113 lines
4.0 KiB
YAML
Executable File
113 lines
4.0 KiB
YAML
Executable File
---
|
|
- name: Assert environment variable is not empty
|
|
ansible.builtin.include_tasks: "tasks/assert_env_var_not_empty.yml"
|
|
with_items: "{{ BOOTSTRAP_REQUIRED_ENV_VARS }}"
|
|
|
|
- name: Assert variable is not empty
|
|
ansible.builtin.include_tasks: "tasks/assert_var_not_empty.yml"
|
|
with_items: "{{ BOOTSTRAP_REQUIRED_VARS }}"
|
|
|
|
- name: Download secrets.tar.gz.enc
|
|
ansible.builtin.get_url:
|
|
url: "https://{{ CLOUD_SERVER }}/s/{{ lookup('env','KEY') }}/download?path=%2F&files=secrets.tar.gz.enc"
|
|
dest: "{{ WORKDIR }}/secrets.tar.gz.enc"
|
|
|
|
- name: Create /root/.ssh directory
|
|
ansible.builtin.file:
|
|
path: /root/.ssh
|
|
state: directory
|
|
mode: '0700'
|
|
|
|
- name: Extract from secrets.tar.gz.enc
|
|
shell: "openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d -in {{ WORKDIR }}/secrets.tar.gz.enc | tar -zxv -C {{ WORKDIR }}"
|
|
|
|
- name: Change SSH private key permissions
|
|
ansible.builtin.file:
|
|
path: /root/.ssh/id_rsa
|
|
mode: '0400'
|
|
|
|
- name: Retrieve documentation
|
|
ansible.builtin.get_url:
|
|
url: "https://{{ CLOUD_SERVER }}/s/{{ lookup('env','DOC_KEY') }}/download"
|
|
dest: "{{ WORKDIR }}/Documentation.md"
|
|
|
|
- name: Copy new documentation
|
|
ansible.builtin.copy:
|
|
src: "{{ WORKDIR }}/Documentation.md"
|
|
dest: "{{ WORKDIR }}/secrets/bootstrap/Documentation.md"
|
|
register: copy_output
|
|
|
|
- name: Create secrets.tar.gz.enc
|
|
shell: "tar -czvpf - -C {{ WORKDIR }} secrets | openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -salt -out {{ WORKDIR }}/secrets.tar.gz.enc"
|
|
when: copy_output is changed
|
|
|
|
- name: Copy mail content
|
|
ansible.builtin.copy:
|
|
content: "Secrets archive has changed. New file attached."
|
|
dest: "{{ WORKDIR }}/mail"
|
|
when: copy_output is changed
|
|
|
|
- name: Install python2
|
|
ansible.builtin.package:
|
|
name: python2
|
|
state: present
|
|
|
|
- name: Send mail with new secrets
|
|
ansible.builtin.command: "files/sendmail.py -a {{ WORKDIR }}/secrets.tar.gz.enc {{ WORKDIR }}/mail /root/mail_credentials.json"
|
|
when: copy_output is changed
|
|
|
|
- name: Copy new secrets in Nextcloud share
|
|
ansible.builtin.copy:
|
|
src: "{{ WORKDIR }}/secrets.tar.gz.enc"
|
|
dest: /mnt/cloud/Passwords/secrets.tar.gz.enc
|
|
when: copy_output is changed
|
|
|
|
- name: Create /mnt/archives_critiques/secrets directory on serveur-appart
|
|
ansible.builtin.file:
|
|
path: /mnt/archives_critiques/secrets
|
|
state: directory
|
|
owner: yohan
|
|
group: yohan
|
|
remote_user: yohan
|
|
vars:
|
|
ansible_ssh_port: 2224
|
|
delegate_to: chez-yohan.scimetis.net
|
|
become: true
|
|
|
|
- name: Get checksum of secrets.tar.gz.enc
|
|
ansible.builtin.stat:
|
|
path: "{{ WORKDIR }}/secrets.tar.gz.enc"
|
|
register: stats_output
|
|
|
|
- name: Copy new secrets on serveur-appart
|
|
ansible.builtin.copy:
|
|
src: "{{ WORKDIR }}/secrets.tar.gz.enc"
|
|
dest: "/mnt/archives_critiques/secrets/secrets.tar.gz.enc-{{ stats_output.stat.checksum }}"
|
|
remote_user: yohan
|
|
vars:
|
|
ansible_ssh_port: 2224
|
|
delegate_to: chez-yohan.scimetis.net
|
|
|
|
- name: Clone repo
|
|
ansible.builtin.git:
|
|
repo: 'https://{{ GIT_SERVER }}/yohan/{{ item }}.git'
|
|
dest: "{{ WORKDIR }}/{{ item }}"
|
|
with_items: "{{ BOOTSTRAP_REPOS }}"
|
|
|
|
- name: Archive Git repository
|
|
ansible.builtin.command: "tar -czf {{ WORKDIR }}/backup/{{ item }}.tar.gz -C {{ WORKDIR }} {{ item }}"
|
|
with_items: "{{ BOOTSTRAP_REPOS }}"
|
|
|
|
- name: Copy secrets in backup directory
|
|
ansible.builtin.copy:
|
|
src: "{{ WORKDIR }}/secrets.tar.gz.enc"
|
|
dest: "{{ WORKDIR }}/backup/secrets.tar.gz.enc"
|
|
|
|
- name: Backup with duplicity
|
|
ansible.builtin.command: "duplicity --num-retries 3 --full-if-older-than 1M --progress --archive-dir {{ ARCHIVE_DIR }} --name {{ lookup('env','BACKUP_WORKFLOW') }} --allow-source-mismatch '{{ WORKDIR }}/backup' swift://{{ lookup('env','BACKUP_WORKFLOW') }}"
|
|
environment: "{{ DUPLICITY_ENVIRONMENT }}"
|
|
|
|
- name: Clean old duplicity backups
|
|
ansible.builtin.command: "duplicity remove-older-than 2M --archive-dir {{ ARCHIVE_DIR }} --name {{ lookup('env','BACKUP_WORKFLOW') }} --allow-source-mismatch --force swift://{{ lookup('env','BACKUP_WORKFLOW') }}"
|
|
environment: "{{ DUPLICITY_ENVIRONMENT }}"
|