From 06b9197c5be07f1b16035ee6313f3d9b4071e536 Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Tue, 9 Jan 2024 19:46:40 +0000
Subject: [PATCH] Sync terraform state to `restic`

This allows it to be backed up easily
---
 ansible/host_vars/restic/main.yml | 1 +
 ansible/main.yml | 1 +
 ansible/roles/s3_sync/files/rclone.conf | 7 ++++
 ansible/roles/s3_sync/tasks/main.yml | 53 +++++++++++++++++++++++++
 ansible/roles/s3_sync/vars/vault.yml | 14 +++++++
 terraform/minio.tf | 3 --
 terraform/rclone.tf | 28 +++++++++++++
 terraform/state.tf | 4 ++
 8 files changed, 108 insertions(+), 3 deletions(-)
 create mode 100644 ansible/roles/s3_sync/files/rclone.conf
 create mode 100644 ansible/roles/s3_sync/tasks/main.yml
 create mode 100644 ansible/roles/s3_sync/vars/vault.yml
 delete mode 100644 terraform/minio.tf
 create mode 100644 terraform/rclone.tf

diff --git a/ansible/host_vars/restic/main.yml b/ansible/host_vars/restic/main.yml
index b321b34..04e2379 100644
--- a/ansible/host_vars/restic/main.yml
+++ b/ansible/host_vars/restic/main.yml
@@ -3,5 +3,6 @@ restic_backup_locations:
 - /mnt/host/mnt/speed
 - /mnt/host/etc/pve
 - /mnt/home-assistant
+ - /home/rclone/sync
 
 restic_forget: true
diff --git a/ansible/main.yml b/ansible/main.yml
index ea804a3..578fdb3 100644
--- a/ansible/main.yml
+++ b/ansible/main.yml
@@ -118,6 +118,7 @@
 - hosts: restic
 roles:
 - restic
+ - s3_sync
 
 - hosts: gitea-runner
 roles:
diff --git a/ansible/roles/s3_sync/files/rclone.conf b/ansible/roles/s3_sync/files/rclone.conf
new file mode 100644
index 0000000..981064b
--- /dev/null
+++ b/ansible/roles/s3_sync/files/rclone.conf
@@ -0,0 +1,7 @@
+[s3]
+type = s3
+provider = AWS
+access_key_id = {{ vault_access_key_id }}
+secret_access_key = {{ vault_secret_access_key }}
+region = eu-west-2
+server_side_encryption = AES256
diff --git a/ansible/roles/s3_sync/tasks/main.yml b/ansible/roles/s3_sync/tasks/main.yml
new file mode 100644
index 0000000..fdb94b2
--- /dev/null
+++ b/ansible/roles/s3_sync/tasks/main.yml
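Review bot: The new entry `- /home/rclone/sync` hard-codes the rclone user's home directory, while the s3_sync tasks derive the same directory from `rclone_user.home`; if that user is ever created with a different home, restic would back up an empty or missing path without any error. Pointing both places at one shared variable (e.g. a `rclone_sync_dir` value, name illustrative) would keep the backup location and the sync destination from drifting apart. The `restic_backup_locations` list begins before this hunk.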
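Review bot: The file contains Jinja expressions (`{{ vault_access_key_id }}`, `{{ vault_secret_access_key }}`) yet lives under `files/`, which by Ansible convention holds verbatim content for `copy`; since the tasks hunk renders it with `template`, moving it to `templates/rclone.conf.j2` and changing that task's source to `src: rclone.conf.j2` makes the rendering step explicit and stops any `copy`-based reuse from shipping the raw placeholders. Once rendered, the file holds a long-lived static access key in plaintext on the restic host, which the `mode: "0600"` in the tasks hunk restricts correctly; a leading comment such as `# Rendered by the s3_sync role; values come from vars/vault.yml, do not hand-edit` would tell the next reader where the credentials originate and that the on-disk file is generated.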
@@ -0,0 +1,53 @@
+- name: Include vault
+ include_vars: vault.yml
+
+- name: Install rclone
+ package:
+ name: rclone
+ become: true
+
+- name: Install runitor
+ kewlfft.aur.aur:
+ name: runitor-bin
+ become: true
+
+- name: Make user
+ user:
+ name: rclone
+ shell: /bin/nologin
+ system: false
+ register: rclone_user
+ become: true
+
+- name: Create config directory
+ file:
+ path: "{{ rclone_user.home }}/.config/rclone"
+ state: directory
+ owner: rclone
+ mode: "0700"
+ become: true
+
+- name: Install rclone config
+ template:
+ src: files/rclone.conf
+ dest: "{{ rclone_user.home }}/.config/rclone/rclone.conf"
+ owner: rclone
+ mode: "0600"
+ become: true
+
+- name: Create config directory
+ file:
+ path: "{{ rclone_user.home }}/sync"
+ state: directory
+ owner: rclone
+ mode: "0700"
+ become: true
+
+- name: Schedule sync
+ cron:
+ name: Sync terraform state
+ hour: 23
+ minute: 0
+ job: CHECK_UUID={{ vault_healthchecks_id }} /usr/bin/runitor -- /usr/bin/rclone sync s3:0rng-terraform {{ rclone_user.home }}/sync/0rng-terraform
+ user: rclone
+ become: true
diff --git a/ansible/roles/s3_sync/vars/vault.yml b/ansible/roles/s3_sync/vars/vault.yml
new file mode 100644
index 0000000..4f1ccee
--- /dev/null
+++ b/ansible/roles/s3_sync/vars/vault.yml
@@ -0,0 +1,14 @@
+$ANSIBLE_VAULT;1.1;AES256
+37613533316463396164343438656435336538386662303233363362336638323630386539663164
+3935363961323436386232373537356262393736303161640a623636353634346162323764653133
+63313838393764626436306161343934643237333733336465383235306163343561666234623337
+3561623665643631310a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
diff --git a/terraform/minio.tf b/terraform/minio.tf
deleted file mode 100644
index 39d7da4..0000000
--- a/terraform/minio.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-resource "aws_iam_user" "minio" {
- name = "minio"
-}
diff --git a/terraform/rclone.tf b/terraform/rclone.tf
new file mode 100644
index 0000000..230b616
--- /dev/null
+++ b/terraform/rclone.tf
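Review bot: The second `- name: Create config directory` task (the one creating `{{ rclone_user.home }}/sync`) repeats the earlier task's name, so play output and `--start-at-task` cannot distinguish the two; rename it `- name: Create sync directory`. Separately, the cron job runs `rclone sync`, which mirrors deletions: if objects vanish from `s3:0rng-terraform`, the local copy is removed on the next nightly run and only restic's retained snapshots still hold the state, which the `restic_forget: true` setting in host_vars will prune over time. If the local copy is meant to survive accidental deletion or corruption upstream, `rclone copy` keeps removed objects, and either way a comment above the `cron:` task stating that the S3-to-local direction is intentional and that restic history is the recovery path would make the design explicit. The `job:` value also mixes a credential-bearing environment variable with the command line; that is fine for cron, but worth a note that `vault_healthchecks_id` ends up readable in the rclone user's crontab.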
@@ -0,0 +1,28 @@
+resource "aws_iam_user" "rclone" {
+ name = "rclone"
+}
+
+resource "aws_iam_user_policy" "read-terraform-state" {
+ name = "read-terraform-state"
+ user = aws_iam_user.rclone.name
+
+ policy = <