systems
/
infrastructure
1
Fork 0
Code Issues 1 Pull Requests 18 Actions Activity

Sync terraform state to `restic`
/ terraform (push) Successful in 31s Details
/ ansible (push) Successful in 1m47s Details 

This allows it to be backed up easily
This commit is contained in:
Jake Howard 2024-01-09 19:46:40 +00:00
parent 4a69df1d6c
commit 06b9197c5b
Signed by: jake
GPG Key ID: 57AFB45680EDD477
8 changed files with 108 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
ansible/host_vars/restic/main.yml
View File

@ -3,5 +3,6 @@ restic_backup_locations:
- /mnt/host/mnt/speed
- /mnt/host/etc/pve
- /mnt/home-assistant
- /home/rclone/sync
restic_forget: true

1
ansible/main.yml
View File

@ -118,6 +118,7 @@
- hosts: restic
roles:
- restic
- s3_sync
- hosts: gitea-runner
roles:

7
ansible/roles/s3_sync/files/rclone.conf Normal file
View File

@ -0,0 +1,7 @@
[s3]
type = s3
provider = AWS
access_key_id = {{ vault_access_key_id }}
secret_access_key = {{ vault_secret_access_key }}
region = eu-west-2
server_side_encryption = AES256

53
ansible/roles/s3_sync/tasks/main.yml Normal file
View File

@ -0,0 +1,53 @@
- name: Include vault
include_vars: vault.yml
- name: Install rclone
package:
name: rclone
become: true
- name: Install runitor
kewlfft.aur.aur:
name: runitor-bin
become: true
- name: Make user
user:
name: rclone
shell: /bin/nologin
system: false
register: rclone_user
become: true
- name: Create config directory
file:
path: "{{ rclone_user.home }}/.config/rclone"
state: directory
owner: rclone
mode: "0700"
become: true
- name: Install rclone config
template:
src: files/rclone.conf
dest: "{{ rclone_user.home }}/.config/rclone/rclone.conf"
owner: rclone
mode: "0600"
become: true
- name: Create config directory
file:
path: "{{ rclone_user.home }}/sync"
state: directory
owner: rclone
mode: "0700"
become: true
- name: Schedule sync
cron:
name: Sync terraform state
hour: 23
minute: 0
job: CHECK_UUID={{ vault_healthchecks_id }} /usr/bin/runitor -- /usr/bin/rclone sync s3:0rng-terraform {{ rclone_user.home }}/sync/0rng-terraform
user: rclone
become: true

14
ansible/roles/s3_sync/vars/vault.yml generated Normal file
View File

@ -0,0 +1,14 @@
$ANSIBLE_VAULT;1.1;AES256
37613533316463396164343438656435336538386662303233363362336638323630386539663164
3935363961323436386232373537356262393736303161640a623636353634346162323764653133
63313838393764626436306161343934643237333733336465383235306163343561666234623337
3561623665643631310a656466663533313362346134333731613062653862316438373331386664
39303365633661356136396261616566343230386536336238336565386639613362326461666665
63316337623362663839376561323063633931326133303730653037306461376230613663663465
64613834316164363336383338643139366532336264646233323639646536326330663265356431
61623938653633636539663063636139666261326130323139623565303632633335633266376666
35363138396137336264386638613861313764383031373434646461613463386132303762383162
65393464343432646266663831626531613239303431326661336636303432323065323664373233
38333363346163356463386537393563346631343263323232633561313238663632393265316636
62643261336332346535393661383166623733396564303832373162316166326635616637396537
6661

3
terraform/minio.tf
View File

@ -1,3 +0,0 @@
resource "aws_iam_user" "minio" {
name = "minio"
}

28
terraform/rclone.tf Normal file
View File

@ -0,0 +1,28 @@
resource "aws_iam_user" "rclone" {
name = "rclone"
}
resource "aws_iam_user_policy" "read-terraform-state" {
name = "read-terraform-state"
user = aws_iam_user.rclone.name
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ReadTerraformState",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"${aws_s3_bucket.tfstate.arn}/*",
"${aws_s3_bucket.tfstate.arn}"
]
}
]
}
EOF
}

4
terraform/state.tf
View File

@ -2,6 +2,10 @@ resource "aws_iam_user" "terraform" {
name = "terraform"
}
resource "aws_iam_user" "minio" {
name = "minio"
}
resource "aws_s3_bucket" "tfstate" {
bucket = "0rng-terraform"
}