diff --git a/backup.yml b/backup.yml
index 44bc4ca..87f804b 100644
--- a/backup.yml
+++ b/backup.yml
@@ -3,53 +3,18 @@ # become: true gather_facts: false vars: - user: staffadmin - username: jingohalert - password: !vault | - $ANSIBLE_VAULT;1.2;AES256;prod - 35393433316665666435363662633832663632666532383539643365343263396536616533653435 - 6536336661663262356135363538616362306333613036650a303064313266383962643263366431 - 63636431646463613034633537313735646337363966616432363161643936313337643636383536 - 3164396237373336610a616337613334393037346366653463396265336162663638336132366463 - 3431 - # vault_pass: !vault | - # $ANSIBLE_VAULT;1.2;AES256;prod - # 31393635346263633965326334656663323439643166313736343337343032303234653264653065 - # 3933333731343231643033373436653764326131616635640a356566616337373031333065303166 - # 36363839323432353936336438636130373134353364326264393563663561346438356533656262 - # 3630386265633339630a306334363336396539353133383236316138333538623064333036316233 - # 6464 + user: sgratias token: !vault | $ANSIBLE_VAULT;1.2;AES256;prod - 36663034636138333863626233623737363834333134333235656132333933356237396132383266 - 3266326438656130623337653464633062343433623333620a386561353637613263323837313230 - 66666633373066363862343766646431396632653332333830323136343230336464333635343136 - 3732643432306338640a666334373636653164646135633966333339323935363433663130313235 - 36613831356265373964623464356263333666366539663131396535613633346138613665383864 - 6331393663346638663832313035653765303938376230363936 + 30383538646164373137616166636632353964373362323735626239656337306139616265323138 + 3834383331316466653565323632616163353964643637660a363262383461363234363738613034 + 64383132373061653337313365333734646635396635313133613861303730303163383764653664 + 6537633761353939330a356236623265383931643530316430303938303735306536343163323163 + 62636236346362663036343765363830383738623563613161373637383239623134376163653662 + 3565333032326133326232326633386332633639373862313463 tasks: - - - - - -# ! 
alertmanager + ntfy -# route: -# receiver: 'ntfy' -# repeat_interval: 4h -# group_by: [ alertname ] - -# receivers: -# - name: "ntfy" -# webhook_configs: -# - url: "http://ntfy-alertmanager:8080" - - # - command: - # cmd: "echo 'mescouilles'" - - # - debug: # msg: "test ok" # delegate_to: localhost @@ -60,7 +25,7 @@ # msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=apps/data/postgres token=prout url=https://hash.jingoh.fr') }}" - ansible.builtin.git: - repo: https://{{ user }}:{{ token }}@gitea.jingoh.fr/staffadmin/backup.git + repo: https://{{ user }}:{{ token }}@gitea.jingoh.fr/sgratias/backup.git dest: "{{ playbook_dir }}/backup" single_branch: yes force: true 
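Review bot: The rewritten `repo:` line still embeds the decrypted Vault token in the clone URL, and the `ansible.builtin.git` task carries no `no_log: true`, so the URL — token included — can surface in task results and verbose or callback output; the `git push https://{{ user }}:{{ token }}@…` line in the third hunk has the same exposure, and a shell command additionally exposes it to local process listings on the controller it is delegated to. Add `no_log: true` to both tasks, and preferably move the credential out of the URL (a git credential helper or `GIT_ASKPASS`) so it does not travel on the command line at all. While here, `single_branch: yes` next to `force: true` mixes boolean spellings; `true` throughout is the safer form across YAML 1.1/1.2 loaders. The `- ansible.builtin.git:` entry starts inside this hunk, but whether the task continues past `force: true` is not visible here.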
@@ -121,90 +86,39 @@ - /opt/dockerapps/appdata/vaultwarden/config.json #! wg portal - /opt/dockerapps/appdata/wg-portal/config/config.yml - # - name: Get a cert from an https port - # community.crypto.get_certificate: - # host: "gitea.jingoh.fr" - # port: 443 - # delegate_to: localhost - # run_once: true - # register: cert - # tags: test3 - - - # - ansible.builtin.command: - # cmd: "echo 'mescouilles'" - # register: toto - # tags: test3 - - - # - debug: - # msg: "{{ toto }}" - # tags: test3 + #! wg portal + - /opt/dockerapps/appdata/mailserver/etc/config.toml - name: Push backup to git ansible.builtin.shell: | git config user.email "stephane.gratiasquiquandon@gmail.com" - git config user.name "staffadmin" + git config user.name "sgratias" git add . git commit -m "Push Backup with access token" - git push https://{{ user }}:{{ token }}@gitea.jingoh.fr/staffadmin/backup.git + git push https://{{ user }}:{{ token }}@gitea.jingoh.fr/sgratias/backup.git args: chdir: "{{ playbook_dir }}/backup/" run_once: true delegate_to: localhost - # - name: Get a cert from an https port - # community.crypto.get_certificate: - # host: "gitea.jingoh.fr" - # port: 443 - # delegate_to: localhost - # run_once: true - # register: cert - # tags: test - - # - name: set - # ansible.builtin.set_fact: - # cert_date: "{{ cert.not_after | to_datetime('%Y%m%d%H%M%SZ') }}" - # tags: test - # - debug: - # msg: "{{ cert.not_after | to_datetime('%Y%m%d%H%M%SZ')}}" - # tags: test - - # - debug: - # msg: "{{ cert.not_after | to_datetime }} - {{ ansible_date_time.iso8601_basic }}" - # # loop: - # # - "{{ cert.not_after }}" - # # - "{{ ansible_date_time.iso8601_basic }}" - # tags: test - - # - debug: - # msg: "{{ item }}" - # loop: - # - "{{ ((cert.not_after | to_datetime('%Y%m%d%H%M%SZ') ) - (ansible_date_time.date | to_datetime('%Y-%m-%d') )).days }}" - # # - "{{ ansible_date_time.date.total_seconds() }}" - # tags: test - # when: - # - "{{ ((cert.not_after | to_datetime('%Y%m%d%H%M%SZ') ) - 
(ansible_date_time.date | to_datetime('%Y-%m-%d') )).days < 30 }}" - - # curl -u "$username:$password" -H "Title: HTTPS Certificats" -H "ta:closed_lock_with_key" -d "*.jingoh.fr Less than 20 days" https://alert.jingoh.fr/scaleway - # # when: cert.not_after - ansible_date_time.iso8601_basic > - - name: NTFY when docker compose changed - uri: - url: "https://alert.jingoh.fr/scaleway" - method: POST - user: "{{ username }}" - password: "{{ password }}" - headers: - Title: "docker-compose changed" - ta: "file_folder" - body: "Docker compose backup in gitea" - status_code: 200 - tags: test1 - delegate_to: localhost - when: fetch_files_backup.changed is true + # when: cert.not_after - ansible_date_time.iso8601_basic > + # - name: NTFY when docker compose changed + # uri: + # url: "https://alert.jingoh.fr/scaleway" + # method: POST + # headers: + # user: "{{ username }}" + # password: "{{ password }}" + # Title: "docker-compose changed" + # ta: "file_folder" + # body: "Docker compose backup in gitea" + # status_code: 200 + # tags: test1 + # delegate_to: localhost + # when: fetch_files_backup.changed is true # when: # - "{{ ((cert.not_after | to_datetime('%Y%m%d%H%M%SZ') ) - (ansible_date_time.date | to_datetime('%Y-%m-%d') )).days < 10 }}" diff --git a/collections/requirements.yml b/collections/requirements.yml index 2817d2b..8231adf 100644 --- a/collections/requirements.yml +++ b/collections/requirements.yml @@ -11,4 +11,5 @@ collections: # - name: geerlingguy.kibana # - name: softing.swarm - name: community.crypto - # - name: community.hashi_vault \ No newline at end of file + # - name: community.hashi_vault + - name: community.hashi_vault \ No newline at end of file diff --git a/requirements.yml b/requirements.yml new file mode 100644 index 0000000..8231adf --- /dev/null +++ b/requirements.yml 
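Review bot: The added comment `#! wg portal` above the new `- /opt/dockerapps/appdata/mailserver/etc/config.toml` entry is a copy of the label on the wg-portal line just above it and mislabels the mailserver path; `#! mailserver` (or simply dropping the duplicate comment) is what is meant. Whether that config.toml holds credentials that are now pushed to the remote Gitea repository is not visible here and is worth confirming before the next run. The newly commented-out NTFY task also moves `user:`/`password:` under `headers:`, where `uri` would send them as plain HTTP headers instead of as basic-auth parameters if it is ever re-enabled, and it references `{{ username }}`/`{{ password }}`, which the first hunk removes from `vars`; deleting the block rather than keeping it commented avoids resurrecting that. The enclosing `tasks:` list begins before this hunk; the `- name: Push backup to git` task is fully visible here.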
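Review bot: The new `- name: community.hashi_vault` entry — like every active entry in this file — has no `version:`, so `ansible-galaxy collection install -r` pulls whatever is newest at run time and the dependency set is not reproducible or reviewable; pin it, e.g. `version: "<PINNED_VERSION>"` (placeholder), and drop the now-redundant `# - name: community.hashi_vault` line directly above it. The `index` lines show this file and the new root `requirements.yml` both end at blob `8231adf`, i.e. they are byte-identical copies, so the same unpinned-dependency point applies to the new file and the two will drift unless one is removed or the other references it. Both files also end without a trailing newline, as the `\ No newline at end of file` markers show.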
@@ -0,0 +1,15 @@
+collections:
+ # - name: devsec.hardening
+ # - name: prometheus.prometheus
+ # - name: community.crypto
+ - name: ansible.utils
+ # - name: community.grafana
+ - name: community.docker
+ # - name: geerlingguy.redis
+ # - name: git+https://github.com/netways/ansible-collection-elasticstack.git
+ # - name: elastic.elasticsearch
+ # - name: geerlingguy.kibana
+ # - name: softing.swarm
+ - name: community.crypto
+ # - name: community.hashi_vault
+ - name: community.hashi_vault
\ No newline at end of file
diff --git a/test-vault.yml b/test-vault.yml
index a97a6eb..5d8cee8 100644
--- a/test-vault.yml
+++ b/test-vault.yml
@@ -1,8 +1,8 @@
 ---
-- name: Swarm
- hosts: testswarm
- become: true
+- name: Vault
+ hosts: localhost
+ # become: true
 gather_facts: false
@@ -28,16 +28,78 @@ # vault token create -explicit-max-ttl=8760h -policy=test -ttl=720h -renewable=true -display-name=test # - ansible.builtin.debug: - # msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=/apps/my-app:test token=hvs.CAESIB4eVBWqRNDgcGXJpmvBe9nCpvCJ9-kM-OXq2p1WGlfBGh4KHGh2cy4xdFBYNnNMUEROOVlxOWFad3hERHI5Ulc url=http://myvault:8200') }}" + # msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=/apps/my-app:test token= url=http://myvault:8200') }}" - - name: Return all secrets from a path - delegate_to: localhost + # - name: Return all secrets from a path + # delegate_to: localhost + # vars: + # # ansible_hashi_vault_url: 'https://myvault:8282' + # # ansible_hashi_vault_auth_method: ldap + # ansible.builtin.debug: + # msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=/kv/data/test token= url=https://pwd.jingoh.fr') }}" + + + # - name: Vault that requires authentication via LDAP + # vars: + # ansible_hashi_vault_url: 'https://myvault:8282' + # ansible_hashi_vault_auth_method: ldap + # ansible_hashi_vault_mount_point: ldap + # ansible_hashi_vault_username: lbouvier@jingoh.fr + # ansible_hashi_vault_password: ptoto + # ansible.builtin.debug: + # msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=/kv/data/test url=https://pwd.jingoh.fr auth_method=ldap mount_point=ldap username=lbouvier@jingoh.fr password=ptoto') }}" + + +# ! 
local mac os : export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES + + # - name: Vault that requires authentication via LDAP + # vars: + # ansible_hashi_vault_url: 'https://pwd.jingoh.fr' + # ansible_hashi_vault_auth_method: ldap + # ansible_hashi_vault_mount_point: ldap + # ansible_hashi_vault_username: lbouvier@jingoh.fr + # ansible_hashi_vault_password: ptoto + # ansible.builtin.debug: + # msg: "{{ lookup('community.hashi_vault.vault_list', 'secret=/kv/test') }}" + + + - name: Login and use the resulting token + community.hashi_vault.vault_login: + url: https://pwd.jingoh.fr + auth_method: userpass + username: lbouvier@jingoh.fr + password: ptoto + register: login_data + + + - name: Vault that requires authentication via LDAP ansible.builtin.debug: - msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=apps/data/postgres token=prout url=https://hash.jingoh.fr') }}" - - + msg: "{{ lookup('community.hashi_vault.hashi_vault', '/kv/data/test auth_method=ldap mount_point=ldap username=lbouvier@jingoh.fr password=ptoto url=https://pwd.jingoh.fr') }}" + - name: List kv2 secrets from Vault via the remote host with userpass auth + community.hashi_vault.vault_list: + url: 'https://pwd.jingoh.fr' + path: /kv/data/test + # For kv2, the path needs to follow the pattern 'mount_point/metadata' or 'mount_point/metadata/path' to list all secrets in that path + auth_method: ldap + username: lbouvier@jingoh.fr + password: ptoto + register: secret + - name: Display the secrets found at the path provided above + ansible.builtin.debug: + msg: "{{ secret.data.data['keys'] }}" + # Note that secret.data.data.keys won't work as 'keys' is a built-in method + - name: List access policies from Vault via the remote host + community.hashi_vault.vault_list: + url: 'https://pwd.jingoh.fr' + path: sys/policies/acl + register: policies + - name: Display the policy names + ansible.builtin.debug: + msg: "{{ policies.data.data['keys'] }}" + # Note that secret.data.data.keys won't work as 'keys' 
is a built-in method
+# url=https://pwd.jingoh.fr auth_method=ldap mount_point=ldap username=lbouvier@jingoh.fr password=ptoto
\ No newline at end of file
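Review bot: The added `vault_list` task hard-codes `username: lbouvier@jingoh.fr` and `password: ptoto` in plaintext, and the same pair is repeated in the added debug `msg` lookup string, in the added commented LDAP blocks (`# ansible_hashi_vault_password: ptoto`) and in the trailing comment on the last line, while `backup.yml` in this same commit already wraps its `token` in `!vault`; give the password the same treatment or source it from `ansible_hashi_vault_password`, e.g. `password: "{{ vault_ldap_password }}"` with `no_log: true` on the task (the `vault_login` task with the same literals looks like pre-existing context rather than new code, but the point applies to it too). `register: login_data` captures the login response, which carries the Vault client token, and `register: secret`/`register: policies` capture secret and policy names; without `no_log: true` these appear in task output. The removed `token=hvs.CAES…` string was a live-looking Vault token that stays in git history, so it should be treated as exposed and revoked regardless of this deletion. The comment under `path: /kv/data/test` states that kv2 listing needs a `mount_point/metadata[/path]` path, which conflicts with the `data` segment used on the line above it, so one of the two is wrong. The copied comment under the policy debug says `secret.data.data.keys` where `policies` is meant.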