/master')
container: container:
image: ubuntu:22.04 image: node:20-bullseye
steps: steps:
- name: Install Node.js for checkout action
run: |
apt-get update && apt-get install -y curl git
curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
apt-get install -y nodejs
- name: Check out code - name: Check out code
uses: actions/checkout@v4 uses: actions/checkout@v4
@ -120,12 +114,8 @@ jobs:
echo "ANSIBLE_CONFIG=/tmp/ci-ansible.cfg" >> "$GITHUB_ENV" echo "ANSIBLE_CONFIG=/tmp/ci-ansible.cfg" >> "$GITHUB_ENV"
echo "ANSIBLE_INVENTORY=/tmp/ci-inventory.ini" >> "$GITHUB_ENV" echo "ANSIBLE_INVENTORY=/tmp/ci-inventory.ini" >> "$GITHUB_ENV"
- name: Install Python and dependencies
run: |
apt-get update && apt-get install -y python3 python3-pip
- name: Install Ansible and linting tools - name: Install Ansible and linting tools
run: pip3 install --no-cache-dir ansible ansible-lint yamllint run: pip3 install --no-cache-dir ansible ansible-lint yamllint pyyaml
- name: Install Ansible collections - name: Install Ansible collections
run: | run: |
@ -146,19 +136,18 @@ jobs:
if: needs.skip-ci-check.outputs.should-skip != '1' if: needs.skip-ci-check.outputs.should-skip != '1'
runs-on: ubuntu-latest runs-on: ubuntu-latest
container: container:
image: zricethezav/gitleaks:latest image: node:20-bullseye
steps: steps:
- name: Install Node.js for checkout action
run: |
apk add --no-cache nodejs npm curl
- name: Check out code - name: Check out code
uses: actions/checkout@v4 uses: actions/checkout@v4
with: with:
fetch-depth: 0 fetch-depth: 0
- name: Scan for secrets - name: Install and run Gitleaks
run: gitleaks detect --source . --no-banner --redact --exit-code 0 run: |
curl -sSfL https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz \
| tar -xz -C /usr/local/bin gitleaks
gitleaks detect --source . --no-banner --redact --exit-code 0
continue-on-error: true continue-on-error: true
dependency-scan: dependency-scan:
@ -166,75 +155,43 @@ jobs:
if: needs.skip-ci-check.outputs.should-skip != '1' if: needs.skip-ci-check.outputs.should-skip != '1'
runs-on: ubuntu-latest runs-on: ubuntu-latest
container: container:
image: aquasec/trivy:latest image: node:20-bullseye
steps: steps:
- name: Install Node.js for checkout action
run: |
apk add --no-cache nodejs npm curl
- name: Check out code - name: Check out code
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Show dependency manifests (debug) - name: Scan npm dependencies
run: | run: |
set -e if [ -f package-lock.json ]; then
echo "Repo root:" npm ci
ls -la npm audit --audit-level=high
echo "" else
echo "Common dependency manifests:" echo "No package-lock.json, skipping npm audit"
ls -la package.json package-lock.json requirements.txt pyproject.toml poetry.lock Pipfile Pipfile.lock 2>/dev/null || true fi
echo "" continue-on-error: true
echo "Count of lock/manifests found:"
find . -maxdepth 3 -type f \( \
-name "package-lock.json" -o \
-name "pnpm-lock.yaml" -o \
-name "yarn.lock" -o \
-name "requirements.txt" -o \
-name "pyproject.toml" -o \
-name "poetry.lock" -o \
-name "Pipfile.lock" \
\) | wc -l
- name: Dependency vulnerability scan (Trivy) - name: Scan Python dependencies
run: | run: |
trivy fs \ if [ -f requirements.txt ]; then
--scanners vuln \ pip3 install --no-cache-dir pip-audit
--severity HIGH,CRITICAL \ pip-audit -r requirements.txt
--ignore-unfixed \ else
--timeout 10m \ echo "No requirements.txt, skipping pip-audit"
--skip-dirs .git,node_modules \ fi
--exit-code 0 \ continue-on-error: true
.
- name: Secret scan (Trivy)
run: |
trivy fs \
--scanners secret \
--timeout 10m \
--skip-dirs .git,node_modules \
--exit-code 0 \
.
