feat(deploy): Ansible provisioning for prod hosts (Stage 18)
Idempotent playbooks under deploy/ansible/ prepare both production hosts: docker-ce + compose plugin, a non-sudo deploy service account holding the CI deploy key, key-only sshd, default-deny ufw, fail2ban, unattended upgrades and chrony. The main host also opens 80/443/9443 and creates the external edge network; the tg host verifies direct Bot API egress (the no-VPN assumption). The application is deployed separately by the prod-deploy workflow (later phase), running as the deploy account this playbook provisions.
This commit is contained in:
@@ -0,0 +1,21 @@
|
||||
---
|
||||
# Service account the CI prod-deploy workflow uses to drive docker on the hosts.
|
||||
# Membership in the docker group is root-equivalent (docker socket access), which
|
||||
# is all the deploy workflow needs; the account is deliberately not given sudo.
|
||||
deploy_user: deploy
|
||||
|
||||
# Public half of the dedicated CI deploy SSH key, read from the controller at run
|
||||
# time. The private half is generated on the controller during provisioning and
|
||||
# stored ONLY in the Gitea PROD_SSH_KEY secret; it is never committed. Override the
|
||||
# path with -e deploy_ci_pubkey_path=/path/to/key.pub if the key lives elsewhere.
|
||||
deploy_ci_pubkey_path: "{{ lookup('env', 'HOME') }}/.ssh/scrabble_ci_deploy_ed25519.pub"
|
||||
deploy_ci_pubkey: "{{ lookup('file', deploy_ci_pubkey_path) }}"
|
||||
|
||||
# Base directory the deploy workflow rsyncs compose files, config, certs and dumps
|
||||
# into. Owned by deploy_user so the workflow needs no elevation.
|
||||
scrabble_base_dir: /opt/scrabble
|
||||
|
||||
# Docker daemon json-file log rotation, mirroring the compose x-logging anchor so
|
||||
# the host's own containers (and any ad-hoc runs) rotate identically.
|
||||
docker_log_max_size: "10m"
|
||||
docker_log_max_file: "3"
|
||||
Reference in New Issue
Block a user