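---
# Backup play for the "tower" host.
#
# Flow: obtain a Gitea access token from Vaultwarden through the Bitwarden CLI
# (on the controller), clone the backup repository, fetch service configuration
# files from the managed host into that clone and push them, then dump the
# Gitea instance and its PostgreSQL database into the host-side backup tree.
#
# Every task that places the Gitea token or the Bitwarden session key in a
# command line, URL or registered result runs with no_log so the secret does
# not end up in play output or callback logs.
- hosts: tower
  # vars:
  # become: true
  gather_facts: false
  vars:
    # Variables taken from the controller environment (non-sensitive names,
    # sensitive values)
    vaultwarden_url: "https://vault.jingoh.fr"
    bw_client_secret: "{{ lookup('env', 'bw_client_secret') }}"
    bw_client_password: "{{ lookup('env', 'bw_client_password') }}"
    bw_client_id: "{{ lookup('env', 'bw_client_id') }}"
    user_mail: "{{ lookup('env', 'mail') }}"
    user: "{{ lookup('env', 'username') }}"
    # Vaultwarden item holding the full-access Gitea token
    bw_requested_password_id: "34fe88a0-e9f0-42d1-9433-f75787327f4e"
    dockerapps_path: /opt/dockerapps
    gitea_conf: /appdata/gitea/gitea/
    gitea_db: /appdata/gitea/gitea-db/gitea-db-pg.sql
    # user: sgratias
    # user_mail: stephane.gratiasquiquandon@gmail.com

  tasks:
    ############
    ###! DOCKER COMPOSE FILE
    ############
    # curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
    # apk add --no-cache rust
    # pip install bitwarden-sdk / cargo
    # export BWS_ACCESS_TOKEN=
    # database_password: "{{ lookup('bitwarden.secrets.lookup', '') }}"

    #! SECRETS
    - name: Install Bitwarden CLI
      ansible.builtin.command:
        cmd: "{{ item }}"
      delegate_to: localhost
      loop:
        - apk add --no-cache nodejs npm
        - npm install -g @bitwarden/cli

    - name: Drop any stale Bitwarden CLI session
      ansible.builtin.command:
        cmd: bw logout
      delegate_to: localhost
      # Best effort: bw logout fails when nothing is logged in.
      ignore_errors: true

    - name: Bitwarden token session
      ansible.builtin.shell: "{{ item }}"
      environment:
        BW_CLIENTID: "{{ bw_client_id }}"
        BW_CLIENTSECRET: "{{ bw_client_secret }}"
        BW_PASSWORD: "{{ bw_client_password }}"
      loop:
        - bw config server {{ vaultwarden_url }}
        - bw login --apikey
        - bw unlock --passwordenv BW_PASSWORD --raw
      delegate_to: localhost
      register: bw_session_result
      # results[-1].stdout is the raw session key; keep it out of play output.
      no_log: true

    - name: Get secret from Bitwarden
      ansible.builtin.command:
        argv:
          - bw
          - get
          - password
          - "{{ bw_requested_password_id }}"
          - --session
          - "{{ bw_session_result.results[-1].stdout | trim }}"
      delegate_to: localhost
      register: gitea_token_result
      no_log: true
      changed_when: false

    # - name: Return all secrets from a path
    #   ansible.builtin.debug:
    #     msg: "{{ gitea_token_result.stdout }}"
    #   delegate_to: localhost

    - name: Store the Gitea token as a fact
      ansible.builtin.set_fact:
        gitea_token: "{{ gitea_token_result.stdout | trim }}"
      no_log: true
      delegate_to: localhost
    #! SECRETS

    - name: Clone the backup repository
      ansible.builtin.git:
        repo: "https://{{ user }}:{{ gitea_token }}@gitea.jingoh.fr/{{ user }}/backup.git"
        dest: "{{ playbook_dir }}/backup"
        single_branch: true
        force: true
      delegate_to: localhost
      # The repo URL embeds the token and module errors echo the URL.
      no_log: true

    # NOTE(review): several of the files below (app.ini, configuration.yml,
    # the *.json / *.toml configs, the sliver operator .cfg) are likely to
    # carry credentials; the destination repository has to stay private.
    - name: Fetch service configuration files from the host
      ansible.builtin.fetch:
        src: "{{ item }}"
        dest: "{{ playbook_dir }}/backup/"
      register: fetch_files_backup
      loop:
        #! Docker-compose
        - /opt/dockerapps/docker-compose.yml
        # #! Dex & traefik-forward
        # - /opt/dockerapps/appdata/dex/config.yml
        # - /opt/dockerapps/appdata/dex/traefik-auth-conf.env
        #! Gitea & Runner
        - /opt/dockerapps/appdata/gitea/gitea/gitea/conf/app.ini
        - /opt/dockerapps/appdata/gitea/runner/config.yaml
        # - /opt/dockerapps/appdata/gitea/runner/act_runner/.runner
        #! Notification
        - /opt/dockerapps/appdata/alert/config/alertmanager.yml
        #! Homepage
        - /opt/dockerapps/appdata/homepage/homepage/bookmarks.yaml
        - /opt/dockerapps/appdata/homepage/homepage/services.yaml
        - /opt/dockerapps/appdata/homepage/homepage/settings.yaml
        #! Semaphore
        - /opt/dockerapps/appdata/semaphore/config/config.json
        #! Alertmanager
        - /opt/dockerapps/appdata/alertmanager/config/alertmanager.yml
        #! Alertmanager 2 ntfy
        - /opt/dockerapps/appdata/ntfy_alertmanager/etc/config
        #! Grafana
        - /opt/dockerapps/appdata/grafana/grafana.ini
        - /opt/dockerapps/appdata/grafana/ldap.toml
        #! prometheus
        - /opt/dockerapps/appdata/prometheus/prometheus/prometheus.yml
        - /opt/dockerapps/appdata/prometheus/prometheus/alerts_system.yml
        - /opt/dockerapps/appdata/prometheus/prometheus/alerts_network.yml
        # - /opt/dockerapps/appdata/prometheus/prometheus/alerts_internal.yml
        - /opt/dockerapps/appdata/prometheus/prometheus/promtool_test.yml
        # #! bind
        # - /opt/dockerapps/appdata/bind/config/named.conf
        # - /opt/dockerapps/appdata/bind/records/example.com.zone
        # - /opt/dockerapps/appdata/bind/records/jingoh.private.zone
        # #! crowdsec
        # - /opt/dockerapps/appdata/crowdsec/crowdsec/parsers/s01-parse/tcpudp-flood-traefik.yaml
        # - /opt/dockerapps/appdata/crowdsec/crowdsec/acquis.yaml
        # - /opt/dockerapps/appdata/crowdsec/dashboard/docker/Dockerfile
        # #! filebeat (kafka)
        # - /opt/dockerapps/appdata/kafka/filebeat.yml
        #! ldap
        - /opt/dockerapps/appdata/ldap/data/lldap_config.toml
        #! sftp
        - /opt/dockerapps/appdata/sftp/config/sftpgo.json
        #! vault_sync_ldap
        - /opt/dockerapps/appdata/vault_sync_ldap/jingoh.config.toml
        #! vault
        - /opt/dockerapps/appdata/vaultwarden/config.json
        #! wg portal
        - /opt/dockerapps/appdata/wg-portal/config/config.yml
        # #! mailserver
        # - /opt/dockerapps/appdata/mailserver/etc/config.toml
        #! gatus
        - /opt/dockerapps/appdata/gatus/config.yml
        #! syncthing
        - /opt/dockerapps/appdata/syncthing/config/config.xml
        #! authelia
        - /opt/dockerapps/appdata/authelia/config/configuration.yml
        #! sliver
        - /opt/dockerapps/appdata/sliver/statics/index.html
        - /opt/dockerapps/appdata/sliver/statics/favicon.ico
        - /opt/dockerapps/appdata/sliver/statics/robots.txt
        - /opt/dockerapps/appdata/sliver/statics/sitemap.xml
        - /opt/dockerapps/appdata/sliver/operators/sgratias_ops.jingoh.fr.cfg

    - name: Push backup to git
      ansible.builtin.shell: |
        git config user.email "{{ user_mail }}"
        git config user.name "{{ user }}"
        git add .
        # Commit only when the index changed: an empty commit exits 1 and
        # would fail the whole task on a run with no new content.
        git diff --cached --quiet || git commit -m "Push Backup with access gitea_token"
        git push https://{{ user }}:{{ gitea_token }}@gitea.jingoh.fr/{{ user }}/backup.git
      args:
        chdir: "{{ playbook_dir }}/backup/"
      run_once: true
      delegate_to: localhost
      # The push URL embeds the token and a failing shell task echoes the
      # command line.
      no_log: true

    #############
    #! GITEA
    ############
    - name: Ensure the requests library is available
      ansible.builtin.pip:
        name: requests

    - name: Create the gitea backup directory
      ansible.builtin.file:
        path: "{{ dockerapps_path }}/backup/gitea"
        state: directory
        # mode: '0755'

    # /opt/dockerapps/appdata/gitea/gitea/gitea-dump-*.zip
    - name: DUMP gitea conf
      community.docker.docker_container_exec:
        container: gitea
        command: gitea dump -c /data/gitea/conf/app.ini
        user: git
        chdir: /data

    - name: Locate the gitea dump archives
      ansible.builtin.find:
        paths: "{{ dockerapps_path }}{{ gitea_conf }}"
        patterns: 'gitea-dump-*.zip'
      register: result_gitea_conf

    - name: Print stdout
      ansible.builtin.debug:
        var: result_gitea_conf

    - name: Copy gitea dump archives into the backup directory
      ansible.builtin.copy:
        src: "{{ item.path }}"
        # basename == item.path.split('/')[-1]
        dest: "{{ dockerapps_path }}/backup/gitea/{{ item.path | basename }}"
        remote_src: true
      loop: "{{ result_gitea_conf.files }}"
      # owner: foo
      # group: foo
      # mode: '0644'

    - name: Remove old gitea-dump
      ansible.builtin.file:
        path: "{{ item.path }}"
        state: absent
      loop: "{{ result_gitea_conf.files }}"

    #! need root
    # root@scaleway:/opt/dockerapps/appdata/gitea/gitea-db/gitea-db-pg.sql
    - name: PG_DUMP postgresql db
      community.docker.docker_container_exec:
        container: gitea-db
        command: pg_dump -U root gitea -f /var/lib/postgresql/data/gitea-db-pg.sql
        # chdir: "{{ dockerapps_path }}"
      register: result_gitea_db

    # - ansible.builtin.debug:
    #     var: result_gitea_db.stdout

    - name: Copy the PostgreSQL dump into the backup directory
      become: true
      ansible.builtin.copy:
        src: "{{ dockerapps_path }}{{ gitea_db }}"
        dest: "{{ dockerapps_path }}/backup/gitea/{{ gitea_db | basename }}"
        remote_src: true

    # NOTE(review): the backup tree now holds a plaintext SQL dump of the
    # Gitea database; 0755 makes it world-traversable — consider a tighter
    # mode if other local users exist on the host.
    - name: Fix backup directory permissions
      ansible.builtin.file:
        path: "{{ dockerapps_path }}/backup"
        state: directory
        mode: "0755"
        recurse: true
      become: true

    # NOTE(review): this only runs when every task above succeeded; a
    # block/always around the Bitwarden session would guarantee the logout.
    - name: logout bw
      ansible.builtin.command:
        cmd: bw logout
      delegate_to: localhost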