149 lines
4.5 KiB
YAML
149 lines
4.5 KiB
YAML
---
|
|
- name: Ensure mandatory variables are configured
|
|
assert:
|
|
that: "{{ item }} is defined"
|
|
fail_msg: "You must define the '{{ item }}' variable"
|
|
with_items:
|
|
- new_hetzner_user_accounts
|
|
- new_hetzner_server_image
|
|
- new_hetzner_server_name
|
|
- new_hetzner_server_type
|
|
|
|
- name: Include resource variables
|
|
include_vars: "{{ new_hetzner_user_accounts }}"
|
|
tags:
|
|
- molecule-notest
|
|
|
|
# Note(decentral1se): gives root SSH access for all members
|
|
- name: Ensure all Autonomic member SSH keys are registered
|
|
hcloud_ssh_key:
|
|
name: "{{ item.email }}"
|
|
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
|
|
public_key: "{{ item.ssh_key }}"
|
|
state: present
|
|
with_items: "{{ members }}"
|
|
|
|
- name: Create new hetzner cloud instance
|
|
hcloud_server:
|
|
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
|
|
image: "{{ new_hetzner_server_image }}"
|
|
name: "{{ new_hetzner_server_name }}"
|
|
server_type: "{{ new_hetzner_server_type }}"
|
|
ssh_keys: "{{ members | map(attribute='email') | list }}"
|
|
labels:
|
|
managed: ansible
|
|
backups: "{{ new_hetzner_backups_enabled }}"
|
|
delete_protection: "{{ new_hetzner_delete_protection }}"
|
|
rebuild_protection: "{{ new_hetzner_rebuild_protection }}"
|
|
state: present
|
|
register: new_instance
|
|
async: 7200
|
|
poll: 0
|
|
|
|
- name: Wait for instance creation to complete
|
|
async_status:
|
|
jid: "{{ new_instance.ansible_job_id }}"
|
|
register: hetzner_job
|
|
until: hetzner_job.finished
|
|
retries: 300
|
|
|
|
# Note(decentral1se): before user accounts are created we connect as root. This
|
|
# is possible because we registered the SSH keys with Hetzner Cloud and when
|
|
# the new instance is created, those keys are in /root/authorized_keys
|
|
- name: Dynamically create root connection details for the new instance
|
|
add_host:
|
|
hostname: root-new-instance
|
|
ansible_host: "{{ hetzner_job.hcloud_server.ipv4_address }}"
|
|
ansible_ssh_extra_args: "-o StrictHostKeyChecking=no"
|
|
ansible_user: root
|
|
|
|
- name: "Wait for SSH on {{ new_hetzner_server_name }} to come up on port 22"
|
|
wait_for:
|
|
port: 22
|
|
host: "{{ hetzner_job.hcloud_server.ipv4_address }}"
|
|
search_regex: SSH
|
|
delay: 10
|
|
|
|
- name: Run the add-users role on the new instance
|
|
vars:
|
|
add_users_user_accounts: "{{ new_hetzner_user_accounts }}"
|
|
delegate_to: root-new-instance
|
|
import_role:
|
|
name: autonomic.add-users
|
|
tags:
|
|
- molecule-notest
|
|
|
|
- name: Run the sshd role on the new instance
|
|
vars:
|
|
sshd_user_accounts: "{{ new_hetzner_user_accounts }}"
|
|
delegate_to: root-new-instance
|
|
import_role:
|
|
name: autonomic.sshd
|
|
tags:
|
|
- molecule-notest
|
|
|
|
- name: Run all service restart handlers
|
|
delegate_to: root-new-instance
|
|
meta: flush_handlers
|
|
tags:
|
|
- molecule-notest
|
|
|
|
- name: "Wait for SSH to come up again on {{ sshd_port }}"
|
|
wait_for:
|
|
port: "{{ sshd_port }}"
|
|
host: "{{ hetzner_job.hcloud_server.ipv4_address }}"
|
|
search_regex: SSH
|
|
delay: 10
|
|
tags:
|
|
- molecule-notest
|
|
|
|
# Note(decentral1se): At this point we're connecting with our own new user
|
|
# account and using sudo based privilege escalation with the password generated
|
|
# by pass from the passwords repository. Dog fooding our own connection setup ensures it
|
|
# works
|
|
- name: "Dynamically create {{ lookup('env', 'REMOTE_USER') }} connection details for the new instance"
|
|
add_host:
|
|
hostname: user-new-instance
|
|
ansible_host: "{{ hetzner_job.hcloud_server.ipv4_address }}"
|
|
ansible_ssh_extra_args: "-o StrictHostKeyChecking=no"
|
|
ansible_user: "{{ ansible_user }}"
|
|
ansible_port: "{{ sshd_port }}"
|
|
|
|
# Note(decentral1se): Ansible refuses to use the correct password without specifying both of these
|
|
ansible_sudo_pass: "{{ lookup('passwordstore', 'users/{{ ansible_user }}/sudo/{{ new_hetzner_server_name }}') }}"
|
|
ansible_become_password: "{{ lookup('passwordstore', 'users/{{ ansible_user }}/sudo/{{ new_hetzner_server_name }}') }}"
|
|
tags:
|
|
- molecule-notest
|
|
|
|
- name: Run the ufw role on the new instance
|
|
delegate_to: user-new-instance
|
|
become: true
|
|
import_role:
|
|
name: autonomic.ufw
|
|
tags:
|
|
- molecule-notest
|
|
|
|
- name: Run the packages role on the new instance
|
|
delegate_to: user-new-instance
|
|
become: true
|
|
import_role:
|
|
name: autonomic.packages
|
|
tags:
|
|
- molecule-notest
|
|
|
|
- name: Run the name role on the new instance
|
|
delegate_to: user-new-instance
|
|
become: true
|
|
import_role:
|
|
name: autonomic.name
|
|
tags:
|
|
- molecule-notest
|
|
|
|
- name: Run the motd role on the new instance
|
|
delegate_to: user-new-instance
|
|
become: true
|
|
import_role:
|
|
name: autonomic.motd
|
|
tags:
|
|
- molecule-notest
|