infra/roles/app_deployer/tasks/main.yml
Add app deployer role for automated deployments
- Systemd service and timer for deployment orchestration
- Webhook listener for Git-triggered deployments
- Forgejo Actions workflow for CI/CD pipeline
- Deployment scripts with rollback capability
- Deploy token validation for security

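---
# Role to provision deployment infrastructure on the web host.
# The host receives deploy webhooks (adnanh/webhook) and runs ansible
# locally through a single sudo-permitted entry point,
# /opt/deploy/scripts/deploy.sh.
#
# Trust boundary: the sudoers rule at the bottom of this file lets the
# unprivileged `deploy` user run deploy.sh as root without a password.
# Therefore deploy.sh, the playbooks it runs, and EVERY directory on the
# path to them must be owned by root and not writable by `deploy`;
# otherwise whoever controls the webhook process (it owns hooks.json, so it
# presumably runs as `deploy` — confirm in webhook.service) could replace
# the script or a parent directory and obtain root.  The deploy user only
# needs read/execute on these files; its only writable location is
# /opt/artifacts.

- name: Ensure deploy user exists
  user:
    name: deploy
    system: true
    create_home: true
    home: /opt/deploy
    shell: /bin/bash
    state: present

# The home directory is on the sudo command path, so it is re-owned to root
# after creation (the user module only creates it, it does not chown an
# existing one).  `deploy` can still traverse it but cannot rename or
# replace anything directly under it.
- name: Ensure deploy home is root-owned and not writable by deploy
  file:
    path: /opt/deploy
    state: directory
    owner: root
    group: root
    mode: '0755'

# The only place the deploy user may write to (incoming build artifacts).
- name: Ensure artifacts directory exists
  file:
    path: /opt/artifacts
    state: directory
    owner: deploy
    group: deploy
    mode: '0755'

- name: Ensure deploy scripts directory exists (root-owned)
  file:
    path: /opt/deploy/scripts
    state: directory
    owner: root
    group: root
    mode: '0755'

# Readable only by the deploy user; no_log keeps the password out of task
# output and logs.  Skipped entirely when no vault password is provided.
- name: Ensure vault password file exists (for ansible)
  copy:
    dest: /opt/deploy/.vault_pass
    content: "{{ vault_password }}"
    owner: deploy
    group: deploy
    mode: '0600'
  no_log: true
  when: vault_password is defined

# Playbooks and templates are executed as root by deploy.sh, so they get the
# same root-owned, read-only-for-deploy treatment as the script itself.
- name: Ensure deploy playbooks directory exists (root-owned)
  file:
    path: /opt/deploy/playbooks
    state: directory
    owner: root
    group: root
    mode: '0755'

- name: Deploy deploy-app.yml playbook
  copy:
    src: deploy-app.yml
    dest: /opt/deploy/playbooks/deploy-app.yml
    owner: root
    group: root
    mode: '0644'

- name: Ensure deploy templates directory exists (root-owned)
  file:
    path: /opt/deploy/playbooks/templates
    state: directory
    owner: root
    group: root
    mode: '0755'

- name: Deploy app.service.j2 template
  copy:
    src: app.service.j2
    dest: /opt/deploy/playbooks/templates/app.service.j2
    owner: root
    group: root
    mode: '0644'

# Supply chain: the webhook binary is fetched from GitHub, so the release
# must be pinned by both version and checksum.  Previously the checksum was
# silently omitted when undefined or shorter than 8 characters; an
# unverified download is now a hard failure.  webhook_checksum uses get_url
# syntax, e.g. "sha256:<64 hex chars>".
- name: Refuse to install webhook without a pinned version and checksum
  assert:
    that:
      - webhook_version is defined
      - webhook_checksum is defined
      - webhook_checksum | length > 7
    fail_msg: >-
      webhook_version and webhook_checksum (e.g. 'sha256:<hex>') must be set;
      unverified webhook downloads are not allowed.

- name: Install webhook binary
  block:
    # A private, unpredictable staging directory instead of a fixed file
    # name in the shared /tmp, so another local user cannot pre-create or
    # race the archive path between download and extraction.
    - name: Create private staging directory for the webhook download
      tempfile:
        state: directory
        suffix: .webhook
      register: webhook_stage

    - name: Download webhook release archive
      get_url:
        url: "https://github.com/adnanh/webhook/releases/download/{{ webhook_version }}/webhook-linux-amd64.tar.gz"
        dest: "{{ webhook_stage.path }}/webhook-linux-amd64.tar.gz"
        mode: '0644'
        checksum: "{{ webhook_checksum }}"

    # Only the single binary is extracted (not whatever else the archive
    # may contain), straight into /usr/local/bin as root-owned 0755.
    - name: Extract webhook binary
      unarchive:
        src: "{{ webhook_stage.path }}/webhook-linux-amd64.tar.gz"
        dest: /usr/local/bin
        remote_src: true
        extra_opts:
          - "--strip-components=1"
        include:
          - "webhook-linux-amd64/webhook"
        mode: '0755'
        owner: root
        group: root
      notify: restart webhook
  always:
    # Remove the staging directory even if download or extraction failed.
    - name: Cleanup webhook staging directory
      file:
        path: "{{ webhook_stage.path }}"
        state: absent
      when: webhook_stage.path is defined

# Executed as root via sudo (see the sudoers task below): root-owned,
# executable by deploy, writable by nobody else.  Arguments passed by the
# webhook are untrusted and must be validated inside the script.
- name: Deploy deploy.sh script
  template:
    src: deploy.sh.j2
    dest: /opt/deploy/scripts/deploy.sh
    owner: root
    group: root
    mode: '0755'

- name: Deploy rollback script
  copy:
    src: rollback.sh
    dest: /opt/deploy/scripts/rollback.sh
    owner: root
    group: root
    mode: '0755'

# Templated, so it may embed the expected deploy token: not world-readable.
# Assumes the validator is invoked as the `deploy` user (group deploy) —
# confirm against hooks.json.j2 / webhook.service.
- name: Deploy token validation script
  template:
    src: validate-deploy-token.sh.j2
    dest: /opt/deploy/scripts/validate-deploy-token.sh
    owner: root
    group: deploy
    mode: '0750'

# Hook definitions: readable by the deploy user, not modifiable by it, so a
# compromised webhook process cannot rewrite its own hook configuration.
# Assumes webhook.service runs as `deploy` — confirm there.
- name: Deploy hooks.json
  template:
    src: hooks.json.j2
    dest: /opt/deploy/hooks.json
    owner: root
    group: deploy
    mode: '0640'
  notify: restart webhook

# Single privileged entry point.  (root) rather than (ALL): deploy may only
# become root, not arbitrary other accounts.  The trailing "*" permits any
# arguments, so deploy.sh must treat its arguments as untrusted input.
# This rule is only safe because the script and all of its parent
# directories are root-owned above.  visudo -c rejects a broken file
# before it is installed.
- name: Configure sudoers for deploy user (restrict to deploy script)
  copy:
    content: |
      # Managed by ansible (app_deployer). Allow deploy to run only deploy.sh as root.
      deploy ALL=(root) NOPASSWD: /opt/deploy/scripts/deploy.sh *
    dest: /etc/sudoers.d/deploy
    owner: root
    group: root
    mode: '0440'
    validate: 'visudo -cf %s'

- name: Deploy webhook systemd service
  copy:
    src: webhook.service
    dest: /etc/systemd/system/webhook.service
    owner: root
    group: root
    mode: '0644'
  notify:
    - reload systemd
    - restart webhook

- name: Enable and start webhook service
  systemd:
    name: webhook
    enabled: true
    state: started
    daemon_reload: true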