feat(role): add provisioner role

ansible_galaxy-requirements.yml

@@ -6,3 +6,5 @@ collections:
     version: 9.0.0
   - name: ansible.utils
     version: 5.0.0
+  - name: moreati.jq
+    version: 0.2.1

collections/ansible_collections/nullified/infrastructure/roles/provisioner/defaults/main.yml

@@ -0,0 +1,10 @@
+---
+provisioner_artifacts_dir: '{{ provisioner_artifacts_dir | default("/srv/ansible/artifacts", true) }}'
+provisioner_github_token: "{{ custom_github_token | default('') }}"
+provisioner_helm_binary_path: '{{ provisioner_helm_binary_path | default("/usr/local/bin/helm", true) }}'
+provisioner_helm_version: latest
+provisioner_k8s_states_dir: '{{ provisioner_k8s_states_dir | default("/srv/ansible/states", true) }}'
+provisioner_kubeconfig_repository: '{{ provisioner_kubeconfig_repository | default("/srv/ansible/kubeconfig", true) }}'
+provisioner_kubectl_binary_path: '{{ provisioner_kubectl_binary_path | default("/usr/local/bin/kubectl", true) }}'
+provisioner_kubectl_version: latest
+provisioner_k3sup_binary_path: '{{ provisioner_k3sup_binary_path | default("/usr/local/bin/k3sup") }}'

collections/ansible_collections/nullified/infrastructure/roles/provisioner/handlers/main.yml

@@ -0,0 +1 @@
+---

collections/ansible_collections/nullified/infrastructure/roles/provisioner/meta/main.yml

@@ -0,0 +1,20 @@
+---
+galaxy_info:
+  author: Florian L.
+  namespace: nullified
+  description: Install server related configuration and tooling
+  # issue_tracker_url: http://example.com/issue/tracker
+  license: MIT
+  min_ansible_version: 2.15
+
+  # https://galaxy.ansible.com/api/v1/platforms/
+  platforms:
+    - name: Debian
+      versions:
+        - bookworm
+
+  galaxy_tags:
+    - utils
+    - system
+
+dependencies: []

collections/ansible_collections/nullified/infrastructure/roles/provisioner/tasks/load_facts.yml

@@ -0,0 +1,13 @@
+---
+- name: load provisioner facts
+  block:
+    - name: save current provisioner hostname
+      ansible.builtin.set_fact:
+        provisioner_hostname: '{{ lookup("pipe", "hostname") }}'
+    - name: retrieve provisioner inventory facts
+      ansible.builtin.set_fact:
+        provisioner_facts: '{{ dict(hostvars[provisioner_hostname]) | moreati.jq.jq(JSON_MATCH_QUERY) }}'
+      when: inventory_hostname == ansible_play_hosts_all[0]
+      run_once: true
+  vars:
+    JSON_MATCH_QUERY: 'to_entries | map(select(.key | match("^provisioner_.+")) | .key |= ltrimstr("provisioner_")) | from_entries'

collections/ansible_collections/nullified/infrastructure/roles/provisioner/tasks/main.yml

@@ -0,0 +1,56 @@
+---
+# add https://github.com/databus23/helm-diff
+- name: set default facts
+  ansible.builtin.set_fact:
+    provisioner_playbook_user: '{{ lookup("env", "USER") }}'
+  changed_when: false
+
+- name: install helm
+  ansible.builtin.include_role:
+    name: nullified.infrastructure.helm
+  vars:
+    helm_binary_path: '{{ provisioner_helm_binary_path }}'
+    helm_install_version: '{{ provisioner_helm_version }}'
+
+- name: install kubectl
+  ansible.builtin.include_role:
+    name: nullified.infrastructure.kubectl
+  vars:
+    kubectl_binary_path: '{{ provisioner_kubectl_binary_path }}'
+    kubectl_install_version: '{{ provisioner_kubectl_version }}'
+
+- name: install OpenTofu
+  become: true
+  nullified.infrastructure.github_artifact:
+    github_token: '{{ provisioner_github_token }}'
+    asset_name: 'tofu_{version}_amd64.deb'
+    asset_type: release
+    creates: '{{ provisioner_tofu_binary_path }}' # path used by the .deb, no control over it
+    repository: opentofu/opentofu
+    force: true
+    cmds:
+      - 'dpkg -i {asset_dirname}/{asset_filename}'
+
+- name: retrieve k3sup on Ansible controller
+  become: true
+  nullified.infrastructure.github_artifact:
+    asset_name: k3sup
+    asset_type: release
+    repository: alexellis/k3sup
+    creates: '{{ provisioner_k3sup_binary_path }}'
+    force: true
+    cmds:
+      - "install --mode=755 {asset_dirname}/{asset_filename} {{ provisioner_k3sup_binary_path }}"
+
+- name: create storage directories
+  become: true
+  ansible.builtin.file:
+    path: '{{ item }}'
+    mode: '0700'
+    owner: '{{ provisioner_playbook_user }}'
+    group: '{{ provisioner_playbook_user }}'
+    state: directory
+  loop:
+    - '{{ provisioner_artifacts_dir }}'
+    - '{{ provisioner_k8s_states_dir }}'
+    - '{{ provisioner_kubeconfig_repository }}'

collections/ansible_collections/nullified/infrastructure/roles/provisioner/tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

collections/ansible_collections/nullified/infrastructure/roles/provisioner/vars/main.yml

