wip Fix #16 continually bootstrap vpn users

KarmaComputing · Oct 24, 2024 · 77a71c7 · 77a71c7
1 parent d3be0bd
commit 77a71c7
Show file tree

Hide file tree

Showing 4 changed files with 80 additions and 23 deletions.
diff --git a/.github/workflows/rotate-wireguard-vpn-user-configs.yml b/.github/workflows/rotate-wireguard-vpn-user-configs.yml
@@ -0,0 +1,46 @@
+name: Rotate Wireguard VPN User Configs
+
+on:
+  workflow_dispatch:
+
+jobs:
+  rotate-wireguard-vpn-user-configs:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Setup ansible
+      run: |
+        pip3 install ansible
+        pip3 install -r src/vpn/requirements.txt
+        ansible-galaxy collection install --force --collections-path ./src/vpn --requirements-file ./src/vpn/requirements.yml
+
+
+    - name: Run ansible
+      run: |
+        cd src/vpn
+        echo Creating ANSIBLE_VAULT_PASSWORD_FILE
+        TMPFILE=$(mktemp)
+        trap "rm -f ${TMPFILE@Q}" EXIT
+        echo -n "${{ secrets.ANSIBLE_VAULT_PASSWORD }}" > $TMPFILE
+        export ANSIBLE_VAULT_PASSWORD_FILE=$TMPFILE
+
+        echo About to run playbook add-vpn-user.yml
+
+        # Bend over backwards to keep storing secrets in ansible vault rather than a specific CI/CD runner.
+        # note this uses dynamic inventory. Since you can't set/get group_vars from a dynamic inventory,
+        # this is an 'inventive' way using 'localhost' group_vars to the vpn hosts (in this case hetzer VM(s))
+        # api token out of ansible vault. The api token is stord in group_vars/localhost.yml (where in fact)
+        # the api token is used on other host groups.
+        # The dynamic vpn hosts inventory is using the dynamic inventory file inventory-vpn-servers-hcloud.yml
+
+        export ANSIBLE_HOST_KEY_CHECKING=False
+        ansible-playbook --extra-vars "PSONO_SECRET_ID=${{ inputs.PSONO_SECRET_ID }} _vault_hetzner_cloud_token=$(ANSIBLE_LOAD_CALLBACK_PLUGINS=1 ANSIBLE_STDOUT_CALLBACK=ansible.posix.json ansible localhost -i inventory.ini -m debug -a "msg={{ hostvars[inventory_hostname].hetzner_hcloud_token }}" | jq '.plays[0]["tasks"][0]["hosts"]["localhost"]["msg"]')" -i inventory-vpn-servers-hcloud.yml  playbooks/add-vpn-user.yml
+        rm $TMPFILE
+
+    # Enable tmate debugging of manually-triggered workflows if the input option was provided
+    - name: Setup tmate session
+      uses: mxschmitt/action-tmate@v3
+      if: ${{ failure() }}
diff --git a/src/vpn/group_vars/all.yml b/src/vpn/group_vars/all.yml
@@ -26,3 +26,8 @@ ssh_private_key_server_bootstrap: !vault |
           61336235303331353338626131363162363163353661346531646539306337356166396433636565
           30666266356365316430343331663663353461316232386239316434383539656661326261373063
           6531
+
+WIREGUARD_VPN_PSONO_SECRET_IDS:
+  - abc123
+  - def456
+  - etc
diff --git a/src/vpn/playbooks/add-vpn-user.yml b/src/vpn/playbooks/add-vpn-user.yml
@@ -7,26 +7,8 @@
 
   tasks:
 
-    - name: Ensure ~/.ssh directory exists on localhost/runner
-      delegate_to: localhost
-      ansible.builtin.file:
-        path: ~/.ssh
-        state: directory
-        mode: '0755'
-
-    - name: Template ssh_private_key_server_bootstrap
-      ansible.builtin.template:
-        src: templates/ssh/ssh_private_key_server_bootstrap.j2
-        dest: "{{ ansible_ssh_private_key_file }}"
-        mode: '0600'
-      delegate_to: localhost
-      tags:
-        - 'ssh'
-
-    - name: Generate new vpn peer config & Add save client config to password manager
-      ansible.builtin.shell: |
-        PSONO_CI_API_KEY_ID={{ PSONO_CI_API_KEY_ID }} PSONO_CI_API_SECRET_KEY_HEX={{ PSONO_CI_API_SECRET_KEY_HEX }} PSONO_CI_SERVER_URL={{ PSONO_CI_SERVER_URL }} PSONO_SECRET_ID={{ PSONO_SECRET_ID }} ./add-vpn-user.sh
-        exit 0
-      args:
-        chdir: "{{ wireguard_dir }}"
-      become: yes
+    - name: Include task list in play only if the condition is true
+      ansible.builtin.include_tasks: ./tasks/tasks_add_vpn_user.yaml
+      loop: "{{ WIREGUARD_VPN_PSONO_SECRET_IDS }}"
+      loop_control:
+        loop_var: PSONO_SECRET_ID
diff --git a/src/vpn/playbooks/tasks/tasks_add_vpn_user.yaml b/src/vpn/playbooks/tasks/tasks_add_vpn_user.yaml
@@ -0,0 +1,24 @@
+---
+- name: Ensure ~/.ssh directory exists on localhost/runner
+  delegate_to: localhost
+  ansible.builtin.file:
+    path: ~/.ssh
+    state: directory
+    mode: '0755'
+
+- name: Template ssh_private_key_server_bootstrap
+  ansible.builtin.template:
+    src: templates/ssh/ssh_private_key_server_bootstrap.j2
+    dest: "{{ ansible_ssh_private_key_file }}"
+    mode: '0600'
+  delegate_to: localhost
+  tags:
+    - 'ssh'
+
+- name: Generate new vpn peer config & Add save client config to password manager
+  ansible.builtin.shell: |
+    PSONO_CI_API_KEY_ID={{ PSONO_CI_API_KEY_ID }} PSONO_CI_API_SECRET_KEY_HEX={{ PSONO_CI_API_SECRET_KEY_HEX }} PSONO_CI_SERVER_URL={{ PSONO_CI_SERVER_URL }} PSONO_SECRET_ID={{ PSONO_SECRET_ID }} ./add-vpn-user.sh
+    exit 0
+  args:
+    chdir: "{{ wireguard_dir }}"
+  become: yes