wip Fix #14 automatically rebuild vpn servers

KarmaComputing · Oct 19, 2024 · e9b43e4 · e9b43e4
1 parent 533ea93
commit e9b43e4
Show file tree

Hide file tree

Showing 8 changed files with 128 additions and 96 deletions.
diff --git a/.github/workflows/add-vpn-user.yml b/.github/workflows/add-vpn-user.yml
@@ -3,15 +3,9 @@ name: Add VPN User
 on:
   workflow_dispatch:
     inputs:
-      wireguard_vpn_ip_address:
-        description: 'wireguard_vpn_ip_address'
+      ansible_vault_password:
+        description: 'ansible_vault_password'
         required: true
-        default: '192.0.2.1'
-
-      ssh_username:
-        description: 'ssh_username'
-        required: true
-        default: 'root'
 
       PSONO_SECRET_ID:
         description: 'PSONO_SECRET_ID'
@@ -25,19 +19,31 @@ jobs:
     - name: Checkout code
       uses: actions/checkout@v2
 
-    - name: Setting up SSH key
-      uses: webfactory/[email protected]
-      with:
-        ssh-private-key: ${{ secrets.VPN_SSH_PRIVATE_KEY }}
-
-    - name: SSH into remote host
+    - name: Setup ansible
       run: |
-        ssh -o StrictHostKeyChecking=no ${{ inputs.ssh_username }}@${{ inputs.wireguard_vpn_ip_address }} "date"
+        pip3 install ansible
 
-    - name: Generate new vpn peer config & Add save client config to password manager
-      run: |
-        ssh -o StrictHostKeyChecking=no ${{ inputs.ssh_username }}@${{ inputs.wireguard_vpn_ip_address }} -C "cd /etc/wireguard && PSONO_CI_API_KEY_ID=${{ secrets.PSONO_CI_API_KEY_ID }} PSONO_CI_API_SECRET_KEY_HEX=${{ secrets.PSONO_CI_API_SECRET_KEY_HEX }} PSONO_CI_SERVER_URL=${{ secrets.PSONO_CI_SERVER_URL }} PSONO_SECRET_ID=${{ inputs.PSONO_SECRET_ID }} ./add-vpn-user.sh"
 
+    - name: Run ansible
+      run: |
+        cd src/vpn
+        echo Creating ANSIBLE_VAULT_PASSWORD_FILE
+        TMPFILE=$(mktemp)
+        trap "rm -f ${TMPFILE@Q}" EXIT
+        echo -n "${{ inputs.ansible_vault_password }}" > $TMPFILE
+        export ANSIBLE_VAULT_PASSWORD_FILE=$TMPFILE
+
+        echo About to run playbook add-vpn-user.yml
+
+        # Bend over backwards to keep storing secrets in ansible vault rather than a specific CI/CD runner.
+        # note this uses dynamic inventory. Since you can't set/get group_vars from a dynamic inventory,
+        # this is an 'inventive' way using 'localhost' group_vars to the vpn hosts (in this case hetzer VM(s))
+        # api token out of ansible vault. The api token is stord in group_vars/localhost.yml (where in fact)
+        # the api token is used on other host groups.
+        # The dynamic vpn hosts inventory is using the dynamic inventory file inventory-vpn-servers-hcloud.yml
+
+        PSONO_SECRET_ID=${{ inputs.PSONO_SECRET_ID }} ansible-playbook --extra-vars _vault_hetzner_cloud_token=$(ANSIBLE_LOAD_CALLBACK_PLUGINS=1 ANSIBLE_STDOUT_CALLBACK=ansible.posix.json ansible localhost -i inventory.ini -m debug -a "msg={{ hostvars[inventory_hostname].hetzner_hcloud_token }}" | jq '.plays[0]["tasks"][0]["hosts"]["localhost"]["msg"]') -i inventory-vpn-servers-hcloud.yml  playbooks/add-vpn-user.yml
+        rm $TMPFILE
 
