Post-Tyranny-Tech-Infrastru.../scripts/configure-diun-all-servers.sh

#!/usr/bin/env bash
#
# Configure Diun on all servers (disable watchRepo, add Docker Hub auth)
# Created: 2026-01-24
#
# This script runs the diun configuration playbook on each server
# with its corresponding SSH key.
#
# Usage:
#   cd infrastructure/
#   SOPS_AGE_KEY_FILE="keys/age-key.txt" HCLOUD_TOKEN="..." ./scripts/configure-diun-all-servers.sh

set -euo pipefail

# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color

# Configuration
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
ANSIBLE_DIR="$PROJECT_ROOT/ansible"
KEYS_DIR="$PROJECT_ROOT/keys/ssh"
PLAYBOOK="playbooks/260124-configure-diun-watchrepo.yml"

# Check required environment variables
if [ -z "${HCLOUD_TOKEN:-}" ]; then
    echo -e "${RED}Error: HCLOUD_TOKEN environment variable is required${NC}"
    exit 1
fi

if [ -z "${SOPS_AGE_KEY_FILE:-}" ]; then
    echo -e "${RED}Error: SOPS_AGE_KEY_FILE environment variable is required${NC}"
    exit 1
fi

# Convert SOPS_AGE_KEY_FILE to absolute path if it's relative
if [[ ! "$SOPS_AGE_KEY_FILE" = /* ]]; then
    export SOPS_AGE_KEY_FILE="$PROJECT_ROOT/$SOPS_AGE_KEY_FILE"
fi

# Change to ansible directory
cd "$ANSIBLE_DIR"

echo -e "${BLUE}============================================================${NC}"
echo -e "${BLUE}Diun Configuration - All Servers${NC}"
echo -e "${BLUE}============================================================${NC}"
echo ""
echo "Playbook: $PLAYBOOK"
echo "Ansible directory: $ANSIBLE_DIR"
echo ""
echo "Configuration changes:"
echo "  - Disable watchRepo (only check specific tags, not entire repos)"
echo "  - Add Docker Hub authentication (5000 pulls/6h limit)"
echo "  - Schedule: Weekly on Monday at 6am UTC"
echo ""

# Get list of all servers with SSH keys
SERVERS=()
for keyfile in "$KEYS_DIR"/*.pub; do
    if [ -f "$keyfile" ]; then
        server=$(basename "$keyfile" .pub)
        # Skip special servers
        if [[ "$server" != "README" ]] && [[ "$server" != "edge" ]]; then
            SERVERS+=("$server")
        fi
    fi
done

echo -e "${BLUE}Found ${#SERVERS[@]} servers:${NC}"
printf '%s\n' "${SERVERS[@]}" | sort
echo ""

# Counters
SUCCESS_COUNT=0
FAILED_COUNT=0
SKIPPED_COUNT=0
declare -a SUCCESS_SERVERS
declare -a FAILED_SERVERS
declare -a SKIPPED_SERVERS

echo -e "${BLUE}============================================================${NC}"
echo -e "${BLUE}Starting configuration run...${NC}"
echo -e "${BLUE}============================================================${NC}"
echo ""

# Run playbook for each server
for server in "${SERVERS[@]}"; do
    echo -e "${YELLOW}-----------------------------------------------------------${NC}"
    echo -e "${YELLOW}Processing: $server${NC}"
    echo -e "${YELLOW}-----------------------------------------------------------${NC}"

    SSH_KEY="$KEYS_DIR/$server"

    if [ ! -f "$SSH_KEY" ]; then
        echo -e "${RED}✗ SSH key not found: $SSH_KEY${NC}"
        SKIPPED_COUNT=$((SKIPPED_COUNT + 1))
        SKIPPED_SERVERS+=("$server")
        echo ""
        continue
    fi

    # Run the playbook (with SSH options to prevent agent key issues)
    if env HCLOUD_TOKEN="$HCLOUD_TOKEN" \
        SOPS_AGE_KEY_FILE="$SOPS_AGE_KEY_FILE" \
        ANSIBLE_SSH_ARGS="-o IdentitiesOnly=yes" \
        ~/.local/bin/ansible-playbook \
        -i hcloud.yml \
        "$PLAYBOOK" \
        --limit "$server" \
        --private-key "$SSH_KEY" 2>&1; then

        echo -e "${GREEN}✓ Success: $server${NC}"
        SUCCESS_COUNT=$((SUCCESS_COUNT + 1))
        SUCCESS_SERVERS+=("$server")
    else
        echo -e "${RED}✗ Failed: $server${NC}"
        FAILED_COUNT=$((FAILED_COUNT + 1))
        FAILED_SERVERS+=("$server")
    fi

