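# Reusable (workflow_call) Gitea Actions workflow: checks out the shared
# ansible-runner repo (inventory + vault data) and one role repo, then runs a
# playbook from that role repo against the selected inventory.
#
# Review notes on the changes versus the previous revision:
#   - Every secret this workflow reads is declared under `secrets:` so a caller
#     that does not use `secrets: inherit` fails validation instead of running
#     with empty values (an empty SSHKEY_B64 used to decode to an empty key
#     file and only surface as an SSH failure much later).
#   - Caller-supplied inputs and secrets reach shell steps through `env:` rather
#     than `${{ }}` interpolation inside the script, so their text is data for
#     the shell, not shell syntax.
#   - SSH host-key checking is no longer disabled outright (see Setup SSH).
name: 🏃 Run Ansible

on:
  workflow_call:
    inputs:
      playbook_path:
        description: 'Path to playbook relative to the role repo (e.g. playbooks/deploy.yml)'
        required: true
        type: string
      role_repo:
        description: 'Gitea repository of the role (e.g. ansible/role-samba)'
        required: true
        type: string
      inventory:
        description: 'Inventory file relative to ansible-runner repo'
        required: false
        type: string
        default: 'inventory/raspberries.yaml'
      ansible_extra_args:
        description: 'Additional Ansible arguments (e.g. --tags install)'
        required: false
        type: string
        default: ''
    secrets:
      TOKEN:
        description: 'Gitea token used by actions/checkout for both repositories'
        required: true
      SSHKEY_B64:
        description: 'base64-encoded ed25519 private key Ansible uses to reach the hosts'
        required: true
      ANSIBLE_VAULT_KEY:
        description: 'Ansible Vault password'
        required: true
      TELEGRAM_BOT_TOKEN:
        description: 'Bot token for the result notification'
        required: false
      TELEGRAM_CHAT_ID:
        description: 'Chat that receives the result notification'
        required: false

jobs:
  run_ansible:
    # Uses the custom ansible-act-runner image with Node, Python and Ansible pre-installed
    runs-on: ansible
    container:
      # `latest` is a moving tag: whatever was last pushed to the registry runs
      # with all of this job's secrets. Pin to an immutable tag or digest if the
      # registry provides one.
      image: gitea.mod.home/${{ gitea.repository_owner }}/ansible-act-runner:latest

    steps:
      - name: 🔑 Setup SSH
        # The key is supplied via `env:` (not `${{ }}` inside the script) so it is
        # never embedded in the rendered shell script.
        #
        # Host keys: the previous config set `StrictHostKeyChecking no` with
        # `UserKnownHostsFile /dev/null`, which accepts any host key and therefore
        # any machine answering on the target address. `accept-new` (OpenSSH 7.6+)
        # trusts a host on first contact but refuses a changed key. Because this
        # container is ephemeral that is still trust-on-first-use per run; for
        # real pinning, ship a known_hosts file (e.g. from the ansible-runner repo)
        # as UserKnownHostsFile and set StrictHostKeyChecking yes.
        run: |
          set -eu
          if [ -z "${SSH_PRIVATE_KEY}" ]; then
            echo "SSHKEY_B64 secret is empty or was not passed to this workflow" >&2
            exit 1
          fi
          umask 077
          mkdir -p "$HOME/.ssh"
          printf '%s' "$SSH_PRIVATE_KEY" | base64 -d > "$HOME/.ssh/id_ed25519"
          chmod 600 "$HOME/.ssh/id_ed25519"
          cat > "$HOME/.ssh/config" << 'SSHEOF'
          Host *
            StrictHostKeyChecking accept-new
            UserKnownHostsFile ~/.ssh/known_hosts
            IdentityFile ~/.ssh/id_ed25519
          Host gitea.mod.home
            Port 2222
          SSHEOF
          chmod 600 "$HOME/.ssh/config"
        env:
          SSH_PRIVATE_KEY: ${{ secrets.SSHKEY_B64 }}

      - name: 🔎 Checkout ansible-runner (Inventory & Vault)
        # TODO: pin to a full commit SHA; `v4` is a moving tag.
        uses: actions/checkout@v4
        with:
          repository: ${{ gitea.repository_owner }}/ansible-runner
          token: ${{ secrets.TOKEN }}
          fetch-depth: 0
          # NOTE(review): actions/checkout leaves TOKEN in .git/config by default,
          # readable by every later step (including the playbook). Add
          # `persist-credentials: false` unless a later step needs git access
          # through it — confirm before changing.

      - name: 🔎 Checkout Role Repo
        # TODO: pin to a full commit SHA; `v4` is a moving tag.
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.TOKEN }}
          repository: ${{ inputs.role_repo }}
          path: active_role
          fetch-depth: 0

      - name: 🔑 Setup Vault Key
        # Written from `env:` so the vault password is not part of the rendered
        # script. An empty value is rejected up front instead of producing a
        # password file that cannot decrypt anything.
        run: |
          set -eu
          if [ -z "${VAULT_KEY}" ]; then
            echo "ANSIBLE_VAULT_KEY secret is empty or was not passed to this workflow" >&2
            exit 1
          fi
          umask 077
          printf '%s\n' "$VAULT_KEY" > .vault_pass.txt
          chmod 600 .vault_pass.txt
        env:
          VAULT_KEY: ${{ secrets.ANSIBLE_VAULT_KEY }}

      - name: 🔎 Syntax Check
        # playbook_path is documented as relative to the role repo, so reject
        # absolute paths and `..` components that would escape active_role/.
        # The vault password file is passed here too so vaulted vars in the
        # inventory do not make the syntax check fail before the real run.
        run: |
          set -eu
          case "$PLAYBOOK_PATH" in
            ''|/*|*..*)
              echo "playbook_path must be a relative path inside the role repo without '..': '$PLAYBOOK_PATH'" >&2
              exit 1 ;;
          esac
          ansible-playbook \
            --syntax-check \
            -i "$INVENTORY" \
            --vault-password-file .vault_pass.txt \
            "active_role/$PLAYBOOK_PATH"
        env:
          PLAYBOOK_PATH: ${{ inputs.playbook_path }}
          INVENTORY: ${{ inputs.inventory }}

      - name: 🏃 Run Playbook
        # ANSIBLE_EXTRA_ARGS is deliberately unquoted so a value such as
        # "--tags install --limit pi1" splits into separate arguments; `set -f`
        # stops that word-splitting from also glob-expanding patterns like
        # `--limit 'web*'`. Since the value arrives as an env var, metacharacters
        # in it are never parsed as shell commands. `-v` prints task results, so
        # tasks that handle vault data should keep `no_log: true`.
        run: |
          set -eu
          set -f
          # shellcheck disable=SC2086
          ansible-playbook \
            -i "$INVENTORY" \
            "active_role/$PLAYBOOK_PATH" \
            --vault-password-file .vault_pass.txt \
            $ANSIBLE_EXTRA_ARGS \
            -v
        env:
          PLAYBOOK_PATH: ${{ inputs.playbook_path }}
          INVENTORY: ${{ inputs.inventory }}
          ANSIBLE_EXTRA_ARGS: ${{ inputs.ansible_extra_args }}

      - name: 🧹 Cleanup Secrets
        # Runs even when an earlier step failed so the key material does not
        # outlive the job.
        if: always()
        run: |
          rm -f .vault_pass.txt
          rm -f "$HOME/.ssh/id_ed25519"

      - name: 📨 Telegram Notification
        # Third-party action pulled from a moving branch: anything pushed to
        # `master` runs here with the bot token. Pin to a reviewed commit SHA.
        uses: chapvic/telegram-notify@master
        if: always()
        with:
          token: ${{ secrets.TELEGRAM_BOT_TOKEN }}
          chat: ${{ secrets.TELEGRAM_CHAT_ID }}
          status: ${{ job.status }}
          title: "Deploy: ${{ inputs.role_repo }} → ${{ inputs.playbook_path }}"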