parent
ff5f8ffc80
commit
2da6d13c18
6 changed files with 66 additions and 2 deletions
|
@ -11,6 +11,7 @@ keys:
|
|||
- &admin_gpg_c6ristian B71138A6A8964A3C3B8899857B4F70C356765BAB
|
||||
- &admin_gpg_lilly D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
|
||||
- &admin_gpg_langoor 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
|
||||
- &host_netbox_ansible_pull_age_key age1ss82zwqkj438re78355p886r89csqrrfmkfp8lrrf8v23nza492qza4ey3
|
||||
creation_rules:
|
||||
- path_regex: inventories/chaosknoten/host_vars/cloud.*
|
||||
key_groups:
|
||||
|
@ -117,6 +118,7 @@ creation_rules:
|
|||
- *admin_gpg_c6ristian
|
||||
- *admin_gpg_lilly
|
||||
- *admin_gpg_langoor
|
||||
- *host_netbox_ansible_pull_age_key
|
||||
- path_regex: inventories/chaosknoten/host_vars/tickets.*
|
||||
key_groups:
|
||||
- pgp:
|
||||
|
|
|
@ -1,14 +1,15 @@
|
|||
netbox__db_password: ENC[AES256_GCM,data:4k0wmOe1c5AE298Juw5HMm5dttTKB1WsVxha4MwaIILpyIbJO0CfmzjYflfBTFPPGgVeuYdCobzchzqkP+8eAQ==,iv:25Cj2BLGJK9tMDr42AqV1IzJc5zG2dk1YH5vC0b1T3M=,tag:knyB+nALZwME8y7CAQ4BCg==,type:str]
|
||||
secret__netbox_secret_key: ENC[AES256_GCM,data:zPzoFK5Sx7gJ31/Apwex9ffFU/GY+HxIfwrItCW68MM4kVvS33e+LY4cI0vbPYEUF10=,iv:SjpKxyxSAVo+p9vvE/YAQFCzAEudcZ1lwnJ6scxeQD4=,tag:oA+lBep610IfelGwdTohvw==,type:str]
|
||||
secret__netbox_social_auth_keycloak_secret: ENC[AES256_GCM,data:HP753hmQ7ssbYSQRH0zcRC0vRN5bKptvMXo9jjzcuk4=,iv:GQUoojXLAJxqdB92kKLhavDaka0Rkkg2uocBLshdvTk=,tag:LVnL/JHMsAd5UmmpnUv7og==,type:str]
|
||||
ansible_pull__age_private_key: ENC[AES256_GCM,data:YBBIMoRiYfBEnZOnu9gWJgKjzixJwNqM4KfymvdniI1pBoaAZnQH2mkYgKgvbYVo3llxOF2G6n17buaG0xD1TSEqWcYF92R5ZYY=,iv:3DImVFWQtVeeW9ZwftOURQu3m86DR6Y71aBOw66Zx8o=,tag:Gf/CAHDi+5eAYazRFLHQbA==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age: []
|
||||
lastmodified: "2025-05-04T13:54:30Z"
|
||||
mac: ENC[AES256_GCM,data:/+JlBnsQuJrx3+CXlH/0dtst8PdBw7cTnUpBavcQRXFjd5PsZ54kUCosFu7Y2ngL9xh6WOWKSJCKpHFb8TCrBhslJz+8SQiH97py9m59diMwG5m/RF3I3YHBIoonSZvl8ocDTbz5myycS41fad3CMs5XtGt/vEcceSFhgqjZs9A=,iv:yL8aRIn22zmTIQ53/e71t6o2z7q1fyvmgqvpz4va39M=,tag:DH1oCBbdOgK2NdanzMSn9w==,type:str]
|
||||
lastmodified: "2025-06-14T17:44:05Z"
|
||||
mac: ENC[AES256_GCM,data:L7+GHLqn1OgAqr7wTuhhwWS9vuDGNGjuo0yxY5BB4XSoDeja7aNe18KA8K9LC5/o8WtiRcr15uQUEtKT8dGrmZSmXRAJ+FC34B1E6OtjNzzuibLHFccq6SL3kxnnPQwgtvNLne+caSGOSYLIZOUej8VnbRTTvwTtPjUjH0fAjUQ=,iv:tCX6HEuXISrSo3IK3fdrPFAgCgXquBToKV4/kiK6MNE=,tag:DsKn+niR70XxnenBF8YfgA==,type:str]
|
||||
pgp:
|
||||
- created_at: "2025-05-04T13:51:50Z"
|
||||
enc: |-
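Review bot: As rendered, `age: []` in the `sops:` metadata is unchanged and only `lastmodified` and `mac` differ, so this file does not appear to have been re-encrypted to the `host_netbox_ansible_pull_age_key` recipient that the first hunk adds to the key list. `creation_rules` are only consulted when a file is created, so the host's age key presumably cannot decrypt these host_vars until `sops updatekeys` is run on the file and the resulting `age:` entry is committed. The added/removed markers were lost in this rendering and the `pgp:` list continues past the hunk, so confirm this against the raw diff.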
|
||||
|
|
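--- /dev/null
+++ b/roles/ansible_pull/README.md
@@ -0,0 +1,17 @@
+# `ansible_pull` role
+
+A role for setting up automatic `ansible_pull` runs.
+
+## Supported Distributions
+
+Should work on Debian-based distributions.
+
+## Required Arguments
+
+- `ansible_pull__age_private_key`: The age private key to use to decrypt SOPS secrets with.
+
+## Optional Arguments
+
+- `ansible_pull__user`: The user to run `ansible_pull` as. Defaults to `ansible_user`.
+
+## Links & Resources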
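--- /dev/null
+++ b/roles/ansible_pull/defaults/main.yaml
@@ -0,0 +1 @@
+ansible_pull__user: "{{ ansible_user }}"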
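Review bot: `ansible_user` is only defined when the inventory or command line sets it, so this default raises an undefined-variable error on hosts that connect without it, and the `group: "{{ ansible_pull__user }}"` lines in `tasks/main.yaml` would then fail to template. Either document that `ansible_user` must be set for hosts using this role, or give the default a fallback, for example `ansible_pull__user: "{{ ansible_user | default(ansible_facts['user_id']) }}"`. Note that the fallback resolves to the user facts were gathered as, which may be root under play-level `become`, so confirm it matches the intended account.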
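--- /dev/null
+++ b/roles/ansible_pull/meta/argument_specs.yaml
@@ -0,0 +1,9 @@
+argument_specs:
+main:
+options:
+ansible_pull__age_private_key:
+type: str
+required: true
+ansible_pull__user:
+type: str
+required: false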
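Review bot: Neither option carries a `description`, so `ansible-doc -t role` shows nothing about what the arguments expect, and the only documentation is the README. Add `description: The age private key used to decrypt SOPS secrets.` under `ansible_pull__age_private_key` and `description: The user to run ansible_pull as.` under `ansible_pull__user`, reusing the README wording. The description of the key option is also a good place to state that the value must come from an encrypted vars file.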
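--- /dev/null
+++ b/roles/ansible_pull/tasks/main.yaml
@@ -0,0 +1,34 @@
+- name: ensure dependencies are installed
+ansible.builtin.apt:
+name: virtualenv
+state: present
+become: true
+
+# https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-and-upgrading-ansible-with-pip
+# https://www.redhat.com/en/blog/python-venv-ansible
+- name: ensure Ansible installation exists
+ansible.builtin.pip:
+name:
+- ansible
+- jmespath
+state: present
+virtualenv: /usr/local/lib/ansible_pull_venv
+become: true
+
+- name: ensure secrets directory exists
+ansible.builtin.file:
+path: /etc/ansible_pull_secrets
+state: directory
+mode: "0750"
+owner: root
+group: "{{ ansible_pull__user }}"
+become: true
+
+- name: ensure age private key is deployed
+ansible.builtin.copy:
+content: "{{ ansible_pull__age_private_key }}"
+dest: /etc/ansible_pull_secrets/age_private_key
+mode: "0640"
+owner: root
+group: "{{ ansible_pull__user }}"
+become: true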
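Review bot: The `ensure age private key is deployed` task passes the private key through `ansible.builtin.copy`'s `content` without `no_log: true`, so the key can end up in `--diff` output or verbose logs of the run that applies this role; add `no_log: true` to that task. The `ensure Ansible installation exists` task also installs `ansible` and `jmespath` unpinned into a root-owned virtualenv, so each host gets whatever PyPI serves at run time. Pinning both, e.g. `ansible==<pinned version>`, would keep the unattended runs reproducible and reviewable. The directory and key file use `group: "{{ ansible_pull__user }}"`, which assumes a group with the same name as the user exists on the host.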