ci: test environment docker image for CI pipelines

This commit includes a Dockerfile for building a test environment for
future CI pipelines. This commit also refactors the GitLab CI pipeline
files by splitting the jobs into different files:

- .gitlab-ci.yml: Global CI pipeline file.
- .gitlab/ci/test-env.gitlab-ci.yml: Jobs to test and publish the
docker image for the test environment.
- .gitlab/ci/playbook.gitlab-ci.yml: Jobs to test and publish the
docker image for the pleroma playbook
- .gitlab/ci/templates/docker.gitlab-ci.yml: Template jobs for
testing and publishing docker images.

Part of dananglin/pleroma-ansible-playbook#17

.gitignore

@@ -1,6 +1,5 @@
 inventories/*
 !inventories/.gitkeep
-site.yml
 vapid-private-key.pem
 
 library/__pycache__/

.gitlab-ci.yml

@@ -1,79 +1,15 @@
 ---
+workflow:
+  rules:
+  - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
+  - if: '$CI_COMMIT_TAG'
+  - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+
 stages:
 - test
 - publish
 
-.use-python:
-  image: python:3.7.6-slim-buster
-
-.docker-build-setup:
-  image: docker:19.03.8
-  services:
-  - docker:19.03.8-dind
-
-.install-make: &install-make
-- apk add --no-cache make
-
-test:dockerfile-lint:
-  stage: test
-  image: hadolint/hadolint:v1.17.5-alpine
-  script:
-  - hadolint ./Dockerfile
-  only:
-    refs:
-    - merge_requests
-    changes:
-    - Dockerfile
-  except:
-    refs:
-    - master
-
-test:docker-image-build:
-  stage: test
-  extends: .docker-build-setup
-  script:
-  - *install-make
-  - export IMAGE_DATE=$(date -Iseconds)
-  - make image
-  only:
-    refs:
-    - merge_requests
-    changes:
-    - Dockerfile
-  except:
-    refs:
-    - master
-
-test:custom-modules:
-  stage: test
-  extends: .use-python
-  before_script:
-  - apt-get update && apt-get install make
-  - pip install ansible==2.9.6
-  script:
-  - make test_modules_unit
-  only:
-    refs:
-    - merge_requests
-    changes:
-    - library/*
-  except:
-    refs:
-    - master
-
-publish:docker-image:
-  stage: publish
-  extends: .docker-build-setup
-  before_script:
-  - docker login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY}
-  after_script:
-  - docker logout ${CI_REGISTRY}
-  script:
-  - *install-make
-  - export IMAGE_DATE=$(date -Iseconds)
-  - make publish
-  only:
-  - /^v[0-9]+(.[0-9]+){2}$/
-  variables:
-    IMAGE_NAME: ${CI_REGISTRY}/${CI_PROJECT_PATH}/playbook
-    IMAGE_TAG: ${CI_COMMIT_REF_NAME}
+include:
+- local: '/.gitlab/ci/templates/docker.gitlab-ci.yml'
+- local: '/.gitlab/ci/test-env.gitlab-ci.yml'
+- local: '/.gitlab/ci/playbook.gitlab-ci.yml'

.gitlab/ci/playbook.gitlab-ci.yml

@@ -0,0 +1,60 @@
+---
+.use-python:
+  image: python:3.7.6-slim-buster
+
+.playbook-docker-vars:
+  variables:
+    DOCKERFILE: "Dockerfile"
+    IMAGE_NAME: ${CI_REGISTRY}/${CI_PROJECT_PATH}/playbook
+    IMAGE_TAG: ${CI_COMMIT_REF_NAME}
+
+.playbook-docker-test-rules:
+  rules:
+  - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
+    changes:
+    - "Dockerfile"
+    when: always
+
+test:playbook:dockerfile-lint:
+  extends:
+  - .dockerfile-lint
+  - .playbook-docker-vars
+  - .playbook-docker-test-rules
+
+test:playbook:docker-build:
+  extends:
+  - .dockerbuild-test
+  - .playbook-docker-vars
+  - .playbook-docker-test-rules
+  script:
+  - export IMAGE_DATE=$(date -Iseconds)
+  - export BUILD_ARGS="--build-arg BUILD_TAG=${IMAGE_TAG} --build-arg BUILD_TIME=${IMAGE_DATE}"
+  - make image
+
+test:playbook:custom-modules:
+  stage: test
+  extends: .use-python
+  before_script:
+  - apt-get update && apt-get install make
+  - pip install ansible==2.9.7
+  script:
+  - make test_modules_unit
+  only:
+    refs:
+    - merge_requests
+    changes:
+    - library/*
+  except:
+    refs:
+    - master
+
+publish:playbook:docker-image:
+  extends:
+  - .docker-publish
+  - .playbook-docker-vars
+  script:
+  - export IMAGE_DATE=$(date -Iseconds)
+  - export BUILD_ARGS="--build-arg BUILD_TAG=${IMAGE_TAG} --build-arg BUILD_TIME=${IMAGE_DATE}"
+  - make publish
+  only:
+  - /^v[0-9]+(.[0-9]+){2}$/

