ansible/ansible-runner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

init runner v2

Browse Source
This commit is contained in:
master of disaster
2026-06-11 23:27:52 +02:00
parent d4157f080f
commit 7b32c7425a
5 changed files with 405 additions and 63 deletions
Download Patch File Download Diff File Expand all files Collapse all files

126
.gitea/workflows/ansible-runner.yaml
View File

@@ -1,102 +1,102 @@
name: 🏃Run Ansible
name: 🏃 Run Ansible
on:
workflow_call:
inputs:
playbook_path:
description: 'Path to playbook relative to the role repo (e.g. playbooks/deploy.yml)'
required: true
type: string
role_repo:
description: 'Gitea repository of the role (e.g. ansible/role-samba)'
required: true
type: string
inventory:
description: 'Inventory file relative to ansible-runner repo'
required: false
type: string
default: 'inventory/raspberries.yaml'
ansible_extra_args:
description: 'Additional Ansible arguments (e.g. --tags install)'
required: false
type: string
default: ''
secrets:
TOKEN:
required: true
jobs:
install_ansible:
runs-on: ubuntu-latest
run_ansible:
# Uses the custom ansible-act-runner image with Node, Python and Ansible pre-installed
runs-on: ansible
container:
image: cattheinvoker/ubuntu-act-baked:22.04
image: gitea.mod.home/${{ gitea.repository_owner }}/ansible-act-runner:latest
steps:
- name: 🔐Setup SSH for submodules
- name: 🔑 Setup SSH
run: |
echo "Key length: ${#SSH_PRIVATE_KEY}"
mkdir -p $HOME/.ssh
echo "$SSH_PRIVATE_KEY" | base64 -d > $HOME/.ssh/id_ed25519
chmod 600 $HOME/.ssh/id_ed25519
ls -laR
# ssh-keyscan -t rsa -p 2222 gitlab.mod.home > $HOME/.ssh/known_hosts
echo "Host *" >> ~/.ssh/config
echo " StrictHostKeyChecking no" >> ~/.ssh/config
echo " UserKnownHostsFile /dev/null" >> ~/.ssh/config
echo "Host gitea.mod.home" >> ~/.ssh/config
echo " port 2222" >> ~/.ssh/config
cat > ~/.ssh/config << 'SSHEOF'
Host *
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
IdentityFile ~/.ssh/id_ed25519
Host gitea.mod.home
Port 2222
SSHEOF
chmod 600 ~/.ssh/config
env:
SSH_PRIVATE_KEY: ${{ secrets.SSHKEY_B64 }}
- name: 🛠️ Install Node.js fallback
run: |
if ! command -v node &> /dev/null; then
echo "Node nicht gefunden. Installiere..."
sudo apt-get update && sudo apt-get install -y nodejs
fi
- name: 🔎Checkout Repository
- name: 🔎 Checkout ansible-runner (Inventory & Vault)
uses: actions/checkout@v4
with:
submodules: recursive
repository: ${{ gitea.repository_owner }}/ansible-runner
token: ${{ secrets.TOKEN }}
fetch-depth: 0
# Python 3 installieren, was für pip und Ansible notwendig ist
- name: Setup Python
uses: actions/setup-python@v5
with:
python-version: "3.x" # Wählt die neueste Python 3 Version
# Abhängigkeiten aktualisieren und Ansible über pip installieren
- name: Install Ansible via pip
run: |
python -m pip install --upgrade pip
pip install ansible
# vault file anlegen
- name: 🔑create vault file
run: echo "${{ secrets.ANSIBLE_VAULT_KEY }}" > .vault_pass.txt
- name: 📋Manuelles Submodule Update
run: |
git submodule init
git submodule update --recursive --init --force
- name: Install Ansible roles
run: |
ansible-galaxy role install -r requirements.yml --roles-path ./roles
- name: 🔎Check Ansible roles exists
run: |
ansible-galaxy list
- name: 🔎 Checkout Triggering Role Repo
- name: 🔎 Checkout Role Repo
uses: actions/checkout@v4
with:
token: ${{ secrets.TOKEN }}
repository: ${{ inputs.role_repo }}
path: active_role
fetch-depth: 0
- name: 🔎Check Ansible Playbook Syntax
- name: 🔑 Setup Vault Key
run: |
ansible-playbook --syntax-check active_role/${{ inputs.playbook_path }}
echo "${{ secrets.ANSIBLE_VAULT_KEY }}" > .vault_pass.txt
chmod 600 .vault_pass.txt
- name: 🏃Run Ansible deploy_valkey.yml.ansible
- name: 🔎 Syntax Check
run: |
ansible-playbook -i inventory/raspberries.yaml active_role/${{ inputs.playbook_path }} --vault-password-file .vault_pass.txt -v
# Beispiel für den Benachrichtigungsschritt
- name: 📨Telegram Benachrichtigung senden
ansible-playbook \
--syntax-check \
-i ${{ inputs.inventory }} \
active_role/${{ inputs.playbook_path }}
- name: 🏃 Run Playbook
run: |
ansible-playbook \
-i ${{ inputs.inventory }} \
active_role/${{ inputs.playbook_path }} \
--vault-password-file .vault_pass.txt \
${{ inputs.ansible_extra_args }} \
-v
- name: 🧹 Cleanup Secrets
if: always()
run: |
rm -f .vault_pass.txt
rm -f $HOME/.ssh/id_ed25519
- name: 📨 Telegram Notification
uses: chapvic/telegram-notify@master
if: always() # Stellt sicher, dass die Benachrichtigung immer gesendet wird
if: always()
with:
token: ${{ secrets.TELEGRAM_BOT_TOKEN }} # Ihr Bot-Token Secret
chat: ${{ secrets.TELEGRAM_CHAT_ID }} # Ihre Chat-ID Secret
status: ${{ job.status }} # Sendet den Job-Status (success/failure/cancelled)
title: "Deploy: ${{ inputs.role_repo }}"
token: ${{ secrets.TELEGRAM_BOT_TOKEN }}
chat: ${{ secrets.TELEGRAM_CHAT_ID }}
status: ${{ job.status }}
title: "Deploy: ${{ inputs.role_repo }} → ${{ inputs.playbook_path }}"

