wip: ansible pull
Some checks failed
/ Ansible Lint (push) Failing after 50s
/ Ansible Lint (pull_request) Failing after 47s

June 2025-07-21 20:09:06 +02:00
commit 243a27b01c
Signed by: june
SSH key fingerprint: SHA256:o9EAq4Y9N9K0pBQeBTqhSDrND5E7oB+60ZNx0U1yPe0
6 changed files with 68 additions and 3 deletions


@ -11,6 +11,7 @@ keys:
- &admin_gpg_c6ristian B71138A6A8964A3C3B8899857B4F70C356765BAB - &admin_gpg_c6ristian B71138A6A8964A3C3B8899857B4F70C356765BAB
- &admin_gpg_lilly D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD - &admin_gpg_lilly D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
- &admin_gpg_langoor 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 - &admin_gpg_langoor 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
- &host_netbox_ansible_pull_age_key age1ss82zwqkj438re78355p886r89csqrrfmkfp8lrrf8v23nza492qza4ey3
creation_rules: creation_rules:
- path_regex: inventories/chaosknoten/host_vars/cloud.* - path_regex: inventories/chaosknoten/host_vars/cloud.*
key_groups: key_groups:
@ -117,6 +118,8 @@ creation_rules:
- *admin_gpg_c6ristian - *admin_gpg_c6ristian
- *admin_gpg_lilly - *admin_gpg_lilly
- *admin_gpg_langoor - *admin_gpg_langoor
age:
- *host_netbox_ansible_pull_age_key
- path_regex: inventories/chaosknoten/host_vars/tickets.* - path_regex: inventories/chaosknoten/host_vars/tickets.*
key_groups: key_groups:
- pgp: - pgp:
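Review bot: The recipient added as `- *host_netbox_ansible_pull_age_key` makes every file matched by this creation rule decryptable by whichever host holds the corresponding private key, so the rule's `path_regex` (above the hunk, around line 117 of the file) should match only that host's own host_vars and nothing shared between hosts. The anchor name points at the netbox host; a short comment on the `keys:` entry at `&host_netbox_ansible_pull_age_key` naming the host and the `ansible_pull` role that consumes it would make that scope reviewable later. Adding a recipient to the rule does not re-encrypt existing files; each matching file still needs `sops updatekeys` before the host can decrypt it.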


@ -1,9 +1,10 @@
netbox__db_password: ENC[AES256_GCM,data:4k0wmOe1c5AE298Juw5HMm5dttTKB1WsVxha4MwaIILpyIbJO0CfmzjYflfBTFPPGgVeuYdCobzchzqkP+8eAQ==,iv:25Cj2BLGJK9tMDr42AqV1IzJc5zG2dk1YH5vC0b1T3M=,tag:knyB+nALZwME8y7CAQ4BCg==,type:str] netbox__db_password: ENC[AES256_GCM,data:4k0wmOe1c5AE298Juw5HMm5dttTKB1WsVxha4MwaIILpyIbJO0CfmzjYflfBTFPPGgVeuYdCobzchzqkP+8eAQ==,iv:25Cj2BLGJK9tMDr42AqV1IzJc5zG2dk1YH5vC0b1T3M=,tag:knyB+nALZwME8y7CAQ4BCg==,type:str]
secret__netbox_secret_key: ENC[AES256_GCM,data:zPzoFK5Sx7gJ31/Apwex9ffFU/GY+HxIfwrItCW68MM4kVvS33e+LY4cI0vbPYEUF10=,iv:SjpKxyxSAVo+p9vvE/YAQFCzAEudcZ1lwnJ6scxeQD4=,tag:oA+lBep610IfelGwdTohvw==,type:str] secret__netbox_secret_key: ENC[AES256_GCM,data:zPzoFK5Sx7gJ31/Apwex9ffFU/GY+HxIfwrItCW68MM4kVvS33e+LY4cI0vbPYEUF10=,iv:SjpKxyxSAVo+p9vvE/YAQFCzAEudcZ1lwnJ6scxeQD4=,tag:oA+lBep610IfelGwdTohvw==,type:str]
secret__netbox_social_auth_keycloak_secret: ENC[AES256_GCM,data:HP753hmQ7ssbYSQRH0zcRC0vRN5bKptvMXo9jjzcuk4=,iv:GQUoojXLAJxqdB92kKLhavDaka0Rkkg2uocBLshdvTk=,tag:LVnL/JHMsAd5UmmpnUv7og==,type:str] secret__netbox_social_auth_keycloak_secret: ENC[AES256_GCM,data:HP753hmQ7ssbYSQRH0zcRC0vRN5bKptvMXo9jjzcuk4=,iv:GQUoojXLAJxqdB92kKLhavDaka0Rkkg2uocBLshdvTk=,tag:LVnL/JHMsAd5UmmpnUv7og==,type:str]
ansible_pull__age_private_key: ENC[AES256_GCM,data:KgD61z3hYRPSoCXmJgOMmHFqXtqoKHRPUT/+ayEImPsbpk+6B1hVscQbmsKJFWNsyQlCAV2MqYlIrP68pP9ckfURIaN8g5n9X+Y=,iv:eTjmF0e4/5NSnORZVtZKTaL4r1RBg1ZbHZueOrnMVlY=,tag:v1ndJchirNLPvg8mWA1otA==,type:str]
sops: sops:
lastmodified: "2025-05-04T13:54:30Z" lastmodified: "2025-07-21T18:08:40Z"
mac: ENC[AES256_GCM,data:/+JlBnsQuJrx3+CXlH/0dtst8PdBw7cTnUpBavcQRXFjd5PsZ54kUCosFu7Y2ngL9xh6WOWKSJCKpHFb8TCrBhslJz+8SQiH97py9m59diMwG5m/RF3I3YHBIoonSZvl8ocDTbz5myycS41fad3CMs5XtGt/vEcceSFhgqjZs9A=,iv:yL8aRIn22zmTIQ53/e71t6o2z7q1fyvmgqvpz4va39M=,tag:DH1oCBbdOgK2NdanzMSn9w==,type:str] mac: ENC[AES256_GCM,data:SvTSvRYd7ljYpQb72yRkQ+fDrDWRMQzFwTrI4RuLglBCzKNxu1g2JFAVFUSNRybWASCYhg0FqtHoC31HRHbs24g43fRFrXrvBB3sCwQ503y7A78/UfX55Bz3VBqYVJfh9w/Fm23Tak0ki1CQoAl53lz88eUHjCJjeyKtY81/PnI=,iv:y4C3RMWPsnTTgkscvfqVEzcgAg6L0QaKinzcBFLOfSg=,tag:kIcvmJXSNhpQDUHy+ZpPyQ==,type:str]
pgp: pgp:
- created_at: "2025-07-20T18:28:09Z" - created_at: "2025-07-20T18:28:09Z"
enc: |- enc: |-
@ -219,4 +220,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533 fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.4 version: 3.10.2
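Review bot: The `sops:` metadata of this re-encrypted file still lists only `pgp:` recipients; no `age:` block appears between `sops:` and `lastmodified:`, and the additions in this section are just the new secret, `lastmodified`, `mac` and `version`. If this is the host_vars file that the creation rule with `*host_netbox_ansible_pull_age_key` now covers, the host's age key has not actually been added as a recipient and `sops updatekeys` on this file is still outstanding; if the rule targets a different file this does not apply. The file path and the rule's `path_regex` are not visible on this page, so this is inferred from the metadata layout. It is also worth confirming that the `ansible_pull__age_private_key` value is the private half of the `age1ss82...` recipient added to `.sops.yaml`, since nothing on the page ties the two together.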


@ -0,0 +1,17 @@
# `ansible_pull` role
A role for setting up automatic `ansible_pull` runs.
## Supported Distributions
Should work on Debian-based distributions.
## Required Arguments
- `ansible_pull__age_private_key`: The age private key to use to decrypt SOPS secrets with.
## Optional Arguments
- `ansible_pull__user`: The user to run `ansible_pull` as. Defaults to `ansible_user`.
## Links & Resources


@ -0,0 +1 @@
ansible_pull__user: "{{ ansible_user }}"
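Review bot: `ansible_pull__user: "{{ ansible_user }}"` only resolves when `ansible_user` is set explicitly in inventory or on the command line; when the controller connects as the current login user without setting it, the variable is undefined and the role fails at the first task that references `ansible_pull__user`. The README in this commit documents `ansible_user` as the default, so that is likely intended, but a fallback such as `ansible_pull__user: "{{ ansible_user | default(ansible_user_id) }}"` (which needs gathered facts) or a fixed dedicated service account would be more robust.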


@ -0,0 +1,9 @@
argument_specs:
main:
options:
ansible_pull__age_private_key:
type: str
required: true
ansible_pull__user:
type: str
required: false
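Review bot: `ansible_pull__age_private_key` is a secret but its spec carries no `no_log: true`, so a rejected or echoed value during argument validation can land in console or CI logs; add `no_log: true` under that option. The options also lack `description:` entries, and `ansible_pull__user` has no `default:` even though `defaults/main.yaml` in this commit sets one, so the spec and the defaults file should be kept in step to avoid misleading `ansible-doc` output. A `short_description` under `main:` is customary as well.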


@ -0,0 +1,34 @@
- name: ensure dependencies are installed
ansible.builtin.apt:
name: virtualenv
state: present
become: true
# https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-and-upgrading-ansible-with-pip
# https://www.redhat.com/en/blog/python-venv-ansible
- name: ensure Ansible installation exists
ansible.builtin.pip:
name:
- ansible
- jmespath
state: present
virtualenv: /usr/local/lib/ansible_pull_venv
become: true
- name: ensure secrets directory exists
ansible.builtin.file:
path: /etc/ansible_pull_secrets
state: directory
mode: "0750"
owner: root
group: "{{ ansible_pull__user }}"
become: true
- name: ensure age private key is deployed
ansible.builtin.copy:
content: "{{ ansible_pull__age_private_key }}"
dest: /etc/ansible_pull_secrets/age_private_key
mode: "0640"
owner: root
group: "{{ ansible_pull__user }}"
become: true
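Review bot: The task `ensure age private key is deployed` writes `{{ ansible_pull__age_private_key }}` through `content:`, and without `no_log: true` a `--diff` or `-v` run prints the key in plain text to the console and to any CI log; add `no_log: true` to that task. The Ansible Lint failure reported for this commit is plausibly the `name[casing]` rule, since all four task names start lowercase (`ensure ...`) and capitalising the first word of each would satisfy it. The pip task installs `ansible` and `jmespath` unpinned into the venv, so every pull host resolves the latest release at run time; a `version:` pin or a constraints file keeps the pulled Ansible reproducible across hosts.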