Tasks Update: Installer - Fix type error in Certbot task

ansible.cfg

@@ -1,5 +1,5 @@
 [defaults]
-inventory = inventories/xxx
+inventory = inventories/matte
 hash_behaviour = merge
 gathering = smart
 transport = local

init.sh

@@ -0,0 +1,52 @@
+#!/bin/bash
+
+if [ ! "$BASH_VERSION" ] ; then
+    exit 1
+fi
+
+echo "
+==============================
+
+MatteZ02 - Infra
+Install Script
+
+------------------------------
+"
+
+stop () {
+
+echo "
+==============================
+"
+
+exit 1
+
+}
+
+mkdir -p ~/.ssh/keys/matte &> /dev/null
+if [[ ! -f ~/.ssh/keys/matte/infra ]]
+then
+    ssh-keygen -f ~/.ssh/keys/matte/infra -t ed25519 -N '' &> /dev/null
+fi
+
+python3 -m venv ~/.venv/ansible &> /dev/null
+~/.venv/ansible/bin/pip3 install cryptography dnspython hvac jmespath netaddr pexpect &> /dev/null
+~/.venv/ansible/bin/pip3 install ansible &> /dev/null
+
+~/.venv/ansible/bin/ansible-galaxy collection install ansible.posix containers.podman --upgrade &> /dev/null
+
+
+mkdir -p ~/.ansible &> /dev/null
+
+if [[ ! -f ~/.ansible/vault/matte.yml ]]
+then
+    echo -n "Vault Password: "
+    read PASSWORD
+    echo "$PASSWORD" > ~/.ansible/vault/matte.yml
+fi
+
+~/.venv/ansible/bin/ansible-pull -U ssh://git@github.com/MatteZ02/infra -d ~/.ansible/pull/matte/infra --accept-host-key --private-key ~/.ssh/keys/matte/infra --vault-password-file ~/.ansible/vault/matte.yml tasks.yml -t installer
+
+echo "
+==============================
+"

install.sh

@@ -1,48 +0,0 @@
-#!/bin/bash
-
-if [ ! "$BASH_VERSION" ] ; then
-    exit 1
-fi
-
-echo "
-==============================
-
-MatteZ02 - Infra
-Install Script
-
-------------------------------
-"
-
-stop () {
-
-echo "
-==============================
-"
-
-exit 1
-
-}
-
-mkdir -p ~/.ssh &> /dev/null
-
-apt-get update &> /dev/null
-apt-get install -y python3-pip python3-venv jq git curl &> /dev/null
-python3 -m venv /opt/ansible &> /dev/null
-/opt/ansible/bin/pip3 install ansible hvac netaddr jmespath pexpect &> /dev/null
-
-/opt/ansible/bin/ansible-galaxy collection install -r requirements.yml --upgrade &> /dev/null
-
-mkdir -p ~/.ansible &> /dev/null
-
-if [[ ! -f ~/.ansible/vault.yml ]]
-then
-    echo -n "Vault Password: "
-    read PASSWORD
-    echo "$PASSWORD" > ~/.ansible/vault.yml
-fi
-
-/opt/ansible/bin/ansible-pull -U ssh://git@github.com/MatteZ02/infra --accept-host-key --private-key ~/.ssh/id_rsa --vault-password-file ~/.ansible/vault.yml tasks.yml -t installer
-
-echo "
-==============================
-"

inventories/matte/group_vars/arcadiamc.yml

@@ -0,0 +1,6 @@
+$ANSIBLE_VAULT;1.2;AES256;matte
+62346136653335363162326162383931386537613938323936313137303431373664326165613562
+3833613232666134346465313164393265313866396438640a396463376165633535636261656161
+65666130663862303234623932643131353539623635306266663330626666383533363039653737
+3736626335343832360a373961343766633963363766393333396366343737333630636531646362
+6564

inventories/matte/host_vars/rainbow.devices.waren.io.yml

@@ -0,0 +1,6 @@
+$ANSIBLE_VAULT;1.2;AES256;matte
+65326434306632636332646164346332366430303930656231353538613062323762303131346630
+3264653933373331373638363134633562643932326333660a393065303336306162373733316634
+61333437313261393336353235323862353538386563356132393532623439383231653665323163
+3665323733306635640a353366346639346133646331653637353530653431623132343932616465
+3466

