From 27e6cadb9ae5fbf73fb0afe11dc8f9928e8ee12e Mon Sep 17 00:00:00 2001
From: Salt
Date: Wed, 17 Jun 2020 08:52:28 -0500
Subject: [PATCH] Work on switching to ansible in pull mode
---
 ansible-pull.cfg | 7 +++++
 roles/ansible-pull/files/ansiblevaultpass | 6 +++++
 roles/ansible-pull/tasks/main.yml | 27 +++++++++++++++++++
 .../templates/ansible-pull.service | 14 ++++++++++
 .../ansible-pull/templates/ansible-pull.timer | 11 ++++++++
 roles/ansiblehost/tasks/main.yml | 1 +
 site.yml | 2 ++
 7 files changed, 68 insertions(+)
 create mode 100644 ansible-pull.cfg
 create mode 100644 roles/ansible-pull/files/ansiblevaultpass
 create mode 100644 roles/ansible-pull/tasks/main.yml
 create mode 100644 roles/ansible-pull/templates/ansible-pull.service
 create mode 100644 roles/ansible-pull/templates/ansible-pull.timer
diff --git a/ansible-pull.cfg b/ansible-pull.cfg
new file mode 100644
index 0000000..6bca86c
--- /dev/null
+++ b/ansible-pull.cfg
@@ -0,0 +1,7 @@
+[defaults]
+inventory = inventory
+deprecation_warnings = false
+ask_become_pass = false
+ask_vault_pass = false
+pipelining = true
+interpreter_python = python3
diff --git a/roles/ansible-pull/files/ansiblevaultpass b/roles/ansible-pull/files/ansiblevaultpass
new file mode 100644
index 0000000..0131d94
--- /dev/null
+++ b/roles/ansible-pull/files/ansiblevaultpass
@@ -0,0 +1,6 @@
+$ANSIBLE_VAULT;1.1;AES256
+31383561303637303735386663306631333063623336643030643634333262336664363461613239
+6230623439393465656161663432393732633662383833640a373433343236353835363130653937
+31346233663237383666306536633962613534623735366531666561656335393964316230633161
+3930636537313364380a376432363431346636363565383734613638316161643036623636656532
+66333038393738663464343534633766643734393165626538633962376161376262
diff --git a/roles/ansible-pull/tasks/main.yml b/roles/ansible-pull/tasks/main.yml
new file mode 100644
index 0000000..31cd8f4
--- /dev/null
+++ b/roles/ansible-pull/tasks/main.yml
@@ -0,0 +1,27 @@
+#!/usr/bin/ansible-playbook
+# vim:ft=ansible:
+---
+- name: Set up ansible-pull
+ block:
+ - name: Copy Ansible password file
+ copy:
+ src: ansiblevaultpass
+ dest: ~/ansiblevaultpass
+ mode: "0600"
+ become: yes
+ become_user: ansible
+ - name: Template out services
+ template:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ mode: "{{ item.mode }}"
+ loop:
+ - { src: "ansible-pull.service", dest: "/etc/systemd/system/ansible-pull.service", mode: "0644" }
+ - { src: "ansible-pull.timer", dest: "/etc/systemd/system/ansible-pull.timer", mode: "0644" }
+ - name: Enable timer
+ systemd:
+ daemon_reload: yes
+ name: ansible-pull.timer
+ enabled: yes
+ state: started
+ become: yes
diff --git a/roles/ansible-pull/templates/ansible-pull.service b/roles/ansible-pull/templates/ansible-pull.service
new file mode 100644
index 0000000..719dcdd
--- /dev/null
+++ b/roles/ansible-pull/templates/ansible-pull.service
@@ -0,0 +1,14 @@
+# vim:ft=dosini:
+[Unit]
+Description=Ansible pull service
+
+[Service]
+User=ansible
+Group=ansible
+# Forking and not oneshot here because we don't want it stuck in the Activating state forever
+Type=forking
+Environment=ANSIBLE_CONFIG=~/ansible-pull-repo/ansible-pull.cfg
+ExecStart=ansible-pull --tags pull --accept-host-key -U "https://git.9iron.club/salt/ansible" -d "~/ansible-pull-repo" --vault-password-file "~/ansiblevaultpass" site.yml
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/ansible-pull/templates/ansible-pull.timer b/roles/ansible-pull/templates/ansible-pull.timer
new file mode 100644
index 0000000..2379b0e
--- /dev/null
+++ b/roles/ansible-pull/templates/ansible-pull.timer
@@ -0,0 +1,11 @@
+# vim:ft=dosini:
+[Unit]
+Description=Ansible pull timer
+
+[Timer]
+Persistent=true
+OnBootSec=15min
+OnUnitActiveSec=4h
+
+[Install]
+WantedBy=timers.target
diff --git a/roles/ansiblehost/tasks/main.yml b/roles/ansiblehost/tasks/main.yml
index 531334e..a30df63 100644
--- a/roles/ansiblehost/tasks/main.yml
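Review bot: The `Copy Ansible password file` task leaves the vault password (presumably decrypted on copy, the `copy` module's default for a vaulted `src`) at `~/ansiblevaultpass` on every host that runs this role, so each host holds the key to every vaulted value in the repository, not only its own. If the inventory mixes trust levels, consider separate vault IDs per host group (`--vault-id`) so a pulled host can decrypt only what it needs. On the task itself, `no_log: true` would keep the plaintext out of `--diff` output and logs. The flattened indentation on this page does not show whether the trailing `become: yes` belongs to the block or only to `Enable timer`; if it is the latter, `Template out services` writes to `/etc/systemd/system` without escalation.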
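Review bot: `ExecStart` runs whatever is at the head of `https://git.9iron.club/salt/ansible` on every timer tick with no check on who authored it, so write access to that repository or its server becomes code execution on every enrolled host. ansible-pull can refuse unsigned history: add `--verify-commit` and provision the trusted signing key for the `ansible` user, and consider pinning a branch with `-C`. Because `ask_become_pass = false` is set and the role uses `become: yes`, the `ansible` account presumably has passwordless sudo, which makes this effectively root. Separately, `Type=forking` does not avoid the activating state: systemd still waits for the initial process to exit and applies the default start timeout, which `Type=oneshot` disables, so a long run may be killed part-way and leave a host half-configured. The paths also rely on ansible-pull expanding `~`, since systemd does no tilde expansion; absolute paths would remove that dependency.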
+++ b/roles/ansiblehost/tasks/main.yml
@@ -19,4 +19,5 @@
 hour: "*/12"
 name: ansible-pull
 job: "cd /opt/ansible-repo && ANSIBLE_CONFIG=/opt/ansible-repo/ansiblehost-config.cfg HOME=/root /usr/local/bin/ansible-playbook \"{{ pullplaybook }}\" --vault-password-file /root/ansiblevaultpass > /var/log/ansible-pull.log 2>&1"
+ disabled: yes
 become: true
diff --git a/site.yml b/site.yml
index 3f2f0ab..1e1822b 100755
--- a/site.yml
+++ b/site.yml
@@ -3,6 +3,8 @@
 ---
 - hosts: all
 roles:
+ - role: ansible-pull
+ tags: [ common ]
 - role: common
 tags: [ common ]
 - role: zerotier
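Review bot: The new `ansible-pull` role entry is tagged `[ common ]`, but the unit added in this commit runs `ansible-pull --tags pull`, and nothing visible in this diff carries the `pull` tag. Unless roles outside this hunk are tagged `pull`, the timer-driven run selects no tasks and hosts stop converging without any error, while the previous cron-driven run is set to `disabled: yes` in the same commit. If pull mode is meant to apply this role, tag it accordingly, e.g. `tags: [ common, pull ]`. The play continues beyond the hunk, so the tags on the remaining roles cannot be checked from here.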