sast-scan: sast-scan:
needs: skip-ci-check needs: skip-ci-check
if: needs.skip-ci-check.outputs.should-skip != '1' if: needs.skip-ci-check.outputs.should-skip != '1'
runs-on: ubuntu-latest runs-on: ubuntu-latest
container: container:
image: ubuntu:22.04 image: node:20-bullseye
steps: steps:
- name: Install Node.js for checkout action
run: |
apt-get update && apt-get install -y curl
curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
apt-get install -y nodejs
- name: Check out code - name: Check out code
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Install Semgrep - name: Install Semgrep
run: | run: pip3 install --no-cache-dir semgrep
apt-get update && apt-get install -y python3 python3-pip
pip3 install semgrep
- name: Run Semgrep scan - name: Run Semgrep scan
run: semgrep --config=auto --error run: semgrep --config=auto --error
@ -268,21 +225,11 @@ jobs:
if: needs.skip-ci-check.outputs.should-skip != '1' if: needs.skip-ci-check.outputs.should-skip != '1'
runs-on: ubuntu-latest runs-on: ubuntu-latest
container: container:
image: ubuntu:22.04 image: node:20-bullseye
steps: steps:
- name: Install Node.js for checkout action
run: |
apt-get update && apt-get install -y curl
curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
apt-get install -y nodejs
- name: Check out code - name: Check out code
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Install Python and dependencies
run: |
apt-get update && apt-get install -y python3 python3-pip
- name: Install Ansible - name: Install Ansible
run: pip3 install --no-cache-dir ansible run: pip3 install --no-cache-dir ansible
@ -322,14 +269,8 @@ jobs:
if: needs.skip-ci-check.outputs.should-skip != '1' if: needs.skip-ci-check.outputs.should-skip != '1'
runs-on: ubuntu-latest runs-on: ubuntu-latest
container: container:
image: ubuntu:22.04 image: node:20-bullseye
steps: steps:
- name: Install Node.js for checkout action
run: |
apt-get update && apt-get install -y curl
curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
apt-get install -y nodejs
- name: Check out code - name: Check out code
uses: actions/checkout@v4 uses: actions/checkout@v4
@ -375,10 +316,6 @@ jobs:
echo "ANSIBLE_CONFIG=/tmp/ci-ansible.cfg" >> "$GITHUB_ENV" echo "ANSIBLE_CONFIG=/tmp/ci-ansible.cfg" >> "$GITHUB_ENV"
echo "ANSIBLE_INVENTORY=/tmp/ci-inventory.ini" >> "$GITHUB_ENV" echo "ANSIBLE_INVENTORY=/tmp/ci-inventory.ini" >> "$GITHUB_ENV"
- name: Install Python and dependencies
run: |
apt-get update && apt-get install -y python3 python3-pip
- name: Install Ansible - name: Install Ansible
run: pip3 install --no-cache-dir ansible run: pip3 install --no-cache-dir ansible
@ -415,22 +352,14 @@ jobs:
if: needs.skip-ci-check.outputs.should-skip != '1' if: needs.skip-ci-check.outputs.should-skip != '1'
runs-on: ubuntu-latest runs-on: ubuntu-latest
container: container:
image: ubuntu:22.04 image: node:20-bullseye
steps: steps:
- name: Install Node.js for checkout action
run: |
apt-get update && apt-get install -y curl
curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
apt-get install -y nodejs
- name: Check out code - name: Check out code
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Install Trivy - name: Install Trivy
run: | run: |
set -e set -e
apt-get update && apt-get install -y wget curl tar
# Use a fixed, known-good Trivy version to avoid URL/redirect issues # Use a fixed, known-good Trivy version to avoid URL/redirect issues
TRIVY_VERSION="0.58.2" TRIVY_VERSION="0.58.2"
TRIVY_URL="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" TRIVY_URL="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
@ -438,7 +367,7 @@ jobs:
echo "Installing Trivy version: ${TRIVY_VERSION}" echo "Installing Trivy version: ${TRIVY_VERSION}"
echo "Downloading from: ${TRIVY_URL}" echo "Downloading from: ${TRIVY_URL}"
if ! wget --progress=bar:force "${TRIVY_URL}" -O /tmp/trivy.tar.gz 2>&1; then if ! curl -fsSL "${TRIVY_URL}" -o /tmp/trivy.tar.gz; then
echo "❌ Failed to download Trivy archive" echo "❌ Failed to download Trivy archive"
echo "Checking if file was partially downloaded:" echo "Checking if file was partially downloaded:"
ls -lh /tmp/trivy.tar.gz 2>/dev/null || echo "No file found" ls -lh /tmp/trivy.tar.gz 2>/dev/null || echo "No file found"
@ -487,99 +416,17 @@ jobs:
if: needs.skip-ci-check.outputs.should-skip != '1' && (github.event_name == 'pull_request' || github.ref == 'refs/heads/master') if: needs.skip-ci-check.outputs.should-skip != '1' && (github.event_name == 'pull_request' || github.ref == 'refs/heads/master')
runs-on: ubuntu-latest runs-on: ubuntu-latest
container: container:
image: ubuntu:22.04 image: sonarsource/sonar-scanner-cli:5.0.1.3006
env: env:
SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
steps: steps:
- name: Install Node.js for checkout action - name: Install Node.js for checkout action
run: | run: apk add --no-cache nodejs npm curl
apt-get update && apt-get install -y curl
curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
apt-get install -y nodejs
- name: Check out code - name: Check out code
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Install Java and SonarScanner
run: |
set -e
apt-get update && apt-get install -y wget curl unzip openjdk-21-jre
# Use a known working version to avoid download issues
SONAR_SCANNER_VERSION="5.0.1.3006"
SCANNER_URL="https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux.zip"
echo "Installing SonarScanner version: ${SONAR_SCANNER_VERSION}"
echo "Downloading from: ${SCANNER_URL}"
# Download with verbose error output
if ! wget --progress=bar:force "${SCANNER_URL}" -O /tmp/sonar-scanner.zip 2>&1; then
echo "❌ Failed to download SonarScanner"
echo "Checking if file was partially downloaded:"
ls -lh /tmp/sonar-scanner.zip 2>/dev/null || echo "No file found"
exit 1
fi
# Verify download
if [ ! -f /tmp/sonar-scanner.zip ] || [ ! -s /tmp/sonar-scanner.zip ]; then
echo "❌ Downloaded file is missing or empty"
exit 1
fi
echo "Download complete. File size: $(du -h /tmp/sonar-scanner.zip | cut -f1)"
echo "Extracting SonarScanner..."
