~xenrox/ansible

89e5f6b498f01dc2d54416bf00f0f46cf4629ea2 — Thorben Günther 2 months ago 7e9c4ce
Move last ansible vaults to hc vault

Only the sourcehut GPG private key and the api token are still encrypted
by ansible.
D group_vars/all/hetzner.yml => group_vars/all/hetzner.yml +0 -3
@@ 1,3 0,0 @@
---
hetzner_dns_key: "{{ vault_hetzner_dns_key }}"
hetzner_cloud_key: "{{ vault_hetzner_cloud_ket }}"

D group_vars/all/srht.yml => group_vars/all/srht.yml +0 -19
@@ 1,19 0,0 @@
---
srht_builds_id: "{{ vault_srht_builds_id }}"
srht_builds_secret: "{{ vault_srht_builds_secret }}"
srht_git_id: "{{ vault_srht_git_id }}"
srht_git_secret: "{{ vault_srht_git_secret }}"
srht_hub_id: "{{ vault_srht_hub_id }}"
srht_hub_secret: "{{ vault_srht_hub_secret }}"
srht_lists_id: "{{ vault_srht_lists_id }}"
srht_lists_secret: "{{ vault_srht_lists_secret }}"
srht_man_id: "{{ vault_srht_man_id }}"
srht_man_secret: "{{ vault_srht_man_secret }}"
srht_network_key: "{{ vault_srht_network_key }}"
srht_paste_id: "{{ vault_srht_paste_id }}"
srht_paste_secret: "{{ vault_srht_paste_secret }}"
srht_psql_password: "{{ vault_srht_psql_password }}"
srht_service_key: "{{ vault_srht_service_key }}"
srht_todo_id: "{{ vault_srht_todo_id }}"
srht_todo_secret: "{{ vault_srht_todo_secret }}"
srht_webhook_key: "{{ vault_srht_webhook_key }}"

D group_vars/all/vars.yml => group_vars/all/vars.yml +0 -7
@@ 1,7 0,0 @@
---
croc_password: "{{ vault_croc_password }}"
email_noreply_mail: "{{ vault_email_noreply_mail }}"
email_noreply_password: "{{ vault_email_noreply_password }}"
minio_access_key: "{{ vault_minio_access_key }}"
minio_secret_key: "{{ vault_minio_secret_key }}"
vault_psql_password: "{{ vault_vault_psql_password }}"

D group_vars/all/vault_croc.yml => group_vars/all/vault_croc.yml +0 -9
@@ 1,9 0,0 @@
$ANSIBLE_VAULT;1.1;AES256
32343163366635383231373766373035613032376138303339656161363736333733326361383437
6562623763323336323538363436373165323364393638330a343930613730303039666663373437
37633163623662666566333331323331346136383832633761363632613835303461626633623633
3465386533613738640a626439653731393137316238313536306662633266656434386138373563
31316537346135646365383736343562366465386264336234306639336236653962313264616530
66313138623964393537626335343266366163656663363535306564383863666466373137363635
37353137643838663339373832303563643336383236336232353237313537386238333936316161
63333639323065643736

D group_vars/all/vault_email.yml => group_vars/all/vault_email.yml +0 -10
@@ 1,10 0,0 @@
$ANSIBLE_VAULT;1.1;AES256
63356635336136356130386535356534646532333566613862353263343332386330326339373665
3662326562363564373261363632333761376632633161640a643764333434613338373363613863
65323464303364393063316336386564363661316430323163643433393665653838633261383536
6164336430396663330a373133623630383831333731613964343464613730303830396661303836
33383833643561363962353632623963626265393830633336333230376139383338373665313936
33316635633730316631656532303064633062363534653139616363646265326535663432316338
30396466663637336435623466383731666463633430386135613464636138643164373562373436
32356366343434316534376535363730393064626164396636373266656637313035336165383437
32333930373139396361643939663534346364376335643837613966343261333633

