ansible_pull(role): ensure SOPS is installed

Also add the SOPS community collection as a requirement for this repo.

requirements.yml

@@ -3,3 +3,6 @@ collections:
   - name: debops.debops
     version: ">=3.1.0"
     source: https://galaxy.ansible.com
+  - name: community.sops
+    version: ">=2.2.4"
+    source: https://galaxy.ansible.com

roles/ansible_pull/tasks/main.yaml

@@ -1,8 +1,14 @@
 - name: ensure dependencies are installed
-  ansible.builtin.apt:
-    name: virtualenv
-    state: present
-  become: true
+  block:
+    - name: ensure apt dependencies are installed
+      ansible.builtin.apt:
+        name: virtualenv
+        state: present
+      become: true
+
+    - name: ensure SOPS is installed
+      ansible.builtin.include_role:
+        name: community.sops.install
 
 # https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-and-upgrading-ansible-with-pip
 # https://www.redhat.com/en/blog/python-venv-ansible

roles/ansible_pull/templates/ansible-pull.service.j2

@@ -7,6 +7,9 @@ OnFailure=ansible-pull-failure-notify.service
 [Service]
 Type=oneshot
 Environment="SOPS_AGE_KEY_FILE=/etc/ansible_pull_secrets/age_private_key"
+ExecStartPre=/usr/bin/bash -c 'if [ ! -e /home/chaos/ansible_pull_checkout ]; then git clone --depth 1 "{{ ansible_pull__repo_url }}" /home/chaos/ansible_pull_checkout ; fi'
+ExecStartPre=/usr/local/lib/ansible_pull_venv/bin/ansible-galaxy role install -r /home/chaos/ansible_pull_checkout/requirements.yml
+ExecStartPre=/usr/local/lib/ansible_pull_venv/bin/ansible-galaxy collection install -r /home/chaos/ansible_pull_checkout/requirements.yml
 ExecStart=/usr/local/lib/ansible_pull_venv/bin/ansible-pull \
           --directory /home/chaos/ansible_pull_checkout \
           --clean \