From e47c76b52cda9b80afd4d460256d96d4f0fdb6d9 Mon Sep 17 00:00:00 2001
From: chrisjsimpson
Date: Mon, 21 Oct 2024 22:35:32 +0100
Subject: [PATCH] #14 correct ansible-playbook --extra_vars -> --extra-vars #14 place keys to bootstrap add-vpn user runner
---
 .github/workflows/add-vpn-user.yml | 3 ++-
 src/vpn/group_vars/all.yml | 27 +++++++++++++++++++++++++++
 src/vpn/group_vars/localhost.yml | 28 ----------------------------
 src/vpn/playbooks/add-vpn-user.yml | 20 ++++++++++++++++++--
 4 files changed, 47 insertions(+), 31 deletions(-)
diff --git a/.github/workflows/add-vpn-user.yml b/.github/workflows/add-vpn-user.yml
index b73a2aa..8ed2c81 100644
--- a/.github/workflows/add-vpn-user.yml
+++ b/.github/workflows/add-vpn-user.yml
@@ -40,7 +40,8 @@ jobs:
 # the api token is used on other host groups.
 # The dynamic vpn hosts inventory is using the dynamic inventory file inventory-vpn-servers-hcloud.yml
- ansible-playbook --extra_vars "PSONO_SECRET_ID=${{ inputs.PSONO_SECRET_ID }} _vault_hetzner_cloud_token=$(ANSIBLE_LOAD_CALLBACK_PLUGINS=1 ANSIBLE_STDOUT_CALLBACK=ansible.posix.json ansible localhost -i inventory.ini -m debug -a "msg={{ hostvars[inventory_hostname].hetzner_hcloud_token }}" | jq '.plays[0]["tasks"][0]["hosts"]["localhost"]["msg"]')" -i inventory-vpn-servers-hcloud.yml playbooks/add-vpn-user.yml
+ export ANSIBLE_HOST_KEY_CHECKING=False
+ ansible-playbook --extra-vars "PSONO_SECRET_ID=${{ inputs.PSONO_SECRET_ID }} _vault_hetzner_cloud_token=$(ANSIBLE_LOAD_CALLBACK_PLUGINS=1 ANSIBLE_STDOUT_CALLBACK=ansible.posix.json ansible localhost -i inventory.ini -m debug -a "msg={{ hostvars[inventory_hostname].hetzner_hcloud_token }}" | jq '.plays[0]["tasks"][0]["hosts"]["localhost"]["msg"]')" -i inventory-vpn-servers-hcloud.yml playbooks/add-vpn-user.yml
 rm $TMPFILE
 # Enable tmate debugging of manually-triggered workflows if the input option was provided
diff --git a/src/vpn/group_vars/all.yml b/src/vpn/group_vars/all.yml
index 7159886..f12c443 100644
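Review bot: The added `export ANSIBLE_HOST_KEY_CHECKING=False` switches off SSH host-key verification for every Ansible connection made later in this step, so a connection to the VPN servers can no longer detect a host that is not the one provisioned, and it is disabled on every run rather than just on first contact. Prefer seeding the runner's `~/.ssh/known_hosts` with the servers' host keys (captured when they are provisioned, or kept as a pinned file in the repo) and leaving checking on; if it must stay off for the dynamic inventory, say why in a comment and scope it to the one command, `ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook …`, instead of exporting it. Separately, the corrected `--extra-vars` string still places `PSONO_SECRET_ID` and the decrypted Hetzner token on the command line, where they are visible to any process listing on the runner; `--extra-vars "@file"` pointing at a mode-0600 temporary file avoids that, and the `rm $TMPFILE` just below suggests such a file may already exist here (inferred, not visible). The `run:` block this command belongs to starts and ends outside the hunk.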
--- a/src/vpn/group_vars/all.yml
+++ b/src/vpn/group_vars/all.yml
@@ -1 +1,28 @@
 ansible_ssh_private_key_file: ~/.ssh/id_ed25519_server_bootstrap
+ssh_private_key_server_bootstrap: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 65653566363161306561663830356630363032336338346438346135653638633563366334313636
+ 3563306530376631373936643137353565376465326235640a383136323663663938346439653432
+ 30353330353462653365343933663933366234336234303365626263363236393862613338313439
+ 3162393165663433660a306633333731663766643561663364386136333165303236393836326434
+ 65613537346236363233633439343832636537316335626163396138356436666230303639623833
+ 34643332653665383231373462316463613036646466363434366466656437373866313739336538
+ 37356463633861353938636561313138383939323736636361363630323631373466353666663765
+ 34653461316535363434356363306564376163336463333936396566326238613765663965363066
+ 63383765666539363666633838643266373932386433383233386138666233363239623337323238
+ 36363961333533386362666235366438316237336361336336396564313036303233303462366632
+ 62363339636365633236386537613735383063383434653362303865373435623636386338663139
+ 65623263393064323537643634353938653461643637646462376539343461366465643161666233
+ 34346161313662383665616437343330666563313263323333333264663830646163326364643265
+ 65333736333139333133313865353235623862313233666639633365326538663762396433363439
+ 64376434336266336536386264373464656237613264633630373362393133373138343932386632
+ 62636433333331626236306337636566343538383761326266666634333630363630303638656338
+ 34313638356536363239623530643836373733653130333263336639623763663134356664623764
+ 30653265623564653165613061353337306261366433326130306466363837396463623638323534
+ 64643632663237643165333030343332383364656333386331343337633561616366626633656431
+ 65643230663132373462626266626361353762353539656261313066313135626339313861653165
+ 33366439383234623237633533353135363033613263383838316561313161663036376435316663
+ 33373866636232373662383432646562616130633363393461386164346634353630376131303331
+ 61336235303331353338626131363162363163353661346531646539306337356166396433636565
+ 30666266356365316430343331663663353461316232386239316434383539656661326261373063
+ 6531
diff --git a/src/vpn/group_vars/localhost.yml b/src/vpn/group_vars/localhost.yml
index 8b1e9d5..79661b1 100644
--- a/src/vpn/group_vars/localhost.yml
+++ b/src/vpn/group_vars/localhost.yml
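Review bot: Moving `ssh_private_key_server_bootstrap` into `group_vars/all.yml` puts the controller's bootstrap SSH key (vault-decrypted when the inventory loads) into the hostvars of every inventory host, including the VPN servers themselves, while the only consumer added in this patch is a task that runs `delegate_to: localhost`. If the move is because the hcloud dynamic inventory never loads `group_vars/localhost.yml` (likely, but inferred), a narrower home is a play-level `vars_files` entry in `playbooks/add-vpn-user.yml`; if it stays in `all`, add a comment above the key, `# Controller-only secret: consumed via delegate_to: localhost in playbooks/add-vpn-user.yml; do not reference it from tasks that run on remote hosts`. The ciphertext is the same blob removed from localhost.yml, so the move does not rotate the key, and the file still has no `---` document start.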
@@ -10,31 +10,3 @@ hetzner_hcloud_token: !vault |
 38323439613635323738
 server_bootstrap_public_ssh_key: |
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINJ1bghgIXT9CQu+stzt+XA+0U8kF7xruvL9Hhiij55A
-
-ssh_private_key_server_bootstrap: !vault |
- $ANSIBLE_VAULT;1.1;AES256
- 65653566363161306561663830356630363032336338346438346135653638633563366334313636
- 3563306530376631373936643137353565376465326235640a383136323663663938346439653432
- 30353330353462653365343933663933366234336234303365626263363236393862613338313439
- 3162393165663433660a306633333731663766643561663364386136333165303236393836326434
- 65613537346236363233633439343832636537316335626163396138356436666230303639623833
- 34643332653665383231373462316463613036646466363434366466656437373866313739336538
- 37356463633861353938636561313138383939323736636361363630323631373466353666663765
- 34653461316535363434356363306564376163336463333936396566326238613765663965363066
- 63383765666539363666633838643266373932386433383233386138666233363239623337323238
- 36363961333533386362666235366438316237336361336336396564313036303233303462366632
- 62363339636365633236386537613735383063383434653362303865373435623636386338663139
- 65623263393064323537643634353938653461643637646462376539343461366465643161666233
- 34346161313662383665616437343330666563313263323333333264663830646163326364643265
- 65333736333139333133313865353235623862313233666639633365326538663762396433363439
- 64376434336266336536386264373464656237613264633630373362393133373138343932386632
- 62636433333331626236306337636566343538383761326266666634333630363630303638656338
- 34313638356536363239623530643836373733653130333263336639623763663134356664623764
- 30653265623564653165613061353337306261366433326130306466363837396463623638323534
- 64643632663237643165333030343332383364656333386331343337633561616366626633656431
- 65643230663132373462626266626361353762353539656261313066313135626339313861653165
- 33366439383234623237633533353135363033613263383838316561313161663036376435316663
- 33373866636232373662383432646562616130633363393461386164346634353630376131303331
- 61336235303331353338626131363162363163353661346531646539306337356166396433636565
- 30666266356365316430343331663663353461316232386239316434383539656661326261373063
- 6531
diff --git a/src/vpn/playbooks/add-vpn-user.yml b/src/vpn/playbooks/add-vpn-user.yml
index 7a3f6cd..15a95b0 100644
--- a/src/vpn/playbooks/add-vpn-user.yml
+++ b/src/vpn/playbooks/add-vpn-user.yml
@@ -2,15 +2,31 @@
 - name: Add VPN user
 hosts: "{{ vpn_servers | default('vpn_servers') }}"
 gather_facts: false
- become: yes
 vars:
 wireguard_dir: "/etc/wireguard/"
 tasks:
+ - name: Ensure ~/.ssh directory exists on localhost/runner
+ delegate_to: localhost
+ ansible.builtin.file:
+ path: ~/.ssh
+ state: directory
+ mode: '0755'
+
+ - name: Template ssh_private_key_server_bootstrap
+ ansible.builtin.template:
+ src: templates/ssh/ssh_private_key_server_bootstrap.j2
+ dest: "{{ ansible_ssh_private_key_file }}"
+ mode: '0600'
+ delegate_to: localhost
+ tags:
+ - 'ssh'
+
 - name: Generate new vpn peer config & Add save client config to password manager
 ansible.builtin.shell: |
 PSONO_CI_API_KEY_ID={{ PSONO_CI_API_KEY_ID }} PSONO_CI_API_SECRET_KEY_HEX={{ PSONO_CI_API_SECRET_KEY_HEX }} PSONO_CI_SERVER_URL={{ PSONO_CI_SERVER_URL }} PSONO_SECRET_ID={{ PSONO_SECRET_ID }} ./add-vpn-user.sh
 exit 0
 args:
- chdir: "{{ wireguard_dir }}"
\ No newline at end of file
+ chdir: "{{ wireguard_dir }}"
+ become: yes
\ No newline at end of file
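Review bot: The new `Ensure ~/.ssh directory exists on localhost/runner` task creates the runner's `~/.ssh` with `mode: '0755'`, which lets other users on the runner list the key file that is written next; the conventional owner-only permission is `mode: '0700'`. Both new tasks touch only localhost yet run once per host in the play, so `run_once: true` on each avoids rewriting the key for every VPN server. The template task writes the decrypted private key to `{{ ansible_ssh_private_key_file }}` and `ansible.builtin.template` prints the rendered content under `--diff`, so it should carry `no_log: true`; `templates/ssh/ssh_private_key_server_bootstrap.j2` is not part of this patch, so I cannot confirm it exists or how it renders the key. On style, the relocated `become: yes` is a YAML 1.1 truthy value; `become: true` is the form yamllint and the Ansible docs recommend. The hunk's first line, `- name: Add VPN user`, reads as the play header in context rather than a removal, and the file's `---` document start on line 1 lies outside the hunk.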