ovh_instance_playbooks/tasks/retrieve_secret_vars.yml

---
# Read /etc/machine-id on the controller and on the target so later tasks
# can tell whether both are the same box. Exposed as the facts
# local_system_uuid and remote_system_uuid; `cat` is read-only, hence
# changed_when: false on both commands.
- name: get local machine-id
  ansible.builtin.command: cat /etc/machine-id
  register: controller_machine_id
  delegate_to: localhost
  changed_when: false

- name: set local machine-id
  ansible.builtin.set_fact:
    local_system_uuid: "{{ controller_machine_id.stdout }}"
  delegate_to: localhost

- name: get remote machine-id
  ansible.builtin.command: cat /etc/machine-id
  register: target_machine_id
  changed_when: false

- name: set remote machine-id
  ansible.builtin.set_fact:
    remote_system_uuid: "{{ target_machine_id.stdout }}"
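# Scratch directories for the encrypted archive and for the files extracted
# from it. Both end up holding secrets, so they are created with mode 0700:
# the module default follows the umask and is typically world-readable.
- name: set remote workdir path
  ansible.builtin.set_fact:
    # Home of the SSH user on the target; assumes a /home/<user> layout.
    remote_workdir: "/home/{{ ansible_user }}/.tmp_deploy_ovh"

- name: set local workdir path
  ansible.builtin.set_fact:
    # $HOME of whoever runs ansible-playbook on the controller. Using HOME
    # instead of /home/$USER stays correct for root, macOS and custom
    # home layouts; identical result when HOME is /home/$USER.
    local_workdir: "{{ lookup('env', 'HOME') }}/.tmp_deploy_ovh"

- name: create remote workdir
  ansible.builtin.file:
    path: "{{ remote_workdir }}"
    state: directory
    mode: "0700"

- name: create local workdir
  ansible.builtin.file:
    path: "{{ local_workdir }}"
    state: directory
    mode: "0700"
  delegate_to: localhost
  # Skipped when controller and target are the same machine; the remote
  # workdir task above is then expected to have created it (presumably the
  # same user on both sides -- TODO confirm).
  when: local_system_uuid != remote_system_uuid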
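# Best-effort retrieval of the newest encrypted archive from the dedicated
# secrets host. Both tasks run on SECRET_HOST with its own SSH user/port and
# both ignore errors: if nothing could be fetched, the assert further down
# asks the operator to place the archive in local_workdir by hand.
- name: Find secret files
  ansible.builtin.find:
    paths: /mnt/archives_critiques/secrets
    patterns: 'secrets.tar.gz.enc-*'
  register: find_secret_files_output
  remote_user: "{{ LINUX_USERNAME }}"
  vars:
    ansible_ssh_port: "{{ SECRET_SSH_PORT }}"
  delegate_to: "{{ SECRET_HOST }}"
  ignore_errors: true

- name: Fetch secrets
  ansible.builtin.fetch:
    # Newest archive by mtime; the filename suffix is not interpreted.
    src: "{{ (find_secret_files_output.files | sort(attribute='mtime') | last).path }}"
    dest: "{{ local_workdir }}/secrets.tar.gz.enc"
    flat: true
  remote_user: "{{ LINUX_USERNAME }}"
  vars:
    ansible_ssh_port: "{{ SECRET_SSH_PORT }}"
  delegate_to: "{{ SECRET_HOST }}"
  # When the find task itself failed (e.g. SECRET_HOST unreachable) the
  # registered result has no `files` key; default it to an empty list so
  # the condition skips the task instead of erroring on an undefined attribute.
  when: (find_secret_files_output.files | default([])) | length > 0
  ignore_errors: true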
# The archive must now be on the controller, either fetched above or
# dropped into local_workdir by hand; stop the play with guidance otherwise.
- name: Check local secrets.tar.gz.enc status
  ansible.builtin.stat:
    path: "{{ local_workdir }}/secrets.tar.gz.enc"
  register: local_archive_stat
  delegate_to: localhost

- name: Assert that local secrets.tar.gz.enc exists
  ansible.builtin.assert:
    that: local_archive_stat.stat.exists
    fail_msg: "ERROR: Could not auto-retrieve secrets.tar.gz.enc. Please copy it in {{ local_workdir }} on Ansible controller and restart the playbook."
  delegate_to: localhost
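# Ship the archive to the target. It is still ciphertext, but keep it
# private to the SSH user anyway; the module default would follow the
# remote umask.
- name: Copy secrets to remote server
  ansible.builtin.copy:
    src: "{{ local_workdir }}/secrets.tar.gz.enc"
    dest: "{{ remote_workdir }}/secrets.tar.gz.enc"
    mode: "0600"
  # Nothing to copy when controller and target are the same machine.
  when: local_system_uuid != remote_system_uuid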
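# Decrypt the archive on the target and pull out only the two files the
# bootstrap needs, secrets/bootstrap/id_rsa and secrets/secrets.yml, both
# landing flat in remote_workdir.
#
# NOTE(review): the archive uses OpenSSL's legacy password-to-key
# derivation (`-md md5`, EVP_BytesToKey, a single iteration) and
# unauthenticated CBC: the passphrase is cheap to brute-force offline and a
# tampered archive is only noticed when tar chokes on garbage. The flags
# must match the encryption side, so they cannot be changed here alone;
# when the archive is next re-encrypted, move both sides to
# `-pbkdf2 -iter 100000 -md sha256`.
- name: Check that the archive passphrase is available
  ansible.builtin.assert:
    # Without this check openssl derives a key from an empty passphrase and
    # the failure surfaces as an unrelated tar/gzip error.
    that:
      - "lookup('env', 'SECRETS_ARCHIVE_PASSPHRASE') | length > 0"
    fail_msg: "SECRETS_ARCHIVE_PASSPHRASE is not set in the Ansible controller environment."
  delegate_to: localhost
  run_once: true

- name: Extract bootstrap key and secrets.yml from secrets.tar.gz.enc
  ansible.builtin.shell: >-
    set -o pipefail &&
    openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d
    -in {{ (remote_workdir ~ '/secrets.tar.gz.enc') | quote }} |
    tar -zxv -C {{ item.dir | quote }} --strip {{ item.strip }} {{ item.name | quote }}
  args:
    # pipefail is a bash-ism; without it a failed decrypt is masked by
    # tar's exit status.
    executable: /bin/bash
  # The workdir is scratch space; extraction is deliberately not reported
  # as a change.
  changed_when: false
  loop:
    # strip = leading path components tar drops so the file lands directly
    # in item.dir.
    - name: secrets/bootstrap/id_rsa
      dir: "{{ remote_workdir }}"
      strip: 2
    - name: secrets/secrets.yml
      dir: "{{ remote_workdir }}"
      strip: 1
  environment:
    # Read from the controller's environment and exported into the remote
    # shell; `-pass env:` keeps the passphrase off the command line (ps).
    SECRETS_ARCHIVE_PASSPHRASE: "{{ lookup('env', 'SECRETS_ARCHIVE_PASSPHRASE') }}"

- name: Restrict permissions on the extracted secrets
  ansible.builtin.file:
    # tar restores the modes stored in the archive; force owner-only access
    # on the private key and the plaintext secrets file regardless.
    path: "{{ remote_workdir }}/{{ item | basename }}"
    mode: "0600"
  loop:
    - secrets/bootstrap/id_rsa
    - secrets/secrets.yml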
#- name: download bootstrap
# ansible.builtin.command:
# cmd: duplicity restore swift://bootstrap {{ workdir }}
# environment:
# SWIFT_USERNAME: "{{ OS_USERNAME }}"
# SWIFT_PASSWORD: "{{ OS_PASSWORD }}"
# SWIFT_AUTHURL: "{{ OS_AUTH_URL }}"
# SWIFT_REGIONNAME: "{{ SWIFT_REGIONNAME }}"
# SWIFT_TENANTNAME: "{{ OS_TENANT_NAME }}"
# SWIFT_AUTHVERSION: "{{ OS_IDENTITY_API_VERSION }}"
# PASSPHRASE: "{{ duplicity_passphrase }}"
# # /usr/bin/duplicity runs Python with `-s`, which disables the user site-packages directory;
# # setting PYTHONPATH puts that directory (relative to the working directory) back on sys.path.
# PYTHONPATH: ".local/lib/python3.9/site-packages"
#