wip: ansible pull

2025-07-23 15:27:38 +02:00
10 changed files with 99 additions and 0 deletions
--- a/inventories/chaosknoten/host_vars/netbox.yaml
+++ b/inventories/chaosknoten/host_vars/netbox.yaml
@ -1,3 +1,10 @@
+ansible_pull__repo_url: https://git.hamburg.ccc.de/CCCHH/ansible-infra.git
+ansible_pull__inventory: inventories/chaosknoten
+ansible_pull__playbook: playbooks/maintenance.yaml
+ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin"
+ansible_pull__timer_randomized_delay_sec: 30min
+ansible_pull__checkout: ansible_pull
+
 netbox__version: "v4.1.7"
 netbox__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/netbox/netbox/configuration.py.j2') }}"
 netbox__custom_pipeline_oidc_group_and_role_mapping: true
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
@ -180,3 +180,6 @@ alloy_hosts:
  hosts:
    grafana:
    ntfy:
+ansible_pull_hosts:
+  hosts:
+    netbox:
--- a/playbooks/deploy.yaml
+++ b/playbooks/deploy.yaml
@ -78,5 +78,10 @@
      ansible.builtin.include_role:
        name: grafana.grafana.alloy

+- name: Ensure ansible_pull deployment on ansible_pull_hosts
+  hosts: ansible_pull_hosts
+  roles:
+    - ansible_pull
+
 - name: Run ensure_eh22_styleguide_dir Playbook
  ansible.builtin.import_playbook: ensure_eh22_styleguide_dir.yaml
--- a/roles/ansible_pull/README.md
+++ b/roles/ansible_pull/README.md
@ -9,9 +9,15 @@ Should work on Debian-based distributions.
 ## Required Arguments

 - `ansible_pull__age_private_key`: The age private key to use to decrypt SOPS secrets with.
+- `ansible_pull__repo_url`: The URL of the repo to run the playbook from.
+- `ansible_pull__inventory`: The inventory to use.
+- `ansible_pull__playbook`: The playbook to run.
+- `ansible_pull__timer_on_calendar`: When to run the playbook. This is the argument to a systemd timers OnCalendar. See the systemd.time man page for reference.

 ## Optional Arguments

 - `ansible_pull__user`: The user to run `ansible_pull` as. Defaults to `ansible_user`.
+- `ansible_pull__checkout`: The branch/tag/commit to check out to run the playbook from. Defaults to `main`.
+- `ansible_pull__timer_randomized_delay_sec`: The timer will be randomly delayed by a value between 0 and this. Useful to not have all timers fire at the same time, even if `ansible_pull__timer_on_calendar` is the same. Time value in seconds. Defaults to 0.

 ## Links & Resources
--- a/roles/ansible_pull/defaults/main.yaml
+++ b/roles/ansible_pull/defaults/main.yaml
@ -1 +1,3 @@
 ansible_pull__user: "{{ ansible_user }}"
+ansible_pull__checkout: "main"
+ansible_pull__timer_randomized_delay_sec: "0"
--- a/roles/ansible_pull/handlers/main.yaml
+++ b/roles/ansible_pull/handlers/main.yaml
@ -0,0 +1,4 @@
+- name: systemd daemon reload
+  ansible.builtin.systemd_service:
+    daemon_reload: true
+  become: true
--- a/roles/ansible_pull/meta/argument_specs.yaml
+++ b/roles/ansible_pull/meta/argument_specs.yaml
@ -4,6 +4,24 @@ argument_specs:
      ansible_pull__age_private_key:
        type: str
        required: true
+      ansible_pull__repo_url:
+        type: str
+        required: true
+      ansible_pull__inventory:
+        type: str
+        required: true
+      ansible_pull__playbook:
+        type: str
+        required: true
+      ansible_pull__timer_on_calendar:
+        type: str
+        required: true
      ansible_pull__user:
        type: str
        required: false
+      ansible_pull__checkout:
+        type: str
+        required: false
+      ansible_pull__timer_randomized_delay_sec:
+        type: str
+        required: false
--- a/roles/ansible_pull/tasks/main.yaml
+++ b/roles/ansible_pull/tasks/main.yaml
@ -32,3 +32,32 @@
    owner: root
    group: "{{ ansible_pull__user }}"
  become: true
+
+- name: ensure systemd service exists
+  ansible.builtin.template:
+    src: ansible-pull.service.j2
+    dest: /etc/systemd/system/ansible-pull.service
+    owner: root
+    group: root
+    mode: "0644"
+  become: true
+  notify:
+    - systemd daemon reload
+
+- name: ensure systemd timer exists
+  ansible.builtin.template:
+    src: ansible-pull.timer.j2
+    dest: /etc/systemd/system/ansible-pull.timer
+    owner: root
+    group: root
+    mode: "0644"
+  become: true
+  notify:
+    - systemd daemon reload
+
+- name: ensure systemd timer is started and enabled
+  ansible.builtin.systemd_service:
+    name: ansible-pull.timer
+    state: started
+    enabled: true
+  become: true
--- a/roles/ansible_pull/templates/ansible-pull.service.j2
+++ b/roles/ansible_pull/templates/ansible-pull.service.j2
@ -0,0 +1,16 @@
+[Unit]
+Description=ansible-pull for configuration and maintenance
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+Environment="SOPS_AGE_KEY_FILE=/etc/ansible_pull_secrets/age_private_key"
+ExecStart=/usr/local/lib/ansible_pull_venv/bin/ansible-pull \
+          --directory /home/chaos/ansible_pull_checkout \
+          --clean \
+          --url "{{ ansible_pull__repo_url }}" \
+          --checkout "{{ ansible_pull__checkout }}" \
+          --inventory "{{ ansible_pull__inventory }}" \
+          "{{ ansible_pull__playbook }}"
+User={{ ansible_pull__user }}
--- a/roles/ansible_pull/templates/ansible-pull.timer.j2
+++ b/roles/ansible_pull/templates/ansible-pull.timer.j2
@ -0,0 +1,9 @@
+[Unit]
+Description=ansible-pull for configuration and maintenance on a timer
+
+[Timer]
+OnCalendar={{ ansible_pull__timer_on_calendar }}
+RandomizedDelaySec={{ ansible_pull__timer_randomized_delay_sec }}
+
+[Install]
+WantedBy=timers.target