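---
# Provisions the `localtest` inventory host (with privilege escalation) using the
# linux-system-roles.podman role that follows this play header: a rootless MySQL
# pod runs as user/group `bot`, and before the roles run a token is fetched from a
# Bitwarden/Vaultwarden vault on the controller (every pre_task is delegated to
# localhost and the play-level `become: true` applies there as well).
#
# Required run-time vars (not defined in this file; the env lookups below are left
# commented out): vaultwarden_url, bw_client_id, bw_client_secret,
# bw_client_password, bw_requested_password_id.
- hosts: localtest
  become: true

  vars:
    #! SECRETS
    # Uncomment to source the vault credentials from the controller's environment.
    # vaultwarden_url: "{{ lookup('env', 'vaultwarden_url') }}"
    # bw_client_secret: "{{ lookup('env', 'bw_client_secret') }}"
    # bw_client_password: "{{ lookup('env', 'bw_client_password') }}"
    # bw_client_id: "{{ lookup('env', 'bw_client_id') }}"
    # user_mail: "{{ lookup('env', 'mail') }}"
    # user: "{{ lookup('env', 'username') }}"
    # # Token full access gitea
    # bw_requested_password_id: "{{ lookup('env', 'bw_requested_password_id') }}"

    #! PODS
    # podman_registries_conf:
    #   aliases:
    #     myregistry: quay.io
    # podman_registry_username: test
    # podman_registry_password: test

    # Let the role create the hostPath directories referenced by the kube specs.
    podman_create_host_directories: true

    # podman_firewall:
    #   - port: 8080-8081/tcp
    #     state: enabled
    #   - port: 12340/tcp
    #     state: enabled
    # podman_selinux_ports:
    #   - ports: 8080-8081
    #     setype: http_port_t

    podman_kube_specs:
      - state: started
        run_as_user: bot
        run_as_group: bot
        kube_file_content:
          apiVersion: v1
          kind: Pod
          metadata:
            name: db
          spec:
            containers:
              - name: db
                # NOTE(review): a major-version tag floats between runs; pin a full
                # version or digest for reproducible deploys. The official mysql
                # image is also expected to need a root-password setting to start
                # (see the commented podman_secrets below) — confirm.
                image: docker.io/mysql:9
                ports:
                  # NOTE(review): 1234 is not MySQL's default listener port (3306);
                  # confirm the server is configured to listen there.
                  - containerPort: 1234
                    hostPort: 12340
                volumeMounts:
                  # presumably the podman :Z SELinux relabel suffix — verify
                  - mountPath: /var/lib/db:Z
                    name: db
            volumes:
              - name: db
                hostPath:
                  path: /var/lib/db
      # Second kube spec example (file-based instead of inline content):
      # - state: started
      #   run_as_user: webapp
      #   run_as_group: webapp
      #   kube_file_src: /path/to/webapp.yml

    # podman_secrets:
    #   - name: mysql-root-password-container
    #     state: present
    #     skip_existing: true
    #     data: "{{ root_password_from_vault }}"
    #   - name: mysql-root-password-kube
    #     state: present
    #     skip_existing: true
    #     data: |
    #       apiVersion: v1
    #       data:
    #         password: "{{ root_password_from_vault | b64encode }}"
    #       kind: Secret
    #       metadata:
    #         name: mysql-root-password-kube
    #   - name: envoy-certificates
    #     state: present
    #     skip_existing: true
    #     data: |
    #       apiVersion: v1
    #       data:
    #         certificate.key: {{ key_from_vault | b64encode }}
    #         certificate.pem: {{ cert_from_vault | b64encode }}
    #       kind: Secret
    #       metadata:
    #         name: envoy-certificates

  #! SECRETS
  # All pre_tasks run on the controller (delegate_to: localhost).
  pre_tasks:
    # NOTE(review): command tasks always report "changed"; there is no
    # changed_when/creates guard here, so this re-runs on every play.
    - name: Install Bitwarden CLI
      ansible.builtin.command:
        cmd: "{{ item }}"
      delegate_to: localhost
      loop:
        - apk add --no-cache nodejs npm
        - npm install -g @bitwarden/cli

    - name: Reset any existing Bitwarden CLI login
      ansible.builtin.command:
        cmd: bw logout
      delegate_to: localhost
      # presumably tolerates the "not logged in" failure on a clean controller
      ignore_errors: true

    - name: Open a Bitwarden session
      ansible.builtin.shell:
        cmd: "{{ item }}"
      environment:
        BW_CLIENTID: "{{ bw_client_id }}"
        BW_CLIENTSECRET: "{{ bw_client_secret }}"
        BW_PASSWORD: "{{ bw_client_password }}"
      loop:
        # The URL is interpolated into a shell command line, so shell-quote it.
        - "bw config server {{ vaultwarden_url | quote }}"
        - bw login --apikey
        # --raw prints the session key; the next task reads results[-1].stdout,
        # so this must stay the last loop item.
        - bw unlock --passwordenv BW_PASSWORD --raw
      delegate_to: localhost
      register: bw_session_result
      # The registered stdout holds the session key; keep it out of the log
      # (this also hides per-item error output on failure).
      no_log: true

    - name: Get secret from Bitwarden
      ansible.builtin.command:
        # argv form: the item id and session key are passed without a shell.
        argv:
          - bw
          - get
          - password
          - "{{ bw_requested_password_id }}"
          - --session
          - "{{ bw_session_result.results[-1].stdout | trim }}"
      delegate_to: localhost
      register: gitea_token_result
      no_log: true
      changed_when: false

    # - name: Return all secrets from a path
    #   ansible.builtin.debug:
    #     msg: "{{ gitea_token_result.stdout }}"
    #   delegate_to: localhost

    - name: Expose the fetched secret as gitea_token
      ansible.builtin.set_fact:
        gitea_token: "{{ gitea_token_result.stdout | trim }}"
      no_log: true
      delegate_to: localhost
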
#! ROLES
roles:
#! By default, the files will be copied to or created in /etc/containers/systemd/$name.$type for root containers
#! and $HOME/.config/containers/systemd/$name.$type for rootless containers, on the managed node.
- name: linux-system-roles.podman |