D group_vars/all/vault_hetzner.yml => group_vars/all/vault_hetzner.yml +0 -13
@@ 1,13 0,0 @@
$ANSIBLE_VAULT;1.1;AES256
33313031633030333961646461393566363530343430323164323335653263373932343038373331
3039383662323839386539393934353865643036343332370a616134313764636539653162643438
38386665386365666561346236386136633861313331333666616339393565303330623235643661
3433356661316464310a623039656339383230386537393939366536373537613437623936323836
34653130633535333632343164363333636162373435626435326536333264653534623462393662
62353735333065626662373734333532313863386232336635633739616362333533356163386433
65643337666331666237373439363339656663646639343634613030623932643064336562313330
62346239336339613633383763623562393165363861623439333038353836366165313233343339
65643930373465623062643937343832396538383438326239343338396637636137383835626530
31373336363234363239663633393131393131306432653038383863636333333531366432313437
37333562613631393731646537376530373636316663306163633235646365333239336635343035
34326533613639343330

D group_vars/all/vault_minio.yml => group_vars/all/vault_minio.yml +0 -12
@@ 1,12 0,0 @@
$ANSIBLE_VAULT;1.1;AES256
30633665643864346562303265313362303132636630653131386635613662366433633637613162
6265613461626265373437383432666165643637626539360a333932396263633032316631623037
36666531353866376230653266363039633637396635343965643232393838323861626435303534
6431626339313336610a633734373530346135666362623030346134633265313432396564326165
64653433356536616337623863306436323265383935663439646235653332333838633162633931
66653361366465316439306364333238343132343434323931653136373836383461303632363664
63616635623439343765356434626666633632646666343739303061393663643439646139613935
64366132613135323339363335636537613263613539333535373862393835633964323231353239
61346131373430336364396164303639653964313266643732663138626639663536643738346266
33626133333363663938626236326566663333663432316333633561646232396230393564633863
343961393532363165653831363735653838

D group_vars/all/vault_srht.yml => group_vars/all/vault_srht.yml +0 -53
@@ 1,53 0,0 @@
$ANSIBLE_VAULT;1.1;AES256
38393938633362313265323362366135313333646466396433306134616531663837343736396631
6233353830323636316264666432306662613332353236370a366138313338383932346434646532
39646263633363353562323539643964383965393332353538383339623036376466323863333862
3932396539653034390a303036646632646135623932363131343038393966393133666438333563
35326464633338353935383539353730326464636664373766663734633365653861313161333136
62626439323730383162313235333737316131393136396637646630353465306539643462633935
64333538623835373062373130633165356534356466333338333361653934346133633065366265
30373539633030376539353333653835623031326166363564323138636636653462363465623039
35616537663762333831336439613363376464333231353031356461613233343363346164393539
33396538323839353766633935303265343137373064646561303839326531663966303331623338
35613761363835613061363161396132316239623464316436336163366531383039333537373534
34333166316234613863633836623431653434356331623661356134613165326462643561333934
63633739383062636261633030386663356661356235346466353734343235323064366363623062
63303136396462343530313038353837626132636164386264396165373535623161356661373631
37323833656631316266366364613461343565386539363830323265653038313634343262653234
66323661363332643331613832653538396533333562363532323839653662346533323366343266
65316262653830383839383534356462343061306462643332633838633234316265643234633663
65313431396666363261306530623930346239623234346637356263336562646538653739366430
35656666326563386232636535363737653362396566383164663435653639663766386562636233
65393961646666616364633034353338333339663331623039633131313366663931643132626334
33383238643966666534333163653061613332363635623266306233633862353835376132383230
63366631633731343532363334386238656432356130323262336331646431653330303863353732
39303264626537656534666530663962326232386635363165623765623763356263363061633936
62656638346233323130616435636533666537373763656431383735363866373031306661336234
38306131343530336136646137646565646339633161323566656532376337376434633564353764
34653163376639373530636434356635656539643833396364396239346231306161653637616433
65356232633430353732353830393138356537333465666562383730353962303665343834393366
31326263613931666536376537666462323038646666626161373038633332653838343837666565
31666231663666613539653338646236323066626238303938373930666364616333636565336263
38336235623638613430643634333530363034373562666565633866383039646132373833373731
38653262393730353461313131343239313531363436616265376435656339326434616632363465
64353534333633373733313865663336643338336161643139323232346461626634306265383033
36663963653733316662316565633764343837313466373836313034366238643637353066643736
35646539336434336237393662356135366362313439333466376433326263653639326237626439
39636563326238376565393932373565663536313739303634323764646137653837363563623037
34393336626661343838623338316239333266376265373834326534343938303930323236383332
37333965633131353561396563363764383334623035663061383833346133386436303066333066
30326439653165323035613837653437383163663639613139623932313330643061313034376564
30353462366639346337303362323736353764396566663336373533616262333464313238666233
37646531333334313234366538643562393130666166623139333865343464356233623764616138
36366665383564643461343434366536656563313836663765373763623138313138623633323466
65366233663737363637333061316562643030323035326361323631373636356431383463323538
38376263333038366136363332376336366135623032353962366638653539383735383330646166
63356164333533333662326630303762383732316230393839343136623863646163303736633232
32313833316564383031373034373730366636306430316565393962326435643262333066393431
66623933363063613435366231663631323635656366666532663730383838303531373166653863
33643031346139623234616633306537383035663034303664333331653361356437313665373135
31376336663338386235313231623735633835343839626461633261346362366436383430306639
37346234366532326331396530366135386239313365383062613939316161616233363232623432
32323463343632613732343164353735623334643465623261616338666665373165666563343333
39383465626639646263353461636232366233383336613633616661343332383337376235643432
37363064623362623834

