Add simple stack development environment

ansible/Dockerfile

@@ -1,14 +1,5 @@
 FROM ubuntu:25.04
 
-ARG SIMPLE_STACK_UI_URL
-ENV SIMPLE_STACK_UI_URL=$SIMPLE_STACK_UI_URL
-
-ARG SIMPLE_STACK_UI_USER
-ENV SIMPLE_STACK_UI_USER=$SIMPLE_STACK_UI_USER
-
-ARG SIMPLE_STACK_UI_PASSWORD
-ENV SIMPLE_STACK_UI_PASSWORD=$SIMPLE_STACK_UI_PASSWORD
-
 ARG JAVA_VERSION=21
 
 RUN apt-get update && apt-get install --no-install-recommends -y \

ansible/ansible.cfg

@@ -4,7 +4,7 @@ collections_path = ./collections
 deprecation_warnings = False
 host_key_checking = False
 interpreter_python = auto_silent
-inventory = inventory.yml,inventory.py
+inventory = inventory.py
 library = ./library
 action_plugins = ./plugins/action
 lookup_plugins = ./plugins/lookup
@@ -15,11 +15,11 @@ warn = false
 fact_caching = jsonfile
 fact_caching_connection = tmp/facts
 
-# callback_plugins = ./plugins/callback
-# callbacks_enabled = http_callback
-
 [ssh_connection]
 retries = 5
+scp_if_ssh = True
+ssh_args = -F ssh/config
+pipelining = True
 
 [url_lookup]
 timeout = 20.0

ansible/playbooks/paas/roles/ansible-ufw/tasks/config.yml

@@ -18,7 +18,6 @@
     to_ip: "{{ item.to_ip | default(omit) }}"
     to_port: "{{ item.to_port | default(omit) }}"
   with_items: "{{ ufw_rules }}"
-  no_log: true
 
 - name: Config port/protocol/network custom rules
   community.general.ufw:
@@ -39,7 +38,6 @@
     to_ip: "{{ item.to_ip | default(omit) }}"
     to_port: "{{ item.to_port | default(omit) }}"
   with_items: "{{ ufw_custom_rules }}"
-  no_log: true
 
 - name: Config application rules
   community.general.ufw:

ansible/playbooks/paas/roles/coredns/templates/Corefile.j2

@@ -4,7 +4,7 @@ service.nomad.:1053 {
     #debug
     #log
     nomad {
-        address https://{{ hostvars[nomad_primary_master_node | default(inventory_hostname)]['ansible_ens3']['ipv4']['address'] }}:4646
+        address https://{{ hostvars[nomad_primary_master_node | default(inventory_hostname)]['ansible_' + nomad_iface].ipv4.address | default('127.0.0.1') }}:4646
         token {{ lookup('simple-stack-ui', type='secret', key=nomad_primary_master_node | default(inventory_hostname), subkey='nomad_management_token', missing='error') }}
         ttl 10
     }

ansible/playbooks/saas/roles/code_server/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+timezone: Europe/Paris
+password: changeme
+sudo_password: changeme

ansible/playbooks/saas/roles/code_server/tasks/backup.yml

@@ -0,0 +1 @@
+---

ansible/playbooks/saas/roles/code_server/tasks/build.yml

@@ -0,0 +1,14 @@
+---
+- name: Include upstream variables
+  ansible.builtin.include_vars: upstream.yml
+
+- name: Set custom variables
+  ansible.builtin.set_fact:
+    image_version: "{{ latest_version }}"
+    image_name: "{{ image.name }}"
+    image_labels: "{{ image.labels }}"
+    image_build: "{{ image.build }}"
+
+- name: End playbook if no new version
+  ansible.builtin.meta: end_host
+  when: softwares[image.name] is defined and softwares[image.name] == image_version

ansible/playbooks/saas/roles/code_server/tasks/main.yml

@@ -0,0 +1,33 @@
+---
+- name: Create default directories
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: 1000
+    group: 1000
+    mode: '0755'
+  loop:
+    - "{{ software_path }}/config/workspace"
+    - "{{ software_path }}/home/coder/.config/code-server"
+    - "{{ software_path }}/home/coder/.cache"
+    - "{{ software_path }}/home/coder/.config"
+    - "{{ software_path }}/home/coder/.local"
+    - "{{ software_path }}/home/coder/.ssh"
+    - "{{ software_path }}/projects"
+
+- debug:
+    msg: "{{ size}}" 
+
+- name: Copy nomad job
+  ansible.builtin.template:
+    src: nomad.hcl
+    dest: "/var/tmp/{{ domain }}.nomad"
+    owner: root
+    group: root
+    mode: '0600'
+
+- name: Run nomad job
+  ansible.builtin.include_role:
+    name: nomad
+    tasks_from: job_run.yml
+

