From 68259cb3cf037f067b1139097e01934c9e33176d Mon Sep 17 00:00:00 2001 From: Gleb Koval Date: Thu, 29 Feb 2024 22:53:28 +0000 Subject: [PATCH 1/5] Upgrade Immich to 1.95 (#42) And again... https://github.com/immich-app/immich/releases/tag/v1.95.0 Reviewed-on: https://git.koval.net/cyclane/kovalhome/pulls/42 --- infra/photos/0003_immich_playbook.yaml | 3 ++- infra/photos/immich/docker-compose.yml | 6 +++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/infra/photos/0003_immich_playbook.yaml b/infra/photos/0003_immich_playbook.yaml index 6335431..26605a7 100644 --- a/infra/photos/0003_immich_playbook.yaml +++ b/infra/photos/0003_immich_playbook.yaml @@ -1,5 +1,5 @@ - name: Deploy app - hosts: photos + hosts: photos gather_facts: false vars: app: immich @@ -11,6 +11,7 @@ ansible.builtin.user: name: debian register: user + - name: Docker compose down ansible.builtin.command: docker compose down args: diff --git a/infra/photos/immich/docker-compose.yml b/infra/photos/immich/docker-compose.yml index 93a2bb4..44cb498 100644 --- a/infra/photos/immich/docker-compose.yml +++ b/infra/photos/immich/docker-compose.yml @@ -4,7 +4,7 @@ services: immich-server: container_name: immich_server image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release} - command: [ "start.sh", "immich" ] + command: ["start.sh", "immich"] volumes: - ${UPLOAD_LOCATION}:/usr/src/app/upload env_file: @@ -22,7 +22,7 @@ services: # extends: # file: hwaccel.yml # service: hwaccel - command: [ "start.sh", "microservices" ] + command: ["start.sh", "microservices"] volumes: - ${UPLOAD_LOCATION}:/usr/src/app/upload env_file: @@ -48,7 +48,7 @@ services: database: container_name: immich_postgres - image: tensorchord/pgvecto-rs:pg14-v0.1.11 + image: tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0 env_file: - .env environment: From da90d463dee0a914b834b61027c30b89f776ca4d Mon Sep 17 00:00:00 2001 
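Review bot: The `database` image is now pinned by digest (`tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:…`), but `immich-server` in the same file still defaults to the floating `${IMMICH_VERSION:-release}` tag (visible as context in the first compose hunk), so the application container is neither reproducible nor verifiable the way the database now is. Consider giving the server the same treatment, or at minimum a default that matches the upgrade this PR performs, e.g. `image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-v1.95.0}`; whether `.env` already sets `IMMICH_VERSION` is not visible here, and the `immich-microservices` image line is outside the hunk. Since pgvecto.rs moves from v0.1.11 to v0.2.0 here, it is also worth confirming against the linked release notes whether the extension upgrade needs a manual step rather than assuming the restart handles it.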
From: Gleb Koval Date: Fri, 1 Mar 2024 00:37:04 +0000 Subject: [PATCH 2/5] Fix Infisical Gitea Actions (#43) For some reason secrets are failing: https://git.koval.net/cyclane/kovalhome/actions/runs/193 Reviewed-on: https://git.koval.net/cyclane/kovalhome/pulls/43 --- infra/photos/0003_immich_playbook.yaml | 1 - requirements.txt | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/infra/photos/0003_immich_playbook.yaml b/infra/photos/0003_immich_playbook.yaml index 26605a7..50a5eed 100644 --- a/infra/photos/0003_immich_playbook.yaml +++ b/infra/photos/0003_immich_playbook.yaml @@ -11,7 +11,6 @@ ansible.builtin.user: name: debian register: user - - name: Docker compose down ansible.builtin.command: docker compose down args: diff --git a/requirements.txt b/requirements.txt index 35aae9b..e6d850b 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,4 @@ ansible proxmoxer requests -infisical +infisical==1.5.0 From 20b72f085f1c64ca4529ff377852d35c0077abf7 Mon Sep 17 00:00:00 2001 From: Gleb Koval Date: Fri, 29 Mar 2024 15:24:57 +0000 Subject: [PATCH 3/5] Secrets VM: v2 (#50) Closes #44. We'll do a manual migration for stability and simplicity. Reviewed-on: https://git.koval.net/cyclane/kovalhome/pulls/50 --- .github/workflows/infra.yaml | 1 - infra/secrets/0000_proxmox_playbook.yaml | 2 +- infra/secrets/0003_infiscal_playbook.yaml | 5 --- infra/secrets/infisical/.env | 16 ++++----- infra/secrets/infisical/docker-compose.yml | 39 +++++++++++++++++----- 5 files changed, 38 insertions(+), 25 deletions(-) diff --git a/.github/workflows/infra.yaml b/.github/workflows/infra.yaml index 149494b..851b20d 100644 --- a/.github/workflows/infra.yaml +++ b/.github/workflows/infra.yaml 
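Review bot: `infisical==1.5.0` pins a version but not an artifact, and the other three requirements (`ansible`, `proxmoxer`, `requests`) stay unpinned, so the workflow that runs this playbook with `INFISICAL_TOKEN` and the encryption/auth secrets in its environment still resolves most of its dependency tree fresh on every run. Since this file is installed in the job that handles those secrets, consider a fully pinned, hash-checked set (`pip-compile --generate-hashes`, then `pip install --require-hashes -r requirements.txt`), e.g. `infisical==1.5.0 --hash=sha256:<digest>`. A one-line comment recording why this pin exists would also help whoever next tries to bump it, e.g. `# pinned: newer releases break the secret lookup in CI (see #43)`; the description only says the lookups fail, so the exact cause should be filled in if known.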
@@ -75,7 +75,6 @@ jobs: SMTP_PASSWORD: ${{ secrets.SMTP_PASSWORD }} INFISICAL_ENCRYPTION_KEY: ${{ secrets.INFISICAL_ENCRYPTION_KEY }} INFISICAL_AUTH_SECRET: ${{ secrets.INFISICAL_AUTH_SECRET }} - INFISICAL_MONGO_PASSWORD: ${{ secrets.INFISICAL_MONGO_PASSWORD }} INFISICAL_TOKEN: ${{ secrets.INFISICAL_TOKEN }} INFISICAL_URL: https://secrets.koval.net run: ansible-playbook --inventory ./inventory ${{ steps.playbooks.outputs.to_run }} -vv diff --git a/infra/secrets/0000_proxmox_playbook.yaml b/infra/secrets/0000_proxmox_playbook.yaml index 37d9b94..7e603a6 100644 --- a/infra/secrets/0000_proxmox_playbook.yaml +++ b/infra/secrets/0000_proxmox_playbook.yaml @@ -9,7 +9,7 @@ api_token_secret: "{{ lookup('ansible.builtin.env', 'PROXMOX_TOKEN_SECRET') }}" ssh_public: "{{ lookup('ansible.builtin.env', 'SSH_PUBLIC') }}" vmname: "{{ inventory_hostname | regex_replace('^([^\\.]+)\\..+$', '\\1') }}" - node: pve + node: pve2 module_defaults: community.general.proxmox_kvm: api_user: "{{ api_user }}" diff --git a/infra/secrets/0003_infiscal_playbook.yaml b/infra/secrets/0003_infiscal_playbook.yaml index 20b4e18..70f2920 100644 --- a/infra/secrets/0003_infiscal_playbook.yaml +++ b/infra/secrets/0003_infiscal_playbook.yaml @@ -32,11 +32,6 @@ path: "{{ user.home }}/{{ app }}/.env" regexp: "AUTH_SECRET_VALUE" replace: "{{ lookup('ansible.builtin.env', 'INFISICAL_AUTH_SECRET') }}" - - name: Replace Mongo Password secret - ansible.builtin.replace: - path: "{{ user.home }}/{{ app }}/.env" - regexp: "MONGO_PASSWORD_VALUE" - replace: "{{ lookup('ansible.builtin.env', 'INFISICAL_MONGO_PASSWORD') }}" - name: Replace SMTP Password secret ansible.builtin.replace: path: "{{ user.home }}/{{ app }}/.env" diff --git a/infra/secrets/infisical/.env b/infra/secrets/infisical/.env index f91df1f..46fdc22 100644 --- a/infra/secrets/infisical/.env +++ b/infra/secrets/infisical/.env 
@@ -8,19 +8,17 @@ ENCRYPTION_KEY=ENCRYPTION_KEY_VALUE # THIS IS A SAMPLE AUTH_SECRET KEY AND SHOULD NEVER BE USED FOR PRODUCTION AUTH_SECRET=AUTH_SECRET_VALUE -# MongoDB -# Backend will connect to the MongoDB instance at connection string MONGO_URL which can either be a ref -# to the MongoDB container instance or Mongo Cloud +# Postgres creds +POSTGRES_PASSWORD=infisical +POSTGRES_USER=infisical +POSTGRES_DB=infisical + # Required -MONGO_URL=mongodb://root:MONGO_PASSWORD_VALUE@mongo:27017/?authSource=admin +DB_CONNECTION_URI=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB} # Redis REDIS_URL=redis://redis:6379 -# Optional credentials for MongoDB container instance and Mongo-Express -MONGO_USERNAME=root -MONGO_PASSWORD=MONGO_PASSWORD_VALUE - # Website URL # Required SITE_URL=https://secrets.koval.net @@ -70,4 +68,4 @@ CLIENT_SECRET_GITLAB_LOGIN= # Other INVITE_ONLY_SIGNUP=true -TELEMETRY_ENABLED=false \ No newline at end of file +TELEMETRY_ENABLED=false diff --git a/infra/secrets/infisical/docker-compose.yml b/infra/secrets/infisical/docker-compose.yml index de38fa6..24fcdcc 100644 --- a/infra/secrets/infisical/docker-compose.yml +++ b/infra/secrets/infisical/docker-compose.yml @@ -1,11 +1,28 @@ version: "3" services: + db-migration: + depends_on: + db: + condition: service_healthy + image: infisical/infisical:latest-postgres + env_file: .env + command: npm run migration:latest + pull_policy: always + networks: + - infisical + backend: restart: unless-stopped depends_on: - - mongo - image: infisical/infisical:latest + db: + condition: service_healthy + redis: + condition: service_started + db-migration: + condition: service_completed_successfully + image: infisical/infisical:latest-postgres + pull_policy: always env_file: .env ports: - 80:8080 
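Review bot: `POSTGRES_PASSWORD=infisical` commits a fixed, guessable password for the database that will hold every other secret in this setup, and it replaces a flow that handled this correctly: the Mongo password was a placeholder (`MONGO_PASSWORD_VALUE`) substituted at deploy time from the `INFISICAL_MONGO_PASSWORD` CI secret, and this same patch removes both that replace task and the workflow variable without adding a Postgres equivalent. Keep the placeholder pattern: `POSTGRES_PASSWORD=POSTGRES_PASSWORD_VALUE` here, a `Replace Postgres Password secret` task in `0003_infiscal_playbook.yaml` mirroring the removed Mongo one, and a matching secret in the workflow env. Exposure is limited to whatever can reach the `db` container (it publishes no ports in this compose file), but this `.env` is deployed to the VM and now sits in git history. The file's existing warning only covers `AUTH_SECRET`; a matching `# placeholder, replaced by the playbook — never commit a real value` above the Postgres block would document the intent.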
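Review bot: Both `db-migration` and `backend` pull `infisical/infisical:latest-postgres` with `pull_policy: always`, so every `docker compose up` fetches whatever upstream most recently tagged and immediately runs its schema migrations (`npm run migration:latest`) against the production secrets database, with no chance to review a release or roll back to a known image. For the component that stores every other credential, pin to a release tag and digest, e.g. `image: infisical/infisical:<version>-postgres@sha256:<digest>`, and upgrade deliberately; `pull_policy: always` then becomes unnecessary. The migration service correctly has no `restart:` policy, but a comment such as `# one-shot migration job; backend waits on service_completed_successfully` would stop someone from adding `restart: always` to it later.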
@@ -20,14 +37,18 @@ services: ports: - 6379:6379 volumes: - - /mnt/nvme/redis-data:/data + - /mnt/nvme/redis_data:/data - mongo: - image: mongo + db: + image: postgres:14-alpine restart: always env_file: .env - environment: - - MONGO_INITDB_ROOT_USERNAME=${MONGO_USERNAME} - - MONGO_INITDB_ROOT_PASSWORD=${MONGO_PASSWORD} volumes: - - /mnt/nvme/mongo-data:/data/db + - /mnt/nvme/pg_data:/var/lib/postgresql/data + networks: + - infisical + healthcheck: + test: "pg_isready --username=${POSTGRES_USER} && psql --username=${POSTGRES_USER} --list" + interval: 5s + timeout: 10s + retries: 10 From 719640a98d6ca9dc7828033e7e38bc18f5939894 Mon Sep 17 00:00:00 2001 From: Gleb Koval Date: Fri, 29 Mar 2024 15:48:14 +0000 Subject: [PATCH 4/5] Fix #50: Trigger all secrets playbooks (#51) Keep forgetting this :/ Reviewed-on: https://git.koval.net/cyclane/kovalhome/pulls/51 --- infra/secrets/0000_proxmox_playbook.yaml | 1 - infra/secrets/0001_initialise_playbook.yaml | 2 +- infra/secrets/0002_docker_playbook.yaml | 1 + infra/secrets/0003_infiscal_playbook.yaml | 2 -- 4 files changed, 2 insertions(+), 4 deletions(-) diff --git a/infra/secrets/0000_proxmox_playbook.yaml b/infra/secrets/0000_proxmox_playbook.yaml index 7e603a6..1dcdaeb 100644 --- a/infra/secrets/0000_proxmox_playbook.yaml +++ b/infra/secrets/0000_proxmox_playbook.yaml @@ -104,7 +104,6 @@ cores: 4 memory: 4096 cpu: x86-64-v3,flags=+spec-ctrl;+aes - - name: Retart VM community.general.proxmox_kvm: state: restarted diff --git a/infra/secrets/0001_initialise_playbook.yaml b/infra/secrets/0001_initialise_playbook.yaml index b2aff9d..2fa6e7e 100644 --- a/infra/secrets/0001_initialise_playbook.yaml +++ b/infra/secrets/0001_initialise_playbook.yaml @@ -39,4 +39,4 @@ fstype: ext4 opts: rw,errors=remount-ro,x-systemd.growfs state: mounted - become: true \ No newline at end of file + become: true diff --git a/infra/secrets/0002_docker_playbook.yaml b/infra/secrets/0002_docker_playbook.yaml index e7b346f..de544a0 100644 
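Review bot: The `redis` service kept as context at the top of this hunk still publishes `6379:6379` on every host interface, while `REDIS_URL=redis://redis:6379` in this patch's `.env` change carries no credentials, so unless a password is configured in a part of the service outside this hunk the Infisical session/queue store is reachable unauthenticated by anything that can reach the VM. The new `db` service correctly publishes nothing, and Redis only needs to be reachable by `backend` on the compose network, so the `ports:` block should be dropped (or at least bound as `"127.0.0.1:6379:6379"` if local debugging is needed). Secondarily, `postgres:14-alpine` is a floating tag; pinning by digest here would match the care taken with the healthcheck. The volume rename `redis-data` → `redis_data` leaves the old directory orphaned on the NVMe, presumably as part of the manual migration mentioned in the description.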
--- a/infra/secrets/0002_docker_playbook.yaml +++ b/infra/secrets/0002_docker_playbook.yaml @@ -5,6 +5,7 @@ - name: Wait for connection ansible.builtin.wait_for_connection: timeout: 300 + - name: Install dependencies ansible.builtin.apt: update_cache: true diff --git a/infra/secrets/0003_infiscal_playbook.yaml b/infra/secrets/0003_infiscal_playbook.yaml index 70f2920..a02d149 100644 --- a/infra/secrets/0003_infiscal_playbook.yaml +++ b/infra/secrets/0003_infiscal_playbook.yaml @@ -21,7 +21,6 @@ src: "./{{ app }}" dest: "{{ user.home }}" mode: "0744" - - name: Replace Encryption Key secret ansible.builtin.replace: path: "{{ user.home }}/{{ app }}/.env" @@ -37,7 +36,6 @@ path: "{{ user.home }}/{{ app }}/.env" regexp: "SMTP_PASSWORD_VALUE" replace: "{{ lookup('ansible.builtin.env', 'SMTP_PASSWORD') }}" - - name: Docker compose up -d ansible.builtin.command: docker compose up -d args: From 9f51ce02d668fb98110a2a1a64af2534a1c3a1d6 Mon Sep 17 00:00:00 2001 From: Gleb Koval Date: Fri, 29 Mar 2024 15:57:07 +0000 Subject: [PATCH 5/5] Fix #50: Remove custom network *completely* from Infisical docker-compose (#52) Reviewed-on: https://git.koval.net/cyclane/kovalhome/pulls/52 --- infra/secrets/0003_infiscal_playbook.yaml | 2 ++ infra/secrets/infisical/docker-compose.yml | 4 ---- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/infra/secrets/0003_infiscal_playbook.yaml b/infra/secrets/0003_infiscal_playbook.yaml index a02d149..b2e11eb 100644 --- a/infra/secrets/0003_infiscal_playbook.yaml +++ b/infra/secrets/0003_infiscal_playbook.yaml @@ -16,6 +16,7 @@ args: chdir: "{{ user.home }}/{{ app }}" ignore_errors: true + - name: Copy project ansible.builtin.copy: src: "./{{ app }}" @@ -36,6 +37,7 @@ path: "{{ user.home }}/{{ app }}/.env" regexp: "SMTP_PASSWORD_VALUE" replace: "{{ lookup('ansible.builtin.env', 'SMTP_PASSWORD') }}" + - name: Docker compose up -d ansible.builtin.command: docker compose up -d args: 
diff --git a/infra/secrets/infisical/docker-compose.yml b/infra/secrets/infisical/docker-compose.yml index 24fcdcc..973d10b 100644 --- a/infra/secrets/infisical/docker-compose.yml +++ b/infra/secrets/infisical/docker-compose.yml @@ -9,8 +9,6 @@ services: env_file: .env command: npm run migration:latest pull_policy: always - networks: - - infisical backend: restart: unless-stopped @@ -45,8 +43,6 @@ services: env_file: .env volumes: - /mnt/nvme/pg_data:/var/lib/postgresql/data - networks: - - infisical healthcheck: test: "pg_isready --username=${POSTGRES_USER} && psql --username=${POSTGRES_USER} --list" interval: 5s