M .build.yml => .build.yml +2 -1
@@ 33,9 33,10 @@ tasks:
terraform validate
- deploy: |
mkdir -p ~/.ssh
- cp ansible/ssh_host_keys/xenrox.net ~/.ssh/known_hosts
+ cat ansible/ssh_host_keys/* > ~/.ssh/known_hosts
set +x
. ~/.vault-secret
set -x
cd ansible
ansible-playbook playbooks/avalon.yml
+ ansible-playbook playbooks/fenrir.yml
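Review bot: The new `cat ansible/ssh_host_keys/* > ~/.ssh/known_hosts` line pins every file that happens to sit in that directory, so a stray or mistakenly committed file silently becomes a trusted host key for the job that also sources `~/.vault-secret`. Naming the files keeps the trust set reviewable in this one place: `cat ansible/ssh_host_keys/xenrox.net ansible/ssh_host_keys/fenrir.xenrox.net > ~/.ssh/known_hosts`. The two playbooks now run back to back, and whether a failure of `avalon.yml` stops the job before `fenrir.yml` depends on the shell's errexit setting, which is not visible here. The deploy script may continue past the end of the hunk.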
M host_vars/fenrir.xenrox.net/vars.yml => host_vars/fenrir.xenrox.net/vars.yml +1 -0
@@ 1,2 1,3 @@
---
+ci_deploy_target: true
wireguard_address: 10.0.0.2
M host_vars/xenrox.net/vars.yml => host_vars/xenrox.net/vars.yml +1 -0
@@ 11,6 11,7 @@ wireguard_address: 10.0.0.1
wireguard_vpn_subnet: 10.200.200.0/24
borg_user: u272193-sub1
+ci_deploy_target: true
croc_relay: true
hostname: avalon.xenrox.net
srht: true
A roles/xenrox/defaults/main.yml => roles/xenrox/defaults/main.yml +5 -0
@@ 0,0 1,5 @@
+---
+# Set to true for hosts whose playbooks are executed in the CI/CD pipeline
+ci_deploy_target: false
+ssh_pubkeys:
+ - yubikey.pub
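Review bot: `ssh_pubkeys` carries no comment, and moving it from role vars to role defaults lowers its precedence, so inventory, group_vars and host_vars can now replace the whole list, which they could not do while it lived in `vars/main.yml`. Document that next to the key, for example `# File names under public_keys/ read into the authorized_keys fact; inventory vars may override this list.` and `# xenrox_ansible.pub is appended by the role when ci_deploy_target is true.` A host that overrides the list without `yubikey.pub` would end up with only the keys it names, plus the CI key if it is flagged.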
M roles/xenrox/tasks/main.yml => roles/xenrox/tasks/main.yml +5 -0
@@ 30,6 30,11 @@
append: true
groups: wheel
+- name: Add SSH public key for auto-deployment
+ ansible.builtin.set_fact:
+ ssh_pubkeys: "{{ ssh_pubkeys + ['xenrox_ansible.pub'] }}"
+ when: ci_deploy_target
+
- name: Read SSH public keys
ansible.builtin.set_fact:
authorized_keys: "{% for key in ssh_pubkeys %}{{ lookup('file', '../public_keys/' + key) }}\n{% endfor %}"
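Review bot: `when: ci_deploy_target` on the new task tests the raw value, so a string such as the one produced by `-e ci_deploy_target=false` is non-empty and, on Ansible versions that evaluate bare variables as plain Jinja truthiness, counts as true; the failure direction is granting the CI key. Coerce it with `when: ci_deploy_target | bool`. Because `set_fact` rewrites `ssh_pubkeys` by appending, applying the role twice in one play would add the entry twice, which `"{{ (ssh_pubkeys + ['xenrox_ansible.pub']) | unique }}"` avoids. The context lines above show `groups: wheel`, so the pipeline key presumably logs in as a wheel member on every flagged host, and that is worth stating in a comment on the task; the user task itself starts outside the hunk.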
M roles/xenrox/vars/main.yml => roles/xenrox/vars/main.yml +0 -3
@@ 2,6 2,3 @@
xenrox_packages:
- sudo
- zsh
-ssh_pubkeys:
- - yubikey.pub
- - xenrox_ansible.pub
A ssh_host_keys/fenrir.xenrox.net => ssh_host_keys/fenrir.xenrox.net +3 -0
@@ 0,0 1,3 @@
+|1|QGqxZIv4cwqGFwz9PBgLPs9H0q8=|dWoffkwu/W93jbJ3EOJAxATsewk= ssh-rsa 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
+|1|Ogun8TkKreYuq3sv7DhRgr1Rw00=|9N/OfmAFjHscOheR7NjMFRNQCdM= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPmyWL1JinEe8Q5Yqeum2y+eHl7vR7sm49M4UQE5yt7OK0wSP62skHRRtQ1V8ZOs3a9XGQEE3ZJRFrg6HxlVK/k=
+|1|2nTX7USL6SKppJr0/gRrE8SxKgI=|MRXp77R0eatNHHbrc6VNfZvcUQk= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOlShdpi8OGC/9u9t6ODBkBCke71Z5JVcRg09xwV1CDE
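Review bot: These entries are hashed (`|1|salt|hash`), so the file does not show which names or addresses are pinned, and nothing in the commit records how the keys were obtained. If they were collected over the network rather than read on the host itself, the pin is only as trustworthy as that first connection. Compare them with the fingerprints printed on the host by `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub`, and record the check in the commit message or in a `#` comment line at the top of the file. Pinning only the ed25519 entry would also narrow the set of keys the deploy job accepts, provided the CI client negotiates that algorithm.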