Sync terraform state to restic
This allows it to be backed up easily
parent
4a69df1d6c
commit
06b9197c5b
8 changed files with 108 additions and 3 deletions
@ -3,5 +3,6 @@ restic_backup_locations:
- /mnt/host/mnt/speed
- /mnt/host/mnt/speed
- /mnt/host/etc/pve
- /mnt/host/etc/pve
- /mnt/home-assistant
- /mnt/home-assistant
- /home/rclone/sync
restic_forget: true
restic_forget: true
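Review bot: The added location `/home/rclone/sync` hard-codes the rclone user's home directory, while the s3_sync role in this same commit builds the equivalent path from `{{ rclone_user.home }}`; if the `user` module ever places the account elsewhere, restic will quietly back up a path that does not exist. Deriving both from one variable, e.g. a role default `rclone_sync_dir: /home/rclone/sync` referenced here and in the role's `file:`/`cron:` tasks, keeps them from drifting apart. The sync directory is created with `owner: rclone` and `mode: "0700"`, so the restic job presumably runs with enough privilege to read it — worth confirming, as the restic role itself is not in this diff.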
@ -118,6 +118,7 @@
- hosts: restic
- hosts: restic
roles:
roles:
- restic
- restic
- s3_sync
- hosts: gitea-runner
- hosts: gitea-runner
roles:
roles:
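--- a/ansible/roles/s3_sync/files/rclone.conf
+++ b/ansible/roles/s3_sync/files/rclone.conf
@@ -0,0 +1,7 @@
+[s3]
+type = s3
+provider = AWS
+access_key_id = {{ vault_access_key_id }}
+secret_access_key = {{ vault_secret_access_key }}
+region = eu-west-2
+server_side_encryption = AES256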
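Review bot: This file contains Jinja placeholders (`{{ vault_access_key_id }}`, `{{ vault_secret_access_key }}`) but lives under `files/`, the directory Ansible reserves for static content copied verbatim; anyone later switching the task to `copy:` would ship the literal placeholders. Moving it to `templates/rclone.conf.j2` and pointing `template: src:` at that name makes the rendering explicit and matches the role layout Ansible expects. The rendered file is owned by the rclone user with mode `0600`, which is the right scope for a long-lived access key. As far as I can tell `server_side_encryption = AES256` only influences uploads and has no effect on this download-only sync; either drop it or annotate it with `# only applies to writes; sync here is read-only` so the line is not read as protecting the fetched state.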
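--- a/ansible/roles/s3_sync/tasks/main.yml
+++ b/ansible/roles/s3_sync/tasks/main.yml
@@ -0,0 +1,53 @@
+- name: Include vault
+  include_vars: vault.yml
+
+- name: Install rclone
+  package:
+    name: rclone
+  become: true
+
+- name: Install runitor
+  kewlfft.aur.aur:
+    name: runitor-bin
+  become: true
+
+- name: Make user
+  user:
+    name: rclone
+    shell: /bin/nologin
+    system: false
+  register: rclone_user
+  become: true
+
+- name: Create config directory
+  file:
+    path: "{{ rclone_user.home }}/.config/rclone"
+    state: directory
+    owner: rclone
+    mode: "0700"
+  become: true
+
+- name: Install rclone config
+  template:
+    src: files/rclone.conf
+    dest: "{{ rclone_user.home }}/.config/rclone/rclone.conf"
+    owner: rclone
+    mode: "0600"
+  become: true
+
+- name: Create config directory
+  file:
+    path: "{{ rclone_user.home }}/sync"
+    state: directory
+    owner: rclone
+    mode: "0700"
+  become: true
+
+- name: Schedule sync
+  cron:
+    name: Sync terraform state
+    hour: 23
+    minute: 0
+    job: CHECK_UUID={{ vault_healthchecks_id }} /usr/bin/runitor -- /usr/bin/rclone sync s3:0rng-terraform {{ rclone_user.home }}/sync/0rng-terraform
+    user: rclone
+  become: true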
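Review bot: Two tasks in this file share the name `Create config directory`; the second one creates `{{ rclone_user.home }}/sync`, so it should read `- name: Create sync directory` — duplicate names make play output and `--start-at-task` ambiguous. The `Make user` task gives the account `shell: /bin/nologin` but `system: false`, which reads like a service account that was not marked as one; if the regular-range UID is deliberate (for example so restic can map it consistently), a comment saying so would stop the next reader from "fixing" it to `system: true`. The cron `job:` runs `rclone sync`, which also removes local files that have disappeared from the bucket; that is acceptable here because restic retains earlier snapshots, but a comment on the task such as `# sync mirrors the bucket, so local deletions are expected` would make that trade-off visible.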
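--- a/ansible/roles/s3_sync/vars/vault.yml
+++ b/ansible/roles/s3_sync/vars/vault.yml
@@ -0,0 +1,14 @@
+$ANSIBLE_VAULT;1.1;AES256
+37613533316463396164343438656435336538386662303233363362336638323630386539663164
+3935363961323436386232373537356262393736303161640a623636353634346162323764653133
+63313838393764626436306161343934643237333733336465383235306163343561666234623337
+3561623665643631310a656466663533313362346134333731613062653862316438373331386664
+39303365633661356136396261616566343230386536336238336565386639613362326461666665
+63316337623362663839376561323063633931326133303730653037306461376230613663663465
+64613834316164363336383338643139366532336264646233323639646536326330663265356431
+61623938653633636539663063636139666261326130323139623565303632633335633266376666
+35363138396137336264386638613861313764383031373434646461613463386132303762383162
+65393464343432646266663831626531613239303431326661336636303432323065323664373233
+38333363346163356463386537393563346631343263323232633561313238663632393265316636
+62643261336332346535393661383166623733396564303832373162316166326635616637396537
+6661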
@ -1,3 +0,0 @@
resource "aws_iam_user" "minio" {
name = "minio"
}
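--- a/terraform/rclone.tf
+++ b/terraform/rclone.tf
@@ -0,0 +1,28 @@
+resource "aws_iam_user" "rclone" {
+  name = "rclone"
+}
+
+resource "aws_iam_user_policy" "read-terraform-state" {
+  name = "read-terraform-state"
+  user = aws_iam_user.rclone.name
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "ReadTerraformState",
+      "Effect": "Allow",
+      "Action": [
+        "s3:GetObject",
+        "s3:ListBucket"
+      ],
+      "Resource": [
+        "${aws_s3_bucket.tfstate.arn}/*",
+        "${aws_s3_bucket.tfstate.arn}"
+      ]
+    }
+  ]
+}
+EOF
+}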
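Review bot: The policy is an inline heredoc string, so a malformed document is only caught at apply time; expressing it as `data "aws_iam_policy_document" "read_terraform_state"` (or `policy = jsonencode({ ... })`) gets it validated at plan time and avoids mixing `${...}` interpolation into a JSON literal. The statement itself is suitably narrow — `s3:GetObject` on the objects and `s3:ListBucket` on the bucket, both bound to `aws_s3_bucket.tfstate.arn`. No `aws_iam_access_key` is declared for the new user, so the credentials in `vault.yml` were presumably issued outside Terraform; a comment on the user resource saying where the key is created and how it is rotated would help whoever has to revoke it. If the state bucket is encrypted with SSE-KMS rather than SSE-S3, this user would additionally need `kms:Decrypt` on that key; the bucket resource visible in this diff does not show its encryption configuration, so I cannot tell.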
@ -2,6 +2,10 @@ resource "aws_iam_user" "terraform" {
name = "terraform"
name = "terraform"
}
}
resource "aws_iam_user" "minio" {
name = "minio"
}
resource "aws_s3_bucket" "tfstate" {
resource "aws_s3_bucket" "tfstate" {
bucket = "0rng-terraform"
bucket = "0rng-terraform"
}
}