    echo ""
done

# Summary
echo -e "${BLUE}============================================================${NC}"
echo -e "${BLUE}CONFIGURATION RUN SUMMARY${NC}"
echo -e "${BLUE}============================================================${NC}"
echo ""
echo "Total servers: ${#SERVERS[@]}"
echo -e "${GREEN}Successful: $SUCCESS_COUNT${NC}"
echo -e "${RED}Failed: $FAILED_COUNT${NC}"
echo -e "${YELLOW}Skipped: $SKIPPED_COUNT${NC}"
echo ""

if [ $SUCCESS_COUNT -gt 0 ]; then
    echo -e "${GREEN}Successful servers:${NC}"
    printf '  %s\n' "${SUCCESS_SERVERS[@]}"
    echo ""
fi

if [ $FAILED_COUNT -gt 0 ]; then
    echo -e "${RED}Failed servers:${NC}"
    printf '  %s\n' "${FAILED_SERVERS[@]}"
    echo ""
fi

if [ $SKIPPED_COUNT -gt 0 ]; then
    echo -e "${YELLOW}Skipped servers:${NC}"
    printf '  %s\n' "${SKIPPED_SERVERS[@]}"
    echo ""
fi

echo -e "${BLUE}============================================================${NC}"
echo ""
echo "Next steps:"
echo "  1. Wait for next Monday at 6am UTC for scheduled run"
echo "  2. Or manually trigger: docker exec diun diun once"
echo "  3. Check logs: docker logs diun"
echo ""

# Exit with error if any failures
if [ $FAILED_COUNT -gt 0 ]; then
    exit 1
fi

exit 0
feat: Configure Diun with Docker Hub auth and watchRepo control This commit resolves Docker Hub rate limiting issues on all servers by: 1. Adding Docker Hub authentication support to Diun configuration 2. Making watchRepo configurable (disabled to reduce API calls) 3. Creating automation to deploy changes across all 17 servers Changes: - Enhanced diun.yml.j2 template to support: - Configurable watchRepo setting (defaults to true for compatibility) - Docker Hub authentication via regopts when credentials provided - Created 260124-configure-diun-watchrepo.yml playbook to: - Disable watchRepo (only checks specific tags vs entire repo) - Enable Docker Hub authentication (5000 pulls/6h vs 100/6h) - Change schedule to weekly (Monday 6am UTC) - Created configure-diun-all-servers.sh automation script with: - Proper SOPS age key file path handling - Per-server SSH key management - Sequential deployment across all servers - Fixed Authentik OIDC provider meta_launch_url to use client_domain Successfully deployed to all 17 servers (bever, das, egel, haas, kikker, kraai, mees, mol, mus, otter, ree, specht, uil, valk, vos, wolf, zwaan). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2026-01-24 13:16:25 +01:00			`#!/usr/bin/env bash`
			`#`
			`# Configure Diun on all servers (disable watchRepo, add Docker Hub auth)`
			`# Created: 2026-01-24`
			`#`
			`# This script runs the diun configuration playbook on each server`
			`# with its corresponding SSH key.`
			`#`
			`# Usage:`
			`# cd infrastructure/`
			`# SOPS_AGE_KEY_FILE="keys/age-key.txt" HCLOUD_TOKEN="..." ./scripts/configure-diun-all-servers.sh`

			`set -euo pipefail`

			`# Colors for output`
			`RED='\033[0;31m'`
			`GREEN='\033[0;32m'`
			`YELLOW='\033[1;33m'`
			`BLUE='\033[0;34m'`
			`NC='\033[0m' # No Color`

			`# Configuration`
			`SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"`
			`PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"`
			`ANSIBLE_DIR="$PROJECT_ROOT/ansible"`
			`KEYS_DIR="$PROJECT_ROOT/keys/ssh"`
			`PLAYBOOK="playbooks/260124-configure-diun-watchrepo.yml"`

			`# Check required environment variables`
			`if [ -z "${HCLOUD_TOKEN:-}" ]; then`
			`echo -e "${RED}Error: HCLOUD_TOKEN environment variable is required${NC}"`
			`exit 1`
			`fi`

			`if [ -z "${SOPS_AGE_KEY_FILE:-}" ]; then`
			`echo -e "${RED}Error: SOPS_AGE_KEY_FILE environment variable is required${NC}"`
			`exit 1`
			`fi`

			`# Convert SOPS_AGE_KEY_FILE to absolute path if it's relative`
			`if [[ ! "$SOPS_AGE_KEY_FILE" = /* ]]; then`
			`export SOPS_AGE_KEY_FILE="$PROJECT_ROOT/$SOPS_AGE_KEY_FILE"`
			`fi`

			`# Change to ansible directory`
			`cd "$ANSIBLE_DIR"`

			`echo -e "${BLUE}============================================================${NC}"`
			`echo -e "${BLUE}Diun Configuration - All Servers${NC}"`
			`echo -e "${BLUE}============================================================${NC}"`
			`echo ""`
			`echo "Playbook: $PLAYBOOK"`
			`echo "Ansible directory: $ANSIBLE_DIR"`
			`echo ""`
			`echo "Configuration changes:"`
			`echo " - Disable watchRepo (only check specific tags, not entire repos)"`
			`echo " - Add Docker Hub authentication (5000 pulls/6h limit)"`
			`echo " - Schedule: Weekly on Monday at 6am UTC"`
			`echo ""`

