Reworking playbooks and workflows.

2025-09-13 17:35:28 -04:00
parent 16c0a6f956
commit 7c7ae8e19b
4 changed files with 56 additions and 26 deletions
+1 -14
@@ -1,4 +1,3 @@
# .github/workflows/validate-dags.yml
name: Validate DAGs
on:
@@ -38,19 +37,7 @@ jobs:
directory: .
vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
requirements: collections/requirements.yml
playbook: |
- hosts: localhost
gather_facts: false
vars:
vault_addr: ${{ env.VAULT_ADDR }}
vault_token: ${{ env.VAULT_TOKEN }}
dags_path: ${{ env.DAGS_PATH }}
tasks:
- name: Render DAG templates
template:
src: "{{ item }}"
dest: "{{ item | regex_replace('\\.j2$', '') }}"
loop: "{{ lookup('fileglob', dags_path ~ '/*.yaml.j2', wantlist=True) }}"
playbook: playbooks/rinoa-render-dags.yml
- name: Install dagu
uses: jaxxstorm/action-install-gh-release@v1
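Review bot: The replacement line `playbook: playbooks/rinoa-render-dags.yml` hands DAG rendering to a playbook that, if it is the new file in this commit, reads DAGS_PATH, VAULT_ADDR and VAULT_TOKEN with `lookup('env', ...)`, whereas the removed inline playbook received them explicitly as `vars` from `${{ env.* }}`; this step's `with:` block passes no `env:`, so rendering now depends on those variables being exported at job or workflow level, which is outside this hunk. An unset variable makes `lookup('env', ...)` return an empty string rather than fail, so the contract deserves a comment on the step, e.g. `# needs DAGS_PATH, VAULT_ADDR and VAULT_TOKEN in the job env; playbooks/rinoa-render-dags.yml reads them via lookup('env')`. The enclosing job starts before this hunk.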
@@ -3,7 +3,7 @@ name: Gitea Branch PR & Ansible Deployment
on:
workflow_dispatch:
workflow_run:
workflows: [Home Assistant Config Check, Validate DAs]
workflows: [Home Assistant Config Check, Validate DAGs]
types:
- completed
branches: main
@@ -11,13 +11,9 @@ on:
branches-ignore:
- 'main'
paths:
- 'app-configs/**'
- 'inventory/hosts.yml'
- 'host_vars/**'
- 'group_vars/**'
- '**/tar-valon_config_deploy.yml'
- '**/gitea_tar-valon_ansible_deploy.yml'
- '!app-configs/rikku/homeassistant/**'
- '!app-configs/rinoa/dagu/dags/**'
- 'app-configs/**'
env:
VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
@@ -120,7 +116,7 @@ jobs:
uses: dawidd6/action-ansible-playbook@v3
with:
directory: .
playbook: tar-valon_config_deploy.yml
playbook: playbooks/tar-valon_config_deploy.yml
vault_password: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
key: ${{ secrets.ANSIBLE_PRIVATE_KEY }}
requirements: collections/requirements.yml
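Review bot: In the `paths:` filter of the second hunk, the negative patterns `'!app-configs/rikku/homeassistant/**'` and `'!app-configs/rinoa/dagu/dags/**'` are followed, as the hunk prints them, by the positive `'app-configs/**'`; under GitHub Actions filter semantics a positive pattern that matches after a negative one re-includes the path, which would make both exclusions ineffective and trigger this deploy on exactly the changes that the `workflow_run` dependency on Home Assistant Config Check and Validate DAGs is meant to handle. If Gitea Actions applies the same ordering rule (worth confirming against the runner in use), move `- 'app-configs/**'` above the two `!` entries so the exclusions take effect. The `on:` block continues outside the hunk.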
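--- /dev/null
+++ b/playbooks/rinoa-render-dags.yml
@@ -0,0 +1,51 @@
+---
+- name: Render DAG .yaml.j2 templates safely
+hosts: localhost
+connection: local
+gather_facts: false
+vars:
+dags_path: "{{ lookup('env', 'DAGS_PATH') }}"
+vault_addr: "{{ lookup('env', 'VAULT_ADDR') }}"
+vault_token: "{{ lookup('env', 'VAULT_TOKEN') }}"
+tasks:
+- name: Build list of DAG template files
+ansible.builtin.set_fact:
+dag_templates: "{{ lookup('fileglob', dags_path ~ '/*.yaml.j2', wantlist=True) }}"
+- name: Pre-check Vault secrets in templates
+when: dag_templates | length > 0
+block:
+- name: Find all Vault lookup expressions in templates
+ansible.builtin.set_fact:
+vault_keys: >-
+{{
+dag_templates
+| map('lookup', 'file', wantlist=True)
+| map('regex_findall',
+"lookup\\('community.hashi_vault.vault_kv2_get',\\s*'[^']+',\\s*engine_mount_point='[^']+',\\s*url=[^,]+,\\s*token=[^\\)]+\\)\\['secret'\\]\\['([^']+)'\\]")
+| sum(start=[])
+}}
+- name: Warn if any Vault keys might be missing
+loop: "{{ vault_keys }}"
+ansible.builtin.debug:
+msg: "Vault key '{{ item }}' will be required by templates"
+- name: Render DAG templates in-place (guarded)
+when: dag_templates | length > 0
+ansible.builtin.template:
+src: "{{ item }}"
+dest: "{{ item | regex_replace('\\.j2$', '') }}"
+mode: '0644'
+loop: "{{ dag_templates }}"
+vars:
+ansible_jinja2_native: true
+ignore_errors: false
+- name: Log rendered files
+when: dag_templates | length > 0
+loop: "{{ dag_templates }}"
+ansible.builtin.debug:
+msg: "Rendered {{ item }} -> {{ item | regex_replace('\\.j2$', '') }}"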
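Review bot: `dags_path` comes from `lookup('env', 'DAGS_PATH')`, which yields an empty string when the variable is unset, so the fileglob in `Build list of DAG template files` becomes `'/*.yaml.j2'` and silently scans the filesystem root instead of failing; an assert before that set_fact makes the contract explicit. Separately, `ansible_jinja2_native: true` under the template task's `vars:` appears to have no effect — `jinja2_native` is a configuration setting (ansible.cfg `[defaults] jinja2_native` or the `ANSIBLE_JINJA2_NATIVE` environment variable), not a play variable — and `ignore_errors: false` only restates the default. The task named `Warn if any Vault keys might be missing` prints the key names captured by the regex and never queries Vault, so either rename it or document that, e.g. `# inventory of keys referenced by templates; their presence in Vault is not verified here`.
```yaml
  tasks:
    - name: Fail fast when DAGS_PATH is not set
      ansible.builtin.assert:
        that: dags_path | length > 0
        fail_msg: "DAGS_PATH must point to the directory holding the .yaml.j2 templates"
    # … unchanged: Build list of DAG template files and the remaining tasks …
```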
@@ -6,10 +6,6 @@
- benedikta
gather_facts: false
vars:
# template_base_path and vault_addr from group_vars/all.yml
# appdata_base_path, secrets_path, vault_token_cleaned from host_vars/<host>.yml
pre_tasks:
- name: Find all files for this host
ansible.builtin.find: