Fix idempotency.

delete_ovh_instance.yml

@@ -11,8 +11,8 @@
     - name: Retrieve secrets
       ansible.builtin.include_tasks: "tasks/retrieve_secret_vars.yml"
 
-    - name: Include OVH application credentials
+    - name: Include secrets from yml db
-      ansible.builtin.include_vars: "{{ remote_workdir }}/OVH_APPLICATION.yml"
+      ansible.builtin.include_vars: "{{ remote_workdir }}/secrets.yml"
 
     - name: include role_delete_openstack_instance
       ansible.builtin.include_role:

deploy_ovh_instance.yml

@@ -24,8 +24,8 @@
       tags:
         - always
 
-    - name: Include OVH application credentials
+    - name: Include secrets from yml db
-      ansible.builtin.include_vars: "{{ remote_workdir }}/OVH_APPLICATION.yml"
+      ansible.builtin.include_vars: "{{ remote_workdir }}/secrets.yml"
       tags:
         - always
 

roles/role_deploy_dovecot/tasks/main.yml

@@ -82,7 +82,7 @@
 
 - name: Template dovecot config files 
   ansible.builtin.template:
-    src: "{{ item }}"
+    src: "{{ item }}.j2"
     dest: "/usr/local/docker-mounted-files/docker-mail-stack/{{ item }}"
   become: true
   with_items:

roles/role_deploy_openvpn-server/tasks/main.yml

@@ -8,15 +8,39 @@
     recurse: yes
   become: true
 
+- name: Remove temp directory
+  ansible.builtin.file:
+    path: "{{ remote_workdir }}/openvpn-server_conf"
+    state: absent
+    recurse: yes
+  changed_when: false
+  become: true
+
+- name: Create temp directory
+  ansible.builtin.file:
+    path: "{{ remote_workdir }}/openvpn-server_conf/keys"
+    state: directory
+    recurse: yes
+  changed_when: false
+  become: true
+
 - name: Extract openvpn keys from secrets.tar.gz.enc
   shell: "openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d -in {{ remote_workdir }}/secrets.tar.gz.enc | tar -zxv -C {{ item.dir }} --strip 4 {{ item.name }}"
+  changed_when: false
   with_items:
     - name: secrets/docker-OpenVPN-server-stack/conf/server_keys/
-      dir: "/mnt/volumes/openvpn-server_conf/keys"
+      dir: "{{ remote_workdir }}/openvpn-server_conf/keys"
   environment:
     SECRETS_ARCHIVE_PASSPHRASE: "{{ lookup('env', 'SECRETS_ARCHIVE_PASSPHRASE') }}"
   become: true
 
+- name: Copy openvpn keys
+  ansible.builtin.copy:
+    src: "{{ remote_workdir }}/openvpn-server_conf/keys"
+    dest: "/mnt/volumes/openvpn-server_conf/"
+    remote_src: yes
+  become: true
+
 - name: Retrieve config repo
   ansible.builtin.git:
     repo: "ssh://git@git.scimetis.net:2222/yohan/config.git"

tasks/mysql-server_install_from_backup_stage_1.yml

@@ -11,14 +11,13 @@
     mode: '0755'
   become: true
 
-- name: Extract from secrets.tar.gz.enc
+- name: Template mysql config files 
-  shell: "openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d -in {{ remote_workdir }}/secrets.tar.gz.enc | tar -zxv -C {{ item.dir }} --strip 2 {{ item.name }}"
+  ansible.builtin.template:
-  with_items:
+    src: "templates/{{ item }}.j2"
-    - name: secrets/docker-mysql-stack/debian.cnf
+    dest: "/usr/local/docker-mounted-files/docker-mysql-server-stack/{{ item }}"
-      dir: "/usr/local/docker-mounted-files/docker-mysql-server-stack"
-  environment:
-    SECRETS_ARCHIVE_PASSPHRASE: "{{ lookup('env', 'SECRETS_ARCHIVE_PASSPHRASE') }}"
   become: true
+  with_items:
+    - debian.cnf
 
 # A local volume is needed where other stacks will be able to copy scripts like Nextcloud's nettoyer_quotas.sh
 - name: Create /mnt/volumes/mysql-server_scripts directory

tasks/retrieve_secret_vars.yml

@@ -83,39 +83,22 @@
 
 - name: Extract from secrets.tar.gz.enc
   shell: "openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d -in {{ remote_workdir }}/secrets.tar.gz.enc | tar -zxv -C {{ item.dir }} --strip 2 {{ item.name }}"
+  changed_when: false
   with_items:
     - name: secrets/bootstrap/id_rsa
       dir: "{{ remote_workdir }}"
-    - name: secrets/bootstrap/openrc.sh
-      dir: "{{ remote_workdir }}"
-    - name: secrets/bootstrap/OVH_APPLICATION.yml
-      dir: "{{ remote_workdir }}"
   environment:
     SECRETS_ARCHIVE_PASSPHRASE: "{{ lookup('env', 'SECRETS_ARCHIVE_PASSPHRASE') }}"
 
 - name: Extract secrets.yml from secrets.tar.gz.enc
   shell: "openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d -in {{ remote_workdir }}/secrets.tar.gz.enc | tar -zxv -C {{ item.dir }} --strip 1 {{ item.name }}"
+  changed_when: false
   with_items:
     - name: secrets/secrets.yml
       dir: "{{ remote_workdir }}"
   environment:
     SECRETS_ARCHIVE_PASSPHRASE: "{{ lookup('env', 'SECRETS_ARCHIVE_PASSPHRASE') }}"
 
-- name: Set OpenStack credentials
-  ansible.builtin.include_tasks: "tasks/source_vars.yml"
-  with_items:
-    - OS_AUTH_URL
-    - OS_IDENTITY_API_VERSION
-    - OS_USER_DOMAIN_NAME
-    - OS_PROJECT_DOMAIN_NAME
-    - OS_TENANT_ID
-    - OS_TENANT_NAME
-    - OS_USERNAME
-    - OS_PASSWORD
-    - OS_REGION_NAME
-  vars:
-    shell_script: "{{ remote_workdir }}/openrc.sh"
-#
 #- name: download bootstrap
 #  ansible.builtin.command:
 #    cmd: duplicity restore swift://bootstrap {{ workdir }}

templates/debian.cnf.j2

@@ -0,0 +1,12 @@
+# Automatically generated for Debian scripts. DO NOT TOUCH!
+[client]
+host     = localhost
+user     = debian-sys-maint
+password = {{ mysql_debian_sys_maint_password }}
+socket   = /var/run/mysqld/mysqld.sock
+[mysql_upgrade]
+host     = localhost
+user     = debian-sys-maint
+password = {{ mysql_debian_sys_maint_password }}
+socket   = /var/run/mysqld/mysqld.sock
+basedir  = /usr