ansible/playbooks/saas/roles/code_server/tasks/restore.yml

@@ -0,0 +1 @@
+---

ansible/playbooks/saas/roles/code_server/templates/nomad.hcl

@@ -0,0 +1,92 @@
+job "{{ domain }}" {
+  region = "{{ fact_instance.region }}"
+  datacenters = ["{{ fact_instance.datacenter }}"]
+  type = "service"
+
+{% if software.constraints is defined and software.constraints.location is defined %}
+  constraint {
+    attribute    = "${meta.location}"
+    set_contains = "{{ software.constraints.location }}"
+  }
+{% endif %}
+
+{% if software.constraints is defined and software.constraints.instance is defined %}
+  constraint {
+    attribute    = "${meta.instance}"
+    set_contains = "{{ software.constraints.instance }}"
+  }
+{% endif %}
+
+  group "{{ domain }}" {
+    count = {{ software.scale | default(1) }}
+
+    network {
+      port "code_server" {
+        to = "8080"
+      }
+      port "http_dev" {
+        to = 8000
+      }
+    }
+
+    service {
+      name = "{{ service_name }}"
+      port = "code_server"
+      provider = "nomad"
+      tags = [
+        {{ lookup('ansible.builtin.template', '../../traefik/templates/traefik_tag.j2') | indent(8) }}
+      ]
+      check {
+        type     = "http"
+        path     = "/"
+        interval = "10s"
+        timeout  = "2s"
+      }
+    }
+
+    service {
+      name = "{{ service_name }}-dev"
+      port = "http_dev"
+      provider = "nomad"
+      tags = [
+        {{ lookup('ansible.builtin.template', 'templates/traefik_tag.j2', template_vars={'prefix': 'dev'}) | indent(8) }}
+      ]
+    }
+
+    task "{{ software.domain }}-codeserver" {
+
+      driver = "docker"
+
+      env {
+        PUID = "1000"
+        PGID = "1000"
+        TZ = "{{ software.timezone | default(timezone) }}"
+        DOCKER_USER = "ubuntu"
+        PASSWORD= "{{ lookup('simple-stack-ui', type='secret', key=domain, subkey='password', missing='error') }}"
+        SUDO_PASSWORD = "{{ lookup('simple-stack-ui', type='secret', key=domain, subkey='password', missing='error') }}"
+      }
+
+      config {
+        image = "codercom/code-server:{{ softwares.code_server.version }}-ubuntu"
+
+        volumes = [
+          "/usr/bin/docker:/usr/bin/docker",
+          "/var/run/docker.sock:/var/run/docker.sock",
+          "/usr/local/bin/terraform:/usr/local/bin/terraform",
+          "{{ software_path }}/config/workspace:/config/workspace",
+          "{{ software_path }}/home/coder/.cache:/home/coder/.cache",
+          "{{ software_path }}/home/coder/.config:/home/coder/.config",
+          "{{ software_path }}/home/coder/.cache:/home/coder/.local",
+          "{{ software_path }}/home/coder/.ssh:/home/coder/.ssh",
+          "{{ software_path }}/projects:/home/coder/projects",
+        ]
+        ports = ["code_server", "http_dev"]
+      }
+
+      resources {
+        cpu    = {{ size[software.size2 | default(software.size)].cpu }}
+        memory = {{ size[software.size2 | default(software.size)].memory }}
+      }
+    }
+  }
+}