     # Enable tmate debugging of manually-triggered workflows if the input option was provided
     - name: Setup tmate session

diff --git a/.github/workflows/deploy-vpn-server.yml b/.github/workflows/deploy-vpn-server.yml
@@ -41,7 +41,7 @@ jobs:
         export ANSIBLE_VAULT_PASSWORD_FILE=$TMPFILE
         
         echo Run deploy vpn playbook
-        ansible-playbook -i inventory.ini playbooks/create-rebuild-vpn-server.yml
+        ansible-playbook -i inventory.ini -i inventory-vpn-servers-hcloud.yml playbooks/create-rebuild-vpn-server.yml
         rm $TMPFILE
 
     # Enable tmate debugging of manually-triggered workflows if the input option was provided

diff --git a/.github/workflows/deploy-vpn.yml b/.github/workflows/deploy-vpn.yml
diff --git a/src/vpn/group_vars/localhost.yml b/src/vpn/group_vars/localhost.yml
@@ -8,3 +8,33 @@ hetzner_hcloud_token: !vault |
           37343634613861616566653037396566646465386439653133363361306639363233643064316462
           38393735646365363465313663616264323233653230383837616263313735316135386165393935
           38323439613635323738
+server_bootstrap_public_ssh_key: |
+          ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINJ1bghgIXT9CQu+stzt+XA+0U8kF7xruvL9Hhiij55A
+
+server_bootstrap_private_ssh_key: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          64336662363563336435633939333333303634323337346237396533393334313435633139363363
+          6230666131326566333265366661323230666634383336610a633739663661386632633361336632
+          65343866343464656133333635303835623863343836663166323538366130313064316330646162
+          3038623438303630340a316163386161386637373334353836623230373830623637363363393930
+          36663366666239613862656331646536643464346563373135616531323063396464386564383631
+          65353735376637346530313530383264633135643263653961646637303831626238643466373465
+          63396238623230646535346333393336613461656332666632613330633830353134383234643633
+          65383230383133653534616536653238643639356262353431326439353735656361323730643830
+          32393736306161343666323238356630636465343065613165613031613736333730303765636134
+          35643466663761336533386634376131613034313131323762653965323165633432666165343363
+          37303034333061326130306566663438656332656436323832636630373863656265326263376163
+          66323662633762356238656263333839653331626564663733376464356436306436313739616238
+          36383633333664386661636338326235653265363332383039326138303839326639363466613334
+          35333635313761313839353665306436383434636232333831383662343830343136643064363765
+          63376638333031646165656163313963343634626433666334313935346338356630643666383134
+          30616630313034363565346438653264653462643661333930366138363638656265323237393434
+          38616131363136316237646136643366393037363639663264666266616264363039366235343637
+          30343534393633646336373536636339656135353262633134616231663030373964656137613533
+          34306134363833366564323436666233613662376337376436373338643266353933396164323963
+          61656431643461316637313638316235343436333230383334663137663534393063316365646363
+          39323963656631623165303664663634666536323436333965383762613837393065323866613564
+          62623930343230346561653466663536623031323738663263353564393333363766623164386637
+          39356661376132616264383133346331623134333932646132393264373461313438336330373237
+          30366431363238326530303161306534306264363630646236323632353233346430626136303534
+          3463
diff --git a/src/vpn/group_vars/vpn_servers.yml b/src/vpn/group_vars/vpn_servers.yml
@@ -58,3 +58,11 @@ PSONO_CI_SERVER_URL: !vault |
           61613138636133346435353938323831653435343666613534343937363237636333313431346162
           6131343833386163380a383330383861666636623662326437303933376636396661333332646237
           30356337653463303662653036646132643063633163373464323235306338656339
+ansible_user: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          61623135363936396665323961303463353733633166306536653034366366323761316138313638
+          3832333831643664353032366233313938393132613863300a373266363637633431373362366230
+          36623833613830613938666161656534313534616639386230333232396435326335326264396164
+          3836383031353335660a303563643337346537646130653934373635646136373131313339636134
+          3434
+ansible_ssh_private_key_file: ~/.ssh/id_ed25519_server_bootstrap
diff --git a/src/vpn/inventory-vpn-servers-hcloud.yml b/src/vpn/inventory-vpn-servers-hcloud.yml
@@ -0,0 +1,6 @@
+plugin: hetzner.hcloud.hcloud
+api_token: "{{ _vault_hetzner_cloud_token }}"
+groups:
+    # Get only instances named 'vpn-server'
+    vpn_servers: name == 'vpn-server'
+
diff --git a/src/vpn/playbooks/create-rebuild-vpn-server.yml b/src/vpn/playbooks/create-rebuild-vpn-server.yml
@@ -1,15 +1,69 @@
 ---
 - name: 
   hosts: localhost
-  ignore_unreachable: true
 
