From 35278d73b75f7c4b7c2fb36e6d8a6b1c74bcfe0e Mon Sep 17 00:00:00 2001
From: Anton Vakhrushev
Date: Sat, 25 Feb 2023 20:52:58 +0300
Subject: [PATCH] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=B8=D0=BB=20?= =?UTF-8?q?=D1=81=D0=BA=D1=80=D0=B8=D0=BF=D1=82=20=D0=BB=D0=BE=D0=B3=D0=B8?= =?UTF-8?q?=D0=BD=D0=B0=20=D0=B2=20=D0=B4=D0=BE=D0=BA=D0=B5=D1=80=20=D1=80?= =?UTF-8?q?=D0=B5=D0=B5=D1=81=D1=82=D1=80=20yandex=20=D0=B4=D0=BB=D1=8F=20?= =?UTF-8?q?=D0=BA=D0=B0=D0=B6=D0=B4=D0=BE=D0=B3=D0=BE=20=D0=BF=D0=BE=D0=BB?= =?UTF-8?q?=D1=8C=D0=B7=D0=BE=D0=B2=D0=B0=D1=82=D0=B5=D0=BB=D1=8F?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 Makefile | 4 ++++
 ansible/configuration.yml | 1 +
 .../docker-app/files/yandex-docker-registry-auth.sh | 11 +++++++++++
 ansible/roles/docker-app/tasks/main.yml | 6 ++++++
 4 files changed, 22 insertions(+)
 create mode 100644 ansible/roles/docker-app/files/yandex-docker-registry-auth.sh
diff --git a/Makefile b/Makefile
index 8c742b7..8fa5240 100644
--- a/Makefile
+++ b/Makefile
@@ -38,6 +38,7 @@ configure:
 $(TAGS_ARGS) \
 --inventory="$(INVENTORY)" \
 --extra-vars='ansible_python_interpreter=/usr/bin/python3' \
+ -vvv \
 $(PLAYBOOK)
 configure-prod:
@@ -46,6 +47,9 @@ configure-prod:
 configure-apps:
 $(MAKE) configure TAGS="webserver,apps,env"
+configure-users:
+ $(MAKE) configure TAGS="apps,env"
+
 dry-run:
 ANSIBLE_HOST_KEY_CHECKING=$(ANSIBLE_HOST_KEY_CHECKING) \
 ansible-playbook \
diff --git a/ansible/configuration.yml b/ansible/configuration.yml
index 48339c1..301462c 100644
--- a/ansible/configuration.yml
+++ b/ansible/configuration.yml
@@ -19,6 +19,7 @@
 packages:
 - git
 - python3-pip
+ - acl
 - import_role:
 name: yatesr.timezone
diff --git a/ansible/roles/docker-app/files/yandex-docker-registry-auth.sh b/ansible/roles/docker-app/files/yandex-docker-registry-auth.sh
new file mode 100644
index 0000000..457cb3e
--- /dev/null
+++ b/ansible/roles/docker-app/files/yandex-docker-registry-auth.sh
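Review bot: The `-vvv \` line added to the `configure` recipe in `Makefile` turns on connection-debug verbosity for every run, so task arguments and module results are printed in full, and any task that handles a secret without `no_log: true` will write it to the terminal or CI log. It looks like a debugging leftover. Verbosity would be safer as an opt-in, for example `$(VERBOSE_ARGS) \` in the recipe with `VERBOSE_ARGS ?=` next to the other argument variables, so that `make configure VERBOSE_ARGS=-vvv` enables it only on demand. The recipe starts above the hunk, so the existing variable definitions are not visible here.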
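Review bot: The `- acl` entry added to the package list in `ansible/configuration.yml` carries no hint of why it is installed, which makes it an easy target for a later cleanup. It presumably exists so that Ansible can hand its temporary module files to an unprivileged `become_user` (this same commit runs a script as `{{ username }}` in the docker-app role), which relies on `setfacl`. A trailing comment such as `# required for become_user with an unprivileged user (setfacl)` would record that dependency. The task that owns this list starts above the hunk.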
@@ -0,0 +1,11 @@
+#!/usr/bin/env sh
+
+# See https://cloud.yandex.ru/docs/container-registry/tutorials/run-docker-on-vm#run
+
+set -eu
+
+curl --silent --show-error -H Metadata-Flavor:Google 169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token | \
+ cut -f1 -d',' | \
+ cut -f2 -d':' | \
+ tr -d '"' | \
+ docker login --username iam --password-stdin cr.yandex
diff --git a/ansible/roles/docker-app/tasks/main.yml b/ansible/roles/docker-app/tasks/main.yml
index 068eb67..7f97c8a 100644
--- a/ansible/roles/docker-app/tasks/main.yml
+++ b/ansible/roles/docker-app/tasks/main.yml
@@ -16,3 +16,9 @@
 owner: '{{ username }}'
 group: '{{ username }}'
 recurse: True
+
+- name: 'Login to yandex docker registry.'
+ ansible.builtin.script:
+ cmd: 'files/yandex-docker-registry-auth.sh'
+ become: yes
+ become_user: '{{ username }}'
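Review bot: The pipeline in `yandex-docker-registry-auth.sh` never checks that the metadata request succeeded: `curl` runs without `--fail`, and under plain `sh` with `set -eu` only the last command's exit status counts, so an error body or empty output is handed to `docker login` as the password. The `cut -f1 -d','` / `cut -f2 -d':'` extraction also assumes `access_token` is the first JSON field and that the token contains neither `,` nor `:`, so a change in the response layout would silently produce a wrong credential. Fetching the response into a variable first lets `set -e` stop on a failed request, and selecting `access_token` by name with an emptiness check gives a clear error instead of a confusing login failure. An explicit `http://` scheme and `--max-time` would also keep the script from hanging when the metadata endpoint is unreachable.

```shell
# … unchanged: shebang, reference link, set -eu …

response="$(curl --silent --show-error --fail --max-time 10 \
    -H 'Metadata-Flavor: Google' \
    http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token)"

token="$(printf '%s' "$response" | sed -n 's/.*"access_token" *: *"\([^"]*\)".*/\1/p')"

if [ -z "$token" ]; then
    echo 'metadata response contains no access_token' >&2
    exit 1
fi

printf '%s' "$token" | docker login --username iam --password-stdin cr.yandex
```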
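Review bot: The login task added to `ansible/roles/docker-app/tasks/main.yml` is not idempotent and does not say that the credential it stores is temporary: `ansible.builtin.script` runs on every play and always reports `changed`. The token comes from the instance metadata service and is presumably short-lived, so the login will stop working until the play is re-run. A comment on the task such as `# token from the metadata service expires; re-run this play or schedule a refresh` would make that visible. Since `docker login` writes the token to `~/.docker/config.json` of `{{ username }}` unless a credential helper is configured, it is also worth confirming that the file ends up readable only by that user.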