D group_vars/all/vault_vault.yml => group_vars/all/vault_vault.yml +0 -9
@@ 1,9 0,0 @@
$ANSIBLE_VAULT;1.1;AES256
61633130383866316533303038383263313632363965316363383761613364643564616433326666
3161613962303262383961336662633066623132306636650a616330666338346662396139363138
63343237343163376133323338643832663136343234663934633361336237363961643463613435
3735373739633036330a356130336366353830383638636366326664643332363439333533343135
37623764653031333964663033616663343637656163666534663664636134306338353832323236
39663432666663333131323637396566383466316162646639366239323765343461326164613336
31373930303732343661623565636339633965303765393031323766653865663762346562666633
39386231386538653834

M roles/certbot/tasks/main.yml => roles/certbot/tasks/main.yml +4 -0
@@ 1,4 1,8 @@
---
- name: Get hetzner secrets
  ansible.builtin.set_fact:
    hetzner_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/hetzner') }}"

- name: Install
  community.general.pacman:
    name: certbot-dns-hetzner

M roles/certbot/templates/hetzner.ini.j2 => roles/certbot/templates/hetzner.ini.j2 +1 -1
@@ 1,1 1,1 @@
dns_hetzner_api_token = "{{ hetzner_dns_key }}"
dns_hetzner_api_token = "{{ hetzner_secrets['dns_key'] }}"

M roles/croc/tasks/main.yml => roles/croc/tasks/main.yml +4 -0
@@ 1,4 1,8 @@
---
- name: Get secrets
  ansible.builtin.set_fact:
    croc_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/croc') }}"

- name: install croc
  ansible.builtin.package:
    name: croc

M roles/croc/templates/croc.service.j2 => roles/croc/templates/croc.service.j2 +1 -1
@@ 1,3 1,3 @@
[Service]
ExecStart=
ExecStart=/usr/bin/croc --pass "{{ croc_password }}" relay
ExecStart=/usr/bin/croc --pass "{{ croc_secrets['password'] }}" relay

M roles/croc/templates/receive.json.j2 => roles/croc/templates/receive.json.j2 +1 -1
@@ 4,7 4,7 @@
  "Debug": false,
  "RelayAddress": "xenrox.net",
  "RelayPorts": ["9009", "9010", "9011", "9012", "9013"],
  "RelayPassword": "{{ croc_password }}",
  "RelayPassword": "{{ croc_secrets['password'] }}",
  "Stdout": false,
  "NoPrompt": false,
  "NoMultiplexing": false,

M roles/croc/templates/send.json.j2 => roles/croc/templates/send.json.j2 +1 -1
@@ 4,7 4,7 @@
  "Debug": false,
  "RelayAddress": "xenrox.net",
  "RelayPorts": ["9009", "9010", "9011", "9012", "9013"],
  "RelayPassword": "{{ croc_password }}",
  "RelayPassword": "{{ croc_secrets['password'] }}",
  "Stdout": false,
  "NoPrompt": false,
  "NoMultiplexing": false,

M roles/mailcow/tasks/main.yml => roles/mailcow/tasks/main.yml +4 -0
@@ 1,4 1,8 @@
---
- name: Get hetzner secrets
  ansible.builtin.set_fact:
    hetzner_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/hetzner') }}"

