
Commit 53154e6

committed
Add encrypted variable from gh secrets to the service
1 parent 0991427 commit 53154e6


4 files changed

+38
-15
lines changed


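--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -89,6 +89,8 @@ jobs:
 uses: dawidd6/action-ansible-playbook@v2.8.0
 env:
 ANSIBLE_TIMEOUT: 60
+DO_SPACES_ACCESS_ID: ${{ secrets.DO_SPACES_ACCESS_ID }}
+DO_SPACES_ACCESS_KEY: ${{ secrets.DO_SPACES_ACCESS_KEY }}
 with:
 playbook: setup.yaml
 directory: ansible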
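Review bot: The two added `env` entries hand the Spaces credentials to a third-party action that the `uses:` line above them references by the mutable tag `v2.8.0`, so whatever that tag resolves to at run time can read both secrets. Pinning the reference to a full commit SHA, `uses: dawidd6/action-ansible-playbook@<full-commit-sha> # v2.8.0`, fixes which code receives them. The step begins above the hunk, so its remaining settings are not visible here.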
Lines changed: 11 additions & 1 deletion
@@ -1,4 +1,14 @@
11
#!/usr/bin/env bash
22

3-
mongodump --gzip --archive=dump.gz
3+
filename="dump-$(date '+%Y%m%d%H%M%S').gz"
44

5+
mongodump --gzip --archive="${filename}"
6+
7+
export AWS_ACCESS_KEY_ID=$(jq -r '.id' < "${CREDENTIALS_DIRECTORY}/do_access_secret)"
8+
export AWS_SECRET_ACCESS_KEY=$(jq -r '.key' < "${CREDENTIALS_DIRECTORY}/do_access_secret")
9+
10+
s3cmd --host="fra1.digitaloceanspaces.com" \
11+
--host-bucket="%(bucket)s.fra1.digitaloceanspaces.com" \
12+
put dump.gz s3://backups-roadmapsh-kzwolenik95/
13+
14+
rm "${filename}"
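Review bot: The `put` line still uploads `dump.gz` although the dump is now written to `${filename}`, so s3cmd sends a stale or missing file and the closing `rm "${filename}"` then removes the only fresh backup; it should read `put "${filename}" s3://backups-roadmapsh-kzwolenik95/`. The first `export` has its closing quote and parenthesis swapped (`do_access_secret)"`), which leaves the command substitution unterminated; the second `export` shows the intended form. Without `set -euo pipefail` after the shebang, a failed mongodump, jq or upload still falls through to the `rm`.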

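--- a/ansible/roles/mongo-backup-service/tasks/main.yaml
+++ b/ansible/roles/mongo-backup-service/tasks/main.yaml
@@ -3,12 +3,15 @@
 name: s3cmd
 state: present
 
-# - name: Encrypt secret
-# community.general.systemd_creds_encrypt:
-# name: do_access_key
-# not_after: +48hr
-# secret: "{{ do_access_key }}"
-# register: encrypted_secret
+- name: Encrypt secret
+community.general.systemd_creds_encrypt:
+name: do_access_secret
+secret: |
+{
+"id": {{ lookup('ansible.builtin.env', 'DO_SPACES_ACCESS_ID') }},
+"key": {{ lookup('ansible.builtin.env', 'DO_SPACES_ACCESS_KEY') }}
+}
+register: do_access_secret
 
 - name: Copy script to remote server
 ansible.builtin.copy:
@@ -17,14 +20,23 @@
 owner: ubuntu
 mode: "0700"
 
-- name: Copy python scripts to remote server
+- name: Create service unit
+ansible.builtin.template:
+src: templates/mongo-backup.service.j2
+dest: /etc/systemd/system/mongo-backup.service
+owner: root
+group: root
+mode: "0644"
+vars:
+s3-secret: "{{ do_access_secret }}"
+
+- name: Create timer unit
 ansible.builtin.copy:
-src: "{{ item }}"
+src: mongo-backup.timer
 dest: /etc/systemd/system/
-owner: ubuntu
+owner: root
+group: root
 mode: "0644"
-with_fileglob:
-- "files/mongo-backup*"
 
 - name: Enable mongo-backup.service
 ansible.builtin.systemd_service: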
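Review bot: In the `secret: |` block of the Encrypt secret task both lookups are interpolated without quotes, so the encrypted document is `{"id": <raw value>, ...}` and the `jq -r '.id'` call in the backup script cannot parse it. Emitting each value through the filter, `"id": {{ lookup('ansible.builtin.env', 'DO_SPACES_ACCESS_ID') | to_json }},` and the same for `key`, produces a quoted and escaped JSON string. The env lookup yields an empty string when the variable is unset, so a run outside the workflow would presumably encrypt empty credentials without failing; an `ansible.builtin.assert` ahead of the task would catch that. Adding `no_log: true` to the task keeps the plaintext out of verbose and failure output.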

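--- a/ansible/roles/mongo-backup-service/files/mongo-backup.service
+++ b/ansible/roles/mongo-backup-service/templates/mongo-backup.service.j2
@@ -3,10 +3,9 @@ Description=Mongodb backup
 
 [Service]
 Type=oneshot
-LoadCredentialEncrypted=do_access_key:/etc/secrets/do_access_key.cred
-ExecStart=/usr/local/bin/mongo-backup/backup-to-digitalocean-bucket.py
+{{ s3-secret }}
+ExecStart=/usr/local/bin/mongo-backup/backup-to-digitalocean-bucket.sh
 WorkingDirectory=/usr/local/bin/mongo-backup/
-RemainAfterExit=yes
 
 [Install]
 WantedBy=multi-user.target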
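Review bot: `{{ s3-secret }}` on the added line is not a variable reference: Jinja2 reads it as `s3` minus `secret`, and Ansible does not accept a hyphen in a variable name, so the `vars:` entry in tasks/main.yaml and this line need a name such as `s3_secret`. Even with the name fixed the line would render the whole registered result rather than a unit directive, so systemd would have no credential to place at `${CREDENTIALS_DIRECTORY}/do_access_secret` for the script. Something like `SetCredentialEncrypted=do_access_secret: {{ s3_secret.value }}` is probably what is intended, assuming the module returns the ciphertext in `value`; confirm against the module documentation.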