if ! unzip -q /tmp/sonar-scanner.zip -d /tmp; then
echo "❌ Failed to extract SonarScanner"
echo "Archive info:"
file /tmp/sonar-scanner.zip || true
unzip -l /tmp/sonar-scanner.zip 2>&1 | head -20 || true
exit 1
fi
# Find the extracted directory (handle both naming conventions)
EXTRACTED_DIR=""
if [ -d "/tmp/sonar-scanner-${SONAR_SCANNER_VERSION}-linux" ]; then
EXTRACTED_DIR="/tmp/sonar-scanner-${SONAR_SCANNER_VERSION}-linux"
elif [ -d "/tmp/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux" ]; then
EXTRACTED_DIR="/tmp/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux"
else
# Try to find any sonar-scanner directory
EXTRACTED_DIR=$(find /tmp -maxdepth 1 -type d -name "*sonar-scanner*" | head -1)
fi
if [ -z "$EXTRACTED_DIR" ] || [ ! -d "$EXTRACTED_DIR" ]; then
echo "❌ SonarScanner directory not found after extraction"
echo "Contents of /tmp:"
ls -la /tmp/ | grep -E "(sonar|zip)" || ls -la /tmp/ | head -20
exit 1
fi
echo "Found extracted directory: ${EXTRACTED_DIR}"
mv "${EXTRACTED_DIR}" /opt/sonar-scanner
# Create symlink
if [ -f /opt/sonar-scanner/bin/sonar-scanner ]; then
ln -sf /opt/sonar-scanner/bin/sonar-scanner /usr/local/bin/sonar-scanner
chmod +x /opt/sonar-scanner/bin/sonar-scanner
chmod +x /usr/local/bin/sonar-scanner
else
echo "❌ sonar-scanner binary not found in /opt/sonar-scanner/bin/"
echo "Contents of /opt/sonar-scanner/bin/:"
ls -la /opt/sonar-scanner/bin/ || true
exit 1
fi
echo "Verifying installation..."
if ! sonar-scanner --version; then
echo "❌ SonarScanner verification failed"
echo "PATH: $PATH"
which sonar-scanner || echo "sonar-scanner not in PATH"
exit 1
fi
echo "✓ SonarScanner installed successfully"
- name: Verify SonarQube connection - name: Verify SonarQube connection
run: | run: |
echo "Checking SonarQube connectivity..." echo "Checking SonarQube connectivity..."

4
inventories/production/hosts
View File

@ -28,12 +28,12 @@ tailscaleVM ansible_host=100.66.218.53 ansible_user=ladmin
[services] [services]
caddy ansible_host=10.0.10.50 ansible_user=root caddy ansible_host=10.0.10.50 ansible_user=root
jellyfin ansible_host=10.0.10.232 ansible_user=root jellyfin ansible_host=10.0.10.232 ansible_user=root
listmonk ansible_host=10.0.10.149 ansible_user=root listmonk ansible_host=10.0.10.148 ansible_user=root
nextcloud ansible_host=10.0.10.25 ansible_user=root nextcloud ansible_host=10.0.10.25 ansible_user=root
actual ansible_host=10.0.10.158 ansible_user=root actual ansible_host=10.0.10.158 ansible_user=root
vikanjans ansible_host=10.0.10.159 ansible_user=root vikanjans ansible_host=10.0.10.159 ansible_user=root
n8n ansible_host=10.0.10.154 ansible_user=root n8n ansible_host=10.0.10.154 ansible_user=root
giteaVM ansible_host=10.0.30.169 ansible_user=root giteaVM ansible_host=10.0.10.169 ansible_user=root
portainerVM ansible_host=10.0.30.69 ansible_user=ladmin portainerVM ansible_host=10.0.30.69 ansible_user=ladmin
homepageVM ansible_host=10.0.30.12 ansible_user=homepage homepageVM ansible_host=10.0.30.12 ansible_user=homepage
vaultwardenVM ansible_host=10.0.10.142 ansible_user=ladmin vaultwardenVM ansible_host=10.0.10.142 ansible_user=ladmin