- name: Install docker/docker-compose
  community.general.pacman:
    name: docker,docker-compose

M roles/mailcow/templates/update_tlsa.py.j2 => roles/mailcow/templates/update_tlsa.py.j2 +1 -1
@@ 26,7 26,7 @@ def send_request(hash, id, name):
            url="https://dns.hetzner.com/api/v1/records/{}".format(id),
            headers={
                "Content-Type": "application/json",
                "Auth-API-Token": "{{ hetzner_dns_key }}",
                "Auth-API-Token": "{{ hetzner_secrets['dns_key'] }}",
            },
            data=json.dumps(
                {

M roles/minio/tasks/main.yml => roles/minio/tasks/main.yml +4 -0
@@ 1,4 1,8 @@
---
- name: Get secrets
  ansible.builtin.set_fact:
    minio_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/minio') }}"

- name: setup minio host
  import_tasks: host.yml
  when: minio_host is defined and minio_host

M roles/minio/templates/config.json.j2 => roles/minio/templates/config.json.j2 +2 -2
@@ 3,8 3,8 @@
  "aliases": {
    "xenrox": {
      "url": "https://minio.xenrox.net",
      "accessKey": "{{ minio_access_key }}",
      "secretKey": "{{ minio_secret_key }}",
      "accessKey": "{{ minio_secrets['access_key'] }}",
      "secretKey": "{{ minio_secrets['secret_key'] }}",
      "api": "s3v4",
      "path": "auto"
    }

M roles/minio/templates/minio.conf.j2 => roles/minio/templates/minio.conf.j2 +2 -2
@@ 1,8 1,8 @@
# Local export path.
MINIO_VOLUMES="/srv/minio/data/"
# Access Key of the server.
MINIO_ACCESS_KEY={{ minio_access_key }}
MINIO_ACCESS_KEY={{ minio_secrets['access_key'] }}
# Secret key of the server.
MINIO_SECRET_KEY={{ minio_secret_key }}
MINIO_SECRET_KEY={{ minio_secrets['secret_key'] }}
# Use if you want to run Minio on a custom port.
MINIO_OPTS="--address 127.0.0.1:9001"

M roles/minio/templates/s3cfg.j2 => roles/minio/templates/s3cfg.j2 +2 -2
@@ 2,6 2,6 @@
host_base = minio.xenrox.net
host_bucket = minio.xenrox.net
use_https = true
access_key = {{ minio_access_key }}
secret_key = {{ minio_secret_key }}
access_key = {{ minio_secrets['access_key'] }}
secret_key = {{ minio_secrets['secret_key'] }}
signature_v2 = False

M roles/nextcloud/tasks/main.yml => roles/nextcloud/tasks/main.yml +4 -0
@@ 3,6 3,10 @@
  ansible.builtin.set_fact:
    nextcloud_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/nextcloud') }}"

- name: Get email secrets
  ansible.builtin.set_fact:
    email_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/email') }}"

- name: Install nextcloud packages
  community.general.pacman:
    name: "{{ nextcloud_packages }}"

M roles/nextcloud/templates/config.php.j2 => roles/nextcloud/templates/config.php.j2 +2 -2
@@ 43,8 43,8 @@ $CONFIG = array (
  'mail_smtphost' => 'mail.xenrox.net',
  'mail_smtpport' => '465',
  'mail_smtpauthtype' => 'PLAIN',
  'mail_smtpname' => '{{ email_noreply_mail }}',
  'mail_smtppassword' => '{{ email_noreply_password }}',
  'mail_smtpname' => '{{ email_secrets['noreply_user'] }}',
  'mail_smtppassword' => '{{ email_secrets['noreply_password'] }}',
  'mail_smtpsecure' => 'ssl',
  'memcache.local' => '\OC\Memcache\APCu',
  'redis' => [

M roles/peertube/tasks/main.yml => roles/peertube/tasks/main.yml +4 -0
@@ 3,6 3,10 @@
  ansible.builtin.set_fact:
    peertube_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/peertube') }}"

- name: Get email secrets
  ansible.builtin.set_fact:
    email_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/email') }}"

- name: Install nodejs and yarn
  community.general.pacman:
    name: nodejs-lts-fermium,yarn