73
.gitea/workflows/build-image.yaml Normal file
View File

@@ -0,0 +1,73 @@
name: 🐳 Build Ansible Act Runner Image
on:
push:
branches:
- main
paths:
- 'docker/Dockerfile'
workflow_dispatch:
inputs:
force_rebuild:
description: 'Force rebuild without cache'
required: false
default: 'false'
type: boolean
jobs:
build:
# Runs directly on the runner host to access the DinD sidecar
# DOCKER_HOST=tcp://localhost:2376 is already set via runner configmap
runs-on: docker
steps:
- name: 🔎 Checkout
uses: actions/checkout@v4
- name: 🏷️ Set Image Tags
id: tags
run: |
REGISTRY="gitea.mod.home"
ORG="${{ gitea.repository_owner }}"
IMAGE="ansible-act-runner"
SHORT_SHA="${{ gitea.sha }}"
SHORT_SHA="${SHORT_SHA:0:8}"
echo "image=${REGISTRY}/${ORG}/${IMAGE}" >> $GITHUB_OUTPUT
echo "tag_latest=${REGISTRY}/${ORG}/${IMAGE}:latest" >> $GITHUB_OUTPUT
echo "tag_sha=${REGISTRY}/${ORG}/${IMAGE}:${SHORT_SHA}" >> $GITHUB_OUTPUT
echo "short_sha=${SHORT_SHA}" >> $GITHUB_OUTPUT
- name: 🐳 Docker Login → Gitea Registry
run: |
echo "${{ secrets.REGISTRY_PASSWORD }}" | \
docker login gitea.mod.home \
--username "${{ secrets.REGISTRY_USER }}" \
--password-stdin
- name: 🐳 Build Image
run: |
BUILD_ARGS=""
if [ "${{ inputs.force_rebuild }}" = "true" ]; then
BUILD_ARGS="--no-cache"
fi
docker build ${BUILD_ARGS} \
-t ${{ steps.tags.outputs.tag_latest }} \
-t ${{ steps.tags.outputs.tag_sha }} \
-f docker/Dockerfile \
docker/
- name: 🐳 Push Image
run: |
docker push ${{ steps.tags.outputs.tag_latest }}
docker push ${{ steps.tags.outputs.tag_sha }}
- name: 📨 Telegram Notification
uses: chapvic/telegram-notify@master
if: always()
with:
token: ${{ secrets.TELEGRAM_BOT_TOKEN }}
chat: ${{ secrets.TELEGRAM_CHAT_ID }}
status: ${{ job.status }}
title: "🐳 Build: ansible-act-runner:${{ steps.tags.outputs.short_sha }}"

