ansible/.gitlab-ci.yml

image: rehashedsalt/ansible-env:bleeding
variables:
  ANSIBLE_INVENTORY: inventories/production-no-auto
  ANSIBLE_STRATEGY: free
stages:
  - lint
  - test
  - play-pre
  - play-main
  - play-post
before_script:
  # Dump our key
  - eval $(ssh-agent -s)
  - echo "$ANSIBLE_SSH_KEY" | tr -d '\r' | ssh-add -
  - mkdir -p ~/.ssh
  - chmod -R 0700 ~/.ssh
  # Dump the vault password
  - touch ~/.vault_pass
  - chmod 0600 ~/.vault_pass
  - echo "$ANSIBLE_VAULT_PASSWORD" > ~/.vault_pass
  # Fix perms on the playbook root
  - chmod -R 0750 .
  # Join the Zerotier management network
  - |
    [ -n "$ZEROTIER_NETWORK_ID" ] && \
    service zerotier-one start && \
    sleep 5 && \
    zerotier-cli join "$ZEROTIER_NETWORK_ID" && \
    sleep 5 && \
    zerotier-cli info && \
    zerotier-cli listnetworks
  # Get ready for execution
  - ansible-galaxy install -r requirements.yml
  # Run a quick test SSH connection to the bastion box
  - ssh -o StrictHostKeyChecking=no ansible@bastion1.dallas.mgmt.desu.ltd uptime
  # And a quick test SSH connection over proxy
  - ssh -o StrictHostKeyChecking=no -o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd" ansible@bastion1.dallas.mgmt.desu.ltd uptime
after_script:
  - |
    [ -n "$ZEROTIER_NETWORK_ID" ] && \
    zerotier-cli leave "$ZEROTIER_NETWORK_ID"

Lint:
  stage: lint
  interruptible: yes
  except:
    - pipelines
    - schedules
  script:
    - ansible-lint --version
    - ansible-lint site.yml --offline

Test:
  stage: test
  retry: 1
  interruptible: yes
  except:
    - pipelines
  script:
    - ansible-playbook --skip-tags no-test,no-auto -C site.yml --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file ~/.vault_pass || error="$?"
    - if [ "$error" -eq 4 ]; then echo "Some hosts were unreachable; masking error"; unset error; fi
    - if [ -n "$error" ]; then echo "Return code $error"; false; fi

# PRE-MAIN CONFIGURATION
Local:
  stage: play-pre
  script:
    - ansible-playbook --skip-tags no-auto playbooks/site_local.yml --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file ~/.vault_pass
Pre:
  stage: play-pre
  script:
    - ansible-playbook --skip-tags no-auto playbooks/site_pre.yml --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file ~/.vault_pass

# MAIN CONFIGURATION
Main:
  stage: play-main
  retry: 1
  script:
    - ansible-playbook --skip-tags no-auto playbooks/site_main.yml --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file ~/.vault_pass
Common:
  stage: play-main
  script:
    - ansible-playbook --skip-tags no-auto playbooks/site_common.yml --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file ~/.vault_pass
Nagios:
  stage: play-main
  retry: 1
  script:
    - ansible-playbook -l vm-general-1.ashburn.mgmt.desu.ltd playbooks/prod_web.yml --tags nagios --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file ~/.vault_pass