M roles/peertube/templates/production.yaml.j2 => roles/peertube/templates/production.yaml.j2 +2 -2
@@ 60,8 60,8 @@ smtp:
  sendmail: null
  hostname: mail.xenrox.net
  port: 465 # If you use StartTLS: 587
  username: "{{ email_noreply_mail }}"
  password: "{{ email_noreply_password }}"
  username: "{{ email_secrets['noreply_user'] }}"
  password: "{{ email_secrets['noreply_password'] }}"
  tls: true # If you use StartTLS: false
  disable_starttls: false
  ca_file: null # Used for self signed certificates

M roles/prometheus/tasks/main.yml => roles/prometheus/tasks/main.yml +4 -0
@@ 3,6 3,10 @@
  ansible.builtin.set_fact:
    ejabberd_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/ejabberd') }}"

- name: Get email secrets
  ansible.builtin.set_fact:
    email_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/email') }}"

- name: install
  community.general.pacman:
    name: "{{ prometheus_packages }}"

M roles/prometheus/templates/alertmanager.yml.j2 => roles/prometheus/templates/alertmanager.yml.j2 +2 -2
@@ 2,8 2,8 @@ global:
  resolve_timeout: 5m
  smtp_smarthost: "mail.xenrox.net:587"
  smtp_from: "alertmanager <noreply@xenrox.net>"
  smtp_auth_username: {{ email_noreply_mail }}
  smtp_auth_password: {{ email_noreply_password }}
  smtp_auth_username: {{ email_secrets['noreply_user'] }}
  smtp_auth_password: {{ email_secrets['noreply_password'] }}

route:
  group_by: ["instance", "severity"]

M roles/srht/tasks/main.yml => roles/srht/tasks/main.yml +13 -1
@@ 1,4 1,16 @@
---
- name: Get secrets
  ansible.builtin.set_fact:
    srht_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/srht') }}"

- name: Get minio secrets
  ansible.builtin.set_fact:
    minio_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/minio') }}"

- name: Get email secrets
  ansible.builtin.set_fact:
    email_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/email') }}"

- name: install srht packages
  community.general.pacman:
    name: "{{ srht_packages }}"


@@ 59,7 71,7 @@
- name: Create db user
  community.general.postgresql_user:
    name: srht
    password: "{{ srht_psql_password }}"
    password: "{{ srht_secrets['psql_password'] }}"
  become: true
  become_user: postgres
  no_log: true

M roles/srht/templates/builds.ini.j2 => roles/srht/templates/builds.ini.j2 +3 -3
@@ 8,7 8,7 @@ debug-host=0.0.0.0
debug-port=5002
#
# Configures the SQLAlchemy connection string for the database.
connection-string=postgresql://srht:{{ srht_psql_password }}@localhost/srht-builds?sslmode=disable
connection-string=postgresql://srht:{{ srht_secrets['psql_password'] }}@localhost/srht-builds?sslmode=disable
#
# Set to "yes" to automatically run migrations on package upgrade.
migrate-on-upgrade=yes


@@ 19,8 19,8 @@ redis=redis://localhost:6379/4
#
# builds.sr.ht's OAuth client ID and secret for meta.sr.ht
# Register your client at meta.example.org/oauth
oauth-client-id={{ srht_builds_id }}
oauth-client-secret={{ srht_builds_secret }}
oauth-client-id={{ srht_secrets['builds_id'] }}
oauth-client-secret={{ srht_secrets['builds_secret'] }}
#
# Script used to launch on ssh connnection. /usr/bin/master-shell on master,
# /usr/bin/runner-shell for workers.

M roles/srht/templates/config.ini.j2 => roles/srht/templates/config.ini.j2 +7 -7
@@ 29,11 29,11 @@ privacy-policy=
# service (e.g. git1.sr.ht and git2.sr.ht), but different services may use
# different keys. If you configure all of your services with the same
# config.ini, you may use the same service-key for all of them.
service-key={{ srht_service_key }}
service-key={{ srht_secrets['service_key'] }}
#
# A secret key to encrypt internal messages with. Use `srht-keygen network` to
# generate this key. It must be consistent between all services and nodes.
network-key={{ srht_network_key }}
network-key={{ srht_secrets['network_key'] }}
#
# The redis host URL. This is used for caching and temporary storage, and must
# be shared between nodes (e.g. git1.sr.ht and git2.sr.ht), but need not be


