Code cleanup and move prune into general cron service

joecorall · joecorall · commit 0e5cfd289508 · 2025-11-24T17:31:41.000-05:00
diff --git a/Makefile b/Makefile
@@ -5,5 +5,5 @@ lint:
 	@find . -type f -name "*.sh" -exec shellcheck {} +
 
 docs:
-	terraform-docs markdown table --output-file README.md .
+	terraform-docs markdown table --sort-by required --output-file README.md .
 
diff --git a/README.md b/README.md
@@ -2,7 +2,6 @@
 
 Deploy a docker compose project to a Google Cloud Compute Instance.
 
-
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
 
@@ -48,18 +47,20 @@ Deploy a docker compose project to a Google Cloud Compute Instance.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_docker_compose_repo"></a> [docker\_compose\_repo](#input\_docker\_compose\_repo) | git repo to checkout that contains a docker compose project | `string` | n/a | yes |
+| <a name="input_name"></a> [name](#input\_name) | The site name (will be the name of the GCP instance) | `string` | n/a | yes |
+| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | The GCP project ID | `string` | n/a | yes |
+| <a name="input_project_number"></a> [project\_number](#input\_project\_number) | The GCP project number | `string` | n/a | yes |
 | <a name="input_allowed_ips"></a> [allowed\_ips](#input\_allowed\_ips) | CIDR IP Addresses allowed to turn on this site's GCP instance | `list(string)` | `[]` | no |
+| <a name="input_allowed_ssh_ipv4"></a> [allowed\_ssh\_ipv4](#input\_allowed\_ssh\_ipv4) | CIDR IPv4 Addresses allowed to to SSH into this site's GCP instance | `list(string)` | `[]` | no |
+| <a name="input_allowed_ssh_ipv6"></a> [allowed\_ssh\_ipv6](#input\_allowed\_ssh\_ipv6) | CIDR IPv6 Addresses allowed to SSH into this site's GCP instance | `list(string)` | `[]` | no |
 | <a name="input_disk_size_gb"></a> [disk\_size\_gb](#input\_disk\_size\_gb) | Data disk size in GB | `number` | `25` | no |
 | <a name="input_docker_compose_branch"></a> [docker\_compose\_branch](#input\_docker\_compose\_branch) | git branch to checkout for var.docker\_compose\_repo | `string` | `"main"` | no |
 | <a name="input_docker_compose_down"></a> [docker\_compose\_down](#input\_docker\_compose\_down) | Command to stop the docker compose project | `string` | `"docker compose down"` | no |
 | <a name="input_docker_compose_init"></a> [docker\_compose\_init](#input\_docker\_compose\_init) | After cloning the docker compose git repo, any initialization that needs to happen before the docker compose project can start | `string` | `""` | no |
-| <a name="input_docker_compose_repo"></a> [docker\_compose\_repo](#input\_docker\_compose\_repo) | git repo to checkout that contains a docker compose project | `string` | n/a | yes |
 | <a name="input_docker_compose_up"></a> [docker\_compose\_up](#input\_docker\_compose\_up) | Command to start the docker compose project | `string` | `"docker compose up --remove-orphans"` | no |
 | <a name="input_machine_type"></a> [machine\_type](#input\_machine\_type) | VM machine type | `string` | `"e2-medium"` | no |
-| <a name="input_name"></a> [name](#input\_name) | The site name | `string` | n/a | yes |
-| <a name="input_os"></a> [os](#input\_os) | The host OS to install on the GCP instance | `string` | `"cos-117-18613-439-28"` | no |
-| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | libops project ID (logical identifier, not GCP project ID) | `string` | n/a | yes |
-| <a name="input_project_number"></a> [project\_number](#input\_project\_number) | The GCP project to use | `string` | n/a | yes |
+| <a name="input_os"></a> [os](#input\_os) | The host OS to install on the GCP instance | `string` | `"cos-125-19216-104-25"` | no |
 | <a name="input_region"></a> [region](#input\_region) | GCP region for resources | `string` | `"us-central1"` | no |
 | <a name="input_zone"></a> [zone](#input\_zone) | GCP zone for resources | `string` | `"us-central1-f"` | no |
 
