Provision a server by Ansible #12
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Provision a server by Ansible | |
| on: | |
| # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onworkflow_dispatch | |
| workflow_dispatch: | |
| # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions | |
| permissions: | |
| contents: read # for "git clone" | |
| defaults: | |
| # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#defaultsrun | |
| run: | |
| # Enable fail-fast behavior using set -eo pipefail | |
| # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference | |
| shell: bash | |
| jobs: | |
| setup-server: | |
| name: Provision a server | |
| # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idruns-on | |
| runs-on: ubuntu-20.04 | |
| steps: | |
| - name: Clone source code | |
| uses: actions/[email protected] # https://github.com/actions/checkout | |
| with: | |
| # Whether to configure the token or SSH key with the local git config. Default: true | |
| persist-credentials: false | |
| - name: Install mise to set up Ansible | |
| uses: jdx/[email protected] # https://github.com/jdx/mise-action | |
| with: | |
| version: 2025.3.2 # [default: latest] mise version to install | |
| install: true # [default: true] run `mise install` | |
| cache: true # [default: true] cache mise using GitHub's cache | |
| log_level: info # [default: info] log level | |
| working_directory: infra/ansible # [default: .] directory to run mise in | |
| env: | |
| # Workaround: don't install some dependencies that we don't use (java, maven) or don't want (python) | |
| # See: https://github.com/jdx/mise-action/issues/183 | |
| # https://mise.jdx.dev/configuration/settings.html#disable_tools | |
| MISE_DISABLE_TOOLS: java,maven,python | |
| - name: Show ansible version | |
| run: ansible --version | |
| - name: Decrypt ansible files | |
| working-directory: infra/ansible | |
| env: | |
| # https://docs.github.com/en/actions/security-guides/encrypted-secrets#using-encrypted-secrets-in-a-workflow | |
| VAULT_PASSWORD: ${{ secrets.VAULT_PASSWORD }} | |
| run: | | |
| printf '%s' "$VAULT_PASSWORD" >vault-pass.txt | |
| for FILENAME in vars/prod.yml coder_rsa; do | |
| echo "Decrypting ${FILENAME}.enc to $FILENAME" | |
| ansible-vault decrypt \ | |
| --vault-password-file vault-pass.txt \ | |
| --output "$FILENAME" \ | |
| "${FILENAME}.enc" | |
| done | |
| - name: Install required collections | |
| working-directory: infra/ansible | |
| run: ansible-galaxy role install --role-file requirements.galaxy.yml --roles-path roles | |
| - name: Run ansible in syntax check mode | |
| working-directory: infra/ansible | |
| run: ansible-playbook prod.yml -i prod.inventory --syntax-check | |
| - name: Run ansible | |
| working-directory: infra/ansible | |
| env: | |
| # Disable host key checking to suppress interactive prompt. | |
| # See: https://docs.ansible.com/ansible/3/user_guide/connection_details.html#managing-host-key-checking | |
| ANSIBLE_HOST_KEY_CHECKING: 'False' | |
| # See: https://docs.ansible.com/ansible/3/reference_appendices/config.html#envvar-ANSIBLE_PRIVATE_KEY_FILE | |
| ANSIBLE_PRIVATE_KEY_FILE: 'coder_rsa' | |
| run: ansible-playbook prod.yml -i prod.inventory | |
| - name: Cleanup | |
| if: always() | |
| working-directory: infra/ansible | |
| run: | | |
| for FILE in vault-pass.txt vars/prod.yml coder_rsa; do | |
| [ ! -f "$FILE" ] || rm -fv "$FILE" | |
| done |