124 lines
4.5 KiB
YAML
Executable File
124 lines
4.5 KiB
YAML
Executable File
---
|
|
- name: gen_bootstrap
|
|
hosts: localhost
|
|
gather_facts: false
|
|
vars_files: main.yml
|
|
tasks:
|
|
- name: Assert extra-vars are set
|
|
ansible.builtin.assert:
|
|
that:
|
|
- item | length > 0
|
|
msg: "{{ item }} environment variable must be set"
|
|
with_items:
|
|
- KEY
|
|
- DOC_KEY
|
|
- DUPLICITY_PASSPHRASE
|
|
|
|
- name: Assert SECRETS_ARCHIVE_PASSPHRASE environment variable is set
|
|
ansible.builtin.assert:
|
|
that:
|
|
- lookup('env','SECRETS_ARCHIVE_PASSPHRASE') | length > 0
|
|
msg: "SECRETS_ARCHIVE_PASSPHRASE environment variable must be set"
|
|
|
|
- name: Download secrets.tar.gz.enc
|
|
ansible.builtin.get_url:
|
|
url: "https://{{ CLOUD_SERVER }}/s/{{ KEY }}/download?path=%2F&files=secrets.tar.gz.enc"
|
|
dest: "{{ WORKDIR }}/secrets.tar.gz.enc"
|
|
|
|
- name: Install openssh-client
|
|
ansible.builtin.package:
|
|
name: openssh-client
|
|
state: present
|
|
|
|
- name: Create /root/.ssh directory
|
|
ansible.builtin.file:
|
|
path: /root/.ssh
|
|
state: directory
|
|
mode: '0700'
|
|
|
|
- name: Extract from secrets.tar.gz.enc
|
|
shell: "openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d -in {{ WORKDIR }}/secrets.tar.gz.enc | tar -zxv -C {{ WORKDIR }}"
|
|
|
|
- name: Change SSH private key permissions
|
|
ansible.builtin.file:
|
|
path: /root/.ssh/id_rsa
|
|
mode: '0400'
|
|
|
|
- name: Retrieve documentation
|
|
ansible.builtin.get_url:
|
|
url: "https://{{ CLOUD_SERVER }}/s/{{ DOC_KEY }}/download"
|
|
dest: "{{ WORKDIR }}/Documentation.md"
|
|
|
|
- name: Copy new documentation
|
|
ansible.builtin.copy:
|
|
src: "{{ WORKDIR }}/Documentation.md"
|
|
dest: "{{ WORKDIR }}/secrets/bootstrap/Documentation.md"
|
|
register: copy_output
|
|
|
|
- name: Create secrets.tar.gz.enc
|
|
shell: "tar -czvpf - -C {{ WORKDIR }} secrets | openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -salt -out {{ WORKDIR }}/secrets.tar.gz.enc"
|
|
when: copy_output is changed
|
|
|
|
- name: Copy mail content
|
|
ansible.builtin.copy:
|
|
content: "Secrets archive has changed. New file attached."
|
|
dest: "{{ WORKDIR }}/mail"
|
|
when: copy_output is changed
|
|
|
|
- name: Install python2
|
|
ansible.builtin.package:
|
|
name: python2
|
|
state: present
|
|
|
|
- name: Send mail with new secrets
|
|
ansible.builtin.command: "/root/sendmail.py -a {{ WORKDIR }}/secrets.tar.gz.enc {{ WORKDIR }}/mail /root/mail_credentials.json"
|
|
when: copy_output is changed
|
|
|
|
- name: Copy new secrets in Nextcloud share
|
|
ansible.builtin.copy:
|
|
src: "{{ WORKDIR }}/secrets.tar.gz.enc"
|
|
dest: /mnt/cloud/Passwords/secrets.tar.gz.enc
|
|
when: copy_output is changed
|
|
|
|
- name: Create /mnt/archives_critiques/secrets directory in serveur-appart
|
|
ansible.builtin.file:
|
|
path: /mnt/archives_critiques/secrets
|
|
state: directory
|
|
owner: yohan
|
|
group: yohan
|
|
remote_user: yohan
|
|
vars:
|
|
ansible_ssh_port: 2224
|
|
delegate_to: chez-yohan.scimetis.net
|
|
become: true
|
|
|
|
- name: Get checksum of secrets.tar.gz.enc
|
|
ansible.builtin.stat:
|
|
path: "{{ WORKDIR }}/secrets.tar.gz.enc"
|
|
register: stats_output
|
|
|
|
- debug: var=stats_output
|
|
|
|
#FILENAME=secrets.tar.gz.enc-$(sha1sum ${DIRECTORY}/secrets.tar.gz.enc | awk -F' ' '{print $1}')
|
|
#scp -P 2224 ${DIRECTORY}/secrets.tar.gz.enc yohan@chez-yohan.scimetis.net:/mnt/archives_critiques/secrets/$FILENAME
|
|
#rm -rf ${DIRECTORY}/secrets* ${DIRECTORY}/Documentation.md
|
|
#
|
|
#for name in docker-nextcloud-stack docker-reverse-proxy-stack docker-reverse-proxy docker-gogs-stack docker-mysql-stack docker-mysql systemd-mount-cinder-volume
|
|
#do
|
|
# git clone https://git.scimetis.net/yohan/${name}.git ${DIRECTORY}/${name}
|
|
# tar -czf ${DIRECTORY}/${name}.tar.gz -C ${DIRECTORY} ${name}
|
|
# rm -rf ${DIRECTORY}/${name}
|
|
#done
|
|
#
|
|
#ARCHIVE_DIR=/mnt/volumes/duplicity_cache/data
|
|
#export SWIFT_USERNAME=$OS_USERNAME
|
|
#export SWIFT_PASSWORD=$OS_PASSWORD
|
|
#export SWIFT_AUTHURL=$OS_AUTH_URL
|
|
#export SWIFT_AUTHVERSION=$OS_IDENTITY_API_VERSION
|
|
#export SWIFT_TENANTNAME=$OS_TENANT_NAME
|
|
#export SWIFT_REGIONNAME=$OS_REGION_NAME
|
|
#export PASSPHRASE=$DUPLICITY_PASSPHRASE
|
|
#duplicity --num-retries 3 --full-if-older-than 1M --progress --archive-dir ${ARCHIVE_DIR} --name bootstrap --allow-source-mismatch "${DIRECTORY}" swift://bootstrap
|
|
#duplicity remove-older-than 2M --archive-dir ${ARCHIVE_DIR} --name bootstrap --allow-source-mismatch --force swift://bootstrap
|
|
|