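# NOTE(review): cloud-init only treats user-data as cloud-config when the very
# first line is "#cloud-config". That header is not visible in this excerpt;
# confirm it is present above.
package_upgrade: true
packages:
  - ansible
  - git
  - curl
  - wget
  - ca-certificates
  - gnupg
  - lsb-release

users:
  # The "ansible" account has password-less sudo, so holding the SSH private
  # key that matches the entry below is equivalent to root on this node. Use a
  # dedicated key and keep it protected.
  - name: ansible
    sudo: 'ALL=(ALL) NOPASSWD:ALL'
    shell: /bin/bash
    ssh_authorized_keys:
      - YOUR_SSH_PUBLIC_KEY
    groups: sudo

timezone: Europe/Paris

write_files:
  - path: /etc/node-role
    content: witness
    permissions: "0644"

  # Secrets for the pull wrapper, readable by root only (0600).
  # These values are also part of the instance user-data: cloud-init keeps a
  # copy on disk and many cloud metadata services serve it to local processes.
  # Scope FORGEJO_TOKEN to read-only access on this one repository and rotate
  # both tokens if the node is ever suspected of compromise.
  - path: /etc/ansible-pull.conf
    content: |
      REPO_URL=YOUR_FORGEJO_REPO_URL
      FORGEJO_TOKEN=YOUR_FORGEJO_TOKEN
      K3S_VERSION=v1.28.5+k3s1
      K3S_TOKEN=YOUR_K3S_TOKEN
    permissions: "0600"

  # Wrapper run from cron as root: fetch the repository, then apply
  # ansible/site.yml against localhost. Whatever is on branch "main" of
  # REPO_URL therefore runs as root on this node; restrict who can push there.
  - path: /usr/local/bin/ansible-pull-wrapper.sh
    content: |
      #!/bin/bash
      # pipefail is required here: every step below is piped into logger, and
      # without it "set -e" only sees logger's exit status, so a failed fetch
      # would still be followed by a playbook run as root.
      set -euo pipefail

      source /etc/ansible-pull.conf
      export K3S_TOKEN
      export FORGEJO_TOKEN
      export REPO_URL

      WORK_DIR="/var/lib/ansible-local"
      mkdir -p "$WORK_DIR"
      # Root-only checkout: the repository holds deployment playbooks, and a
      # checkout made with a token-bearing URL keeps that token in .git/config.
      chmod 0700 "$WORK_DIR"
      cd "$WORK_DIR"

      # Hand the token to git through an inline credential helper instead of
      # embedding it in the remote URL. The URL form writes the token to
      # .git/config and exposes it on the git command line; the helper reads
      # it from the exported environment only when git asks for credentials.
      git_auth() {
        git -c credential.helper='!f() { echo "username=git"; echo "password=${FORGEJO_TOKEN}"; }; f' "$@"
      }

      if [ -d ".git" ]; then
        # Drop any credentials an earlier clone stored in the remote URL.
        git remote set-url origin "$REPO_URL"
        git_auth pull origin main 2>&1 | logger -t ansible-pull
      else
        git_auth clone "$REPO_URL" . 2>&1 | logger -t ansible-pull
      fi

      ansible-playbook ansible/site.yml -i localhost, --connection=local -e "k3s_version=$K3S_VERSION" 2>&1 | logger -t ansible-pull
    permissions: "0755"

runcmd:
  # Schedule the wrapper every 15 minutes as root.
  - "echo '*/15 * * * * root /usr/local/bin/ansible-pull-wrapper.sh' > /etc/cron.d/ansible-pull"
  # First run one minute after boot, in the background so cloud-init can finish.
  # NOTE(review): nothing stops this run and a cron run from overlapping;
  # consider serialising the wrapper with flock(1).
  - 'sleep 60 && /usr/local/bin/ansible-pull-wrapper.sh &'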