author | Elizabeth Alexander Hunt <me@liz.coffee> | 2025-05-10 18:53:56 -0700 |
---|---|---|
committer | Elizabeth Alexander Hunt <me@liz.coffee> | 2025-05-10 20:24:13 -0700 |
commit | 946bbfa548fbdad17980a535baaba70bbd56b499 (patch) | |
tree | fdee372a0e8874108da97f6c22eeaf84b6b78927 /worker/scripts/ansible_playbook | |
parent | 5a9186380619e959ad87f3990f8b2c324b4462d8 (diff) | |
NPM is huuuge on debian. Just download the native release of bitwarden. Same with ansible, but use a docker container for that lazy loaded goooodnesssss.
Diffstat (limited to 'worker/scripts/ansible_playbook')
-rw-r--r-- | worker/scripts/ansible_playbook | 76 |
1 files changed, 31 insertions, 45 deletions
diff --git a/worker/scripts/ansible_playbook b/worker/scripts/ansible_playbook
index bfeeb8b..a85995b 100644
--- a/worker/scripts/ansible_playbook
+++ b/worker/scripts/ansible_playbook
@@ -4,6 +4,7 @@ import {
   BitwardenSession,
   getRequiredEnv,
   getStdout,
+  prependWith,
   type SecureNote,
 } from "@liz-ci/utils";
 import type { AnsiblePlaybookJobProps } from "@liz-ci/model";
@@ -13,55 +14,40 @@ const args: AnsiblePlaybookJobProps = {
   playbooks: getRequiredEnv("playbooks"),
 };
-const tempKeyFile = await Deno.makeTempFile();
-const cwd = Deno.cwd();
 const bitwardenSession = new BitwardenSession();
+const secretFiles = await Promise.all(
+  ["ansible_secrets", "ssh_key"]
+    .map((secretName) =>
+      bitwardenSession
+        .getItem<SecureNote>(secretName)
+        .then(async ({ notes: recoveredSecret }) => {
+          const tempFile = await Deno.makeTempFile();
+          await Deno.writeTextFile(tempFile, recoveredSecret);
+          return tempFile;
+        })
+    ),
+);
+const [ansibleSecrets, sshKey] = secretFiles;
 try {
-  Deno.chdir(args.path);
+  const volumes = [
+    `${args.path}:/ansible`,
+    `${sshKey}:/root/id_rsa`,
+    `${ansibleSecrets}:/ansible/secrets.yml`,
+  ];
+  const playbookCmd = `ansible-playbook -e @secrets.yml ${args.playbooks}`;
-  const { notes: ansibleSecrets } = await bitwardenSession.getItem<SecureNote>(
-    "ansible_secrets",
-  );
-  await Deno.writeTextFile("secrets.yml", ansibleSecrets);
-
-  const { notes: privateKey } = await bitwardenSession.getItem<SecureNote>(
-    "ssh_key",
-  );
-
-  // Create a temporary file for the SSH key
-  await Deno.writeTextFile(tempKeyFile, privateKey);
-  await getStdout(["chmod", "600", tempKeyFile]);
-
-  // Start ssh-agent and add the key
-  const sshAgent = await getStdout(["ssh-agent", "-s"]);
-  const [SSH_AGENT_PID, SSH_AUTH_SOCK] = [
-    /SSH_AGENT_PID=(\d+)/,
-    /SSH_AUTH_SOCK=([^;]+)/,
-  ]
-    .map((regex) => sshAgent.match(regex)?.[1])
-    .map((val) => {
-      if (!val) throw new Error("Failed to start ssh-agent");
-      return val;
-    });
-
-  const sshEnv = {
-    SSH_AGENT_PID,
-    SSH_AUTH_SOCK,
-  };
-  await getStdout(["ssh-add", tempKeyFile], {
-    env: sshEnv,
-  });
   await getStdout([
-    "ansible-playbook",
-    "-e",
-    "@secrets.yml",
-    ...args.playbooks.split(" "),
-  ], { env: sshEnv });
-} finally {
-  await Promise.allSettled([
-    Deno.chdir.bind(null, cwd),
-    Deno.remove(tempKeyFile),
-    getStdout(["ssh-agent", "-k"]),
+    "docker",
+    "run",
+    ...prependWith(volumes, "-v"),
+    "willhallonline/ansible:latest",
+    ...playbookCmd.split(" "),
   ]);
+} finally {
+  await Promise.allSettled(
+    [bitwardenSession.close()].concat(
+      secretFiles.map((p) => Deno.remove(p)),
+    ),
+  );
 }
|
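Review bot: The new `secretFiles` block runs outside the `try`, so if the second `getItem` rejects after the first has already written its note to a temp file, `Promise.all` throws before `secretFiles` is assigned, the `finally` never runs, and a file holding the SSH private key or the Ansible secrets is left in the temp directory with the Bitwarden session still open. Moving retrieval inside the `try` and registering each temp file before writing to it keeps the existing cleanup path authoritative (shown below; two sequential fetches instead of one `Promise.all` is a negligible cost here). Two smaller points on the `docker run` lines: `willhallonline/ansible:latest` is a floating third-party tag that changes what executes with the secrets, so pin it to a digest such as `"willhallonline/ansible@sha256:<PINNED_DIGEST>"`, and the key and secrets mounts can be read-only, `` `${sshKey}:/root/id_rsa:ro` `` and `` `${ansibleSecrets}:/ansible/secrets.yml:ro` ``. The key is mounted at `/root/id_rsa` rather than `/root/.ssh/id_rsa`; unless an ansible.cfg under `args.path` names that file, ssh inside the container presumably will not pick it up — worth confirming on a real run.
```typescript
const bitwardenSession = new BitwardenSession();
const secretFiles: string[] = [];
try {
  for (const secretName of ["ansible_secrets", "ssh_key"]) {
    const { notes: recoveredSecret } = await bitwardenSession
      .getItem<SecureNote>(secretName);
    const tempFile = await Deno.makeTempFile();
    // registered before the write so a failed write is still removed in finally
    secretFiles.push(tempFile);
    await Deno.writeTextFile(tempFile, recoveredSecret);
  }
  const [ansibleSecrets, sshKey] = secretFiles;
  // … unchanged: volumes, playbookCmd, docker run …
} finally {
  // … unchanged: close session, remove secretFiles …
}
```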