inventories/matte/hosts.yml

@@ -0,0 +1,9 @@
+---
+matte:
+  children:
+    arcadiamc:
+      hosts:
+        rainbow.devices.waren.io:
+      vars:
+        ansible_user: wxl62975
+        ansible_ssh_common_args: "-o StrictHostKeyChecking=accept-new -o LogLevel=error"

protect.sh

@@ -10,12 +10,12 @@ action=$1
 
 encrypt() {
     echo "${underline}Encrypting...${nounderline}"
-    execute "ansible-vault encrypt --vault-id default@vault/mkj"
+    execute "ansible-vault encrypt --vault-id matte@vault/matte"
 }
 
 decrypt() {
     echo "${underline}Decrypting...${nounderline}"
-    execute "ansible-vault decrypt --vault-id default@vault/mkj"
+    execute "ansible-vault decrypt --vault-id matte@vault/matte"
 }
 
 list() {

tasks.yml

@@ -8,18 +8,24 @@
   tasks:
     - name: "Installer"
       import_tasks: tasks/installer.yml
+      vars:
+        ansible_python_interpreter: "{{ ansible_facts.user_dir }}/.venv/ansible/bin/python3"
       tags:
         - installer
         - never
 
     - name: "Maintenance"
       import_tasks: tasks/maintenance.yml
+      vars:
+        ansible_python_interpreter: "{{ ansible_facts.user_dir }}/.venv/ansible/bin/python3"
       tags:
         - maintenance
         - never
 
     - name: "Deployer"
       import_tasks: tasks/deployer.yml
+      vars:
+        ansible_python_interpreter: "{{ ansible_facts.user_dir }}/.venv/ansible/bin/python3"
       tags:
         - deployer
         - never

tasks/deployer.yml

@@ -0,0 +1,25 @@
+---
+- name: "Deployer - Certbot - Renew Certificates"
+  command: "certbot renew --config-dir ~/data/letsencrypt/config --logs-dir ~/data/letsencrypt/logs --work-dir ~/data/letsencrypt/work"
+  register: task
+  changed_when: task.stdout.find("No renewals were attempted.") == -1
+  tags:
+    - certbot
+    - tls
+
+- name: "Deployer - Certbot - Copy Certificates"
+  copy:
+    src: "~/data/letsencrypt/live/{{ cert }}/"
+    dest: "~/data/certificates/{{ cert }}/"
+    follow: true
+  loop: "{{ certs }}"
+  loop_control:
+    label: "{{ cert }}"
+    loop_var: "cert"
+  vars:
+    certs:
+      - arcadiamc
+  register: task
+  tags:
+    - certbot
+    - tls

