Use Ansible to clone & update private git repositories via ssh
July 7, 2018 7:21 am

One of the first things I wanted to do when I started using Ansible was to clone a git repository on a remote machine, as I keep configuration, scripts, and source code in GitHub or GitLab repositories. Things that are not meant for the public I store in private repositories that I want to clone via ssh. I now want to automate cloning and updating them with Ansible.
There are different ways to approach this task:
- Check out the repo locally and copy it to the server via an Ansible synchronize task
- Generate an ssh key on the server and allow cloning the repo with that key manually
- Copy a local ssh key to the server and allow cloning the repo with that key
- Use ssh-agent to load the local key and forward the agent to the server
```yaml
---
- hosts: webserver
  tasks:
    - name: Ensure repo is up-to-date
      git:
        # scp-style ssh address: user@host:path (colon after the host, not a slash)
        repo: git@github.com:ntlx/my-private-repo.git
        dest: repos/my-private-repo
```

```shell
ssh-add ~/.ssh/id_rsa
```
Now we need to enable the forwarding of the ssh agent to the remote machine so we can access the loaded key remotely. There are different ways to do so, but I find it most useful to do it in your ansible.cfg like this:
```ini
[ssh_connection]
ssh_args=-o ForwardAgent=yes
```
That way, you allow the forwarding for all your Ansible-managed hosts at once.
Now you can go on executing your playbook and should be able to clone the repository on the remote host.
To make it even easier, we can add a task to load the ssh-key before executing the other tasks in the playbook. For this, add the local host to your Ansible inventory:
```ini
[local]
local_machine ansible_connection=local ansible_host=localhost
```
Now we can add a small shell task to load the ssh-key:
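```yaml
---
# Runs on the control machine: load the key into the local ssh-agent
- hosts: local
  tasks:
    - name: load ssh key
      shell: |
        ssh-add ~/.ssh/id_rsa

# Runs on the remote host: clone or update via the forwarded agent
- hosts: webserver
  tasks:
    - name: Ensure repo is up-to-date
      git:
        repo: git@github.com:ntlx/my-private-repo.git
        dest: repos/my-private-repo
```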
When you now execute the playbook, you shouldn’t need to load the ssh-key beforehand.
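A variant of the playbook above, as an added example that is not part of the original post: it forwards the agent only for the play that clones the repository, using the `ansible_ssh_extra_args` connection variable instead of the global `ssh_args` setting, so the key is not usable from every managed host, and it checks that the agent really holds a key before and after forwarding. It assumes the `local` and `webserver` inventory groups shown above and that no `ForwardAgent` line is set in ansible.cfg.

```yaml
---
# Added example, not from the original post.
# Play 1: confirm on the control machine that an agent is running and has a key.
- hosts: local
  gather_facts: false
  tasks:
    - name: List identities held by the local ssh-agent
      command: ssh-add -l
      register: local_agent
      changed_when: false   # read-only check
      failed_when: false    # rc is evaluated in the next task

    - name: Stop early if no key is available
      # ssh-add -l exits 1 when the agent is empty, 2 when no agent is reachable
      fail:
        msg: "No usable key in ssh-agent (ssh-add -l rc={{ local_agent.rc }}); run ssh-add first."
      when: local_agent.rc != 0

# Play 2: forward the agent for this play only.
- hosts: webserver
  gather_facts: false
  vars:
    # Appended to Ansible's default ssh arguments rather than replacing them
    ansible_ssh_extra_args: "-o ForwardAgent=yes"
  tasks:
    - name: Verify the forwarded agent is visible on the remote host
      # Fails the play here, before git runs, if forwarding did not take effect
      command: ssh-add -l
      changed_when: false

    - name: Ensure repo is up-to-date
      git:
        repo: git@github.com:ntlx/my-private-repo.git
        dest: repos/my-private-repo
```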