ansible-role-zerotier/tasks/authorize_node.yml

---
- block:
  - name: Get Zerotier NodeID
    shell: zerotier-cli info | awk '{print $3}'
    register: nodeid
    changed_when: false

  - name: Set NodeID as fact
    set_fact:
      zerotier_node_id: "{{ nodeid.stdout }}"

  when:
  - zerotier_accesstoken is defined
  - not ansible_check_mode
  tags:
  - configuration

- block:
  - name: Authorize members to network
    uri:
      url: "{{ zerotier_api_url }}/api/network/{{ zerotier_network_id }}/member/{{ zerotier_node_id }}"
      method: POST
      headers:
        Authorization: bearer {{ zerotier_accesstoken }}
      body:
        hidden: false
        config:
          authorized: "{{ zerotier_authorize_member }}"
      body_format: json
      register: auth_apiresult
    delegate_to: "{{ zerotier_api_delegate }}"

  - name: Configure members in network
    uri:
      url: "{{ zerotier_api_url }}/api/network/{{ zerotier_network_id }}/member/{{ zerotier_node_id }}"
      method: POST
      headers:
        Authorization: bearer {{ zerotier_accesstoken }}
      body:
        name: "{{ zerotier_register_short_hostname | ternary(inventory_hostname_short, inventory_hostname) }}"
        description: "{{ zerotier_member_description | default() }}"
        config:
          ipAssignments: "{{ zerotier_member_ip_assignments | default([]) | list }}"
      body_format: json
      register: conf_apiresult
    delegate_to: "{{ zerotier_api_delegate }}"

  when:
  - zerotier_accesstoken is defined
  - not ansible_check_mode
  tags:
  - configuration
  become: false
somes fixups 2018-02-16 01:59:14 +00:00			`---`
			`- block:`
			`- name: Get Zerotier NodeID`
			`shell: zerotier-cli info \| awk '{print $3}'`
			`register: nodeid`
			`changed_when: false`

			`- name: Set NodeID as fact`
			`set_fact:`
			`zerotier_node_id: "{{ nodeid.stdout }}"`

Drop privilege at block level Apparently `local_action` and `delegate_to` handle `become: false` differently. The later ignored it when it was done at task level. 2018-12-01 03:11:05 +00:00			`when:`
			`- zerotier_accesstoken is defined`
			`- not ansible_check_mode`
			`tags:`
			`- configuration`

			`- block:`
2 separate API calls - authorize member - configure member This is a workaround for the issue described in #17 2018-07-25 16:13:38 +00:00			`- name: Authorize members to network`
Make authentication delegation configurable Before this commit the authentication task was runned as a local_action so if the zerotier controller was on a different machine that the ansible controller, the zerotier controller API had to bind to 0.0.0.0 instead of 127.0.0.1 with the security implication this burden this imply (setup HTTPS, setup firewall and so on). With this commit this behaviour is now configurable with zerotier_api_delegate variable, by default that variable is set to localhost so it behave exactly as before this commit, but if set the action is run on the preferred machine, in my case the zerotier network controller is part of the same playbook so I set zerotier_api_delegate: zerotierNetworkControllerMachineName zerotier_api_url: http://127.0.0.1:9993/ So I can benefit from this ansible role without the burden of setting up global listening + HTTPS etc... 2018-10-15 16:08:01 +00:00			`uri:`
somes fixups 2018-02-16 01:59:14 +00:00			`url: "{{ zerotier_api_url }}/api/network/{{ zerotier_network_id }}/member/{{ zerotier_node_id }}"`
			`method: POST`
			`headers:`
			`Authorization: bearer {{ zerotier_accesstoken }}`
			`body:`
			`hidden: false`
			`config:`
			`authorized: "{{ zerotier_authorize_member }}"`
2 separate API calls - authorize member - configure member This is a workaround for the issue described in #17 2018-07-25 16:13:38 +00:00			`body_format: json`
Make authentication delegation configurable Before this commit the authentication task was runned as a local_action so if the zerotier controller was on a different machine that the ansible controller, the zerotier controller API had to bind to 0.0.0.0 instead of 127.0.0.1 with the security implication this burden this imply (setup HTTPS, setup firewall and so on). With this commit this behaviour is now configurable with zerotier_api_delegate variable, by default that variable is set to localhost so it behave exactly as before this commit, but if set the action is run on the preferred machine, in my case the zerotier network controller is part of the same playbook so I set zerotier_api_delegate: zerotierNetworkControllerMachineName zerotier_api_url: http://127.0.0.1:9993/ So I can benefit from this ansible role without the burden of setting up global listening + HTTPS etc... 2018-10-15 16:08:01 +00:00			`register: auth_apiresult`
			`delegate_to: "{{ zerotier_api_delegate }}"`
2 separate API calls - authorize member - configure member This is a workaround for the issue described in #17 2018-07-25 16:13:38 +00:00
			`- name: Configure members in network`
Make authentication delegation configurable Before this commit the authentication task was runned as a local_action so if the zerotier controller was on a different machine that the ansible controller, the zerotier controller API had to bind to 0.0.0.0 instead of 127.0.0.1 with the security implication this burden this imply (setup HTTPS, setup firewall and so on). With this commit this behaviour is now configurable with zerotier_api_delegate variable, by default that variable is set to localhost so it behave exactly as before this commit, but if set the action is run on the preferred machine, in my case the zerotier network controller is part of the same playbook so I set zerotier_api_delegate: zerotierNetworkControllerMachineName zerotier_api_url: http://127.0.0.1:9993/ So I can benefit from this ansible role without the burden of setting up global listening + HTTPS etc... 2018-10-15 16:08:01 +00:00			`uri:`
2 separate API calls - authorize member - configure member This is a workaround for the issue described in #17 2018-07-25 16:13:38 +00:00			`url: "{{ zerotier_api_url }}/api/network/{{ zerotier_network_id }}/member/{{ zerotier_node_id }}"`
			`method: POST`
			`headers:`
			`Authorization: bearer {{ zerotier_accesstoken }}`
			`body:`
			`name: "{{ zerotier_register_short_hostname \| ternary(inventory_hostname_short, inventory_hostname) }}"`
			`description: "{{ zerotier_member_description \| default() }}"`
			`config:`
somes fixups 2018-02-16 01:59:14 +00:00			`ipAssignments: "{{ zerotier_member_ip_assignments \| default([]) \| list }}"`
			`body_format: json`
Make authentication delegation configurable Before this commit the authentication task was runned as a local_action so if the zerotier controller was on a different machine that the ansible controller, the zerotier controller API had to bind to 0.0.0.0 instead of 127.0.0.1 with the security implication this burden this imply (setup HTTPS, setup firewall and so on). With this commit this behaviour is now configurable with zerotier_api_delegate variable, by default that variable is set to localhost so it behave exactly as before this commit, but if set the action is run on the preferred machine, in my case the zerotier network controller is part of the same playbook so I set zerotier_api_delegate: zerotierNetworkControllerMachineName zerotier_api_url: http://127.0.0.1:9993/ So I can benefit from this ansible role without the burden of setting up global listening + HTTPS etc... 2018-10-15 16:08:01 +00:00			`register: conf_apiresult`
			`delegate_to: "{{ zerotier_api_delegate }}"`
somes fixups 2018-02-16 01:59:14 +00:00
			`when:`
			`- zerotier_accesstoken is defined`
			`- not ansible_check_mode`
			`tags:`
			`- configuration`
Drop privilege at block level Apparently `local_action` and `delegate_to` handle `become: false` differently. The later ignored it when it was done at task level. 2018-12-01 03:11:05 +00:00			`become: false`