duplicity_playbooks/gen_bootstrap.yml

---
- name: gen_bootstrap
  hosts: localhost
  gather_facts: false
  vars_files: main.yml
  tasks: 
    - name: Assert extra-vars are set
      ansible.builtin.assert:
        that:
          - item | length > 0
        msg: "{{ item }} environment variable must be set"
      with_items:
        - KEY
        - DOC_KEY
        - DUPLICITY_PASSPHRASE
    
    - name: Assert SECRETS_ARCHIVE_PASSPHRASE environment variable is set
      ansible.builtin.assert:
        that:
          - lookup('env','SECRETS_ARCHIVE_PASSPHRASE') | length > 0
        msg: "SECRETS_ARCHIVE_PASSPHRASE environment variable must be set"
    
    - name: Download secrets.tar.gz.enc
      ansible.builtin.get_url:
        url: "https://{{ CLOUD_SERVER }}/s/{{ KEY }}/download?path=%2F&files=secrets.tar.gz.enc"
        dest: "{{ WORKDIR }}/secrets.tar.gz.enc"
    
    - name: Install openssh-client
      ansible.builtin.package:
        name: openssh-client
        state: present
    
    - name: Create /root/.ssh directory
      ansible.builtin.file:
        path: /root/.ssh
        state: directory
        mode: '0700'
    
    - name: Extract from secrets.tar.gz.enc
      shell: "openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d -in {{ WORKDIR }}/secrets.tar.gz.enc | tar -zxv -C {{ WORKDIR }}"

    - name: Change SSH private key permissions
      ansible.builtin.file:
        path: /root/.ssh/id_rsa
        mode: '0400'

    - name: Retrieve documentation
      ansible.builtin.get_url:
        url: "https://{{ CLOUD_SERVER }}/s/{{ DOC_KEY }}/download"
        dest: "{{ WORKDIR }}/Documentation.md"

    - name: Copy new documentation
      ansible.builtin.copy:
        src: "{{ WORKDIR }}/Documentation.md"
        dest: "{{ WORKDIR }}/secrets/bootstrap/Documentation.md"
      register: copy_output

    - name: Create secrets.tar.gz.enc
      shell: "tar -czvpf - -C {{ WORKDIR }} secrets | openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -salt -out {{ WORKDIR }}/secrets.tar.gz.enc"
      when: copy_output is changed

    - name: Copy mail content
      ansible.builtin.copy:
        content: "Secrets archive has changed. New file attached."
        dest: "{{ WORKDIR }}/mail"
      when: copy_output is changed

    - name: Install python2
      ansible.builtin.package:
        name: python2
        state: present

    - name: Send mail with new secrets
      ansible.builtin.command: "/root/sendmail.py -a {{ WORKDIR }}/secrets.tar.gz.enc {{ WORKDIR }}/mail /root/mail_credentials.json"
      when: copy_output is changed

    - name: Copy new secrets in Nextcloud share
      ansible.builtin.copy:
        src: "{{ WORKDIR }}/secrets.tar.gz.enc"
        dest: /mnt/cloud/Passwords/secrets.tar.gz.enc
      when: copy_output is changed

    - name: Create /mnt/archives_critiques/secrets directory on serveur-appart
      ansible.builtin.file:
        path: /mnt/archives_critiques/secrets
        state: directory
        owner: yohan
        group: yohan
      remote_user: yohan
      vars:
        ansible_ssh_port: 2224
      delegate_to: chez-yohan.scimetis.net
      become: true

    - name: Get checksum of secrets.tar.gz.enc
      ansible.builtin.stat:
        path: "{{ WORKDIR }}/secrets.tar.gz.enc"
      register: stats_output

    - name: Copy new secrets on serveur-appart
      ansible.builtin.copy:
        src: "{{ WORKDIR }}/secrets.tar.gz.enc"
        dest: "/mnt/archives_critiques/secrets/secrets.tar.gz.enc-{{ stats_output.stat.checksum }}"
      remote_user: yohan
      vars:
        ansible_ssh_port: 2224
      delegate_to: chez-yohan.scimetis.net

#for name in docker-nextcloud-stack docker-reverse-proxy-stack docker-reverse-proxy docker-gogs-stack docker-mysql-stack docker-mysql systemd-mount-cinder-volume
#do  
#    git clone https://git.scimetis.net/yohan/${name}.git ${DIRECTORY}/${name}
#    tar -czf ${DIRECTORY}/${name}.tar.gz -C ${DIRECTORY} ${name}
#    rm -rf ${DIRECTORY}/${name}
#done
#
#ARCHIVE_DIR=/mnt/volumes/duplicity_cache/data
#export SWIFT_USERNAME=$OS_USERNAME
#export SWIFT_PASSWORD=$OS_PASSWORD
#export SWIFT_AUTHURL=$OS_AUTH_URL
#export SWIFT_AUTHVERSION=$OS_IDENTITY_API_VERSION
#export SWIFT_TENANTNAME=$OS_TENANT_NAME
#export SWIFT_REGIONNAME=$OS_REGION_NAME
#export PASSPHRASE=$DUPLICITY_PASSPHRASE
#duplicity --num-retries 3 --full-if-older-than 1M --progress --archive-dir ${ARCHIVE_DIR} --name bootstrap --allow-source-mismatch "${DIRECTORY}" swift://bootstrap
#duplicity remove-older-than 2M --archive-dir ${ARCHIVE_DIR} --name bootstrap --allow-source-mismatch --force swift://bootstrap
New playbook gen_bootstrap.yml. 2023-10-20 22:23:30 +00:00			`---`
			`- name: gen_bootstrap`
			`hosts: localhost`
			`gather_facts: false`
			`vars_files: main.yml`
			`tasks:`
Improve gen_bootstrap.yml. 2023-10-21 08:37:55 +00:00			`- name: Assert extra-vars are set`
			`ansible.builtin.assert:`
			`that:`
			`- item \| length > 0`
			`msg: "{{ item }} environment variable must be set"`
			`with_items:`
			`- KEY`
			`- DOC_KEY`
			`- DUPLICITY_PASSPHRASE`

			`- name: Assert SECRETS_ARCHIVE_PASSPHRASE environment variable is set`
			`ansible.builtin.assert:`
			`that:`
			`- lookup('env','SECRETS_ARCHIVE_PASSPHRASE') \| length > 0`
			`msg: "SECRETS_ARCHIVE_PASSPHRASE environment variable must be set"`

			`- name: Download secrets.tar.gz.enc`
			`ansible.builtin.get_url:`
			`url: "https://{{ CLOUD_SERVER }}/s/{{ KEY }}/download?path=%2F&files=secrets.tar.gz.enc"`
Improve gen_bootstrap.yml. 2023-10-21 20:06:38 +00:00			`dest: "{{ WORKDIR }}/secrets.tar.gz.enc"`
Improve gen_bootstrap.yml. 2023-10-21 08:37:55 +00:00
			`- name: Install openssh-client`
			`ansible.builtin.package:`
			`name: openssh-client`
			`state: present`

			`- name: Create /root/.ssh directory`
			`ansible.builtin.file:`
			`path: /root/.ssh`
			`state: directory`
			`mode: '0700'`

			`- name: Extract from secrets.tar.gz.enc`
Improve gen_bootstrap.yml. 2023-10-21 20:06:38 +00:00			`shell: "openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d -in {{ WORKDIR }}/secrets.tar.gz.enc \| tar -zxv -C {{ WORKDIR }}"`
Improve gen_bootstrap.yml. 2023-10-21 08:37:55 +00:00
			`- name: Change SSH private key permissions`
			`ansible.builtin.file:`
			`path: /root/.ssh/id_rsa`
			`mode: '0400'`

Improve gen_bootstrap.yml. 2023-10-21 08:52:38 +00:00			`- name: Retrieve documentation`
			`ansible.builtin.get_url:`
			`url: "https://{{ CLOUD_SERVER }}/s/{{ DOC_KEY }}/download"`
Improve gen_bootstrap.yml. 2023-10-21 20:06:38 +00:00			`dest: "{{ WORKDIR }}/Documentation.md"`
Improve gen_bootstrap.yml. 2023-10-21 19:02:00 +00:00
			`- name: Copy new documentation`
			`ansible.builtin.copy:`
Improve gen_bootstrap.yml. 2023-10-21 20:06:38 +00:00			`src: "{{ WORKDIR }}/Documentation.md"`
			`dest: "{{ WORKDIR }}/secrets/bootstrap/Documentation.md"`
Improve gen_bootstrap.yml. 2023-10-21 19:02:00 +00:00			`register: copy_output`

Improve gen_bootstrap.yml. 2023-10-21 19:20:07 +00:00			`- name: Create secrets.tar.gz.enc`
Improve gen_bootstrap.yml. 2023-10-21 20:06:38 +00:00			`shell: "tar -czvpf - -C {{ WORKDIR }} secrets \| openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -salt -out {{ WORKDIR }}/secrets.tar.gz.enc"`
Improve gen_bootstrap.yml. 2023-10-21 19:02:00 +00:00			`when: copy_output is changed`
Improve gen_bootstrap.yml. 2023-10-21 19:20:07 +00:00
			`- name: Copy mail content`
			`ansible.builtin.copy:`
			`content: "Secrets archive has changed. New file attached."`
Improve gen_bootstrap.yml. 2023-10-21 20:06:38 +00:00			`dest: "{{ WORKDIR }}/mail"`
Improve gen_bootstrap.yml. 2023-10-21 19:20:07 +00:00			`when: copy_output is changed`

