fix

adskyiproger · adskyiproger · commit 7d8a59ab5dd0 · 2025-08-15T18:15:39.000+03:00
diff --git a/infrastructure/server-setup/group_vars/all.yml b/infrastructure/server-setup/group_vars/all.yml
@@ -19,4 +19,5 @@ pod_network_cidr: "192.168.0.0/16"
 calico_version: "v3.26.1"
 backup_server_remote_target_directories:
 - /home/backup/prod
-- /home/backup/staging
+- /home/backup/staging
+backup_ssh_key_path: /home/backup/.ssh/id_ed25519
diff --git a/infrastructure/server-setup/k8s.yml b/infrastructure/server-setup/k8s.yml
@@ -91,10 +91,3 @@
   tasks:
     - name: Run UFW
       include_tasks: tasks/k8s/ufw.yml
-- name: Additional configuration
-  become: yes
-  hosts: master
-  tasks:
-    - name: Create backup secret
-      include_tasks: tasks/k8s/create-backup-server-secret.yml
-  tags: backup
diff --git a/infrastructure/server-setup/playbook.yml b/infrastructure/server-setup/playbook.yml
@@ -62,3 +62,32 @@
 - import_playbook: k8s.yml
 
 - import_playbook: backup.yml
+
+- name: Additional configuration
+  become: yes
+  hosts: backup
+  tasks:
+    - name: Create backup secret
+      include_tasks: tasks/k8s/create-backup-server-secret.yml
+  tags: backup
+
+
+- name: Create Kubernetes Secret for backup SSH key
+  hosts: master
+  gather_facts: no
+  tags: backup
+  tasks:
+    - name: Create the kube secret using local kubectl
+      # FIXME: remove hardcoded namespace
+      ansible.builtin.command: >
+        kubectl create secret generic backup-ssh-key --namespace opencrvs-demo
+        --from-file=id_ed25519=./id_ed25519_backup
+      args:
+        removes: backup-ssh-key
+      # If you want this to update the secret if it already exists, use kubectl apply or kubectl delete/create
+      register: kubectl_output
+      ignore_errors: true
+
+    - name: Print kubectl output
+      debug:
+        var: kubectl_output.stdout
diff --git a/infrastructure/server-setup/tasks/k8s/create-backup-server-secret.yml b/infrastructure/server-setup/tasks/k8s/create-backup-server-secret.yml
@@ -1,68 +1,41 @@
-- name: Generate SSH Keypair on Backup Server
-  hosts: backup
-  tags: backup
-  become: yes
-  vars:
-    ssh_key_path: /home/backup/.ssh/id_ed25519
-  tasks:
-    - name: Ensure .ssh directory exists
-      file:
-        path: /home/backup/.ssh
-        state: directory
-        mode: 0700
-        owner: backup
-        group: backup
+- name: Ensure .ssh directory exists
+  file:
+    path: /home/backup/.ssh
+    state: directory
+    mode: 0700
+    owner: backup
+    group: backup
 
-    - name: Generate an ed25519 SSH keypair for backup user if not present
-      openssh_keypair:
-        path: "{{ ssh_key_path }}"
-        type: ed25519
-        owner: backup
-        group: backup
-        mode: '0600'
-        force: false
+- name: Generate an ed25519 SSH keypair for backup user if not present
+  openssh_keypair:
+    path: "{{ backup_ssh_key_path }}"
+    type: ed25519
+    owner: backup
+    group: backup
+    mode: '0600'
+    force: false
 
-    - name: Set permissions for authorized_keys
-      file:
-        path: /home/backup/.ssh/authorized_keys
-        owner: backup
-        group: backup
-        mode: 0600
-        state: touch
+- name: Set permissions for authorized_keys
+  file:
+    path: /home/backup/.ssh/authorized_keys
+    owner: backup
+    group: backup
+    mode: 0600
+    state: touch
 
-    - name: Add public key to authorized_keys
-      ansible.builtin.lineinfile:
-        path: /home/backup/.ssh/authorized_keys
-        line: "{{ lookup('file', ssh_key_path + '.pub') }}"
-        create: yes
-        owner: backup
-        group: backup
-        mode: 0600
-      when: ssh_key_path is defined
+- name: Add public key to authorized_keys
+  ansible.builtin.lineinfile:
+    path: /home/backup/.ssh/authorized_keys
+    line: "{{ lookup('file', backup_ssh_key_path + '.pub') }}"
+    create: yes
+    owner: backup
+    group: backup
+    mode: 0600
+  when: backup_ssh_key_path is defined
 
-    - name: Copy private key from backup server to control node
-      fetch:
-        src: "{{ ssh_key_path }}"
-        dest: "./id_ed25519_backup"
-        flat: yes
-        mode: '0600'
-
-- name: Create Kubernetes Secret for backup SSH key
-  hosts: master
-  gather_facts: no
-  tags: backup
-  tasks:
-    - name: Create the kube secret using local kubectl
-      # FIXME: remove hardcoded namespace
-      ansible.builtin.command: >
-        kubectl create secret generic backup-ssh-key --namespace opencrvs-demo
-        --from-file=id_ed25519=./id_ed25519_backup
-      args:
-        removes: backup-ssh-key
-      # If you want this to update the secret if it already exists, use kubectl apply or kubectl delete/create
-      register: kubectl_output
-      ignore_errors: true
-
-    - name: Print kubectl output
-      debug:
-        var: kubectl_output.stdout
+- name: Copy private key from backup server to control node
+  fetch:
+    src: "{{ backup_ssh_key_path }}"
+    dest: "./id_ed25519_backup"
+    flat: yes
+    mode: '0600'