# CLEANUP
Cleanup:
  stage: play-post
  script:
    - ansible-playbook --skip-tags no-auto playbooks/site_post.yml --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file ~/.vault_pass
Switch to using our brand-spankin new ansible-env container 2021-09-24 21:18:22 -05:00			`image: rehashedsalt/ansible-env:bleeding`
Set Ansible strategy to free on GitLab CI operations This should speed up the nightly full playbook runs 2022-02-15 15:07:38 -06:00			`variables:`
Modify GitLab CI to use the no-auto variant of the prod inventory 2022-03-19 13:22:28 -05:00			`ANSIBLE_INVENTORY: inventories/production-no-auto`
Set Ansible strategy to free on GitLab CI operations This should speed up the nightly full playbook runs 2022-02-15 15:07:38 -06:00			`ANSIBLE_STRATEGY: free`
Add a GitLab CI file Note: Still not using GitLab for now, but this may help when I do 2021-06-20 20:26:09 -05:00			`stages:`
Move linting to its own stage, install python-is-python3 in setup 2021-07-31 20:03:38 -05:00			`- lint`
Add a GitLab CI file Note: Still not using GitLab for now, but this may help when I do 2021-06-20 20:26:09 -05:00			`- test`
Rework GitLab pipelines 2022-03-07 10:46:02 -06:00			`- play-pre`
			`- play-main`
			`- play-post`
Add a GitLab CI file Note: Still not using GitLab for now, but this may help when I do 2021-06-20 20:26:09 -05:00			`before_script:`
			`# Dump our key`
			`- eval $(ssh-agent -s)`
			`- echo "$ANSIBLE_SSH_KEY" \| tr -d '\r' \| ssh-add -`
			`- mkdir -p ~/.ssh`
			`- chmod -R 0700 ~/.ssh`
			`# Dump the vault password`
Use a well-known vault password file location I caved 2022-07-23 18:04:15 -05:00			`- touch ~/.vault_pass`
			`- chmod 0600 ~/.vault_pass`
			`- echo "$ANSIBLE_VAULT_PASSWORD" > ~/.vault_pass`
Add a GitLab CI file Note: Still not using GitLab for now, but this may help when I do 2021-06-20 20:26:09 -05:00			`# Fix perms on the playbook root`
			`- chmod -R 0750 .`
Add integration with my ZT management network 2021-07-31 20:30:16 -05:00			`# Join the Zerotier management network`
Fix block commands in setup script 2021-07-31 20:34:09 -05:00			`- \|`
			`[ -n "$ZEROTIER_NETWORK_ID" ] && \`
Add integration with my ZT management network 2021-07-31 20:30:16 -05:00			`service zerotier-one start && \`
Add some sleeps to give the service time to start up 2021-07-31 20:46:58 -05:00			`sleep 5 && \`
Add integration with my ZT management network 2021-07-31 20:30:16 -05:00			`zerotier-cli join "$ZEROTIER_NETWORK_ID" && \`
Add some sleeps to give the service time to start up 2021-07-31 20:46:58 -05:00			`sleep 5 && \`
Add integration with my ZT management network 2021-07-31 20:30:16 -05:00			`zerotier-cli info && \`
			`zerotier-cli listnetworks`
Add a GitLab CI file Note: Still not using GitLab for now, but this may help when I do 2021-06-20 20:26:09 -05:00			`# Get ready for execution`
Move requirements.yml to root 2021-08-01 21:39:36 -05:00			`- ansible-galaxy install -r requirements.yml`
Add a second test in the pre script for jump compat 2022-02-15 14:28:27 -06:00			`# Run a quick test SSH connection to the bastion box`
Oops, disable strict host key checking on that new sanity check I just added 2022-02-15 14:22:21 -06:00			`- ssh -o StrictHostKeyChecking=no ansible@bastion1.dallas.mgmt.desu.ltd uptime`
Add a second test in the pre script for jump compat 2022-02-15 14:28:27 -06:00			`# And a quick test SSH connection over proxy`
I'm stupid; specify the name on that check 2022-02-15 14:30:26 -06:00			`- ssh -o StrictHostKeyChecking=no -o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd" ansible@bastion1.dallas.mgmt.desu.ltd uptime`
Add integration with my ZT management network 2021-07-31 20:30:16 -05:00			`after_script:`
Fix block commands in setup script 2021-07-31 20:34:09 -05:00			`- \|`
			`[ -n "$ZEROTIER_NETWORK_ID" ] && \`
Add integration with my ZT management network 2021-07-31 20:30:16 -05:00			`zerotier-cli leave "$ZEROTIER_NETWORK_ID"`
Add a GitLab CI file Note: Still not using GitLab for now, but this may help when I do 2021-06-20 20:26:09 -05:00
			`Lint:`
Disable lints and tests for pipelines 2021-08-01 14:55:25 -05:00			`stage: lint`
Mark lint and test stages as interruptible 2021-07-31 21:04:25 -05:00			`interruptible: yes`
