Files
a13labs.infra/.gitea/actions/setup-ansible-env/action.yml
T

100 lines
3.2 KiB
YAML

name: Setup Ansible Environment
description: Prepare the environment for A13labs CI/CD pipelines
inputs:
access-token:
description: "Bitwarden access token"
required: true
project-id:
description: "Bitwarden project ID"
required: true
organization-id:
description: "Bitwarden organization ID"
required: true
ansible-user:
description: "The user to use for Ansible"
required: true
ssh-auth-socket:
description: "The SSH_AUTH_SOCK environment variable"
default: "/tmp/ssh_agent.sock"
host-group:
description: "The host group to setup the Ansible environment"
default: "public"
outputs:
ssh-auth-sock:
description: "The SSH_AUTH_SOCK environment variable"
value: ${{ steps.start-ssh-agent.outputs.ssh-auth-sock }}
hosts:
description: "The list of hosts in the host group"
value: ${{ steps.read-hosts.outputs.hosts }}
runs:
using: "composite"
steps:
- name: Install required python packages
shell: bash
run: |
python3 -m pip install -r requirements/ansible.txt
- name: Prepare SSH key
shell: bash
env:
BW_ACCESS_TOKEN: ${{ inputs.access-token }}
BW_PROJECT_ID: ${{ inputs.project-id }}
BW_ORGANIZATION_ID: ${{ inputs.organization-id }}
run: |
sectool ssh unlock ansible
mkdir -p ~/.ssh
chmod 700 ~/.ssh
cp ssh-keys/ansible/id_ecdsa ~/.ssh/id_ecdsa
chmod 600 ~/.ssh/id_ecdsa
- name: Read hosts from inventory
id: read-hosts
shell: bash
env:
HOST_GROUP: ${{ inputs.host-group }}
run: |
ansible-inventory -i inventory/hosts --list --yaml --limit $HOST_GROUP | grep -oE '([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}' | sort -u > /tmp/ansible_hosts
echo "hosts=$(cat /tmp/ansible_hosts)" >> $GITEA_OUTPUT
- name: Read SSH host keys from remote hosts
shell: bash
run: |
mkdir -p ~/.ssh
for HOST in $(cat /tmp/ansible_hosts); do
ssh-keyscan "$HOST" >> ~/.ssh/known_hosts
done
chmod 600 ~/.ssh/known_hosts
- name: Enable SSH host key algorithms
shell: bash
run: |
echo "Host *" >> ~/.ssh/config
echo " HostKeyAlgorithms +sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com"
chmod 600 ~/.ssh/config
- name: Start SSH agent and add SSH key
id: start-ssh-agent
shell: bash
env:
BW_ACCESS_TOKEN: ${{ inputs.access-token }}
BW_PROJECT_ID: ${{ inputs.project-id }}
BW_ORGANIZATION_ID: ${{ inputs.organization-id }}
SSH_AUTH_SOCK: ${{ inputs.ssh-auth-socket }}
run: |
ssh-agent -a $SSH_AUTH_SOCK > /dev/null
echo 'sectool vault get SSH_PASSWORD' > ~/.ssh_askpass && chmod +x ~/.ssh_askpass
DISPLAY=None SSH_ASKPASS=~/.ssh_askpass ssh-add ~/.ssh/id_ecdsa < /dev/null
rm ~/.ssh_askpass
echo "ssh-auth-sock=$SSH_AUTH_SOCK" >> $GITEA_OUTPUT
- name: Check SSH Connection to remote hosts
shell: bash
env:
ANSIBLE_USER: ${{ inputs.ansible-user }}
SSH_AUTH_SOCK: ${{ inputs.ssh-auth-socket }}
run: |
for HOST in $(cat /tmp/ansible_hosts); do
ssh "$ANSIBLE_USER@$HOST" echo "SSH connection to "$HOST" successful"
done