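---
# Playbook "gen_bootstrap": fetches the encrypted secrets archive from the
# cloud share, refreshes the bundled documentation, re-encrypts and
# distributes the archive (mail, Nextcloud share, remote host) when it
# changed, then backs up the archive plus a set of Git repositories to
# Swift with duplicity.
#
# Required inputs:
#   extra-vars  KEY, DOC_KEY            (share tokens for the downloads)
#   env vars    OS_AUTH_URL, OS_IDENTITY_API_VERSION, OS_TENANT_NAME,
#               OS_USERNAME, OS_PASSWORD, OS_REGION_NAME,
#               SECRETS_ARCHIVE_PASSPHRASE, DUPLICITY_PASSPHRASE
#   main.yml    CLOUD_SERVER, GIT_SERVER, WORKDIR, ARCHIVE_DIR (vars_files)
- name: gen_bootstrap
  hosts: localhost
  gather_facts: false
  vars_files:
    - main.yml
  vars:
    # Repositories cloned and archived into the backup directory; listed once
    # here so the clone task and the archive task cannot drift apart.
    bootstrap_repos:
      - docker-nextcloud-stack
      - docker-reverse-proxy-stack
      - docker-reverse-proxy
      - docker-gogs-stack
      - docker-mysql-stack
      - docker-mysql
      - systemd-mount-cinder-volume
    # Swift credentials for duplicity, taken from the OS_* environment
    # variables that the assert tasks below require to be non-empty.
    # Lookups are evaluated when the dict is used, i.e. per task.
    duplicity_swift_env:
      SWIFT_AUTHURL: "{{ lookup('env', 'OS_AUTH_URL') }}"
      SWIFT_AUTHVERSION: "{{ lookup('env', 'OS_IDENTITY_API_VERSION') }}"
      SWIFT_TENANTNAME: "{{ lookup('env', 'OS_TENANT_NAME') }}"
      SWIFT_USERNAME: "{{ lookup('env', 'OS_USERNAME') }}"
      SWIFT_PASSWORD: "{{ lookup('env', 'OS_PASSWORD') }}"
      SWIFT_REGION_NAME: "{{ lookup('env', 'OS_REGION_NAME') }}"
      PASSPHRASE: "{{ lookup('env', 'DUPLICITY_PASSPHRASE') }}"

  tasks:
    # `item` is the *name* of the extra-var; the previous test
    # `item | length > 0` measured that name (always > 0) and never failed.
    # Resolve the variable by name and default to '' when it is undefined.
    - name: Assert extra-vars are set
      ansible.builtin.assert:
        that:
          - lookup('vars', item, default='') | length > 0
        msg: "{{ item }} environment variable must be set"
      loop:
        - KEY
        - DOC_KEY

    - name: Assert environment variable is not empty
      ansible.builtin.include_tasks: "tasks/assert_env_var_not_empty.yml"
      loop:
        - OS_AUTH_URL
        - OS_IDENTITY_API_VERSION
        - OS_TENANT_NAME
        - OS_USERNAME
        - OS_PASSWORD
        - OS_REGION_NAME
        - SECRETS_ARCHIVE_PASSPHRASE
        - DUPLICITY_PASSPHRASE

    # The archive is encrypted, but it is still secret material: keep it
    # readable by the owner only.
    - name: Download secrets.tar.gz.enc
      ansible.builtin.get_url:
        url: "https://{{ CLOUD_SERVER }}/s/{{ KEY }}/download?path=%2F&files=secrets.tar.gz.enc"
        dest: "{{ WORKDIR }}/secrets.tar.gz.enc"
        mode: '0600'

    - name: Install openssh-client
      ansible.builtin.package:
        name: openssh-client
        state: present

    - name: Create /root/.ssh directory
      ansible.builtin.file:
        path: /root/.ssh
        state: directory
        mode: '0700'

    # NOTE(review): `-md md5` selects OpenSSL's legacy key derivation (a
    # single MD5 over passphrase+salt, no iteration). It is kept because
    # existing archives were produced with it; moving to `-pbkdf2` requires
    # changing this task and "Create secrets.tar.gz.enc" together and
    # re-encrypting the stored archive in the same run.
    - name: Extract from secrets.tar.gz.enc
      ansible.builtin.shell: "openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d -in {{ WORKDIR }}/secrets.tar.gz.enc | tar -zxv -C {{ WORKDIR }}"

    - name: Change SSH private key permissions
      ansible.builtin.file:
        path: /root/.ssh/id_rsa
        mode: '0400'

    - name: Retrieve documentation
      ansible.builtin.get_url:
        url: "https://{{ CLOUD_SERVER }}/s/{{ DOC_KEY }}/download"
        dest: "{{ WORKDIR }}/Documentation.md"

    # `copy_output is changed` gates every re-encrypt/distribute step below:
    # the archive is only rebuilt and sent out when the documentation differs.
    - name: Copy new documentation
      ansible.builtin.copy:
        src: "{{ WORKDIR }}/Documentation.md"
        dest: "{{ WORKDIR }}/secrets/bootstrap/Documentation.md"
      register: copy_output

    # Same legacy KDF as the extract task above (see NOTE there).
    - name: Create secrets.tar.gz.enc
      ansible.builtin.shell: "tar -czvpf - -C {{ WORKDIR }} secrets | openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -salt -out {{ WORKDIR }}/secrets.tar.gz.enc"
      when: copy_output is changed

    - name: Copy mail content
      ansible.builtin.copy:
        content: "Secrets archive has changed. New file attached."
        dest: "{{ WORKDIR }}/mail"
      when: copy_output is changed

    - name: Install python2
      ansible.builtin.package:
        name: python2
        state: present

    - name: Send mail with new secrets
      ansible.builtin.command: "/root/sendmail.py -a {{ WORKDIR }}/secrets.tar.gz.enc {{ WORKDIR }}/mail /root/mail_credentials.json"
      when: copy_output is changed

    - name: Copy new secrets in Nextcloud share
      ansible.builtin.copy:
        src: "{{ WORKDIR }}/secrets.tar.gz.enc"
        dest: /mnt/cloud/Passwords/secrets.tar.gz.enc
      when: copy_output is changed

    # `ansible_ssh_port` is the legacy spelling of `ansible_port`; it still
    # works but newer Ansible releases prefer the latter.
    - name: Create /mnt/archives_critiques/secrets directory on serveur-appart
      ansible.builtin.file:
        path: /mnt/archives_critiques/secrets
        state: directory
        owner: yohan
        group: yohan
      remote_user: yohan
      vars:
        ansible_ssh_port: 2224
      delegate_to: chez-yohan.scimetis.net
      become: true

    # The checksum suffixes the remote copy's name so successive archives
    # are kept side by side instead of overwriting each other.
    - name: Get checksum of secrets.tar.gz.enc
      ansible.builtin.stat:
        path: "{{ WORKDIR }}/secrets.tar.gz.enc"
      register: stats_output

    - name: Copy new secrets on serveur-appart
      ansible.builtin.copy:
        src: "{{ WORKDIR }}/secrets.tar.gz.enc"
        dest: "/mnt/archives_critiques/secrets/secrets.tar.gz.enc-{{ stats_output.stat.checksum }}"
      remote_user: yohan
      vars:
        ansible_ssh_port: 2224
      delegate_to: chez-yohan.scimetis.net

    - name: Clone repo
      ansible.builtin.git:
        repo: 'https://{{ GIT_SERVER }}/yohan/{{ item }}.git'
        dest: "{{ WORKDIR }}/{{ item }}"
      loop: "{{ bootstrap_repos }}"

    - name: Create backup directory
      ansible.builtin.file:
        path: "{{ WORKDIR }}/backup"
        state: directory

    - name: Archive Git repository
      ansible.builtin.command: "tar -czf {{ WORKDIR }}/backup/{{ item }}.tar.gz -C {{ WORKDIR }} {{ item }}"
      loop: "{{ bootstrap_repos }}"

    - name: Copy secrets in backup directory
      ansible.builtin.copy:
        src: "{{ WORKDIR }}/secrets.tar.gz.enc"
        dest: "{{ WORKDIR }}/backup/secrets.tar.gz.enc"

    # python3-swiftclient is a requirement of duplicity
    - name: Install python3-swiftclient
      ansible.builtin.package:
        name: python3-swiftclient
        state: present

    - name: Backup with duplicity
      ansible.builtin.command: "duplicity --num-retries 3 --full-if-older-than 1M --progress --archive-dir {{ ARCHIVE_DIR }} --name bootstrap --allow-source-mismatch '{{ WORKDIR }}/backup' swift://bootstrap"
      environment: "{{ duplicity_swift_env }}"

    - name: Clean old duplicity backups
      ansible.builtin.command: "duplicity remove-older-than 2M --archive-dir {{ ARCHIVE_DIR }} --name bootstrap --allow-source-mismatch --force swift://bootstrap"
      environment: "{{ duplicity_swift_env }}"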