[Add vacku + vault]
140
backup.yml
140
backup.yml
@@ -3,53 +3,18 @@
|
||||
# become: true
|
||||
gather_facts: false
|
||||
vars:
|
||||
user: staffadmin
|
||||
username: jingohalert
|
||||
password: !vault |
|
||||
$ANSIBLE_VAULT;1.2;AES256;prod
|
||||
35393433316665666435363662633832663632666532383539643365343263396536616533653435
|
||||
6536336661663262356135363538616362306333613036650a303064313266383962643263366431
|
||||
63636431646463613034633537313735646337363966616432363161643936313337643636383536
|
||||
3164396237373336610a616337613334393037346366653463396265336162663638336132366463
|
||||
3431
|
||||
# vault_pass: !vault |
|
||||
# $ANSIBLE_VAULT;1.2;AES256;prod
|
||||
# 31393635346263633965326334656663323439643166313736343337343032303234653264653065
|
||||
# 3933333731343231643033373436653764326131616635640a356566616337373031333065303166
|
||||
# 36363839323432353936336438636130373134353364326264393563663561346438356533656262
|
||||
# 3630386265633339630a306334363336396539353133383236316138333538623064333036316233
|
||||
# 6464
|
||||
user: sgratias
|
||||
token: !vault |
|
||||
$ANSIBLE_VAULT;1.2;AES256;prod
|
||||
36663034636138333863626233623737363834333134333235656132333933356237396132383266
|
||||
3266326438656130623337653464633062343433623333620a386561353637613263323837313230
|
||||
66666633373066363862343766646431396632653332333830323136343230336464333635343136
|
||||
3732643432306338640a666334373636653164646135633966333339323935363433663130313235
|
||||
36613831356265373964623464356263333666366539663131396535613633346138613665383864
|
||||
6331393663346638663832313035653765303938376230363936
|
||||
30383538646164373137616166636632353964373362323735626239656337306139616265323138
|
||||
3834383331316466653565323632616163353964643637660a363262383461363234363738613034
|
||||
64383132373061653337313365333734646635396635313133613861303730303163383764653664
|
||||
6537633761353939330a356236623265383931643530316430303938303735306536343163323163
|
||||
62636236346362663036343765363830383738623563613161373637383239623134376163653662
|
||||
3565333032326133326232326633386332633639373862313463
|
||||
tasks:
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
# ! alertmanager + ntfy
|
||||
# route:
|
||||
# receiver: 'ntfy'
|
||||
# repeat_interval: 4h
|
||||
# group_by: [ alertname ]
|
||||
|
||||
# receivers:
|
||||
# - name: "ntfy"
|
||||
# webhook_configs:
|
||||
# - url: "http://ntfy-alertmanager:8080"
|
||||
|
||||
# - command:
|
||||
# cmd: "echo 'mescouilles'"
|
||||
|
||||
|
||||
# - debug:
|
||||
# msg: "test ok"
|
||||
# delegate_to: localhost
|
||||
@@ -60,7 +25,7 @@
|
||||
# msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=apps/data/postgres token=prout url=https://hash.jingoh.fr') }}"
|
||||
|
||||
- ansible.builtin.git:
|
||||
repo: https://{{ user }}:{{ token }}@gitea.jingoh.fr/staffadmin/backup.git
|
||||
repo: https://{{ user }}:{{ token }}@gitea.jingoh.fr/sgratias/backup.git
|
||||
dest: "{{ playbook_dir }}/backup"
|
||||
single_branch: yes
|
||||
force: true
|
||||
@@ -121,90 +86,39 @@
|
||||
- /opt/dockerapps/appdata/vaultwarden/config.json
|
||||
#! wg portal
|
||||
- /opt/dockerapps/appdata/wg-portal/config/config.yml
|
||||
# - name: Get a cert from an https port
|
||||
# community.crypto.get_certificate:
|
||||
# host: "gitea.jingoh.fr"
|
||||
# port: 443
|
||||
# delegate_to: localhost
|
||||
# run_once: true
|
||||
# register: cert
|
||||
# tags: test3
|
||||
|
||||
|
||||
# - ansible.builtin.command:
|
||||
# cmd: "echo 'mescouilles'"
|
||||
# register: toto
|
||||
# tags: test3
|
||||
|
||||
|
||||
# - debug:
|
||||
# msg: "{{ toto }}"
|
||||
# tags: test3
|
||||
#! wg portal
|
||||
- /opt/dockerapps/appdata/mailserver/etc/config.toml
|
||||
|
||||
- name: Push backup to git
|
||||
ansible.builtin.shell: |
|
||||
git config user.email "stephane.gratiasquiquandon@gmail.com"
|
||||
git config user.name "staffadmin"
|
||||
git config user.name "sgratias"
|
||||
git add .
|
||||
git commit -m "Push Backup with access token"
|
||||
git push https://{{ user }}:{{ token }}@gitea.jingoh.fr/staffadmin/backup.git
|
||||
git push https://{{ user }}:{{ token }}@gitea.jingoh.fr/sgratias/backup.git
|
||||
args:
|
||||
chdir: "{{ playbook_dir }}/backup/"
|
||||
run_once: true
|
||||
delegate_to: localhost
|
||||
|
||||
# - name: Get a cert from an https port
|
||||
# community.crypto.get_certificate:
|
||||
# host: "gitea.jingoh.fr"
|
||||
# port: 443
|
||||
# delegate_to: localhost
|
||||
# run_once: true
|
||||
# register: cert
|
||||
# tags: test
|
||||
|
||||
# - name: set
|
||||
# ansible.builtin.set_fact:
|
||||
# cert_date: "{{ cert.not_after | to_datetime('%Y%m%d%H%M%SZ') }}"
|
||||
# tags: test
|
||||
# - debug:
|
||||
# msg: "{{ cert.not_after | to_datetime('%Y%m%d%H%M%SZ')}}"
|
||||
# tags: test
|
||||
|
||||
# - debug:
|
||||
# msg: "{{ cert.not_after | to_datetime }} - {{ ansible_date_time.iso8601_basic }}"
|
||||
# # loop:
|
||||
# # - "{{ cert.not_after }}"
|
||||
# # - "{{ ansible_date_time.iso8601_basic }}"
|
||||
# tags: test
|
||||
|
||||
# - debug:
|
||||
# msg: "{{ item }}"
|
||||
# loop:
|
||||
# - "{{ ((cert.not_after | to_datetime('%Y%m%d%H%M%SZ') ) - (ansible_date_time.date | to_datetime('%Y-%m-%d') )).days }}"
|
||||
# # - "{{ ansible_date_time.date.total_seconds() }}"
|
||||
# tags: test
|
||||
# when:
|
||||
# - "{{ ((cert.not_after | to_datetime('%Y%m%d%H%M%SZ') ) - (ansible_date_time.date | to_datetime('%Y-%m-%d') )).days < 30 }}"
|
||||
|
||||
|
||||
|
||||
# curl -u "$username:$password" -H "Title: HTTPS Certificats" -H "ta:closed_lock_with_key" -d "*.jingoh.fr Less than 20 days" https://alert.jingoh.fr/scaleway
|
||||
|
||||
# # when: cert.not_after - ansible_date_time.iso8601_basic >
|
||||
- name: NTFY when docker compose changed
|
||||
uri:
|
||||
url: "https://alert.jingoh.fr/scaleway"
|
||||
method: POST
|
||||
user: "{{ username }}"
|
||||
password: "{{ password }}"
|
||||
headers:
|
||||
Title: "docker-compose changed"
|
||||
ta: "file_folder"
|
||||
body: "Docker compose backup in gitea"
|
||||
status_code: 200
|
||||
tags: test1
|
||||
delegate_to: localhost
|
||||
when: fetch_files_backup.changed is true
|
||||
# when: cert.not_after - ansible_date_time.iso8601_basic >
|
||||
# - name: NTFY when docker compose changed
|
||||
# uri:
|
||||
# url: "https://alert.jingoh.fr/scaleway"
|
||||
# method: POST
|
||||
# headers:
|
||||
# user: "{{ username }}"
|
||||
# password: "{{ password }}"
|
||||
# Title: "docker-compose changed"
|
||||
# ta: "file_folder"
|
||||
# body: "Docker compose backup in gitea"
|
||||
# status_code: 200
|
||||
# tags: test1
|
||||
# delegate_to: localhost
|
||||
# when: fetch_files_backup.changed is true
|
||||
# when:
|
||||
# - "{{ ((cert.not_after | to_datetime('%Y%m%d%H%M%SZ') ) - (ansible_date_time.date | to_datetime('%Y-%m-%d') )).days < 10 }}"
|
||||
|
||||
|
||||
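Review bot: The `git push https://{{ user }}:{{ token }}@gitea.jingoh.fr/sgratias/backup.git` line in the `Push backup to git` shell task puts the Gitea token on a command line, so it is visible in `ps` on the delegate host and is echoed in Ansible's task result on failure or with `-v`, and the task has no `no_log`. The `ansible.builtin.git` task earlier in this section clones with the same credential-bearing URL, which git persists as the `origin` remote in `{{ playbook_dir }}/backup/.git/config`, so a bare `git push origin` would work without repeating the token — and that clone directory must then be treated as secret material. Adding `no_log: true` to this shell task and to the `NTFY when docker compose changed` uri task (which submits `{{ password }}`) keeps the vault-encrypted values out of logs; a credential helper or `GIT_ASKPASS` would avoid embedding the token in the URL at all. The multi-line shell has no `set -e`, so a failed `git commit` (nothing to commit) still runs the push; `set -e` on the first line, or `ansible.builtin.git`/`community.general.git_config` modules, would make the step's outcome honest.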
@@ -12,3 +12,4 @@ collections:
|
||||
# - name: softing.swarm
|
||||
- name: community.crypto
|
||||
# - name: community.hashi_vault
|
||||
- name: community.hashi_vault
|
||||
15
requirements.yml
Normal file
15
requirements.yml
Normal file
@@ -0,0 +1,15 @@
|
||||
collections:
|
||||
# - name: devsec.hardening
|
||||
# - name: prometheus.prometheus
|
||||
# - name: community.crypto
|
||||
- name: ansible.utils
|
||||
# - name: community.grafana
|
||||
- name: community.docker
|
||||
# - name: geerlingguy.redis
|
||||
# - name: git+https://github.com/netways/ansible-collection-elasticstack.git
|
||||
# - name: elastic.elasticsearch
|
||||
# - name: geerlingguy.kibana
|
||||
# - name: softing.swarm
|
||||
- name: community.crypto
|
||||
# - name: community.hashi_vault
|
||||
- name: community.hashi_vault
|
||||
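Review bot: None of the collections in the new `requirements.yml` carry a `version:`, so `ansible-galaxy collection install -r requirements.yml` resolves each entry to whatever is latest on Galaxy at install time and the control node's dependency set is not reproducible. `community.hashi_vault` handles Vault credentials and `community.docker` drives the hosts, so pin at least those, e.g. `- name: community.hashi_vault` followed by `  version: "<tested release>"`, and if the commented `git+https://...` source is ever re-enabled give it a commit SHA as its `version:`. A one-line header comment such as `# Install with: ansible-galaxy collection install -r requirements.yml` would also tell a reader how this file is consumed.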
@@ -1,8 +1,8 @@
|
||||
|
||||
---
|
||||
- name: Swarm
|
||||
hosts: testswarm
|
||||
become: true
|
||||
- name: Vault
|
||||
hosts: localhost
|
||||
# become: true
|
||||
gather_facts: false
|
||||
|
||||
|
||||
@@ -28,16 +28,78 @@
|
||||
# vault token create -explicit-max-ttl=8760h -policy=test -ttl=720h -renewable=true -display-name=test
|
||||
|
||||
# - ansible.builtin.debug:
|
||||
# msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=/apps/my-app:test token=hvs.CAESIB4eVBWqRNDgcGXJpmvBe9nCpvCJ9-kM-OXq2p1WGlfBGh4KHGh2cy4xdFBYNnNMUEROOVlxOWFad3hERHI5Ulc url=http://myvault:8200') }}"
|
||||
# msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=/apps/my-app:test token= url=http://myvault:8200') }}"
|
||||
|
||||
- name: Return all secrets from a path
|
||||
delegate_to: localhost
|
||||
# - name: Return all secrets from a path
|
||||
# delegate_to: localhost
|
||||
# vars:
|
||||
# # ansible_hashi_vault_url: 'https://myvault:8282'
|
||||
# # ansible_hashi_vault_auth_method: ldap
|
||||
# ansible.builtin.debug:
|
||||
# msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=/kv/data/test token= url=https://pwd.jingoh.fr') }}"
|
||||
|
||||
|
||||
# - name: Vault that requires authentication via LDAP
|
||||
# vars:
|
||||
# ansible_hashi_vault_url: 'https://myvault:8282'
|
||||
# ansible_hashi_vault_auth_method: ldap
|
||||
# ansible_hashi_vault_mount_point: ldap
|
||||
# ansible_hashi_vault_username: lbouvier@jingoh.fr
|
||||
# ansible_hashi_vault_password: ptoto
|
||||
# ansible.builtin.debug:
|
||||
# msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=/kv/data/test url=https://pwd.jingoh.fr auth_method=ldap mount_point=ldap username=lbouvier@jingoh.fr password=ptoto') }}"
|
||||
|
||||
|
||||
# ! local mac os : export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES
|
||||
|
||||
# - name: Vault that requires authentication via LDAP
|
||||
# vars:
|
||||
# ansible_hashi_vault_url: 'https://pwd.jingoh.fr'
|
||||
# ansible_hashi_vault_auth_method: ldap
|
||||
# ansible_hashi_vault_mount_point: ldap
|
||||
# ansible_hashi_vault_username: lbouvier@jingoh.fr
|
||||
# ansible_hashi_vault_password: ptoto
|
||||
# ansible.builtin.debug:
|
||||
# msg: "{{ lookup('community.hashi_vault.vault_list', 'secret=/kv/test') }}"
|
||||
|
||||
|
||||
- name: Login and use the resulting token
|
||||
community.hashi_vault.vault_login:
|
||||
url: https://pwd.jingoh.fr
|
||||
auth_method: userpass
|
||||
username: lbouvier@jingoh.fr
|
||||
password: ptoto
|
||||
register: login_data
|
||||
|
||||
|
||||
- name: Vault that requires authentication via LDAP
|
||||
ansible.builtin.debug:
|
||||
msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=apps/data/postgres token=prout url=https://hash.jingoh.fr') }}"
|
||||
|
||||
|
||||
msg: "{{ lookup('community.hashi_vault.hashi_vault', '/kv/data/test auth_method=ldap mount_point=ldap username=lbouvier@jingoh.fr password=ptoto url=https://pwd.jingoh.fr') }}"
|
||||
|
||||
|
||||
- name: List kv2 secrets from Vault via the remote host with userpass auth
|
||||
community.hashi_vault.vault_list:
|
||||
url: 'https://pwd.jingoh.fr'
|
||||
path: /kv/data/test
|
||||
# For kv2, the path needs to follow the pattern 'mount_point/metadata' or 'mount_point/metadata/path' to list all secrets in that path
|
||||
auth_method: ldap
|
||||
username: lbouvier@jingoh.fr
|
||||
password: ptoto
|
||||
register: secret
|
||||
|
||||
- name: Display the secrets found at the path provided above
|
||||
ansible.builtin.debug:
|
||||
msg: "{{ secret.data.data['keys'] }}"
|
||||
# Note that secret.data.data.keys won't work as 'keys' is a built-in method
|
||||
|
||||
- name: List access policies from Vault via the remote host
|
||||
community.hashi_vault.vault_list:
|
||||
url: 'https://pwd.jingoh.fr'
|
||||
path: sys/policies/acl
|
||||
register: policies
|
||||
|
||||
- name: Display the policy names
|
||||
ansible.builtin.debug:
|
||||
msg: "{{ policies.data.data['keys'] }}"
|
||||
# Note that secret.data.data.keys won't work as 'keys' is a built-in method
|
||||
# url=https://pwd.jingoh.fr auth_method=ldap mount_point=ldap username=lbouvier@jingoh.fr password=ptoto
|
||||
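Review bot: The `Login and use the resulting token` task and the `List kv2 secrets from Vault via the remote host with userpass auth` task both carry the Vault user `lbouvier@jingoh.fr` and its password `ptoto` in clear text, and the `debug` tasks that follow print lookup results (including whatever `secret=apps/data/postgres` returns) to stdout, so the credential and the secret values land in git and in every job log. Move the password into a vault-encrypted variable or the `ANSIBLE_HASHI_VAULT_PASSWORD` environment variable, add `no_log: true` to the login and list tasks, and drop or guard the `debug` of secret data. The token registered in `login_data` is never consumed: the lookup that passes `token=prout` should use `token={{ login_data.login.auth.client_token }}` instead of a literal, and `auth_method: userpass` on the login task disagrees with the `ldap` method the list task uses, so one of them is presumably wrong. One commented line in this hunk contains what appears to be a literal Vault token (`hvs.…`); whether this commit adds or removes that line, it is in history and should be revoked.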