173
README.md Normal file
View File

@@ -0,0 +1,173 @@
# ansible-runner
Centralized Ansible runner repository for the homelab. Contains the inventory,
vault configuration, SSH credentials, and two reusable Gitea Actions workflows:
one that builds the custom runner image, and one that executes Ansible playbooks
from any role repository.
---
## Repository Structure
```
ansible-runner/
├── docker/
│ └── Dockerfile # Custom ansible-act-runner image
├── inventory/
│ └── raspberries.yaml # Ansible inventory
├── .gitea/
│ └── workflows/
│ ├── build-image.yaml # Builds and pushes the runner image
│ └── ansible-runner.yaml # Reusable workflow for all role repos
└── example-caller-workflow.yaml # Example: how to call from another repo
```
---
## Workflows
### `build-image.yaml` — Build the Ansible Act Runner Image
Triggers automatically when `docker/Dockerfile` changes on `main`, or manually
via `workflow_dispatch` with an optional force-rebuild flag.
Runs on the `docker` label (directly on the runner host) to access the DinD
sidecar that is configured in the OKD runner pod. Builds and pushes two tags:
- `gitea.mod.home/ansible/ansible-act-runner:latest`
- `gitea.mod.home/ansible/ansible-act-runner:<short-sha>`
### `ansible-runner.yaml` — Reusable Ansible Playbook Runner
A `workflow_call` workflow that can be called from any role repository.
Runs on the `ansible` label using the custom image, which has Node.js, Python,
Ansible, and all required collections pre-installed.
**Inputs:**
| Input | Required | Default | Description |
|-------|----------|---------|-------------|
| `role_repo` | ✅ | — | Gitea repo of the role, e.g. `ansible/role-samba` |
| `playbook_path` | ✅ | — | Path to playbook inside the role repo |
| `inventory` | ❌ | `inventory/raspberries.yaml` | Inventory file relative to this repo |
| `ansible_extra_args` | ❌ | `''` | Additional Ansible CLI arguments |
**Secrets passed through:**
| Secret | Description |
|--------|-------------|
| `TOKEN` | Gitea access token for checking out private repos |
---
## Calling from a Role Repository
Place a workflow file in `.gitea/workflows/` of your role repository:
```yaml
name: 🚀 Deploy
on:
push:
branches:
- main
workflow_dispatch:
jobs:
deploy:
uses: ansible/ansible-runner/.gitea/workflows/ansible-runner.yaml@main
with:
role_repo: ansible/role-samba
playbook_path: playbooks/deploy.yml
ansible_extra_args: '--tags install' # optional
secrets:
TOKEN: ${{ secrets.TOKEN }}
```
---
## Required Secrets
All secrets are configured at the **Organization level** in Gitea
(`ansible` org → Settings → Secrets) so they are available to all role
repositories without duplication.
| Secret | Used in | Description |
|--------|---------|-------------|
| `SSHKEY_B64` | `ansible-runner.yaml` | Base64-encoded ED25519 private key for SSH access to managed hosts |
| `ANSIBLE_VAULT_KEY` | `ansible-runner.yaml` | Ansible Vault password |
| `TOKEN` | `ansible-runner.yaml` | Gitea access token (`repo` scope) for checking out role repos |
| `REGISTRY_USER` | `build-image.yaml` | Gitea username for container registry login |
| `REGISTRY_PASSWORD` | `build-image.yaml` | Gitea access token with `package:write` scope |
| `TELEGRAM_BOT_TOKEN` | both | Telegram bot token for notifications |
| `TELEGRAM_CHAT_ID` | both | Telegram chat ID for notifications |
### Creating the Gitea Access Token
In Gitea → User Settings → Applications → Generate Token:
- For `TOKEN`: scopes `repo` (read/write)
- For `GITEA_REGISTRY_PASSWORD`: scope `package` (read/write)
---
## OKD Runner Configuration
The act runner pod in the OKD cluster (`gitea-act-runner` namespace) runs with
a DinD sidecar. The `build-image.yaml` workflow uses `runs-on: docker` to
execute directly on the runner host where `DOCKER_HOST=tcp://localhost:2376`
is available via the sidecar.
The `ansible-runner.yaml` workflow uses `runs-on: ansible` and spawns a
container from the custom image. Node.js, Python, Ansible, and all collections
are pre-installed — no runtime installation required.
### Runner Labels (configured in OKD ConfigMap)
The runner ConfigMap (`gitea-act-runner-config`) must have the following labels
registered. Without the `docker` label, `build-image.yaml` will not be picked
up by the runner.
```yaml
# configmap.yaml — labels section
runner:
labels:
- "docker:host" # required for build-image.yaml (runs-on: docker)
- "ansible:host" # required for ansible-runner.yaml (runs-on: ansible)
- "ubuntu-latest:docker://..."
```
| Label | `runs-on` value | Purpose |
|-------|----------------|---------|
| `docker:host` | `docker` | Direct host execution with DinD sidecar — used for Docker builds |
| `ansible:host` | `ansible` | Direct host execution — Ansible jobs via container image |
| `ubuntu-latest` | `ubuntu-latest` | Container execution via DinD |
> **Note:** After changing the ConfigMap labels, the runner pod must re-register.
> Delete the pod to force a restart: `kubectl delete pod -n gitea-act-runner -l app=gitea-act-runner`
---
## Bootstrap: First Image Build
No manual build from a laptop is required. The existing `gitea/act_runner:latest`
pod already has a DinD sidecar and the `docker:host` label registered, so it can
build and push the custom image itself.
**Steps:**
1. Create the repository in Gitea and push all files
2. Set the required secrets in the `ansible` org (see above)
3. Trigger the build manually via `workflow_dispatch` in Gitea Actions UI
The runner will build the image and push it to `gitea.mod.home/ansible/ansible-act-runner:latest`.
All subsequent builds are triggered automatically when `docker/Dockerfile` changes on `main`.
---
## Roadmap
- [ ] TLS for Gitea registry via cert-manager (remove insecure flag)
- [ ] Samba AD DC deployment playbook
- [ ] Bind9 DNS backend playbook
- [ ] Windows domain join playbook
- [ ] Fluentbit → VictoriaLogs for Samba log shipping

