From 434ddfc95598c1f0e966b66b32c29422b12889b8 Mon Sep 17 00:00:00 2001 From: June Date: Mon, 13 Oct 2025 16:32:30 +0200 Subject: [PATCH] ansible_pull(role): introduce ansible_pull role Introduce ansible_pull role for setting up automatic ansible_pull runs. Also add accompanying host group and playbook play. --- inventories/chaosknoten/hosts.yaml | 2 + inventories/z9/hosts.yaml | 2 + playbooks/deploy.yaml | 5 ++ roles/ansible_pull/README.md | 21 +++++++ roles/ansible_pull/defaults/main.yaml | 3 + roles/ansible_pull/handlers/main.yaml | 4 ++ roles/ansible_pull/meta/argument_specs.yaml | 27 ++++++++ roles/ansible_pull/tasks/main.yaml | 63 +++++++++++++++++++ .../templates/ansible-pull.service.j2 | 16 +++++ .../templates/ansible-pull.timer.j2 | 9 +++ 10 files changed, 152 insertions(+) create mode 100644 roles/ansible_pull/README.md create mode 100644 roles/ansible_pull/defaults/main.yaml create mode 100644 roles/ansible_pull/handlers/main.yaml create mode 100644 roles/ansible_pull/meta/argument_specs.yaml create mode 100644 roles/ansible_pull/tasks/main.yaml create mode 100644 roles/ansible_pull/templates/ansible-pull.service.j2 create mode 100644 roles/ansible_pull/templates/ansible-pull.timer.j2 diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index e0da92f..03d93f6 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml @@ -186,3 +186,5 @@ alloy_hosts: hosts: grafana: ntfy: +ansible_pull_hosts: + hosts: diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml index 62cacf1..9d5bb09 100644 --- a/inventories/z9/hosts.yaml +++ b/inventories/z9/hosts.yaml @@ -49,3 +49,5 @@ ola_hosts: proxmox_vm_template_hosts: hosts: thinkcccore0: +ansible_pull_hosts: + hosts: diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml index 952aeec..c11a0e7 100644 --- a/playbooks/deploy.yaml +++ b/playbooks/deploy.yaml 
@@ -78,5 +78,10 @@ ansible.builtin.include_role: name: grafana.grafana.alloy +- name: Ensure ansible_pull deployment on ansible_pull_hosts + hosts: ansible_pull_hosts + roles: + - ansible_pull + - name: Run ensure_eh22_styleguide_dir Playbook ansible.builtin.import_playbook: ensure_eh22_styleguide_dir.yaml diff --git a/roles/ansible_pull/README.md b/roles/ansible_pull/README.md new file mode 100644 index 0000000..f31c552 --- /dev/null +++ b/roles/ansible_pull/README.md @@ -0,0 +1,21 @@ +# `ansible_pull` role + +A role for setting up automatic `ansible_pull` runs. + +## Supported Distributions + +Should work on Debian-based distributions. + +## Required Arguments + +- `ansible_pull__age_private_key`: The age private key to use to decrypt SOPS secrets with. +- `ansible_pull__repo_url`: The URL of the repo to run the playbook from. +- `ansible_pull__inventory`: The inventory to use. +- `ansible_pull__playbook`: The playbook to run. +- `ansible_pull__timer_on_calendar`: When to run the playbook. This is the argument to a systemd timers OnCalendar. See the systemd.time man page for reference. + +## Optional Arguments + +- `ansible_pull__user`: The user to run `ansible_pull` as. Defaults to `ansible_user`. +- `ansible_pull__checkout`: The branch/tag/commit to check out to run the playbook from. Defaults to `main`. +- `ansible_pull__timer_randomized_delay_sec`: The timer will be randomly delayed by a value between 0 and this. Useful to not have all timers fire at the same time, even if `ansible_pull__timer_on_calendar` is the same. Time value in seconds. Defaults to 0. diff --git a/roles/ansible_pull/defaults/main.yaml b/roles/ansible_pull/defaults/main.yaml new file mode 100644 index 0000000..3b9acb2 --- /dev/null +++ b/roles/ansible_pull/defaults/main.yaml @@ -0,0 +1,3 @@ +ansible_pull__user: "{{ ansible_user }}" +ansible_pull__checkout: "main" +ansible_pull__timer_randomized_delay_sec: "0" 
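Review bot: `ansible_pull__user: "{{ ansible_user }}"` in defaults/main.yaml resolves only when the inventory sets `ansible_user`; on hosts whose login user comes from ansible.cfg or SSH config instead, every reference to `ansible_pull__user` (the `group:` lines in tasks/main.yaml and `User=` in the service template) fails with an undefined variable. A fallback such as `ansible_pull__user: "{{ ansible_user | default(ansible_user_id) }}"` keeps the documented default and still resolves where facts are gathered; otherwise the README should state that `ansible_user` must be set. The `"0"` default for `ansible_pull__timer_randomized_delay_sec` is consistent with the `type: str` in the argument spec, so that one is fine as written.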
diff --git a/roles/ansible_pull/handlers/main.yaml b/roles/ansible_pull/handlers/main.yaml
new file mode 100644
index 0000000..ada2426
--- /dev/null
+++ b/roles/ansible_pull/handlers/main.yaml
@@ -0,0 +1,4 @@
+- name: systemd daemon reload
+ ansible.builtin.systemd_service:
+ daemon_reload: true
+ become: true
diff --git a/roles/ansible_pull/meta/argument_specs.yaml b/roles/ansible_pull/meta/argument_specs.yaml
new file mode 100644
index 0000000..e5c88af
--- /dev/null
+++ b/roles/ansible_pull/meta/argument_specs.yaml
@@ -0,0 +1,27 @@
+argument_specs:
+ main:
+ options:
+ ansible_pull__age_private_key:
+ type: str
+ required: true
+ ansible_pull__repo_url:
+ type: str
+ required: true
+ ansible_pull__inventory:
+ type: str
+ required: true
+ ansible_pull__playbook:
+ type: str
+ required: true
+ ansible_pull__timer_on_calendar:
+ type: str
+ required: true
+ ansible_pull__user:
+ type: str
+ required: false
+ ansible_pull__checkout:
+ type: str
+ required: false
+ ansible_pull__timer_randomized_delay_sec:
+ type: str
+ required: false
diff --git a/roles/ansible_pull/tasks/main.yaml b/roles/ansible_pull/tasks/main.yaml
new file mode 100644
index 0000000..53fc219
--- /dev/null
+++ b/roles/ansible_pull/tasks/main.yaml
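Review bot: The `systemd daemon reload` handler only reloads unit files, and handlers run after the `ensure systemd timer is started and enabled` task in tasks/main.yaml, so on a host that already runs the timer a changed ansible-pull.timer is started against the previous definition and, as far as I know, keeps its old OnCalendar/RandomizedDelaySec until the timer is restarted. Consider giving the start task `daemon_reload: true` alongside `state: started`, and adding a second handler that restarts ansible-pull.timer, notified by the timer template task. The handler is otherwise fine; `become: true` is needed there since the tasks also escalate per task.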
@@ -0,0 +1,63 @@
+- name: ensure dependencies are installed
+ ansible.builtin.apt:
+ name: virtualenv
+ state: present
+ become: true
+
+# https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-and-upgrading-ansible-with-pip
+# https://www.redhat.com/en/blog/python-venv-ansible
+- name: ensure Ansible installation exists
+ ansible.builtin.pip:
+ name:
+ - ansible
+ - jmespath
+ state: present
+ virtualenv: /usr/local/lib/ansible_pull_venv
+ become: true
+
+- name: ensure secrets directory exists
+ ansible.builtin.file:
+ path: /etc/ansible_pull_secrets
+ state: directory
+ mode: "0750"
+ owner: root
+ group: "{{ ansible_pull__user }}"
+ become: true
+
+- name: ensure age private key is deployed
+ ansible.builtin.copy:
+ content: "{{ ansible_pull__age_private_key }}"
+ dest: /etc/ansible_pull_secrets/age_private_key
+ mode: "0640"
+ owner: root
+ group: "{{ ansible_pull__user }}"
+ become: true
+
+- name: ensure systemd service exists
+ ansible.builtin.template:
+ src: ansible-pull.service.j2
+ dest: /etc/systemd/system/ansible-pull.service
+ owner: root
+ group: root
+ mode: "0644"
+ become: true
+ notify:
+ - systemd daemon reload
+
+- name: ensure systemd timer exists
+ ansible.builtin.template:
+ src: ansible-pull.timer.j2
+ dest: /etc/systemd/system/ansible-pull.timer
+ owner: root
+ group: root
+ mode: "0644"
+ become: true
+ notify:
+ - systemd daemon reload
+
+- name: ensure systemd timer is started and enabled
+ ansible.builtin.systemd_service:
+ name: ansible-pull.timer
+ state: started
+ enabled: true
+ become: true
diff --git a/roles/ansible_pull/templates/ansible-pull.service.j2 b/roles/ansible_pull/templates/ansible-pull.service.j2
new file mode 100644
index 0000000..8a17190
--- /dev/null
+++ b/roles/ansible_pull/templates/ansible-pull.service.j2
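Review bot: The `ensure age private key is deployed` task passes the private key through `content:` without `no_log: true`, so a run with `--diff` or `-v` prints the key into the controller output and any CI log that captures it; add `no_log: true` to that task (the directory task before it does not need it). Two smaller points: the pip task installs `ansible` and `jmespath` unpinned with `state: present`, so each newly provisioned host gets whatever PyPI currently serves and hosts drift apart over time — a version specifier on each `name:` entry keeps the pull runs reproducible. And `group: "{{ ansible_pull__user }}"` on the secrets directory and key file assumes a group named after the user exists, which holds for Debian's user-private groups but not for every account the role might be given.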
@@ -0,0 +1,16 @@
+[Unit]
+Description=ansible-pull for configuration and maintenance
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+Environment="SOPS_AGE_KEY_FILE=/etc/ansible_pull_secrets/age_private_key"
+ExecStart=/usr/local/lib/ansible_pull_venv/bin/ansible-pull \
+ --directory /home/chaos/ansible_pull_checkout \
+ --clean \
+ --url "{{ ansible_pull__repo_url }}" \
+ --checkout "{{ ansible_pull__checkout }}" \
+ --inventory "{{ ansible_pull__inventory }}" \
+ "{{ ansible_pull__playbook }}"
+User={{ ansible_pull__user }}
diff --git a/roles/ansible_pull/templates/ansible-pull.timer.j2 b/roles/ansible_pull/templates/ansible-pull.timer.j2
new file mode 100644
index 0000000..24bc8ba
--- /dev/null
+++ b/roles/ansible_pull/templates/ansible-pull.timer.j2
@@ -0,0 +1,9 @@
+[Unit]
+Description=ansible-pull for configuration and maintenance on a timer
+
+[Timer]
+OnCalendar={{ ansible_pull__timer_on_calendar }}
+RandomizedDelaySec={{ ansible_pull__timer_randomized_delay_sec }}
+
+[Install]
+WantedBy=timers.target
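Review bot: `--directory /home/chaos/ansible_pull_checkout` hard-codes a checkout path under one account's home while the unit runs as `User={{ ansible_pull__user }}` (defaulting to `ansible_user`), so on any host where that user is not `chaos` the service either cannot create the directory or clones into another account's home. Derive the path from the user, e.g. `--directory "/home/{{ ansible_pull__user }}/ansible_pull_checkout" \`, or better make it a role default (a name like `ansible_pull__checkout_dir` is only a suggestion) so it can point at a dedicated location. Since `--clean` discards local modifications in that checkout on every run, the README should mention that the directory is owned by the role.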