Skip to content

Rotate Wireguard VPN User Configs #963

Rotate Wireguard VPN User Configs

Rotate Wireguard VPN User Configs #963

name: Rotate Wireguard VPN User Configs
on:
workflow_dispatch:
schedule:
- cron: '30 */2 * * *'
jobs:
rotate-wireguard-vpn-user-configs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup ansible
run: |
pip3 install ansible
pip3 install -r src/vpn/requirements.txt
ansible-galaxy collection install --force --collections-path ./src/vpn --requirements-file ./src/vpn/requirements.yml
- name: Run ansible
run: |
cd src/vpn
echo Creating ANSIBLE_VAULT_PASSWORD_FILE
TMPFILE=$(mktemp)
trap "rm -f ${TMPFILE@Q}" EXIT
echo -n "${{ secrets.ANSIBLE_VAULT_PASSWORD }}" > $TMPFILE
export ANSIBLE_VAULT_PASSWORD_FILE=$TMPFILE
echo About to run playbook add-vpn-user.yml and load all PSONO secret IDs via group_vars/all WIREGUARD_VPN_PSONO_SECRET_IDS
# Bend over backwards to keep storing secrets in ansible vault rather than a specific CI/CD runner.
# note this uses dynamic inventory. Since you can't set/get group_vars from a dynamic inventory,
# this is an 'inventive' way using 'localhost' group_vars to the vpn hosts (in this case hetzer VM(s))
# api token out of ansible vault. The api token is stord in group_vars/localhost.yml (where in fact)
# the api token is used on other host groups.
# The dynamic vpn hosts inventory is using the dynamic inventory file inventory-vpn-servers-hcloud.yml
export ANSIBLE_HOST_KEY_CHECKING=False
ansible-playbook --extra-vars "_vault_hetzner_cloud_token=$(ANSIBLE_LOAD_CALLBACK_PLUGINS=1 ANSIBLE_STDOUT_CALLBACK=ansible.posix.json ansible localhost -i inventory.ini -m debug -a "msg={{ hostvars[inventory_hostname].hetzner_hcloud_token }}" | jq '.plays[0]["tasks"][0]["hosts"]["localhost"]["msg"]')" -i inventory-vpn-servers-hcloud.yml playbooks/add-vpn-user.yml
rm $TMPFILE
# Enable tmate debugging of manually-triggered workflows if the input option was provided
- name: Setup tmate session
uses: mxschmitt/action-tmate@v3
if: ${{ failure() }}