
7e9c4cecc5c2f4fff482d80038daaca0c39143ed — Thorben Günther 2 years ago c1902a4
Move more secrets to hc vault
10 files changed, 18 insertions(+), 43 deletions(-)

M group_vars/all/vars.yml
D group_vars/all/vault_peertube.yml
D group_vars/all/vault_searx.yml
D group_vars/all/vault_vaultwarden.yml
M roles/peertube/tasks/main.yml
M roles/peertube/templates/production.yaml.j2
M roles/searx/tasks/main.yml
M roles/searx/templates/settings.yml.j2
M roles/vaultwarden/tasks/main.yml
M roles/vaultwarden/templates/vaultwarden.env.j2
M group_vars/all/vars.yml => group_vars/all/vars.yml +0 -4
@@ 4,8 4,4 @@ email_noreply_mail: "{{ vault_email_noreply_mail }}"
email_noreply_password: "{{ vault_email_noreply_password }}"
minio_access_key: "{{ vault_minio_access_key }}"
minio_secret_key: "{{ vault_minio_secret_key }}"
peertube_psql_password: "{{ vault_peertube_psql_password }}"
searx_key: "{{ vault_searx_key }}"
vault_psql_password: "{{ vault_vault_psql_password }}"
vaultwarden_admin_token: "{{ vault_vaultwarden_admin_token }}"
vaultwarden_psql_password: "{{ vault_vaultwarden_psql_password }}"

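--- a/group_vars/all/vault_peertube.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-64353763643031393332373539613236666465303935396432643633633563646366313734316561
-6331613933306365363439313961326330646431353333350a626462336233663739353133653936
-32363463653633343864326463616263636634663165333061383864623861366466663634653064
-3964333766613031300a326233643161306433653565383538376233386433333561376335623933
-61633230646561376362613261353063316461353536363637613966343532376562323061363238
-34643834313532343763393932613038626661633536363930636134643633393931303935336539
-30666664636533383162393565363134316239396465326566623966353738653035356561333836
-38386233323330383265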
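--- a/group_vars/all/vault_searx.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-35653037653034353031653438653764313462303432613534333438393732303038336162393936
-3765626662376663383433393834303065363966626665630a346662326438353731393764663732
-30383136336133326462623766646266343161666635313531366639383861303530356166303732
-3934626263383831380a376537386233633837373161366665343931643734363638313233363763
-33396164336437643635306433613835653739346562663334636432316330616266323034633138
-33643465366438333934306566363031343261386462663739383734613261306461633061383837
-31363531306237616463663736353064636465393433636537363630363635363332666633613162
-30633931363130633261323633373335376230333935653739313534636337336565613636623336
-3738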
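--- a/group_vars/all/vault_vaultwarden.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-64373364333465313537363232336262616534326535343635303062383139303530633632343435
-6235303863653262373336616566313337326330343837310a636330626433396361663763313233
-36643237373666626333383961326663303862643737333539643332343937643837643737653130
-6264383638313039660a613637306466366463633332316161613931303237306638636230363830
-34666230393538353130653438306432396539353862356331396538343166653538663136376236
-39366665396335393635636439613163663533306263666361306663373632393466353563663836
-36346636613533623865326262386437666431366633336565313335393334656438623836663734
-62343731666134343164383339353734623532656335666265303635323164343439333237303834
-31333262633261366439323931333135666334653763313430326163336165303531643464363232
-66376163356437383739633636643035366136633161356637306433386461353430613635316565
-38303331396161613433303761313762386135623532386463666161383331633730643061303939
-38393666656463373061366164326330663130353434613566393637636334613864363230393963
-3864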
M roles/peertube/tasks/main.yml => roles/peertube/tasks/main.yml +5 -1
@@ 1,4 1,8 @@
---
- name: Get secrets
  ansible.builtin.set_fact:
    peertube_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/peertube') }}"

- name: Install nodejs and yarn
  community.general.pacman:
    name: nodejs-lts-fermium,yarn


@@ 19,7 23,7 @@
  community.general.postgresql_user:
    db: peertube
    name: peertube
    password: "{{ peertube_psql_password }}"
    password: "{{ peertube_secrets['psql_password'] }}"
    priv: ALL
  become: true
  become_user: postgres
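Review bot: The new `Get secrets` task at the top of the first hunk sets `peertube_secrets` via `set_fact` without `no_log: true`, so the entire mapping returned by the hashi_vault lookup is printed in verbose runs and can end up in callback or CI log output; the identical tasks added in roles/searx/tasks/main.yml and roles/vaultwarden/tasks/main.yml have the same gap. The `postgresql_user` task in the second hunk also lacks `no_log: true`, although the equivalent task in roles/vaultwarden/tasks/main.yml already sets it, so the two roles are inconsistent. Add `  no_log: true` to both tasks here and to the other two `Get secrets` tasks. The postgresql_user task's `- name:` line lies before the second hunk. Since the previous values were committed as ansible-vault ciphertext and remain in git history, the values now served from Vault are best newly generated rather than copied over.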

M roles/peertube/templates/production.yaml.j2 => roles/peertube/templates/production.yaml.j2 +1 -1
@@ 39,7 39,7 @@ database:
  ssl: false
  suffix: ""
  username: "peertube"
  password: "{{ peertube_psql_password }}"
  password: "{{ peertube_secrets['psql_password'] }}"
  pool:
    max: 5
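Review bot: `password: "{{ peertube_secrets['psql_password'] }}"` drops the secret into a YAML double-quoted scalar unescaped, so a Vault-generated value containing `"` or `\` yields invalid YAML or is silently altered by escape processing when PeerTube reads production.yaml; `secret_key` in roles/searx/templates/settings.yml.j2 has the same exposure. Rendering through `to_json` produces a correctly escaped double-quoted scalar: `password: {{ peertube_secrets['psql_password'] | to_json }}`. The enclosing `database:` mapping starts before the hunk.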


M roles/searx/tasks/main.yml => roles/searx/tasks/main.yml +4 -0
@@ 1,4 1,8 @@
---
- name: Get secrets
  ansible.builtin.set_fact:
    searx_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/searx') }}"

- name: install
  community.general.pacman:
    name: searx

M roles/searx/templates/settings.yml.j2 => roles/searx/templates/settings.yml.j2 +1 -1
@@ 13,7 13,7 @@ search:
server:
  port: 8888
  bind_address: "127.0.0.1" # address to listen on
  secret_key: "{{ searx_key }}"
  secret_key: "{{ searx_secrets['secret_key'] }}"
  base_url: "https://search.xenrox.net" # Set custom base_url. Possible values: False or "https://your.custom.host/location/"
  image_proxy: True # Proxying image results through searx
  http_protocol_version: "1.0" # 1.0 and 1.1 are supported

M roles/vaultwarden/tasks/main.yml => roles/vaultwarden/tasks/main.yml +5 -1
@@ 1,4 1,8 @@
---
- name: Get secrets
  ansible.builtin.set_fact:
    vaultwarden_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/vaultwarden') }}"

- name: install
  community.general.pacman:
    name: "{{ vaultwarden_packages }}"


@@ 14,7 18,7 @@
  community.general.postgresql_user:
    db: vaultwarden
    name: vaultwarden
    password: "{{ vaultwarden_psql_password }}"
    password: "{{ vaultwarden_secrets['psql_password'] }}"
  become: true
  become_user: postgres
  no_log: true

M roles/vaultwarden/templates/vaultwarden.env.j2 => roles/vaultwarden/templates/vaultwarden.env.j2 +2 -2
@@ 18,7 18,7 @@ DATA_FOLDER=/var/lib/vaultwarden
## Details:
## - https://docs.diesel.rs/diesel/pg/struct.PgConnection.html
## - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
DATABASE_URL=postgresql://vaultwarden:{{ vaultwarden_psql_password }}@127.0.0.1/vaultwarden
DATABASE_URL=postgresql://vaultwarden:{{ vaultwarden_secrets['psql_password'] }}@127.0.0.1/vaultwarden

## Database max connections
## Define the size of the connection pool used for connecting to the database.


@@ 183,7 183,7 @@ SIGNUPS_VERIFY=true
## Token for the admin interface, preferably use a long random string
## One option is to use 'openssl rand -base64 48'
## If not set, the admin panel is disabled
ADMIN_TOKEN={{ vaultwarden_admin_token }}
ADMIN_TOKEN={{ vaultwarden_secrets['admin_token'] }}

## Enable this to bypass the admin panel security. This option is only
## meant to be used with the use of a separate auth layer in front
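Review bot: `DATABASE_URL=postgresql://vaultwarden:{{ vaultwarden_secrets['psql_password'] }}@127.0.0.1/vaultwarden` in the first hunk embeds the password in a libpq URI without percent-encoding, so a Vault-generated value containing `@`, `:`, `#`, `%` or `?` splits the URI at the wrong place and the connection fails or is attempted against the wrong host. Changing it to `{{ vaultwarden_secrets['psql_password'] | urlencode }}` covers those characters; Jinja's `urlencode` leaves `/` unescaped, so that character still has to be excluded when the secret is generated. A failed URI parse here is at least fail-closed, but the resulting startup error may echo the URI including the secret into the service log, which is worth checking before relying on that.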