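---
# Backup playbook: pulls selected config files from the `tower` host and
# commits them to a Gitea repository on the controller.
#
# Flow (all credential handling runs on the controller via delegate_to):
#   1. install the Bitwarden CLI, log in with an API key and unlock the vault
#   2. read the Gitea repository token from Bitwarden
#   3. clone the backup repo, fetch the config files into it, commit and push
#   4. log the Bitwarden CLI out again
#
# Every task whose arguments or output carry a secret (session key, Gitea
# token) is marked no_log so the values do not reach the Ansible log.
- hosts: tower
  # vars:
  # become: true
  gather_facts: false
  vars:
    # Variables taken from the environment. NOTE(review): despite the original
    # comment calling these "non-sensitive", bw_client_secret and
    # bw_client_password are credentials; keep them out of shell history and
    # CI logs (e.g. a protected environment or ansible-vault).
    vaultwarden_url: "{{ lookup('env', 'vaultwarden_url') }}"
    bw_client_secret: "{{ lookup('env', 'bw_client_secret') }}"
    bw_client_password: "{{ lookup('env', 'bw_client_password') }}"
    bw_client_id: "{{ lookup('env', 'bw_client_id') }}"
    user_mail: "{{ lookup('env', 'mail') }}"
    user: "{{ lookup('env', 'username') }}"
    # Bitwarden item id of the gitea-repository-rw token
    bw_requested_password_id: "{{ lookup('env', 'bw_requested_password_id') }}"
    dockerapps_path: /opt/dockerapps
    gitea_conf: /appdata/gitea/gitea/
    gitea_db: /appdata/gitea/gitea-db/gitea-db-pg.sql
    # user: sgratias
    # user_mail: stephane.gratiasquiquandon@gmail.com

  tasks:
    ############
    ###! DOCKER COMPOSE FILE
    ############
    # curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
    # apk add --no-cache rust
    # pip install bitwarden-sdk / cargo
    # export BWS_ACCESS_TOKEN=
    # database_password: "{{ lookup('bitwarden.secrets.lookup', '') }}"

    #! SECRETS
    # Installs the CLI on the controller (Alpine image assumed: apk + npm).
    - name: Install Bitwarden CLI
      ansible.builtin.command:
        cmd: "{{ item }}"
      delegate_to: localhost
      loop:
        - apk add --no-cache nodejs npm
        - npm install -g @bitwarden/cli

    # Start from a clean state; fails harmlessly when nobody is logged in.
    - name: Log out any previous Bitwarden session
      ansible.builtin.command:
        cmd: bw logout
      delegate_to: localhost
      ignore_errors: true
      changed_when: false

    # `bw unlock --raw` prints the session key on stdout, which is registered
    # below and reused by the next task; hence no_log on this whole task.
    # command (not shell) is enough here: no pipes, globs or redirections.
    - name: Bitwarden token session
      ansible.builtin.command:
        cmd: "{{ item }}"
      environment:
        BW_CLIENTID: "{{ bw_client_id }}"
        BW_CLIENTSECRET: "{{ bw_client_secret }}"
        BW_PASSWORD: "{{ bw_client_password }}"
      loop:
        - "bw config server {{ vaultwarden_url }}"
        - bw login --apikey
        - bw unlock --passwordenv BW_PASSWORD --raw
      delegate_to: localhost
      register: bw_session_result
      no_log: true

    # results[-1] is the `bw unlock --raw` entry, i.e. the session key.
    - name: Get secret from Bitwarden
      ansible.builtin.command:
        argv:
          - bw
          - get
          - password
          - "{{ bw_requested_password_id }}"
          - --session
          - "{{ bw_session_result.results[-1].stdout | trim }}"
      delegate_to: localhost
      register: gitea_token_result
      no_log: true
      changed_when: false

    # - name: Return all secrets from a path
    #   ansible.builtin.debug:
    #     msg: "{{ gitea_token_result.stdout }}"
    #   delegate_to: localhost

    - name: Expose the Gitea token as a fact
      ansible.builtin.set_fact:
        gitea_token: "{{ gitea_token_result.stdout | trim }}"
      no_log: true
      delegate_to: localhost
    #! SECRETS

    # The token is embedded in the repo URL, so module arguments must not be
    # logged (they are printed verbatim on failure otherwise).
    - name: Clone the backup repository
      ansible.builtin.git:
        repo: "https://{{ user }}:{{ gitea_token }}@gitea.jingoh.fr/{{ user }}/backup.git"
        dest: "{{ playbook_dir }}/backup"
        single_branch: true
        force: true
      delegate_to: localhost
      no_log: true

    # fetch with a directory dest stores each file under dest/<inventory_hostname>/<path>.
    - name: Fetch config files from the host into the backup checkout
      ansible.builtin.fetch:
        src: "{{ item }}"
        dest: "{{ playbook_dir }}/backup/"
      register: fetch_files_backup
      loop:
        #! Docker-compose
        - /opt/dockerapps/docker-compose.yml
        # #! Dex & traefik-forward
        # - /opt/dockerapps/appdata/dex/config.yml
        # - /opt/dockerapps/appdata/dex/traefik-auth-conf.env
        #! Gitea & Runner
        - /opt/dockerapps/appdata/gitea/gitea/gitea/conf/app.ini
        - /opt/dockerapps/appdata/gitea/runner/config.yaml
        # - /opt/dockerapps/appdata/gitea/runner/act_runner/.runner
        #! Notification
        - /opt/dockerapps/appdata/alert/config/alertmanager.yml
        #! Homepage
        - /opt/dockerapps/appdata/homepage/homepage/bookmarks.yaml
        - /opt/dockerapps/appdata/homepage/homepage/services.yaml
        - /opt/dockerapps/appdata/homepage/homepage/settings.yaml
        #! Semaphore
        - /opt/dockerapps/appdata/semaphore/config/config.json
        # #! Alertmanager
        # - /opt/dockerapps/appdata/alertmanager/config/alertmanager.yml
        # #! ALertmanager 2 ntfy
        # - /opt/dockerapps/appdata/ntfy_alertmanager/etc/config
        #! Grafana
        - /opt/dockerapps/appdata/grafana/grafana.ini
        - /opt/dockerapps/appdata/grafana/ldap.toml
        #! prometheus
        - /opt/dockerapps/appdata/prometheus/prometheus/prometheus.yml
        - /opt/dockerapps/appdata/prometheus/prometheus/alerts_system.yml
        - /opt/dockerapps/appdata/prometheus/prometheus/alerts_network.yml
        # - /opt/dockerapps/appdata/prometheus/prometheus/alerts_internal.yml
        - /opt/dockerapps/appdata/prometheus/prometheus/promtool_test.yml
        # #! bind
        # - /opt/dockerapps/appdata/bind/config/named.conf
        # - /opt/dockerapps/appdata/bind/records/example.com.zone
        # - /opt/dockerapps/appdata/bind/records/jingoh.private.zone
        # #! crowdsec
        # - /opt/dockerapps/appdata/crowdsec/crowdsec/parsers/s01-parse/tcpudp-flood-traefik.yaml
        # - /opt/dockerapps/appdata/crowdsec/crowdsec/acquis.yaml
        # - /opt/dockerapps/appdata/crowdsec/dashboard/docker/Dockerfile
        # #! filebeat (kafka)
        # - /opt/dockerapps/appdata/kafka/filebeat.yml
        #! ldap
        - /opt/dockerapps/appdata/ldap/data/lldap_config.toml
        #! sftp
        - /opt/dockerapps/appdata/sftp/config/sftpgo.json
        # #! vault_sync_ldap
        # - /opt/dockerapps/appdata/vault_sync_ldap/jingoh.config.toml
        # #! vault
        # - /opt/dockerapps/appdata/vaultwarden/config.json
        #! wg portal
        - /opt/dockerapps/appdata/wg-portal/config/config.yml
        # #! mailserver
        # - /opt/dockerapps/appdata/mailserver/etc/config.toml
        #! gatus
        - /opt/dockerapps/appdata/gatus/config.yml
        #! syncthing
        - /opt/dockerapps/appdata/syncthing/config/config.xml
        #! authelia
        - /opt/dockerapps/appdata/authelia/config/configuration.yml
        #! sliver
        - /opt/dockerapps/appdata/sliver/statics/index.html
        - /opt/dockerapps/appdata/sliver/statics/favicon.ico
        - /opt/dockerapps/appdata/sliver/statics/robots.txt
        - /opt/dockerapps/appdata/sliver/statics/sitemap.xml
        # - /opt/dockerapps/appdata/sliver/operators/sgratias_ops.jingoh.fr.cfg

    # set -e so an early failure (e.g. git add) is not masked by a later
    # command's exit code; the commit is skipped when nothing changed instead
    # of failing the play. The push URL carries the token -> no_log.
    - name: Push backup to git
      ansible.builtin.shell: |
        set -e
        git config user.email "{{ user_mail }}"
        git config user.name "{{ user }}"
        git add .
        if ! git diff --cached --quiet; then
          git commit -m "Push Backup with access gitea_token"
        fi
        git push https://{{ user }}:{{ gitea_token }}@gitea.jingoh.fr/{{ user }}/backup.git
      args:
        chdir: "{{ playbook_dir }}/backup/"
      run_once: true
      delegate_to: localhost
      no_log: true

    # #############
    # #! GITEA
    # ############
    # - ansible.builtin.pip:
    #     name: requests
    # - ansible.builtin.file:
    #     path: "{{ dockerapps_path }}/backup/gitea"
    #     state: directory
    #     # mode: '0755'
    # #/opt/dockerapps/appdata/gitea/gitea/gitea-dump-*.zip
    # - name: DUMP gitea conf
    #   community.docker.docker_container_exec:
    #     container: gitea
    #     command: gitea dump -c /data/gitea/conf/app.ini
    #     user: git
    #     chdir: /data
    # - ansible.builtin.find:
    #     paths: "{{ dockerapps_path }}{{ gitea_conf }}"
    #     patterns: 'gitea-dump-*.zip'
    #   register: result_gitea_conf
    # - name: Print stdout
    #   ansible.builtin.debug:
    #     var: result_gitea_conf
    # - name: Copy file with owner and permissions
    #   ansible.builtin.copy:
    #     src: "{{ item.path }}"
    #     dest: "{{ dockerapps_path }}/backup/gitea/{{ item.path.split('/')[-1]}}"
    #     remote_src: true
    #   loop: "{{ result_gitea_conf.files }}"
    #   # owner: foo
    #   # group: foo
    #   # mode: '0644'
    # - name: Remove old gitea-dump
    #   ansible.builtin.file:
    #     path: "{{ item.path }}"
    #     state: absent
    #   loop: "{{ result_gitea_conf.files }}"
    # #! need root
    # # root@scaleway:/opt/dockerapps/appdata/gitea/gitea-db/gitea-db-pg.sql
    # - name: PG_DUMP postgresql db
    #   community.docker.docker_container_exec:
    #     container: gitea-db
    #     command: pg_dump -U root gitea -f /var/lib/postgresql/data/gitea-db-pg.sql
    #     # chdir: "{{ dockerapps_path }}"
    #   register: result_gitea_db
    # # - ansible.builtin.debug:
    # #     var: result_gitea_db.stdout
    # - name: Copy file with owner and permissions
    #   become: true
    #   ansible.builtin.copy:
    #     src: "{{ dockerapps_path }}{{ gitea_db }}"
    #     dest: "{{ dockerapps_path }}/backup/gitea/{{ gitea_db.split('/')[-1] }}"
    #     remote_src: true
    # - ansible.builtin.file:
    #     path: "{{ dockerapps_path }}/backup"
    #     state: directory
    #     mode: 0755
    #     recurse: true
    #   become: true

    # Do not leave an authenticated CLI behind on the controller once the
    # token has been used.
    - name: Log out of Bitwarden
      ansible.builtin.command:
        cmd: bw logout
      delegate_to: localhost
      ignore_errors: true
      changed_when: false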