This repository has been archived on 2022-08-22. You can view files and clone it, but cannot push or open issues or pull requests.
autonomic.new-hetzner/tasks/main.yml
decentral1se 6d71a5bd31
All checks were successful
continuous-integration/drone/push Build is passing
use scoped var, pass it down the line
2022-05-31 09:16:57 +02:00

149 lines
4.5 KiB
YAML

---
- name: Ensure mandatory variables are configured
assert:
that: "{{ item }} is defined"
fail_msg: "You must define the '{{ item }}' variable"
with_items:
- new_hetzner_user_accounts
- new_hetzner_server_image
- new_hetzner_server_name
- new_hetzner_server_type
- name: Include resource variables
include_vars: "{{ new_hetzner_user_accounts }}"
tags:
- molecule-notest
# Note(decentral1se): gives root SSH access for all members
- name: Ensure all Autonomic member SSH keys are registered
hcloud_ssh_key:
name: "{{ item.email }}"
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
public_key: "{{ item.ssh_key }}"
state: present
with_items: "{{ members }}"
- name: Create new hetzner cloud instance
hcloud_server:
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
image: "{{ new_hetzner_server_image }}"
name: "{{ new_hetzner_server_name }}"
server_type: "{{ new_hetzner_server_type }}"
ssh_keys: "{{ members | map(attribute='email') | list }}"
labels:
managed: ansible
backups: "{{ new_hetzner_backups_enabled }}"
delete_protection: "{{ new_hetzner_delete_protection }}"
rebuild_protection: "{{ new_hetzner_rebuild_protection }}"
state: present
register: new_instance
async: 7200
poll: 0
- name: Wait for instance creation to complete
async_status:
jid: "{{ new_instance.ansible_job_id }}"
register: hetzner_job
until: hetzner_job.finished
retries: 300
# Note(decentral1se): before user accounts are created we connect as root. This
# is possible because we registered the SSH keys with Hetzner Cloud and when
# the new instance is created, those keys are in /root/authorized_keys
- name: Dynamically create root connection details for the new instance
add_host:
hostname: root-new-instance
ansible_host: "{{ hetzner_job.hcloud_server.ipv4_address }}"
ansible_ssh_extra_args: "-o StrictHostKeyChecking=no"
ansible_user: root
- name: "Wait for SSH on {{ new_hetzner_server_name }} to come up on port 22"
wait_for:
port: 22
host: "{{ hetzner_job.hcloud_server.ipv4_address }}"
search_regex: SSH
delay: 10
- name: Run the add-users role on the new instance
vars:
add_users_user_accounts: "{{ new_hetzner_user_accounts }}"
delegate_to: root-new-instance
import_role:
name: autonomic.add-users
tags:
- molecule-notest
- name: Run the sshd role on the new instance
vars:
sshd_user_accounts: "{{ new_hetzner_user_accounts }}"
delegate_to: root-new-instance
import_role:
name: autonomic.sshd
tags:
- molecule-notest
- name: Run all service restart handlers
delegate_to: root-new-instance
meta: flush_handlers
tags:
- molecule-notest
- name: "Wait for SSH to come up again on {{ sshd_port }}"
wait_for:
port: "{{ sshd_port }}"
host: "{{ hetzner_job.hcloud_server.ipv4_address }}"
search_regex: SSH
delay: 10
tags:
- molecule-notest
# Note(decentral1se): At this point we're connecting with our own new user
# account and using sudo based privilege escalation with the password generated
# by pass from the passwords repository. Dog fooding our own connection setup ensures it
# works
- name: "Dynamically create {{ lookup('env', 'REMOTE_USER') }} connection details for the new instance"
add_host:
hostname: user-new-instance
ansible_host: "{{ hetzner_job.hcloud_server.ipv4_address }}"
ansible_ssh_extra_args: "-o StrictHostKeyChecking=no"
ansible_user: "{{ ansible_user }}"
ansible_port: "{{ sshd_port }}"
# Note(decentral1se): Ansible refuses to use the correct password without specifying both of these
ansible_sudo_pass: "{{ lookup('passwordstore', 'users/{{ ansible_user }}/sudo/{{ new_hetzner_server_name }}') }}"
ansible_become_password: "{{ lookup('passwordstore', 'users/{{ ansible_user }}/sudo/{{ new_hetzner_server_name }}') }}"
tags:
- molecule-notest
- name: Run the ufw role on the new instance
delegate_to: user-new-instance
become: true
import_role:
name: autonomic.ufw
tags:
- molecule-notest
- name: Run the packages role on the new instance
delegate_to: user-new-instance
become: true
import_role:
name: autonomic.packages
tags:
- molecule-notest
- name: Run the name role on the new instance
delegate_to: user-new-instance
become: true
import_role:
name: autonomic.name
tags:
- molecule-notest
- name: Run the motd role on the new instance
delegate_to: user-new-instance
become: true
import_role:
name: autonomic.motd
tags:
- molecule-notest