Deploy multipass

Author: jof

.github/workflows/multipass-deploy.yml

@@ -0,0 +1,94 @@
+name: Build and Deploy Multipass
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'multipass/**'
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}/multipass
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    outputs:
+      image-tag: ${{ steps.meta.outputs.tags }}
+      image-digest: ${{ steps.build.outputs.digest }}
+      version: ${{ steps.version.outputs.version }}
+    
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Generate version
+        id: version
+        run: |
+          VERSION=$(date +%Y%m%d-%H%M%S)-$(git rev-parse --short HEAD)
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "Generated version: $VERSION"
+
+      - name: Log in to Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=raw,value=${{ steps.version.outputs.version }}
+            type=raw,value=latest
+
+      - name: Build and push Docker image
+        id: build
+        uses: docker/build-push-action@v5
+        with:
+          context: ./multipass
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+  update-deployment:
+    needs: build-and-push
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Update multipass version in ansible variables
+        run: |
+          VERSION="${{ needs.build-and-push.outputs.version }}"
+          
+          # Update the multipass container version in ansible variables
+          sed -i "s/container_version: .*/container_version: \"$VERSION\"/" \
+            ansible/inventory/group_vars/all.yml
+
+      - name: Commit and push changes
+        run: |
+          git config --local user.email "action@github.com"
+          git config --local user.name "GitHub Action"
+          
+          if git diff --quiet; then
+            echo "No changes to commit"
+            exit 0
+          fi
+          
+          git add ansible/inventory/group_vars/all.yml
+          git commit -m "chore: update multipass container to ${{ needs.build-and-push.outputs.version }}"
+          git push

ansible/inventory/group_vars/all.yml

@@ -290,4 +290,21 @@ doubletake:
 
 shlink:
   image: shlinkio/shlink:stable
-  domain: go.sequoiafabrica.org
+  domain: go.sequoiafabrica.org
+
+multipass:
+  container_version: "latest"
+  port: 3005
+  data_location: "/opt/multipass"
+  authentik_url: "https://login.sequoia.garden"
+  authentik_api_token: !vault |
+    $ANSIBLE_VAULT;1.1;AES256
+    66653566386539316330623233323430343061303664313136303065343430633566303665363465
+    3363396362313739313761623961323037623834336132620a636639666161633936633461356533
+    64303333346237323861313063656430636532646430656432623565616163313565366237623464
+    6266353130363537380a643439373361633037626636623862656237616365336330346535366432
+    37343239663432373931316238363832383737633865313463343232633963636333363564383463
+    36373938336634363338353934643332626163303534373462323761336265653438663663313530
+    613935363537303166636431666231366130
+  makerspace_name: "Sequoia Fabrica"
+  trusted_proxy_headers: true

ansible/roles/sequoia_fabrica/tasks/nursery_apps.yml

@@ -524,3 +524,51 @@
     ports:
       - 3003:3000
       - 3004:8080
+
+## Multipass - Digital Makerspace ID System
+- name: Create multipass data directory
+  become: true
+  ansible.builtin.file:
+    path: "{{ multipass.data_location }}"
+    state: directory
+    owner: root
+    group: root
+    mode: ug=rwx,o=rx
+- name: Create multipass config directory
+  become: true
+  ansible.builtin.file:
+    path: "{{ multipass.data_location }}/config"
+    state: directory
+    owner: root
+    group: root
+    mode: ug=rwx,o=rx
+- name: Template multipass group mapping config
+  become: true
+  ansible.builtin.template:
+    src: multipass.group_mapping.yaml.j2
+    dest: "{{ multipass.data_location }}/config/group_mapping.yaml"
+    owner: root
+    group: root
+    mode: ug=rw,o=r
+- name: Run multipass
+  become: true
+  community.docker.docker_container:
+    name: multipass
+    image: ghcr.io/sequoia-fabrica/infrastructure/multipass:{{ multipass.container_version }}
+    pull: always
+    restart_policy: unless-stopped
+    ports:
+      - "{{ multipass.port }}:3000"
+    env:
+      AUTHENTIK_URL: "{{ multipass.authentik_url }}"
+      AUTHENTIK_API_TOKEN: "{{ multipass.authentik_api_token }}"
+      BIND_ADDRESS: "0.0.0.0:3000"
+      MAKERSPACE_NAME: "{{ multipass.makerspace_name }}"
+      MAKERSPACE_LOGO_URL: "/static/images/logo.png"
+      TRUSTED_PROXY_HEADERS: "{{ multipass.trusted_proxy_headers | string | lower }}"
+      GROUP_MAPPING_CONFIG: "/config/group_mapping.yaml"
+    mounts:
+      - type: bind
+        source: "{{ multipass.data_location }}/config"
+        target: /config
+        read_only: true

ansible/roles/sequoia_fabrica/templates/multipass.group_mapping.yaml.j2

@@ -0,0 +1,8 @@
+# Group mapping configuration for Multipass
+# Maps Authentik groups to access levels
+mappings:
+  volunteers-limited: "LimitedVolunteer"
+  Members: "FullMember"
+  staff: "Staff"
+  admin: "Admin"
+default_level: "NoAccess"