feat: add drone vm

The ansible_host IP address is changed from the public IP to the internal IP (10.0.9.9) to improve security by using internal networking for communication.

feat(renovate/tasks/main.yml): add renovate clean cron job to maintain a clean environment
A new cron job is added to run twice daily at 2 AM and 2 PM. This job will clean up the environment by running `docker-compose down -v --remove-orphans` and then starting the services again with `docker-compose up -d`. The output is logged to /var/log/renovate-clean.log for monitoring purposes. This ensures a clean environment and helps prevent potential issues caused by stale or orphaned containers.

hosts

@@ -1,5 +1,10 @@
 [bespoke]
-renovate  ansible_ssh_private_key_file=~/.ssh/id_clank ansible_host=5.75.254.153 wireguard_peer_ip=10.0.9.9
+renovate  ansible_ssh_private_key_file=~/.ssh/id_clank ansible_host=10.0.9.9
+drone     ansible_ssh_private_key_file=~/.ssh/id_clank ansible_host=10.0.10.2
+
+[wireguard]
+renovate  ansible_ssh_private_key_file=~/.ssh/id_clank ansible_host=10.0.9.9 wireguard_peer_ip=10.0.9.9
 
 [renovate]
-renovate  ansible_ssh_private_key_file=~/.ssh/id_clank ansible_host=5.75.254.153 wireguard_peer_ip=10.0.9.9
+renovate  ansible_ssh_private_key_file=~/.ssh/id_clank ansible_host=10.0.9.9
+

renovate.json

@@ -0,0 +1,3 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json"
+}

roles/bespoke/tasks/main.yaml

@@ -1,52 +1,4 @@
 ---
-- name: install wireguard
-  apt: 
-    name: wireguard
-    update_cache: yes
-    cache_valid_time: 3600
-
-- name: generate private and public key pair
-  args:
-    creates: /etc/wireguard
-  shell: |
-    mkdir -p /etc/wireguard/
-    cd /etc/wireguard/
-    wg genkey | tee clank-privatekey | wg pubkey > clank-publickey
-    chmod 0400 clank-privatekey
-    chmod 0400 clank-publickey
-
-- name: read public key
-  command: cat /etc/wireguard/clank-publickey
-  register: wireguard_publickey
-
-- name: read private key
-  command: cat /etc/wireguard/clank-privatekey
-  register: wireguard_privatekey
-
-- name: print publickey
-  debug:
-    msg: "{{ wireguard_publickey.stdout_lines[0] }}"
-
-- name: Generate WireGuard configuration
-  template:
-    src: wireguard.conf.j2
-    dest: /etc/wireguard/wg0.conf
-  vars:
-    interface_address: "{{ wireguard_peer_ip }}"
-    listen_port: " {{ main_wireguard_port }} "
-    private_key: "{{ wireguard_privatekey.stdout_lines[0] }}"
-    allowed_ips: "10.0.9.0/24"
-    peer_public_key: "{{ main_wireguard_public_key }}"
-    endpoint: "{{ main_wireguard_ip }}:{{ main_wireguard_port }}"
-    persistent_keepalive: 25
-
-- name: enable and start wireguard service 
-  systemd:
-    name: "wg-quick@wg0"
-    state: started
-    enabled: yes
-
-
 - name: Update apt cache
   apt:
     update_cache: yes

roles/repos/renovate/tasks/main.yml

@@ -24,3 +24,11 @@
   docker_compose:
     project_src: ~/git/git.front.kjuulh.io/kjuulh/renovate/
   when: compose_file_stat.stat.exists and github_env_stat.stat.exists and env_stat.stat.exists
+
+- name: renovate clean cron job
+  cron:
+    name: renovate clean cronjob
+    user: "root"
+    minute: "0"
+    hour: "2,14"
+    job: "docker-compose -f ~/git/git.front.kjuulh.io/kjuulh/renovate/docker-compose.yaml down -v --remove-orphans && docker-compose -f ~/git/git.front.kjuulh.io/kjuulh/renovate/docker-compose.yaml up -d >> /var/log/renovate-clean.log 2>&1"

roles/wireguard/tasks/main.yaml

@@ -0,0 +1,47 @@
+---
+- name: install wireguard
+  apt: 
+    name: wireguard
+    update_cache: yes
+    cache_valid_time: 3600
+
+- name: generate private and public key pair
+  args:
+    creates: /etc/wireguard
+  shell: |
+    mkdir -p /etc/wireguard/
+    cd /etc/wireguard/
+    wg genkey | tee clank-privatekey | wg pubkey > clank-publickey
+    chmod 0400 clank-privatekey
+    chmod 0400 clank-publickey
+
+- name: read public key
+  command: cat /etc/wireguard/clank-publickey
+  register: wireguard_publickey
+
+- name: read private key
+  command: cat /etc/wireguard/clank-privatekey
+  register: wireguard_privatekey
+
+- name: print publickey
+  debug:
+    msg: "{{ wireguard_publickey.stdout_lines[0] }}"
+
+- name: Generate WireGuard configuration
+  template:
+    src: wireguard.conf.j2
+    dest: /etc/wireguard/wg0.conf
+  vars:
+    interface_address: "{{ wireguard_peer_ip }}"
+    listen_port: " {{ main_wireguard_port }} "
+    private_key: "{{ wireguard_privatekey.stdout_lines[0] }}"
+    allowed_ips: "10.0.9.0/24"
+    peer_public_key: "{{ main_wireguard_public_key }}"
+    endpoint: "{{ main_wireguard_ip }}:{{ main_wireguard_port }}"
+    persistent_keepalive: 25
+
+- name: enable and start wireguard service 
+  systemd:
+    name: "wg-quick@wg0"
+    state: started
+    enabled: yes