---
- name: make sure sync client config directory exists
  # Per-store working directory of the sync client; the ssh_config,
  # the ssh keypair, known_hosts and run.sh created below all live here.
  # NOTE(review): no mode/owner is set, so the directory gets the
  # default umask of the Ansible run — confirm that is intended, since
  # it also holds the client's private key.
  file:
    state: directory
    path: '/etc/whawty/auth/.store-{{ item.key }}-sync'
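- name: generate ssh config for whawty-auth store sync client
  # Client-side ssh settings for the sync job. The server host key is
  # pinned through the per-store known_hosts file (filled by the
  # ssh-keyscan task below). StrictHostKeyChecking is set explicitly so
  # an unknown or changed host key always fails the connection, instead
  # of relying on the default "ask" behaviour, which only fails when no
  # tty is available.
  copy:
    dest: "/etc/whawty/auth/.store-{{ item.key }}-sync/ssh_config"
    content: |
      Host whawty-auth-server
      Hostname {{ item.value.sync.hostname }}
      {% if 'port' in item.value.sync %}
      Port {{ item.value.sync.port }}
      {% endif %}
      User {{ item.value.sync.user }}
      IdentityFile /etc/whawty/auth/.store-{{ item.key }}-sync/id_ed25519
      IdentitiesOnly yes
      UserKnownHostsFile /etc/whawty/auth/.store-{{ item.key }}-sync/known_hosts
      StrictHostKeyChecking yes
      ControlMaster auto
      ControlPath /run/ssh-master.whawty-auth-store-sync-{{ item.key }}
      ControlPersist 300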
- name: generate ssh keypair for sync client
  # Per-store client identity; the path matches the IdentityFile entry
  # in the generated ssh_config. The comment names store and host so the
  # public key can be recognised on the server side.
  openssh_keypair:
    type: ed25519
    comment: 'whawty-auth-sync-{{ item.key }}@{{ inventory_hostname }}'
    path: '/etc/whawty/auth/.store-{{ item.key }}-sync/id_ed25519'
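- name: generate sync script
  # Endless loop that mirrors the server's store into the local basedir
  # every 60 seconds over ssh (using the ssh_config written above).
  # Optional rsync --chmod/--chown flags come from item.value.permissions;
  # if 'owner' is set, 'group' must be set too, otherwise templating
  # fails. With item.value.sync.prometheus enabled, the last run time
  # and exit code are written for the node-exporter textfile collector
  # via sponge (moreutils), so the .prom file is replaced atomically.
  # The mode is quoted so YAML does not parse it as an octal/decimal
  # integer; Ansible converts the string itself.
  copy:
    dest: '/etc/whawty/auth/.store-{{ item.key }}-sync/run.sh'
    mode: "0755"
    content: |
      #!/bin/bash
      {% set rsync_args = [] %}
      {% if 'permissions' in item.value %}
      {% if 'file-mode' in item.value.permissions %}
      {% set _dummy = rsync_args.append(" --chmod=F"~item.value.permissions['file-mode']) %}
      {% endif %}
      {% if 'owner' in item.value.permissions %}
      {% set _dummy = rsync_args.append(" --chown="~item.value.permissions.owner~":"~item.value.permissions.group) %}
      {% endif %}
      {% endif %}
      while true; do
      /usr/bin/rsync -rtWi --delete --delete-delay --delay-updates --partial-dir=.tmp{{ rsync_args | join('') }} -e 'ssh -F "/etc/whawty/auth/.store-{{ item.key }}-sync/ssh_config"' 'rsync://whawty-auth-server/store' '{{ item.value.config.basedir }}'
      {% if (item.value.sync.prometheus | default(False)) %}
      result=$?
      now=$(date +"%s")
      cat <<EOF | sponge /var/lib/prometheus-node-exporter/textfile-collector/whawty-auth-store-sync-{{ item.key }}.prom
      whawty_auth_store_sync_run{name="{{ item.key }}"} $now
      whawty_auth_store_sync_exit_code{name="{{ item.key }}"} $result
      EOF
      {% endif %}
      sleep 60
      done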
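- name: generate known_hosts file
  # Trust-on-first-use: the server's host key is scanned once here and
  # pinned afterwards by the client's ssh_config. The scan output goes
  # to a temp file that is only moved into place when it is non-empty,
  # so a failed scan (server unreachable, no keys returned) does not
  # leave an empty known_hosts behind — with `creates` that file would
  # otherwise mark the task as done on every later run while every ssh
  # connection fails host key verification.
  shell: |
    kh="/etc/whawty/auth/.store-{{ item.key }}-sync/known_hosts"
    ssh-keyscan{% if 'port' in item.value.sync %} -p {{ item.value.sync.port }}{% endif %} '{{ item.value.sync.hostname }}' > "$kh.tmp" \
      && test -s "$kh.tmp" && mv "$kh.tmp" "$kh"
  args:
    creates: "/etc/whawty/auth/.store-{{ item.key }}-sync/known_hosts"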
- name: install systemd units for whawty-auth store sync client
  # One unit per store, rendered from systemd.service.j2 (not part of
  # this file); presumably it runs the run.sh generated above — verify
  # against the template.
  template:
    dest: '/etc/systemd/system/whawty-auth-store-sync-{{ item.key }}.service'
    src: 'systemd.service.j2'
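- name: make sure whawty-auth store sync client is enabled and started
  # daemon_reload picks up the unit file written by the template task
  # above. Booleans are written as true/false rather than yes/no so the
  # values do not depend on YAML 1.1 truthy parsing.
  systemd:
    name: "whawty-auth-store-sync-{{ item.key }}.service"
    daemon_reload: true
    enabled: true
    state: started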