ansible/playbooks/saas/roles/code_server/templates/traefik_tag.j2

@@ -0,0 +1,38 @@
+{% if software.exposition is defined and software.exposition in ["public", "public-unmanaged"] %}
+"fqdn=https://{{ prefix }}.{{ domain }}",
+"traefik.enable=true",
+"traefik.http.routers.{{ prefix }}-{{ service_name }}.tls=true",
+"traefik.http.routers.{{ prefix }}-{{ service_name }}.tls.certresolver=myresolver",
+"traefik.http.routers.{{ prefix }}-{{ service_name }}.tls.options=mintls12@file",
+"traefik.http.routers.{{ prefix }}-{{ service_name }}.entrypoints=https",
+"traefik.http.routers.{{ prefix }}-{{ service_name }}.rule=Host(`{{ prefix }}.{{ domain }}`)",
+"traefik.http.middlewares.{{ prefix }}-{{ service_name }}.redirectscheme.scheme=https",
+"traefik.http.middlewares.{{ prefix }}-{{ service_name }}.redirectscheme.permanent=true",
+"traefik.http.middlewares.{{ prefix }}-{{ service_name }}-headers.headers.customResponseHeaders.Strict-Transport-Security=max-age=63072000",
+{% if software.traefik_x_robots_tag is defined %}
+"traefik.http.middlewares.{{ prefix }}-{{ service_name }}-headers.headers.customResponseHeaders.X-Robots-Tag={{ software.traefik_x_robots_tag }}",
+{% endif %}
+"traefik.http.middlewares.{{ prefix }}-{{ service_name }}-headers.headers.frameDeny=true",
+"traefik.http.middlewares.{{ prefix }}-{{ service_name }}-headers.headers.browserXssFilter=true",
+"traefik.http.middlewares.{{ prefix }}-{{ service_name }}-headers.headers.contentTypeNosniff=true",
+"traefik.http.middlewares.{{ prefix }}-{{ service_name }}-headers.headers.stsIncludeSubdomains=true",
+"traefik.http.middlewares.{{ prefix }}-{{ service_name }}-headers.headers.stsPreload=true",
+"traefik.http.middlewares.{{ prefix }}-{{ service_name }}-headers.headers.stsSeconds=31536000",
+"traefik.http.middlewares.{{ prefix }}-{{ service_name }}-headers.headers.forceSTSHeader=true",
+"traefik.http.middlewares.{{ prefix }}-{{ service_name }}-headers.headers.accessControlMaxAge=15552000",
+"traefik.http.middlewares.{{ prefix }}-{{ service_name }}-headers.headers.customFrameOptionsValue=SAMEORIGIN",
+"traefik.http.middlewares.{{ prefix }}-{{ service_name }}-headers.headers.accesscontrolalloworiginlist=*",
+{% if software.ipfilter is defined %}
+"traefik.http.middlewares.{{ prefix }}-{{ service_name }}-whistelist.IPAllowList.sourcerange={{ software.ipfilter | join(',') }}",
+{% endif %}
+{% if software.basic_auth is defined %}
+"traefik.http.middlewares.{{ prefix }}-{{ service_name }}-basicauth.basicauth.users={{ software.basic_auth }}",
+{% endif %}
+{% if (software.ipfilter is defined and software.basic_auth is defined) %}
+"traefik.http.routers.{{ prefix }}-{{ service_name }}.middlewares={{ prefix }}-{{ service_name }}-whistelist@nomad,{{ service_name }}-basicauth@nomad",
+{% elif (software.ipfilter is defined) and software.basic_auth is not defined %}
+"traefik.http.routers.{{ prefix }}-{{ service_name }}.middlewares={{ prefix }}-{{ service_name }}-whistelist@nomad",
+{% elif (software.ipfilter is not defined and software.basic_auth is defined) %}
+"traefik.http.routers.{{ prefix }}-{{ service_name }}.middlewares={{ prefix }}-{{ service_name }}-basicauth@nomad"
+{% endif %}
+{% endif %}

ansible/playbooks/saas/roles/code_server/vars/main.yml

@@ -0,0 +1,15 @@
+---
+image:
+  build: false
+  upstream:
+    source: github
+    user: codercom
+    repo: code-server
+    type: release
+    format: tar.gz
+    file: code-server_VERSION_ARCH.FORMAT
+    os: linux
+  labels: {}
+  name: code_server
+
+traefik_x_robots_tag: noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex

ansible/playbooks/saas/roles/code_server/vars/upstream.yml

@@ -0,0 +1,2 @@
+---
+latest_version: "{{ (lookup('url', 'https://api.github.com/repos/{{ image.upstream.user }}/{{ image.upstream.repo }}/releases/latest', headers={'Accept': 'application/vnd.github+json', 'Authorization': 'Bearer ' + lookup('ansible.builtin.env', 'GITHUB_API_TOKEN')}) | from_json).get('tag_name') | replace('v', '') }}"

