From 1a3d04c23564c3112a19bbe6850a7d834dfdc5e4 Mon Sep 17 00:00:00 2001 From: L3D Date: Wed, 20 Mar 2024 15:33:53 +0100 Subject: [PATCH] Download and copy forgejo binary --- defaults/main.yml | 11 +++--- tasks/create_user.yml | 16 ++++----- tasks/install_runner.yml | 69 ++++++++++++++++++++++++++++++++++++ tasks/main.yml | 10 +++++- tasks/set_runner_version.yml | 46 ++++++++++++++++++++++++ vars/main.yml | 14 +++++++- 6 files changed, 152 insertions(+), 14 deletions(-) create mode 100644 tasks/install_runner.yml create mode 100644 tasks/set_runner_version.yml diff --git a/defaults/main.yml b/defaults/main.yml index 7e771dd..2fbbb24 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,8 +1,11 @@ --- -forgeo_runner__user: 'forgeo_runner' -forgeo_runner__group: 'forgeo_runner' -# forgeo_runner__groups -forgeo_runner__user_home: '/var/lib/forgeo-runner' +forgejo_runner__version: 'latest' +forgejo_runner__user: 'forgejo_runner' +forgejo_runner__group: 'forgejo_runner' +# forgejo_runner__groups +forgejo_runner__user_home: '/var/lib/forgejo-runner' +forgejo_runner__full_executable_path: '/usr/local/bin/forgejo_runner' +forgejo_runner__gpg_id: 'EB114F5E6C0DC2BCDD183550A4B61A2DC5923710' # should we do a version check? (recomended) submodules_versioncheck: false diff --git a/tasks/create_user.yml b/tasks/create_user.yml index 236452b..6e22cab 100644 --- a/tasks/create_user.yml +++ b/tasks/create_user.yml 
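Review bot: `forgejo_runner__gpg_id` in defaults/main.yml is the trust anchor for the downloaded binary, but the new default carries no comment saying whose key it is or where the fingerprint was checked. A line above it such as `# full fingerprint of the key expected to sign forgejo-runner releases; verified against <SOURCE OF FINGERPRINT>` would let a later reader re-validate the value before changing it. The default `forgejo_runner__version: 'latest'` means any run may install a newer release than the previous one, so a short comment recommending a pinned version for reproducible hosts would also help.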
@@ -1,18 +1,18 @@ --- -- name: "Create Forgeo runner Group" +- name: "Create Forgejo runner Group" become: true ansible.builtin.group: - name: "{{ forgeo_runner__group }}" + name: "{{ forgejo_runner__group }}" system: true state: "present" -- name: "Create Forgeo runner user" +- name: "Create Forgejo runner user" become: true ansible.builtin.user: - name: "{{ forgeo_runner__user }}" - comment: "Forgeo runner user" - group: "{{ forgeo_runner__group }}" - groups: "{{ forgeo_runner__groups | default(omit) }}" - home: "{{ forgeo_runner__user_home }}" + name: "{{ forgejo_runner__user }}" + comment: "Forgejo runner user" + group: "{{ forgejo_runner__group }}" + groups: "{{ forgejo_runner__groups | default(omit) }}" + home: "{{ forgejo_runner__user_home }}" shell: '/usr/sbin/nologin' system: true diff --git a/tasks/install_runner.yml b/tasks/install_runner.yml new file mode 100644 index 0000000..7733398 --- /dev/null +++ b/tasks/install_runner.yml 
@@ -0,0 +1,69 @@
+---
+- name: Install forgejo block
+ when: (not ansible_check_mode and (forgejo_runner__active_version.stdout[1:] != forgejo_runner__version_target))
+ become: true
+ block:
+ - name: Info what we do
+ ansible.builtin.debug:
+ msg: "Updating forgejo Runner {{ forgejo_runner__active_version.stdout[1:] }} to {{ forgejo_runner__version_target }}"
+ verbosity: 1
+
+ - name: Create temporary folder
+ ansible.builtin.tempfile:
+ state: directory
+ suffix: _runner
+ register: _runner_tmp
+
+ - name: Download forgejo-runner binary
+ get_url:
+ url: "{{ forgejo_runner__dl_url }}/{{ forgejo_runner__filename }}"
+ dest: "{{ _runner_tmp.path }}/{{ forgejo_runner__filename }}"
+ mode: "0755"
+ owner: "{{ forgejo_runner__user }}"
+ group: "{{ forgejo_runner__group }}"
+
+ - name: Download forgejo-runner.asc file
+ get_url:
+ url: "{{ forgejo_runner__dl_url }}/{{ forgejo_runner__filename }}.asc"
+ dest: "{{ _runner_tmp.path }}/{{ forgejo_runner__filename }}.asc"
+ mode: "0644"
+ owner: "{{ forgejo_runner__user }}"
+ group: "{{ forgejo_runner__group }}"
+
+ - name: Check forgejo runner gpg key
+ ansible.builtin.command: "gpg --list-keys 0x{{ forgejo_runner__gpg_id }}"
+ register: _forgejo_runner_gpg_key_status
+ changed_when: false
+ become: false
+ failed_when: _forgejo_runner_gpg_key_status.rc not in (0, 2)
+
+ - name: Print gpg key status on verbosity # noqa: H500
+ ansible.builtin.debug:
+ msg: "{{ _forgejo_runner_gpg_key_status.stdout }}"
+ verbosity: 1
+
+ - name: Import forgejo gpg key
+ ansible.builtin.command: "gpg --keyserver keys.openpgp.org --recv {{ forgejo_runner__gpg_id }}"
+ register: _forgejo_runner_import_key
+ changed_when: '"imported: 1" in _forgejo_runner_import_key.stderr'
+ when: '_forgejo_runner_gpg_key_status.rc != 0 or "expired" in _forgejo_runner_gpg_key_status.stdout'
+
+ - name: Check archive signature
+ ansible.builtin.command: "gpg --verify {{ _runner_tmp.path }}/{{ forgejo_runner__filename }}.asc {{ _runner_tmp.path }}/{{
forgejo_runner__filename }}"
+ changed_when: false
+ register: _runner_signature
+
+ - name: Copy verifyed forgejo runner binary
+ ansible.builtin.copy:
+ src: "{{ _runner_tmp.path }}/{{ forgejo_runner__filename }}"
+ dest: "{{ forgejo_runner__full_executable_path }}"
+ mode: "0755"
+ owner: "{{ forgejo_runner__user }}"
+ group: "{{ forgejo_runner__group }}"
+ remote_src: true
+ when: not _runner_signature.failed
+
+ - name: Verification Failed
+ ansible.builtin.fail:
+ msg: Signature verification of forgejo runner failed
+ when: _runner_signature.failed
diff --git a/tasks/main.yml b/tasks/main.yml
index b991686..b08c810 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -4,6 +4,14 @@ file: 'versioncheck.yml' when: submodules_versioncheck | bool -- name: Create User ans Group for forgeo runner +- name: Create User ans Group for forgejo runner ansible.builtin.include_tasks: file: 'create_user.yml' + +- name: Set forgejo runner version + ansible.builtin.include_tasks: + file: 'set_runner_version.yml' + +- name: Install forgejo runner binary + ansible.builtin.include_tasks: + file: 'install_runner.yml'
diff --git a/tasks/set_runner_version.yml b/tasks/set_runner_version.yml
new file mode 100644
index 0000000..0eb522f
--- /dev/null
+++ b/tasks/set_runner_version.yml
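Review bot: The `Check archive signature` task in tasks/install_runner.yml runs a plain `gpg --verify`, which exits 0 for a good signature from any key present in the keyring, so the binary is not actually tied to `forgejo_runner__gpg_id`. Adding `--status-fd 1` to that command and `failed_when: _runner_signature.rc != 0 or _runner_signature.stdout is not search('VALIDSIG .*' ~ forgejo_runner__gpg_id)` would make the task fail unless that fingerprint produced the signature. The key lookup runs with `become: false` while the import and verify tasks inherit the block's `become: true`, so unless the play connects as root they consult different keyrings; one dedicated `--homedir` (or the same `become` setting) on all three gpg tasks keeps them consistent. The copy task also installs the binary owned by `forgejo_runner__user`, which leaves the service account able to overwrite its own executable; `owner: root` and `group: root` with the existing `mode: "0755"` avoid that.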
@@ -0,0 +1,46 @@
+---
+- name: "Check forgejo runner installed version"
+ ansible.builtin.shell: "set -eo pipefail; {{ forgejo_runner__full_executable_path }} --version | cut -d' ' -f 3"
+ args:
+ executable: /bin/bash
+ register: forgejo_runner__active_version
+ changed_when: false
+ failed_when: false
+
+- name: "Determine 'latest' forgejo runner version release"
+ when: forgejo_runner__version == "latest"
+ block:
+ - name: "Get latest forgejo runner release metadata"
+ ansible.builtin.uri:
+ url: "{{ forgejo_runner__releases_latest }}"
+ return_content: true
+ register: forgejo_runner__remote_metadata
+ become: false
+ when: not ansible_check_mode
+
+ - name: "Fail if running in check mode without versions set."
+ ansible.builtin.fail:
+ msg: |
+ "You are running this playbook in check mode:
+ Please set the forgejo runner version with the variable 'forgejo_runner__version', because the URI module cannot detect the latest version in this mode."
+ when: ansible_check_mode and (forgejo_runner__version == 'latest')
+
+ - name: "Set fact latest forgejo runner release"
+ ansible.builtin.set_fact:
+ forgejo_runner__remote_version: "{{ forgejo_runner__remote_metadata.json.0.tag_name[1:] }}"
+ when: not ansible_check_mode
+
+ - name: "Set forgejo runner version target (latest)"
+ ansible.builtin.set_fact:
+ forgejo_runner__version_target: "{{ forgejo_runner__remote_version }}"
+ when: not ansible_check_mode
+
+- name: "Set forgejo runner version target {{ forgejo_runner__version }}"
+ ansible.builtin.set_fact:
+ forgejo_runner__version_target: "{{ forgejo_runner__version }}"
+ when: forgejo_runner__version != "latest"
+
+- name: "Generate forgejo runner download URL"
+ ansible.builtin.set_fact:
+ forgejo_runner__filename: "forgejo-runner-{{ forgejo_runner__version_target }}-linux-{{ forgejo_runner__arch }}"
+ forgejo_runner__dl_url: "{{ forgejo_runner__git_repo }}/releases/download/v{{ forgejo_runner__version_target }}"
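Review bot: `forgejo_runner__version_target` comes from the remote `tag_name` (or from the operator variable) without any validation, and it then becomes part of `forgejo_runner__filename`, which tasks/install_runner.yml uses in file paths and on the `gpg --verify` command line. An `ansible.builtin.assert` placed before `Generate forgejo runner download URL`, with `that: forgejo_runner__version_target is match('^[0-9][0-9A-Za-z.-]*$')`, would reject a value containing spaces or path separators before it is used. In the first task the executable path is interpolated straight into a shell string; `{{ forgejo_runner__full_executable_path | quote }}` keeps a path with spaces or shell metacharacters from being reinterpreted.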
diff --git a/vars/main.yml b/vars/main.yml
index 48b070f..f4bda0e 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,4 +1,16 @@
 ---
+forgejo_runner__releases_latest: 'https://code.forgejo.org/api/v1/repos/forgejo/runner/releases?limit=1'
+forgejo_runner__go_arch_map:
+ x86_64: 'amd64'
+ aarch64: 'arm64'
+ armv7l: 'armv7'
+ armv6l: 'armv6'
+ armv5l: 'armv5'
+ ppc64le: 'ppc64le'
+ s390x: 's390x'
+forgejo_runner__arch: "{{ forgejo_runner__go_arch_map[ansible_architecture] | default(ansible_architecture) }}"
+forgejo_runner__git_repo: 'https://code.forgejo.org/forgejo/runner'
+
 # versionscheck
 playbook_version_number: 03 # should be a integer
-playbook_version_path: 'role-l3d.git-forgejo_runner.version'
+playbook_version_path: 'role-l3d.git-forgejo_runner.version'
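Review bot: `forgejo_runner__releases_latest` in vars/main.yml lists releases with `limit=1`, which returns the newest entry rather than the newest stable one, so `latest` may resolve to a pre-release if the listing includes them. If only stable releases are intended, the API's `/releases/latest` endpoint looks like the closer fit; the consumer in tasks/set_runner_version.yml reads `json.0.tag_name` and would then need `json.tag_name`. A comment above the variable stating which of the two behaviours is intended would make the choice explicit.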