Further ansible updates

ansible/deploy-wireguard.sh

@@ -3,4 +3,4 @@
 # https://www.tauceti.blog/post/kubernetes-the-not-so-hard-way-with-ansible-wireguard/
 # https://github.com/githubixx/ansible-role-wireguard
 
-ansible-playbook -i inventory-wireguard --skip-tags wg-install,bare-metal ./playbook-deploy-controller.yml
+ansible-playbook -u ansible --private-key /opt/ansible/ssh.key -i inventory-wireguard ./playbooks/wireguard.yml

ansible/inventory

@@ -1,16 +1,19 @@
 ---
+all:
+  hosts:
+    frame1:
+      ansible_host: 10.5.5.177
+    dispatcher:
+      ansible_connection: local
 wg:
   hosts:
       frame1:
-        ansible_host: 10.5.5.100
         wireguard_address: 192.168.254.11/32
-      frame2:
+      dispatcher:
-        ansible_host: 10.5.5.101
+        wireguard_containerized: true
-        wireguard_address: 192.168.254.11/32
-      controller:
-        ansible_connection: local
         wireguard_address: 192.168.254.1/32
         wireguard_endpoint: ""
+        wireguard_table: "Off"
         wireguard_postup:
           - ip route add 192.168.254.0/24 via 192.168.254.1 dev wg0
           - iptables -t nat -A PREROUTING -s 192.168.254.0/24 -d 192.168.254.0/24 -j ACCEPT
@@ -26,7 +29,6 @@ wg:
           - iptables -D -A INPUT -i wg0 -s 192.168.254.0/24 -d 192.168.254.0/24 -j ACCEPT
           - iptables -D -A INPUT -i wg0 -s 192.168.254.0/24 -d 0.0.0.0/0 -j DROP
   vars:
-    wireguard_allowed_ips: "172.16.8.10/24"
+    wireguard_allowed_ips: "192.168.254.0/24"
-    wireguard_endpoint: piframefleet.domain.tld
+    wireguard_endpoint: 10.5.5.246:51821
     wireguard_persistent_keepalive: 30
-    wireguard_table: Off

ansible/playbooks/setup-ansible.yml

@@ -0,0 +1,21 @@
+---
+  - hosts: all
+    become: yes
+    tasks:
+      - name: Add ansible user to PiFrame
+        user:
+          name: ansible
+          groups:
+            - sudo
+          shell: /bin/bash
+      - name: Add ansible ssh key as authorized key
+        authorized_key:
+          user: ansible
+          key: "{{ lookup('file', '/opt/ansible/ssh.key.pub') }}"
+      - name: Setup ansible with sudoers access
+        copy:
+          dest: /etc/sudoers.d/ansible
+          mode: '0600'
+          owner: root
+          group: root
+          content: ansible ALL=(ALL) NOPASSWD:ALL

ansible/playbooks/wireguard.yml

@@ -1,4 +1,5 @@
 ---
 - hosts: controller
+  become: yes
   roles:
     - wireguard

ansible/setup-ansible-host.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+ssh $2@$1 'echo Just ensuring the ssh key is accepted ahead of configuration'
+ansible-playbook ./playbooks/ansible-setup.yml -i $1, -u $2 -k

piframefleet/Dockerfile

@@ -41,7 +41,7 @@ RUN apt update && apt upgrade -y && \
   echo "**** filebrowser ****" && \
   curl -fsSL https://filebrowser.org/get.sh | bash && \
   echo "**** ansible ****" && \
-  apt install -y python3-apt ansible ansible-lint ansible-doc && \
+  apt install -y python3-apt sshpass ansible ansible-lint ansible-doc && \
   echo "**** cleanup ****" && \
   rm /opt/arch_detect.sh && \
   rm /opt/s6-overlay.tar.gz && \

piframefleet/root/etc/cont-init.d/00-welcome

@@ -18,3 +18,11 @@ Service Status
   - FileBrowser : ${ENABLE_FILEBROWSER}
 -------------------------------------
 "
+if [ -f "/opt/ansible/ssh.key" ] ; then
+echo "
+-------------------------------------
+Ansible SSH Key"
+cat /opt/ansible/ssh.key.pub
+echo "-------------------------------------
+"
+fi

piframefleet/root/etc/cont-init.d/30-config

@@ -13,6 +13,9 @@ fi
 if [ ! -d "/opt/ansible" ] ; then
   mkdir /opt/ansible
 fi
+if [ ! -f "/opt/ansible/ssh.key" ] ; then
+  ssh-keygen -t rsa -b 4096 -f /opt/ansible/ssh.key -N '""'
+fi
 if [ ! -d "/opt/ansible/roles" ] ; then
   mkdir /opt/ansible/roles
 fi