---
# Stop the systemd unit that wraps the global-cron container so the container
# can be recreated further down. A host that never had the unit installed
# reports "Could not find the requested service", which is tolerated; any other
# failure (e.g. the unit exists but refuses to stop) still fails the play.
- name: Stop container service
  become: true
  ansible.builtin.systemd:
    name: container-global-cron
    state: stopped
  register: result_global_cron_systemd_stop
  failed_when: >-
    result_global_cron_systemd_stop is failed
    and 'Could not find the requested service' not in result_global_cron_systemd_stop.msg
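# The systemd stop above should leave no global-cron container behind; this
# listing feeds the assertion that follows. NOTE(review): podman's "name"
# filter is a pattern match, not an exact match, so a container whose name
# merely contains "global-cron" would also be listed — anchor the pattern if
# such names can exist on the host.
- name: Check if global-cron container is running
  ansible.builtin.command: 'podman ps -q --filter "name=global-cron"'
  changed_when: false
  register: podman_ps
  become: true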
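# Refuse to continue while a global-cron container is still running: the stack
# directory and the files mounted into the container are rewritten below.
# fail_msg names the offending container ids so the operator does not have to
# re-run the listing by hand.
- name: Assert that no global-cron container is running
  ansible.builtin.assert:
    that:
      - podman_ps.stdout_lines | length == 0
    fail_msg: "A global-cron container is still running: {{ podman_ps.stdout_lines | join(', ') }}"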
# Host-side directory whose contents are bind-mounted into the container by
# the "Create cron container" task; world-readable but only root may write.
- name: Create /usr/local/docker-mounted-files/docker-global-cron-stack directory
  become: true
  ansible.builtin.file:
    state: directory
    path: /usr/local/docker-mounted-files/docker-global-cron-stack
    mode: '0755'
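# Private key the cron jobs use for SSH. dest is a directory, so the file keeps
# the basename of PRIVATE_KEY_FILE; the container task mounts
# .../docker-global-cron-stack/id_rsa, so that basename is expected to be
# id_rsa — TODO confirm against the inventory. The mode is quoted so the YAML
# parser cannot reinterpret it, and diff output is disabled so the key material
# is never printed in a --diff run.
- name: Deploy SSH private key
  ansible.builtin.copy:
    src: "{{ PRIVATE_KEY_FILE }}"
    dest: /usr/local/docker-mounted-files/docker-global-cron-stack/
    mode: '0600'
    owner: root
    group: root
  diff: false
  become: true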
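# SSH client config consumed inside the container at /root/.ssh/config (see the
# volume list in "Create cron container"). A relative src is looked up in the
# role/playbook files/ directory. The mode is quoted so the YAML parser cannot
# reinterpret the leading zero.
- name: Deploy SSH config
  ansible.builtin.copy:
    src: config
    dest: /usr/local/docker-mounted-files/docker-global-cron-stack/
    mode: '0600'
    owner: root
    group: root
  become: true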
# Scripts directory mounted at /root/scripts inside the container; the
# decrypted cron scripts are installed here by the "Copy cron files" task.
- name: Create /usr/local/docker-mounted-files/docker-global-cron-stack/scripts directory
  become: true
  ansible.builtin.file:
    state: directory
    path: /usr/local/docker-mounted-files/docker-global-cron-stack/scripts
    mode: '0755'
# Start from a clean scratch area so nothing left over from a previous run can
# be copied into the stack directory. changed_when is pinned to false because
# the directory is transient bookkeeping, not managed state.
- name: Remove temp directory
  become: true
  ansible.builtin.file:
    state: absent
    path: "{{ remote_workdir }}/cron"
  changed_when: false
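# Scratch area for the decrypted files. The boolean is written as true rather
# than yes so every YAML parser reads it the same way. recurse is kept from the
# original task; with no owner/mode given it has nothing to apply to a freshly
# created directory — TODO confirm it can be dropped.
- name: Create temp directory
  ansible.builtin.file:
    path: "{{ remote_workdir }}/cron"
    state: directory
    recurse: true
  changed_when: false
  become: true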
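# Pull the per-host cron files out of the encrypted archive staged in
# remote_workdir. The two original tasks only differed in tar's --strip depth,
# so they are merged and the depth travels with each item (the scripts sit one
# directory deeper than crontab.yaml). The passphrase reaches openssl through
# the environment (env:SECRETS_ARCHIVE_PASSPHRASE), so it is not part of the
# command line; lookup('env', ...) resolves it on the controller, and an unset
# variable yields an empty passphrase that makes the decryption fail.
# NOTE(review): "-md md5" selects OpenSSL's legacy key derivation, which is
# weak; it is kept only because the archive was produced with it. When the
# archive is re-encrypted (e.g. with -pbkdf2) this flag must change in
# lock-step. Interpolated paths are passed through the quote filter so a
# workdir containing spaces or shell metacharacters cannot split the command.
- name: Extract cron files from secrets.tar.gz.enc
  ansible.builtin.shell: >-
    openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d
    -in {{ (remote_workdir ~ '/secrets.tar.gz.enc') | quote }} |
    tar -zxv -C {{ item.dir | quote }} --strip {{ item.strip }} {{ item.name | quote }}
  changed_when: false
  loop:
    - name: secrets/docker-cron-global-stack_ovh1/scripts/duplicity.sh
      dir: "{{ remote_workdir }}/cron"
      strip: 3
    - name: secrets/docker-cron-global-stack_ovh1/scripts/update_edf_prices.sh
      dir: "{{ remote_workdir }}/cron"
      strip: 3
    - name: secrets/docker-cron-global-stack_ovh1/crontab.yaml
      dir: "{{ remote_workdir }}/cron"
      strip: 2
  environment:
    SECRETS_ARCHIVE_PASSPHRASE: "{{ lookup('env', 'SECRETS_ARCHIVE_PASSPHRASE') }}"
  become: true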
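# Install the decrypted files into the stack directory with deliberately tight
# permissions: owner (root) may write/execute, the group may read, others get
# nothing. remote_src is required because the source is the scratch directory
# on the managed host, not a file on the controller; it is written as true
# rather than yes so every YAML parser reads it the same way.
- name: Copy cron files
  ansible.builtin.copy:
    src: "{{ remote_workdir }}/cron/{{ item.name }}"
    dest: "{{ item.dir }}"
    remote_src: true
    owner: root
    group: root
    mode: "{{ item.mode }}"
  loop:
    - name: duplicity.sh
      dir: /usr/local/docker-mounted-files/docker-global-cron-stack/scripts/
      mode: "u=rwx,g=r,o="
    - name: update_edf_prices.sh
      dir: /usr/local/docker-mounted-files/docker-global-cron-stack/scripts/
      mode: "u=rwx,g=r,o="
    - name: crontab.yaml
      dir: /usr/local/docker-mounted-files/docker-global-cron-stack/
      mode: "u=rw,g=r,o="
  become: true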
# podman logout is needed before podman login if registry was recreated
- name: Logout from {{ private_registry_domain }}
  become: true
  containers.podman.podman_logout:
    registry: "{{ private_registry_domain }}"
  # We ignore failures because the image should be in the cache
  failed_when: false
  changed_when: false
# Authenticate to the private registry so the image pull in "Create cron
# container" can succeed. Failures are tolerated because a cached image still
# lets the container be (re)created. NOTE(review): the password is presumably
# masked by the module's own no_log handling of that parameter — verify in
# verbose output before relying on it.
- name: Login to {{ private_registry_domain }} and create ${XDG_RUNTIME_DIR}/containers/auth.json
  become: true
  containers.podman.podman_login:
    registry: "{{ private_registry_domain }}"
    username: "{{ private_registry_user }}"
    password: "{{ private_registry_password }}"
  # We ignore failures because the image should be in the cache
  failed_when: false
  changed_when: false
# Define (but do not start) the global-cron container and write a systemd unit
# for it under /etc/systemd/system; presumably that unit is the
# container-global-cron service stopped at the top of this file — verify the
# generated unit name. The container gets host networking and the root SSH key
# and config mounted in, so anything that runs inside it effectively holds that
# key; :Z only applies an SELinux label and does not make a mount read-only.
# NOTE(review): the image is pinned by a mutable tag; pinning by digest
# ("{{ private_registry_domain }}/cron@sha256:<DIGEST>") would make the
# deployment reproducible and tamper-evident. No digest is recorded here.
- name: Create cron container
  become: true
  containers.podman.podman_container:
    name: global-cron
    state: present
    image: "{{ private_registry_domain }}/cron:3e98b9758b"
    network:
      - host
    volume:
      - /usr/local/docker-mounted-files/docker-global-cron-stack/crontab.yaml:/root/crontab.yaml:Z
      - /usr/local/docker-mounted-files/docker-global-cron-stack/id_rsa:/root/.ssh/id_rsa:Z
      - /usr/local/docker-mounted-files/docker-global-cron-stack/config:/root/.ssh/config:Z
      - /usr/local/docker-mounted-files/docker-global-cron-stack/scripts:/root/scripts:Z
    generate_systemd:
      path: /etc/systemd/system

# Starting and enabling the generated unit is not done in this file; the
# original task is kept below, commented out, for reference.
#- name: start/enable container service
#  ansible.builtin.systemd:
#    daemon-reload: true
#    name: container-global-cron
#    state: started
#    enabled: true
#  become: true