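---
# Play: obtain a Gitea access token from a Vaultwarden instance through the
# Bitwarden CLI (bw) running on the controller, then log the CLI out again.
# The backup/Gitea-dump tasks further down are kept commented out as in the
# original file.
- hosts: tower
  # vars:
  # become: true
  gather_facts: false
  vars:
    # Values read from the controller's environment. Despite the original
    # "non-sensitive" label, bw_client_secret and bw_client_password are
    # credentials: keep them out of play output, registered-result dumps
    # and inventory.
    # NOTE(review): app_env reads the bw_client_id variable and is not used
    # by any active task below — looks like a copy-paste; confirm the
    # intended source.
    app_env: "{{ lookup('env', 'bw_client_id') }}"
    vaultwarden_url: "https://vault.jingoh.fr"
    bw_client_secret: "{{ lookup('env', 'bw_client_secret') }}"
    bw_client_password: "{{ lookup('env', 'bw_client_password') }}"
    bw_client_id: "{{ lookup('env', 'bw_client_id') }}"
    dockerapps_path: /opt/dockerapps
    gitea_conf: /appdata/gitea/gitea/
    gitea_db: /appdata/gitea/gitea-db/gitea-db-pg.sql
    user: sgratias
    user_mail: stephane.gratiasquiquandon@gmail.com
    # Vault-encrypted (vault id "prod"); only the ciphertext lives in VCS.
    token: !vault |
      $ANSIBLE_VAULT;1.2;AES256;prod
      30383538646164373137616166636632353964373362323735626239656337306139616265323138
      3834383331316466653565323632616163353964643637660a363262383461363234363738613034
      64383132373061653337313365333734646635396635313133613861303730303163383764653664
      6537633761353939330a356236623265383931643530316430303938303735306536343163323163
      62636236346362663036343765363830383738623563613161373637383239623134376163653662
      3565333032326133326232326633386332633639373862313463

  tasks:
    ############
    ###! DOCKER COMPOSE FILE
    ############
    # curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
    # apk add --no-cache rust
    # pip install bitwarden-sdk / cargo
    # export BWS_ACCESS_TOKEN=
    # database_password: "{{ lookup('bitwarden.secrets.lookup', '') }}"
    # #! ants - gouv
    # - debug:
    #     msg: "{{ lookup('bitwarden.secrets.lookup', 'cc0c7222-858d-44be-86ab-e0534b6f34a9') }}"
    #   delegate_to: localhost
    #   environment:
    #     BW_CLIENTID: "{{ bw_client_id }}"
    #     BWS_ACCESS_TOKEN: "{{ bw_client_secret }}"
    #     BW_PASSWORD: "{{ bw_client_password }}"
    # #! end test
    # - name: Check if bw is installed
    #   command: which bw
    #   register: bw_check
    #   ignore_errors: yes
    #   delegate_to: localhost
    #   changed_when: false
    #! script
    # - name: Install Bitwarden CLI
    #   ansible.builtin.command:
    #     cmd: "{{ item }}"
    #   delegate_to: localhost
    #   loop:
    #     - apk add --no-cache nodejs npm
    #     - npm install -g @bitwarden/cli
    # - ansible.builtin.command:
    #     cmd: bw logout
    #   delegate_to: localhost
    #   ignore_errors: true

    # Everything that holds a live bw session runs inside one block so the
    # `always` section logs the CLI out even when a step fails; otherwise a
    # failed run leaves an authenticated bw profile behind on the controller.
    - name: Fetch Gitea token from Vaultwarden
      delegate_to: localhost
      block:
        - name: bitwarden token session
          # command rather than shell: none of the items need shell
          # features, so they are not passed through /bin/sh.
          ansible.builtin.command: "{{ item }}"
          environment:
            BW_CLIENTID: "{{ bw_client_id }}"
            BW_CLIENTSECRET: "{{ bw_client_secret }}"
            BW_PASSWORD: "{{ bw_client_password }}"
          loop:
            - bw config server {{ vaultwarden_url }}
            - bw login --apikey
            - bw unlock --passwordenv BW_PASSWORD --raw
          register: bw_session_result
          # The last item prints the raw session key on stdout; without
          # no_log it ends up in the play output and in any dump of the
          # registered result.
          no_log: true

        - name: Report bitwarden session steps (return codes only)
          # Deliberately prints only rc values, never the registered result
          # itself, which carries the session key.
          ansible.builtin.debug:
            msg: "bw config/login/unlock rc: {{ bw_session_result.results | map(attribute='rc') | list }}"

        - name: Get secret from Bitwarden
          ansible.builtin.command:
            argv:
              - bw
              - get
              - password
              - "cc0c7222-858d-44be-86ab-e0534b6f34a9"
          environment:
            # Session key handed over via the environment instead of
            # `--session <key>`, so it is not visible in the process list
            # on the controller.
            BW_SESSION: "{{ bw_session_result.results[-1].stdout | trim }}"
          register: gitea_token_result
          # stdout is the secret itself; gitea_token_result.stdout must not
          # be printed by any later task.
          no_log: true
          changed_when: false

        - name: Report secret retrieval (return code only)
          ansible.builtin.debug:
            msg: "bw get password rc={{ gitea_token_result.rc }}"
      always:
        - name: logout
          ansible.builtin.command:
            cmd: bw logout
          # Logout must never fail the play (e.g. when login itself already
          # failed and there is nothing to log out of).
          failed_when: false

    # - name: Set BW_SESSION as environment variable globally
    #   ansible.builtin.set_fact:
    #     bw_session: "{{ bw_session_result.results[-1].stdout | trim }}"
    #   no_log: true
    # - name: bitwarden token session
    #   ansible.builtin.command:
    #     shell: bw unlock --passwordenv BW_PASSWORD --raw
    #   environment:
    #     BW_CLIENTID: "{{ bw_client_id }}"
    #     BW_CLIENTSECRET: "{{ bw_client_secret }}"
    #     BW_PASSWORD: "{{ bw_client_password }}"
    #   delegate_to: localhost
    # - name: Utiliser le lookup
    #   ansible.builtin.debug:
    #     msg: "{{ lookup('community.general.bitwarden', 'Token full access gitea', field='password', bw_session='{{ bw_session }}') }}"
    #   environment:
    #     BW_SESSION: "{{ bw_session }}"
    #   delegate_to: localhost
    # # - name: Return all secrets from a path
    # #   ansible.builtin.debug: "{{ bw_session }}"
    # - name: Return all secrets from a path
    #   delegate_to: localhost
    #   ansible.builtin.debug:
    #     msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=apps/data/postgres token=prout url=https://hash.jingoh.fr') }}"
    # - ansible.builtin.git:
    #     repo: https://{{ user }}:{{ token }}@gitea.jingoh.fr/{{ user }}/backup.git
    #     dest: "{{ playbook_dir }}/backup"
    #     single_branch: yes
    #     force: true
    #   delegate_to: localhost
    # - ansible.builtin.fetch:
    #     src: "{{ item }}"
    #     dest: "{{ playbook_dir }}/backup/"
    #   register: fetch_files_backup
    #   loop:
    #     #! Docker-compose
    #     - /opt/dockerapps/docker-compose.yml
    #     # #! Dex & traefik-forward
    #     # - /opt/dockerapps/appdata/dex/config.yml
    #     # - /opt/dockerapps/appdata/dex/traefik-auth-conf.env
    #     #! Gitea & Runner
    #     - /opt/dockerapps/appdata/gitea/gitea/gitea/conf/app.ini
    #     - /opt/dockerapps/appdata/gitea/runner/config.yaml
    #     # - /opt/dockerapps/appdata/gitea/runner/act_runner/.runner
    #     #! Notification
    #     - /opt/dockerapps/appdata/alert/config/alertmanager.yml
    #     #! Homepage
    #     - /opt/dockerapps/appdata/homepage/homepage/bookmarks.yaml
    #     - /opt/dockerapps/appdata/homepage/homepage/services.yaml
    #     - /opt/dockerapps/appdata/homepage/homepage/settings.yaml
    #     #! Semaphore
    #     - /opt/dockerapps/appdata/semaphore/config/config.json
    #     #! Alertmanager
    #     - /opt/dockerapps/appdata/alertmanager/config/alertmanager.yml
    #     #! ALertmanager 2 ntfy
    #     - /opt/dockerapps/appdata/ntfy_alertmanager/etc/config
    #     #! Grafana
    #     - /opt/dockerapps/appdata/grafana/grafana.ini
    #     - /opt/dockerapps/appdata/grafana/ldap.toml
    #     #! prometheus
    #     - /opt/dockerapps/appdata/prometheus/prometheus/prometheus.yml
    #     - /opt/dockerapps/appdata/prometheus/prometheus/alerts_system.yml
    #     - /opt/dockerapps/appdata/prometheus/prometheus/alerts_network.yml
    #     # - /opt/dockerapps/appdata/prometheus/prometheus/alerts_internal.yml
    #     - /opt/dockerapps/appdata/prometheus/prometheus/promtool_test.yml
    #     # #! bind
    #     # - /opt/dockerapps/appdata/bind/config/named.conf
    #     # - /opt/dockerapps/appdata/bind/records/example.com.zone
    #     # - /opt/dockerapps/appdata/bind/records/jingoh.private.zone
    #     # #! crowdsec
    #     # - /opt/dockerapps/appdata/crowdsec/crowdsec/parsers/s01-parse/tcpudp-flood-traefik.yaml
    #     # - /opt/dockerapps/appdata/crowdsec/crowdsec/acquis.yaml
    #     # - /opt/dockerapps/appdata/crowdsec/dashboard/docker/Dockerfile
    #     # #! filebeat (kafka)
    #     # - /opt/dockerapps/appdata/kafka/filebeat.yml
    #     #! ldap
    #     - /opt/dockerapps/appdata/ldap/data/lldap_config.toml
    #     #! sftp
    #     - /opt/dockerapps/appdata/sftp/config/sftpgo.json
    #     #! vault_sync_ldap
    #     - /opt/dockerapps/appdata/vault_sync_ldap/jingoh.config.toml
    #     #! vault
    #     - /opt/dockerapps/appdata/vaultwarden/config.json
    #     #! wg portal
    #     - /opt/dockerapps/appdata/wg-portal/config/config.yml
    #     # #! wg portal
    #     # - /opt/dockerapps/appdata/mailserver/etc/config.toml
    #     #! gatus
    #     - /opt/dockerapps/appdata/gatus/config.yml
    #     #! syncthing
    #     - /opt/dockerapps/appdata/syncthing/config/config.xml
    #     #! authelia
    #     - /opt/dockerapps/appdata/authelia/config/configuration.yml
    # - name: Push backup to git
    #   ansible.builtin.shell: |
    #     git config user.email "{{ user_mail }}"
    #     git config user.name "{{ user }}"
    #     git add .
    #     git commit -m "Push Backup with access token"
    #     git push https://{{ user }}:{{ token }}@gitea.jingoh.fr/{{ user }}/backup.git
    #   args:
    #     chdir: "{{ playbook_dir }}/backup/"
    #   run_once: true
    #   delegate_to: localhost
    # #############
    # #! GITEA
    # ############
    # - ansible.builtin.file:
    #     path: "{{ dockerapps_path }}/backup/gitea"
    #     state: directory
    #     # mode: '0755'
    # #/opt/dockerapps/appdata/gitea/gitea/gitea-dump-*.zip
    # - name: DUMP gitea conf
    #   community.docker.docker_container_exec:
    #     container: gitea
    #     command: gitea dump -c /data/gitea/conf/app.ini
    #     user: git
    #     chdir: /data
    # - ansible.builtin.find:
    #     paths: "{{ dockerapps_path }}{{ gitea_conf }}"
    #     patterns: 'gitea-dump-*.zip'
    #   register: result_gitea_conf
    # - name: Print stdout
    #   ansible.builtin.debug:
    #     var: result_gitea_conf
    # - name: Copy file with owner and permissions
    #   ansible.builtin.copy:
    #     src: "{{ item.path }}"
    #     dest: "{{ dockerapps_path }}/backup/gitea/{{ item.path.split('/')[-1]}}"
    #     remote_src: true
    #   loop: "{{ result_gitea_conf.files }}"
    #   # owner: foo
    #   # group: foo
    #   # mode: '0644'
    # - name: Remove old gitea-dump
    #   ansible.builtin.file:
    #     path: "{{ item.path }}"
    #     state: absent
    #   loop: "{{ result_gitea_conf.files }}"
    # #! need root
    # # root@scaleway:/opt/dockerapps/appdata/gitea/gitea-db/gitea-db-pg.sql
    # - name: PG_DUMP postgresql db
    #   community.docker.docker_container_exec:
    #     container: gitea-db
    #     command: pg_dump -U root gitea -f /var/lib/postgresql/data/gitea-db-pg.sql
    #     # chdir: "{{ dockerapps_path }}"
    #   register: result_gitea_db
    # - ansible.builtin.debug:
    #     var: result_gitea_db.stdout
    # - name: Copy file with owner and permissions
    #   become: true
    #   ansible.builtin.copy:
    #     src: "{{ dockerapps_path }}{{ gitea_db }}"
    #     dest: "{{ dockerapps_path }}/backup/gitea/{{ gitea_db.split('/')[-1] }}"
    #     remote_src: true
    # - ansible.builtin.file:
    #     path: "{{ dockerapps_path }}/backup"
    #     state: directory
    #     mode: 0755
    #     recurse: true
    #   become: true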