From 243a27b01cb689b2326990e9d9f700584b4ba88c Mon Sep 17 00:00:00 2001 From: June Date: Mon, 21 Jul 2025 20:09:06 +0200 Subject: [PATCH] wip: ansible pull --- .sops.yaml | 3 ++ .../chaosknoten/host_vars/netbox.sops.yaml | 7 ++-- roles/ansible_pull/README.md | 17 ++++++++++ roles/ansible_pull/defaults/main.yaml | 1 + roles/ansible_pull/meta/argument_specs.yaml | 9 +++++ roles/ansible_pull/tasks/main.yaml | 34 +++++++++++++++++++ 6 files changed, 68 insertions(+), 3 deletions(-) create mode 100644 roles/ansible_pull/README.md create mode 100644 roles/ansible_pull/defaults/main.yaml create mode 100644 roles/ansible_pull/meta/argument_specs.yaml create mode 100644 roles/ansible_pull/tasks/main.yaml diff --git a/.sops.yaml b/.sops.yaml index d19954a..7a79c76 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -11,6 +11,7 @@ keys: - &admin_gpg_c6ristian B71138A6A8964A3C3B8899857B4F70C356765BAB - &admin_gpg_lilly D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD - &admin_gpg_langoor 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 + - &host_netbox_ansible_pull_age_key age1ss82zwqkj438re78355p886r89csqrrfmkfp8lrrf8v23nza492qza4ey3 creation_rules: - path_regex: inventories/chaosknoten/host_vars/cloud.* key_groups: @@ -117,6 +118,8 @@ creation_rules: - *admin_gpg_c6ristian - *admin_gpg_lilly - *admin_gpg_langoor + age: + - *host_netbox_ansible_pull_age_key - path_regex: inventories/chaosknoten/host_vars/tickets.* key_groups: - pgp: diff --git a/inventories/chaosknoten/host_vars/netbox.sops.yaml b/inventories/chaosknoten/host_vars/netbox.sops.yaml index 3ae3b55..eb67157 100644 --- a/inventories/chaosknoten/host_vars/netbox.sops.yaml +++ b/inventories/chaosknoten/host_vars/netbox.sops.yaml 
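Review bot: The age recipient added to the `netbox.*` rule is the first non-admin entry in `keys:`, and nothing at the anchor marks it as a machine identity that lives unattended on the netbox host. Unlike the admin PGP fingerprints beside it, the matching private key is held by the host itself, so referencing `*host_netbox_ansible_pull_age_key` from any broader rule later (shared group_vars, another host) would turn a single-host compromise into read access to every secret that rule covers. I would annotate the anchor, `# machine key held by the netbox host for ansible-pull; reference only from the netbox.* rule`, and treat per-host age keys as never belonging in shared rules. In the second hunk the `age:` block is presumably meant to sit inside the same key group as the `pgp:` list; indentation is lost in this rendering, so it is worth confirming it did not become a separate `- age:` list item, which would make it a second key group and, with the default Shamir threshold, require both groups to decrypt.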
@@ -1,9 +1,10 @@
 netbox__db_password: ENC[AES256_GCM,data:4k0wmOe1c5AE298Juw5HMm5dttTKB1WsVxha4MwaIILpyIbJO0CfmzjYflfBTFPPGgVeuYdCobzchzqkP+8eAQ==,iv:25Cj2BLGJK9tMDr42AqV1IzJc5zG2dk1YH5vC0b1T3M=,tag:knyB+nALZwME8y7CAQ4BCg==,type:str]
 secret__netbox_secret_key: ENC[AES256_GCM,data:zPzoFK5Sx7gJ31/Apwex9ffFU/GY+HxIfwrItCW68MM4kVvS33e+LY4cI0vbPYEUF10=,iv:SjpKxyxSAVo+p9vvE/YAQFCzAEudcZ1lwnJ6scxeQD4=,tag:oA+lBep610IfelGwdTohvw==,type:str]
 secret__netbox_social_auth_keycloak_secret: ENC[AES256_GCM,data:HP753hmQ7ssbYSQRH0zcRC0vRN5bKptvMXo9jjzcuk4=,iv:GQUoojXLAJxqdB92kKLhavDaka0Rkkg2uocBLshdvTk=,tag:LVnL/JHMsAd5UmmpnUv7og==,type:str]
+ansible_pull__age_private_key: ENC[AES256_GCM,data:KgD61z3hYRPSoCXmJgOMmHFqXtqoKHRPUT/+ayEImPsbpk+6B1hVscQbmsKJFWNsyQlCAV2MqYlIrP68pP9ckfURIaN8g5n9X+Y=,iv:eTjmF0e4/5NSnORZVtZKTaL4r1RBg1ZbHZueOrnMVlY=,tag:v1ndJchirNLPvg8mWA1otA==,type:str]
 sops:
-    lastmodified: "2025-05-04T13:54:30Z"
-    mac: ENC[AES256_GCM,data:/+JlBnsQuJrx3+CXlH/0dtst8PdBw7cTnUpBavcQRXFjd5PsZ54kUCosFu7Y2ngL9xh6WOWKSJCKpHFb8TCrBhslJz+8SQiH97py9m59diMwG5m/RF3I3YHBIoonSZvl8ocDTbz5myycS41fad3CMs5XtGt/vEcceSFhgqjZs9A=,iv:yL8aRIn22zmTIQ53/e71t6o2z7q1fyvmgqvpz4va39M=,tag:DH1oCBbdOgK2NdanzMSn9w==,type:str]
+    lastmodified: "2025-07-21T18:08:40Z"
+    mac: ENC[AES256_GCM,data:SvTSvRYd7ljYpQb72yRkQ+fDrDWRMQzFwTrI4RuLglBCzKNxu1g2JFAVFUSNRybWASCYhg0FqtHoC31HRHbs24g43fRFrXrvBB3sCwQ503y7A78/UfX55Bz3VBqYVJfh9w/Fm23Tak0ki1CQoAl53lz88eUHjCJjeyKtY81/PnI=,iv:y4C3RMWPsnTTgkscvfqVEzcgAg6L0QaKinzcBFLOfSg=,tag:kIcvmJXSNhpQDUHy+ZpPyQ==,type:str]
     pgp:
         - created_at: "2025-07-20T18:28:09Z"
           enc: |-
@@ -219,4 +220,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
     unencrypted_suffix: _unencrypted
-    version: 3.9.4
+    version: 3.10.2
diff --git a/roles/ansible_pull/README.md b/roles/ansible_pull/README.md
new file mode 100644
index 0000000..8e3cb45
--- /dev/null
+++ b/roles/ansible_pull/README.md
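Review bot: The `sops:` metadata of the re-encrypted file still lists only `pgp` recipients — there is no `age:` entry between `sops:` and the updated `lastmodified`, where sops normally writes one — so the host key that `.sops.yaml` now names for `netbox.*` cannot decrypt this file yet. It looks like the new secret was added and the file re-saved under the old recipient set without running `sops updatekeys inventories/chaosknoten/host_vars/netbox.sops.yaml`; until that happens the deployed `ansible_pull__age_private_key` decrypts nothing on the host. Going by its name this secret is the private half of `host_netbox_ansible_pull_age_key`, so after updatekeys the file becomes decryptable by a key it itself contains — fine for confidentiality, but worth a line in the commit message, since rotating the host key then means editing this file first and running updatekeys afterwards. The remainder of the `pgp:` block and the PGP message lie outside the hunk.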
@@ -0,0 +1,17 @@
+# `ansible_pull` role
+
+A role for setting up automatic `ansible_pull` runs.
+
+## Supported Distributions
+
+Should work on Debian-based distributions.
+
+## Required Arguments
+
+- `ansible_pull__age_private_key`: The age private key to use to decrypt SOPS secrets with.
+
+## Optional Arguments
+
+- `ansible_pull__user`: The user to run `ansible_pull` as. Defaults to `ansible_user`.
+
+## Links & Resources
diff --git a/roles/ansible_pull/defaults/main.yaml b/roles/ansible_pull/defaults/main.yaml
new file mode 100644
index 0000000..37d84ab
--- /dev/null
+++ b/roles/ansible_pull/defaults/main.yaml
@@ -0,0 +1 @@
+ansible_pull__user: "{{ ansible_user }}"
diff --git a/roles/ansible_pull/meta/argument_specs.yaml b/roles/ansible_pull/meta/argument_specs.yaml
new file mode 100644
index 0000000..a57d10e
--- /dev/null
+++ b/roles/ansible_pull/meta/argument_specs.yaml
@@ -0,0 +1,9 @@
+argument_specs:
+  main:
+    options:
+      ansible_pull__age_private_key:
+        type: str
+        required: true
+      ansible_pull__user:
+        type: str
+        required: false
diff --git a/roles/ansible_pull/tasks/main.yaml b/roles/ansible_pull/tasks/main.yaml
new file mode 100644
index 0000000..f0d26d7
--- /dev/null
+++ b/roles/ansible_pull/tasks/main.yaml
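Review bot: `ansible_pull__age_private_key` is declared in argument_specs as a bare `str` with no `no_log`, so the private key is handled like any other variable by the implicit `validate_argument_spec` task and can surface in verbose task output or error text when validation fails. Role argument specs go through the same validator as module argument specs, so `no_log: true` under that option should be honoured — add it and confirm once with `-vvv` that the value is masked. A one-line `description:` per option would also let `ansible-doc -t role` show the contract the README spells out. The `defaults/main.yaml` hunk on this same line derives `ansible_pull__user` from `ansible_user`, which is undefined unless the inventory sets it; that precondition belongs in the option's `description:` too.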
@@ -0,0 +1,34 @@
+- name: ensure dependencies are installed
+  ansible.builtin.apt:
+    name: virtualenv
+    state: present
+  become: true
+
+# https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-and-upgrading-ansible-with-pip
+# https://www.redhat.com/en/blog/python-venv-ansible
+- name: ensure Ansible installation exists
+  ansible.builtin.pip:
+    name:
+      - ansible
+      - jmespath
+    state: present
+    virtualenv: /usr/local/lib/ansible_pull_venv
+  become: true
+
+- name: ensure secrets directory exists
+  ansible.builtin.file:
+    path: /etc/ansible_pull_secrets
+    state: directory
+    mode: "0750"
+    owner: root
+    group: "{{ ansible_pull__user }}"
+  become: true
+
+- name: ensure age private key is deployed
+  ansible.builtin.copy:
+    content: "{{ ansible_pull__age_private_key }}"
+    dest: /etc/ansible_pull_secrets/age_private_key
+    mode: "0640"
+    owner: root
+    group: "{{ ansible_pull__user }}"
+  become: true
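Review bot: The copy task that writes the age private key has no `no_log: true`, so `content:` is part of the task result and shows up in `-vvv` module arguments, in `--diff` output and in anything that `register`s it — which undoes the point of keeping the key in SOPS; add `no_log: true` at the task level beside `become: true`. Separately, the pip task installs `ansible` and `jmespath` unpinned, so each host re-resolves whatever PyPI currently serves; pin `version:` (or install from a checked-in requirements file) so a new upstream release cannot change what later runs as root on every pull. `group: "{{ ansible_pull__user }}"` on both files fails when `ansible_user` is unset in inventory and otherwise hands the key to the interactive login user, so a dedicated service account as the default would be the safer shape. Nothing in this hunk consumes the key yet; presumably the pull timer and `SOPS_AGE_KEY_FILE=/etc/ansible_pull_secrets/age_private_key` arrive later in this wip series.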