ansible_pull(role): introduce ansible_pull role

Introduce ansible_pull role for setting up automatic ansible_pull runs.
Also add accompanying host group and playbook play.

inventories/chaosknoten/hosts.yaml

@@ -186,3 +186,5 @@ alloy_hosts:
   hosts:
     grafana:
     ntfy:
+ansible_pull_hosts:
+  hosts:

inventories/z9/hosts.yaml

@@ -49,3 +49,5 @@ ola_hosts:
 proxmox_vm_template_hosts:
   hosts:
     thinkcccore0:
+ansible_pull_hosts:
+  hosts:

playbooks/deploy.yaml

@@ -78,5 +78,10 @@
       ansible.builtin.include_role:
         name: grafana.grafana.alloy
 
+- name: Ensure ansible_pull deployment on ansible_pull_hosts
+  hosts: ansible_pull_hosts
+  roles:
+    - ansible_pull
+
 - name: Run ensure_eh22_styleguide_dir Playbook
   ansible.builtin.import_playbook: ensure_eh22_styleguide_dir.yaml

roles/ansible_pull/README.md

@@ -0,0 +1,21 @@
+# `ansible_pull` role
+
+A role for setting up automatic `ansible_pull` runs.  
+
+## Supported Distributions
+
+Should work on Debian-based distributions.
+
+## Required Arguments
+
+- `ansible_pull__age_private_key`: The age private key to use to decrypt SOPS secrets with.
+- `ansible_pull__repo_url`: The URL of the repo to run the playbook from.
+- `ansible_pull__inventory`: The inventory to use.
+- `ansible_pull__playbook`: The playbook to run.
+- `ansible_pull__timer_on_calendar`: When to run the playbook. This is the argument to a systemd timers OnCalendar. See the systemd.time man page for reference.
+
+## Optional Arguments
+
+- `ansible_pull__user`: The user to run `ansible_pull` as. Defaults to `ansible_user`.
+- `ansible_pull__checkout`: The branch/tag/commit to check out to run the playbook from. Defaults to `main`.
+- `ansible_pull__timer_randomized_delay_sec`: The timer will be randomly delayed by a value between 0 and this. Useful to not have all timers fire at the same time, even if `ansible_pull__timer_on_calendar` is the same. Time value in seconds. Defaults to 0.

roles/ansible_pull/defaults/main.yaml

@@ -0,0 +1,3 @@
+ansible_pull__user: "{{ ansible_user }}"
+ansible_pull__checkout: "main"
+ansible_pull__timer_randomized_delay_sec: "0"

roles/ansible_pull/handlers/main.yaml

@@ -0,0 +1,4 @@
+- name: systemd daemon reload
+  ansible.builtin.systemd_service:
+    daemon_reload: true
+  become: true

roles/ansible_pull/meta/argument_specs.yaml

@@ -0,0 +1,27 @@
+argument_specs:
+  main:
+    options:
+      ansible_pull__age_private_key:
+        type: str
+        required: true
+      ansible_pull__repo_url:
+        type: str
+        required: true
+      ansible_pull__inventory:
+        type: str
+        required: true
+      ansible_pull__playbook:
+        type: str
+        required: true
+      ansible_pull__timer_on_calendar:
+        type: str
+        required: true
+      ansible_pull__user:
+        type: str
+        required: false
+      ansible_pull__checkout:
+        type: str
+        required: false
+      ansible_pull__timer_randomized_delay_sec:
+        type: str
+        required: false

roles/ansible_pull/tasks/main.yaml

@@ -0,0 +1,63 @@
+- name: ensure dependencies are installed
+  ansible.builtin.apt:
+    name: virtualenv
+    state: present
+  become: true
+
+# https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-and-upgrading-ansible-with-pip
+# https://www.redhat.com/en/blog/python-venv-ansible
+- name: ensure Ansible installation exists
+  ansible.builtin.pip:
+    name:
+      - ansible
+      - jmespath
+    state: present
+    virtualenv: /usr/local/lib/ansible_pull_venv
+  become: true
+
+- name: ensure secrets directory exists
+  ansible.builtin.file:
+    path: /etc/ansible_pull_secrets
+    state: directory
+    mode: "0750"
+    owner: root
+    group: "{{ ansible_pull__user }}"
+  become: true
+
+- name: ensure age private key is deployed
+  ansible.builtin.copy:
+    content: "{{ ansible_pull__age_private_key }}"
+    dest: /etc/ansible_pull_secrets/age_private_key
+    mode: "0640"
+    owner: root
+    group: "{{ ansible_pull__user }}"
+  become: true
+
+- name: ensure systemd service exists
+  ansible.builtin.template:
+    src: ansible-pull.service.j2
+    dest: /etc/systemd/system/ansible-pull.service
+    owner: root
+    group: root
+    mode: "0644"
+  become: true
+  notify:
+    - systemd daemon reload
+
+- name: ensure systemd timer exists
+  ansible.builtin.template:
+    src: ansible-pull.timer.j2
+    dest: /etc/systemd/system/ansible-pull.timer
+    owner: root
+    group: root
+    mode: "0644"
+  become: true
+  notify:
+    - systemd daemon reload
+
+- name: ensure systemd timer is started and enabled
+  ansible.builtin.systemd_service:
+    name: ansible-pull.timer
+    state: started
+    enabled: true
+  become: true

roles/ansible_pull/templates/ansible-pull.service.j2

@@ -0,0 +1,16 @@
+[Unit]
+Description=ansible-pull for configuration and maintenance
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+Environment="SOPS_AGE_KEY_FILE=/etc/ansible_pull_secrets/age_private_key"
+ExecStart=/usr/local/lib/ansible_pull_venv/bin/ansible-pull \
+          --directory /home/chaos/ansible_pull_checkout \
+          --clean \
+          --url "{{ ansible_pull__repo_url }}" \
+          --checkout "{{ ansible_pull__checkout }}" \
+          --inventory "{{ ansible_pull__inventory }}" \
+          "{{ ansible_pull__playbook }}"
+User={{ ansible_pull__user }}

roles/ansible_pull/templates/ansible-pull.timer.j2

@@ -0,0 +1,9 @@
+[Unit]
+Description=ansible-pull for configuration and maintenance on a timer
+
+[Timer]
+OnCalendar={{ ansible_pull__timer_on_calendar }}
+RandomizedDelaySec={{ ansible_pull__timer_randomized_delay_sec }}
+
+[Install]
+WantedBy=timers.target