ansible_pull(role): ensure SOPS is installed

Also add the SOPS community collection as a requirement for this repo.

requirements.yml

@@ -3,3 +3,6 @@ collections:
   - name: debops.debops
     version: ">=3.1.0"
     source: https://galaxy.ansible.com
+  - name: community.sops
+    version: ">=2.2.4"
+    source: https://galaxy.ansible.com

roles/ansible_pull/tasks/main.yaml

@@ -1,9 +1,15 @@
 - name: ensure dependencies are installed
+  block:
+    - name: ensure apt dependencies are installed
       ansible.builtin.apt:
         name: virtualenv
         state: present
       become: true
 
+    - name: ensure SOPS is installed
+      ansible.builtin.include_role:
+        name: community.sops.install
+
 # https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-and-upgrading-ansible-with-pip
 # https://www.redhat.com/en/blog/python-venv-ansible
 - name: ensure Ansible installation exists

roles/ansible_pull/templates/ansible-pull.service.j2

@@ -7,6 +7,9 @@ OnFailure=ansible-pull-failure-notify.service
 [Service]
 Type=oneshot
 Environment="SOPS_AGE_KEY_FILE=/etc/ansible_pull_secrets/age_private_key"
+ExecStartPre=/usr/bin/bash -c 'if [ ! -e /home/chaos/ansible_pull_checkout ]; then git clone --depth 1 "{{ ansible_pull__repo_url }}" /home/chaos/ansible_pull_checkout ; fi'
+ExecStartPre=/usr/local/lib/ansible_pull_venv/bin/ansible-galaxy role install -r /home/chaos/ansible_pull_checkout/requirements.yml
+ExecStartPre=/usr/local/lib/ansible_pull_venv/bin/ansible-galaxy collection install -r /home/chaos/ansible_pull_checkout/requirements.yml
 ExecStart=/usr/local/lib/ansible_pull_venv/bin/ansible-pull \
           --directory /home/chaos/ansible_pull_checkout \
           --clean \