   tasks:
+    - name: Attempt to destroy vpn-server regardless if exists or not
+      hetzner.hcloud.server:
+        api_token: "{{ hetzner_hcloud_token }}"
+        name: vpn-server
+        location: hel1
+        state: absent
+      ignore_errors: true
+
+    - name: Ensure public ssh_key published to Hetzner
+      hetzner.hcloud.ssh_key:
+        api_token: "{{ hetzner_hcloud_token }}"
+        name: server_bootstrap_public_ssh_key
+        public_key: "{{ server_bootstrap_public_ssh_key }}"
+        state: present
+      ignore_errors: true
+
     - name: Create/Rebuild vpn-server
       hetzner.hcloud.server:
         api_token: "{{ hetzner_hcloud_token }}"
         name: vpn-server
-        location: eu-central
-        server_type: cx11
+        location: hel1
+        server_type: cx22
         image: ubuntu-20.04
-        state: rebuild
+        state: present
+        ssh_keys:
+          - server_bootstrap_public_ssh_key
+      register: hcloud_server
+
+    - name: Store vpn_server_ipv4_address and vpn_server_ipv6_address
+      ansible.builtin.set_fact:
+        vpn_server_ipv4_address: "{{ hcloud_server.hcloud_server['ipv4_address'] }}"
+        vpn_server_ipv6_address: "{{ hcloud_server.hcloud_server['ipv6'] }}"
+
+    - name: Attempt to start vpn-server
+      hetzner.hcloud.server:
+        api_token: "{{ hetzner_hcloud_token }}"
+        name: vpn-server
+        state: started
+      ignore_errors: true
+      retries: 3
+      delay: 5
+
+    - name: Display vpn_server_ipv4_address & vpn_server_ipv6_address
+      debug:
+        msg:
+          - "{{ vpn_server_ipv4_address }}"
+          - "{{ vpn_server_ipv6_address }}"
+
+    - name: Replace first changeme with vpn_server_ipv4_address and second changeme with root
+      ansible.builtin.replace:
+        path: ../inventory.ini
+        regexp: '^(changeme)(.*ansible_user=)(changeme)$'
+        replace: '{{ vpn_server_ipv4_address }}\2root'
+
+    - name: Wait for port 22 on vpn_server
+      ansible.builtin.wait_for:
+        host: "{{ vpn_server_ipv4_address }}"
+        port: 22
+        state: started
 
+- name: Include deploy-vpn.yml play
+  ansible.builtin.import_playbook: deploy-vpn-client.yml
+  vars:
+    vpn_servers: "{{ vpn_server_ipv4_address }}"
diff --git a/src/vpn/playbooks/deploy-vpn-client.yml b/src/vpn/playbooks/deploy-vpn-client.yml
@@ -1,6 +1,6 @@
 ---
 - name: Install and configure L2TP IPsec vpn client on Ubuntu 22.04
-  hosts: vpn_servers
+  hosts: "{{ vpn_servers | default('vpn_servers') }}"
   become: yes
   vars:
     wireguard_dir: "/etc/wireguard/"
@@ -132,7 +132,6 @@
         mode: '0755'
         owner: root
         group: root
-      delegate_to: localhost
 
     - name: Generate laptop-private.key
       command: wg genkey
@@ -208,7 +207,6 @@
       template:
        src: wg-client.conf.j2
        dest: "{{ wireguard_dir }}wg-client.conf"
-      delegate_to: localhost
       tags: [ wireguard ]
 
     - name: Template save-vpn-credentials-to-password-vault.sh