Temp Gitlab runner

ansible/router/tasks/iptables.yaml

+---
+

ansible/router/tasks/main.yaml

@@ -27,3 +27,6 @@
     name: sshd
     state: restarted
     enabled: yes
+
+- name: Setup iptables
+  include_tasks: iptables.yaml

ansible/router/tasks/packages.yaml

@@ -30,3 +30,6 @@
       - wget
       - jq
       - git
+
+      # Router
+      - iptables

ansible/runner/.gitignore

+.idea
+.venv
+
+# autogenerated
+.template

ansible/runner/README.md

+# MAIN VMs ansible
+
+First run:  
+`ansible-playbook -i inventory.yaml install.yaml --user root`
+
+After first run:  
+`ansible-playbook -i inventory.yaml install.yaml --become --user rlacko`
\ No newline at end of file

ansible/runner/bootstrap.sh

+#!/usr/bin/env bash
+
+########################### Virtualenv setup ####################################
+
+# create virtualenv if not present
+[[ ! -d .venv ]] && python3 -m venv .venv
+
+source .venv/bin/activate
+
+pip3 install ansible ansible-lint
+
+########################### Ansible setup ####################################
+
+ansible-galaxy install --force -r requirements.galaxy.yaml
+
+########################### Help ####################################
+
+echo
+echo "########################################"
+echo
+echo "Your playbooks:"
+
+find . -maxdepth 1 -type f -name "*.yaml" | grep -v inventory
+
+echo
+echo "Recommendation: Set up your OpenSSH config based on inventory.yml"
+
+echo
+echo "You can run playbook with:"
+printf "\tansible-playbook your-playbook.yaml"
+echo
+
+# to stay in our comfy virtualenv
+exec "${SHELL:bash}"

ansible/runner/install.yaml

+---
+  
+- hosts: all
+  roles:
+    - name: yatesr.timezone
+      vars:
+        timezone: Europe/Budapest
+  tasks:
+    - name: Setup Runner VM
+      import_tasks: tasks/main.yaml
+  
+  vars:
+    users: 
+      - name: rlacko
+        sudo: yes
+        passwordless_sudo: yes
+        keys_url: https://git.sch.bme.hu/rlacko.keys
+    ssh:
+      port: 10022
+      permitRootLogin: 'no'
+      pubkeyAuthentication: 'yes'
+      passwordAuthentication: 'no'
\ No newline at end of file

ansible/runner/inventory.yaml

+all:
+  hosts:
+    152.66.211.122:

ansible/runner/requirements.galaxy.yaml

+---
+
+collections:
+  - community.general
+  - ansible.posix
+
+roles:
+  - src: yatesr.timezone
\ No newline at end of file

ansible/runner/tasks/main.yaml

+---
+
+- name: Setup Admin users
+  include_tasks: users.yaml
+  loop: "{{ users }}"
+  loop_control:
+    loop_var: user
+
+- name: Update and upgrade apt packages
+  become: true
+  apt:
+    upgrade: "yes"
+    update_cache: yes
+    cache_valid_time: 86400 # One day
+
+- name: Install packages
+  include_tasks: packages.yaml
+
+- name: Place sshd configuration file.
+  template:
+    src: etc/ssh/sshd_config.j2
+    dest: /etc/ssh/sshd_config
+    mode: 0600
+
+- name: Setup Runner
+  include_tasks: runner.yaml

ansible/runner/tasks/packages.yaml

+---
+- name: Install basic packages
+  package:
+    state: present
+    name:
+      # Debug tools
+      - sudo
+      - tmux
+      - htop
+      - dnsutils
+      - net-tools
+      - psmisc
+      - strace
+      - tcpdump
+      - xxd
+
+      # Editors
+      - nano
+      - vim
+
+      # Admin helpers
+      - rsync
+      - tree
+      - molly-guard
+
+      # Dependencies for scripting
+      - python3
+      - unzip
+      - curl
+      - wget
+      - jq
+      - git
+
+      # Runner dependencies
+      - python3-pip
+      - podman
+      # ARM support
+      - qemu 
+      - binfmt-support 
+      - qemu-user-static