@@ 50,16 50,16 @@ pushgateway=
#
# Minio is recommended as a FOSS solution over AWS: https://min.io
s3-upstream=minio.xenrox.net
s3-access-key={{ minio_access_key }}
s3-secret-key={{ minio_secret_key }}
s3-access-key={{ minio_secrets['access_key'] }}
s3-secret-key={{ minio_secrets['secret_key'] }}

[mail]
#
# Outgoing SMTP settings
smtp-host=mail.xenrox.net
smtp-port=587
smtp-user={{ email_noreply_mail }}
smtp-password={{ email_noreply_password }}
smtp-user={{ email_secrets['noreply_user'] }}
smtp-password={{ email_secrets['noreply_password'] }}
smtp-from=xenrox sourcehut <noreply@xenrox.net>
#
# Application exceptions are emailed to this address


@@ 84,7 84,7 @@ pgp-key-id=60A4 269D F622 7C99 04CF  CFF7 55A4 316C 4697 1CC5
# Use the `srht-keygen webhook` command to generate this key. Put the private
# key here and distribute the public key to anyone who would want to verify
# webhook payloads from your service.
private-key={{ srht_webhook_key }}
private-key={{ srht_secrets['webhook_key'] }}

{% include "git.ini.j2" %}


M roles/srht/templates/git.ini.j2 => roles/srht/templates/git.ini.j2 +3 -3
@@ 8,7 8,7 @@ debug-host=0.0.0.0
debug-port=5001
#
# Configures the SQLAlchemy connection string for the database.
connection-string=postgresql://srht:{{ srht_psql_password }}@localhost/srht-git?sslmode=disable
connection-string=postgresql://srht:{{ srht_secrets['psql_password'] }}@localhost/srht-git?sslmode=disable
#
# Set to "yes" to automatically run migrations on package upgrade.
migrate-on-upgrade=yes


@@ 21,8 21,8 @@ post-update-script=/usr/bin/gitsrht-update-hook
#
# git.sr.ht's OAuth client ID and secret for meta.sr.ht
# Register your client at meta.example.org/oauth
oauth-client-id={{ srht_git_id }}
oauth-client-secret={{ srht_git_secret }}
oauth-client-id={{ srht_secrets['git_id'] }}
oauth-client-secret={{ srht_secrets['git_secret'] }}
#
# Path to git repositories on disk
repos=/var/lib/git/

M roles/srht/templates/hub.ini.j2 => roles/srht/templates/hub.ini.j2 +3 -3
@@ 8,12 8,12 @@ debug-host=0.0.0.0
debug-port=5014
#
# Configures the SQLAlchemy connection string for the database.
connection-string=postgresql://srht:{{ srht_psql_password }}@localhost/srht-hub
connection-string=postgresql://srht:{{ srht_secrets['psql_password'] }}@localhost/srht-hub
#
# Set to "yes" to automatically run migrations on package upgrade.
migrate-on-upgrade=yes
#
# hub.sr.ht's OAuth client ID and secret for meta.sr.ht
# Register your client at meta.example.org/oauth
oauth-client-id={{ srht_hub_id }}
oauth-client-secret={{ srht_hub_secret }}
oauth-client-id={{ srht_secrets['hub_id'] }}
oauth-client-secret={{ srht_secrets['hub_secret'] }}

M roles/srht/templates/lists.ini.j2 => roles/srht/templates/lists.ini.j2 +3 -3
@@ 8,7 8,7 @@ debug-host=0.0.0.0
debug-port=5006
#
# Configures the SQLAlchemy connection string for the database.
connection-string=postgresql://srht:{{ srht_psql_password }}@localhost/srht-lists
connection-string=postgresql://srht:{{ srht_secrets['psql_password'] }}@localhost/srht-lists
#
# Set to "yes" to automatically run migrations on package upgrade.
migrate-on-upgrade=yes


@@ 26,8 26,8 @@ posting-domain=lists.xenrox.net
#
# lists.sr.ht's OAuth client ID and secret for meta.sr.ht
# Register your client at meta.example.org/oauth
oauth-client-id={{ srht_lists_id }}
oauth-client-secret={{ srht_lists_secret }}
oauth-client-id={{ srht_secrets['lists_id'] }}
oauth-client-secret={{ srht_secrets['lists_secret'] }}
#
# Trusted upstream SMTP server generating Authentication-Results header fields
msgauth-server=mail.xenrox.net

