CCCHH/ansible-infra
CCCHH/ansible-infra
4
2
Fork 1
Code Issues 4 Pull requests 1 Wiki Activity Actions

wip: ansible pull
Some checks failed
/ Ansible Lint (push) Failing after 2m12s
Details

Browse source
This commit is contained in:
June 2025-06-14 20:28:53 +02:00
commit 2da6d13c18
Signed by: june
SSH key fingerprint: SHA256:o9EAq4Y9N9K0pBQeBTqhSDrND5E7oB+60ZNx0U1yPe0
6 changed files with 66 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.sops.yaml
View file

@ -11,6 +11,7 @@ keys:
- &admin_gpg_c6ristian B71138A6A8964A3C3B8899857B4F70C356765BAB
- &admin_gpg_lilly D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
- &admin_gpg_langoor 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
- &host_netbox_ansible_pull_age_key age1ss82zwqkj438re78355p886r89csqrrfmkfp8lrrf8v23nza492qza4ey3
creation_rules:
- path_regex: inventories/chaosknoten/host_vars/cloud.*
key_groups:
@ -117,6 +118,7 @@ creation_rules:
- *admin_gpg_c6ristian
- *admin_gpg_lilly
- *admin_gpg_langoor
- *host_netbox_ansible_pull_age_key
- path_regex: inventories/chaosknoten/host_vars/tickets.*
key_groups:
- pgp:

5
inventories/chaosknoten/host_vars/netbox.sops.yaml
View file

@ -1,14 +1,15 @@
netbox__db_password: ENC[AES256_GCM,data:4k0wmOe1c5AE298Juw5HMm5dttTKB1WsVxha4MwaIILpyIbJO0CfmzjYflfBTFPPGgVeuYdCobzchzqkP+8eAQ==,iv:25Cj2BLGJK9tMDr42AqV1IzJc5zG2dk1YH5vC0b1T3M=,tag:knyB+nALZwME8y7CAQ4BCg==,type:str]
secret__netbox_secret_key: ENC[AES256_GCM,data:zPzoFK5Sx7gJ31/Apwex9ffFU/GY+HxIfwrItCW68MM4kVvS33e+LY4cI0vbPYEUF10=,iv:SjpKxyxSAVo+p9vvE/YAQFCzAEudcZ1lwnJ6scxeQD4=,tag:oA+lBep610IfelGwdTohvw==,type:str]
secret__netbox_social_auth_keycloak_secret: ENC[AES256_GCM,data:HP753hmQ7ssbYSQRH0zcRC0vRN5bKptvMXo9jjzcuk4=,iv:GQUoojXLAJxqdB92kKLhavDaka0Rkkg2uocBLshdvTk=,tag:LVnL/JHMsAd5UmmpnUv7og==,type:str]
ansible_pull__age_private_key: ENC[AES256_GCM,data:YBBIMoRiYfBEnZOnu9gWJgKjzixJwNqM4KfymvdniI1pBoaAZnQH2mkYgKgvbYVo3llxOF2G6n17buaG0xD1TSEqWcYF92R5ZYY=,iv:3DImVFWQtVeeW9ZwftOURQu3m86DR6Y71aBOw66Zx8o=,tag:Gf/CAHDi+5eAYazRFLHQbA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2025-05-04T13:54:30Z"
mac: ENC[AES256_GCM,data:/+JlBnsQuJrx3+CXlH/0dtst8PdBw7cTnUpBavcQRXFjd5PsZ54kUCosFu7Y2ngL9xh6WOWKSJCKpHFb8TCrBhslJz+8SQiH97py9m59diMwG5m/RF3I3YHBIoonSZvl8ocDTbz5myycS41fad3CMs5XtGt/vEcceSFhgqjZs9A=,iv:yL8aRIn22zmTIQ53/e71t6o2z7q1fyvmgqvpz4va39M=,tag:DH1oCBbdOgK2NdanzMSn9w==,type:str]
lastmodified: "2025-06-14T17:44:05Z"
mac: ENC[AES256_GCM,data:L7+GHLqn1OgAqr7wTuhhwWS9vuDGNGjuo0yxY5BB4XSoDeja7aNe18KA8K9LC5/o8WtiRcr15uQUEtKT8dGrmZSmXRAJ+FC34B1E6OtjNzzuibLHFccq6SL3kxnnPQwgtvNLne+caSGOSYLIZOUej8VnbRTTvwTtPjUjH0fAjUQ=,iv:tCX6HEuXISrSo3IK3fdrPFAgCgXquBToKV4/kiK6MNE=,tag:DsKn+niR70XxnenBF8YfgA==,type:str]
pgp:
- created_at: "2025-05-04T13:51:50Z"
enc: |-

17
roles/ansible_pull/README.md Normal file
View file

@ -0,0 +1,17 @@
# `ansible_pull` role
A role for setting up automatic `ansible_pull` runs.
## Supported Distributions
Should work on Debian-based distributions.
## Required Arguments
- `ansible_pull__age_private_key`: The age private key to use to decrypt SOPS secrets with.
## Optional Arguments
- `ansible_pull__user`: The user to run `ansible_pull` as. Defaults to `ansible_user`.
## Links & Resources

1
roles/ansible_pull/defaults/main.yaml Normal file
View file

@ -0,0 +1 @@
ansible_pull__user: "{{ ansible_user }}"

9
roles/ansible_pull/meta/argument_specs.yaml Normal file
View file

@ -0,0 +1,9 @@
argument_specs:
main:
options:
ansible_pull__age_private_key:
type: str
required: true
ansible_pull__user:
type: str
required: false

34
roles/ansible_pull/tasks/main.yaml Normal file
View file

@ -0,0 +1,34 @@
- name: ensure dependencies are installed
ansible.builtin.apt:
name: virtualenv
state: present
become: true
# https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-and-upgrading-ansible-with-pip
# https://www.redhat.com/en/blog/python-venv-ansible
- name: ensure Ansible installation exists
ansible.builtin.pip:
name:
- ansible
- jmespath
state: present
virtualenv: /usr/local/lib/ansible_pull_venv
become: true
- name: ensure secrets directory exists
ansible.builtin.file:
path: /etc/ansible_pull_secrets
state: directory
mode: "0750"
owner: root
group: "{{ ansible_pull__user }}"
become: true
- name: ensure age private key is deployed
ansible.builtin.copy:
content: "{{ ansible_pull__age_private_key }}"
dest: /etc/ansible_pull_secrets/age_private_key
mode: "0640"
owner: root
group: "{{ ansible_pull__user }}"
become: true