lrvick/ansible_deploy.yml

## ansible_deploy.yml
---
- hosts:
  tasks:

    - apt:
      update_cache: true
      name: ansible
      state: present

    - name: Install trusted author PGP keys
      block:
      - copy: src=../../keys/pgp/{{ item }}.key dest=/etc/ansible/keys/authors/
        with_items:
          - joe
          - fred
          - sally
      - command: |
          GNUPGHOME=/etc/ansible/keys/gnupg gpg \
          gpg --import /etc/ansible/keys/authors

    - name: Install ansible-pull config
      copy:
        dest: /etc/ansible/ansible-pull.env
        content: |
          GIT_REPO=git@github.com:someorg/infra.git
          GIT_BRANCH=master
          GIT_PATH=/etc/ansible/repos/infra
          PLAYBOOK_FILE=ansible/playbooks/ansible_pull.yml
          KEY_FILE=/etc/ansible/ansible-pull.key
          GNUPGHOME=/etc/ansible/keys/gnupg/

    - name: Install ansible-pull read-only private key
      copy:
        dest: /etc/ansible/ansible-pull.key
        content: |
          ---your-repo-deploy-key-blob-here----

    - name: Install ansible-pull systemd unit
      copy:
        dest: /etc/systemd/systemd/system/ansible-pull.service
        content: |
          [Unit]
          Description=Run ansible-pull
          After=network.target

          [Service]
          EnvironmentFile=/etc/ansible/ansible-pull.env
          ExecStart=/usr/bin/ansible-pull \
            -U $GIT_REPO \
            -C $GIT_BRANCH \
            -d $PLAYBOOK_PATH \
            --verify-commit \
            --key-file $GIT_PRIVATE_KEY_PATH \
            $PLAYBOOK_FILE
          Type=oneshot

          [Install]
          WantedBy=multi-user.target

    - name: Install ansible-pull timer unit
      copy:
        dest: /etc/systemd/systemd/system/ansible-pull.timer
        content: |
          [Unit]
          Description=Run ansible-pull every 15 mins

          [Timer]
          OnBootSec=15min
          OnUnitActiveSec=15m

          [Install]
          WantedBy=timers.target

    - name: Enable ansible-pull systemd unit
      systemd:
        name: ansible-pull.service
        daemon_reload: true
        enabled: True

    - name: Enable ansible-pull systemd timer
      systemd:
        name: ansible-pull.timer
        daemon_reload: true
        state: started
        enabled: True
	---
	- hosts:
	tasks:

	- apt:
	update_cache: true
	name: ansible
	state: present

	- name: Install trusted author PGP keys
	block:
	- copy: src=../../keys/pgp/{{ item }}.key dest=/etc/ansible/keys/authors/
	with_items:
	- joe
	- fred
	- sally
	- command: \|
	GNUPGHOME=/etc/ansible/keys/gnupg gpg \
	gpg --import /etc/ansible/keys/authors

	- name: Install ansible-pull config
	copy:
	dest: /etc/ansible/ansible-pull.env
	content: \|
	GIT_REPO=git@github.com:someorg/infra.git
	GIT_BRANCH=master
	GIT_PATH=/etc/ansible/repos/infra
	PLAYBOOK_FILE=ansible/playbooks/ansible_pull.yml
	KEY_FILE=/etc/ansible/ansible-pull.key
	GNUPGHOME=/etc/ansible/keys/gnupg/

	- name: Install ansible-pull read-only private key
	copy:
	dest: /etc/ansible/ansible-pull.key
	content: \|
	---your-repo-deploy-key-blob-here----

	- name: Install ansible-pull systemd unit
	copy:
	dest: /etc/systemd/systemd/system/ansible-pull.service
	content: \|
	[Unit]
	Description=Run ansible-pull
	After=network.target

	[Service]
	EnvironmentFile=/etc/ansible/ansible-pull.env
	ExecStart=/usr/bin/ansible-pull \
	-U $GIT_REPO \
	-C $GIT_BRANCH \
	-d $PLAYBOOK_PATH \
	--verify-commit \
	--key-file $GIT_PRIVATE_KEY_PATH \
	$PLAYBOOK_FILE
	Type=oneshot

	[Install]
	WantedBy=multi-user.target

	- name: Install ansible-pull timer unit
	copy:
	dest: /etc/systemd/systemd/system/ansible-pull.timer
	content: \|
	[Unit]
	Description=Run ansible-pull every 15 mins

	[Timer]
	OnBootSec=15min
	OnUnitActiveSec=15m

	[Install]
	WantedBy=timers.target

	- name: Enable ansible-pull systemd unit
	systemd:
	name: ansible-pull.service
	daemon_reload: true
	enabled: True

	- name: Enable ansible-pull systemd timer
	systemd:
	name: ansible-pull.timer
	daemon_reload: true
	state: started
	enabled: True