diff --git a/bootstrap.yml b/bootstrap.yml
index 98d0e0e..52acafb 100755
--- a/bootstrap.yml
+++ b/bootstrap.yml
@@ -24,14 +24,37 @@
 state: directory
 mode: '0700'
 
+ - name: Extract required secrets from secrets.tar.gz.enc
+ shell: "openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d -in /root/secrets.tar.gz.enc | tar -zxv -C {{ item.dir }} --strip 2 {{ item.name }}"
+ with_items:
+ - name: secrets/docker-duplicity-stack/mail_credentials.json
+ dir: /root/
+ - name: secrets/bootstrap/id_rsa
+ dir: /root/.ssh
+
+ - name: Change secret file permissions
+ ansible.builtin.file:
+ path: "{{ item }}"
+ mode: '0400'
+ owner: root
+ group: root
+ with_items:
+ - /root/mail_credentials.json
+ - /root/.ssh/id_rsa
+
+ - name: Copy ssh config
+ ansible.builtin.copy:
+ src: /root/duplicity_playbooks/files/config
+ dest: /root/.ssh/config
+ mode: '0640'
+ owner: root
+ group: root
+ when: copy_output is changed
+
+ - name: Send mail with new secrets
 - name: Extract from secrets.tar.gz.enc
 shell: "openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d -in {{ WORKDIR }}/secrets.tar.gz.enc | tar -zxv -C {{ WORKDIR }}"
 
- - name: Change SSH private key permissions
- ansible.builtin.file:
- path: /root/.ssh/id_rsa
- mode: '0400'
-
 - name: Retrieve documentation
 ansible.builtin.get_url:
 url: "https://{{ CLOUD_SERVER }}/s/{{ lookup('env','DOC_KEY') }}/download"
@@ -57,6 +80,14 @@
 ansible.builtin.package:
 name: python2
 state: present
+ when: copy_output is changed
+
+ - name: Copy sendmail.py
+ ansible.builtin.copy:
+ src: /root/duplicity_playbooks/files/sendmail.py
+ dest: /root/sendmail.py
+ mode: '0770'
+ when: copy_output is changed
 
 - name: Send mail with new secrets
 ansible.builtin.command: "/root/sendmail.py -a {{ WORKDIR }}/secrets.tar.gz.enc {{ WORKDIR }}/mail /root/mail_credentials.json"
diff --git a/tasks/down.yml b/tasks/down.yml
index 3f5af0f..dc440b2 100755
--- a/tasks/down.yml
+++ b/tasks/down.yml
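Review bot: The last added line of the first block, `- name: Send mail with new secrets`, carries no module and is immediately followed by the unchanged `- name: Extract from secrets.tar.gz.enc` task, so Ansible will refuse the play with its "no module/action detected in task" error; it reads as a stray copy of the task name that already exists with `ansible.builtin.command` in the next hunk, and should be deleted. The new extraction task also inherits `openssl enc ... -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE` from the old one; that derives the key with the legacy single-pass MD5 EVP_BytesToKey scheme, so if the archive is ever re-encrypted the task should move to `-pbkdf2` (on the encrypting side too), and a comment above the `shell:` line should record which format the archive currently uses so nobody changes one side only. `copy_output`, tested by the `when:` on the ssh-config copy, is registered outside this hunk, so I cannot confirm it is set before that task runs.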
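Review bot: `mode: '0770'` on `/root/sendmail.py` leaves a script that the following task runs as root group-writable and group-executable, and unlike the ssh-config copy in the previous hunk this task sets no `owner`/`group`; `mode: '0700'`, `owner: root`, `group: root` would close that and keep the two copy tasks consistent. Gating the `python2` package task on `copy_output is changed` also means a rerun on a host where the package has since been removed will skip the reinstall, while `ansible.builtin.package` with `state: present` is already a no-op when the package is installed, so that `when:` can be dropped. The task that registers `copy_output` is outside the hunk.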
@@ -13,14 +13,6 @@
 delegate_to: 172.17.0.1
 become: true
 
-- name: Remove docker-duplicity-stack directory
- ansible.builtin.file:
- path: "/home/{{ user }}/repository/docker-duplicity-stack"
- state: absent
- remote_user: "{{ user }}"
- delegate_to: 172.17.0.1
- become: true
-
 - name: unmount /mnt/cloud
 ansible.posix.mount:
 path: /mnt/cloud
diff --git a/tasks/start.yml b/tasks/start.yml
index a147fb1..795544e 100755
--- a/tasks/start.yml
+++ b/tasks/start.yml
@@ -22,8 +22,6 @@
 - name: Extract from secrets.tar.gz.enc
 shell: "openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d -in /root/secrets.tar.gz.enc | tar -zxv -C {{ item.dir }} --strip 2 {{ item.name }}"
 with_items:
- - name: secrets/docker-duplicity-stack/mail_credentials.json
- dir: /root/
 - name: secrets/bootstrap/id_rsa
 dir: /root/.ssh
 - name: secrets/docker-duplicity-stack/nextcloud_password.sh
@@ -36,36 +34,6 @@
 path: /root/.ssh/id_rsa
 mode: '0400'
 
-- name: Remove docker-duplicity-stack directory
- ansible.builtin.file:
- path: "/home/{{ user }}/repository/docker-duplicity-stack"
- state: absent
- remote_user: "{{ user }}"
- delegate_to: 172.17.0.1
- become: true
-
-- name: Clone docker-duplicity-stack repo
- ansible.builtin.git:
- repo: 'https://{{ GIT_SERVER }}/yohan/docker-duplicity-stack.git'
- dest: "/home/{{ user }}/repository/docker-duplicity-stack"
- clone: yes
- force: true
- remote_user: "{{ user }}"
- delegate_to: 172.17.0.1
- become: true
-
-- name: Copy files
- ansible.builtin.copy:
- src: "{{ item }}"
- dest: "/home/{{ user }}/repository/docker-duplicity-stack"
- mode: '0400'
- remote_user: "{{ user }}"
- delegate_to: 172.17.0.1
- become: true
- with_items:
- - /root/mail_credentials.json
- - /root/.ssh/id_rsa
-
 - name: Set Nextcloud credentials
 ansible.builtin.include_tasks: "tasks/source_vars.yml"
 with_items:
@@ -235,15 +203,9 @@
 output_logs: true
 detach: false
 network_mode: host
- working_dir: "/home/{{ user }}/repository/docker-duplicity-stack"
 volumes:
 - /mnt/volumes:/mnt/volumes:z
 - /mnt/cloud:/mnt/cloud:z
- - /home/{{ user }}/repository/docker-duplicity-stack/backup_scripts:/mnt/scripts:z
- - /home/{{ user }}/repository/docker-duplicity-stack/sendmail.py:/root/sendmail.py:z
- - /home/{{ user }}/repository/docker-duplicity-stack/mail_credentials.json:/root/mail_credentials.json:z
- - /home/{{ user }}/repository/docker-duplicity-stack/id_rsa:/root/.ssh/id_rsa:Z
- - /home/{{ user }}/repository/docker-duplicity-stack/config:/root/.ssh/config:Z
 - /home/{{ user }}/repository/duplicity_playbooks_temp:/root/duplicity_playbooks:Z
 env:
 OS_AUTH_URL: "{{ OS_AUTH_URL }}"