From a5404c2a83fdf21d4f030ec6a5816440cfa9397d Mon Sep 17 00:00:00 2001
From: yohan <783b8c87@scimetis.net>
Date: Sat, 1 Jun 2024 17:57:22 +0200
Subject: [PATCH] Retrieve secrets file with SSH to secret host.

---
 README.md | 2 +-
 tasks/main.yml | 101 +++++++++++++++++++++++++++++++++++++++++++++----
 vars/main.yml | 3 ++
 3 files changed, 97 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index 626d7e5..8cc79c2 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
 Usage
 =====
-KEY=XXXXXX SECRETS_ARCHIVE_PASSPHRASE=XXXXXXX ansible-playbook -e "WORKDIR=$HOME/secrets" -e "CLOUD_SERVER=cloud.scimetis.net" playbook.yml
+SECRETS_ARCHIVE_PASSPHRASE=XXXXXXX ansible-playbook -e "WORKDIR=secrets" -e SECRET_HOST=host2.domain2 playbook.yml
diff --git a/tasks/main.yml b/tasks/main.yml
index 58d4d97..9763628 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,19 +1,104 @@
 ---
 # tasks file for role_unpack_secrets
-- name: Create secrets directory
+- name: get local machine-id
+ command: cat /etc/machine-id
+ register: get_local_machine_id_output
+ delegate_to: localhost
+ changed_when: false
+
+- name: set local machine-id
+ ansible.builtin.set_fact:
+ local_system_uuid: "{{ get_local_machine_id_output.stdout }}"
+ delegate_to: localhost
+
+- name: get remote machine-id
+ command: cat /etc/machine-id
+ register: get_remote_machine_id_output
+ changed_when: false
+
+- name: set remote machine-id
+ ansible.builtin.set_fact:
+ remote_system_uuid: "{{ get_remote_machine_id_output.stdout }}"
+
+- name: set remote workdir path
+ ansible.builtin.set_fact:
+ remote_workdir: /home/{{ ansible_user_id }}/{{ WORKDIR }}
+
+- name: set local workdir path
+ ansible.builtin.set_fact:
+ local_workdir: /home/{{ lookup('env', 'USER') }}/{{ WORKDIR }}
+
+- name: remove remote workdir
 ansible.builtin.file:
- path: "{{ WORKDIR }}/secrets"
+ path: "{{ remote_workdir }}"
+ state: absent
+
+- name: remove local workdir
+ ansible.builtin.file:
+ path: "{{ local_workdir }}"
+ state: absent
+ delegate_to: localhost
+ when: local_system_uuid != remote_system_uuid
+
+- name: create remote workdir
+ ansible.builtin.file:
+ path: "{{ remote_workdir }}"
 state: directory
-- name: Download secrets.tar.gz.enc
- ansible.builtin.get_url:
- url: "https://{{ CLOUD_SERVER }}/s/{{ lookup('env','KEY') }}/download?path=%2F&files=secrets.tar.gz.enc"
- dest: "{{ WORKDIR }}/secrets.tar.gz.enc"
+- name: create local workdir
+ ansible.builtin.file:
+ path: "{{ local_workdir }}"
+ state: directory
+ delegate_to: localhost
+ when: local_system_uuid != remote_system_uuid
+
+- name: Find secret files
+ ansible.builtin.find:
+ paths: "/mnt/archives_critiques/secrets"
+ patterns: 'secrets.tar.gz.enc-*'
+ register: find_secret_files_output
+ remote_user: "{{ LINUX_USERNAME }}"
+ vars:
+ ansible_ssh_port: "{{ SECRET_SSH_PORT }}"
+ delegate_to: "{{ SECRET_HOST }}"
+ ignore_errors: true
+
+- name: Fetch secrets
+ ansible.builtin.fetch:
+ src: "{{ (find_secret_files_output.files | sort(attribute='mtime') | last).path }}"
+ dest: "{{ local_workdir }}/secrets.tar.gz.enc"
+ flat: yes
+ remote_user: "{{ LINUX_USERNAME }}"
+ vars:
+ ansible_ssh_port: "{{ SECRET_SSH_PORT }}"
+ delegate_to: "{{ SECRET_HOST }}"
+ when: find_secret_files_output.files | length > 0
+ ignore_errors: true
+
+- name: Check local secrets.tar.gz.enc status
+ stat:
+ path: "{{ local_workdir }}/secrets.tar.gz.enc"
+ register: local_stat_result
+ delegate_to: localhost
+
+- name: Assert that local secrets.tar.gz.enc exists
+ ansible.builtin.assert:
+ that:
+ - local_stat_result.stat.exists
+ fail_msg: "ERROR: Could not auto-retrieve secrets.tar.gz.enc. Please copy it in {{ local_workdir }} on Ansible controller and restart the playbook."
+ delegate_to: localhost
+
+- name: Copy secrets to remote server
+ ansible.builtin.copy:
+ src: "{{ local_workdir }}/secrets.tar.gz.enc"
+ dest: "{{ remote_workdir }}/secrets.tar.gz.enc"
+ when: local_system_uuid != remote_system_uuid
 - name: Extract from secrets.tar.gz.enc
- shell: "openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d -in {{ WORKDIR }}/secrets.tar.gz.enc | tar -zxv -C {{ WORKDIR }}"
+ shell: "openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d -in {{ remote_workdir }}/secrets.tar.gz.enc | tar -zxv -C {{ remote_workdir }}"
 - name: Remove secrets.tar.gz.enc
 ansible.builtin.file:
- path: "{{ WORKDIR }}/secrets.tar.gz.enc"
+ path: "{{ remote_workdir }}/secrets.tar.gz.enc"
 state: absent
+
diff --git a/vars/main.yml b/vars/main.yml
index 33005fa..88cd932 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,2 +1,5 @@
 ---
 # vars file for role_unpack_secrets
+LINUX_USERNAME: "yohan"
+SECRET_SSH_PORT: 2224
+WORKDIR: "secrets"
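Review bot: The recovery path described in the assert's fail_msg cannot succeed: it asks the operator to copy secrets.tar.gz.enc into `{{ local_workdir }}` and restart, but on the restart `remove local workdir` (or `remove remote workdir`, when the controller is also the target and the two paths presumably coincide) deletes that directory with `state: absent` before `Find secret files` runs, so the hand-copied archive is gone by the time `Check local secrets.tar.gz.enc status` looks for it. A stat taken right after `set local workdir path` can guard both removals, as below, so an operator-supplied archive survives the cleanup. Separately, `Fetch secrets` evaluates `find_secret_files_output.files | length > 0` even after an ignored find failure, where the registered result may carry no `files` key; `when: find_secret_files_output.files | default([]) | length > 0` avoids the templating error. The `Extract` task still reads the passphrase with `-pass env:SECRETS_ARCHIVE_PASSPHRASE` but sets no `environment:` on the remote shell, so the controller's variable is presumably not visible there when the target is a different host — worth confirming, since openssl fails on an unset variable.
```yaml
- name: Check for an operator-supplied secrets.tar.gz.enc
  stat:
    path: "{{ local_workdir }}/secrets.tar.gz.enc"
  register: preexisting_archive
  delegate_to: localhost

- name: remove remote workdir
  ansible.builtin.file:
    path: "{{ remote_workdir }}"
    state: absent
  when: local_system_uuid != remote_system_uuid or not preexisting_archive.stat.exists

- name: remove local workdir
  ansible.builtin.file:
    path: "{{ local_workdir }}"
    state: absent
  delegate_to: localhost
  when: local_system_uuid != remote_system_uuid and not preexisting_archive.stat.exists

# … unchanged: create remote workdir, create local workdir, Find secret files, Fetch secrets …
```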
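Review bot: `LINUX_USERNAME: "yohan"` and `SECRET_SSH_PORT: 2224` are added to vars/main.yml, which in Ansible's precedence sits above inventory, host_vars and group_vars, so a consumer of this role cannot point it at a different account or port on the secret host except through `-e`; a personal login name in particular belongs in the inventory or in `defaults/main.yml`. Moving the three keys unchanged to `defaults/main.yml` keeps the README invocation working while leaving them overridable, and `WORKDIR` would then also document its default in the place roles normally do.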