Semaphore rejected the previous become_key=wed-ssh with 'access key type not supported for ansible become user' — that field is for a sudo PASSWORD (login_password type), not a reused SSH key. wed has passwordless sudo on every host (set up by the VM template), so the correct value is the built-in 'None' key.
148 lines
5.4 KiB
YAML
148 lines
5.4 KiB
YAML
---
|
|
# ============================================================================
|
|
# Semaphore configuration-as-code
|
|
# ============================================================================
|
|
# Drives a freshly-deployed Semaphore instance into its desired state via
|
|
# the Semaphore REST API. Idempotent: every object is checked first; only
|
|
# missing ones are created. Existing objects are left alone.
|
|
#
|
|
# Loaded from group_vars/all/semaphore.yml so that the configuration is
|
|
# version-controlled in the homelab repo and survives a wipe-and-redeploy
|
|
# of the Semaphore VM.
|
|
# ============================================================================
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# API connection (defaults to the local Traefik-fronted service-name URL).
|
|
# Override semaphore_api_url to point at a specific instance if needed.
|
|
# ---------------------------------------------------------------------------
|
|
semaphore_api_url: "https://semaphore.local.mk-labs.cloud/api"
|
|
semaphore_api_validate_certs: true
|
|
semaphore_api_token: "{{ vault_semaphore_api_token }}"
|
|
|
|
# Feature flag — keeps day1_deploy_semaphore.yml deploy-only by default.
|
|
# Set true to also run the configuration pass.
|
|
semaphore_configure: false
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Declarative configuration of the Semaphore instance.
|
|
# ---------------------------------------------------------------------------
|
|
#
|
|
# Top-level shape:
|
|
#
|
|
# semaphore_config:
|
|
# project: single dict — the lab uses one project ("mk-labs")
|
|
# keys: list of credentials Semaphore stores
|
|
# repositories: git repos Semaphore can clone
|
|
# inventories: Ansible inventories from those repos
|
|
# environments: env-var bundles
|
|
# templates: task templates that tie everything together
|
|
#
|
|
# Each list element has a unique "name" used as the natural identity key.
|
|
# ---------------------------------------------------------------------------
|
|
|
|
semaphore_config:
|
|
project:
|
|
name: mk-labs
|
|
alert: false
|
|
max_parallel_tasks: 0 # 0 = unlimited
|
|
|
|
keys:
|
|
# The ansible-vault password. login_password type with empty login
|
|
# — only the password field is consumed by Semaphore at runtime.
|
|
- name: ansible-vault-pass
|
|
type: login_password
|
|
login: ""
|
|
password: "{{ vault_ansible_vault_password }}"
|
|
|
|
# SSH key for the gitea deploy access (clone the homelab repo).
|
|
- name: gitea-deploy
|
|
type: ssh
|
|
ssh_login: git
|
|
ssh_private_key: "{{ vault_gitea_deploy_key }}"
|
|
|
|
# SSH key for the universal automation account 'wed' — pre-baked in
|
|
# every mk-labs VM template. This is the canonical user Semaphore
|
|
# uses to reach the fleet.
|
|
- name: wed-ssh
|
|
type: ssh
|
|
ssh_login: wed
|
|
ssh_private_key: "{{ vault_wed_ssh_private_key }}"
|
|
|
|
# SSH key Semaphore can use to reach the fleet as jarvis (admin
|
|
# account provisioned by linux-baseline). Retained for jobs that
|
|
# specifically need jarvis-level access; the default is wed-ssh.
|
|
- name: jarvis-ssh
|
|
type: ssh
|
|
ssh_login: jarvis
|
|
ssh_private_key: "{{ vault_jarvis_ssh_private_key }}"
|
|
|
|
repositories:
|
|
- name: homelab
|
|
git_url: "ssh://git@gitea.mk-labs.cloud:2221/rblundon/homelab.git"
|
|
git_branch: main
|
|
ssh_key: gitea-deploy
|
|
|
|
inventories:
|
|
- name: production
|
|
type: file
|
|
inventory_file: ansible/inventory.yml
|
|
repository: homelab
|
|
# wed is the universal automation account pre-baked in every VM
|
|
# template. Semaphore uses it for fleet-wide jobs.
|
|
ssh_key: wed-ssh
|
|
# become_key is Semaphore's sudo PASSWORD slot, not a second SSH
|
|
# key. wed has passwordless sudo on every host, so reference the
|
|
# built-in "None" key. (Semaphore rejects an SSH-type key here.)
|
|
become_key: None
|
|
|
|
environments:
|
|
- name: default
|
|
env:
|
|
ANSIBLE_HOST_KEY_CHECKING: "False"
|
|
ANSIBLE_FORCE_COLOR: "True"
|
|
|
|
templates:
|
|
- name: "day0_linux_baseline"
|
|
description: "Apply the mk-labs Linux baseline to one or more hosts."
|
|
app: ansible
|
|
playbook: ansible/playbooks/day0_linux_baseline.yml
|
|
inventory: production
|
|
repository: homelab
|
|
environment: default
|
|
vault_password: ansible-vault-pass
|
|
arguments: '["--diff"]'
|
|
survey_vars:
|
|
- name: target
|
|
title: "Target host or group"
|
|
description: "Inventory target (e.g. figment, semaphore_server, all)"
|
|
required: true
|
|
type: TextVar
|
|
default_value: "all"
|
|
|
|
- name: "day1_deploy_semaphore"
|
|
description: "Re-deploy Semaphore + PostgreSQL on figment."
|
|
app: ansible
|
|
playbook: ansible/playbooks/day1_deploy_semaphore.yml
|
|
inventory: production
|
|
repository: homelab
|
|
environment: default
|
|
vault_password: ansible-vault-pass
|
|
arguments: '["--diff"]'
|
|
|
|
- name: "day0_linux_baseline_check"
|
|
description: "Dry-run the baseline — shows diffs, applies nothing."
|
|
app: ansible
|
|
playbook: ansible/playbooks/day0_linux_baseline.yml
|
|
inventory: production
|
|
repository: homelab
|
|
environment: default
|
|
vault_password: ansible-vault-pass
|
|
arguments: '["--check","--diff"]'
|
|
survey_vars:
|
|
- name: target
|
|
title: "Target host or group"
|
|
description: "Inventory target (e.g. figment, semaphore_server, all)"
|
|
required: true
|
|
type: TextVar
|
|
default_value: "all"
|