--- - name: backup bootstrap hosts: localhost gather_facts: false vars_files: main.yml tasks: - name: Assert environment variable is not empty ansible.builtin.include_tasks: "tasks/assert_env_var_not_empty.yml" with_items: "{{ BOOTSTRAP_REQUIRED_ENV_VARS }}" - name: Download secrets.tar.gz.enc ansible.builtin.get_url: url: "https://{{ CLOUD_SERVER }}/s/{{ lookup('env','KEY') }}/download?path=%2F&files=secrets.tar.gz.enc" dest: "{{ WORKDIR }}/secrets.tar.gz.enc" - name: Install openssh-client ansible.builtin.package: name: openssh-client state: present - name: Create /root/.ssh directory ansible.builtin.file: path: /root/.ssh state: directory mode: '0700' - name: Extract required secrets from secrets.tar.gz.enc shell: "openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d -in /root/secrets.tar.gz.enc | tar -zxv -C {{ item.dir }} --strip 2 {{ item.name }}" with_items: - name: secrets/docker-duplicity-stack/mail_credentials.json dir: /root/ - name: secrets/bootstrap/id_rsa dir: /root/.ssh - name: Change secret file permissions ansible.builtin.file: path: "{{ item }}" mode: '0400' owner: root group: root with_items: - /root/mail_credentials.json - /root/.ssh/id_rsa - name: Copy ssh config ansible.builtin.copy: src: /root/duplicity_playbooks/files/config dest: /root/.ssh/config mode: '0640' owner: root group: root - name: Extract from secrets.tar.gz.enc shell: "openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d -in {{ WORKDIR }}/secrets.tar.gz.enc | tar -zxv -C {{ WORKDIR }}" - name: Retrieve documentation ansible.builtin.get_url: url: "https://{{ CLOUD_SERVER }}/s/{{ lookup('env','DOC_KEY') }}/download" dest: "{{ WORKDIR }}/Documentation.md" - name: Copy new documentation ansible.builtin.copy: src: "{{ WORKDIR }}/Documentation.md" dest: "{{ WORKDIR }}/secrets/bootstrap/Documentation.md" register: copy_output - name: Create secrets.tar.gz.enc shell: "tar -czvpf - -C {{ WORKDIR }} secrets | openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -salt -out {{ WORKDIR }}/secrets.tar.gz.enc" when: copy_output is changed - name: Copy mail content ansible.builtin.copy: content: "Secrets archive has changed. New file attached." dest: "{{ WORKDIR }}/mail" when: copy_output is changed - name: Install python2 ansible.builtin.package: name: python2 state: present when: copy_output is changed - name: Copy sendmail.py ansible.builtin.copy: src: /root/duplicity_playbooks/files/sendmail.py dest: /root/sendmail.py mode: '0770' when: copy_output is changed - name: Send mail with new secrets ansible.builtin.command: "/root/sendmail.py -a {{ WORKDIR }}/secrets.tar.gz.enc {{ WORKDIR }}/mail /root/mail_credentials.json" when: copy_output is changed - name: Copy new secrets in Nextcloud share ansible.builtin.copy: src: "{{ WORKDIR }}/secrets.tar.gz.enc" dest: /mnt/cloud/Passwords/secrets.tar.gz.enc when: copy_output is changed - name: Create /mnt/archives_critiques/secrets directory on serveur-appart ansible.builtin.file: path: /mnt/archives_critiques/secrets state: directory owner: yohan group: yohan remote_user: yohan vars: ansible_ssh_port: 2224 delegate_to: chez-yohan.scimetis.net become: true - name: Get checksum of secrets.tar.gz.enc ansible.builtin.stat: path: "{{ WORKDIR }}/secrets.tar.gz.enc" register: stats_output - name: Copy new secrets on serveur-appart ansible.builtin.copy: src: "{{ WORKDIR }}/secrets.tar.gz.enc" dest: "/mnt/archives_critiques/secrets/secrets.tar.gz.enc-{{ stats_output.stat.checksum }}" remote_user: yohan vars: ansible_ssh_port: 2224 delegate_to: chez-yohan.scimetis.net - name: Clone repo ansible.builtin.git: repo: 'https://{{ GIT_SERVER }}/yohan/{{ item }}.git' dest: "{{ WORKDIR }}/{{ item }}" with_items: "{{ BOOTSTRAP_REPOS }}" - name: Create backup directory ansible.builtin.file: path: "{{ WORKDIR }}/backup" state: directory - name: Archive Git repository ansible.builtin.command: "tar -czf {{ WORKDIR }}/backup/{{ item }}.tar.gz -C {{ WORKDIR }} {{ item }}" with_items: "{{ BOOTSTRAP_REPOS }}" - name: Copy secrets in backup directory ansible.builtin.copy: src: "{{ WORKDIR }}/secrets.tar.gz.enc" dest: "{{ WORKDIR }}/backup/secrets.tar.gz.enc" # python3-swiftclient is a requirement of duplicity - name: Install python3-swiftclient ansible.builtin.package: name: python3-swiftclient state: present - name: Backup with duplicity ansible.builtin.command: "duplicity --num-retries 3 --full-if-older-than 1M --progress --archive-dir {{ ARCHIVE_DIR }} --name {{ lookup('env','BACKUP_WORKFLOW') }} --allow-source-mismatch '{{ WORKDIR }}/backup' swift://{{ lookup('env','BACKUP_WORKFLOW') }}" environment: "{{ DUPLICITY_ENVIRONMENT }}" - name: Clean old duplicity backups ansible.builtin.command: "duplicity remove-older-than 2M --archive-dir {{ ARCHIVE_DIR }} --name {{ lookup('env','BACKUP_WORKFLOW') }} --allow-source-mismatch --force swift://{{ lookup('env','BACKUP_WORKFLOW') }}" environment: "{{ DUPLICITY_ENVIRONMENT }}"