diff --git a/inventories/chaosknoten/host_vars/netbox.yaml b/inventories/chaosknoten/host_vars/netbox.yaml
index 4726885..d8da335 100644
--- a/inventories/chaosknoten/host_vars/netbox.yaml
+++ b/inventories/chaosknoten/host_vars/netbox.yaml
@@ -1,3 +1,10 @@
+ansible_pull__repo_url: https://git.hamburg.ccc.de/CCCHH/ansible-infra.git
+ansible_pull__inventory: inventories/chaosknoten
+ansible_pull__playbook: playbooks/maintenance.yaml
+ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin"
+ansible_pull__timer_randomized_delay_sec: 30min
+ansible_pull__checkout: ansible_pull
+
 netbox__version: "v4.1.7"
 netbox__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/netbox/netbox/configuration.py.j2') }}"
 netbox__custom_pipeline_oidc_group_and_role_mapping: true
diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml
index 93ea984..0891fff 100644
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
@@ -180,3 +180,6 @@ alloy_hosts:
   hosts:
     grafana:
     ntfy:
+ansible_pull_hosts:
+  hosts:
+    netbox:
diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml
index 952aeec..c11a0e7 100644
--- a/playbooks/deploy.yaml
+++ b/playbooks/deploy.yaml
@@ -78,5 +78,10 @@
     ansible.builtin.include_role:
       name: grafana.grafana.alloy
 
+- name: Ensure ansible_pull deployment on ansible_pull_hosts
+  hosts: ansible_pull_hosts
+  roles:
+    - ansible_pull
+
 - name: Run ensure_eh22_styleguide_dir Playbook
   ansible.builtin.import_playbook: ensure_eh22_styleguide_dir.yaml
diff --git a/roles/ansible_pull/README.md b/roles/ansible_pull/README.md
index 8e3cb45..a7e3dc7 100644
--- a/roles/ansible_pull/README.md
+++ b/roles/ansible_pull/README.md
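Review bot: `ansible_pull__checkout: ansible_pull` in host_vars/netbox.yaml points the nightly pull on netbox at a branch named after this feature rather than the `main` the role defaults to; if that is a temporary value for testing the rollout it should be dropped once merged, otherwise a comment such as `# tracks a dedicated branch instead of main because …` would tell the next reader why this host diverges. Since the service re-checks out the branch head on every timer run, whatever lands on that branch is executed on the host by `playbooks/maintenance.yaml`, so that branch needs the same protection rules as `main`. `ansible_pull__timer_randomized_delay_sec: 30min` is a systemd time span and is accepted by the `str` argument spec, but the README added in this commit describes the value as seconds — one of the two should be aligned.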
@@ -9,9 +9,15 @@ Should work on Debian-based distributions.
 ## Required Arguments
 
 - `ansible_pull__age_private_key`: The age private key to use to decrypt SOPS secrets with.
+- `ansible_pull__repo_url`: The URL of the repo to run the playbook from.
+- `ansible_pull__inventory`: The inventory to use.
+- `ansible_pull__playbook`: The playbook to run.
+- `ansible_pull__timer_on_calendar`: When to run the playbook. This is the argument to a systemd timers OnCalendar. See the systemd.time man page for reference.
 
 ## Optional Arguments
 
 - `ansible_pull__user`: The user to run `ansible_pull` as. Defaults to `ansible_user`.
+- `ansible_pull__checkout`: The branch/tag/commit to check out to run the playbook from. Defaults to `main`.
+- `ansible_pull__timer_randomized_delay_sec`: The timer will be randomly delayed by a value between 0 and this. Useful to not have all timers fire at the same time, even if `ansible_pull__timer_on_calendar` is the same. Time value in seconds. Defaults to 0.
 
 ## Links & Resources
diff --git a/roles/ansible_pull/defaults/main.yaml b/roles/ansible_pull/defaults/main.yaml
index 37d84ab..3b9acb2 100644
--- a/roles/ansible_pull/defaults/main.yaml
+++ b/roles/ansible_pull/defaults/main.yaml
@@ -1 +1,3 @@
 ansible_pull__user: "{{ ansible_user }}"
+ansible_pull__checkout: "main"
+ansible_pull__timer_randomized_delay_sec: "0"
diff --git a/roles/ansible_pull/handlers/main.yaml b/roles/ansible_pull/handlers/main.yaml
new file mode 100644
index 0000000..ada2426
--- /dev/null
+++ b/roles/ansible_pull/handlers/main.yaml
@@ -0,0 +1,4 @@
+- name: systemd daemon reload
+  ansible.builtin.systemd_service:
+    daemon_reload: true
+  become: true
diff --git a/roles/ansible_pull/meta/argument_specs.yaml b/roles/ansible_pull/meta/argument_specs.yaml
index a57d10e..e5c88af 100644
--- a/roles/ansible_pull/meta/argument_specs.yaml
+++ b/roles/ansible_pull/meta/argument_specs.yaml
@@ -4,6 +4,24 @@ argument_specs:
       ansible_pull__age_private_key:
         type: str
         required: true
+      ansible_pull__repo_url:
+        type: str
+        required: true
+      ansible_pull__inventory:
+        type: str
+        required: true
+      ansible_pull__playbook:
+        type: str
+        required: true
+      ansible_pull__timer_on_calendar:
+        type: str
+        required: true
       ansible_pull__user:
         type: str
         required: false
+      ansible_pull__checkout:
+        type: str
+        required: false
+      ansible_pull__timer_randomized_delay_sec:
+        type: str
+        required: false
diff --git a/roles/ansible_pull/tasks/main.yaml b/roles/ansible_pull/tasks/main.yaml
index f0d26d7..53fc219 100644
--- a/roles/ansible_pull/tasks/main.yaml
+++ b/roles/ansible_pull/tasks/main.yaml
@@ -32,3 +32,32 @@
     owner: root
     group: "{{ ansible_pull__user }}"
   become: true
+
+- name: ensure systemd service exists
+  ansible.builtin.template:
+    src: ansible-pull.service.j2
+    dest: /etc/systemd/system/ansible-pull.service
+    owner: root
+    group: root
+    mode: "0644"
+  become: true
+  notify:
+    - systemd daemon reload
+
+- name: ensure systemd timer exists
+  ansible.builtin.template:
+    src: ansible-pull.timer.j2
+    dest: /etc/systemd/system/ansible-pull.timer
+    owner: root
+    group: root
+    mode: "0644"
+  become: true
+  notify:
+    - systemd daemon reload
+
+- name: ensure systemd timer is started and enabled
+  ansible.builtin.systemd_service:
+    name: ansible-pull.timer
+    state: started
+    enabled: true
+  become: true
diff --git a/roles/ansible_pull/templates/ansible-pull.service.j2 b/roles/ansible_pull/templates/ansible-pull.service.j2
new file mode 100644
index 0000000..8a17190
--- /dev/null
+++ b/roles/ansible_pull/templates/ansible-pull.service.j2
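Review bot: In tasks/main.yaml the `ensure systemd timer is started and enabled` task runs before the `systemd daemon reload` handler it depends on, because handlers are flushed at the end of the play; a later change to the templated timer (for example a new `OnCalendar`) is therefore only applied after the play finishes, and the start task may act on the stale unit definition. The simplest fix is to add `daemon_reload: true` to that task's `ansible.builtin.systemd_service` arguments, or to put `ansible.builtin.meta: flush_handlers` in front of it. The three new task names are lowercase while the play added in `playbooks/deploy.yaml` capitalises its names; worth aligning with the rest of the repo.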
@@ -0,0 +1,16 @@
+[Unit]
+Description=ansible-pull for configuration and maintenance
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+Environment="SOPS_AGE_KEY_FILE=/etc/ansible_pull_secrets/age_private_key"
+ExecStart=/usr/local/lib/ansible_pull_venv/bin/ansible-pull \
+  --directory /home/chaos/ansible_pull_checkout \
+  --clean \
+  --url "{{ ansible_pull__repo_url }}" \
+  --checkout "{{ ansible_pull__checkout }}" \
+  --inventory "{{ ansible_pull__inventory }}" \
+  "{{ ansible_pull__playbook }}"
+User={{ ansible_pull__user }}
diff --git a/roles/ansible_pull/templates/ansible-pull.timer.j2 b/roles/ansible_pull/templates/ansible-pull.timer.j2
new file mode 100644
index 0000000..24bc8ba
--- /dev/null
+++ b/roles/ansible_pull/templates/ansible-pull.timer.j2
@@ -0,0 +1,9 @@
+[Unit]
+Description=ansible-pull for configuration and maintenance on a timer
+
+[Timer]
+OnCalendar={{ ansible_pull__timer_on_calendar }}
+RandomizedDelaySec={{ ansible_pull__timer_randomized_delay_sec }}
+
+[Install]
+WantedBy=timers.target
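Review bot: `--directory /home/chaos/ansible_pull_checkout` hardcodes user `chaos`'s home while the unit runs as the templated `User={{ ansible_pull__user }}`; if the two ever diverge the checkout is written into another user's home directory, or the run fails if that path does not exist. Derive the path from the same variable, e.g. `--directory "/home/{{ ansible_pull__user }}/ansible_pull_checkout" \`, or better make it a role variable with that default so it can be set explicitly. Because `--checkout` follows a branch and the SOPS age key is exposed via `SOPS_AGE_KEY_FILE`, every run executes the current branch tip with secret-decryption capability; ansible-pull's `--verify-commit` is worth considering if the repository's commits are signed.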
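Review bot: The timer template sets no `Persistent=`, so a run missed because the host was powered off or the timer was inactive at `OnCalendar` time is skipped until the next day rather than caught up at boot; for a configuration and maintenance pull that is usually not wanted, so add `Persistent=true` under `[Timer]` unless skipping missed runs is intended. `RandomizedDelaySec=` is rendered from a string variable defaulting to `"0"`, which systemd accepts, and the 30-minute jitter set in host_vars gives the 04:00 run a reasonable spread.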