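---
# Deploys a MySQL pod on `localtest` through the linux-system-roles.podman role.
# Before the role runs, pre_tasks (all delegated to the controller) install the
# Bitwarden CLI, open a Vaultwarden session and pull one password item (a Gitea
# token) into the fact `gitea_token`.
- hosts: localtest
  become: true
  vars:
    #! SECRETS
    # NOTE(review): every task under pre_tasks references these variables
    # (vaultwarden_url, bw_client_id, bw_client_secret, bw_client_password,
    # bw_requested_password_id). With them commented out they must be supplied
    # another way (-e, inventory, ansible-vault, or by uncommenting the env
    # lookups) or the play fails with "undefined variable" at
    # "bitwarden token session". The env lookups run on the controller.
    # vaultwarden_url: "{{ lookup('env', 'vaultwarden_url') }}"
    # bw_client_secret: "{{ lookup('env', 'bw_client_secret') }}"
    # bw_client_password: "{{ lookup('env', 'bw_client_password') }}"
    # bw_client_id: "{{ lookup('env', 'bw_client_id') }}"
    # user_mail: "{{ lookup('env', 'mail') }}"
    # user: "{{ lookup('env', 'username') }}"
    #
    # Token full access gitea
    # bw_requested_password_id: "{{ lookup('env', 'bw_requested_password_id') }}"

    #! PODS
    # podman_registries_conf:
    #   aliases:
    #     myregistry: quay.io
    # podman_registry_username: test
    # podman_registry_password: test
    podman_create_host_directories: true
    # podman_firewall:
    #   - port: 8080-8081/tcp
    #     state: enabled
    #   - port: 12340/tcp
    #     state: enabled
    # podman_selinux_ports:
    #   - ports: 8080-8081
    #     setype: http_port_t
    podman_kube_specs:
      - state: started
        run_as_user: bot
        run_as_group: bot
        kube_file_content:
          apiVersion: v1
          kind: Pod
          metadata:
            name: db
          spec:
            containers:
              - name: db
                # NOTE(review): a floating major tag; pin a digest
                # (docker.io/mysql@sha256:...) so the deployed image is
                # reproducible and cannot change underneath the host.
                image: docker.io/mysql:9
                # NOTE(review): no `env` is set. The official mysql image
                # expects a root-password variable (MYSQL_ROOT_PASSWORD or one
                # of its alternatives) and would normally be fed from a podman
                # secret such as the commented mysql-root-password-kube example
                # below -- confirm the container actually starts as-is.
                ports:
                  # NOTE(review): 1234 is not MySQL's default listener (3306);
                  # confirm the server is configured to listen there.
                  - containerPort: 1234
                    # hostPort without a hostIP binds on every host interface,
                    # and the matching podman_firewall entry above is commented
                    # out -- confirm this exposure is intended.
                    hostPort: 12340
                volumeMounts:
                  # ":Z" is the podman kube-play extension requesting an
                  # SELinux relabel of the host path.
                  # NOTE(review): MySQL's default datadir is /var/lib/mysql;
                  # unless datadir is reconfigured, data under /var/lib/db is
                  # not the database -- verify persistence.
                  - mountPath: /var/lib/db:Z
                    name: db
            volumes:
              - name: db
                hostPath:
                  path: /var/lib/db
    # podman_secrets:
    #   - name: mysql-root-password-container
    #     state: present
    #     skip_existing: true
    #     data: "{{ root_password_from_vault }}"
    #   - name: mysql-root-password-kube
    #     state: present
    #     skip_existing: true
    #     data: |
    #       apiVersion: v1
    #       data:
    #         password: "{{ root_password_from_vault | b64encode }}"
    #       kind: Secret
    #       metadata:
    #         name: mysql-root-password-kube
    #   - name: envoy-certificates
    #     state: present
    #     skip_existing: true
    #     data: |
    #       apiVersion: v1
    #       data:
    #         certificate.key: {{ key_from_vault | b64encode }}
    #         certificate.pem: {{ cert_from_vault | b64encode }}
    #       kind: Secret
    #       metadata:
    #         name: envoy-certificates
    #   - state: started
    #     run_as_user: webapp
    #     run_as_group: webapp
    #     kube_file_src: /path/to/webapp.yml

  #! SECRETS
  pre_tasks:
    # Runs on the controller (delegate_to) and, because of the play-level
    # become: true, as root there.
    # NOTE(review): @bitwarden/cli is installed unpinned, so every run pulls
    # whatever npm currently serves -- pin an exact version
    # (npm install -g @bitwarden/cli@<version>) to keep the controller's
    # secret-fetching tool reproducible.
    - name: Install Bitwarden CLI
      ansible.builtin.command:
        cmd: "{{ item }}"
      delegate_to: localhost
      loop:
        - apk add --no-cache nodejs npm
        - npm install -g @bitwarden/cli

    # Best-effort: `bw logout` exits non-zero when nobody is logged in, which
    # is the normal state on a fresh controller.
    - name: Clear any stale Bitwarden session
      ansible.builtin.command:
        cmd: bw logout
      delegate_to: localhost
      failed_when: false
      changed_when: false

    # argv (no shell) so a crafted vaultwarden_url cannot inject shell
    # metacharacters; no_log because the final `bw unlock --raw` prints the
    # session key to stdout and the whole loop result is registered.
    # Only the client id/secret/password are passed, via environment, as the
    # CLI expects (BW_CLIENTID / BW_CLIENTSECRET for --apikey, BW_PASSWORD for
    # --passwordenv).
    - name: bitwarden token session
      ansible.builtin.command:
        argv: "{{ item }}"
      environment:
        BW_CLIENTID: "{{ bw_client_id }}"
        BW_CLIENTSECRET: "{{ bw_client_secret }}"
        BW_PASSWORD: "{{ bw_client_password }}"
      loop:
        - ["bw", "config", "server", "{{ vaultwarden_url }}"]
        - ["bw", "login", "--apikey"]
        - ["bw", "unlock", "--passwordenv", "BW_PASSWORD", "--raw"]
      delegate_to: localhost
      register: bw_session_result
      no_log: true
      changed_when: false

    # The session key goes in BW_SESSION rather than `--session <key>` so it
    # does not appear in the controller's process list (ps / /proc/*/cmdline).
    # The last loop item above is the unlock, hence results[-1].
    - name: Get secret from Bitwarden
      ansible.builtin.command:
        argv:
          - bw
          - get
          - password
          - "{{ bw_requested_password_id }}"
      environment:
        BW_SESSION: "{{ bw_session_result.results[-1].stdout | trim }}"
      delegate_to: localhost
      register: gitea_token_result
      no_log: true
      changed_when: false

    # - name: Return all secrets from a path
    #   ansible.builtin.debug:
    #     msg: "{{ gitea_token_result.stdout }}"
    #   delegate_to: localhost

    - name: Expose the Gitea token as a fact
      ansible.builtin.set_fact:
        gitea_token: "{{ gitea_token_result.stdout | trim }}"
      no_log: true
      delegate_to: localhost

    # NOTE(review): nothing locks or logs out the vault afterwards, so the
    # controller keeps an unlocked-capable login until the next run's logout;
    # consider a final `bw lock` / `bw logout` task once the token is in hand.

  #! ROLES
  roles:
    #! By default, the files will be copied to or created in /etc/containers/systemd/$name.$type for root containers
    #! and $HOME/.config/containers/systemd/$name.$type for rootless containers, on the managed node.
    - name: linux-system-roles.podman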