CI: Add and use Ansible playbook to deploy backend

This avoids a bunch of manual one-time set-up for the server, e.g.
installing Docker and creating a systemd service. This also removes a
dependency on some third party GitHub actions.

.github/workflows/server-cd.yml

@@ -46,6 +46,11 @@ jobs:
     if: github.ref == 'refs/heads/main'
     runs-on: ubuntu-latest
     steps:
+      - name: set up WARP (workaround for IPv6 on GitHub Actions)
+        uses: fscarmen/warp-on-actions@v1.1
+        with:
+          stack: ipv6
+
       - name: checkout current repository
         uses: actions/checkout@v4
 
@@ -73,24 +78,18 @@ jobs:
           push: true
           tags: stenal/baltic-stock-server:latest
 
-      - name: deploy production docker-compose.yml
-        uses: appleboy/scp-action@v0.1.7
-        with:
-          host: ${{ secrets.SSH_HOST }}
-          username: ${{ secrets.SSH_USER }}
-          key: ${{ secrets.SSH_KEY }}
-          port: ${{ secrets.SSH_PORT }}
-          source: "server/docker/prod/docker-compose.yml"
-          target: "~"
-          strip_components: 3
+      - name: setup SSH for Ansible
+        shell: bash
+        run: |
+          eval `ssh-agent -s`
+          mkdir -p /home/runner/.ssh/
+          touch /home/runner/.ssh/id_rsa
+          echo -e "${{secrets.SSH_KEY}}" > /home/runner/.ssh/id_rsa
+          chmod 700 /home/runner/.ssh/id_rsa
+          ssh-keyscan -t rsa,dsa,ecdsa,ed25519 ${{ secrets.SSH_HOST }} >> /home/runner/.ssh/known_hosts
 
-      - name: Deploy published images
-        uses: appleboy/ssh-action@v1.0.3
-        with:
-          host: ${{ secrets.SSH_HOST }}
-          username: ${{ secrets.SSH_USER }}
-          key: ${{ secrets.SSH_KEY }}
-          port: ${{ secrets.SSH_PORT }}
-          script: |
-            docker compose pull
-            docker compose up -d
+      - name: run Ansible deployment playbook
+        working-directory: ./ansible
+        shell: bash
+        run: |
+          ansible-playbook -vv --private-key /home/runner/.ssh/id_rsa -u ${{secrets.SSH_USER}} -i ${{ secrets.SSH_HOST }}, backend.yml

ansible/backend.yml

@@ -0,0 +1,78 @@
+---
+
+- name: deploy backend
+  hosts: all
+  tasks:
+    - name: apt update && apt upgrade
+      become: true
+      apt:
+        update_cache: yes
+        upgrade: yes
+
+    - name: download Docker apt repository key
+      become: true
+      ansible.builtin.get_url:
+        url: https://download.docker.com/linux/ubuntu/gpg
+        dest: /etc/apt/keyrings/docker.asc
+
+    - name: add Docker apt repository
+      become: true
+      ansible.builtin.apt_repository:
+        repo: deb [{% if ansible_architecture == "aarch64" %}arch=arm64{% endif %} signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable
+        state: present
+        filename: docker
+
+    - name: install Docker
+      become: true
+      apt:
+        pkg:
+        - docker-ce
+        - docker-ce-cli
+        - containerd.io
+        - docker-buildx-plugin
+        - docker-compose-plugin
+
+    - name: create deployment directory
+      become: true
+      ansible.builtin.file:
+        path: /usr/local/share/baltic-stocks
+        state: directory
+        mode: '0755'
+
+    - name: deploy docker-compose.yml
+      become: true
+      copy:
+        src: ../server/docker/prod/docker-compose.yml
+        dest: /usr/local/share/baltic-stocks/docker-compose.yml
+
+    - name: create baltic-stocks service user
+      become: true
+      ansible.builtin.user:
+        name: baltic-stocks
+        group: docker
+
+    - name: deploy systemd service
+      become: true
+      copy:
+          src: baltic-stocks.service
+          dest: /etc/systemd/system/baltic-stocks.service
+      register: service_deploy_result
+
+    - name: reload systemd daemon if necessary
+      become: true
+      ansible.builtin.systemd_service:
+        daemon_reload: true
+      when: service_deploy_result.changed
+
+
+    - name: docker compose pull
+      command:
+        cmd: "docker compose -f /usr/local/share/baltic-stocks/docker-compose.yml pull"
+
+    # missing manual step: deploy .env file to same directory as docker-compose
+    - name: enable and run systemd service
+      become: true
+      ansible.builtin.systemd_service:
+        name: baltic-stocks.service
+        enabled: true
+        state: restarted

ansible/files/baltic-stocks.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Baltic Stocks running in Docker Compose (https://github.com/StenAL/Baltic-stocks)
+Requires=docker.service
+After=docker.service
+
+[Service]
+Type=oneshot
+User=baltic-stocks
+RemainAfterExit=true
+WorkingDirectory=/usr/local/share/baltic-stocks
+ExecStart=/usr/bin/docker compose up -d
+ExecStop=/usr/bin/docker compose down
+
+[Install]
+WantedBy=multi-user.target