@@ -0,0 +1,2 @@
+---
+provisioner_tofu_binary_path: /usr/bin/tofu # path used by the .deb, no control over it

inventory/group_vars/provisioner/vars.yml

@@ -0,0 +1,8 @@
+# Variables starting with 'provisioner_' in this file will be injected in all hosts configuration as 'ansible_facts.provisioner_facts.<key>'
+provisioner_artifacts_dir: /srv/ansible/artifacts
+provisioner_helm_binary_path: /usr/local/bin/helm
+provisioner_k8s_states_dir: /srv/ansible/states
+provisioner_kubeconfig_repository: /srv/ansible/kubeconfig
+provisioner_kubectl_binary_path: /usr/local/bin/kubectl
+provisioner_k3sup_binary_path: /usr/local/bin/k3sup
+provisioner_tofu_binary_path: /usr/bin/tofu #do not change this, the path is decided by the .deb package

inventory/host_vars/unobtainium/vars.yml

@@ -1,6 +1,5 @@
 ansible_become_password: "{{ vault_root_pass }}"
 ansible_host: "{{ vault_ansible_host }}"
-ansible_connection: local
 
 # common role
 common_apt_packages:
@@ -21,6 +20,3 @@ common_sysctl_configuration:
 security_firewall_filter_policy_output: accept
 security_firewall_filter_policy_forward: accept
 security_firewall_mangle_policy_forward: accept
-
-# provisioner role
-terraform_binary_path: '/usr/bin/tofu'

inventory/host_vars/unsepttrium/unsepttrium/vars.yml

@@ -0,0 +1,21 @@
+ansible_become_password: "{{ vault_root_pass }}"
+ansible_host: "{{ vault_ansible_host }}"
+
+# common role
+common_apt_packages:
+  - pcscd
+  - pinentry-curses
+common_git_enabled: true
+common_git_username: "{{ vault_common_gitconfig_username }}"
+common_git_email: "{{ vault_common_gitconfig_email }}"
+common_git_force_sign: true
+common_git_signing_key: "{{ vault_common_gitconfig_signingkey }}"
+common_install_fonts: true
+common_sysctl_configuration:
+  'fs.inotify.max_user_watches': 1048576
+  'vm.swappiness': 1
+
+# security role
+security_firewall_filter_policy_output: accept
+security_firewall_filter_policy_forward: accept
+security_firewall_mangle_policy_forward: accept

inventory/host_vars/unsepttrium/vars.yml

@@ -0,0 +1,21 @@
+ansible_become_password: "{{ vault_root_pass }}"
+ansible_host: "{{ vault_ansible_host }}"
+
+# common role
+common_apt_packages:
+  - pcscd
+  - pinentry-curses
+common_git_enabled: true
+common_git_username: "{{ vault_common_gitconfig_username }}"
+common_git_email: "{{ vault_common_gitconfig_email }}"
+common_git_force_sign: true
+common_git_signing_key: "{{ vault_common_gitconfig_signingkey }}"
+common_install_fonts: true
+common_sysctl_configuration:
+  'fs.inotify.max_user_watches': 1048576
+  'vm.swappiness': 1
+
+# security role
+security_firewall_filter_policy_output: accept
+security_firewall_filter_policy_forward: accept
+security_firewall_mangle_policy_forward: accept

playbooks/internal.yml

@@ -1,4 +1,21 @@
 ---
+- name: setup provisioners
+  hosts: internal:&provisioner
+  gather_facts: false
+  tasks:
+    - name: include provisioner role
+      include_role:
+        name: nullified.infrastructure.provisioner
+
+- name: load provisioner facts
+  hosts: internal
+  gather_facts: false
+  tasks:
+    - name: include provisioner role
+      include_role:
+        name: nullified.infrastructure.provisioner
+        tasks_from: load_facts.yml
+
 - name: setup internal infrastructure
   hosts: internal
   gather_facts: false

playbooks/provisioner.yml

@@ -0,0 +1,7 @@
+---
+- name: setup local provisioner
+  hosts: provisioner
+  tasks:
+    - name: include provisioner role
+      ansible.builtin.include_role:
+        name: nullified.infrastructure.provisioner

requirements.txt

@@ -13,3 +13,4 @@ pycurl==7.45.2
 pylint==2.17.5
 python-vagrant==1.0.0
 yamllint==1.32.0
+jq==1.7.0