tasks/installer.yml

@@ -0,0 +1,130 @@
+---
+- name: "Installer - Ansible - Python Library"
+  pip:
+    name: ansible
+    state: latest
+    extra_args: --upgrade
+    virtualenv: ~/.venv/ansible
+    virtualenv_command: "python3 -m venv"
+  tags:
+    - ansible
+
+- name: "Installer : Ansible : Create Folder"
+  file:
+    path: ~/bin
+    state: directory
+  tags:
+    - ansible
+
+- name: "Installer : Ansible : Create Symbolic Links"
+  ansible.builtin.file:
+    src: ~/.venv/ansible/bin/{{ binary }}
+    dest: ~/bin/{{ binary }}
+    state: link
+  vars:
+    binaries:
+      - ansible
+      - ansible-community
+      - ansible-config
+      - ansible-console
+      - ansible-doc
+      - ansible-galaxy
+      - ansible-inventory
+      - ansible-playbook
+      - ansible-pull
+      - ansible-test
+      - ansible-vault
+  loop: "{{ binaries }}"
+  loop_control:
+    label: "{{ binary }}"
+    loop_var: "binary"
+  tags:
+    - ansible
+
+- name: "Installer - Ansible - Dependencies / Python Libraries"
+  pip:
+    name: "{{ library }}"
+    state: latest
+    extra_args: --upgrade
+    virtualenv: ~/.venv/ansible
+    virtualenv_command: "python3 -m venv"
+  vars:
+    libraries:
+      - cryptography
+      - dnspython
+      - hvac
+      - jmespath
+      - netaddr
+      - pexpect
+  loop: "{{ libraries }}"
+  loop_control:
+    label: "{{ library }}"
+    loop_var: "library"
+
+- name: "Installer : Certbot : Install"
+  pip:
+    name: certbot
+    state: latest
+    extra_args: --upgrade
+    virtualenv: ~/.venv/ansible
+    virtualenv_command: "python3 -m venv"
+  tags:
+    - certbot
+
+- name: "Installer : Certbot : Create Symbolic Links"
+  ansible.builtin.file:
+    src: ~/.venv/ansible/bin/{{ binary }}
+    dest: ~/bin/{{ binary }}
+    state: link
+  vars:
+    binaries:
+      - certbot
+  loop: "{{ binaries }}"
+  loop_control:
+    label: "{{ binary }}"
+    loop_var: "binary"
+  tags:
+    - certbot
+
+- name: "Installer : Certbot : Auth Hook"
+  get_url:
+    url: "https://git.waren.io/warengroup/acme-dns-auth/raw/branch/master/acme-dns-auth.py"
+    dest: "~/data/letsencrypt/config/renewal-hooks/pre/acme-dns-auth.py"
+    mode: '700'
+    force: true
+  tags:
+    - certbot
+
+- name: "Installer : Certbot : Create Certificates"
+  command: "certbot certonly --cert-name {{ cert.name }} --manual --preferred-challenges dns-01 --email {{ cert.email }} --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -n --manual-auth-hook ~/data/letsencrypt/config/renewal-hooks/pre/acme-dns-auth.py --debug-challenges --preferred-chain='ISRG Root X1' --key-type rsa -d {{ cert.domains | join(' -d ') }} --config-dir ~/data/letsencrypt/config --logs-dir ~/data/letsencrypt/logs --work-dir ~/data/letsencrypt/work"
+  loop: "{{ certs }}"
+  loop_control:
+    label: "{{ cert.name }}"
+    loop_var: "cert"
+  vars:
+    certs:
+      - name: arcadiamc
+        email: mattez02.contact@gmail.com
+        domains:
+          - arcadiamc.wgi.fi
+  register: task
+  changed_when: task.stdout.find("Certificate not yet due for renewal; no action taken.") == -1
+  tags:
+    - certbot
+
+- name: "Installer : Schedule : Maintenance"
+  cron:
+    name: "Matte - Maintenance"
+    hour: "*/3"
+    minute: "0"
+    job: "~/.venv/ansible/bin/ansible-pull -U ssh://git@github.com/MatteZ02/infra -d ~/.ansible/pull/matte/infra --accept-host-key --private-key ~/.ssh/keys/matte/infra --vault-password-file ~/.ansible/vault/matte.yml tasks.yml -t maintenance"
+  tags:
+    - cron
+
+- name: "Installer : Schedule : Deployer"
+  cron:
+    name: "Matte - Deployer"
+    minute: "*/5"
+    job: "~/.venv/ansible/bin/ansible-pull -U ssh://git@github.com/MatteZ02/infra -d ~/.ansible/pull/matte/infra --accept-host-key --private-key ~/.ssh/keys/matte/infra --vault-password-file ~/.ansible/vault/matte.yml tasks.yml -t deployer"
+  tags:
+    - cron

tasks/maintenance.yml

@@ -0,0 +1,36 @@
+---
+- name: "Installer - Ansible - Dependencies / Python Libraries"
+  pip:
+    name: "{{ library }}"
+    state: latest
+    extra_args: --upgrade
+    virtualenv: ~/.venv/ansible
+    virtualenv_command: "python3 -m venv"
+  vars:
+    libraries:
+      - cryptography
+      - dnspython
+      - hvac
+      - jmespath
+      - netaddr
+      - pexpect
+  loop: "{{ libraries }}"
+  loop_control:
+    label: "{{ library }}"
+    loop_var: "library"
+
+- name: "Maintenance : Ansible : Update"
+  pip:
+    name: ansible
+    state: latest
+    extra_args: --upgrade
+    virtualenv: ~/.venv/ansible
+    virtualenv_command: "python3 -m venv"
+
+- name: "Maintenance : Podman : Prune"
+  containers.podman.podman_prune:
+    container: yes
+    image: yes
+    image_filters:
+        dangling_only: no
+    volume: yes