duplicity_playbooks/gen_bootstrap.yml

---
- name: gen_bootstrap
  hosts: localhost
  gather_facts: false
  vars_files: main.yml
  tasks: 
    - name: Assert extra-vars are set
      ansible.builtin.assert:
        that:
          - item | length > 0
        msg: "{{ item }} environment variable must be set"
      with_items:
        - KEY
        - DOC_KEY
        - DUPLICITY_PASSPHRASE
    
    - name: Assert SECRETS_ARCHIVE_PASSPHRASE environment variable is set
      ansible.builtin.assert:
        that:
          - lookup('env','SECRETS_ARCHIVE_PASSPHRASE') | length > 0
        msg: "SECRETS_ARCHIVE_PASSPHRASE environment variable must be set"
    
    - name: Download secrets.tar.gz.enc
      ansible.builtin.get_url:
        url: "https://{{ CLOUD_SERVER }}/s/{{ KEY }}/download?path=%2F&files=secrets.tar.gz.enc"
        dest: /mnt/volumes/tmp_duplicity_workdir/data/secrets.tar.gz.enc
    
    - name: Install openssh-client
      ansible.builtin.package:
        name: openssh-client
        state: present
    
    - name: Create /root/.ssh directory
      ansible.builtin.file:
        path: /root/.ssh
        state: directory
        mode: '0700'
    
    - name: Extract from secrets.tar.gz.enc
      shell: "openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d -in /mnt/volumes/tmp_duplicity_workdir/data/secrets.tar.gz.enc | tar -zxv -C /mnt/volumes/tmp_duplicity_workdir/data"

    - name: Change SSH private key permissions
      ansible.builtin.file:
        path: /root/.ssh/id_rsa
        mode: '0400'

    - name: Retrieve documentation
      ansible.builtin.get_url:
        url: "https://{{ CLOUD_SERVER }}/s/{{ DOC_KEY }}/download"
        dest: /mnt/volumes/tmp_duplicity_workdir/data/Documentation.md

    - name: Copy new documentation
      ansible.builtin.copy:
        src: /mnt/volumes/tmp_duplicity_workdir/data/Documentation.md
        dest: /mnt/volumes/tmp_duplicity_workdir/data/secrets/bootstrap/Documentation.md
      register: copy_output

    - name: Create secrets.tar.gz.enc
      shell: "tar -czvpf - -C /mnt/volumes/tmp_duplicity_workdir/data secrets | openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -salt -out /mnt/volumes/tmp_duplicity_workdir/data/secrets.tar.gz.enc"
      when: copy_output is changed

    - name: Copy mail content
      ansible.builtin.copy:
        content: "Secrets archive has changed. New file attached."
        dest: /mnt/volumes/tmp_duplicity_workdir/data/mail
      when: copy_output is changed

    - name: Install python2
      ansible.builtin.package:
        name: python2
        state: present

    - name: Send mail with new secrets
      ansible.builtin.command: /root/sendmail.py -a /mnt/volumes/tmp_duplicity_workdir/data/secrets.tar.gz.enc /mnt/volumes/tmp_duplicity_workdir/data/mail /root/mail_credentials.json
      when: copy_output is changed

    - name: Copy new secrets in Nextcloud share
      ansible.builtin.copy:
        src: /mnt/volumes/tmp_duplicity_workdir/data/secrets.tar.gz.enc
        dest: /mnt/cloud/Passwords/secrets.tar.gz.enc
      when: copy_output is changed