diff --git a/main.tf b/main.tf
@@ -9,7 +9,10 @@ terraform {
   }
 }
 
-provider "google" {}
+provider "google" {
+  project = var.project_id
+  region  = var.region
+}
 
 locals {
   rootFs = "${path.module}/rootfs"
@@ -127,7 +130,6 @@ resource "google_compute_instance" "cloud-compose" {
     GCP_INSTANCE_NAME            = var.name
     GCP_REGION                   = var.region
     GCP_ZONE                     = var.zone
-    LIBOPS_SITE                  = var.name
     DOCKER_COMPOSE_REPO          = var.docker_compose_repo
     DOCKER_COMPOSE_BRANCH        = var.docker_compose_branch
     DOCKER_COMPOSE_INIT_CMD      = var.docker_compose_init
@@ -175,7 +177,6 @@ resource "google_project_iam_member" "gce-suspend" {
   member  = "serviceAccount:${google_service_account.cloud-compose.email}"
 }
 
-
 # =============================================================================
 # CLOUD RUN INGRESS
 # =============================================================================
@@ -205,15 +206,15 @@ EOT
     name         = var.name
     usePrivateIp = "true"
   }
-  allowed_ips = [
+  allowed_ips = tolist([
     "127.0.0.1/32",
     "10.0.0.0/8",
     "172.16.0.0/12",
     "192.168.0.0/16",
-  ]
+  ])
 
   dynamic_properties = {
-    allowedIps      = merge(local.allowed_ips, var.allowed_ips)
+    allowedIps      = concat(local.allowed_ips, var.allowed_ips)
     machineMetadata = local.machine
   }
 
diff --git a/rootfs/etc/libops/docker-compose.yaml b/rootfs/etc/libops/docker-compose.yaml
@@ -2,7 +2,7 @@ networks:
   internal:
 services:
   libops-lightsout:
-    image: ghcr.io/libops/lightsout:main@sha256:66b761007d196e05e7039eaa16da7a55388b8851065b256b020d5dce0df4ca3c
+    image: ghcr.io/libops/lightsout:main@sha256:b61680d4c2ad03f9cfe1f47341eec128df8782a453bcfd708068a6d5c8877a02
     ports:
       - "8808:8808"
     networks:
@@ -36,7 +36,7 @@ services:
       - /mnt/disks/data/docker/:/var/lib/docker:ro
       - /dev/disk/:/dev/disk:ro
   libops-cap:
-    image: ghcr.io/libops/cap:main@sha256:d94b9524c2c9e75915a47fbcbce2dfc132816002cdb1fcf4c21b136c7dc3ddbb
+    image: ghcr.io/libops/cap:main@sha256:e81950f30fd31dcbbe5ce024b87335aa6be4e24553df2744769267715e404364
     networks:
       - internal
     restart: unless-stopped
diff --git a/rootfs/etc/systemd/system/cloud-compose.service b/rootfs/etc/systemd/system/cloud-compose.service
@@ -6,8 +6,8 @@ StartLimitIntervalSec=120
 StartLimitBurst=3
 
 [Service]
+Environment="HOME=/home/cloud-compose"
 WorkingDirectory=/mnt/disks/data/compose
-EnvironmentFile=/home/cloud-compose/env
 ExecStart=/mnt/disks/data/up
 ExecStop=/mnt/disks/data/down
 Restart=on-failure
diff --git a/rootfs/etc/systemd/system/cron.service b/rootfs/etc/systemd/system/cron.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=cron
+After=internal-services.service
+
+[Service]
+Type=oneshot
+ExecStart=/bin/bash /home/cloud-compose/cron.sh
+User=root
+Group=root
+SuccessExitStatus=0
diff --git a/rootfs/etc/systemd/system/cron.timer b/rootfs/etc/systemd/system/cron.timer
@@ -1,9 +1,10 @@
 [Unit]
-Description=prune
+Description=cron
 
 [Timer]
 OnBootSec=10m
-OnUnitActiveSec=1h
+OnUnitInactiveSec=24h
+WakeSystem=true
 
