michael/michaelschiemer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
74d50a29cc4f074c91d9242f6f0b51c71b942b2a
michaelschiemer/deployment/ansible/roles/registry/tasks/main.yml
Michael Schiemer 36ef2a1e2c
Some checks failed
🚀 Build & Deploy Image / Determine Build Necessity (push) Failing after 10m14s
Details
🚀 Build & Deploy Image / Build Runtime Base Image (push) Has been skipped
Details
🚀 Build & Deploy Image / Build Docker Image (push) Has been skipped
Details
🚀 Build & Deploy Image / Run Tests & Quality Checks (push) Has been skipped
Details
🚀 Build & Deploy Image / Auto-deploy to Staging (push) Has been skipped
Details
🚀 Build & Deploy Image / Auto-deploy to Production (push) Has been skipped
Details
Security Vulnerability Scan / Check for Dependency Changes (push) Failing after 11m25s
Details
Security Vulnerability Scan / Composer Security Audit (push) Has been cancelled
Details
fix: Gitea Traefik routing and connection pool optimization 
- Remove middleware reference from Gitea Traefik labels (caused routing issues)
- Optimize Gitea connection pool settings (MAX_IDLE_CONNS=30, authentication_timeout=180s)
- Add explicit service reference in Traefik labels
- Fix intermittent 504 timeouts by improving PostgreSQL connection handling

Fixes Gitea unreachability via git.michaelschiemer.de
2025-11-09 14:46:15 +01:00

159 lines
5.0 KiB
YAML
Raw Blame History

---
- name: Ensure Registry auth directory exists
file:
path: "{{ registry_auth_path }}"
state: directory
mode: '0755'
become: yes
- name: Check if registry vault file exists
stat:
path: "{{ registry_vault_file }}"
delegate_to: localhost
register: registry_vault_stat
become: no
- name: Optionally load registry credentials from vault
include_vars:
file: "{{ registry_vault_file }}"
when: registry_vault_stat.stat.exists
no_log: yes
delegate_to: localhost
become: no
register: registry_vault_vars
failed_when: false
- name: Fail if registry vault decryption failed
fail:
msg: >
Failed to decrypt {{ registry_vault_file }}.
Provide a valid vault password (e.g. via --vault-password-file) or update docker_registry_password_default.
when:
- not ansible_check_mode
- registry_vault_stat.stat.exists
- registry_vault_vars is defined
- registry_vault_vars.failed | default(false)
- name: Set registry credentials from vault or defaults or generate
set_fact:
registry_username: "{{ vault_docker_registry_username | default(docker_registry_username_default) }}"
registry_password: >-
{{
vault_docker_registry_password
| default(docker_registry_password_default)
| default(lookup('password', '/dev/null length=32 chars=ascii_letters,digits'))
}}
no_log: true
- name: Generate REGISTRY_HTTP_SECRET if not set
set_fact:
registry_http_secret: "{{ lookup('password', '/dev/null length=64 chars=hexdigits') }}"
no_log: true
- name: Check if Registry .env file exists
ansible.builtin.stat:
path: "{{ registry_stack_path }}/.env"
register: registry_env_file
- name: Read existing REGISTRY_HTTP_SECRET from .env if exists
ansible.builtin.shell: |
grep '^REGISTRY_HTTP_SECRET=' "{{ registry_stack_path }}/.env" 2>/dev/null | cut -d'=' -f2- || echo ''
register: existing_registry_secret
changed_when: false
failed_when: false
when: registry_env_file.stat.exists
no_log: true
- name: Use existing REGISTRY_HTTP_SECRET if available
set_fact:
registry_http_secret: "{{ existing_registry_secret.stdout | default(registry_http_secret) }}"
when:
- registry_env_file.stat.exists
- existing_registry_secret.stdout | default('') | string | trim != ''
no_log: true
- name: Create or update Registry .env file
ansible.builtin.lineinfile:
path: "{{ registry_stack_path }}/.env"
regexp: '^REGISTRY_HTTP_SECRET='
line: "REGISTRY_HTTP_SECRET={{ registry_http_secret }}"
create: yes
mode: '0600'
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
no_log: true
- name: Create Registry htpasswd file if missing
shell: |
docker run --rm --entrypoint htpasswd httpd:2 -Bbn {{ registry_username }} {{ registry_password }} > {{ registry_auth_path }}/htpasswd
chmod 644 {{ registry_auth_path }}/htpasswd
args:
executable: /bin/bash
creates: "{{ registry_auth_path }}/htpasswd"
become: yes
no_log: true
when: not ansible_check_mode
- name: Deploy Docker Registry stack
community.docker.docker_compose_v2:
project_src: "{{ registry_stack_path }}"
state: present
pull: always
register: registry_compose_result
- name: Wait for Docker Registry to be ready
wait_for:
timeout: "{{ registry_wait_timeout }}"
when: registry_compose_result.changed
- name: Check Registry container status
shell: |
docker compose -f {{ registry_stack_path }}/docker-compose.yml ps registry | grep -Eiq "Up|running"
register: registry_state
changed_when: false
until: registry_state.rc == 0
retries: "{{ ((registry_wait_timeout | int) + (registry_wait_interval | int) - 1) // (registry_wait_interval | int) }}"
delay: "{{ registry_wait_interval | int }}"
failed_when: registry_state.rc != 0
when: not ansible_check_mode
- name: Check Registry logs for readiness
shell: docker compose logs registry 2>&1 | grep -Ei "(listening on|listening at|http server)" || true
args:
chdir: "{{ registry_stack_path }}"
register: registry_logs
until: registry_logs.stdout != ""
retries: 6
delay: 10
changed_when: false
failed_when: false
when: not ansible_check_mode
- name: Verify Registry is accessible
uri:
url: "{{ registry_healthcheck_url }}"
user: "{{ registry_username }}"
password: "{{ registry_password }}"
status_code: 200
timeout: 5
validate_certs: "{{ registry_healthcheck_validate_certs | bool }}"
register: registry_check
ignore_errors: yes
changed_when: false
no_log: true
when:
- not ansible_check_mode
- registry_healthcheck_enabled | bool
- name: Display Registry status
debug:
msg: "Registry accessibility: {{ 'SUCCESS' if registry_check.status == 200 else 'FAILED - may need manual check' }}"
when:
- not ansible_check_mode
- registry_healthcheck_enabled | bool
- name: Record registry deployment facts
set_fact:
registry_stack_changed: "{{ registry_compose_result.changed | default(false) }}"
registry_access_status: "{{ registry_check.status | default('disabled' if not registry_healthcheck_enabled else 'unknown') }}"
Reference in New Issue View Git Blame Copy Permalink