ansible/playbooks/saas/roles/simplestack_ansible/tasks/backup.yml

@@ -0,0 +1 @@
+---

ansible/playbooks/saas/roles/simplestack_ansible/tasks/build.yml

@@ -0,0 +1,14 @@
+---
+- name: Include upstream variables
+  ansible.builtin.include_vars: upstream.yml
+
+- name: Set custom variables
+  ansible.builtin.set_fact:
+    image_version: "{{ latest_version }}"
+    image_name: "{{ image.name }}"
+    image_labels: "{{ image.labels }}"
+    image_build: "{{ image.build }}"
+
+- name: End playbook if no new version
+  ansible.builtin.meta: end_host
+  when: softwares[image.name] is defined and softwares[image.name] == image_version

ansible/playbooks/saas/roles/simplestack_ansible/tasks/destroy.yml

@@ -0,0 +1,10 @@
+---
+- name: Stop nomad job
+  ansible.builtin.include_role:
+    name: nomad
+    tasks_from: job_stop.yml
+
+- name: Remove software directory
+  ansible.builtin.file:
+    path: "{{ software_path }}"
+    state: absent

ansible/playbooks/saas/roles/simplestack_ansible/tasks/main.yml

@@ -0,0 +1,15 @@
+---
+- name: Copy nomad job to destination
+  ansible.builtin.template:
+    src: nomad.hcl
+    dest: "/var/tmp/{{ domain }}.nomad"
+    owner: root
+    group: root
+    mode: '0600'
+  become: true
+
+- name: Run nomad job
+  ansible.builtin.include_role:
+    name: nomad
+    tasks_from: job_run.yml
+

ansible/playbooks/saas/roles/simplestack_ansible/tasks/restore.yml

@@ -0,0 +1 @@
+---

ansible/playbooks/saas/roles/simplestack_ansible/templates/nomad.hcl

@@ -0,0 +1,61 @@
+job "{{ domain }}" {
+  region = "{{ fact_instance.region }}"
+  datacenters = ["{{ fact_instance.datacenter }}"]
+  type = "service"
+
+{% if software.constraints is defined and software.constraints.location is defined %}
+  constraint {
+    attribute    = "${meta.location}"
+    set_contains = "{{ software.constraints.location }}"
+  }
+{% endif %}
+
+{% if software.constraints is defined and software.constraints.instance is defined %}
+  constraint {
+    attribute    = "${meta.instance}"
+    set_contains = "{{ software.constraints.instance }}"
+  }
+{% endif %}
+
+  group "{{ domain }}" {
+    count = {{ software.scale | default(1) }}
+
+    network {
+      port "http" {
+        to = 5001
+      }
+    }
+
+    service {
+      name = "{{ service_name }}"
+      port = "http"
+      provider = "nomad"
+      tags = [
+        {{ lookup('template', '../../traefik/templates/traefik_tag.j2') | indent(8) }}
+      ]
+    }
+
+    task "{{ domain }}-http" {
+      driver = "docker"
+
+      env {
+        SIMPLE_STACK_UI_USER = "{{ lookup('simple-stack-ui', type='secret', key=domain, subkey='user', missing='error') }}"
+        SIMPLE_STACK_UI_PASSWORD = "{{ lookup('simple-stack-ui', type='secret', key=domain, subkey='password', missing='error') }}"
+        SIMPLE_STACK_UI_URL = "{{ lookup('simple-stack-ui', type='secret', key=domain, subkey='url', missing='error') }}"
+      }
+
+      config {
+        image = "ghcr.io/wiseflat/simple-stack-ansible:v{{ softwares.simplestack_ui.version }}"
+        ports = ["http"]
+        work_dir = "/ansible"
+        command = "ansible-rulebook"
+        args =  ["-r", "rulebook.yml", "-i", "inventory.py", "-vvv"]
+      }
+
+      resources {
+        cpu    = {{ size[software.size].cpu }}
+        memory = {{ size[software.size].memory }}
+      }
+    }
+  }
+}

ansible/playbooks/saas/roles/simplestack_ansible/vars/main.yml

@@ -0,0 +1,12 @@
+---
+image:
+  build: false
+  upstream:
+    source: github
+    user: wiseflat
+    repo: simple-stack
+    file: vVERSION
+  labels: {}
+  name: simplestack_ansible
+
+traefik_x_robots_tag: noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex