duplicity_playbooks/gen_bootstrap.yml

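---
# gen_bootstrap: refresh the encrypted secrets archive, redistribute it when
# it changed, and back it up together with the infrastructure Git repositories
# using duplicity (Swift backend).
#
# Runs on localhost; two tasks are delegated to chez-yohan.scimetis.net.
# Inputs:
#   - extra-vars KEY, DOC_KEY, DUPLICITY_PASSPHRASE (asserted below)
#   - environment variable SECRETS_ARCHIVE_PASSPHRASE (read directly by openssl)
#   - WORKDIR, CLOUD_SERVER, GIT_SERVER, ARCHIVE_DIR and the OS_* credentials,
#     presumably defined in main.yml — they are not defined in this file.
- name: gen_bootstrap
  hosts: localhost
  gather_facts: false
  vars_files:
    - main.yml
  vars:
    # Repositories cloned and archived into the bootstrap backup; listed once
    # so the clone and archive loops cannot drift apart.
    bootstrap_repos:
      - docker-nextcloud-stack
      - docker-reverse-proxy-stack
      - docker-reverse-proxy
      - docker-gogs-stack
      - docker-mysql-stack
      - docker-mysql
      - systemd-mount-cinder-volume
    # Credentials handed to both duplicity invocations through the
    # `environment` task keyword.
    duplicity_env:
      SWIFT_AUTHURL: "{{ OS_AUTH_URL }}"
      SWIFT_AUTHVERSION: "{{ OS_IDENTITY_API_VERSION }}"
      SWIFT_TENANTNAME: "{{ OS_TENANT_NAME }}"
      SWIFT_USERNAME: "{{ OS_USERNAME }}"
      SWIFT_PASSWORD: "{{ OS_PASSWORD }}"
      SWIFT_REGION_NAME: "{{ OS_REGION_NAME }}"
      PASSPHRASE: "{{ DUPLICITY_PASSPHRASE }}"

  tasks:
    - name: Assert extra-vars are set
      # Resolve the variable named by `item`: a bare `item | length > 0` only
      # measures the literal string "KEY" and therefore never fails.
      ansible.builtin.assert:
        that:
          - lookup('vars', item, default='') | length > 0
        msg: "{{ item }} extra-var must be set"
      with_items:
        - KEY
        - DOC_KEY
        - DUPLICITY_PASSPHRASE

    - name: Assert SECRETS_ARCHIVE_PASSPHRASE environment variable is set
      ansible.builtin.assert:
        that:
          - lookup('env', 'SECRETS_ARCHIVE_PASSPHRASE') | length > 0
        msg: "SECRETS_ARCHIVE_PASSPHRASE environment variable must be set"

    - name: Download secrets.tar.gz.enc
      # KEY is a share token embedded in the URL; no_log keeps it out of the
      # task result (failures will show a redacted message).
      ansible.builtin.get_url:
        url: "https://{{ CLOUD_SERVER }}/s/{{ KEY }}/download?path=%2F&files=secrets.tar.gz.enc"
        dest: "{{ WORKDIR }}/secrets.tar.gz.enc"
        mode: '0600'
      no_log: true

    - name: Install openssh-client
      ansible.builtin.package:
        name: openssh-client
        state: present

    - name: Create /root/.ssh directory
      ansible.builtin.file:
        path: /root/.ssh
        state: directory
        mode: '0700'

    - name: Extract from secrets.tar.gz.enc
      # NOTE(review): `-md md5` without -pbkdf2 is openssl's legacy key
      # derivation. It is kept because existing archives were produced with the
      # same options in "Create secrets.tar.gz.enc" below; migrate both
      # together. WORKDIR is shell-quoted since this runs through a shell.
      ansible.builtin.shell: >-
        openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE
        -d -in {{ WORKDIR | quote }}/secrets.tar.gz.enc
        | tar -zxv -C {{ WORKDIR | quote }}

    - name: Change SSH private key permissions
      # NOTE(review): the archive is extracted under WORKDIR, so this path is
      # not visibly created by this play — confirm where id_rsa comes from.
      ansible.builtin.file:
        path: /root/.ssh/id_rsa
        mode: '0400'

    - name: Retrieve documentation
      # DOC_KEY is a share token embedded in the URL (see no_log above).
      ansible.builtin.get_url:
        url: "https://{{ CLOUD_SERVER }}/s/{{ DOC_KEY }}/download"
        dest: "{{ WORKDIR }}/Documentation.md"
      no_log: true

    - name: Copy new documentation
      # The changed state of this copy gates every re-encrypt / redistribute
      # step below.
      ansible.builtin.copy:
        src: "{{ WORKDIR }}/Documentation.md"
        dest: "{{ WORKDIR }}/secrets/bootstrap/Documentation.md"
      register: copy_output

    - name: Create secrets.tar.gz.enc
      # Must stay option-compatible with the extract task above.
      ansible.builtin.shell: >-
        tar -czvpf - -C {{ WORKDIR | quote }} secrets
        | openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE
        -salt -out {{ WORKDIR | quote }}/secrets.tar.gz.enc
      when: copy_output is changed

    - name: Copy mail content
      ansible.builtin.copy:
        content: "Secrets archive has changed. New file attached."
        dest: "{{ WORKDIR }}/mail"
      when: copy_output is changed

    - name: Install python2
      # Required by /root/sendmail.py (assumed from the next task).
      ansible.builtin.package:
        name: python2
        state: present

    - name: Send mail with new secrets
      ansible.builtin.command: >-
        /root/sendmail.py -a {{ WORKDIR }}/secrets.tar.gz.enc
        {{ WORKDIR }}/mail /root/mail_credentials.json
      when: copy_output is changed

    - name: Copy new secrets in Nextcloud share
      ansible.builtin.copy:
        src: "{{ WORKDIR }}/secrets.tar.gz.enc"
        dest: /mnt/cloud/Passwords/secrets.tar.gz.enc
      when: copy_output is changed

    - name: Create /mnt/archives_critiques/secrets directory on serveur-appart
      ansible.builtin.file:
        path: /mnt/archives_critiques/secrets
        state: directory
        owner: yohan
        group: yohan
      remote_user: yohan
      vars:
        # ansible_ssh_port is the legacy alias of ansible_port; kept as-is.
        ansible_ssh_port: 2224
      delegate_to: chez-yohan.scimetis.net
      become: true

    - name: Get checksum of secrets.tar.gz.enc
      # stat's checksum defaults to sha1; it names the archived copy below.
      ansible.builtin.stat:
        path: "{{ WORKDIR }}/secrets.tar.gz.enc"
      register: stats_output

    - name: Copy new secrets on serveur-appart
      ansible.builtin.copy:
        src: "{{ WORKDIR }}/secrets.tar.gz.enc"
        dest: "/mnt/archives_critiques/secrets/secrets.tar.gz.enc-{{ stats_output.stat.checksum }}"
      remote_user: yohan
      vars:
        ansible_ssh_port: 2224
      delegate_to: chez-yohan.scimetis.net

    - name: Clone repo
      ansible.builtin.git:
        repo: 'https://{{ GIT_SERVER }}/yohan/{{ item }}.git'
        dest: "{{ WORKDIR }}/{{ item }}"
      with_items: "{{ bootstrap_repos }}"

    - name: Create backup directory
      ansible.builtin.file:
        path: "{{ WORKDIR }}/backup"
        state: directory

    - name: Archive Git repository
      ansible.builtin.command: >-
        tar -czf {{ WORKDIR }}/backup/{{ item }}.tar.gz -C {{ WORKDIR }} {{ item }}
      with_items: "{{ bootstrap_repos }}"

    - name: Copy secrets in backup directory
      ansible.builtin.copy:
        src: "{{ WORKDIR }}/secrets.tar.gz.enc"
        dest: "{{ WORKDIR }}/backup/secrets.tar.gz.enc"

    - name: Backup with duplicity
      # `environment` is the task keyword for per-task variables; `env` is not
      # accepted by Ansible and fails at play parse time.
      ansible.builtin.command: >-
        duplicity --num-retries 3 --full-if-older-than 1M --progress
        --archive-dir {{ ARCHIVE_DIR }} --name bootstrap --allow-source-mismatch
        '{{ WORKDIR }}/backup' swift://bootstrap
      environment: "{{ duplicity_env }}"

    - name: Clean old duplicity backups
      ansible.builtin.command: >-
        duplicity remove-older-than 2M --archive-dir {{ ARCHIVE_DIR }}
        --name bootstrap --allow-source-mismatch --force swift://bootstrap
      environment: "{{ duplicity_env }}"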