wip: ansible pull

roles/ansible_pull/README.md

@@ -0,0 +1,17 @@
+# `ansible_pull` role
+
+A role for setting up automatic `ansible_pull` runs.  
+
+## Supported Distributions
+
+Should work on Debian-based distributions.
+
+## Required Arguments
+
+- `ansible_pull__age_private_key`: The age private key to use to decrypt SOPS secrets with.
+
+## Optional Arguments
+
+- `ansible_pull__user`: The user to run `ansible_pull` as. Defaults to `ansible_user`.
+
+## Links & Resources

roles/ansible_pull/defaults/main.yaml

@@ -0,0 +1 @@
+ansible_pull__user: "{{ ansible_user }}"

roles/ansible_pull/meta/argument_specs.yaml

@@ -0,0 +1,9 @@
+argument_specs:
+  main:
+    options:
+      ansible_pull__age_private_key:
+        type: str
+        required: true
+      ansible_pull__user:
+        type: str
+        required: false

roles/ansible_pull/tasks/main.yaml

@@ -0,0 +1,34 @@
+- name: ensure dependencies are installed
+  ansible.builtin.apt:
+    name: virtualenv
+    state: present
+  become: true
+
+# https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-and-upgrading-ansible-with-pip
+# https://www.redhat.com/en/blog/python-venv-ansible
+- name: ensure Ansible installation exists
+  ansible.builtin.pip:
+    name:
+      - ansible
+      - jmespath
+    state: present
+    virtualenv: /usr/local/lib/ansible_pull_venv
+  become: true
+
+- name: ensure secrets directory exists
+  ansible.builtin.file:
+    path: /etc/ansible_pull_secrets
+    state: directory
+    mode: "0750"
+    owner: root
+    group: "{{ ansible_pull__user }}"
+  become: true
+
+- name: ensure age private key is deployed
+  ansible.builtin.copy:
+    content: "{{ ansible_pull__age_private_key }}"
+    dest: /etc/ansible_pull_secrets/age_private_key
+    mode: "0640"
+    owner: root
+    group: "{{ ansible_pull__user }}"
+  become: true