[Add vacku + vault]

This commit is contained in:
2025-06-03 23:09:19 +02:00
parent 0fcc70f430
commit 146d4fbd77
4 changed files with 115 additions and 123 deletions


@@ -3,53 +3,18 @@
# become: true # become: true
gather_facts: false gather_facts: false
vars: vars:
user: staffadmin user: sgratias
username: jingohalert
password: !vault |
$ANSIBLE_VAULT;1.2;AES256;prod
35393433316665666435363662633832663632666532383539643365343263396536616533653435
6536336661663262356135363538616362306333613036650a303064313266383962643263366431
63636431646463613034633537313735646337363966616432363161643936313337643636383536
3164396237373336610a616337613334393037346366653463396265336162663638336132366463
3431
# vault_pass: !vault |
# $ANSIBLE_VAULT;1.2;AES256;prod
# 31393635346263633965326334656663323439643166313736343337343032303234653264653065
# 3933333731343231643033373436653764326131616635640a356566616337373031333065303166
# 36363839323432353936336438636130373134353364326264393563663561346438356533656262
# 3630386265633339630a306334363336396539353133383236316138333538623064333036316233
# 6464
token: !vault | token: !vault |
$ANSIBLE_VAULT;1.2;AES256;prod $ANSIBLE_VAULT;1.2;AES256;prod
36663034636138333863626233623737363834333134333235656132333933356237396132383266 30383538646164373137616166636632353964373362323735626239656337306139616265323138
3266326438656130623337653464633062343433623333620a386561353637613263323837313230 3834383331316466653565323632616163353964643637660a363262383461363234363738613034
66666633373066363862343766646431396632653332333830323136343230336464333635343136 64383132373061653337313365333734646635396635313133613861303730303163383764653664
3732643432306338640a666334373636653164646135633966333339323935363433663130313235 6537633761353939330a356236623265383931643530316430303938303735306536343163323163
36613831356265373964623464356263333666366539663131396535613633346138613665383864 62636236346362663036343765363830383738623563613161373637383239623134376163653662
6331393663346638663832313035653765303938376230363936 3565333032326133326232326633386332633639373862313463
tasks: tasks:
# ! alertmanager + ntfy
# route:
# receiver: 'ntfy'
# repeat_interval: 4h
# group_by: [ alertname ]
# receivers:
# - name: "ntfy"
# webhook_configs:
# - url: "http://ntfy-alertmanager:8080"
# - command:
# cmd: "echo 'mescouilles'"
# - debug: # - debug:
# msg: "test ok" # msg: "test ok"
# delegate_to: localhost # delegate_to: localhost
@@ -60,7 +25,7 @@
# msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=apps/data/postgres token=prout url=https://hash.jingoh.fr') }}" # msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=apps/data/postgres token=prout url=https://hash.jingoh.fr') }}"
- ansible.builtin.git: - ansible.builtin.git:
repo: https://{{ user }}:{{ token }}@gitea.jingoh.fr/staffadmin/backup.git repo: https://{{ user }}:{{ token }}@gitea.jingoh.fr/sgratias/backup.git
dest: "{{ playbook_dir }}/backup" dest: "{{ playbook_dir }}/backup"
single_branch: yes single_branch: yes
force: true force: true
@@ -121,90 +86,39 @@
- /opt/dockerapps/appdata/vaultwarden/config.json - /opt/dockerapps/appdata/vaultwarden/config.json
#! wg portal #! wg portal
- /opt/dockerapps/appdata/wg-portal/config/config.yml - /opt/dockerapps/appdata/wg-portal/config/config.yml
# - name: Get a cert from an https port #! wg portal
# community.crypto.get_certificate: - /opt/dockerapps/appdata/mailserver/etc/config.toml
# host: "gitea.jingoh.fr"
# port: 443
# delegate_to: localhost
# run_once: true
# register: cert
# tags: test3
# - ansible.builtin.command:
# cmd: "echo 'mescouilles'"
# register: toto
# tags: test3
# - debug:
# msg: "{{ toto }}"
# tags: test3
- name: Push backup to git - name: Push backup to git
ansible.builtin.shell: | ansible.builtin.shell: |
git config user.email "stephane.gratiasquiquandon@gmail.com" git config user.email "stephane.gratiasquiquandon@gmail.com"
git config user.name "staffadmin" git config user.name "sgratias"
git add . git add .
git commit -m "Push Backup with access token" git commit -m "Push Backup with access token"
git push https://{{ user }}:{{ token }}@gitea.jingoh.fr/staffadmin/backup.git git push https://{{ user }}:{{ token }}@gitea.jingoh.fr/sgratias/backup.git
args: args:
chdir: "{{ playbook_dir }}/backup/" chdir: "{{ playbook_dir }}/backup/"
run_once: true run_once: true
delegate_to: localhost delegate_to: localhost
# - name: Get a cert from an https port
# community.crypto.get_certificate:
# host: "gitea.jingoh.fr"
# port: 443
# delegate_to: localhost
# run_once: true
# register: cert
# tags: test
# - name: set
# ansible.builtin.set_fact:
# cert_date: "{{ cert.not_after | to_datetime('%Y%m%d%H%M%SZ') }}"
# tags: test
# - debug:
# msg: "{{ cert.not_after | to_datetime('%Y%m%d%H%M%SZ')}}"
# tags: test
# - debug:
# msg: "{{ cert.not_after | to_datetime }} - {{ ansible_date_time.iso8601_basic }}"
# # loop:
# # - "{{ cert.not_after }}"
# # - "{{ ansible_date_time.iso8601_basic }}"
# tags: test
# - debug:
# msg: "{{ item }}"
# loop:
# - "{{ ((cert.not_after | to_datetime('%Y%m%d%H%M%SZ') ) - (ansible_date_time.date | to_datetime('%Y-%m-%d') )).days }}"
# # - "{{ ansible_date_time.date.total_seconds() }}"
# tags: test
# when:
# - "{{ ((cert.not_after | to_datetime('%Y%m%d%H%M%SZ') ) - (ansible_date_time.date | to_datetime('%Y-%m-%d') )).days < 30 }}"
# curl -u "$username:$password" -H "Title: HTTPS Certificats" -H "ta:closed_lock_with_key" -d "*.jingoh.fr Less than 20 days" https://alert.jingoh.fr/scaleway # curl -u "$username:$password" -H "Title: HTTPS Certificats" -H "ta:closed_lock_with_key" -d "*.jingoh.fr Less than 20 days" https://alert.jingoh.fr/scaleway
# # when: cert.not_after - ansible_date_time.iso8601_basic > # when: cert.not_after - ansible_date_time.iso8601_basic >
- name: NTFY when docker compose changed # - name: NTFY when docker compose changed
uri: # uri:
url: "https://alert.jingoh.fr/scaleway" # url: "https://alert.jingoh.fr/scaleway"
method: POST # method: POST
user: "{{ username }}" # headers:
password: "{{ password }}" # user: "{{ username }}"
headers: # password: "{{ password }}"
Title: "docker-compose changed" # Title: "docker-compose changed"
ta: "file_folder" # ta: "file_folder"
body: "Docker compose backup in gitea" # body: "Docker compose backup in gitea"
status_code: 200 # status_code: 200
tags: test1 # tags: test1
delegate_to: localhost # delegate_to: localhost
when: fetch_files_backup.changed is true # when: fetch_files_backup.changed is true
# when: # when:
# - "{{ ((cert.not_after | to_datetime('%Y%m%d%H%M%SZ') ) - (ansible_date_time.date | to_datetime('%Y-%m-%d') )).days < 10 }}" # - "{{ ((cert.not_after | to_datetime('%Y%m%d%H%M%SZ') ) - (ansible_date_time.date | to_datetime('%Y-%m-%d') )).days < 10 }}"
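Review bot: The `git push https://{{ user }}:{{ token }}@gitea.jingoh.fr/...` line in the `Push backup to git` shell task, and the same URL in the `ansible.builtin.git` task above it, put the Gitea access token into a command line and into the cloned repo's remote (git normally keeps the clone URL, embedded credentials included, in `backup/.git/config` on the control host — worth confirming), and neither task sets `no_log`, so a verbose run or a failed push writes the decrypted token to the Ansible output. Add `no_log: true` to both tasks, and consider feeding the token through a git credential helper or `GIT_ASKPASS` rather than the URL. The new backup-list entry `/opt/dockerapps/appdata/mailserver/etc/config.toml` reuses the copy-pasted label `#! wg portal`; it should read `#! mailserver`. The list of backed-up paths and the `tasks:` block both begin before this hunk.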


@@ -11,4 +11,5 @@ collections:
# - name: geerlingguy.kibana # - name: geerlingguy.kibana
# - name: softing.swarm # - name: softing.swarm
- name: community.crypto - name: community.crypto
# - name: community.hashi_vault # - name: community.hashi_vault
- name: community.hashi_vault

requirements.yml Normal file

@@ -0,0 +1,15 @@
collections:
# - name: devsec.hardening
# - name: prometheus.prometheus
# - name: community.crypto
- name: ansible.utils
# - name: community.grafana
- name: community.docker
# - name: geerlingguy.redis
# - name: git+https://github.com/netways/ansible-collection-elasticstack.git
# - name: elastic.elasticsearch
# - name: geerlingguy.kibana
# - name: softing.swarm
- name: community.crypto
# - name: community.hashi_vault
- name: community.hashi_vault


@@ -1,8 +1,8 @@
--- ---
- name: Swarm - name: Vault
hosts: testswarm hosts: localhost
become: true # become: true
gather_facts: false gather_facts: false
@@ -28,16 +28,78 @@
# vault token create -explicit-max-ttl=8760h -policy=test -ttl=720h -renewable=true -display-name=test # vault token create -explicit-max-ttl=8760h -policy=test -ttl=720h -renewable=true -display-name=test
# - ansible.builtin.debug: # - ansible.builtin.debug:
# msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=/apps/my-app:test token=hvs.CAESIB4eVBWqRNDgcGXJpmvBe9nCpvCJ9-kM-OXq2p1WGlfBGh4KHGh2cy4xdFBYNnNMUEROOVlxOWFad3hERHI5Ulc url=http://myvault:8200') }}" # msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=/apps/my-app:test token= url=http://myvault:8200') }}"
- name: Return all secrets from a path # - name: Return all secrets from a path
delegate_to: localhost # delegate_to: localhost
# vars:
# # ansible_hashi_vault_url: 'https://myvault:8282'
# # ansible_hashi_vault_auth_method: ldap
# ansible.builtin.debug:
# msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=/kv/data/test token= url=https://pwd.jingoh.fr') }}"
# - name: Vault that requires authentication via LDAP
# vars:
# ansible_hashi_vault_url: 'https://myvault:8282'
# ansible_hashi_vault_auth_method: ldap
# ansible_hashi_vault_mount_point: ldap
# ansible_hashi_vault_username: lbouvier@jingoh.fr
# ansible_hashi_vault_password: ptoto
# ansible.builtin.debug:
# msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=/kv/data/test url=https://pwd.jingoh.fr auth_method=ldap mount_point=ldap username=lbouvier@jingoh.fr password=ptoto') }}"
# ! local mac os : export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES
# - name: Vault that requires authentication via LDAP
# vars:
# ansible_hashi_vault_url: 'https://pwd.jingoh.fr'
# ansible_hashi_vault_auth_method: ldap
# ansible_hashi_vault_mount_point: ldap
# ansible_hashi_vault_username: lbouvier@jingoh.fr
# ansible_hashi_vault_password: ptoto
# ansible.builtin.debug:
# msg: "{{ lookup('community.hashi_vault.vault_list', 'secret=/kv/test') }}"
- name: Login and use the resulting token
community.hashi_vault.vault_login:
url: https://pwd.jingoh.fr
auth_method: userpass
username: lbouvier@jingoh.fr
password: ptoto
register: login_data
- name: Vault that requires authentication via LDAP
ansible.builtin.debug: ansible.builtin.debug:
msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=apps/data/postgres token=prout url=https://hash.jingoh.fr') }}" msg: "{{ lookup('community.hashi_vault.hashi_vault', '/kv/data/test auth_method=ldap mount_point=ldap username=lbouvier@jingoh.fr password=ptoto url=https://pwd.jingoh.fr') }}"
- name: List kv2 secrets from Vault via the remote host with userpass auth
community.hashi_vault.vault_list:
url: 'https://pwd.jingoh.fr'
path: /kv/data/test
# For kv2, the path needs to follow the pattern 'mount_point/metadata' or 'mount_point/metadata/path' to list all secrets in that path
auth_method: ldap
username: lbouvier@jingoh.fr
password: ptoto
register: secret
- name: Display the secrets found at the path provided above
ansible.builtin.debug:
msg: "{{ secret.data.data['keys'] }}"
# Note that secret.data.data.keys won't work as 'keys' is a built-in method
- name: List access policies from Vault via the remote host
community.hashi_vault.vault_list:
url: 'https://pwd.jingoh.fr'
path: sys/policies/acl
register: policies
- name: Display the policy names
ansible.builtin.debug:
msg: "{{ policies.data.data['keys'] }}"
# Note that secret.data.data.keys won't work as 'keys' is a built-in method
# url=https://pwd.jingoh.fr auth_method=ldap mount_point=ldap username=lbouvier@jingoh.fr password=ptoto
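Review bot: The Vault password `ptoto` and username are committed in plaintext in the `vault_login` task, the first `vault_list` task and the debug lookup string, while the token that `vault_login` registers into `login_data` is never used, so every task re-authenticates with the literal password and the `debug` tasks print the returned secret data to stdout. Move the credentials into `!vault`-encrypted vars as the other playbook in this commit does, pass the registered token to the following tasks, and set `no_log: true` on the login and on any task whose result carries secret data; the old side of this hunk also held a literal `hvs.…` Vault token, which should be treated as exposed and revoked even though the commit blanks it. Separately, the first `vault_list` uses `path: /kv/data/test` although its own comment says a kv2 listing must go through `mount_point/metadata/...`, so that task presumably fails or returns nothing, whereas `sys/policies/acl` is fine as written. The play's header and `vars` begin before this hunk.
```yaml
- name: Login and use the resulting token
  community.hashi_vault.vault_login:
    url: https://pwd.jingoh.fr
    auth_method: userpass
    username: "{{ vault_username }}"
    password: "{{ vault_password }}"  # !vault-encrypted var, never a literal
  register: login_data
  no_log: true
# … unchanged: debug lookup (should also carry no_log: true) …
- name: List kv2 secrets from Vault via the remote host with userpass auth
  community.hashi_vault.vault_list:
    url: 'https://pwd.jingoh.fr'
    path: kv/metadata/test  # kv2 listing goes through metadata, per the comment below
    token: "{{ login_data.login.auth.client_token }}"  # confirm return shape against module docs
  register: secret
  no_log: true
# … unchanged: policy listing and debug tasks …
```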