Post-X-Society/Post-Tyranny-Tech-Infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Post-Tyranny-Tech-Infrastru.../ansible/playbooks/260124-configure-diun-watchrepo.yml
Pieter 12d9fc06e5 feat: Configure Diun with Docker Hub auth and watchRepo control 
This commit resolves Docker Hub rate limiting issues on all servers by:
1. Adding Docker Hub authentication support to Diun configuration
2. Making watchRepo configurable (disabled to reduce API calls)
3. Creating automation to deploy changes across all 17 servers

Changes:
- Enhanced diun.yml.j2 template to support:
  - Configurable watchRepo setting (defaults to true for compatibility)
  - Docker Hub authentication via regopts when credentials provided
- Created 260124-configure-diun-watchrepo.yml playbook to:
  - Disable watchRepo (only checks specific tags vs entire repo)
  - Enable Docker Hub authentication (5000 pulls/6h vs 100/6h)
  - Change schedule to weekly (Monday 6am UTC)
- Created configure-diun-all-servers.sh automation script with:
  - Proper SOPS age key file path handling
  - Per-server SSH key management
  - Sequential deployment across all servers
- Fixed Authentik OIDC provider meta_launch_url to use client_domain

Successfully deployed to all 17 servers (bever, das, egel, haas, kikker,
kraai, mees, mol, mus, otter, ree, specht, uil, valk, vos, wolf, zwaan).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-24 13:16:25 +01:00

156 lines
5.3 KiB
YAML
Raw Blame History

---
# Configure Diun to disable watchRepo and add Docker Hub authentication
# This playbook updates all servers to:
# - Only watch specific image tags (not entire repositories) to reduce API calls
# - Add Docker Hub authentication for higher rate limits
#
# Background:
# - watchRepo: true checks ALL tags in a repository (hundreds of API calls)
# - watchRepo: false only checks the specific tag being used (1-2 API calls)
# - Docker Hub auth increases rate limit from 100 to 5000 pulls per 6 hours
#
# Usage:
# cd ansible/
# SOPS_AGE_KEY_FILE="../keys/age-key.txt" HCLOUD_TOKEN="..." \
# ansible-playbook -i hcloud.yml playbooks/260124-configure-diun-watchrepo.yml
#
# Or for specific servers:
# SOPS_AGE_KEY_FILE="../keys/age-key.txt" HCLOUD_TOKEN="..." \
# ansible-playbook -i hcloud.yml playbooks/260124-configure-diun-watchrepo.yml \
# --limit das,uil,vos --private-key "../keys/ssh/das"
- name: Configure Diun watchRepo and Docker Hub authentication
hosts: all
become: yes
vars:
# Diun base configuration
diun_version: "latest"
diun_log_level: "info"
diun_watch_workers: 10
diun_watch_all: true
diun_exclude_containers: []
diun_first_check_notif: false
# Schedule: Weekly on Monday at 6am UTC (to reduce API calls)
diun_schedule: "0 6 * * 1"
# Disable watchRepo - only check the specific tags we're using
diun_watch_repo: false
# Webhook configuration - sends to Matrix via custom webhook
diun_notif_enabled: true
diun_notif_type: webhook
diun_webhook_endpoint: "https://diun-webhook.postxsociety.cloud"
diun_webhook_method: POST
diun_webhook_headers:
Content-Type: application/json
# Disable email notifications
diun_email_enabled: false
# SMTP defaults (not used when email disabled, but needed for template)
diun_smtp_host: "smtp.eu.mailgun.org"
diun_smtp_port: 587
diun_smtp_from: "{{ client_name }}@mg.vrije.cloud"
diun_smtp_to: "pieter@postxsociety.org"
# Optional notification defaults (unused but needed for template)
diun_slack_webhook_url: ""
diun_matrix_enabled: false
diun_matrix_homeserver_url: ""
diun_matrix_user: ""
diun_matrix_password: ""
diun_matrix_room_id: ""
pre_tasks:
- name: Gather facts
setup:
- name: Determine client name from hostname
set_fact:
client_name: "{{ inventory_hostname }}"
- name: Load client secrets
community.sops.load_vars:
file: "{{ playbook_dir }}/../../secrets/clients/{{ client_name }}.sops.yaml"
name: client_secrets
age_keyfile: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}"
no_log: true
- name: Load shared secrets
community.sops.load_vars:
file: "{{ playbook_dir }}/../../secrets/shared.sops.yaml"
name: shared_secrets
age_keyfile: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}"
no_log: true
- name: Merge shared secrets into client_secrets
set_fact:
client_secrets: "{{ client_secrets | combine(shared_secrets) }}"
no_log: true
tasks:
- name: Set SMTP credentials (required by template even if unused)
set_fact:
diun_smtp_username_final: "{{ client_secrets.mailgun_smtp_user | default('') }}"
diun_smtp_password_final: ""
no_log: true
- name: Set Docker Hub credentials for higher rate limits
set_fact:
diun_docker_hub_username: "{{ client_secrets.docker_hub_username }}"
diun_docker_hub_password: "{{ client_secrets.docker_hub_password }}"
no_log: true
- name: Display configuration summary
debug:
msg: |
Configuring Diun on {{ inventory_hostname }}:
- Webhook endpoint: {{ diun_webhook_endpoint }}
- Email notifications: {{ 'enabled' if diun_email_enabled else 'disabled' }}
- Schedule: {{ diun_schedule }} (Weekly on Monday at 6am UTC)
- Watch entire repositories: {{ 'yes' if diun_watch_repo else 'no (only specific tags)' }}
- Docker Hub auth: {{ 'enabled' if diun_docker_hub_username else 'disabled' }}
- name: Deploy Diun configuration with watchRepo disabled and Docker Hub auth
template:
src: "{{ playbook_dir }}/../roles/diun/templates/diun.yml.j2"
dest: /opt/docker/diun/diun.yml
mode: '0644'
notify: Restart Diun
- name: Restart Diun to apply new configuration
community.docker.docker_compose_v2:
project_src: /opt/docker/diun
state: restarted
- name: Wait for Diun to start
pause:
seconds: 5
- name: Check Diun status
shell: docker ps --filter name=diun --format "{{ '{{' }}.Status{{ '}}' }}"
register: diun_status
changed_when: false
- name: Display Diun status
debug:
msg: "Diun status on {{ inventory_hostname }}: {{ diun_status.stdout }}"
- name: Verify Diun configuration
shell: docker exec diun cat /diun.yml | grep -E "(watchRepo|regopts)" || echo "Config deployed"
register: diun_config_check
changed_when: false
- name: Display configuration verification
debug:
msg: |
Configuration applied on {{ inventory_hostname }}:
{{ diun_config_check.stdout }}
handlers:
- name: Restart Diun
community.docker.docker_compose_v2:
project_src: /opt/docker/diun
state: restarted
Reference in a new issue View git blame Copy permalink