Sync terraform state to restic

This allows it to be backed up easily

ansible/host_vars/restic/main.yml

@@ -3,5 +3,6 @@ restic_backup_locations:
   - /mnt/host/mnt/speed
   - /mnt/host/etc/pve
   - /mnt/home-assistant
+  - /home/rclone/sync
 
 restic_forget: true

ansible/main.yml

@@ -118,6 +118,7 @@
 - hosts: restic
   roles:
     - restic
+    - s3_sync
 
 - hosts: gitea-runner
   roles:

ansible/roles/s3_sync/files/rclone.conf

@@ -0,0 +1,7 @@
+[s3]
+type = s3
+provider = AWS
+access_key_id = {{ vault_access_key_id }}
+secret_access_key = {{ vault_secret_access_key }}
+region = eu-west-2
+server_side_encryption = AES256

ansible/roles/s3_sync/tasks/main.yml

@@ -0,0 +1,53 @@
+- name: Include vault
+  include_vars: vault.yml
+
+- name: Install rclone
+  package:
+    name: rclone
+  become: true
+
+- name: Install runitor
+  kewlfft.aur.aur:
+    name: runitor-bin
+  become: true
+
+- name: Make user
+  user:
+    name: rclone
+    shell: /bin/nologin
+    system: false
+  register: rclone_user
+  become: true
+
+- name: Create config directory
+  file:
+    path: "{{ rclone_user.home }}/.config/rclone"
+    state: directory
+    owner: rclone
+    mode: "0700"
+  become: true
+
+- name: Install rclone config
+  template:
+    src: files/rclone.conf
+    dest: "{{ rclone_user.home }}/.config/rclone/rclone.conf"
+    owner: rclone
+    mode: "0600"
+  become: true
+
+- name: Create config directory
+  file:
+    path: "{{ rclone_user.home }}/sync"
+    state: directory
+    owner: rclone
+    mode: "0700"
+  become: true
+
+- name: Schedule sync
+  cron:
+    name: Sync terraform state
+    hour: 23
+    minute: 0
+    job: CHECK_UUID={{ vault_healthchecks_id }} /usr/bin/runitor -- /usr/bin/rclone sync s3:0rng-terraform {{ rclone_user.home }}/sync/0rng-terraform
+    user: rclone
+  become: true

ansible/roles/s3_sync/vars/vault.yml

@@ -0,0 +1,14 @@
+$ANSIBLE_VAULT;1.1;AES256
+37613533316463396164343438656435336538386662303233363362336638323630386539663164
+3935363961323436386232373537356262393736303161640a623636353634346162323764653133
+63313838393764626436306161343934643237333733336465383235306163343561666234623337
+3561623665643631310a656466663533313362346134333731613062653862316438373331386664
+39303365633661356136396261616566343230386536336238336565386639613362326461666665
+63316337623362663839376561323063633931326133303730653037306461376230613663663465
+64613834316164363336383338643139366532336264646233323639646536326330663265356431
+61623938653633636539663063636139666261326130323139623565303632633335633266376666
+35363138396137336264386638613861313764383031373434646461613463386132303762383162
+65393464343432646266663831626531613239303431326661336636303432323065323664373233
+38333363346163356463386537393563346631343263323232633561313238663632393265316636
+62643261336332346535393661383166623733396564303832373162316166326635616637396537
+6661

terraform/minio.tf

@@ -1,3 +0,0 @@
-resource "aws_iam_user" "minio" {
-  name = "minio"
-}

terraform/rclone.tf

@@ -0,0 +1,28 @@
+resource "aws_iam_user" "rclone" {
+  name = "rclone"
+}
+
+resource "aws_iam_user_policy" "read-terraform-state" {
+  name = "read-terraform-state"
+  user = aws_iam_user.rclone.name
+
+  policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "ReadTerraformState",
+            "Effect": "Allow",
+            "Action": [
+                "s3:GetObject",
+                "s3:ListBucket"
+            ],
+            "Resource": [
+                "${aws_s3_bucket.tfstate.arn}/*",
+                "${aws_s3_bucket.tfstate.arn}"
+            ]
+        }
+    ]
+}
+EOF
+}

terraform/state.tf

@@ -2,6 +2,10 @@ resource "aws_iam_user" "terraform" {
   name = "terraform"
 }
 
+resource "aws_iam_user" "minio" {
+  name = "minio"
+}
+
 resource "aws_s3_bucket" "tfstate" {
   bucket = "0rng-terraform"
 }