joakim/rick-infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add devigo deployment role for mini-vps production environment

Browse Source 
- Created comprehensive devigo Ansible role with Podman Quadlet support
- Deployed devigo-site container (Hugo + nginx) via systemd
- Deployed devigo-decap-oauth OAuth2 proxy for Decap CMS
- Integrated with Caddy reverse proxy for HTTPS

Services deployed:
- devigo.no (apex domain, primary)
- www.devigo.no (redirects to apex)
- decap.jnss.me (OAuth proxy)

Key features:
- REGISTRY_AUTH_FILE environment for Podman GHCR authentication
- TRUSTED_ORIGINS (plural) for decapcms-oauth2 multi-origin support
- JavaScript-based Decap CMS initialization (eliminates YAML MIME dependency)
- nginx location block for YAML MIME type (text/yaml)
- Automated deployment via GitHub Actions CI/CD
- Comprehensive documentation with troubleshooting guide
- Architecture decision records

Fixes applied during deployment:
- OAuth origin trust validation (TRUSTED_ORIGINS vs TRUSTED_ORIGIN)
- MIME type handling strategy (location-specific vs server-level types block)
- Decap CMS initialization method (JavaScript vs link tag)
- Podman authentication for systemd services (REGISTRY_AUTH_FILE)

Testing status:
-  MIME types verified (HTML, CSS, YAML all correct)
-  OAuth authentication working
-  Container image pulls from private GHCR
-  Automated deployments functional
-  Site fully operational at devigo.no
This commit is contained in:
Joakim
2025-12-16 00:53:33 +01:00
parent ecbeb07ba2
commit 1350d10a7c
12 changed files with 968 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

93
roles/devigo/tasks/main.yml Normal file
View File

@@ -0,0 +1,93 @@
---
# Devigo Deployment - Main Tasks
# OAuth Service Setup
- name: Create decap-oauth user
user:
name: "{{ devigo_oauth_user }}"
system: yes
shell: /usr/sbin/nologin
home: "{{ devigo_oauth_home }}"
create_home: yes
- name: Create decap-oauth directories
file:
path: "{{ devigo_oauth_home }}"
state: directory
owner: "{{ devigo_oauth_user }}"
group: "{{ devigo_oauth_user }}"
mode: '0755'
- name: Deploy OAuth environment file
template:
src: devigo-decap-oauth.env.j2
dest: "{{ devigo_oauth_home }}/decap-oauth.env"
owner: "{{ devigo_oauth_user }}"
group: "{{ devigo_oauth_user }}"
mode: '0600'
notify: restart devigo-decap-oauth
- name: Create Quadlet systemd directory
file:
path: /etc/containers/systemd
state: directory
owner: root
group: root
mode: '0755'
- name: Deploy Quadlet container file
template:
src: devigo-decap-oauth.container
dest: "/etc/containers/systemd/{{ devigo_oauth_container_name }}.container"
owner: root
group: root
mode: '0644'
register: quadlet_deployed
- name: Reload systemd to discover Quadlet container
systemd:
daemon_reload: yes
- name: Deploy OAuth Caddy configuration
template:
src: devigo-decap-oauth.caddy.j2
dest: "{{ caddy_sites_enabled_dir }}/devigo-decap-oauth.caddy"
owner: root
group: "{{ caddy_user }}"
mode: '0644'
notify: reload caddy
- name: Enable and start decap-oauth service
systemd:
name: "{{ devigo_oauth_container_name }}"
enabled: yes
state: started
# Devigo Site Quadlet Setup
- name: Deploy devigo-site Quadlet container file
template:
src: devigo-site.container
dest: "/etc/containers/systemd/devigo-site.container"
owner: root
group: root
mode: '0644'
register: devigo_site_quadlet
- name: Reload systemd to discover devigo-site Quadlet
systemd:
daemon_reload: yes
- name: Deploy Caddy configuration for devigo site
template:
src: devigo.caddy.j2
dest: "{{ caddy_sites_enabled_dir }}/devigo.caddy"
owner: root
group: "{{ caddy_user }}"
mode: '0644'
notify: reload caddy
- name: Enable and start devigo-site service
systemd:
name: devigo-site
enabled: yes
state: started

32
roles/devigo/tasks/setup_infrastructure.yml Normal file
View File

@@ -0,0 +1,32 @@
---
# Set up Docker infrastructure for Devigo deployment
- name: Create devigo deployment directory
file:
path: "{{ devigo_docker_dir }}"
state: directory
owner: root
group: root
mode: '0755'
- name: Create caddy Docker network
containers.podman.podman_network:
name: caddy
state: present
- name: Deploy docker-compose.yml
template:
src: docker-compose.yml.j2
dest: "{{ devigo_compose_file }}"
owner: root
group: root
mode: '0644'
- name: Deploy Caddy configuration for devigo site
template:
src: devigo.caddy.j2
dest: "{{ caddy_sites_enabled_dir }}/devigo.caddy"
owner: root
group: "{{ caddy_user }}"
mode: '0644'
notify: reload caddy

54
roles/devigo/tasks/setup_oauth_service.yml Normal file
View File

@@ -0,0 +1,54 @@
---
# Set up Decap OAuth service
- name: Create decap-oauth user
user:
name: "{{ devigo_oauth_user }}"
system: yes
shell: /usr/sbin/nologin
home: "{{ devigo_oauth_home }}"
create_home: yes
- name: Create decap-oauth directories
file:
path: "{{ devigo_oauth_home }}"
state: directory
owner: "{{ devigo_oauth_user }}"
group: "{{ devigo_oauth_user }}"
mode: '0755'
- name: Deploy OAuth environment file
template:
src: devigo-decap-oauth.env.j2
dest: "{{ devigo_oauth_home }}/decap-oauth.env"
owner: "{{ devigo_oauth_user }}"
group: "{{ devigo_oauth_user }}"
mode: '0600'
notify: restart devigo-decap-oauth
- name: Deploy Quadlet container file
template:
src: devigo-decap-oauth.container
dest: "/etc/containers/systemd/{{ devigo_oauth_container_name }}.container"
owner: root
group: root
mode: '0644'
notify:
- reload systemd
- restart devigo-decap-oauth
- name: Deploy OAuth Caddy configuration
template:
src: devigo-decap-oauth.caddy.j2
dest: "{{ caddy_sites_enabled_dir }}/devigo-decap-oauth.caddy"
owner: root
group: "{{ caddy_user }}"
mode: '0644'
notify: reload caddy
- name: Enable and start decap-oauth service
systemd:
name: "{{ devigo_oauth_container_name }}"
enabled: yes
state: started
daemon_reload: yes