Add variable to force LOCAL_AND_REMOTE secrets extraction.

2024-06-01 19:11:28 +02:00 · 2024-06-01 19:11:28 +02:00 · 570452d8ec
commit 570452d8ec
parent 55bcd81ada
2 changed files with 17 additions and 0 deletions
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -99,8 +99,24 @@
  environment:
    SECRETS_ARCHIVE_PASSPHRASE: "{{ lookup('env', 'SECRETS_ARCHIVE_PASSPHRASE') }}"

+- name: Extract from secrets.tar.gz.enc on localhost
+  shell: "openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d -in {{ local_workdir }}/secrets.tar.gz.enc | tar -zxv -C {{ local_workdir }}"
+  environment:
+    SECRETS_ARCHIVE_PASSPHRASE: "{{ lookup('env', 'SECRETS_ARCHIVE_PASSPHRASE') }}"
+  delegate_to: localhost
+  when:
+    - local_system_uuid != remote_system_uuid
+    - LOCAL_AND_REMOTE
+
 - name: Remove secrets.tar.gz.enc
  ansible.builtin.file:
    path: "{{ remote_workdir }}/secrets.tar.gz.enc"
    state: absent

+- name: Remove secrets.tar.gz.enc on localhost
+  ansible.builtin.file:
+    path: "{{ local_workdir }}/secrets.tar.gz.enc"
+    state: absent
+  delegate_to: localhost
+  when:
+    - local_system_uuid != remote_system_uuid
--- a/vars/main.yml
+++ b/vars/main.yml
@ -3,3 +3,4 @@
 LINUX_USERNAME: "yohan"
 SECRET_SSH_PORT: 2224
 WORKDIR: "secrets"
+LOCAL_AND_REMOTE: false