configure service hosts too, and move ansible-pull tasks to 'base'

buildbot · Dec 14, 2014 · 253a480 · 253a480
1 parent efef58e
commit 253a480
Show file tree

Hide file tree

Showing 7 changed files with 36 additions and 23 deletions.
diff --git a/README.rst b/README.rst
@@ -18,6 +18,8 @@ To develop a patch on a test system, set the system's base hostname to correspon
 
     ansible-playbook local.yml
 
+To avoid installing a the Ansible crontask, add ``-e no_ansible_pull=true``.
+
 To use development secrets (which may be unencrypted), create ``dev-secrets.yml`` and invoke Ansible with ``-e secrets_file=dev-secrets.yml``.
 
 Secrets

diff --git a/local.yml b/local.yml
@@ -18,6 +18,30 @@
       key: "{{ansible_hostname}}"
     changed_when: False
 
+- name: configure service1
+  hosts: service1
+  gather_facts: no
+  connection: local
+  sudo: yes
+  roles:
+  - base-servicehost
+
+- name: configure service2
+  hosts: service2
+  gather_facts: no
+  connection: local
+  sudo: yes
+  roles:
+  - base-servicehost
+
+- name: configure service3
+  hosts: service3
+  gather_facts: no
+  connection: local
+  sudo: yes
+  roles:
+  - base-servicehost
+
 - name: configure ns1
   hosts: ns1
   gather_facts: no

diff --git a/roles/base-servicehost/tasks/main.yml b/roles/base-servicehost/tasks/main.yml
@@ -1,3 +1,2 @@
 ---
 - include: users.yml
-- include: ansible-pull.yml
diff --git a/roles/base-servicehost/templates/vault-password.j2 b/roles/base-servicehost/templates/vault-password.j2
diff --git a/...s/base-servicehost/tasks/ansible-pull.yml → roles/base/tasks/ansible-pull.yml b/...s/base-servicehost/tasks/ansible-pull.yml → roles/base/tasks/ansible-pull.yml
@@ -19,25 +19,21 @@
     state: directory
 
 - name: install vault password
-  template:
-    src: vault-password.j2
+  copy:
+    content: "{{ vault_password }}"
     dest: /var/ansible/.vault-password
     mode: 0600
     owner: "{{ service_account }}"
     group: wheel
 
 # ansible-pull expects the inventory file to exist already, even before it
-# clones the repo, so we clone the repo explicitly.  The repo needs to be owned
-# by the service user, so it's cloned in a command rather than with the 'git'
-# module
+# clones the repo, so we clone the repo explicitly.
 - name: clone ansible git repository
-  shell: "git clone {{ ansible_git_repository }} /var/ansible/repo && chown -R {{ service_account }}:wheel /var/ansible/repo"
-  args:
-    creates: /var/ansible/repo
-
-- name: test
-  debug:
-    msg: "{{ 'absent' if no_ansible_pull|default('false')|bool else 'present' }}"
+  sudo_user: "{{ service_account }}"
+  git:
+    repo: "{{ ansible_git_repository }}"
+    dest: /var/ansible/repo
+    accept_hostkey: yes
 
 - name: install ansible-pull crontask
   tags: ansible-pull
@@ -46,6 +42,6 @@
     job: "ansible-pull -C master -d /var/ansible/repo/ -m git -U {{ ansible_git_repository }} -o -s 3600 -i /var/ansible/repo/prod-hosts --vault-password-file=/var/ansible/.vault-password site.yml"
     user: "{{ service_account }}"
     minute: 0
-    state: "{{ 'present' if no_ansible_pull|default('false')|bool else 'absent' }}"
+    state: "{{ 'absent' if no_ansible_pull|default('false')|bool else 'present' }}"
 
 # vim:ft=yaml:nosi:noai:ts=2:sw=2
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
@@ -1,5 +1,5 @@
 ---
 - include: packages.yml
 - include: sudo.yml
-- include: users.yml
 - include: rootpw.yml
+- include: ansible-pull.yml
diff --git a/roles/base/tasks/users.yml b/roles/base/tasks/users.yml