Fix idempotency.

This commit is contained in:
yohan 2024-06-20 14:05:41 +02:00
parent d314dc3533
commit bf086bc5d6
7 changed files with 50 additions and 32 deletions


@ -11,8 +11,8 @@
- name: Retrieve secrets - name: Retrieve secrets
ansible.builtin.include_tasks: "tasks/retrieve_secret_vars.yml" ansible.builtin.include_tasks: "tasks/retrieve_secret_vars.yml"
- name: Include OVH application credentials - name: Include secrets from yml db
ansible.builtin.include_vars: "{{ remote_workdir }}/OVH_APPLICATION.yml" ansible.builtin.include_vars: "{{ remote_workdir }}/secrets.yml"
- name: include role_delete_openstack_instance - name: include role_delete_openstack_instance
ansible.builtin.include_role: ansible.builtin.include_role:
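Review bot: The `include_vars` task on the new side now loads the whole `{{ remote_workdir }}/secrets.yml` store rather than only the OVH application credentials, and `ansible.builtin.include_vars` reports the loaded variables in its task result, so at higher verbosity (or in any saved play output) every secret in that file is printed. Add `no_log: true` to the task so the values never reach the log, e.g. `no_log: true` directly under the `ansible.builtin.include_vars:` line. The enclosing play continues outside the hunk.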


@ -24,8 +24,8 @@
tags: tags:
- always - always
- name: Include OVH application credentials - name: Include secrets from yml db
ansible.builtin.include_vars: "{{ remote_workdir }}/OVH_APPLICATION.yml" ansible.builtin.include_vars: "{{ remote_workdir }}/secrets.yml"
tags: tags:
- always - always
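Review bot: Same concern as the sibling playbook: the new `include_vars` of `{{ remote_workdir }}/secrets.yml` loads the full secrets file and, being tagged `always`, runs on every tag-filtered invocation, so its task result — which carries the loaded variables — can be printed under verbose runs. Add `no_log: true` to the task. The surrounding play is outside the hunk.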


@ -82,7 +82,7 @@
- name: Template dovecot config files - name: Template dovecot config files
ansible.builtin.template: ansible.builtin.template:
src: "{{ item }}" src: "{{ item }}.j2"
dest: "/usr/local/docker-mounted-files/docker-mail-stack/{{ item }}" dest: "/usr/local/docker-mounted-files/docker-mail-stack/{{ item }}"
become: true become: true
with_items: with_items:


@ -8,15 +8,39 @@
recurse: yes recurse: yes
become: true become: true
- name: Remove temp directory
ansible.builtin.file:
path: "{{ remote_workdir }}/openvpn-server_conf"
state: absent
recurse: yes
changed_when: false
become: true
- name: Create temp directory
ansible.builtin.file:
path: "{{ remote_workdir }}/openvpn-server_conf/keys"
state: directory
recurse: yes
changed_when: false
become: true
- name: Extract openvpn keys from secrets.tar.gz.enc - name: Extract openvpn keys from secrets.tar.gz.enc
shell: "openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d -in {{ remote_workdir }}/secrets.tar.gz.enc | tar -zxv -C {{ item.dir }} --strip 4 {{ item.name }}" shell: "openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d -in {{ remote_workdir }}/secrets.tar.gz.enc | tar -zxv -C {{ item.dir }} --strip 4 {{ item.name }}"
changed_when: false
with_items: with_items:
- name: secrets/docker-OpenVPN-server-stack/conf/server_keys/ - name: secrets/docker-OpenVPN-server-stack/conf/server_keys/
dir: "/mnt/volumes/openvpn-server_conf/keys" dir: "{{ remote_workdir }}/openvpn-server_conf/keys"
environment: environment:
SECRETS_ARCHIVE_PASSPHRASE: "{{ lookup('env', 'SECRETS_ARCHIVE_PASSPHRASE') }}" SECRETS_ARCHIVE_PASSPHRASE: "{{ lookup('env', 'SECRETS_ARCHIVE_PASSPHRASE') }}"
become: true become: true
- name: Copy openvpn keys
ansible.builtin.copy:
src: "{{ remote_workdir }}/openvpn-server_conf/keys"
dest: "/mnt/volumes/openvpn-server_conf/"
remote_src: yes
become: true
- name: Retrieve config repo - name: Retrieve config repo
ansible.builtin.git: ansible.builtin.git:
repo: "ssh://git@git.scimetis.net:2222/yohan/config.git" repo: "ssh://git@git.scimetis.net:2222/yohan/config.git"
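Review bot: The new `Copy openvpn keys` task sets no `mode`, and `ansible.builtin.copy` with `remote_src: yes` does not carry the source permissions over unless told to, so with `become: true` the server private keys written under `/mnt/volumes/openvpn-server_conf/keys` are created with the remote umask (typically world-readable 0644). The plaintext keys also remain in `{{ remote_workdir }}/openvpn-server_conf/keys` after the play, because the new `Remove temp directory` task runs before extraction rather than after the copy; a cleanup task after the copy keeps them on disk only for the duration of the run. Note too that `recurse: yes` on the `state: absent` task has no effect, since `recurse` only applies to `state: directory`. Whether `mode: preserve` is restrictive enough depends on the modes stored in the archive — verify them. The task list continues outside the hunk.
```yaml
- name: Copy openvpn keys
  ansible.builtin.copy:
    src: "{{ remote_workdir }}/openvpn-server_conf/keys"
    dest: "/mnt/volumes/openvpn-server_conf/"
    remote_src: yes
    mode: preserve
  become: true
# Do not leave the decrypted private keys lying in the work directory.
- name: Remove temp directory with plaintext keys
  ansible.builtin.file:
    path: "{{ remote_workdir }}/openvpn-server_conf"
    state: absent
  changed_when: false
  become: true
# … unchanged: Retrieve config repo …
```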


@ -11,14 +11,13 @@
mode: '0755' mode: '0755'
become: true become: true
- name: Extract from secrets.tar.gz.enc - name: Template mysql config files
shell: "openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d -in {{ remote_workdir }}/secrets.tar.gz.enc | tar -zxv -C {{ item.dir }} --strip 2 {{ item.name }}" ansible.builtin.template:
with_items: src: "templates/{{ item }}.j2"
- name: secrets/docker-mysql-stack/debian.cnf dest: "/usr/local/docker-mounted-files/docker-mysql-server-stack/{{ item }}"
dir: "/usr/local/docker-mounted-files/docker-mysql-server-stack"
environment:
SECRETS_ARCHIVE_PASSPHRASE: "{{ lookup('env', 'SECRETS_ARCHIVE_PASSPHRASE') }}"
become: true become: true
with_items:
- debian.cnf
# A local volume is needed where other stacks will be able to copy scripts like Nextcloud's nettoyer_quotas.sh # A local volume is needed where other stacks will be able to copy scripts like Nextcloud's nettoyer_quotas.sh
- name: Create /mnt/volumes/mysql-server_scripts directory - name: Create /mnt/volumes/mysql-server_scripts directory
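Review bot: The new `Template mysql config files` task renders `debian.cnf`, which carries the `debian-sys-maint` password, without a `mode`, so the file is created with the remote umask default (typically 0644) and is readable by every local user on the host. Add `mode: "0600"` (plus the matching `owner`/`group` if the container reads it as a non-root user) under the `ansible.builtin.template:` block; Debian itself installs `/etc/mysql/debian.cnf` root-only 0600. The `mode: '0755'` visible above belongs to the preceding directory task, not to this file. The task list continues outside the hunk.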


@ -83,39 +83,22 @@
- name: Extract from secrets.tar.gz.enc - name: Extract from secrets.tar.gz.enc
shell: "openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d -in {{ remote_workdir }}/secrets.tar.gz.enc | tar -zxv -C {{ item.dir }} --strip 2 {{ item.name }}" shell: "openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d -in {{ remote_workdir }}/secrets.tar.gz.enc | tar -zxv -C {{ item.dir }} --strip 2 {{ item.name }}"
changed_when: false
with_items: with_items:
- name: secrets/bootstrap/id_rsa - name: secrets/bootstrap/id_rsa
dir: "{{ remote_workdir }}" dir: "{{ remote_workdir }}"
- name: secrets/bootstrap/openrc.sh
dir: "{{ remote_workdir }}"
- name: secrets/bootstrap/OVH_APPLICATION.yml
dir: "{{ remote_workdir }}"
environment: environment:
SECRETS_ARCHIVE_PASSPHRASE: "{{ lookup('env', 'SECRETS_ARCHIVE_PASSPHRASE') }}" SECRETS_ARCHIVE_PASSPHRASE: "{{ lookup('env', 'SECRETS_ARCHIVE_PASSPHRASE') }}"
- name: Extract secrets.yml from secrets.tar.gz.enc - name: Extract secrets.yml from secrets.tar.gz.enc
shell: "openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d -in {{ remote_workdir }}/secrets.tar.gz.enc | tar -zxv -C {{ item.dir }} --strip 1 {{ item.name }}" shell: "openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d -in {{ remote_workdir }}/secrets.tar.gz.enc | tar -zxv -C {{ item.dir }} --strip 1 {{ item.name }}"
changed_when: false
with_items: with_items:
- name: secrets/secrets.yml - name: secrets/secrets.yml
dir: "{{ remote_workdir }}" dir: "{{ remote_workdir }}"
environment: environment:
SECRETS_ARCHIVE_PASSPHRASE: "{{ lookup('env', 'SECRETS_ARCHIVE_PASSPHRASE') }}" SECRETS_ARCHIVE_PASSPHRASE: "{{ lookup('env', 'SECRETS_ARCHIVE_PASSPHRASE') }}"
- name: Set OpenStack credentials
ansible.builtin.include_tasks: "tasks/source_vars.yml"
with_items:
- OS_AUTH_URL
- OS_IDENTITY_API_VERSION
- OS_USER_DOMAIN_NAME
- OS_PROJECT_DOMAIN_NAME
- OS_TENANT_ID
- OS_TENANT_NAME
- OS_USERNAME
- OS_PASSWORD
- OS_REGION_NAME
vars:
shell_script: "{{ remote_workdir }}/openrc.sh"
#
#- name: download bootstrap #- name: download bootstrap
# ansible.builtin.command: # ansible.builtin.command:
# cmd: duplicity restore swift://bootstrap {{ workdir }} # cmd: duplicity restore swift://bootstrap {{ workdir }}
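Review bot: The decryption command kept on the new side, `openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d`, derives the key with OpenSSL's legacy single-pass MD5 `EVP_BytesToKey` and provides no integrity check, so an offline guess at the passphrase costs about one MD5 per attempt and a tampered archive is not detected before `tar` unpacks it into `{{ remote_workdir }}`. Both sides of the hunk carry this, so it is not introduced here, but since the archive layout is being reworked this is the moment to re-encrypt with `-pbkdf2 -iter 100000` (same flags on encrypt and decrypt) or move to an authenticated format such as `age` or a GPG symmetric message. The extracted `id_rsa` and `secrets.yml` are also left in plaintext in `{{ remote_workdir }}` with no cleanup task in this hunk. The task list continues outside the hunk.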

12
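--- /dev/null
+++ b/templates/debian.cnf.j2
@@ -0,0 +1,12 @@
+# Automatically generated for Debian scripts. DO NOT TOUCH!
+[client]
+host = localhost
+user = debian-sys-maint
+password = {{ mysql_debian_sys_maint_password }}
+socket = /var/run/mysqld/mysqld.sock
+[mysql_upgrade]
+host = localhost
+user = debian-sys-maint
+password = {{ mysql_debian_sys_maint_password }}
+socket = /var/run/mysqld/mysqld.sock
+basedir = /usr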
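Review bot: `password = {{ mysql_debian_sys_maint_password }}` is substituted unquoted into a MySQL option file, where a `#` or `;` can start a comment mid-line and surrounding whitespace is stripped, so a generated secret containing those characters would be silently truncated or misparsed. Quote the value on both `password` lines, `password = "{{ mysql_debian_sys_maint_password }}"`, keeping in mind that backslashes inside a quoted option value are escape sequences, or constrain the character set used when the secret is generated. The header comment is now misleading since the file is rendered by Ansible; replace it with `# Managed by Ansible (templates/debian.cnf.j2) - edit the template, not this file.`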