rick-infra/roles/devigo/tasks/setup_oauth_service.yml
Joakim 1350d10a7c Add devigo deployment role for mini-vps production environment
- Created comprehensive devigo Ansible role with Podman Quadlet support
- Deployed devigo-site container (Hugo + nginx) via systemd
- Deployed devigo-decap-oauth OAuth2 proxy for Decap CMS
- Integrated with Caddy reverse proxy for HTTPS

Services deployed:
- devigo.no (apex domain, primary)
- www.devigo.no (redirects to apex)
- decap.jnss.me (OAuth proxy)

Key features:
- REGISTRY_AUTH_FILE environment for Podman GHCR authentication
- TRUSTED_ORIGINS (plural) for decapcms-oauth2 multi-origin support
- JavaScript-based Decap CMS initialization (eliminates YAML MIME dependency)
- nginx location block for YAML MIME type (text/yaml)
- Automated deployment via GitHub Actions CI/CD
- Comprehensive documentation with troubleshooting guide
- Architecture decision records

Fixes applied during deployment:
- OAuth origin trust validation (TRUSTED_ORIGINS vs TRUSTED_ORIGIN)
- MIME type handling strategy (location-specific vs server-level types block)
- Decap CMS initialization method (JavaScript vs link tag)
- Podman authentication for systemd services (REGISTRY_AUTH_FILE)

Testing status:
- MIME types verified (HTML, CSS, YAML all correct)
- OAuth authentication working
- Container image pulls from private GHCR
- Automated deployments functional
- Site fully operational at devigo.no
2025-12-16 00:53:33 +01:00


---
# Set up Decap OAuth service
# Dedicated unprivileged system account for the OAuth proxy; no login shell.
- name: Create decap-oauth user
  user:
    name: "{{ devigo_oauth_user }}"
    system: yes
    shell: /usr/sbin/nologin
    home: "{{ devigo_oauth_home }}"
    create_home: yes

- name: Create decap-oauth directories
  file:
    path: "{{ devigo_oauth_home }}"
    state: directory
    owner: "{{ devigo_oauth_user }}"
    group: "{{ devigo_oauth_user }}"
    mode: '0755'

# The environment file carries the proxy's OAuth client credentials and
# TRUSTED_ORIGINS, so it is readable by the service user only (0600).
- name: Deploy OAuth environment file
  template:
    src: devigo-decap-oauth.env.j2
    dest: "{{ devigo_oauth_home }}/decap-oauth.env"
    owner: "{{ devigo_oauth_user }}"
    group: "{{ devigo_oauth_user }}"
    mode: '0600'
  notify: restart devigo-decap-oauth

# Podman Quadlet unit: systemd generates the container service from this file.
- name: Deploy Quadlet container file
  template:
    src: devigo-decap-oauth.container
    dest: "/etc/containers/systemd/{{ devigo_oauth_container_name }}.container"
    owner: root
    group: root
    mode: '0644'
  notify:
    - reload systemd
    - restart devigo-decap-oauth

- name: Deploy OAuth Caddy configuration
  template:
    src: devigo-decap-oauth.caddy.j2
    dest: "{{ caddy_sites_enabled_dir }}/devigo-decap-oauth.caddy"
    owner: root
    group: "{{ caddy_user }}"
    mode: '0644'
  notify: reload caddy

# daemon_reload picks up the freshly generated Quadlet unit before starting it.
- name: Enable and start decap-oauth service
  systemd:
    name: "{{ devigo_oauth_container_name }}"
    enabled: yes
    state: started
    daemon_reload: yes
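A pre-flight check for the environment file the task above installs, added here as an example and not part of the rick-infra repository: it verifies the 0600 mode the task sets and the TRUSTED_ORIGINS (plural) key the commit message names as the origin-trust fix, and rejects entries that can never match a browser Origin header (non-https, or with a path). The file path and origin values in the check are constructed for the demonstration.

```shell
#!/bin/sh
# check_oauth_env FILE
# Returns 0 when FILE is safe to hand to the decap-oauth service, 1 otherwise.
# Assumes a systemd-style EnvironmentFile (KEY=value, optional double quotes).
check_oauth_env() {
    f="$1"
    [ -f "$f" ] || { echo "missing env file: $f"; return 1; }

    # Credentials live here: the file must be readable by its owner only.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ] || { echo "mode $mode on $f, want 600"; return 1; }

    # The singular key was the misconfiguration fixed in this deployment.
    if grep -q '^TRUSTED_ORIGIN=' "$f"; then
        echo "TRUSTED_ORIGIN (singular) set; use TRUSTED_ORIGINS"; return 1
    fi
    grep -q '^TRUSTED_ORIGINS=.' "$f" || { echo "TRUSTED_ORIGINS not set"; return 1; }

    # Split the comma-separated list, dropping optional surrounding quotes.
    origins=$(sed -n 's/^TRUSTED_ORIGINS=//p' "$f" | tr -d '"' | tr ',' '\n')
    for o in $origins; do
        case "$o" in
            # An Origin header is scheme://host[:port] with no path, so an
            # entry carrying a path (or a trailing slash) never matches.
            https://*/*) echo "origin has a path, cannot match: $o"; return 1 ;;
            https://*)   ;;
            *)           echo "origin must be https: $o"; return 1 ;;
        esac
    done
    return 0
}

# Usage: check_oauth_env /path/to/decap-oauth.env
[ "$#" -eq 0 ] || check_oauth_env "$1"
```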