ansible-infra/roles/ansible_pull/tasks/main.yaml

- name: ensure dependencies are installed
  ansible.builtin.apt:
    name: virtualenv
    state: present
  become: true

# https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-and-upgrading-ansible-with-pip
# https://www.redhat.com/en/blog/python-venv-ansible
- name: ensure Ansible installation exists
  ansible.builtin.pip:
    name:
      - ansible
      - jmespath
    state: present
    virtualenv: /usr/local/lib/ansible_pull_venv
  become: true

- name: ensure ansible-pull-failure-notify script installation exists
  ansible.builtin.template:
    src: ansible-pull-failure-notify.sh.j2
    dest: /usr/local/sbin/ansible-pull-failure-notify.sh
    owner: root
    group: root
    mode: "0755"
  become: true

- name: ensure secrets directory exists
  ansible.builtin.file:
    path: /etc/ansible_pull_secrets
    state: directory
    mode: "0750"
    owner: root
    group: "{{ ansible_pull__user }}"
  become: true

- name: ensure age private key is deployed
  ansible.builtin.copy:
    content: "{{ ansible_pull__age_private_key }}"
    dest: /etc/ansible_pull_secrets/age_private_key
    mode: "0640"
    owner: root
    group: "{{ ansible_pull__user }}"
  become: true

- name: ensure systemd services exists
  ansible.builtin.template:
    src: "{{ item }}.j2"
    dest: "/etc/systemd/system/{{ item }}"
    owner: root
    group: root
    mode: "0644"
  become: true
  loop:
    - ansible-pull.service
    - ansible-pull-failure-notify.service
  notify:
    - systemd daemon reload

- name: ensure systemd timer exists
  ansible.builtin.template:
    src: ansible-pull.timer.j2
    dest: /etc/systemd/system/ansible-pull.timer
    owner: root
    group: root
    mode: "0644"
  become: true
  notify:
    - systemd daemon reload

- name: ensure systemd timer is started and enabled
  ansible.builtin.systemd_service:
    name: ansible-pull.timer
    state: started
    enabled: true
  become: true