authorEuAndreh <eu@euandre.org>2019-06-05 16:38:53 -0300
committerEuAndreh <eu@euandre.org>2019-06-05 16:42:06 -0300
commit54fd61c887f266f8e2e6b1419a86fc6681116069 (patch)
tree74a9923d75be46dad6c967acd271cdb5d80fca45 /scripts/ci
parentUse =nix build= instead of =nix-build= (diff)
Use Ansible instead of Bash for provisioning
The deployment is not quite working, and I'm unable to test right now: DigitalOcean is returning 503 for my requests. As of this commit, I can run =ansible-playbook provider.yml= more than once and it will actually be idempotent. Notes: - SSH fingerprints are now taken from the public key file instead of being manually supplied in the Terraform template via the =digitalocean_ssh_key= resource; - use Ansible instead of ad-hoc Bash scripts for provisioning the Droplets created by Terraform; - use the =filename.env.extension= naming to create the concrete files in CI; - use =user_data= to add the known SSH key pair to the newly created Droplet; - add the =rotate-ssh-keys.sh= utility;
Diffstat (limited to 'scripts/ci')
-rwxr-xr-xscripts/ci/provision.sh13
-rwxr-xr-xscripts/ci/setup.sh14
2 files changed, 19 insertions, 8 deletions
diff --git a/scripts/ci/provision.sh b/scripts/ci/provision.sh
index 3ba89d9..56e481a 100755
--- a/scripts/ci/provision.sh
+++ b/scripts/ci/provision.sh
@@ -9,22 +9,21 @@ VPS_COMMIT_SHA="$(git rev-parse HEAD)"
export VPS_COMMIT_SHA
echo "Shutting down running containers and backing up data..."
ssh "$TLD" "cd /home/vps/ && docker-compose down"
-scp ./secrets/borg_remote.pub "$TLD":/root/.ssh/id_rsa.pub
-scp ./secrets/borg_remote "$TLD":/root/.ssh/id_rsa
-envsubst < ./scripts/box/run-backup-template.sh | ssh "$TLD" 'cat > /home/vps/run-backup.sh && chmod +x /home/vps/run-backup.sh'
+scp ./secrets/borg/borg_remote.pub "$TLD":/root/.ssh/id_rsa.pub
+scp ./secrets/borg/borg_remote "$TLD":/root/.ssh/id_rsa
+envsubst < ./scripts/box/run-backup.env.sh | ssh "$TLD" 'cat > /home/vps/run-backup.sh && chmod +x /home/vps/run-backup.sh'
ssh "$TLD" /home/vps/run-backup.sh
echo "Done."
echo "Running 'terraform plan' and storing the planfile..."
-# Terraform plan
terraform --version
terraform init
mkdir -p "../vps-state/secrets/plan-files/"
PLAN_FILE_NAME="$(date -Iseconds)-$VPS_COMMIT_SHA.tfplan"
PLAN_FILE_PATH="../vps-state/secrets/plan-files/$PLAN_FILE_NAME"
+
terraform plan -input=false -out="$PLAN_FILE_PATH"
-# Store on git repo
pushd ../vps-state/
git add "secrets/plan-files/$PLAN_FILE_NAME"
git commit -m "CI: add .tfplan plan file for CI run $VPS_COMMIT_SHA"
@@ -44,6 +43,10 @@ git push origin master
popd
echo "Done."
+echo "Running the Ansible playbook..."
+ansible-playbook provision.yaml
+echo "Done."
+
echo "Locking git-crypt repositories back..."
git crypt lock
pushd ../vps-state/
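Review bot: `ansible-playbook provision.yaml` in the second hunk names no inventory, although the companion setup.sh change renders `./hosts` from `hosts.env`; unless an ansible.cfg outside this diff points at that file, the run falls back to Ansible's default inventory, and the `echo "Done."` that follows prints even when the play fails if the script's preamble (outside the hunk) does not set `-e`. I would write `ansible-playbook -i ./hosts provision.yaml || exit 1` so a failed play stops the job before the git-crypt lock step. The commit message refers to `provider.yml`, which does not match the `provision.yaml` the script now runs; one of the two is presumably stale.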
diff --git a/scripts/ci/setup.sh b/scripts/ci/setup.sh
index ee5ecf2..e6e85c9 100755
--- a/scripts/ci/setup.sh
+++ b/scripts/ci/setup.sh
@@ -18,9 +18,17 @@ popd
echo "Done."
# git smudge after git-crypt clears file permissions
-chmod 600 ./secrets/vps_box
-chmod 600 ./secrets/borg_remote
+chmod 600 ./secrets/ssh/vps-box-client
+chmod 600 ./secrets/borg/borg_remote
cat .envrc >> ~/.buildenv
source .envrc
-envsubst < ./ssh.conf >> ~/.ssh/config
+
+export SSH_SERVER_PRIVATE_KEY="$(cat ./secrets/ssh/vps-box-server)"
+export SSH_SERVER_PUBLIC_KEY="$(cat ./secrets/ssh/vps-box-server.pub)"
+
+envsubst < ./cloud-config.env.yaml > ./cloud-config.yaml
+envsubst < ./ssh.env.conf >> ~/.ssh/config
+envsubst < ./hosts.env > ./hosts
+envsubst < ./docker-compose.env.yaml > ./docker-compose.yaml
+envsubst < ./user-data.env.sh > ./user-data.sh
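Review bot: The rendered files at the end of the hunk are written with the default umask while the inputs they come from are deliberately `chmod 600` at the top of the hunk: `SSH_SERVER_PRIVATE_KEY` is filled from the server private key and then substituted into `./cloud-config.yaml` and `./user-data.sh`, so those outputs presumably carry the same key material with wider permissions in the CI workspace. I would add `umask 077` before the first `envsubst` (or `chmod 600 ./cloud-config.yaml ./user-data.sh` after the last one), and since `envsubst` with no variable list rewrites every `$NAME` in the templates, restrict it to the intended names, e.g. `envsubst '$SSH_SERVER_PRIVATE_KEY $SSH_SERVER_PUBLIC_KEY' < ./user-data.env.sh > ./user-data.sh`. Exporting the private key also leaves it in the environment of every later command in the job, where `set -x` or an environment dump would print it, and if user-data delivers the key to the Droplet the instance metadata service exposes it to anything running there — worth confirming against the templates, which are outside this diff. The hunk header counts suggest blank context lines were dropped in rendering, so the hunk may extend past the last line shown.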