diff --git a/delete_ovh_instance.yml b/delete_ovh_instance.yml index 3600621..c12008d 100644 --- a/delete_ovh_instance.yml +++ b/delete_ovh_instance.yml @@ -11,8 +11,8 @@ - name: Retrieve secrets ansible.builtin.include_tasks: "tasks/retrieve_secret_vars.yml" - - name: Include OVH application credentials - ansible.builtin.include_vars: "{{ remote_workdir }}/OVH_APPLICATION.yml" + - name: Include secrets from yml db + ansible.builtin.include_vars: "{{ remote_workdir }}/secrets.yml" - name: include role_delete_openstack_instance ansible.builtin.include_role: diff --git a/deploy_ovh_instance.yml b/deploy_ovh_instance.yml index 7fc83d2..dcd7c4e 100644 --- a/deploy_ovh_instance.yml +++ b/deploy_ovh_instance.yml @@ -24,8 +24,8 @@ tags: - always - - name: Include OVH application credentials - ansible.builtin.include_vars: "{{ remote_workdir }}/OVH_APPLICATION.yml" + - name: Include secrets from yml db + ansible.builtin.include_vars: "{{ remote_workdir }}/secrets.yml" tags: - always diff --git a/roles/role_deploy_dovecot/tasks/main.yml b/roles/role_deploy_dovecot/tasks/main.yml index fdd53fa..f056cdf 100644 --- a/roles/role_deploy_dovecot/tasks/main.yml +++ b/roles/role_deploy_dovecot/tasks/main.yml @@ -82,7 +82,7 @@ - name: Template dovecot config files ansible.builtin.template: - src: "{{ item }}" + src: "{{ item }}.j2" dest: "/usr/local/docker-mounted-files/docker-mail-stack/{{ item }}" become: true with_items: diff --git a/roles/role_deploy_openvpn-server/tasks/main.yml b/roles/role_deploy_openvpn-server/tasks/main.yml index da49e6d..4ba1b9a 100644 --- a/roles/role_deploy_openvpn-server/tasks/main.yml +++ b/roles/role_deploy_openvpn-server/tasks/main.yml @@ -8,15 +8,39 @@ recurse: yes become: true +- name: Remove temp directory + ansible.builtin.file: + path: "{{ remote_workdir }}/openvpn-server_conf" + state: absent + recurse: yes + changed_when: false + become: true + +- name: Create temp directory + ansible.builtin.file: + path: "{{ remote_workdir }}/openvpn-server_conf/keys" + state: directory + recurse: yes + changed_when: false + become: true + - name: Extract openvpn keys from secrets.tar.gz.enc shell: "openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d -in {{ remote_workdir }}/secrets.tar.gz.enc | tar -zxv -C {{ item.dir }} --strip 4 {{ item.name }}" + changed_when: false with_items: - name: secrets/docker-OpenVPN-server-stack/conf/server_keys/ - dir: "/mnt/volumes/openvpn-server_conf/keys" + dir: "{{ remote_workdir }}/openvpn-server_conf/keys" environment: SECRETS_ARCHIVE_PASSPHRASE: "{{ lookup('env', 'SECRETS_ARCHIVE_PASSPHRASE') }}" become: true +- name: Copy openvpn keys + ansible.builtin.copy: + src: "{{ remote_workdir }}/openvpn-server_conf/keys" + dest: "/mnt/volumes/openvpn-server_conf/" + remote_src: yes + become: true + - name: Retrieve config repo ansible.builtin.git: repo: "ssh://git@git.scimetis.net:2222/yohan/config.git" diff --git a/tasks/mysql-server_install_from_backup_stage_1.yml b/tasks/mysql-server_install_from_backup_stage_1.yml index e55c80c..bdcb9c4 100644 --- a/tasks/mysql-server_install_from_backup_stage_1.yml +++ b/tasks/mysql-server_install_from_backup_stage_1.yml @@ -11,14 +11,13 @@ mode: '0755' become: true -- name: Extract from secrets.tar.gz.enc - shell: "openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d -in {{ remote_workdir }}/secrets.tar.gz.enc | tar -zxv -C {{ item.dir }} --strip 2 {{ item.name }}" - with_items: - - name: secrets/docker-mysql-stack/debian.cnf - dir: "/usr/local/docker-mounted-files/docker-mysql-server-stack" - environment: - SECRETS_ARCHIVE_PASSPHRASE: "{{ lookup('env', 'SECRETS_ARCHIVE_PASSPHRASE') }}" +- name: Template mysql config files + ansible.builtin.template: + src: "templates/{{ item }}.j2" + dest: "/usr/local/docker-mounted-files/docker-mysql-server-stack/{{ item }}" become: true + with_items: + - debian.cnf # A local volume is needed where other stacks will be able to copy scripts like Nextcloud's nettoyer_quotas.sh - name: Create /mnt/volumes/mysql-server_scripts directory diff --git a/tasks/retrieve_secret_vars.yml b/tasks/retrieve_secret_vars.yml index ffa7f3f..a9c3f61 100644 --- a/tasks/retrieve_secret_vars.yml +++ b/tasks/retrieve_secret_vars.yml @@ -83,39 +83,22 @@ - name: Extract from secrets.tar.gz.enc shell: "openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d -in {{ remote_workdir }}/secrets.tar.gz.enc | tar -zxv -C {{ item.dir }} --strip 2 {{ item.name }}" + changed_when: false with_items: - name: secrets/bootstrap/id_rsa dir: "{{ remote_workdir }}" - - name: secrets/bootstrap/openrc.sh - dir: "{{ remote_workdir }}" - - name: secrets/bootstrap/OVH_APPLICATION.yml - dir: "{{ remote_workdir }}" environment: SECRETS_ARCHIVE_PASSPHRASE: "{{ lookup('env', 'SECRETS_ARCHIVE_PASSPHRASE') }}" - name: Extract secrets.yml from secrets.tar.gz.enc shell: "openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d -in {{ remote_workdir }}/secrets.tar.gz.enc | tar -zxv -C {{ item.dir }} --strip 1 {{ item.name }}" + changed_when: false with_items: - name: secrets/secrets.yml dir: "{{ remote_workdir }}" environment: SECRETS_ARCHIVE_PASSPHRASE: "{{ lookup('env', 'SECRETS_ARCHIVE_PASSPHRASE') }}" -- name: Set OpenStack credentials - ansible.builtin.include_tasks: "tasks/source_vars.yml" - with_items: - - OS_AUTH_URL - - OS_IDENTITY_API_VERSION - - OS_USER_DOMAIN_NAME - - OS_PROJECT_DOMAIN_NAME - - OS_TENANT_ID - - OS_TENANT_NAME - - OS_USERNAME - - OS_PASSWORD - - OS_REGION_NAME - vars: - shell_script: "{{ remote_workdir }}/openrc.sh" -# #- name: download bootstrap # ansible.builtin.command: # cmd: duplicity restore swift://bootstrap {{ workdir }} diff --git a/templates/debian.cnf.j2 b/templates/debian.cnf.j2 new file mode 100644 index 0000000..28d3b3b --- /dev/null +++ b/templates/debian.cnf.j2 @@ -0,0 +1,12 @@ +# Automatically generated for Debian scripts. DO NOT TOUCH! +[client] +host = localhost +user = debian-sys-maint +password = {{ mysql_debian_sys_maint_password }} +socket = /var/run/mysqld/mysqld.sock +[mysql_upgrade] +host = localhost +user = debian-sys-maint +password = {{ mysql_debian_sys_maint_password }} +socket = /var/run/mysqld/mysqld.sock +basedir = /usr