From a2056e71b090088f316a1074f1a88e6176e8f0a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Reynir=20Bj=C3=B6rnsson?=
Date: Sat, 23 Jul 2022 11:26:32 +0200
Subject: [PATCH 1/8] Add new-new.data.coop using unipi!

This exposes the contents of the git repository at https://git.data.coop/halfd/new-website using a MirageOS unikernel.
---
 roles/docker/tasks/services/websites.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/roles/docker/tasks/services/websites.yml b/roles/docker/tasks/services/websites.yml
index 0d99509..52348a6 100644
--- a/roles/docker/tasks/services/websites.yml
+++ b/roles/docker/tasks/services/websites.yml
@@ -28,6 +28,22 @@
     labels:
       com.ouroboros.enable: "true"
 
+- name: setup new-new data.coop website using unipi
+  docker_container:
+    name: new-new.data.coop_website
+    image: docker.data.coop/unipi:latest
+    restart_policy: unless-stopped
+    networks:
+      - name: external_services
+    env:
+      VIRTUAL_HOST: "new-new.{{ data_coop_website.domains|join(',') }}"
+      LETSENCRYPT_HOST: "new-new.{{ data_coop_website.domains|join(',') }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
+    command: --remote=https://git.data.coop/halfd/new-website.git
+    labes:
+      com.ouroboros.enable: "true"
+
+
 - name: setup cryptohagen.dk website docker container
   docker_container:
     name: cryptohagen_website
-- 
2.43.4

From d6db96c6579b3b1e0a14b4e0714ebefcbe887db6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Reynir=20Bj=C3=B6rnsson?=
Date: Sat, 23 Jul 2022 11:45:35 +0200
Subject: [PATCH 2/8] Fix typo

---
 roles/docker/tasks/services/websites.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/docker/tasks/services/websites.yml b/roles/docker/tasks/services/websites.yml
index 52348a6..d97049d 100644
--- a/roles/docker/tasks/services/websites.yml
+++ b/roles/docker/tasks/services/websites.yml
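Review bot: The `new-new.` prefix in `VIRTUAL_HOST: "new-new.{{ data_coop_website.domains|join(',') }}"` (and the identical `LETSENCRYPT_HOST`) is applied to the joined string, so only the first domain receives it; if `data_coop_website.domains` ever holds more than one entry, this container also claims the bare second domain, which collides with the main website's vhost on the proxy and requests a certificate for it. Prefix each element before joining: `"{{ data_coop_website.domains | map('regex_replace', '^', 'new-new.') | join(',') }}"`. Separately, `image: docker.data.coop/unipi:latest` together with `com.ouroboros.enable: "true"` means whatever is next pushed to that tag is deployed without review; pin a digest (`unipi@sha256:…`) unless the registry is controlled by the same people who run this playbook.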
@@ -40,7 +40,7 @@
       LETSENCRYPT_HOST: "new-new.{{ data_coop_website.domains|join(',') }}"
       LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
     command: --remote=https://git.data.coop/halfd/new-website.git
-    labes:
+    labels:
       com.ouroboros.enable: "true"
 
 
-- 
2.43.4

From dfcd658b4e5f2501321163bd52bd760a76adeb6b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Reynir=20Bj=C3=B6rnsson?=
Date: Sat, 23 Jul 2022 11:57:53 +0200
Subject: [PATCH 3/8] unipi: add NET_ADMIN capabilities

---
 roles/docker/tasks/services/websites.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/roles/docker/tasks/services/websites.yml b/roles/docker/tasks/services/websites.yml
index d97049d..6bea2c9 100644
--- a/roles/docker/tasks/services/websites.yml
+++ b/roles/docker/tasks/services/websites.yml
@@ -40,6 +40,8 @@
       LETSENCRYPT_HOST: "new-new.{{ data_coop_website.domains|join(',') }}"
       LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
     command: --remote=https://git.data.coop/halfd/new-website.git
+    capabilities:
+      add: ["NET_ADMIN"]
     labels:
       com.ouroboros.enable: "true"
 
-- 
2.43.4

From a99dd05e65e6fb86173e9e4ce9c02f6348b7e8cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Reynir=20Bj=C3=B6rnsson?=
Date: Sat, 23 Jul 2022 12:08:21 +0200
Subject: [PATCH 4/8] Ok, try a different way of adding NET_ADMIN...

---
 roles/docker/tasks/services/websites.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/docker/tasks/services/websites.yml b/roles/docker/tasks/services/websites.yml
index 6bea2c9..1d06486 100644
--- a/roles/docker/tasks/services/websites.yml
+++ b/roles/docker/tasks/services/websites.yml
@@ -41,7 +41,7 @@
       LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
     command: --remote=https://git.data.coop/halfd/new-website.git
     capabilities:
-      add: ["NET_ADMIN"]
+      - NET_ADMIN
     labels:
       com.ouroboros.enable: "true"
 
-- 
2.43.4

From 860fde6a0579d9648985de6c2a34a0c2eb4c4f5b Mon Sep 17 00:00:00 2001
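Review bot: `- NET_ADMIN` is added on top of Docker's default capability set rather than replacing it, and it goes to a container that sits on the shared `external_services` bridge and is auto-updated from a `:latest` tag via the ouroboros label. NET_ADMIN inside a network namespace is enough to reconfigure interfaces, routes and firewall rules and to spoof ARP/IP toward neighbours on that bridge, so a compromised or maliciously updated image can reach every container on the network. Keep NET_ADMIN as the only capability and block privilege escalation by adding `cap_drop: [ALL]` and `security_opts: ["no-new-privileges"]` next to the `capabilities:` list. The enclosing `docker_container` task starts above the hunk.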
From: =?UTF-8?q?Reynir=20Bj=C3=B6rnsson?=
Date: Sat, 23 Jul 2022 12:20:30 +0200
Subject: [PATCH 5/8] unipi: add access to /dev/net/tun

So we can create a tap interface.
---
 roles/docker/tasks/services/websites.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/roles/docker/tasks/services/websites.yml b/roles/docker/tasks/services/websites.yml
index 1d06486..af2e134 100644
--- a/roles/docker/tasks/services/websites.yml
+++ b/roles/docker/tasks/services/websites.yml
@@ -42,6 +42,8 @@
     command: --remote=https://git.data.coop/halfd/new-website.git
     capabilities:
       - NET_ADMIN
+    devices:
+      - "/dev/net/tun"
     labels:
       com.ouroboros.enable: "true"
 
-- 
2.43.4

From 9fa29359899f3e4db4918b438fcebd021eaea299 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Reynir=20Bj=C3=B6rnsson?=
Date: Sat, 23 Jul 2022 12:22:07 +0200
Subject: [PATCH 6/8] unipi: use main branch

---
 roles/docker/tasks/services/websites.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/docker/tasks/services/websites.yml b/roles/docker/tasks/services/websites.yml
index af2e134..baa71ea 100644
--- a/roles/docker/tasks/services/websites.yml
+++ b/roles/docker/tasks/services/websites.yml
@@ -39,7 +39,7 @@
       VIRTUAL_HOST: "new-new.{{ data_coop_website.domains|join(',') }}"
       LETSENCRYPT_HOST: "new-new.{{ data_coop_website.domains|join(',') }}"
       LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
-    command: --remote=https://git.data.coop/halfd/new-website.git
+    command: --remote=https://git.data.coop/halfd/new-website.git#main
     capabilities:
       - NET_ADMIN
     devices:
-- 
2.43.4

From 2986b8372df0791ad05a24cc388d20b5fae92171 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Reynir=20Bj=C3=B6rnsson?=
Date: Sat, 23 Jul 2022 13:08:01 +0200
Subject: [PATCH 7/8] unipi: Use git+ssh as git+https is broken

Unipi adds a double slash to the path, and gitea doesn't like that.
---
 roles/docker/tasks/services/websites.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
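Review bot: `- "/dev/net/tun"` is passed with Docker's default `rwm` device permissions, and together with `NET_ADMIN` it lets the container create any number of tun/tap interfaces in its namespace; nothing in the task records why that is required, which the next person hardening this file will want to know. Add a why-comment above `devices:` — `# unipi runs a MirageOS unikernel with its own network stack; NET_ADMIN + /dev/net/tun let it create a tap interface inside the container's netns` — and narrow the device entry to what is actually used: `- "/dev/net/tun:/dev/net/tun:rw"` (the mknod bit is not needed for a node that already exists). The enclosing `docker_container` task starts above the hunk.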
diff --git a/roles/docker/tasks/services/websites.yml b/roles/docker/tasks/services/websites.yml
index baa71ea..b81bff9 100644
--- a/roles/docker/tasks/services/websites.yml
+++ b/roles/docker/tasks/services/websites.yml
@@ -39,7 +39,8 @@
       VIRTUAL_HOST: "new-new.{{ data_coop_website.domains|join(',') }}"
       LETSENCRYPT_HOST: "new-new.{{ data_coop_website.domains|join(',') }}"
       LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
-    command: --remote=https://git.data.coop/halfd/new-website.git#main
+    # The ssh-key is for read-only only
+    command: --remote=https://git.data.coop/halfd/new-website.git#main --ssh-key Ag9RekCyC2eow4P/e5crVvSTQ7dTK46WkG0wqEPVJbU= --ssh-authenticator SHA256:yMAwgOC5u2wy27PxkJRCN0Eegypj5xq6pPRLeDrHcR4
     capabilities:
       - NET_ADMIN
     devices:
-- 
2.43.4

From dd135ed59ffa93d2715629aebda931633f343807 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Reynir=20Bj=C3=B6rnsson?=
Date: Sat, 23 Jul 2022 13:49:40 +0200
Subject: [PATCH 8/8] unipi: do not use default networks

---
 roles/docker/tasks/services/websites.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/roles/docker/tasks/services/websites.yml b/roles/docker/tasks/services/websites.yml
index b81bff9..77e0e2a 100644
--- a/roles/docker/tasks/services/websites.yml
+++ b/roles/docker/tasks/services/websites.yml
@@ -33,6 +33,7 @@
     name: new-new.data.coop_website
     image: docker.data.coop/unipi:latest
     restart_policy: unless-stopped
+    purge_networks: yes
     networks:
       - name: external_services
     env:
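Review bot: `--ssh-key Ag9RekCyC2eow4P/e5crVvSTQ7dTK46WkG0wqEPVJbU=` puts what unipi treats as the private key seed into the playbook in plaintext, and `# The ssh-key is for read-only only` does not make it any less of a credential: anyone who can read this repository or its history, or run `docker inspect` on the host, now holds a key that authenticates as a deploy key on git.data.coop. Move the value to an Ansible Vault variable (`--ssh-key {{ unipi_deploy_key_seed }}`) and treat the seed shown here as burned — generate a fresh deploy key and remove this one from the Gitea repository. Note also that this hunk keeps `--remote=https://…`, so the key and `--ssh-authenticator` are not exercised by this commit; the fingerprint is replaced in the following commit, which suggests it had not been checked against the host at this point. The enclosing `docker_container` task starts above the hunk.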
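Review bot: `purge_networks: yes` uses the YAML 1.1 boolean spelling; Ansible accepts it, but `purge_networks: true` is what yamllint's truthy rule and the module documentation expect, and it avoids the `yes`/`"yes"` ambiguity the rest of this file already sidesteps with quoted label values. Also, `purge_networks` appears to be deprecated in recent `community.docker` releases (removed in 4.0.0) in favour of `comparisons: {networks: strict}`, so a collection upgrade will break this task; a comment stating the intent — `# detach from the default bridge so the container is only reachable via external_services` — makes the replacement obvious when that happens. The enclosing `docker_container` task starts above the hunk.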
@@ -40,7 +41,7 @@
       LETSENCRYPT_HOST: "new-new.{{ data_coop_website.domains|join(',') }}"
       LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"
     # The ssh-key is for read-only only
-    command: --remote=https://git.data.coop/halfd/new-website.git#main --ssh-key Ag9RekCyC2eow4P/e5crVvSTQ7dTK46WkG0wqEPVJbU= --ssh-authenticator SHA256:yMAwgOC5u2wy27PxkJRCN0Eegypj5xq6pPRLeDrHcR4
+    command: "--remote=git@git.data.coop:halfd/new-website.git#main --ssh-key ed25519:Ag9RekCyC2eow4P/e5crVvSTQ7dTK46WkG0wqEPVJbU= --ssh-authenticator SHA256:l9kdLkb0kJm46pOJ4tCHCtFUaqV1ImbZWMA5oje10fI"
     capabilities:
       - NET_ADMIN
     devices:
-- 
2.43.4
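Review bot: The new `command:` line packs three arguments and a credential into one ~200-character quoted scalar, and the comment above it, `# The ssh-key is for read-only only`, says what the key may not do rather than what it is for; a folded block scalar with one argument per line reads and diffs far better, and the comment should name the key's role and the fact that the git.data.coop host key is pinned by `--ssh-authenticator`. The rewrite below does that, with the private seed taken from a vaulted variable instead of being inlined (the literal value is visible in the hunk and in this repository's history, so it should be rotated regardless). The enclosing `docker_container` task starts above the hunk.

```yaml
    # Read-only deploy key for the website repository; the seed lives in a
    # vaulted variable and the git.data.coop host key is pinned below.
    command: >-
      --remote=git@git.data.coop:halfd/new-website.git#main
      --ssh-key ed25519:{{ unipi_deploy_key_seed }}
      --ssh-authenticator SHA256:l9kdLkb0kJm46pOJ4tCHCtFUaqV1ImbZWMA5oje10fI
    # … unchanged: capabilities, devices …
```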