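---
# Deploys the Gitea host with Ansible. Runs automatically when anything under
# ansible/ changes on main, or on demand with a chosen playbook.
name: Ansible

on:  # yamllint disable-line rule:truthy -- GitHub's loader reads this key as intended
  push:
    branches: [main]
    paths:
      - 'ansible/**'
  workflow_dispatch:
    inputs:
      playbook:
        description: 'Playbook to run'
        required: true
        default: 'infra.yml'
        type: choice
        options:
          - infra.yml

# No step writes to the repository or uses the token beyond checkout, so the
# job token is restricted to read access.
permissions:
  contents: read

jobs:
  ansible:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ansible
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      # TODO: pin ansible to an explicit version (pip install 'ansible==<version>')
      # so a deploy cannot silently pick up a new major release.
      - name: Install dependencies
        run: pip install ansible && sudo apt-get install -y unzip

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3

      # Only the state-backend credentials are needed to initialise the backend.
      - name: Terraform Init
        working-directory: terraform
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.SPACES_ACCESS_KEY }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.SPACES_SECRET_KEY }}
        run: terraform init

      # `terraform output` only reads the state file, so the TF_VAR_* secrets
      # (DO token, Cloudflare token, SSH key name, domain, admin IP) are not
      # passed to this step any more -- they were never required here and
      # exposing them widened the blast radius of a compromised step.
      # NOTE: DROPLET_IP is exported but no later step consumes it; the
      # inventory below targets the hostname directly.
      - name: Get droplet IP from Terraform state
        working-directory: terraform
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.SPACES_ACCESS_KEY }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.SPACES_SECRET_KEY }}
        run: echo "DROPLET_IP=$(terraform output -raw gitea_ip)" >> "$GITHUB_ENV"

      # The key is passed through env rather than interpolated into the shell
      # script, and written under a restrictive umask so the file is never
      # world-readable, even briefly, before chmod runs.
      - name: Write SSH key
        env:
          DROPLET_SSH_KEY: ${{ secrets.DROPLET_SSH_KEY }}
        run: |
          mkdir -p -m 700 ~/.ssh
          (umask 077; printf '%s\n' "$DROPLET_SSH_KEY" > ~/.ssh/do)
          chmod 600 ~/.ssh/do
          # TODO: replace this trust-on-first-use scan with the host's known
          # public key (e.g. stored as a repository variable) so a run cannot
          # be redirected to an impostor host without failing.
          ssh-keyscan -H git-ssh.lunarfront.tech >> ~/.ssh/known_hosts

      # Inventory contains no secrets; the private key is referenced by path.
      - name: Write inventory
        run: |
          echo "[infra]" > inventory.ini
          echo "git-ssh.lunarfront.tech ansible_user=root ansible_ssh_private_key_file=~/.ssh/do" >> inventory.ini

      # Same env + umask pattern as the SSH key: the password file lives inside
      # the checkout, so it must never be created with default permissions.
      - name: Write vault password
        env:
          ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
        run: (umask 077; printf '%s\n' "$ANSIBLE_VAULT_PASSWORD" > .vault_pass)

      # inputs.playbook is empty on push events, hence the 'infra.yml' fallback.
      # The value is passed via env so the shell never sees a raw expression.
      - name: Run playbook
        env:
          PLAYBOOK: ${{ inputs.playbook || 'infra.yml' }}
        run: |
          ansible-playbook -i inventory.ini "$PLAYBOOK" \
            --vault-password-file .vault_pass

      # Remove the private key and vault password even when an earlier step
      # failed, so they do not outlive the job on the runner.
      - name: Cleanup
        if: always()
        run: rm -f ~/.ssh/do .vault_pass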