From 8388657d336c2a660e042eb85c91597f4c088db8 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Thu, 16 Oct 2025 17:42:13 +0200
Subject: [PATCH] renovate(role): introduce first basic Renovate role

Sets up Renovate using Docker and systemd service and timer to run
regularly.
Also add accompanying host group and playbook play.
---
 inventories/chaosknoten/hosts.yaml      |  2 ++
 playbooks/deploy.yaml                   |  5 +++
 roles/renovate/README.md                | 11 ++++++
 roles/renovate/files/renovate.service   | 10 ++++++
 roles/renovate/files/renovate.timer     |  8 +++++
 roles/renovate/handlers/main.yaml       |  4 +++
 roles/renovate/meta/argument_specs.yaml |  6 ++++
 roles/renovate/meta/main.yaml           |  3 ++
 roles/renovate/tasks/main.yaml          | 46 +++++++++++++++++++++++++
 9 files changed, 95 insertions(+)
 create mode 100644 roles/renovate/README.md
 create mode 100644 roles/renovate/files/renovate.service
 create mode 100644 roles/renovate/files/renovate.timer
 create mode 100644 roles/renovate/handlers/main.yaml
 create mode 100644 roles/renovate/meta/argument_specs.yaml
 create mode 100644 roles/renovate/meta/main.yaml
 create mode 100644 roles/renovate/tasks/main.yaml

diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml
index d40de96..9c7ab6f 100644
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
@@ -195,3 +195,5 @@ ansible_pull_hosts:
     wiki:
 msmtp_hosts:
   hosts:
+renovate_hosts:
+  hosts:
diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml
index dc3a22d..d7bacac 100644
--- a/playbooks/deploy.yaml
+++ b/playbooks/deploy.yaml
@@ -88,5 +88,10 @@
   roles:
     - msmtp
 
+- name: Ensure Renovate is setup on renovate_hosts
+  hosts: renovate_hosts
+  roles:
+    - renovate
+
 - name: Run ensure_eh22_styleguide_dir Playbook
   ansible.builtin.import_playbook: ensure_eh22_styleguide_dir.yaml
diff --git a/roles/renovate/README.md b/roles/renovate/README.md
new file mode 100644
index 0000000..f19a458
--- /dev/null
+++ b/roles/renovate/README.md
@@ -0,0 +1,11 @@
+# Role `renovate`
+
+A role for setting up [Renovate](https://docs.renovatebot.com/).
+
+## Supported Distributions
+
+Should work on Debian-based distributions.
+
+## Required Arguments
+
+- `renovate__config`: The Renovate config to deploy.
diff --git a/roles/renovate/files/renovate.service b/roles/renovate/files/renovate.service
new file mode 100644
index 0000000..ca9f7ed
--- /dev/null
+++ b/roles/renovate/files/renovate.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=renovate
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/docker run --rm \
+    -v "/etc/renovate/config.js:/usr/src/app/config.js" \
+    renovate/renovate
diff --git a/roles/renovate/files/renovate.timer b/roles/renovate/files/renovate.timer
new file mode 100644
index 0000000..f7a3a63
--- /dev/null
+++ b/roles/renovate/files/renovate.timer
@@ -0,0 +1,8 @@
+[Unit]
+Description=renovate running every 15 minutes
+
+[Timer]
+OnCalendar=*-*-* *:00,15,30,45:00
+
+[Install]
+WantedBy=timers.target
diff --git a/roles/renovate/handlers/main.yaml b/roles/renovate/handlers/main.yaml
new file mode 100644
index 0000000..ada2426
--- /dev/null
+++ b/roles/renovate/handlers/main.yaml
@@ -0,0 +1,4 @@
+- name: systemd daemon reload
+  ansible.builtin.systemd_service:
+    daemon_reload: true
+  become: true
diff --git a/roles/renovate/meta/argument_specs.yaml b/roles/renovate/meta/argument_specs.yaml
new file mode 100644
index 0000000..8be0fb1
--- /dev/null
+++ b/roles/renovate/meta/argument_specs.yaml
@@ -0,0 +1,6 @@
+argument_specs:
+  main:
+    options:
+      renovate__config:
+        type: str
+        required: true
diff --git a/roles/renovate/meta/main.yaml b/roles/renovate/meta/main.yaml
new file mode 100644
index 0000000..cb7d8e0
--- /dev/null
+++ b/roles/renovate/meta/main.yaml
@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: docker
diff --git a/roles/renovate/tasks/main.yaml b/roles/renovate/tasks/main.yaml
new file mode 100644
index 0000000..f6988ab
--- /dev/null
+++ b/roles/renovate/tasks/main.yaml
@@ -0,0 +1,46 @@
+- name: ensure renovate config directory exists
+  ansible.builtin.file:
+    path: /etc/renovate
+    state: directory
+    owner: root
+    group: root
+    mode: "0755"
+  become: true
+
+- name: ensure renovate config
+  ansible.builtin.copy:
+    content: "{{ renovate__config }}"
+    dest: /etc/renovate/config.js
+    owner: root
+    group: root
+    mode: "0640"
+  become: true
+
+- name: ensure systemd service exists
+  ansible.builtin.copy:
+    src: renovate.service
+    dest: /etc/systemd/system/renovate.service
+    owner: root
+    group: root
+    mode: "0644"
+  become: true
+  notify:
+    - systemd daemon reload
+
+- name: ensure systemd timer exists
+  ansible.builtin.copy:
+    src: renovate.timer
+    dest: /etc/systemd/system/renovate.timer
+    owner: root
+    group: root
+    mode: "0644"
+  become: true
+  notify:
+    - systemd daemon reload
+
+- name: ensure systemd timer is started and enabled
+  ansible.builtin.systemd_service:
+    name: renovate.timer
+    state: started
+    enabled: true
+  become: true