From: Jakub Czajka Date: Fri, 1 Dec 2023 01:33:13 +0000 (+0100) Subject: Use gdrive_knife to download sources. X-Git-Url: https://git.ekhem.eu.org/?a=commitdiff_plain;h=e0fc2e8b99eb713dc98c16ae8e5306bfe0f220af;p=turnup.git Use gdrive_knife to download sources. --- diff --git a/README b/README index 88779e9..0f22b9a 100644 --- a/README +++ b/README @@ -13,16 +13,10 @@ ansible-galaxy collection install ansible.posix Instructions ------------ -Copy SSH keys. - -``` -ssh-copy-id -i -``` - -Execute the playbook. - ``` -ansible-playbook turnup.yaml --extra-vars @.yaml \ +ansible-playbook turnup.yaml \ + --extra-vars token= \ + --extra-vars key= \ --extra-vars ssh_key= \ - --extra-vars key_file= --ask-vault-password + --extra-vars default_user= ``` diff --git a/download.yaml b/download.yaml deleted file mode 100644 index 545f78e..0000000 --- a/download.yaml +++ /dev/null 
@@ -1,65 +0,0 @@
-# Copyright (c) 2023 Jakub Czajka
-# License: GPL-3.0 or later.
-
-- name: Download from Google Drive
- get_url:
- url: "https://www.googleapis.com/drive/v3/files/{{ item.uid }}?alt=media"
- headers:
- Authorization: "Bearer {{ access_token }}"
- dest: "/tmp/{{ item.uid }}"
-- name: Decrypt
- command: |
- python3 -c
- "
- from cryptography.fernet import Fernet
-
- encryption_key = Fernet('{{ key }}')
- with open('/tmp/{{ item.uid }}', 'rb') as in_file:
- token = encryption_key.decrypt(in_file.read())
- with open('/tmp/{{ item.name }}.zip', 'wb+') as outfile:
- outfile.write(token)
- "
-- name: Unarchive if necessary
- command: |
- python3 -c
- "
- import shutil
- import zipfile
-
- name = '/tmp/{{ item.name }}'
- archive = name + '.zip'
- if zipfile.is_zipfile(archive):
- shutil.unpack_archive(archive, extract_dir='/tmp', format='zip')
- else:
- shutil.move(archive, name)
- "
-- name: Ensure destination exists
- file:
- path: "{{ item.dest }}"
- state: directory
- become: true
-- name: Move to destination
- command: mv "/tmp/{{ item.name }}" "{{ item.dest }}/"
- args:
- creates: "{{ item.dest }}/{{ item.name }}"
- become: true
-- name: Stat destination
- stat:
- path: "{{ item.dest }}/{{ item.name }}"
- register: dest_file
-- name: Recursively set permissions at destination
- file:
- path: "{{ item.dest }}/{{ item.name }}"
- owner: "{{ item.owner }}"
- group: "{{ item.group }}"
- state: directory
- recurse: yes
- become: true
- when: dest_file.stat.isdir
-- name: Set permissions at destination
- file:
- path: "{{ item.dest }}/{{ item.name }}"
- owner: "{{ item.owner }}"
- group: "{{ item.group }}"
- become: true
- when: not dest_file.stat.isdir
diff --git a/gdrive_auth.yaml b/gdrive_auth.yaml
deleted file mode 100644
index 76a6f45..0000000
--- a/gdrive_auth.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-# Copyright (c) 2023 Jakub Czajka
-# License: GPL-3.0 or later.
-
-- name: Print authentication URL
- debug:
- msg: "Please authenticate and grant permissions at https://accounts.google.com/o/oauth2/v2/auth?client_id={{ client_id }}&redirect_uri={{ redirect_uri }}&scope={{ scope }}&response_type=code"
-- name: Obtain authorization code
- pause:
- prompt: "Enter authentication code"
- register: code
-- name: Obtain authorization token
- uri:
- url: "https://accounts.google.com/o/oauth2/token"
- method: POST
- body:
- code: "{{ code.user_input }}"
- client_id: "{{ client_id }}"
- client_secret: "{{ client_secret }}"
- redirect_uri: "{{ redirect_uri }}"
- grant_type: "authorization_code"
- body_format: json
- status_code: 200
- register: token
-- name: Remember the access token
- set_fact:
- access_token: "{{ token.json.access_token }}"
diff --git a/install/download.yaml b/install/download.yaml
new file mode 100644
index 0000000..9cde662
--- /dev/null
+++ b/install/download.yaml
@@ -0,0 +1,37 @@
+# Copyright (c) 2023 Jakub Czajka
+# License: GPL-3.0 or later.
+
+- name: Create directory {{ item.dest }}
+ file:
+ path: "{{ item.dest }}"
+ state: directory
+ become: true
+- name: Download {{ item.name }} to {{ item.dest }}
+ command: python3 -m gdrive_knife download --token {{ auth_token }} \
+ --key {{ encryption_key }} {{ item.name }} {{ item.dest }}
+ args:
+ creates: "{{ item.dest }}/{{ item.name }}"
+ become: true
+- name: Create user {{ item.owner }}
+ user:
+ name: "{{ item.owner }}"
+ become: true
+- stat:
+ path: "{{ item.dest }}/{{ item.name }}"
+ register: dest_file
+- name: Recursively set permissions for {{ item.dest }}/{{ item.name }}
+ file:
+ path: "{{ item.dest }}/{{ item.name }}"
+ owner: "{{ item.owner }}"
+ group: "{{ item.group }}"
+ state: directory
+ recurse: yes
+ become: true
+ when: dest_file.stat.isdir
+- name: Set permissions for {{ item.dest }}/{{ item.name }}
+ file:
+ path: "{{ item.dest }}/{{ item.name }}"
+ owner: "{{ item.owner }}"
+ group: "{{ item.group }}"
+ become: true
+ when: not dest_file.stat.isdir
diff --git a/install/sources_from_drive.yaml b/install/sources_from_drive.yaml
new file mode 100644
index 0000000..179810a
--- /dev/null
+++ b/install/sources_from_drive.yaml
@@ -0,0 +1,13 @@
+# Copyright (c) 2023 Jakub Czajka
+# License: GPL-3.0 or later.
+
+- hosts: servers
+ tasks:
+ - name: Install gdrive_knife
+ pip:
+ name: gdrive_knife
+ extra_args: --break-system-packages
+ state: latest
+ become: true
+ - include_tasks: download.yaml
+ with_items: "{{ inputs }}"
diff --git a/sources.yaml b/sources.yaml
index b6f3f99..9ba19b5 100644
--- a/sources.yaml
+++ b/sources.yaml
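Review bot: In the `Download {{ item.name }} to {{ item.dest }}` task the trailing `\` is not a line continuation inside a YAML plain scalar; the two lines are folded with a space, so the command string carries a literal backslash before `--key`, and since the command module splits its argument with shlex the escaped space is likely to end up glued onto the next token rather than being ignored. Write the value as a folded scalar without the backslash: `command: >-` / `python3 -m gdrive_knife download --token {{ auth_token }}` / `--key {{ encryption_key }} {{ item.name }} {{ item.dest }}`. The same task passes `auth_token` and `encryption_key` as command-line arguments with no `no_log`, so both values are printed in the task result and any Ansible log and are visible in the host's process list while the download runs; add `no_log: true` to the task and, if gdrive_knife supports it, prefer handing the secrets over via files or environment rather than argv. Smaller points: `recurse: yes` should be `recurse: true`, and the bare `- stat:` task deserves a `name:` like its siblings.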
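Review bot: The `Install gdrive_knife` task runs `pip` as root with `state: latest`, no `version:`, and `--break-system-packages`, so every playbook run installs whatever release is currently published under that name straight into the system interpreter; a pinned version (`version: "<pinned release>"` as a labelled placeholder here) and `state: present` keep the host reproducible and limit exposure to a bad or hijacked upstream release. Installing into a venv via the module's `virtualenv:` parameter would also remove the need for `--break-system-packages`. The `include_tasks` loop uses `with_items`, which flattens nested lists; `loop: "{{ inputs }}"` is the current idiom and does not.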
@@ -1,116 +1,81 @@ -files: - - name: "ca" - uid: "1AJwbH8Nk6UUeVwovawgt6BUKejeVHk7c" - dest: "/etc" - owner: "root" - group: "root" - - name: "cv.git" - uid: "1FaQioS2ozLzAsnBEqpAQ4XIafA9ZPCqY" - dest: "/srv/git" - owner: "git" - group: "www-data" - - name: "databases.sql" - uid: "1fttpkqVMi6TJkfGKeoKSVxDlK44asdb4" - dest: "/tmp" - owner: "debian" - group: "debian" - - name: "dmenu.git" - uid: "1mpk2ks6HIs8jJ-NiNH1Hdak2vDGBoPTP" - dest: "/srv/git" - owner: "git" - group: "www-data" - - name: "dwm.git" - uid: "14OtbUj7pBXTkLIYtFhg6gQ9KwTU6mYOt" - dest: "/srv/git" - owner: "git" - group: "www-data" - - name: "gdrive_knife.git" - uid: "1rafmbsbrgXxBjIyLhO1e1kj0NMOQC2Ng" - dest: "/srv/git" - owner: "git" - group: "www-data" - - name: "guix.git" - uid: "1T3SWWCODrMDMJAFxocCSfQrWBVPp2H4X" - dest: "/srv/git" - owner: "git" - group: "www-data" - - name: "metadata.git" - uid: "1UrLd8kiNncyR0cCxpZJtKWvAw3ygFyEw" - dest: "/srv/git" - owner: "git" - group: "www-data" - - name: "metadata_prod.git" - uid: "1L5G_bXUC2QduZlPLhS4-wmOTNMxwgCXq" - dest: "/srv/git" - owner: "git" - group: "www-data" - - name: "notify.git" - uid: "1JimiRQnm3drG8pSR_NrKs9q0ZXJ_KYzt" - dest: "/srv/git" - owner: "git" - group: "www-data" - - name: "opendkim" - uid: "1Pwq9RLCr_P53H3c6_ZzxOwRZk1925sfR" - dest: "/etc" - owner: "opendkim" - group: "opendkim" - - name: "password_store.git" - uid: "1ZWu643FJBuMF3ypj5VUsLin8rF7WWhmp" - dest: "/srv/git" - owner: "git" - group: "www-data" - - name: "private" - uid: "14CQ169S7cY1rFH2rvHxIXxJWk4oNIktn" - dest: "/srv/prod/storage" - owner: "git" - group: "git" - - name: "server.git" - uid: "1_ms-fjPR42hnofYr3u94ZBFwNkJ8g6aN" - dest: "/srv/git" - owner: "git" - group: "www-data" - - name: "server_prod.git" - uid: "14_dakCbEZ9JhZ6DDq2FylNcAb0tKdU49" - dest: "/srv/git" - owner: "git" - group: "www-data" - - name: "st.git" - uid: "1mM5I0hWNx0eAhHGreY82esfPJFMdWU9O" - dest: "/srv/git" - owner: "git" - group: "www-data" - - name: "storage_drive.git" - uid: 
"13uT-NIo9auTi-8-8dp_n41jAcGxa4M3J" - dest: "/srv/git" - owner: "git" - group: "www-data" - - name: "storage_drive_prod.git" - uid: "1l3y2ibXy9I7gIc8GpXDIsZL8jM3Y1XYy" - dest: "/srv/git" - owner: "git" - group: "www-data" - - name: "turnup.git" - uid: "12olfracbi1AIcwVTMrBfqwbw6WmCtwzG" - dest: "/srv/git" - owner: "git" - group: "www-data" - - name: "vmail" - uid: "1yIQJNczXX-YDPG7ws5CUYDs758AmOytJ" - dest: "/var" - owner: "vmail" - group: "vmail" - - name: "website.git" - uid: "13RqrCYU0M-QcN-NWFEuSjPB8eNhTAWT3" - dest: "/srv/git" - owner: "git" - group: "www-data" - - name: "yt_dlp_server.git" - uid: "1xIT5yzbk4N17xD4BV-df5swMVEHiUjey" - dest: "/srv/git" - owner: "git" - group: "www-data" - - name: "yt_dlp_server_prod.git" - uid: "1cYjkQ_C21z5h2ji5LR2AnqNyUUflttGU" - dest: "/srv/git" - owner: "git" - group: "www-data" +- name: ca + dest: /etc + owner: root + group: root +- name: cron.git + dest: /srv/git + owner: git + group: www-data +- name: cv.git + dest: /srv/git + owner: git + group: www-data +- name: database + dest: /tmp + owner: debian + group: debian +- name: databases.git + dest: /srv/git + owner: git + group: www-data + group: www-data +- name: dmenu.git + dest: /srv/git + owner: git + group: www-data +- name: dwm.git + dest: /srv/git + owner: git + group: www-data +- name: gdrive_knife.git + dest: /srv/git + owner: git + group: www-data +- name: gdrive_proxy.git + dest: /srv/git + owner: git + group: www-data +- name: guix.git + dest: /srv/git + owner: git + group: www-data +- name: metadata.git + dest: /srv/git + owner: git + group: www-data +- name: opendkim + dest: /etc + owner: opendkim + group: opendkim +- name: passwords.git + dest: /srv/git + owner: git + group: www-data +- name: private + dest: /srv/prod/gdrive_proxy + owner: git + group: git +- name: server.git + dest: /srv/git + owner: git + group: www-data +- name: st.git + dest: /srv/git + owner: git + group: www-data +- name: turnup.git + dest: /srv/git + owner: git + group: www-data +- 
name: vmail + dest: /var + owner: vmail + group: vmail +- name: website.git + dest: /srv/git + owner: git + group: www-data +- name: ydlpd.git + dest: /srv/git + owner: git + group: www-data diff --git a/turnup.yaml b/turnup.yaml index 4513229..1aafc0f 100644 --- a/turnup.yaml +++ b/turnup.yaml @@ -2,35 +2,18 @@ # License: GPL-3.0 or later. - hosts: servers - vars_files: - - sources.yaml tasks: - - stat: - path: "{{ item.dest }}/{{ item.name }}" - with_items: "{{ files }}" - register: files_stats - - name: Finish if nothing is missing - meta: end_play - when: "files_stats.results | selectattr('stat.exists', 'equalto', False) \ - | length == 0" - - name: Obtain an access token for Google Drive - include_tasks: gdrive_auth.yaml - vars: - redirect_uri: "urn:ietf:wg:oauth:2.0:oob" - scope: "https://www.googleapis.com/auth/drive.readonly" - - name: Download from Google Drive if missing - include_tasks: download.yaml - vars: - key: "{{ lookup('file', '{{ key_file }}') }}" - with_items: "{{ files }}" - when: "(item.dest + '/' + item.name) is not exists" - + - set_fact: + auth_token: "{{ lookup('file', '{{ token }}') | to_nice_json }}" + encryption_key: "{{ lookup('file', '{{ key }}') }}" + inputs: "{{ lookup('file', 'sources.yaml') | from_yaml }}" + public_key: "{{ lookup('file', '{{ ssh_key }}') }}" + users: + - git + - "{{ default_user }}" +- import_playbook: install/sources_from_drive.yaml - import_playbook: install/ssl_certificates.yaml -- name: Recreate database - import_playbook: database.yaml - - - hosts: servers tasks: - find:
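Review bot: The `databases.git` entry in the new sources list has `group: www-data` twice; duplicate keys are invalid in YAML 1.2 and most loaders (including the `from_yaml` filter that turnup.yaml now feeds this file through) silently keep the last value, so drop the second `group: www-data` line. yamllint's `key-duplicates` rule would have caught this in CI. With the `uid` field removed from every entry, resolution on the Drive side presumably happens by `name` inside gdrive_knife; a one-line comment at the top of the file stating that would save the next reader a trip into the tool.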