Instructions
------------
-Copy SSH keys.
-
-```
-ssh-copy-id -i <path_to_ssh_key> <server_ip>
-```
-
-Execute the playbook.
-
```
-ansible-playbook turnup.yaml --extra-vars @<credentials_file>.yaml \
+ansible-playbook turnup.yaml \
+ --extra-vars token=<path_to_token_json> \
+ --extra-vars key=<path_to_fernet_key> \
--extra-vars ssh_key=<path_to_ssh_public_key> \
- --extra-vars key_file=<path_to_fernet_key> --ask-vault-password
+ --extra-vars default_user=<user>
```
+++ /dev/null
-# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
-# License: GPL-3.0 or later.
-
-- name: Download from Google Drive
- get_url:
- url: "https://www.googleapis.com/drive/v3/files/{{ item.uid }}?alt=media"
- headers:
- Authorization: "Bearer {{ access_token }}"
- dest: "/tmp/{{ item.uid }}"
-- name: Decrypt
- command: |
- python3 -c
- "
- from cryptography.fernet import Fernet
-
- encryption_key = Fernet('{{ key }}')
- with open('/tmp/{{ item.uid }}', 'rb') as in_file:
- token = encryption_key.decrypt(in_file.read())
- with open('/tmp/{{ item.name }}.zip', 'wb+') as outfile:
- outfile.write(token)
- "
-- name: Unarchive if necessary
- command: |
- python3 -c
- "
- import shutil
- import zipfile
-
- name = '/tmp/{{ item.name }}'
- archive = name + '.zip'
- if zipfile.is_zipfile(archive):
- shutil.unpack_archive(archive, extract_dir='/tmp', format='zip')
- else:
- shutil.move(archive, name)
- "
-- name: Ensure destination exists
- file:
- path: "{{ item.dest }}"
- state: directory
- become: true
-- name: Move to destination
- command: mv "/tmp/{{ item.name }}" "{{ item.dest }}/"
- args:
- creates: "{{ item.dest }}/{{ item.name }}"
- become: true
-- name: Stat destination
- stat:
- path: "{{ item.dest }}/{{ item.name }}"
- register: dest_file
-- name: Recursively set permissions at destination
- file:
- path: "{{ item.dest }}/{{ item.name }}"
- owner: "{{ item.owner }}"
- group: "{{ item.group }}"
- state: directory
- recurse: yes
- become: true
- when: dest_file.stat.isdir
-- name: Set permissions at destination
- file:
- path: "{{ item.dest }}/{{ item.name }}"
- owner: "{{ item.owner }}"
- group: "{{ item.group }}"
- become: true
- when: not dest_file.stat.isdir
+++ /dev/null
-# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
-# License: GPL-3.0 or later.
-
-- name: Print authentication URL
- debug:
- msg: "Please authenticate and grant permissions at https://accounts.google.com/o/oauth2/v2/auth?client_id={{ client_id }}&redirect_uri={{ redirect_uri }}&scope={{ scope }}&response_type=code"
-- name: Obtain authorization code
- pause:
- prompt: "Enter authentication code"
- register: code
-- name: Obtain authorization token
- uri:
- url: "https://accounts.google.com/o/oauth2/token"
- method: POST
- body:
- code: "{{ code.user_input }}"
- client_id: "{{ client_id }}"
- client_secret: "{{ client_secret }}"
- redirect_uri: "{{ redirect_uri }}"
- grant_type: "authorization_code"
- body_format: json
- status_code: 200
- register: token
-- name: Remember the access token
- set_fact:
- access_token: "{{ token.json.access_token }}"
--- /dev/null
+# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
+# License: GPL-3.0 or later.
+
+- name: Create directory {{ item.dest }}
+ file:
+ path: "{{ item.dest }}"
+ state: directory
+ become: true
+- name: Download {{ item.name }} to {{ item.dest }}
+ command: python3 -m gdrive_knife download --token {{ auth_token }} \
+ --key {{ encryption_key }} {{ item.name }} {{ item.dest }}
+ args:
+ creates: "{{ item.dest }}/{{ item.name }}"
+ become: true
+- name: Create user {{ item.owner }}
+ user:
+ name: "{{ item.owner }}"
+ become: true
+- stat:
+ path: "{{ item.dest }}/{{ item.name }}"
+ register: dest_file
+- name: Recursively set permissions for {{ item.dest }}/{{ item.name }}
+ file:
+ path: "{{ item.dest }}/{{ item.name }}"
+ owner: "{{ item.owner }}"
+ group: "{{ item.group }}"
+ state: directory
+ recurse: yes
+ become: true
+ when: dest_file.stat.isdir
+- name: Set permissions for {{ item.dest }}/{{ item.name }}
+ file:
+ path: "{{ item.dest }}/{{ item.name }}"
+ owner: "{{ item.owner }}"
+ group: "{{ item.group }}"
+ become: true
+ when: not dest_file.stat.isdir
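Review bot: The download task at lines 123–124 passes the OAuth token JSON and the Fernet key as arguments of a `command:` task that has no `no_log`, so both values land in Ansible's output whenever the task fails or runs under `-v`, and are visible in the process list of every target host for the duration of the download. The two-line plain scalar also keeps the trailing `\` as a literal token and hands a `to_nice_json` blob full of quotes and newlines to the module's shlex splitting, which will most likely mangle the arguments. Prefer the `argv` form so each value is one argument and mark the task `no_log: true`; if gdrive_knife can read `--token`/`--key` from files, copying them to a `0600` path and passing the path would also keep the secrets out of `ps`. The unnamed `stat` task at line 132 should get a `name:` like its siblings.
```yaml
- name: Download {{ item.name }} to {{ item.dest }}
  command:
    argv:
      - python3
      - -m
      - gdrive_knife
      - download
      - --token
      - "{{ auth_token }}"
      - --key
      - "{{ encryption_key }}"
      - "{{ item.name }}"
      - "{{ item.dest }}"
    creates: "{{ item.dest }}/{{ item.name }}"
  become: true
  no_log: true
# … unchanged: user creation, stat and permission tasks …
```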
--- /dev/null
+# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
+# License: GPL-3.0 or later.
+
+- hosts: servers
+ tasks:
+ - name: Install gdrive_knife
+ pip:
+ name: gdrive_knife
+ extra_args: --break-system-packages
+ state: latest
+ become: true
+ - include_tasks: download.yaml
+ with_items: "{{ inputs }}"
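Review bot: The pip task at lines 157–162 installs `gdrive_knife` with `state: latest` and `--break-system-packages` as root, so every run pulls whatever the index currently serves into the system interpreter with no version pin, and download.yaml then hands that package the Drive token and the Fernet key. Pin the release, e.g. `name: gdrive_knife==<version>` with `state: present`, so a replaced or compromised upload cannot silently change what runs as root; a `--require-hashes` constraints file would be stronger still. Installing into a dedicated `virtualenv:` would also avoid overwriting Debian-managed packages.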
-files:
- - name: "ca"
- uid: "1AJwbH8Nk6UUeVwovawgt6BUKejeVHk7c"
- dest: "/etc"
- owner: "root"
- group: "root"
- - name: "cv.git"
- uid: "1FaQioS2ozLzAsnBEqpAQ4XIafA9ZPCqY"
- dest: "/srv/git"
- owner: "git"
- group: "www-data"
- - name: "databases.sql"
- uid: "1fttpkqVMi6TJkfGKeoKSVxDlK44asdb4"
- dest: "/tmp"
- owner: "debian"
- group: "debian"
- - name: "dmenu.git"
- uid: "1mpk2ks6HIs8jJ-NiNH1Hdak2vDGBoPTP"
- dest: "/srv/git"
- owner: "git"
- group: "www-data"
- - name: "dwm.git"
- uid: "14OtbUj7pBXTkLIYtFhg6gQ9KwTU6mYOt"
- dest: "/srv/git"
- owner: "git"
- group: "www-data"
- - name: "gdrive_knife.git"
- uid: "1rafmbsbrgXxBjIyLhO1e1kj0NMOQC2Ng"
- dest: "/srv/git"
- owner: "git"
- group: "www-data"
- - name: "guix.git"
- uid: "1T3SWWCODrMDMJAFxocCSfQrWBVPp2H4X"
- dest: "/srv/git"
- owner: "git"
- group: "www-data"
- - name: "metadata.git"
- uid: "1UrLd8kiNncyR0cCxpZJtKWvAw3ygFyEw"
- dest: "/srv/git"
- owner: "git"
- group: "www-data"
- - name: "metadata_prod.git"
- uid: "1L5G_bXUC2QduZlPLhS4-wmOTNMxwgCXq"
- dest: "/srv/git"
- owner: "git"
- group: "www-data"
- - name: "notify.git"
- uid: "1JimiRQnm3drG8pSR_NrKs9q0ZXJ_KYzt"
- dest: "/srv/git"
- owner: "git"
- group: "www-data"
- - name: "opendkim"
- uid: "1Pwq9RLCr_P53H3c6_ZzxOwRZk1925sfR"
- dest: "/etc"
- owner: "opendkim"
- group: "opendkim"
- - name: "password_store.git"
- uid: "1ZWu643FJBuMF3ypj5VUsLin8rF7WWhmp"
- dest: "/srv/git"
- owner: "git"
- group: "www-data"
- - name: "private"
- uid: "14CQ169S7cY1rFH2rvHxIXxJWk4oNIktn"
- dest: "/srv/prod/storage"
- owner: "git"
- group: "git"
- - name: "server.git"
- uid: "1_ms-fjPR42hnofYr3u94ZBFwNkJ8g6aN"
- dest: "/srv/git"
- owner: "git"
- group: "www-data"
- - name: "server_prod.git"
- uid: "14_dakCbEZ9JhZ6DDq2FylNcAb0tKdU49"
- dest: "/srv/git"
- owner: "git"
- group: "www-data"
- - name: "st.git"
- uid: "1mM5I0hWNx0eAhHGreY82esfPJFMdWU9O"
- dest: "/srv/git"
- owner: "git"
- group: "www-data"
- - name: "storage_drive.git"
- uid: "13uT-NIo9auTi-8-8dp_n41jAcGxa4M3J"
- dest: "/srv/git"
- owner: "git"
- group: "www-data"
- - name: "storage_drive_prod.git"
- uid: "1l3y2ibXy9I7gIc8GpXDIsZL8jM3Y1XYy"
- dest: "/srv/git"
- owner: "git"
- group: "www-data"
- - name: "turnup.git"
- uid: "12olfracbi1AIcwVTMrBfqwbw6WmCtwzG"
- dest: "/srv/git"
- owner: "git"
- group: "www-data"
- - name: "vmail"
- uid: "1yIQJNczXX-YDPG7ws5CUYDs758AmOytJ"
- dest: "/var"
- owner: "vmail"
- group: "vmail"
- - name: "website.git"
- uid: "13RqrCYU0M-QcN-NWFEuSjPB8eNhTAWT3"
- dest: "/srv/git"
- owner: "git"
- group: "www-data"
- - name: "yt_dlp_server.git"
- uid: "1xIT5yzbk4N17xD4BV-df5swMVEHiUjey"
- dest: "/srv/git"
- owner: "git"
- group: "www-data"
- - name: "yt_dlp_server_prod.git"
- uid: "1cYjkQ_C21z5h2ji5LR2AnqNyUUflttGU"
- dest: "/srv/git"
- owner: "git"
- group: "www-data"
+- name: ca
+ dest: /etc
+ owner: root
+ group: root
+- name: cron.git
+ dest: /srv/git
+ owner: git
+ group: www-data
+- name: cv.git
+ dest: /srv/git
+ owner: git
+ group: www-data
+- name: database
+ dest: /tmp
+ owner: debian
+ group: debian
+- name: databases.git
+ dest: /srv/git
+ owner: git
+ group: www-data
+ group: www-data
+- name: dmenu.git
+ dest: /srv/git
+ owner: git
+ group: www-data
+- name: dwm.git
+ dest: /srv/git
+ owner: git
+ group: www-data
+- name: gdrive_knife.git
+ dest: /srv/git
+ owner: git
+ group: www-data
+- name: gdrive_proxy.git
+ dest: /srv/git
+ owner: git
+ group: www-data
+- name: guix.git
+ dest: /srv/git
+ owner: git
+ group: www-data
+- name: metadata.git
+ dest: /srv/git
+ owner: git
+ group: www-data
+- name: opendkim
+ dest: /etc
+ owner: opendkim
+ group: opendkim
+- name: passwords.git
+ dest: /srv/git
+ owner: git
+ group: www-data
+- name: private
+ dest: /srv/prod/gdrive_proxy
+ owner: git
+ group: git
+- name: server.git
+ dest: /srv/git
+ owner: git
+ group: www-data
+- name: st.git
+ dest: /srv/git
+ owner: git
+ group: www-data
+- name: turnup.git
+ dest: /srv/git
+ owner: git
+ group: www-data
+- name: vmail
+ dest: /var
+ owner: vmail
+ group: vmail
+- name: website.git
+ dest: /srv/git
+ owner: git
+ group: www-data
+- name: ydlpd.git
+ dest: /srv/git
+ owner: git
+ group: www-data
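Review bot: The `databases.git` entry at lines 297–301 carries `group: www-data` twice; YAML mapping keys must be unique, most loaders silently keep the last value, and Ansible's loader warns on it by default, so line 301 should be removed. Separately, every entry sets `owner`/`group` but nothing sets a `mode`, and `database` is placed in `/tmp` owned by `debian`; if that is a database dump, confirm the downloaded file is not left world-readable, since nothing in this listing restricts it.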
# License: GPL-3.0 or later.
- hosts: servers
- vars_files:
- - sources.yaml
tasks:
- - stat:
- path: "{{ item.dest }}/{{ item.name }}"
- with_items: "{{ files }}"
- register: files_stats
- - name: Finish if nothing is missing
- meta: end_play
- when: "files_stats.results | selectattr('stat.exists', 'equalto', False) \
- | length == 0"
- - name: Obtain an access token for Google Drive
- include_tasks: gdrive_auth.yaml
- vars:
- redirect_uri: "urn:ietf:wg:oauth:2.0:oob"
- scope: "https://www.googleapis.com/auth/drive.readonly"
- - name: Download from Google Drive if missing
- include_tasks: download.yaml
- vars:
- key: "{{ lookup('file', '{{ key_file }}') }}"
- with_items: "{{ files }}"
- when: "(item.dest + '/' + item.name) is not exists"
-
+ - set_fact:
+ auth_token: "{{ lookup('file', '{{ token }}') | to_nice_json }}"
+ encryption_key: "{{ lookup('file', '{{ key }}') }}"
+ inputs: "{{ lookup('file', 'sources.yaml') | from_yaml }}"
+ public_key: "{{ lookup('file', '{{ ssh_key }}') }}"
+ users:
+ - git
+ - "{{ default_user }}"
+- import_playbook: install/sources_from_drive.yaml
- import_playbook: install/ssl_certificates.yaml
-- name: Recreate database
- import_playbook: database.yaml
-
-
- hosts: servers
tasks:
- find: