Clean repository: organized structure and GitOps setup

- Organized root directory structure
- Moved orphan files to proper locations
- Updated .gitignore to ignore temporary files
- Set up Gitea Runner for GitOps automation
- Fixed Tailscale access issues
- Added workflow for automated Nomad deployment
2025-10-09 06:13:45 +00:00
commit 89ee6f7967
306 changed files with 30781 additions and 0 deletions


@@ -0,0 +1,136 @@
name: Ansible Deploy
on:
workflow_dispatch:
inputs:
environment:
description: '部署环境'
required: true
default: 'dev'
type: choice
options:
- dev
- staging
- production
provider:
description: '云服务商'
required: true
default: 'oracle-cloud'
type: choice
options:
- oracle-cloud
- huawei-cloud
- google-cloud
- digitalocean
- aws
playbook:
description: 'Playbook 类型'
required: true
default: 'bootstrap'
type: choice
options:
- bootstrap
- security
- applications
- monitoring
- maintenance
env:
ANSIBLE_VERSION: "8.0.0"
jobs:
deploy:
runs-on: ubuntu-latest
environment: ${{ github.event.inputs.environment }}
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Python
uses: actions/setup-python@v4
with:
python-version: '3.11'
- name: Install Ansible
run: |
pip install ansible==${{ env.ANSIBLE_VERSION }}
pip install ansible-core
ansible-galaxy collection install community.general
ansible-galaxy collection install ansible.posix
- name: Setup SSH key
run: |
mkdir -p ~/.ssh
echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_rsa
ssh-keyscan -H ${{ secrets.SSH_HOST }} >> ~/.ssh/known_hosts
- name: Create dynamic inventory
run: |
ENV="${{ github.event.inputs.environment }}"
PROVIDER="${{ github.event.inputs.provider }}"
# 从 OpenTofu 输出创建动态清单
if [ -f "configuration/inventories/$ENV/$PROVIDER-inventory.json" ]; then
echo "Using existing inventory from OpenTofu output"
cp configuration/inventories/$ENV/$PROVIDER-inventory.json /tmp/inventory.json
else
echo "Creating static inventory"
cat > /tmp/inventory.ini << EOF
[$ENV]
${{ secrets.TARGET_HOST }} ansible_host=${{ secrets.TARGET_HOST }} ansible_user=${{ secrets.SSH_USER }} ansible_become=yes ansible_become_pass=${{ secrets.SUDO_PASSWORD }}
[all:vars]
ansible_ssh_common_args='-o StrictHostKeyChecking=no'
EOF
fi
- name: Run Ansible Playbook
run: |
ENV="${{ github.event.inputs.environment }}"
PLAYBOOK="${{ github.event.inputs.playbook }}"
cd configuration
# 选择正确的清单文件
if [ -f "/tmp/inventory.json" ]; then
INVENTORY="/tmp/inventory.json"
else
INVENTORY="/tmp/inventory.ini"
fi
# 运行对应的 playbook
case "$PLAYBOOK" in
"bootstrap")
ansible-playbook -i $INVENTORY playbooks/bootstrap/main.yml -e "environment=$ENV"
;;
"security")
ansible-playbook -i $INVENTORY playbooks/security/main.yml -e "environment=$ENV"
;;
"applications")
ansible-playbook -i $INVENTORY playbooks/applications/main.yml -e "environment=$ENV"
;;
"monitoring")
ansible-playbook -i $INVENTORY playbooks/monitoring/main.yml -e "environment=$ENV"
;;
"maintenance")
ansible-playbook -i $INVENTORY playbooks/maintenance/main.yml -e "environment=$ENV"
;;
esac
- name: Generate deployment report
run: |
echo "## 部署报告" > deployment-report.md
echo "" >> deployment-report.md
echo "**环境**: ${{ github.event.inputs.environment }}" >> deployment-report.md
echo "**云服务商**: ${{ github.event.inputs.provider }}" >> deployment-report.md
echo "**Playbook**: ${{ github.event.inputs.playbook }}" >> deployment-report.md
echo "**时间**: $(date)" >> deployment-report.md
echo "**状态**: ✅ 部署成功" >> deployment-report.md
- name: Upload deployment report
uses: actions/upload-artifact@v4
with:
name: deployment-report-${{ github.event.inputs.environment }}-${{ github.event.inputs.provider }}
path: deployment-report.md
retention-days: 30
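Review bot: The static-inventory fallback sets `ansible_ssh_common_args='-o StrictHostKeyChecking=no'`, which discards the host-key pin that the 'Setup SSH key' step just wrote with `ssh-keyscan -H` into `~/.ssh/known_hosts`, so a redirected SSH session to the target is accepted without any error. Dropping that line keeps the keyscan pin effective; if `SSH_HOST` is not the same machine as `TARGET_HOST`, scan the target host instead. The same heredoc writes `SUDO_PASSWORD` in plaintext into `/tmp/inventory.ini` (and the `${{ }}` expansion also lands in the rendered script); passing it through the step's `env:` as `ANSIBLE_BECOME_PASS` and omitting `ansible_become_pass` from the inventory keeps it out of files on the runner. The five identical `case` branches can collapse to `ansible-playbook -i "$INVENTORY" "playbooks/$PLAYBOOK/main.yml" -e "environment=$ENV"` because `playbook` is a `choice` input, and `$INVENTORY` should be quoted; note that `environment` is a reserved variable name in Ansible and passing it with `-e` may produce a warning.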


@@ -0,0 +1,42 @@
name: Deploy Nomad Configurations
on:
push:
branches: [ main ]
paths:
- 'nomad-configs/**'
- 'deployment/ansible/**'
workflow_dispatch:
jobs:
deploy-nomad:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Deploy Nomad Server Configurations
run: |
echo "Deploying Nomad server configurations..."
cd nomad-configs
chmod +x scripts/deploy_servers.sh
./scripts/deploy_servers.sh
- name: Deploy Nomad Client Configurations
run: |
echo "Deploying Nomad client configurations..."
cd nomad-configs
chmod +x scripts/deploy.sh
./scripts/deploy.sh
- name: Run Ansible Playbooks
run: |
echo "Running Ansible playbooks..."
cd deployment/ansible
ansible-playbook -i inventories/production/inventory.ini playbooks/configure-nomad-unified.yml
- name: Verify Deployment
run: |
echo "Verifying Nomad cluster status..."
# Add verification steps here
echo "Deployment completed successfully!"
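Review bot: The 'Run Ansible Playbooks' step runs `ansible-playbook` against `inventories/production/inventory.ini` on every push to `main` with no Ansible install, SSH key or known_hosts setup, so it depends entirely on what the self-hosted runner already has on disk, and nothing gates production behind an `environment:` with required reviewers. The 'Verify Deployment' step is only `echo` lines, so the job reports success without looking at the cluster; replace the placeholder with a real check such as `nomad server members` / `nomad node status` against the deployed endpoint, or rename the step until one exists. The `chmod +x` on the two scripts in the checkout suggests the executable bit is not committed; `git update-index --chmod=+x` on them removes the need for it.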


@@ -0,0 +1,78 @@
name: Application Deployment
on:
push:
branches: [ main ]
paths:
- 'configuration/**'
- 'containers/**'
- '.gitea/workflows/deploy.yml'
workflow_dispatch:
inputs:
environment:
description: 'Target environment'
required: true
default: 'dev'
type: choice
options:
- dev
- staging
- production
jobs:
ansible-check:
runs-on: ubuntu-latest
name: Ansible Syntax Check
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Python
uses: actions/setup-python@v4
with:
python-version: '3.11'
- name: Install Ansible
run: |
pip install ansible ansible-core
ansible-galaxy collection install community.general
ansible-galaxy collection install ansible.posix
ansible-galaxy collection install community.docker
- name: Ansible syntax check
run: |
cd configuration
for playbook in playbooks/*/*.yml; do
if [ -f "$playbook" ]; then
echo "Checking $playbook"
ansible-playbook --syntax-check "$playbook"
fi
done
deploy:
runs-on: ubuntu-latest
name: Deploy Applications
needs: ansible-check
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Python
uses: actions/setup-python@v4
with:
python-version: '3.11'
- name: Install Ansible
run: |
pip install ansible ansible-core
ansible-galaxy collection install community.general
ansible-galaxy collection install ansible.posix
ansible-galaxy collection install community.docker
- name: Deploy applications
run: |
cd configuration
ENV="${{ github.event.inputs.environment || 'dev' }}"
ansible-playbook -i "inventories/${ENV}/inventory.ini" playbooks/bootstrap/main.yml
env:
ANSIBLE_HOST_KEY_CHECKING: False
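Review bot: `ANSIBLE_HOST_KEY_CHECKING: False` on the 'Deploy applications' step turns off SSH host-key verification for the deploy connection, so a spoofed or redirected host is accepted silently; the Ansible Deploy workflow in this same commit pins the host with `ssh-keyscan` into `~/.ssh/known_hosts`, and that approach (or a committed known_hosts file) belongs here instead of disabling the check. If the value is kept, write it as the string `"false"`: a plain `False` is parsed as a YAML boolean before it reaches the environment. No SSH key or credentials are configured in this job, so on a hosted `ubuntu-latest` runner the playbook can only work via ambient runner state, which is worth stating in a comment on the step. `pip install ansible ansible-core` is unpinned here while Ansible Deploy pins `ANSIBLE_VERSION: "8.0.0"`; pinning both to the same version keeps the syntax check and the deploy on one release.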


@@ -0,0 +1,53 @@
name: Docker Build and Deploy
on:
push:
branches: [ main ]
paths:
- 'containers/**'
- 'Dockerfile*'
- '.gitea/workflows/docker.yml'
jobs:
build:
runs-on: ubuntu-latest
name: Build Podman Images
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Podman
run: |
sudo apt-get update
sudo apt-get install -y podman
podman --version
- name: Login to Container Registry
run: |
echo ${{ secrets.REGISTRY_PASSWORD }} | podman login ${{ secrets.REGISTRY_URL }} --username ${{ secrets.REGISTRY_USERNAME }} --password-stdin
- name: Build and push images
run: |
# 构建应用镜像
for dockerfile in containers/applications/*/Dockerfile; do
if [ -f "$dockerfile" ]; then
app_name=$(basename $(dirname "$dockerfile"))
echo "Building $app_name"
podman build -t "${{ secrets.REGISTRY_URL }}/$app_name:${{ github.sha }}" -f "$dockerfile" .
podman push "${{ secrets.REGISTRY_URL }}/$app_name:${{ github.sha }}"
fi
done
deploy-nomad:
runs-on: ubuntu-latest
name: Deploy to Nomad Cluster
needs: build
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Deploy to Nomad
run: |
# 这里可以通过 SSH 连接到 Nomad 管理节点进行部署
echo "Deploy to Nomad placeholder"
# 示例命令: nomad job run -var "image_tag=${{ github.sha }}" jobs/app.nomad
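Review bot: 'Login to Container Registry' interpolates `secrets.REGISTRY_PASSWORD` straight into the shell text via `${{ }}` and echoes it unquoted, so the secret is substituted into the command before bash runs it and any whitespace, `$` or backtick characters in it are word-split or evaluated. Pass it through the step's `env:` (`REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}`, likewise for the URL and username) and use `printf '%s' "$REGISTRY_PASSWORD" | podman login "$REGISTRY_URL" --username "$REGISTRY_USERNAME" --password-stdin`. The same inline-expansion pattern appears in the 'Build and push images' loop (`${{ secrets.REGISTRY_URL }}` inside the tag) and in the heredocs of the Ansible Deploy and OpenTofu Apply workflows in this commit. 'Deploy to Nomad' is an `echo` placeholder behind `needs: build`, so the job advertises a deployment that does not happen; it should either run the `nomad job run` command the comment mentions or be left out until it does.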


@@ -0,0 +1,91 @@
name: Infrastructure CI/CD
on:
push:
branches: [ main, develop ]
paths:
- 'infrastructure/**'
- '.gitea/workflows/infrastructure.yml'
pull_request:
branches: [ main ]
paths:
- 'infrastructure/**'
jobs:
validate:
runs-on: ubuntu-latest
name: Validate Infrastructure
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup OpenTofu
uses: opentofu/setup-opentofu@v1
with:
tofu_version: 1.10.6
- name: Validate OpenTofu configurations
run: |
for dir in infrastructure/providers/*/; do
if [ -d "$dir" ]; then
echo "Validating $dir"
cd "$dir"
tofu init -backend=false
tofu validate
cd - > /dev/null
fi
done
- name: Check formatting
run: |
tofu fmt -check -recursive infrastructure/
- name: Security scan
run: |
# 这里可以添加 tfsec 或 checkov 扫描
echo "Security scan placeholder"
plan:
runs-on: ubuntu-latest
name: Plan Infrastructure
needs: validate
if: github.event_name == 'pull_request'
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup OpenTofu
uses: opentofu/setup-opentofu@v1
with:
tofu_version: 1.10.6
- name: Plan infrastructure changes
run: |
cd infrastructure/environments/dev
tofu init
tofu plan -var-file="terraform.tfvars" -out=tfplan
env:
# 这里需要配置云服务商的环境变量
TF_VAR_environment: dev
apply:
runs-on: ubuntu-latest
name: Apply Infrastructure
needs: validate
if: github.ref == 'refs/heads/main' && github.event_name == 'push'
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup OpenTofu
uses: opentofu/setup-opentofu@v1
with:
tofu_version: 1.10.6
- name: Apply infrastructure changes
run: |
cd infrastructure/environments/dev
tofu init
tofu apply -var-file="terraform.tfvars" -auto-approve
env:
TF_VAR_environment: dev
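Review bot: The `apply` job runs `tofu apply -var-file="terraform.tfvars" -auto-approve` on every push to `main` with `needs: validate` only, so it never reuses a reviewed plan (`plan` is restricted to `pull_request`, a different event) and has no `environment:` with required reviewers in front of it; at minimum gate it with an environment and apply a saved plan file, i.e. `tofu plan -var-file="terraform.tfvars" -out=tfplan` followed by `tofu apply tfplan`. Neither job configures provider credentials or a state backend in this workflow, and `infrastructure/environments/dev/terraform.tfvars` is generated at run time by the OpenTofu Apply workflow from secrets, so either that file is committed here (which would put those secrets in git) or this `tofu init`/`plan`/`apply` cannot succeed — worth confirming which. The 'Security scan' step is an `echo` placeholder, so the workflow shows a passing security check that ran nothing; rename it or run the `tfsec`/`checkov` scan the comment names.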


@@ -0,0 +1,175 @@
name: OpenTofu Apply
on:
push:
branches: [main]
paths:
- 'infrastructure/**'
workflow_dispatch:
inputs:
environment:
description: '部署环境'
required: true
default: 'dev'
type: choice
options:
- dev
- staging
- production
provider:
description: '云服务商'
required: true
default: 'oracle-cloud'
type: choice
options:
- oracle-cloud
- huawei-cloud
- google-cloud
- digitalocean
- aws
env:
TOFU_VERSION: "1.10.6"
jobs:
apply:
runs-on: ubuntu-latest
environment: ${{ github.event.inputs.environment || 'dev' }}
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup OpenTofu
uses: opentofu/setup-opentofu@v1
with:
tofu_version: ${{ env.TOFU_VERSION }}
- name: Configure credentials
run: |
PROVIDER="${{ github.event.inputs.provider || 'oracle-cloud' }}"
echo "Setting up credentials for $PROVIDER"
case "$PROVIDER" in
"oracle-cloud")
mkdir -p ~/.oci
echo "${{ secrets.OCI_PRIVATE_KEY }}" > ~/.oci/oci_api_key.pem
chmod 600 ~/.oci/oci_api_key.pem
;;
"huawei-cloud")
export HW_ACCESS_KEY="${{ secrets.HW_ACCESS_KEY }}"
export HW_SECRET_KEY="${{ secrets.HW_SECRET_KEY }}"
;;
"google-cloud")
echo "${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}" > /tmp/gcp-key.json
export GOOGLE_APPLICATION_CREDENTIALS="/tmp/gcp-key.json"
;;
"digitalocean")
export DIGITALOCEAN_TOKEN="${{ secrets.DO_TOKEN }}"
;;
"aws")
export AWS_ACCESS_KEY_ID="${{ secrets.AWS_ACCESS_KEY_ID }}"
export AWS_SECRET_ACCESS_KEY="${{ secrets.AWS_SECRET_ACCESS_KEY }}"
;;
esac
- name: Create terraform.tfvars
run: |
ENV="${{ github.event.inputs.environment || 'dev' }}"
cd infrastructure/environments/$ENV
cat > terraform.tfvars << EOF
environment = "$ENV"
project_name = "mgmt"
owner = "ben"
# Oracle Cloud 配置
oci_config = {
tenancy_ocid = "${{ secrets.OCI_TENANCY_OCID }}"
user_ocid = "${{ secrets.OCI_USER_OCID }}"
fingerprint = "${{ secrets.OCI_FINGERPRINT }}"
private_key_path = "~/.oci/oci_api_key.pem"
region = "ap-seoul-1"
}
# 华为云配置
huawei_config = {
access_key = "${{ secrets.HW_ACCESS_KEY }}"
secret_key = "${{ secrets.HW_SECRET_KEY }}"
region = "cn-north-4"
}
# Google Cloud 配置
gcp_config = {
project_id = "${{ secrets.GCP_PROJECT_ID }}"
region = "asia-northeast3"
zone = "asia-northeast3-a"
credentials = "/tmp/gcp-key.json"
}
# DigitalOcean 配置
do_config = {
token = "${{ secrets.DO_TOKEN }}"
region = "sgp1"
}
# AWS 配置
aws_config = {
access_key = "${{ secrets.AWS_ACCESS_KEY_ID }}"
secret_key = "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
region = "ap-northeast-1"
}
EOF
- name: OpenTofu Init
run: |
PROVIDER="${{ github.event.inputs.provider || 'oracle-cloud' }}"
cd infrastructure/providers/$PROVIDER
tofu init
- name: OpenTofu Plan
run: |
ENV="${{ github.event.inputs.environment || 'dev' }}"
PROVIDER="${{ github.event.inputs.provider || 'oracle-cloud' }}"
cd infrastructure/providers/$PROVIDER
tofu plan \
-var-file="../../../environments/$ENV/terraform.tfvars" \
-out=tfplan
- name: OpenTofu Apply
run: |
PROVIDER="${{ github.event.inputs.provider || 'oracle-cloud' }}"
cd infrastructure/providers/$PROVIDER
tofu apply -auto-approve tfplan
- name: Save State
run: |
ENV="${{ github.event.inputs.environment || 'dev' }}"
PROVIDER="${{ github.event.inputs.provider || 'oracle-cloud' }}"
cd infrastructure/providers/$PROVIDER
# 这里可以配置远程状态存储
# 例如上传到 S3, GCS, 或其他存储
echo "State saved locally for now"
- name: Generate Inventory
run: |
ENV="${{ github.event.inputs.environment || 'dev' }}"
PROVIDER="${{ github.event.inputs.provider || 'oracle-cloud' }}"
cd infrastructure/providers/$PROVIDER
# 生成 Ansible 动态清单
tofu output -json > ../../../configuration/inventories/$ENV/$PROVIDER-inventory.json
- name: Trigger Ansible Deployment
uses: actions/github-script@v7
with:
script: |
github.rest.actions.createWorkflowDispatch({
owner: context.repo.owner,
repo: context.repo.repo,
workflow_id: 'ansible-deploy.yml',
ref: 'main',
inputs: {
environment: '${{ github.event.inputs.environment || "dev" }}',
provider: '${{ github.event.inputs.provider || "oracle-cloud" }}'
}
});
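Review bot: The `export` lines in 'Configure credentials' (`HW_ACCESS_KEY`, `HW_SECRET_KEY`, `GOOGLE_APPLICATION_CREDENTIALS`, `DIGITALOCEAN_TOKEN`, `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`) only set variables in that step's shell; each `run:` is a fresh process, so 'OpenTofu Init', 'OpenTofu Plan' and 'OpenTofu Apply' never see them and only the Oracle path, which writes a key file, can work. Attach the provider secrets with `env:` on the init/plan/apply steps (sketched below, same block on all three) or append them to `$GITHUB_ENV` in this step instead of `export`. 'Save State' only echoes, so the state written by `tofu apply` is discarded with the runner and the next run on `main` will try to recreate every resource; a remote backend (the comment already names S3/GCS) is needed before this workflow is safe to run twice. 'Create terraform.tfvars' writes every provider's secret key, not only the selected provider's, into a file inside the checkout, and 'Generate Inventory' writes to `configuration/inventories/` in the checkout, which is never committed or uploaded, so the dispatched Ansible Deploy run starts from a fresh checkout and always falls back to its static inventory. The OpenTofu Plan workflow that follows repeats the `export` and all-provider tfvars pattern in every matrix cell.
```yaml
- name: OpenTofu Plan
  env:
    HW_ACCESS_KEY: ${{ secrets.HW_ACCESS_KEY }}
    HW_SECRET_KEY: ${{ secrets.HW_SECRET_KEY }}
    GOOGLE_APPLICATION_CREDENTIALS: /tmp/gcp-key.json
    DIGITALOCEAN_TOKEN: ${{ secrets.DO_TOKEN }}
    AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
    AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
  run: |
    # … unchanged: cd into the provider directory and run tofu plan …
```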


@@ -0,0 +1,148 @@
name: OpenTofu Plan
on:
pull_request:
branches: [main, develop]
paths:
- 'infrastructure/**'
- '.gitea/workflows/terraform-plan.yml'
env:
TOFU_VERSION: "1.10.6"
jobs:
plan:
runs-on: ubuntu-latest
strategy:
matrix:
environment: [dev, staging, production]
provider: [oracle-cloud, huawei-cloud, google-cloud, digitalocean, aws]
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup OpenTofu
uses: opentofu/setup-opentofu@v1
with:
tofu_version: ${{ env.TOFU_VERSION }}
- name: Configure credentials
run: |
# 设置各云服务商的认证信息
echo "Setting up credentials for ${{ matrix.provider }}"
case "${{ matrix.provider }}" in
"oracle-cloud")
mkdir -p ~/.oci
echo "${{ secrets.OCI_PRIVATE_KEY }}" > ~/.oci/oci_api_key.pem
chmod 600 ~/.oci/oci_api_key.pem
;;
"huawei-cloud")
export HW_ACCESS_KEY="${{ secrets.HW_ACCESS_KEY }}"
export HW_SECRET_KEY="${{ secrets.HW_SECRET_KEY }}"
;;
"google-cloud")
echo "${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}" > /tmp/gcp-key.json
export GOOGLE_APPLICATION_CREDENTIALS="/tmp/gcp-key.json"
;;
"digitalocean")
export DIGITALOCEAN_TOKEN="${{ secrets.DO_TOKEN }}"
;;
"aws")
export AWS_ACCESS_KEY_ID="${{ secrets.AWS_ACCESS_KEY_ID }}"
export AWS_SECRET_ACCESS_KEY="${{ secrets.AWS_SECRET_ACCESS_KEY }}"
;;
esac
- name: Create terraform.tfvars
run: |
cd infrastructure/environments/${{ matrix.environment }}
cat > terraform.tfvars << EOF
environment = "${{ matrix.environment }}"
project_name = "mgmt"
owner = "ben"
# Oracle Cloud 配置
oci_config = {
tenancy_ocid = "${{ secrets.OCI_TENANCY_OCID }}"
user_ocid = "${{ secrets.OCI_USER_OCID }}"
fingerprint = "${{ secrets.OCI_FINGERPRINT }}"
private_key_path = "~/.oci/oci_api_key.pem"
region = "ap-seoul-1"
}
# 华为云配置
huawei_config = {
access_key = "${{ secrets.HW_ACCESS_KEY }}"
secret_key = "${{ secrets.HW_SECRET_KEY }}"
region = "cn-north-4"
}
# Google Cloud 配置
gcp_config = {
project_id = "${{ secrets.GCP_PROJECT_ID }}"
region = "asia-northeast3"
zone = "asia-northeast3-a"
credentials = "/tmp/gcp-key.json"
}
# DigitalOcean 配置
do_config = {
token = "${{ secrets.DO_TOKEN }}"
region = "sgp1"
}
# AWS 配置
aws_config = {
access_key = "${{ secrets.AWS_ACCESS_KEY_ID }}"
secret_key = "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
region = "ap-northeast-1"
}
EOF
- name: OpenTofu Init
run: |
cd infrastructure/providers/${{ matrix.provider }}
tofu init
- name: OpenTofu Validate
run: |
cd infrastructure/providers/${{ matrix.provider }}
tofu validate
- name: OpenTofu Plan
run: |
cd infrastructure/providers/${{ matrix.provider }}
tofu plan \
-var-file="../../../environments/${{ matrix.environment }}/terraform.tfvars" \
-out=tfplan-${{ matrix.environment }}-${{ matrix.provider }}
- name: Upload Plan
uses: actions/upload-artifact@v4
with:
name: tfplan-${{ matrix.environment }}-${{ matrix.provider }}
path: infrastructure/providers/${{ matrix.provider }}/tfplan-${{ matrix.environment }}-${{ matrix.provider }}
retention-days: 30
- name: Comment PR
uses: actions/github-script@v7
if: github.event_name == 'pull_request'
with:
script: |
const fs = require('fs');
const path = 'infrastructure/providers/${{ matrix.provider }}/tfplan-${{ matrix.environment }}-${{ matrix.provider }}';
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: `## OpenTofu Plan Results
**Environment:** ${{ matrix.environment }}
**Provider:** ${{ matrix.provider }}
**Status:** ✅ Plan generated successfully
Plan artifact uploaded: \`tfplan-${{ matrix.environment }}-${{ matrix.provider }}\`
Please review the plan before merging.`
});