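---
# Bootstrap play: downloads the encrypted secrets archive from the cloud
# share, unpacks it, refreshes the bundled documentation and, only when the
# documentation changed, re-encrypts the archive and redistributes it
# (mail, Nextcloud share).
#
# Inputs: KEY, DOC_KEY and DUPLICITY_PASSPHRASE as Ansible variables
# (main.yml or --extra-vars), CLOUD_SERVER and WORKDIR (expected from
# main.yml), and the SECRETS_ARCHIVE_PASSPHRASE environment variable.
- name: gen_bootstrap
  hosts: localhost
  gather_facts: false
  vars_files: main.yml
  tasks:
    - name: Assert extra-vars are set
      ansible.builtin.assert:
        # `item` is the variable *name*; resolve it, otherwise the check
        # only measures the length of the literal name and always passes.
        that:
          - lookup('vars', item, default='') | length > 0
        msg: "{{ item }} environment variable must be set"
      loop:
        - KEY
        - DOC_KEY
        - DUPLICITY_PASSPHRASE

    - name: Assert SECRETS_ARCHIVE_PASSPHRASE environment variable is set
      ansible.builtin.assert:
        that:
          - lookup('env', 'SECRETS_ARCHIVE_PASSPHRASE') | length > 0
        msg: "SECRETS_ARCHIVE_PASSPHRASE environment variable must be set"

    - name: Download secrets.tar.gz.enc
      ansible.builtin.get_url:
        url: "https://{{ CLOUD_SERVER }}/s/{{ KEY }}/download?path=%2F&files=secrets.tar.gz.enc"
        dest: "{{ WORKDIR }}/secrets.tar.gz.enc"
        # Keep the archive owner-only even though it is encrypted at rest.
        mode: '0600'

    - name: Install openssh-client
      ansible.builtin.package:
        name: openssh-client
        state: present

    - name: Create /root/.ssh directory
      ansible.builtin.file:
        path: /root/.ssh
        state: directory
        mode: '0700'

    # NOTE(review): `-md md5` selects the legacy single-iteration key
    # derivation. Moving this task and "Create secrets.tar.gz.enc" together
    # to `-pbkdf2` (with `-iter`) would strengthen passphrase protection,
    # but the archive already stored on the share must be re-encrypted in
    # the same change or this decrypt step breaks.
    # The passphrase is passed via the environment (env:), so it never
    # appears on the command line or in task logs.
    - name: Extract from secrets.tar.gz.enc
      ansible.builtin.shell: >-
        set -o pipefail &&
        openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d
        -in {{ (WORKDIR ~ '/secrets.tar.gz.enc') | quote }}
        | tar -zxv -C {{ WORKDIR | quote }}
      args:
        # pipefail is a bash feature; without it a failed decrypt is masked
        # by tar's exit status.
        executable: /bin/bash

    - name: Change SSH private key permissions
      ansible.builtin.file:
        path: /root/.ssh/id_rsa
        mode: '0400'

    - name: Retrieve documentation
      ansible.builtin.get_url:
        url: "https://{{ CLOUD_SERVER }}/s/{{ DOC_KEY }}/download"
        dest: "{{ WORKDIR }}/Documentation.md"

    # `copy_output is changed` gates every redistribution step below.
    - name: Copy new documentation
      ansible.builtin.copy:
        src: "{{ WORKDIR }}/Documentation.md"
        dest: "{{ WORKDIR }}/secrets/bootstrap/Documentation.md"
      register: copy_output

    - name: Create secrets.tar.gz.enc
      ansible.builtin.shell: >-
        set -o pipefail &&
        tar -czvpf - -C {{ WORKDIR | quote }} secrets
        | openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE
        -salt -out {{ (WORKDIR ~ '/secrets.tar.gz.enc') | quote }}
      args:
        # Without pipefail a failing tar still yields a "successful"
        # (empty or truncated) archive that is then mailed and uploaded.
        executable: /bin/bash
      when: copy_output is changed

    - name: Copy mail content
      ansible.builtin.copy:
        content: "Secrets archive has changed. New file attached."
        dest: "{{ WORKDIR }}/mail"
      when: copy_output is changed

    - name: Install python2
      ansible.builtin.package:
        name: python2
        state: present

    - name: Send mail with new secrets
      ansible.builtin.command:
        # argv form avoids shell word-splitting of WORKDIR.
        argv:
          - /root/sendmail.py
          - -a
          - "{{ WORKDIR }}/secrets.tar.gz.enc"
          - "{{ WORKDIR }}/mail"
          - /root/mail_credentials.json
      when: copy_output is changed

    - name: Copy new secrets in Nextcloud share
      ansible.builtin.copy:
        src: "{{ WORKDIR }}/secrets.tar.gz.enc"
        dest: /mnt/cloud/Passwords/secrets.tar.gz.enc
      when: copy_output is changed

    - name: Create /mnt/archives_critiques/secrets directory in serveur-appart
      ansible.builtin.file:
        path: /mnt/archives_critiques/secrets
        state: directory
        owner: yohan
        group: yohan
      remote_user: yohan
      # Task-level connection port keyword (was written as `remote_port`).
      port: 2224
      delegate_to: chez-yohan.scimetis.net
      become: true

    # stat computes a checksum of the archive by default; the result is
    # only displayed for now (see the not-yet-ported steps below).
    - name: Get checksum of secrets.tar.gz.enc
      ansible.builtin.stat:
        path: "{{ WORKDIR }}/secrets.tar.gz.enc"
      register: stats_output

    - name: Show stat result of secrets.tar.gz.enc
      ansible.builtin.debug:
        var: stats_output

# Commented-out shell steps carried over from the previous script; they are
# not executed by this play.
# FILENAME=secrets.tar.gz.enc-$(sha1sum ${DIRECTORY}/secrets.tar.gz.enc | awk -F' ' '{print $1}')
# scp -P 2224 ${DIRECTORY}/secrets.tar.gz.enc yohan@chez-yohan.scimetis.net:/mnt/archives_critiques/secrets/$FILENAME
# rm -rf ${DIRECTORY}/secrets* ${DIRECTORY}/Documentation.md
#
# for name in docker-nextcloud-stack docker-reverse-proxy-stack docker-reverse-proxy docker-gogs-stack docker-mysql-stack docker-mysql systemd-mount-cinder-volume
# do
#   git clone https://git.scimetis.net/yohan/${name}.git ${DIRECTORY}/${name}
#   tar -czf ${DIRECTORY}/${name}.tar.gz -C ${DIRECTORY} ${name}
#   rm -rf ${DIRECTORY}/${name}
# done
#
# ARCHIVE_DIR=/mnt/volumes/duplicity_cache/data
# export SWIFT_USERNAME=$OS_USERNAME
# export SWIFT_PASSWORD=$OS_PASSWORD
# export SWIFT_AUTHURL=$OS_AUTH_URL
# export SWIFT_AUTHVERSION=$OS_IDENTITY_API_VERSION
# export SWIFT_TENANTNAME=$OS_TENANT_NAME
# export SWIFT_REGIONNAME=$OS_REGION_NAME
# export PASSPHRASE=$DUPLICITY_PASSPHRASE
# duplicity --num-retries 3 --full-if-older-than 1M --progress --archive-dir ${ARCHIVE_DIR} --name bootstrap --allow-source-mismatch "${DIRECTORY}" swift://bootstrap
# duplicity remove-older-than 2M --archive-dir ${ARCHIVE_DIR} --name bootstrap --allow-source-mismatch --force swift://bootstrap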