Commit ed8ad827 authored by Chris Croome's avatar Chris Croome

filesystem layout changes and typo fixed

parent 2ffa1f45
Pipeline #3471 failed with stages
in 6 minutes and 43 seconds
......@@ -2,7 +2,7 @@ stages:
- build
- test
# - deploy
#
before_script:
- apt-get update
- apt-get -y install apt-transport-https
......@@ -12,9 +12,7 @@ before_script:
- apt-get update
- apt-get -y dist-upgrade
- apt-get -y install ansible
- mkdir /root/.gnupg && chmod 700 /root/.gnupg
- echo "${GPG_PRIVATE_KEY}" > /dev/shm/sec.gpg && chmod 600 /dev/shm/sec.gpg
- echo "${GPG_PUBLIC_KEY}" > /dev/shm/pub.gpg
build:
stage: build
......@@ -25,4 +23,11 @@ test:
stage: test
script:
- ansible-playbook --extra-vars "hostname=localhost" -i "localhost," -c local test.yml -v
#deploy: rsync the repo to the hosting server
#deploy:
# stage: deploy
# script:
# - ansible-playbook --extra-vars "hostname=localhost" -i "localhost," -c local deploy.yml -v
#
#
#
# Debian Stretch PHP
This repo contains GitLab CI to install Ansible and copy a GPG secret file to the Docker container and then run three Ansible playbooks, `build.yml`, `test.yml` and `deploy.yml`.
The build playbook download source debs for PHP, set the file descriptors limit to a higher value and then rebuilds and signs them and create a apt repo layout.
The test playbook then installs the debs that have benn built to thest that they can be installed without errors.
The deploy playbook
# PHP File Descriptors Limit
This is the issue we hit on shared web servers with 50+ clients when trying to send email with InvoicePlane:
......@@ -18,6 +28,19 @@ Filename: src/SMTP.php
Line Number: 1124
```
# Environment variables
The following environmental variables are set in GitLab CI / CD Settings for this project:
* GPG_PRIVATE_KEY
* SSH_PRIVATE_KEY
It would be more secure to use Ansible Vault or something…
The corresponding GPG public key is in `roles/build/files/pub.gpg` and the GPG key id is a variable in `vars/main.yml`.
The corresponding SSH public key is installed on the host that the repo is rsync'ed to.
# GPG keypair
After several attempts to use a key pair with a passphrase a pair without one was generated:
......@@ -81,15 +104,6 @@ gpg --export --armor EB612F9FE81381F8F3E58874495739F6CAA6F12D > pub.gpg
gpg --export-secret-keys --armor EB612F9FE81381F8F3E58874495739F6CAA6F12D > sec.gpg
```
# Environment variables
The following are set in GitLab CI / CD Settings for this project:
* GPG_PRIVATE_KEY
* GPG_PUBLIC_KEY
* GPG_KEY_ID
It would be more secure to use Ansible Vault or something…
## References
......
---
- name: Build
hosts: "{{ hostname }}"
vars:
php_sockets: 4096
php_distro: stretch
php_repo_domain: deb.webarch.net
php_release_name: Webarchitects Co-operative Debian Packages
php_release_email: deb@webarch.net
roles:
- build
---
- name: Deploy
hosts: "{{ hostname }}"
roles:
- deploy
-----BEGIN PGP PUBLIC KEY BLOCK-----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=aMxt
-----END PGP PUBLIC KEY BLOCK-----
......@@ -17,66 +17,78 @@
state: latest
update_cache: no
- name: Import the GPG public key
command: gpg --batch --yes --import /dev/shm/pub.gpg
- name: Create a build directory
file:
path: /build
state: directory
mode: 0755
- name: Import the GPG private key
command: gpg --batch --yes --import /dev/shm/sec.gpg
- name: Create a source directory
file:
path: /build/src
state: directory
mode: 0755
- name: Create repo directory for apt repository
- name: Create a repo directory for the apt repository
file:
path: /builds/webarch/php/repo
path: /build/repo
state: directory
- name: Create conf directory in the repo
- name: Create a conf directory in the repo
file:
path: /builds/webarch/php/repo/conf
path: /builds/repo/conf
state: directory
- name: Generate a distributions files from the template
template:
src: templates/distributions.j2
dest: /builds/webarch/php/repo/conf/distributions
dest: /build/repo/conf/distributions
- name: Generate .htaccess file
template:
src: templates/htaccess.j2
dest: /builds/webarch/php/repo/.htaccess
dest: /build/repo/.htaccess
- name: Create build directory
file:
path: /tmp/build
state: directory
mode: 0755
- name: GPG public key in the apt repo root
copy:
src: files/gpg.pub
dest: /build/repo/pub.gpg
- name: GPG public key imported
command: gpg --batch --yes --import /build/repo/pub.gpg
# GitLab CI writes the GPG_PRIVATE_KEY env var contents to /dev/shm/sec.gpg
- name: GPG private key imported
command: gpg --batch --yes --import /dev/shm/sec.gpg
- name: Install source package
command: apt-get -y source php7.0
command: "apt-get -y source php{{ php_version }}"
args:
chdir: /tmp/build
chdir: /build/src
warn: False
- name: Install all build-dependencies
command: apt-get -y build-dep php7.0
command: "apt-get -y build-dep php{{ php_version }}"
args:
chdir: /tmp/build
chdir: /build/src
warn: False
- name: Get the source directory name
shell: find . -maxdepth 1 -type d | tail -1 | sed "s/^\.\///"
args:
chdir: /tmp/build
chdir: /build/src
register: php_dir
- name: "Add --enable-fd-setsize={{ php_sockets }} to debian/rules"
lineinfile:
dest: "/tmp/build/{{ php_dir.stdout }}/debian/rules"
dest: "/build/src/{{ php_dir.stdout }}/debian/rules"
line: ' --enable-fd-setsize={{ php_sockets }} \'
insertafter: '^COMMON_CONFIG'
- name: Identify supplier of the updated packages
shell: dch -n 'PHP max number of sockets set to {{ php_sockets }}'
args:
chdir: "/tmp/build/{{ php_dir.stdout }}"
chdir: "/build/src/{{ php_dir.stdout }}"
environment:
DEBFULLNAME: "{{ php_release_name }}"
DEBEMAIL: "{{ php_release_email }}"
......@@ -84,7 +96,7 @@
- name: "Set repo to {{ php_distro }}"
command: sed -ie 's/UNRELEASED/{{ php_distro }}/' debian/changelog
args:
chdir: "/tmp/build/{{ php_dir.stdout }}"
chdir: "/build/src/{{ php_dir.stdout }}"
warn: no
- name: Create debs directory for artifacts
......@@ -95,23 +107,23 @@
- name: Rebuild the packages
shell: dpkg-buildpackage -us -uc > /builds/webarch/php/debs/dpkg-buildpackage.log
args:
chdir: "/tmp/build/{{ php_dir.stdout }}"
chdir: "/build/src/{{ php_dir.stdout }}"
- name: Loop through the .deb files signing them
command: "dpkg-sig --sign builder {{ item }}"
args:
chdir: "/tmp/build/"
chdir: "/build/src/"
with_fileglob:
- "/tmp/build/*.deb"
- "/build/src/*.deb"
#- name: rsync the debs to the artifacts directory
# command: rsync -aq /tmp/build/*.deb /builds/webarch/php/debs/
# args:
# warn: no
- name: rsync the debs to the artifacts directory
command: rsync -aq /build/src/*.deb /builds/webarch/php/debs/
args:
warn: no
- name: Add the debs to the repo
command: "reprepro -Vb . includedeb {{ php_distro }} {{ item }}"
args:
chdir: /builds/webarch/php/repo/conf
chdir: /build/repo
with_fileglob:
- "/tmp/build/*.deb"
- "/build/src/*.deb"
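Review bot: The conf directory task appears to create `/builds/repo/conf`, while every other new path in this section uses `/build/repo`, so the distributions template would target `/build/repo/conf/`, a directory no visible task creates, and would likely fail; the task should read `path: /build/repo/conf`. The copy task also uses `src: files/gpg.pub`, whereas the README in this commit names the file `roles/build/files/pub.gpg`, so one of the two names is presumably wrong. The signing key is imported from `/dev/shm/sec.gpg` and nothing visible removes that file afterwards; a follow-up `file` task with `path: /dev/shm/sec.gpg` and `state: absent` would keep the secret from outliving the import. Old and new lines are printed together here without markers, so this reading assumes the second line of each pair is the new side.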
---
- name: Import the GPG key
apt_key:
id: "{{ php_gpg_id }}"
file: /build/repo/pub/gpg
state: present
- name: Add local repo to sources
shell: echo 'deb file:/builds/webarch/php/repo ./' > /etc/apt/sources.list.d/local.list
shell: echo 'deb file:/build/repo ./' > /etc/apt/sources.list.d/local.list
- name: Install PHP
- name: Install Apache and PHP
apt:
pkg:
- php7.0
- apache2
- "php{{ php_version }}"
- "php{{ php_version }}-bcmath"
- "php{{ php_version }}-curl"
- "php{{ php_version }}-gd"
- "php{{ php_version }}-geoip"
- "php{{ php_version }}-imagick"
- "php{{ php_version }}-imap"
- "php{{ php_version }}-intl"
- "php{{ php_version }}-mcrypt"
- "php{{ php_version }}-mysqli"
- "php{{ php_version }}-sqlite3"
- "php{{ php_version }}-uploadprogress"
- "php{{ php_version }}-xmlrpc"
state: latest
update_cache: yes
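Review bot: The `apt_key` task points at `file: /build/repo/pub/gpg`, but the build role in this commit copies the public key to `/build/repo/pub.gpg`, so the import would not find the file. The line should read `file: /build/repo/pub.gpg`. Keeping the `id: "{{ php_gpg_id }}"` pin is worthwhile, since it ties the imported key to the expected fingerprint rather than to whatever file is at that path.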
---
- name: Test
hosts: "{{ hostname }}"
roles:
- test
---
vars:
php_sockets: 4096
php_distro: stretch
php_repo_domain: deb.webarch.net
php_release_name: Webarchitects Co-operative Debian Packages
php_release_email: deb@webarch.net
php_gpg_id: EB612F9FE81381F8F3E58874495739F6CAA6F12D
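Review bot: `php_version` is used by the new build and test tasks (`apt-get -y source php{{ php_version }}` and the `php{{ php_version }}-*` package list) but is not among the variables listed here, so unless it is defined somewhere outside this page those tasks would stop on an undefined variable. Adding a quoted entry such as `php_version: "7.0"` next to `php_distro` would match the `php7.0` value the tasks used before. Quoting keeps YAML from reading the value as a float.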