.gitlab/ci/templates/docker.gitlab-ci.yml

@@ -0,0 +1,29 @@
+---
+.install-make: &install-make
+  - apk add --no-cache make
+
+.docker-build-setup:
+  image: docker:19.03.8
+  services:
+  - docker:19.03.8-dind
+
+.dockerfile-lint:
+  stage: test
+  image: hadolint/hadolint:v1.18.0-alpine
+  script:
+  - hadolint ${DOCKERFILE}
+
+.dockerbuild-test:
+  stage: test
+  extends: .docker-build-setup
+  before_script:
+  - *install-make
+
+.docker-publish:
+  stage: publish
+  extends: .docker-build-setup
+  before_script:
+  - *install-make
+  - docker login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY}
+  after_script:
+  - docker logout ${CI_REGISTRY}

.gitlab/ci/test-env.gitlab-ci.yml

@@ -0,0 +1,39 @@
+---
+.test-env-docker-vars:
+  variables:
+    IMAGE_NAME: ${CI_REGISTRY}/${CI_PROJECT_PATH}/test-environment
+    IMAGE_TAG: ${CI_COMMIT_SHORT_SHA}
+    DOCKERFILE: "test/pleroma_test_env/Dockerfile"
+    DOCKER_CONTEXT: "test/pleroma_test_env"
+    BUILD_ARGS: "--build-arg TEST_ENV_PASSWORD=${TEST_ENV_PASSWORD}"
+
+.test-env-test-rules:
+  rules:
+  - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
+    changes:
+    - "test/pleroma_test_env/Dockerfile"
+    when: always
+
+test:test-env:dockerfile-lint:
+  extends:
+  - .dockerfile-lint
+  - .test-env-docker-vars
+  - .test-env-test-rules
+
+test:test-env:docker-build:
+  extends:
+  - .dockerbuild-test
+  - .test-env-docker-vars
+  - .test-env-test-rules
+  script:
+  - make image
+
+publish:test-env:docker-image:
+  extends:
+  - .docker-publish
+  - .test-env-docker-vars
+  script:
+  - make publish
+  rules:
+  - if: '$CI_PIPELINE_SOURCE == "web"'
+    when: always

Makefile

@@ -2,7 +2,8 @@ VAPID_PRIVATE_KEY_FILE := vapid-private-key.pem
 INVENTORY ?= "hosts.yml"
 PLAYBOOK_TAGS ?= "all"
 PLAYBOOK_FILE ?= "playbook.yml"
-DOCKERFILE = Dockerfile
+DOCKERFILE ?= Dockerfile
+DOCKER_CONTEXT ?= .
 IMAGE_NAME ?= pleroma-ansible-playbook
 IMAGE_TAG ?= latest
 IMAGE_DATE ?= nil
@@ -37,7 +38,7 @@ test_modules_unit:
 	@find ./library -mindepth 1 -maxdepth 1 -type f -name test_*.py | xargs python3
 
 image:
-	@docker build --build-arg BUILD_TAG=$(IMAGE_TAG) --build-arg BUILD_TIME=$(IMAGE_DATE) -f $(DOCKERFILE) -t $(DOCKER_IMAGE) .
+	@docker build $(BUILD_ARGS) -f $(DOCKERFILE) -t $(DOCKER_IMAGE) $(DOCKER_CONTEXT)
 
 publish: image
 	@docker push $(DOCKER_IMAGE)

test/pleroma_test_env/.dockerignore

@@ -0,0 +1,2 @@
+*
+!files

test/pleroma_test_env/Dockerfile

@@ -0,0 +1,30 @@
+FROM dockage/alpine:3.10-openrc
+
+ARG TEST_ENV_UID=1100
+ARG TEST_ENV_USER=admin
+ARG TEST_ENV_PASSWORD
+ARG SSH_DIR=/home/admin/.ssh
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+
+RUN apk add --no-cache \
+        bash=5.0.0-r0 \
+        openssh=8.1_p1-r0 \
+        sudo=1.8.27-r2 \
+        python3=3.7.7-r0 \
+    && \
+    adduser -u ${TEST_ENV_UID} -s /bin/bash -D ${TEST_ENV_USER} && \
+    echo ${TEST_ENV_USER}:${TEST_ENV_PASSWORD} | chpasswd && \
+    mkdir ${SSH_DIR} && \
+    chown ${TEST_ENV_USER}:${TEST_ENV_USER} ${SSH_DIR} && chmod 0700 ${SSH_DIR} && \
+    touch ${SSH_DIR}/authorized_keys && \
+    chown ${TEST_ENV_USER}:${TEST_ENV_USER} ${SSH_DIR}/authorized_keys && \
+    chmod 0600 ${SSH_DIR}/authorized_keys && \
+    rc-status && \
+    touch /run/openrc/softlevel
+
+COPY files/entrypoint /entrypoint
+COPY files/admin-sudoers /etc/sudoers.d/admin
+
+EXPOSE 22 80 443
+
+CMD ["/entrypoint"]

test/pleroma_test_env/files/admin-sudoers

@@ -0,0 +1 @@
+admin ALL=(ALL) NOPASSWD: ALL

test/pleroma_test_env/files/entrypoint

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+set euo -pipefail
+
+# Add authorized keys
+if ! [ -z "${AUTHORIZED_KEYS}" ]; then 
+    echo ${AUTHORIZED_KEYS} > /home/admin/.ssh/authorized_keys
+fi
+
+# Start SSH service
+rc-service sshd start
+
+# Sleep and wait
+sleep 30d