Skip to content

Deploy VPN server(s) #126

Deploy VPN server(s)

Deploy VPN server(s) #126

name: Deploy VPN server(s)
on:
workflow_dispatch:
schedule:
- cron: '0 */2 * * *'
jobs:
deploy-vpn-server:
runs-on: ubuntu-24.04
concurrency:
group: ${{ github.ref }}
cancel-in-progress: false
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup ansible
run: |
pip3 install ansible
pip3 install -r src/vpn/requirements.txt
ansible-galaxy collection install --force --collections-path ./src/vpn --requirements-file ./src/vpn/requirements.yml
- name: Run ansible
run: |
cd src/vpn
echo Creating ANSIBLE_VAULT_PASSWORD_FILE
TMPFILE=$(mktemp)
trap "rm -f ${TMPFILE@Q}" EXIT
echo -n "${{ secrets.ANSIBLE_VAULT_PASSWORD }}" > $TMPFILE
export ANSIBLE_VAULT_PASSWORD_FILE=$TMPFILE
echo Run deploy vpn playbook
# Bend over backwards to keep storing secrets in ansible vault rather than a specific CI/CD runner.
# note this uses dynamic inventory. Since you can't set/get group_vars from a dynamic inventory,
# this is an 'inventive' way using 'localhost' group_vars to the vpn hosts (in this case hetzer VM(s))
# api token out of ansible vault. The api token is stord in group_vars/localhost.yml (where in fact)
# the api token is used on other host groups.
# The dynamic vpn hosts inventory is using the dynamic inventory file inventory-vpn-servers-hcloud.yml
export ANSIBLE_HOST_KEY_CHECKING=False
ansible-playbook --extra-vars _vault_hetzner_cloud_token=$(ANSIBLE_LOAD_CALLBACK_PLUGINS=1 ANSIBLE_STDOUT_CALLBACK=ansible.posix.json ansible localhost -i inventory.ini -m debug -a "msg={{ hostvars[inventory_hostname].hetzner_hcloud_token }}" | jq '.plays[0]["tasks"][0]["hosts"]["localhost"]["msg"]') -i inventory.ini -i inventory-vpn-servers-hcloud.yml playbooks/create-rebuild-vpn-server.yml
rm $TMPFILE
# Enable tmate debugging of manually-triggered workflows if the input option was provided
- name: Setup tmate session
uses: mxschmitt/action-tmate@v3
if: ${{ failure() }}