 [Install]
 WantedBy=timers.target
diff --git a/rootfs/etc/systemd/system/internal-services.service b/rootfs/etc/systemd/system/internal-services.service
@@ -1,16 +1,15 @@
 [Unit]
-Description=Internal Services (Ping, SSH, Power Management)
+Description=Internal Services (Ping, Metrics, Power Management)
 BindsTo=docker.service
 After=cloud-compose.service
 StartLimitIntervalSec=120
 StartLimitBurst=3
 
 [Service]
-EnvironmentFile=/home/cloud-compose/env
+Environment="HOME=/home/cloud-compose"
 WorkingDirectory=/etc/libops
-ExecStartPre=/usr/bin/docker compose -f docker-compose.internal.yml pull
-ExecStart=/usr/bin/docker compose -f docker-compose.internal.yml up
-ExecStop=/usr/bin/docker compose -f docker-compose.internal.yml down
+ExecStart=/usr/bin/docker compose up
+ExecStop=/usr/bin/docker compose down
 Restart=on-failure
 RestartSec=30s
 
diff --git a/rootfs/etc/systemd/system/prune.service b/rootfs/etc/systemd/system/prune.service
diff --git a/rootfs/etc/systemd/system/runner.service b/rootfs/etc/systemd/system/runner.service
diff --git a/rootfs/home/cloud-compose/cron.sh b/rootfs/home/cloud-compose/cron.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+set -eou pipefail
+
+echo "Running daily cron"
+
+export DIR=/etc/libops
+bash /home/cloud-compose/rollout.sh
+
+/usr/bin/docker system prune -af
diff --git a/rootfs/home/cloud-compose/fluent-bit.conf b/rootfs/home/cloud-compose/fluent-bit.conf
@@ -1,6 +1,6 @@
 [INPUT]
     Name systemd
     Tag  cos_docker
-    Systemd_Filter _SYSTEMD_UNIT=internal-services.service
+    Systemd_Filter _SYSTEMD_UNIT=cloud-compose.service
     DB /var/log/google-fluentbit/sync-conf.log.db
     Read_From_Tail False
diff --git a/rootfs/home/cloud-compose/host-init.sh b/rootfs/home/cloud-compose/host-init.sh
@@ -36,6 +36,10 @@ echo "SITE_DOCKER_REGISTRY=us-docker.pkg.dev/${GCP_PROJECT}/private" >> env.tmp
 
 if ! diff <(md5sum env.tmp) <(md5sum env); then
   mv env.tmp env
+  cp env /etc/libops/.env
+  if [ -d /mnt/disks/data/compose ]; then
+    cp env /mnt/disks/data/compose/.env
+  fi
 fi
 
 # generate the docker compose init/up/down commands
diff --git a/rootfs/home/cloud-compose/init-app.sh b/rootfs/home/cloud-compose/init-app.sh
@@ -2,7 +2,6 @@
 
 set -eou pipefail
 
-
 # shellcheck disable=SC1091
 source /home/cloud-compose/env
 export HOME
@@ -14,36 +13,17 @@ if [ ! -d "$DIR" ]; then
 fi
 
 pushd "$DIR"
-git pull origin "$DOCKER_COMPOSE_BRANCH"
+git pull origin "$DOCKER_COMPOSE_BRANCH" || echo "Unable to git pull"
+
 /usr/bin/docker-credential-gcr configure-docker --registries us-docker.pkg.dev
 
 # run the docker compose init command if it exists
 /mnt/disks/data/init
 
-# Pull all images and check if any were updated
-shopt -s nullglob
-RESTART=0
-grep "image:" ./*.{yml,yaml} | awk -F': ' '{print $2}' | while read -r IMAGE; do
-    # Skip empty lines and comments
-    if [ -z "$IMAGE" ] || [[ "$IMAGE" =~ ^# ]]; then
-      continue
-    fi
-
-    current_image_id=$(docker images --format "{{.ID}}" "$IMAGE" || echo "")
-    docker pull "$IMAGE"
-    new_image_id=$(docker images --format "{{.ID}}" "$IMAGE")
-
-    if [ "$current_image_id" != "$new_image_id" ]; then
-      RESTART=1
-    fi
-done
-shopt -u nullglob
-
-if [ "$RESTART" -eq 1 ]; then
-  SERVICE=$(grep -sl "WorkingDirectory=$DIR" /etc/systemd/system/*.service | xargs basename)
-  if [ -n "$SERVICE" ]; then
-    systemctl restart "$SERVICE"
-  fi
-fi
+export DIR
+bash /home/cloud-compose/rollout.sh
+
+chgrp developers /mnt/disks/data/compose
+chmod g+s /mnt/disks/data/compose
 
