90 lines
3.0 KiB
YAML
90 lines
3.0 KiB
YAML
name: Ansible Apply
|
|
|
|
on:
|
|
schedule:
|
|
- cron: "0 2 * * 0"
|
|
push:
|
|
branches:
|
|
- main
|
|
paths:
|
|
- "ansible/**"
|
|
- .github/workflows/ansible-apply.yaml
|
|
|
|
jobs:
|
|
ansible-apply:
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v2
|
|
|
|
- name: Setup Sectool
|
|
uses: a13labs/setup-sectool@v1
|
|
|
|
- name: Install Python and required packages
|
|
run: |
|
|
sudo apt-get update
|
|
sudo apt-get install -y python3-pip
|
|
python3 -m pip install -r requirements.txt
|
|
|
|
- name: Setup SSH Key
|
|
env:
|
|
VAULT_MASTER_PASSWORD: ${{ secrets.VAULT_MASTER_PASSWORD }}
|
|
run: |
|
|
sectool ssh unlock ansible
|
|
mkdir -p ~/.ssh
|
|
chmod 700 ~/.ssh
|
|
cp ssh-keys/ansible/id_ecdsa ~/.ssh/id_ecdsa
|
|
chmod 600 ~/.ssh/id_ecdsa
|
|
|
|
- name: Read SSH Trusted Hosts keys
|
|
env:
|
|
TRUSTED_HOSTS: ${{ secrets.TRUSTED_HOSTS }}
|
|
run: |
|
|
mkdir -p ~/.ssh
|
|
for HOST in $TRUSTED_HOSTS; do
|
|
ssh-keyscan $HOST >> ~/.ssh/known_hosts
|
|
done
|
|
chmod 600 ~/.ssh/known_hosts
|
|
|
|
- name: Enable SSH host key algorithms
|
|
run: |
|
|
echo "Host *" >> ~/.ssh/config
|
|
echo " HostKeyAlgorithms +sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com"
|
|
chmod 600 ~/.ssh/config
|
|
|
|
- name: Start SSH Agent
|
|
env:
|
|
VAULT_MASTER_PASSWORD: ${{ secrets.VAULT_MASTER_PASSWORD }}
|
|
SSH_AUTH_SOCK: /tmp/ssh_agent.sock
|
|
run: |
|
|
ssh-agent -a $SSH_AUTH_SOCK > /dev/null
|
|
echo 'sectool vault get SSH_PASSWORD' > ~/.ssh_askpass && chmod +x ~/.ssh_askpass
|
|
DISPLAY=None SSH_ASKPASS=~/.ssh_askpass ssh-add ~/.ssh/id_ecdsa < /dev/null
|
|
rm ~/.ssh_askpass
|
|
|
|
- name: Check SSH Connection to remote hosts
|
|
env:
|
|
TRUSTED_HOSTS: ${{ secrets.TRUSTED_HOSTS }}
|
|
ANSIBLE_USER: ${{ secrets.ANSIBLE_USER }}
|
|
SSH_AUTH_SOCK: /tmp/ssh_agent.sock
|
|
run: |
|
|
for HOST in $TRUSTED_HOSTS; do
|
|
ssh $ANSIBLE_USER@$HOST echo "SSH connection to $HOST successful"
|
|
done
|
|
|
|
- name: Apply Ansible Playbook
|
|
env:
|
|
VAULT_MASTER_PASSWORD: ${{ secrets.VAULT_MASTER_PASSWORD }}
|
|
ANSIBLE_USER: ${{ secrets.ANSIBLE_USER }}
|
|
SSH_AUTH_SOCK: /tmp/ssh_agent.sock
|
|
run: |
|
|
cd ansible
|
|
sectool exec ansible-playbook -u $ANSIBLE_USER playbook_cis.yml --skip-tags roles::cis::suid
|
|
sectool exec ansible-playbook -u $ANSIBLE_USER playbook_encryption.yml
|
|
sectool exec ansible-playbook -u $ANSIBLE_USER playbook_microk8s.yml
|
|
sectool exec ansible-playbook -u $ANSIBLE_USER playbook_gitea.yml
|
|
sectool exec ansible-playbook -u $ANSIBLE_USER playbook_nextcloud.yml
|
|
sectool exec ansible-playbook -u $ANSIBLE_USER playbook_wordpress.yml
|
|
sectool exec ansible-playbook -u $ANSIBLE_USER playbook_m3uproxy.yml
|