From 7f10c05cec43d7cd2cf3997f26c8a335759f1962 Mon Sep 17 00:00:00 2001
From: Jef Roosens
Date: Fri, 4 Jul 2025 16:10:32 +0200
Subject: [PATCH] vieter: add podman-based deployment
---
 inventory/group_vars/all/vars.yml | 2 +
 inventory/group_vars/all/vault.yml | 65 ++++++++-------
 plays/pearl.yml | 9 ++-
 .../files/vieter-server.Caddyfile | 3 +
 .../files/vieter-server.container | 16 ++++
 .../files/vieter.data.backup.sh | 12 +++
 .../handlers/main.yml | 4 +
 .../any.software.vieter-podman/meta/main.yml | 3 +
 .../any.software.vieter-podman/tasks/main.yml | 80 +++++++++++++++++++
 .../templates/vieter.env.j2 | 11 +++
 10 files changed, 173 insertions(+), 32 deletions(-)
 create mode 100644 roles/any.software.vieter-podman/files/vieter-server.Caddyfile
 create mode 100644 roles/any.software.vieter-podman/files/vieter-server.container
 create mode 100644 roles/any.software.vieter-podman/files/vieter.data.backup.sh
 create mode 100644 roles/any.software.vieter-podman/handlers/main.yml
 create mode 100644 roles/any.software.vieter-podman/meta/main.yml
 create mode 100644 roles/any.software.vieter-podman/tasks/main.yml
 create mode 100644 roles/any.software.vieter-podman/templates/vieter.env.j2
diff --git a/inventory/group_vars/all/vars.yml b/inventory/group_vars/all/vars.yml
index 02ae9c2..23835a8 100644
--- a/inventory/group_vars/all/vars.yml
+++ b/inventory/group_vars/all/vars.yml
@@ -27,3 +27,5 @@ gitea_lfs_jwt_secret: "{{ vault_gitea_lfs_jwt_secret }}"
 gitea_secret_key: "{{ vault_gitea_secret_key }}"
 gitea_internal_token: "{{ vault_gitea_internal_token }}"
 gitea_jwt_secret: "{{ vault_gitea_jwt_secret }}"
+
+vieter_api_key: "{{ vault_vieter_api_key }}"
diff --git a/inventory/group_vars/all/vault.yml b/inventory/group_vars/all/vault.yml
index 13fc149..abd6bd4 100644
--- a/inventory/group_vars/all/vault.yml
+++ b/inventory/group_vars/all/vault.yml
@@ -1,32 +1,35 @@
 $ANSIBLE_VAULT;1.1;AES256
-62316366343931626135336332623963643864616164386132363565303565303165326238303132
-3266623662613739333637393937373137313161306136310a613335346362346333323461336130
-61386264346464376539303733393961306664376663613034316337313963343761636634636131
-3231633934646130630a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a666661356337633630666462333466
+38636564313065623238663336653437393964663530656163396332616361616662363037313963
+3834383464653731320a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
diff --git a/plays/pearl.yml b/plays/pearl.yml
index e9aecbf..576b54d 100644
--- a/plays/pearl.yml
+++ b/plays/pearl.yml
@@ -12,9 +12,16 @@ roles:
 - 'any.common.debian-repositories'
 - 'any.tools.default'
- - 'any.tools.ufw'
 - 'any.tools.restic'
 - 'any.tools.caddy'
+ # First change SSH settings before enabling firewall
 - 'any.common.ssh'
+ - 'any.tools.ufw'
 - 'pearl.mounts'
 tags: base
+
+- hosts: pearl
+ become: true
+ roles:
+ - 'any.software.vieter-podman'
+ tags: vieter
diff --git a/roles/any.software.vieter-podman/files/vieter-server.Caddyfile b/roles/any.software.vieter-podman/files/vieter-server.Caddyfile
new file mode 100644
index 0000000..fbf934f
--- /dev/null
+++ b/roles/any.software.vieter-podman/files/vieter-server.Caddyfile
@@ -0,0 +1,3 @@
+arch.r8r.be {
+ reverse_proxy 127.0.0.1:8020
+}
diff --git a/roles/any.software.vieter-podman/files/vieter-server.container b/roles/any.software.vieter-podman/files/vieter-server.container
new file mode 100644
index 0000000..12828b1
--- /dev/null
+++ b/roles/any.software.vieter-podman/files/vieter-server.container
@@ -0,0 +1,16 @@
+# vim: ft=systemd
+[Unit]
+Description=Self-hostable Arch repository server
+
+[Container]
+Image=docker.io/chewingbever/vieter:dev
+EnvironmentFile=/etc/vieter/vieter.env
+
+PublishPort=127.0.0.1:8020:8000
+Volume=/mnt/data1/vieter/data:/data
+
+[Service]
+Restart=always
+
+[Install]
+WantedBy=default.target
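Review bot: `Image=docker.io/chewingbever/vieter:dev` in the new vieter-server.container unit references a mutable tag, so what actually runs is whatever `dev` points at when the host pulls it; the deployment is not reproducible and a broken or tampered push to that tag reaches the server on the next pull. Prefer a release tag or an immutable digest, e.g. `Image=docker.io/chewingbever/vieter@sha256:<DIGEST_PLACEHOLDER>`, and bump it deliberately. If tracking `dev` is intentional for this host, a comment above the `Image=` line saying so (`# Tracks the dev tag on purpose; pin before relying on this for anything stable`) would save the next reader the question.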
diff --git a/roles/any.software.vieter-podman/files/vieter.data.backup.sh b/roles/any.software.vieter-podman/files/vieter.data.backup.sh
new file mode 100644
index 0000000..efee19e
--- /dev/null
+++ b/roles/any.software.vieter-podman/files/vieter.data.backup.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+data_dir='/mnt/data1/vieter/data'
+snapshot_dir="${data_dir}.snapshot"
+
+# Read-only snapshot for atomic backup
+btrfs subvolume snapshot -r "$data_dir" "$snapshot_dir" || exit $?
+
+/usr/local/bin/restic backup "$snapshot_dir"
+
+# Always remove snapshot subvolume, even if restic fails
+btrfs subvolume delete "$snapshot_dir"
diff --git a/roles/any.software.vieter-podman/handlers/main.yml b/roles/any.software.vieter-podman/handlers/main.yml
new file mode 100644
index 0000000..3253420
--- /dev/null
+++ b/roles/any.software.vieter-podman/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: 'restart vieter'
+ ansible.builtin.service:
+ name: 'vieter-server'
+ state: 'restarted'
diff --git a/roles/any.software.vieter-podman/meta/main.yml b/roles/any.software.vieter-podman/meta/main.yml
new file mode 100644
index 0000000..6e47e89
--- /dev/null
+++ b/roles/any.software.vieter-podman/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - role: 'any.tools.caddy'
diff --git a/roles/any.software.vieter-podman/tasks/main.yml b/roles/any.software.vieter-podman/tasks/main.yml
new file mode 100644
index 0000000..7e9a278
--- /dev/null
+++ b/roles/any.software.vieter-podman/tasks/main.yml
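Review bot: The backup script's exit status is that of the final `btrfs subvolume delete`, so a failed `restic backup` is reported as success to whatever schedules `vieter.data.backup.sh`, and a missed backup never surfaces in monitoring. Capture restic's status before the cleanup and exit with it: `/usr/local/bin/restic backup "$snapshot_dir"; rc=$?` after the snapshot, then `exit "$rc"` as the last line after the delete. The snapshot step will also fail outright if a stale `${data_dir}.snapshot` survives an interrupted run; registering the delete in a `trap ... EXIT` right after the snapshot succeeds would make the cleanup hold when the script is killed between the two btrfs calls as well.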
@@ -0,0 +1,80 @@
+---
+- name: Ensure data directory is present
+ ansible.builtin.file:
+ path: '/mnt/data1/vieter'
+ state: directory
+ mode: '0755'
+ owner: 'root'
+ group: 'root'
+
+- name: Ensure data subvolumes are present
+ community.general.btrfs_subvolume:
+ name: '/vieter/{{ item }}'
+ loop:
+ - 'data'
+
+- name: Ensure subvolume permissions are correct
+ ansible.builtin.file:
+ path: "/mnt/data1/vieter/{{ item }}"
+ state: directory
+ mode: '0755'
+ owner: '33'
+ group: '33'
+ loop:
+ - 'data'
+
+- name: Ensure configuration directory is present
+ ansible.builtin.file:
+ path: '/etc/vieter'
+ state: directory
+ mode: '0755'
+
+- name: Ensure environment file is present
+ ansible.builtin.template:
+ src: 'vieter.env.j2'
+ dest: '/etc/vieter/vieter.env'
+ mode: '0644'
+ owner: 'root'
+ group: 'root'
+ notify: 'restart vieter'
+
+- name: Ensure backup scripts are present
+ ansible.builtin.copy:
+ src: "vieter.{{ item }}.backup.sh"
+ dest: "/etc/backups/vieter.{{ item }}.backup.sh"
+ owner: 'root'
+ group: 'root'
+ mode: '0644'
+ loop:
+ - 'data'
+
+- name: Ensure Container unit files are present
+ ansible.builtin.copy:
+ src: "{{ item }}"
+ dest: "/etc/containers/systemd/{{ item }}"
+ mode: '0644'
+ owner: 'root'
+ group: 'root'
+ loop:
+ - 'vieter-server.container'
+ register: res
+
+- name: systemd-reload
+ ansible.builtin.systemd_service:
+ daemon_reload: true
+ when: 'res.changed'
+
+- name: Ensure Caddyfile is present
+ ansible.builtin.copy:
+ src: 'vieter-server.Caddyfile'
+ dest: '/etc/caddy/vieter-server.Caddyfile'
+ mode: '0644'
+ owner: 'root'
+ group: 'root'
+ notify: 'reload caddy'
+
+- name: Ensure vieter service is enabled
+ ansible.builtin.service:
+ name: 'vieter-server'
+ enabled: true
+ state: 'started'
diff --git a/roles/any.software.vieter-podman/templates/vieter.env.j2 b/roles/any.software.vieter-podman/templates/vieter.env.j2
new file mode 100644
index 0000000..74dec36
--- /dev/null
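Review bot: The `Ensure environment file is present` task writes `/etc/vieter/vieter.env` with `mode: '0644'`, and that template carries `VIETER_API_KEY`, so the API key ends up readable by every local account on the host. The unit lives under `/etc/containers/systemd/`, which is the system (root) Quadlet location, so root is the only reader that needs access and `mode: '0600'` is the right setting there. Two smaller points in the same file: the backup script is installed to `/etc/backups/` with `mode: '0644'` (not executable), which is fine only if the backup runner invokes it through `bash` — a comment stating that, or `'0755'`, would remove the ambiguity; and `owner: '33'` / `group: '33'` on the data subvolume is a bare uid that deserves a comment such as `# uid/gid the vieter image runs as (www-data) — confirm against the image`, since nothing in the role explains it.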
+++ b/roles/any.software.vieter-podman/templates/vieter.env.j2
@@ -0,0 +1,11 @@
+VIETER_API_KEY={{ vieter_api_key }}
+VIETER_LOG_LEVEL=DEBUG
+VIETER_DEFAULT_ARCH=x86_64
+VIETER_BASE_IMAGE=ghcr.io/menci/archlinuxarm:base-devel
+VIETER_GLOBAL_SCHEDULE=0 23
+VIETER_MAX_LOG_AGE=120
+VIETER_COLLECT_METRICS=0
+VIETER_ADDRESS=https://arch.r8r.be
+VIETER_MAX_CONCURRENT_BUILDS=1
+VIETER_ARCH=x86_64
+VIETER_POLLING_FREQUENCY=120
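Review bot: `VIETER_LOG_LEVEL=DEBUG` is hard-coded in the template for a service published at `https://arch.r8r.be`; if that is not meant to be the steady state on the production host, it is worth either lowering it or making it a role variable with a quieter default, e.g. `VIETER_LOG_LEVEL={{ vieter_log_level | default('INFO') }}`, so a noisy level has to be opted into per host. More generally the role is named as a generic `any.software.*` role but bakes the host-specific domain into this template, the Caddyfile and the Quadlet port, so a reader would expect those to be variables; if the role is intentionally single-host, a one-line comment at the top of tasks/main.yml saying so would set expectations.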