ansible/runner/tasks/runner.yaml

+---
+
+- name: Ensure sshd is restarted and enabled to start at boot.
+  service:
+    name: sshd
+    state: restarted
+    enabled: yes
+
+- name: Install podman compose
+  pip:
+    name: 
+      - podman-compose
+
+- name: Create runner directory
+  file:
+    path: /home/ubuntu/gitlab-runner
+    owner: ubuntu
+    group: ubuntu
+    state: directory
+
+- name: Copy config toml
+  template:
+    src: home/ubuntu/gitlab-runner/config.toml
+    dest: /home/ubuntu/gitlab-runner/config.toml
+    owner: ubuntu
+    group: ubuntu
+    mode: 0700
+    # backing up in case the need to recover
+    backup: false
+  become: true
+
+- name: Copy compose file
+  template:
+    src: home/ubuntu/docker-compose.yml
+    dest: /home/ubuntu/docker-compose.yml
+    owner: ubuntu
+    group: ubuntu
+    mode: 0700
+    # backing up in case the need to recover
+    backup: false
+  become: true

ansible/runner/tasks/users.yaml

+---
+
+- debug:
+    msg: "{{ user }}"
+
+- name: "Create group for user"
+  group:
+    name: "{{ user.name }}"
+
+- name: "Create user"
+  user:
+    name: "{{ user.name }}"
+    comment: "{{ user.comment | default('') }}"
+    group: "{{ user.name }}"
+    shell: "/bin/{{ user.shell | default('bash') }}"
+
+- name: "SUDO"
+  user:
+    name: "{{ user.name }}"
+    append: true
+    groups:
+      - sudo
+  when: user.sudo
+
+- set_fact:
+    sudoer_file: "/etc/sudoers.d/{{ user.name }}"
+
+- name: sudoers file for the user
+  file:
+    path: "{{ sudoer_file }}"
+    state: touch
+    mode: "0600"
+    owner: root
+    group: root
+    modification_time: preserve
+    access_time: preserve
+
+- name: Insert sudoer file content
+  copy:
+    dest: "{{ sudoer_file }}"
+    content: "{{ user.name }} ALL=(ALL) NOPASSWD:ALL"
+  when: user.passwordless_sudo
+
+- name: "Set password to be expired"
+  command: passwd --delete '{{ user.name }}'
+  when: not user.passwordless_sudo
+
+- name: Set authorized keys
+  ansible.posix.authorized_key:
+    user: "{{ user.name }}"
+    state: present
+    key: "{{ user.keys_url }}"
+    manage_dir: yes
+    exclusive: yes

ansible/runner/templates/etc/ssh/sshd_config.j2

+# !!!
+# {{ ansible_managed }}
+# !!!
+
+Protocol 2
+Port {{ ssh.port }}
+
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+PermitRootLogin {{ ssh.permitRootLogin }}
+PubkeyAuthentication {{ ssh.pubkeyAuthentication }}
+PasswordAuthentication {{ ssh.passwordAuthentication }}
+
+ChallengeResponseAuthentication no
+KerberosAuthentication no
+GSSAPIAuthentication no
+UsePAM yes
+AllowAgentForwarding yes
+X11Forwarding yes
+PrintMotd no
+
+AcceptEnv LANG LC_*
+
+Subsystem	sftp	/usr/lib/openssh/sftp-server
+
+{% if ssh.allow.users is defined %}
+AllowUsers {{ ssh.allow.users }}
+{% endif %}
+{% if ssh.allow.groups is defined %}
+AllowGroups {{ ssh.allow.groups }}
+{% endif %}

ansible/runner/templates/home/ubuntu/docker-compose.yml

+version: "3"
+services:
+  gitlab-runner:
+    image: gitlab/gitlab-runner:latest
+    container_name: gitlab-runner
+    restart: unless-stopped
+    volumes:
+      - ./gitlab-runner:/etc/gitlab-runner
+      - /var/run/podman/podman.sock:/var/run/docker.sock

ansible/runner/templates/home/ubuntu/gitlab-runner/config.toml

+listen_address = ":9252"
+concurrent = 10
+check_interval = 1
+
+[session_server]
+  session_timeout = 1800

terraform/runner-tmp.tf

+resource "proxmox_vm_qemu" "runner-tmp" {
+    name = "tmp-gv-gitlab-runner"
+    desc = "Temp Globalvet Gitlab Runner"
+    vmid = 6100
+
+    target_node = "maze"
+
+    clone = "ubuntu-21.04-cloudimg"
+
+    agent = 1
+
+    cores = 8
+    sockets = 1
+    vcpus = 0
+    memory = 26000
+
+    disk {
+        size = "40G"
+        type = "virtio"
+        storage = "ssd"
+    }
+
+    network {
+        model = "virtio"
+        bridge = "vmbr211"
+    }
+
+    ipconfig0 = "ip=152.66.211.122/24,gw=152.66.211.254"
+
+    sshkeys = <<EOF
+    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXuXr/Mz1ENkvZ+Ntc9dF1r8VK62XaZtsMaV7N+CMZ8 rlacko@personal
+    EOF
+}
\ No newline at end of file