			`# Get list of all servers with SSH keys`
			`SERVERS=()`
			`for keyfile in "$KEYS_DIR"/*.pub; do`
			`if [ -f "$keyfile" ]; then`
			`server=$(basename "$keyfile" .pub)`
			`# Skip special servers`
			`if [[ "$server" != "README" ]] && [[ "$server" != "edge" ]]; then`
			`SERVERS+=("$server")`
			`fi`
			`fi`
			`done`

			`echo -e "${BLUE}Found ${#SERVERS[@]} servers:${NC}"`
			`printf '%s\n' "${SERVERS[@]}" \| sort`
			`echo ""`

			`# Counters`
			`SUCCESS_COUNT=0`
			`FAILED_COUNT=0`
			`SKIPPED_COUNT=0`
			`declare -a SUCCESS_SERVERS`
			`declare -a FAILED_SERVERS`
			`declare -a SKIPPED_SERVERS`

			`echo -e "${BLUE}============================================================${NC}"`
			`echo -e "${BLUE}Starting configuration run...${NC}"`
			`echo -e "${BLUE}============================================================${NC}"`
			`echo ""`

			`# Run playbook for each server`
			`for server in "${SERVERS[@]}"; do`
			`echo -e "${YELLOW}-----------------------------------------------------------${NC}"`
			`echo -e "${YELLOW}Processing: $server${NC}"`
			`echo -e "${YELLOW}-----------------------------------------------------------${NC}"`

			`SSH_KEY="$KEYS_DIR/$server"`

			`if [ ! -f "$SSH_KEY" ]; then`
			`echo -e "${RED}✗ SSH key not found: $SSH_KEY${NC}"`
			`SKIPPED_COUNT=$((SKIPPED_COUNT + 1))`
			`SKIPPED_SERVERS+=("$server")`
			`echo ""`
			`continue`
			`fi`

			`# Run the playbook (with SSH options to prevent agent key issues)`
			`if env HCLOUD_TOKEN="$HCLOUD_TOKEN" \`
			`SOPS_AGE_KEY_FILE="$SOPS_AGE_KEY_FILE" \`
			`ANSIBLE_SSH_ARGS="-o IdentitiesOnly=yes" \`
			`~/.local/bin/ansible-playbook \`
			`-i hcloud.yml \`
			`"$PLAYBOOK" \`
			`--limit "$server" \`
			`--private-key "$SSH_KEY" 2>&1; then`

			`echo -e "${GREEN}✓ Success: $server${NC}"`
			`SUCCESS_COUNT=$((SUCCESS_COUNT + 1))`
			`SUCCESS_SERVERS+=("$server")`
			`else`
			`echo -e "${RED}✗ Failed: $server${NC}"`
			`FAILED_COUNT=$((FAILED_COUNT + 1))`
			`FAILED_SERVERS+=("$server")`
			`fi`

			`echo ""`
			`done`

			`# Summary`
			`echo -e "${BLUE}============================================================${NC}"`
			`echo -e "${BLUE}CONFIGURATION RUN SUMMARY${NC}"`
			`echo -e "${BLUE}============================================================${NC}"`
			`echo ""`
			`echo "Total servers: ${#SERVERS[@]}"`
			`echo -e "${GREEN}Successful: $SUCCESS_COUNT${NC}"`
			`echo -e "${RED}Failed: $FAILED_COUNT${NC}"`
			`echo -e "${YELLOW}Skipped: $SKIPPED_COUNT${NC}"`
			`echo ""`

			`if [ $SUCCESS_COUNT -gt 0 ]; then`
			`echo -e "${GREEN}Successful servers:${NC}"`
			`printf ' %s\n' "${SUCCESS_SERVERS[@]}"`
			`echo ""`
			`fi`

			`if [ $FAILED_COUNT -gt 0 ]; then`
			`echo -e "${RED}Failed servers:${NC}"`
			`printf ' %s\n' "${FAILED_SERVERS[@]}"`
			`echo ""`
			`fi`

			`if [ $SKIPPED_COUNT -gt 0 ]; then`
			`echo -e "${YELLOW}Skipped servers:${NC}"`
			`printf ' %s\n' "${SKIPPED_SERVERS[@]}"`
			`echo ""`
			`fi`

			`echo -e "${BLUE}============================================================${NC}"`
			`echo ""`
			`echo "Next steps:"`
			`echo " 1. Wait for next Monday at 6am UTC for scheduled run"`
			`echo " 2. Or manually trigger: docker exec diun diun once"`
			`echo " 3. Check logs: docker logs diun"`
			`echo ""`

			`# Exit with error if any failures`
			`if [ $FAILED_COUNT -gt 0 ]; then`
			`exit 1`
			`fi`

			`exit 0`