Improve gen_bootstrap.yml. 2023-10-21 19:34:13 +00:00			`- name: Install python2`
			`ansible.builtin.package:`
			`name: python2`
			`state: present`

Improve gen_bootstrap.yml. 2023-10-21 19:20:07 +00:00			`- name: Send mail with new secrets`
Improve gen_bootstrap.yml. 2023-10-21 20:06:38 +00:00			`ansible.builtin.command: "/root/sendmail.py -a {{ WORKDIR }}/secrets.tar.gz.enc {{ WORKDIR }}/mail /root/mail_credentials.json"`
Improve gen_bootstrap.yml. 2023-10-21 19:20:07 +00:00			`when: copy_output is changed`

			`- name: Copy new secrets in Nextcloud share`
			`ansible.builtin.copy:`
Improve gen_bootstrap.yml. 2023-10-21 20:06:38 +00:00			`src: "{{ WORKDIR }}/secrets.tar.gz.enc"`
Improve gen_bootstrap.yml. 2023-10-21 19:20:07 +00:00			`dest: /mnt/cloud/Passwords/secrets.tar.gz.enc`
			`when: copy_output is changed`

Improve gen_bootstrap.yml. 2023-10-21 20:33:57 +00:00			`- name: Create /mnt/archives_critiques/secrets directory on serveur-appart`
Improve gen_bootstrap.yml. 2023-10-21 20:06:38 +00:00			`ansible.builtin.file:`
			`path: /mnt/archives_critiques/secrets`
			`state: directory`
			`owner: yohan`
			`group: yohan`
			`remote_user: yohan`
Improve gen_bootstrap.yml. 2023-10-21 20:18:29 +00:00			`vars:`
			`ansible_ssh_port: 2224`
Improve gen_bootstrap.yml. 2023-10-21 20:06:38 +00:00			`delegate_to: chez-yohan.scimetis.net`
			`become: true`

			`- name: Get checksum of secrets.tar.gz.enc`
			`ansible.builtin.stat:`
			`path: "{{ WORKDIR }}/secrets.tar.gz.enc"`
			`register: stats_output`

Improve gen_bootstrap.yml. 2023-10-21 20:33:57 +00:00			`- name: Copy new secrets on serveur-appart`
			`ansible.builtin.copy:`
			`src: "{{ WORKDIR }}/secrets.tar.gz.enc"`
			`dest: "/mnt/archives_critiques/secrets/secrets.tar.gz.enc-{{ stats_output.stat.checksum }}"`
			`remote_user: yohan`
			`vars:`
			`ansible_ssh_port: 2224`
			`delegate_to: chez-yohan.scimetis.net`
Improve gen_bootstrap.yml. 2023-10-21 20:06:38 +00:00
			`#for name in docker-nextcloud-stack docker-reverse-proxy-stack docker-reverse-proxy docker-gogs-stack docker-mysql-stack docker-mysql systemd-mount-cinder-volume`
			`#do`
			`# git clone https://git.scimetis.net/yohan/${name}.git ${DIRECTORY}/${name}`
			`# tar -czf ${DIRECTORY}/${name}.tar.gz -C ${DIRECTORY} ${name}`
			`# rm -rf ${DIRECTORY}/${name}`
			`#done`
			`#`
			`#ARCHIVE_DIR=/mnt/volumes/duplicity_cache/data`
			`#export SWIFT_USERNAME=$OS_USERNAME`
			`#export SWIFT_PASSWORD=$OS_PASSWORD`
			`#export SWIFT_AUTHURL=$OS_AUTH_URL`
			`#export SWIFT_AUTHVERSION=$OS_IDENTITY_API_VERSION`
			`#export SWIFT_TENANTNAME=$OS_TENANT_NAME`
			`#export SWIFT_REGIONNAME=$OS_REGION_NAME`
			`#export PASSPHRASE=$DUPLICITY_PASSPHRASE`
			`#duplicity --num-retries 3 --full-if-older-than 1M --progress --archive-dir ${ARCHIVE_DIR} --name bootstrap --allow-source-mismatch "${DIRECTORY}" swift://bootstrap`
			`#duplicity remove-older-than 2M --archive-dir ${ARCHIVE_DIR} --name bootstrap --allow-source-mismatch --force swift://bootstrap`