78
docker/Dockerfile Normal file
View File

@@ -0,0 +1,78 @@
FROM ubuntu:24.04
LABEL maintainer="homelab"
LABEL description="Ansible Act Runner - Custom Image"
ENV DEBIAN_FRONTEND=noninteractive
ENV NODE_VERSION=20
ENV ANSIBLE_FORCE_COLOR=1
ENV PIP_NO_CACHE_DIR=1
ARG ACT_RUNNER_VERSION=0.2.11
RUN apt-get update && apt-get install -y --no-install-recommends \
curl \
wget \
git \
ca-certificates \
gnupg \
unzip \
jq \
rsync \
openssh-client \
sshpass \
python3 \
python3-pip \
python3-venv \
python3-dev \
smbclient \
krb5-user \
libkrb5-dev \
python3-kerberos \
dnsutils \
build-essential \
libssl-dev \
libffi-dev \
&& rm -rf /var/lib/apt/lists/*
# Node.js 20 LTS
RUN curl -fsSL https://deb.nodesource.com/setup_${NODE_VERSION}.x | bash - \
&& apt-get install -y --no-install-recommends nodejs \
&& rm -rf /var/lib/apt/lists/*
# act_runner binary
RUN curl -fsSL \
https://gitea.com/gitea/act_runner/releases/download/v${ACT_RUNNER_VERSION}/act_runner-${ACT_RUNNER_VERSION}-linux-amd64 \
-o /usr/local/bin/act_runner \
&& chmod +x /usr/local/bin/act_runner
# Ansible + pip packages
RUN python3 -m pip install --break-system-packages \
ansible-core \
ansible \
jmespath \
netaddr \
passlib \
cryptography \
pywinrm \
requests \
boto3
# Ansible Collections
RUN ansible-galaxy collection install \
community.general \
community.crypto \
ansible.posix \
kubernetes.core \
community.windows \
microsoft.ad
RUN useradd -m -s /bin/bash runner
WORKDIR /data
# Smoke tests
RUN node --version \
&& python3 --version \
&& ansible --version \
&& act_runner --version

18
example-caller-workflow.yaml Normal file
View File

@@ -0,0 +1,18 @@
name: 🚀 Deploy
on:
push:
branches:
- main
workflow_dispatch:
jobs:
deploy:
uses: ansible/ansible-runner/.gitea/workflows/ansible-runner.yaml@main
with:
role_repo: ansible/role-samba # role repository to check out
playbook_path: playbooks/deploy.yml # path inside the role repo
inventory: inventory/raspberries.yaml # optional — this is the default
ansible_extra_args: '--tags install' # optional
secrets:
TOKEN: ${{ secrets.TOKEN }}