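---
# Bootstraps a per-user deploy workdir on the target host and seeds it with
# the project's secrets.
#
# Flow:
#   1. Read /etc/machine-id on the controller and on the target, so tasks
#      that only make sense when the two are different machines (local
#      workdir creation, copy to remote) can be skipped otherwise.
#   2. Create the workdirs (owner-only, they will hold private keys).
#   3. Find the newest "secrets.tar.gz.enc-*" archive on SECRET_HOST and
#      fetch it to the controller; fail early if nothing could be retrieved.
#   4. Copy the archive to the target, decrypt it with openssl and extract the
#      bootstrap files plus secrets.yml.
#   5. Source the OpenStack variables from the extracted openrc.sh.
#
# Variables expected from the caller or the controller environment:
#   LINUX_USERNAME, SECRET_SSH_PORT, SECRET_HOST  - where the archive is stored
#   SECRETS_ARCHIVE_PASSPHRASE (controller env)   - passphrase for the archive
#   ansible_user_id                               - needs gathered facts
#
# NOTE(review): nothing in this file removes the decrypted material from the
# workdirs afterwards - confirm that a later task or role cleans them up.

- name: get local machine-id
  ansible.builtin.command: cat /etc/machine-id
  register: get_local_machine_id_output
  changed_when: false  # read-only probe; never report "changed"
  delegate_to: localhost

- name: set local machine-id
  ansible.builtin.set_fact:
    local_system_uuid: "{{ get_local_machine_id_output.stdout }}"
  delegate_to: localhost

- name: get remote machine-id
  ansible.builtin.command: cat /etc/machine-id
  register: get_remote_machine_id_output
  changed_when: false  # read-only probe; never report "changed"

- name: set remote machine-id
  ansible.builtin.set_fact:
    remote_system_uuid: "{{ get_remote_machine_id_output.stdout }}"

- name: set remote workdir path
  ansible.builtin.set_fact:
    # NOTE(review): assumes the login user's home lives under /home - confirm
    # for the target hosts before relying on it.
    remote_workdir: "/home/{{ ansible_user_id }}/.tmp_deploy_ovh"

- name: set local workdir path
  ansible.builtin.set_fact:
    # lookup() is evaluated on the controller, so this is the controller
    # user's home even though the task is not delegated.
    local_workdir: "/home/{{ lookup('env', 'USER') }}/.tmp_deploy_ovh"

- name: create remote workdir
  ansible.builtin.file:
    path: "{{ remote_workdir }}"
    state: directory
    mode: "0700"  # holds id_rsa and passphrases once extracted; owner-only

- name: create local workdir
  ansible.builtin.file:
    path: "{{ local_workdir }}"
    state: directory
    mode: "0700"  # holds the fetched encrypted archive; owner-only
  delegate_to: localhost
  # Only needed when the controller is a different machine than the target.
  when: local_system_uuid != remote_system_uuid

- name: Find secret files
  ansible.builtin.find:
    paths: "/mnt/archives_critiques/secrets"
    patterns: 'secrets.tar.gz.enc-*'
  register: find_secret_files_output
  remote_user: "{{ LINUX_USERNAME }}"
  vars:
    ansible_ssh_port: "{{ SECRET_SSH_PORT }}"
  delegate_to: "{{ SECRET_HOST }}"
  # A failure here is tolerated on purpose: the operator may provide the
  # archive by hand, which the assert further down checks for.
  ignore_errors: true

- name: Fetch secrets
  ansible.builtin.fetch:
    # Newest archive (by mtime) wins.
    src: "{{ (find_secret_files_output.files | sort(attribute='mtime') | last).path }}"
    dest: "{{ local_workdir }}/secrets.tar.gz.enc"
    flat: true
  remote_user: "{{ LINUX_USERNAME }}"
  vars:
    ansible_ssh_port: "{{ SECRET_SSH_PORT }}"
  delegate_to: "{{ SECRET_HOST }}"
  # default([]) keeps this condition evaluable when the find task above
  # failed and its registered result carries no `files` key; without it the
  # template itself would error instead of skipping the task.
  when: (find_secret_files_output.files | default([])) | length > 0
  ignore_errors: true

- name: Check local secrets.tar.gz.enc status
  ansible.builtin.stat:
    path: "{{ local_workdir }}/secrets.tar.gz.enc"
  register: local_stat_result
  delegate_to: localhost

- name: Assert that local secrets.tar.gz.enc exists
  ansible.builtin.assert:
    that:
      - local_stat_result.stat.exists
    fail_msg: >-
      ERROR: Could not auto-retrieve secrets.tar.gz.enc.
      Please copy it in {{ local_workdir }} on Ansible controller and restart the playbook.
  delegate_to: localhost

- name: Copy secrets to remote server
  ansible.builtin.copy:
    src: "{{ local_workdir }}/secrets.tar.gz.enc"
    dest: "{{ remote_workdir }}/secrets.tar.gz.enc"
    mode: "0600"  # encrypted, but still keep it owner-only on the target
  # When controller and target are the same machine the file is already there.
  when: local_system_uuid != remote_system_uuid

# Decryption notes (both extraction tasks):
#  - The passphrase reaches openssl through the environment (`-pass env:...`),
#    not argv, so it does not appear in the process list.
#  - `-md md5` selects openssl's legacy EVP_BytesToKey key derivation (a
#    single MD5 pass, no PBKDF2). It has to match how the archive was
#    produced, so switch to `-pbkdf2` only together with re-encrypting the
#    archive.
#  - `tar -v` lists the extracted file names in the task output; add
#    `no_log: true` if that listing or openssl's error text is considered
#    sensitive in your job logs.
- name: Extract from secrets.tar.gz.enc
  ansible.builtin.shell: >-
    openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d
    -in {{ remote_workdir }}/secrets.tar.gz.enc
    | tar -zxv -C {{ item.dir }} --strip 2 {{ item.name }}
  loop:
    - name: secrets/bootstrap/id_rsa
      dir: "{{ remote_workdir }}"
    - name: secrets/bootstrap/openrc.sh
      dir: "{{ remote_workdir }}"
    - name: secrets/bootstrap/OVH_APPLICATION.yml
      dir: "{{ remote_workdir }}"
    - name: secrets/bootstrap/duplicity_passphrase
      dir: "{{ remote_workdir }}"
  environment:
    SECRETS_ARCHIVE_PASSPHRASE: "{{ lookup('env', 'SECRETS_ARCHIVE_PASSPHRASE') }}"

- name: Extract secrets.yml from secrets.tar.gz.enc
  ansible.builtin.shell: >-
    openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d
    -in {{ remote_workdir }}/secrets.tar.gz.enc
    | tar -zxv -C {{ item.dir }} --strip 1 {{ item.name }}
  loop:
    - name: secrets/secrets.yml
      dir: "{{ remote_workdir }}"
  environment:
    SECRETS_ARCHIVE_PASSPHRASE: "{{ lookup('env', 'SECRETS_ARCHIVE_PASSPHRASE') }}"

- name: Set OpenStack credentials
  # tasks/source_vars.yml is run once per variable name below, with the name
  # available as `item` and the script to source as `shell_script`.
  ansible.builtin.include_tasks: "tasks/source_vars.yml"
  loop:
    - OS_AUTH_URL
    - OS_IDENTITY_API_VERSION
    - OS_USER_DOMAIN_NAME
    - OS_PROJECT_DOMAIN_NAME
    - OS_TENANT_ID
    - OS_TENANT_NAME
    - OS_USERNAME
    - OS_PASSWORD
    - OS_REGION_NAME
  vars:
    shell_script: "{{ remote_workdir }}/openrc.sh"

# Kept for reference; currently disabled.
# NOTE(review): the PYTHONPATH override below re-enables loading modules from
# a user-writable directory, which is exactly what duplicity's "-s" guards
# against. If this task is revived, prefer installing the needed modules
# system-wide over overriding the interpreter flag.
#
#- name: download bootstrap
#  ansible.builtin.command:
#    cmd: duplicity restore swift://bootstrap {{ workdir }}
#  environment:
#    SWIFT_USERNAME: "{{ OS_USERNAME }}"
#    SWIFT_PASSWORD: "{{ OS_PASSWORD }}"
#    SWIFT_AUTHURL: "{{ OS_AUTH_URL }}"
#    SWIFT_REGIONNAME: "{{ SWIFT_REGIONNAME }}"
#    SWIFT_TENANTNAME: "{{ OS_TENANT_NAME }}"
#    SWIFT_AUTHVERSION: "{{ OS_IDENTITY_API_VERSION }}"
#    PASSPHRASE: "{{ DUPLICITY_PASSPHRASE}}"
#    # /usr/bin/duplicity uses "-s" python argument to prevent loading modules from user's python directory,
#    # this variable will override that.
#    PYTHONPATH: ".local/lib/python3.9/site-packages"
#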