 popd
diff --git a/rootfs/home/cloud-compose/rollout.sh b/rootfs/home/cloud-compose/rollout.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+set -eou pipefail
+
+pushd "$DIR"
+
+# Pull all images and check if any were updated
+shopt -s nullglob
+RESTART=0
+grep "image:" ./*.{yml,yaml} | awk -F': ' '{print $2}' | while read -r IMAGE; do
+    # Skip empty lines and comments
+    if [ -z "$IMAGE" ] || [[ "$IMAGE" =~ ^# ]]; then
+      continue
+    fi
+
+    current_image_id=$(docker images --format "{{.ID}}" "$IMAGE" || echo "")
+    docker pull "$IMAGE"
+    new_image_id=$(docker images --format "{{.ID}}" "$IMAGE")
+
+    if [ "$current_image_id" != "$new_image_id" ]; then
+      RESTART=1
+    fi
+done
+shopt -u nullglob
+
+if [ "$RESTART" -eq 1 ]; then
+  SERVICE=$(grep -sl "WorkingDirectory=$DIR" /etc/systemd/system/*.service | xargs basename)
+  if [ -n "$SERVICE" ]; then
+    systemctl restart "$SERVICE"
+  fi
+fi
+
+popd
diff --git a/templates/cloud-init.yml b/templates/cloud-init.yml
@@ -3,6 +3,8 @@
 users:
 - name: cloud-compose
   shell: /bin/bash
+groups:
+  - developers
 
 bootcmd:
 - fsck.ext4 -tvy $(readlink -f /dev/disk/by-id/google-data) || mkfs.ext4 -m 0 -E lazy_itable_init=0,lazy_journal_init=0,discard $(readlink -f /dev/disk/by-id/google-data)
@@ -18,7 +20,5 @@ runcmd:
 - bash /home/cloud-compose/host-init.sh
 - bash /home/cloud-compose/init-app.sh
 - systemctl start cloud-compose.service
-# - systemctl start runner.service
-- systemctl start prune.timer
-# - systemctl start rollout.timer
 - systemctl start internal-services.service
+- systemctl start cron.timer
diff --git a/variables.tf b/variables.tf
@@ -1,11 +1,11 @@
 variable "project_id" {
-  description = "libops project ID (logical identifier, not GCP project ID)"
+  description = "The GCP project ID"
   type        = string
 }
 
 variable "project_number" {
   type        = string
-  description = "The GCP project to use"
+  description = "The GCP project number"
 }
 
 variable "region" {
@@ -22,7 +22,7 @@ variable "zone" {
 
 variable "name" {
   type        = string
-  description = "The site name"
+  description = "The site name (will be the name of the GCP instance)"
 }
 
 variable "machine_type" {
@@ -39,7 +39,7 @@ variable "disk_size_gb" {
 
 variable "os" {
   type        = string
-  default     = "cos-117-18613-439-28"
+  default     = "cos-125-19216-104-25"
   description = "The host OS to install on the GCP instance"
 }
 
@@ -77,3 +77,15 @@ variable "allowed_ips" {
   default     = []
   description = "CIDR IP Addresses allowed to turn on this site's GCP instance"
 }
+
+variable "allowed_ssh_ipv4" {
+  type        = list(string)
+  default     = []
+  description = "CIDR IPv4 Addresses allowed to to SSH into this site's GCP instance"
+}
+
+variable "allowed_ssh_ipv6" {
+  type        = list(string)
+  default     = []
+  description = "CIDR IPv6 Addresses allowed to SSH into this site's GCP instance"
+}