Disable lints and tests for pipelines 2021-08-01 14:55:25 -05:00			`except:`
			`- pipelines`
Disable them for schedules too 2021-08-01 14:56:59 -05:00			`- schedules`
Add a GitLab CI file Note: Still not using GitLab for now, but this may help when I do 2021-06-20 20:26:09 -05:00			`script:`
			`- ansible-lint --version`
Lint in offline mode 2023-03-20 20:54:36 -05:00			`- ansible-lint site.yml --offline`
Add a GitLab CI file Note: Still not using GitLab for now, but this may help when I do 2021-06-20 20:26:09 -05:00
Revert "Break out testing into its own triple-parallelized flow" This reverts commit 9e5e2a23d47441e767d0f37d16d7e36bc9ad8c0d. 2021-08-05 11:50:08 -05:00			`Test:`
Add a GitLab CI file Note: Still not using GitLab for now, but this may help when I do 2021-06-20 20:26:09 -05:00			`stage: test`
Add retry args to prevent one-off failures in the future 2021-09-26 15:59:31 -05:00			`retry: 1`
Disable lints and tests for pipelines 2021-08-01 14:55:25 -05:00			`interruptible: yes`
			`except:`
			`- pipelines`
Add a GitLab CI file Note: Still not using GitLab for now, but this may help when I do 2021-06-20 20:26:09 -05:00			`script:`
Use a well-known vault password file location I caved 2022-07-23 18:04:15 -05:00			`- ansible-playbook --skip-tags no-test,no-auto -C site.yml --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file ~/.vault_pass \|\| error="$?"`
Revert "Break out testing into its own triple-parallelized flow" This reverts commit 9e5e2a23d47441e767d0f37d16d7e36bc9ad8c0d. 2021-08-05 11:50:08 -05:00			`- if [ "$error" -eq 4 ]; then echo "Some hosts were unreachable; masking error"; unset error; fi`
			`- if [ -n "$error" ]; then echo "Return code $error"; false; fi`
Add a GitLab CI file Note: Still not using GitLab for now, but this may help when I do 2021-06-20 20:26:09 -05:00
Rework GitLab pipelines 2022-03-07 10:46:02 -06:00			`# PRE-MAIN CONFIGURATION`
			`Local:`
			`stage: play-pre`
Split plays into three parts that execute (and fail) in parallel 2021-07-31 19:49:14 -05:00			`script:`
Use a well-known vault password file location I caved 2022-07-23 18:04:15 -05:00			`- ansible-playbook --skip-tags no-auto playbooks/site_local.yml --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file ~/.vault_pass`
Rework GitLab pipelines 2022-03-07 10:46:02 -06:00			`Pre:`
			`stage: play-pre`
Define and execute a play for homelab stuff 2021-11-20 19:04:12 -06:00			`script:`
Use a well-known vault password file location I caved 2022-07-23 18:04:15 -05:00			`- ansible-playbook --skip-tags no-auto playbooks/site_pre.yml --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file ~/.vault_pass`
Rework GitLab pipelines 2022-03-07 10:46:02 -06:00
			`# MAIN CONFIGURATION`
			`Main:`
			`stage: play-main`
Retry Main 2022-10-21 08:29:18 -05:00			`retry: 1`
Rework GitLab pipelines 2022-03-07 10:46:02 -06:00			`script:`
Use a well-known vault password file location I caved 2022-07-23 18:04:15 -05:00			`- ansible-playbook --skip-tags no-auto playbooks/site_main.yml --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file ~/.vault_pass`
Rework GitLab pipelines 2022-03-07 10:46:02 -06:00			`Common:`
			`stage: play-main`
			`script:`
Use a well-known vault password file location I caved 2022-07-23 18:04:15 -05:00			`- ansible-playbook --skip-tags no-auto playbooks/site_common.yml --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file ~/.vault_pass`
Rework GitLab pipelines 2022-03-07 10:46:02 -06:00			`Nagios:`
			`stage: play-main`
Give the Nagios bullshit it's own play I guess 2022-03-04 21:29:24 -06:00			`retry: 1`
			`script:`
Use a well-known vault password file location I caved 2022-07-23 18:04:15 -05:00			`- ansible-playbook -l vm-general-1.ashburn.mgmt.desu.ltd playbooks/prod_web.yml --tags nagios --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file ~/.vault_pass`
Rework GitLab pipelines 2022-03-07 10:46:02 -06:00
			`# CLEANUP`
			`Cleanup:`
			`stage: play-post`
			`script:`
Use a well-known vault password file location I caved 2022-07-23 18:04:15 -05:00			`- ansible-playbook --skip-tags no-auto playbooks/site_post.yml --ssh-common-args='-o ProxyCommand="ssh -W %h:%p -q ansible@bastion1.dallas.mgmt.desu.ltd"' --vault-password-file ~/.vault_pass`