M roles/srht/templates/man.ini.j2 => roles/srht/templates/man.ini.j2 +3 -3
@@ 8,12 8,12 @@ debug-host=0.0.0.0
debug-port=5004
#
# Configures the SQLAlchemy connection string for the database.
connection-string=postgresql://srht:{{ srht_psql_password }}@localhost/srht-man
connection-string=postgresql://srht:{{ srht_secrets['psql_password'] }}@localhost/srht-man
#
# Set to "yes" to automatically run migrations on package upgrade.
migrate-on-upgrade=yes
#
# man.sr.ht's OAuth client ID and secret for meta.sr.ht
# Register your client at meta.example.org/oauth
oauth-client-id={{ srht_man_id }}
oauth-client-secret={{ srht_man_secret }}
oauth-client-id={{ srht_secrets['man_id'] }}
oauth-client-secret={{ srht_secrets['man_secret'] }}

M roles/srht/templates/meta.ini.j2 => roles/srht/templates/meta.ini.j2 +1 -1
@@ 8,7 8,7 @@ debug-host=0.0.0.0
debug-port=5000
#
# Configures the SQLAlchemy connection string for the database.
connection-string=postgresql://srht:{{ srht_psql_password }}@localhost/srht-meta?sslmode=disable
connection-string=postgresql://srht:{{ srht_secrets['psql_password'] }}@localhost/srht-meta?sslmode=disable
#
# Set to "yes" to automatically run migrations on package upgrade.
migrate-on-upgrade=yes

M roles/srht/templates/paste.ini.j2 => roles/srht/templates/paste.ini.j2 +3 -3
@@ 8,12 8,12 @@ debug-host=0.0.0.0
debug-port=5011
#
# Configures the SQLAlchemy connection string for the database.
connection-string=postgresql://srht:{{ srht_psql_password }}@localhost/srht-paste
connection-string=postgresql://srht:{{ srht_secrets['psql_password'] }}@localhost/srht-paste
#
# Set to "yes" to automatically run migrations on package upgrade.
migrate-on-upgrade=yes
#
# paste.sr.ht's OAuth client ID and secret for meta.sr.ht
# Register your client at meta.example.org/oauth
oauth-client-id={{ srht_paste_id }}
oauth-client-secret={{ srht_paste_secret }}
oauth-client-id={{ srht_secrets['paste_id'] }}
oauth-client-secret={{ srht_secrets['paste_secret'] }}

M roles/srht/templates/todo.ini.j2 => roles/srht/templates/todo.ini.j2 +3 -3
@@ 8,15 8,15 @@ debug-host=0.0.0.0
debug-port=5003
#
# Configures the SQLAlchemy connection string for the database.
connection-string=postgresql://srht:{{ srht_psql_password }}@localhost/srht-todo?sslmode=disable
connection-string=postgresql://srht:{{ srht_secrets['psql_password'] }}@localhost/srht-todo?sslmode=disable
#
# Set to "yes" to automatically run migrations on package upgrade.
migrate-on-upgrade=yes
#
# todo.sr.ht's OAuth client ID and secret for meta.sr.ht
# Register your client at meta.example.org/oauth
oauth-client-id={{ srht_todo_id }}
oauth-client-secret={{ srht_todo_secret }}
oauth-client-id={{ srht_secrets['todo_id'] }}
oauth-client-secret={{ srht_secrets['todo_secret'] }}
#
# Outgoing email for notifications generated by users
notify-from=noreply@xenrox.net

M roles/vault/tasks/main.yml => roles/vault/tasks/main.yml +6 -2
@@ 1,4 1,8 @@
---
- name: Get secrets
  ansible.builtin.set_fact:
    vault_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/vault') }}"

- name: Install
  community.general.pacman:
    name: vault


@@ 7,7 11,7 @@
- name: Create db user
  community.general.postgresql_user:
    name: vault
    password: "{{ vault_psql_password }}"
    password: "{{ vault_secrets['psql_password'] }}"
  become: true
  become_user: postgres
  no_log: true


@@ 32,7 36,7 @@
- name: Import DB schema
  community.general.postgresql_db:
    login_user: vault
    login_password: "{{ vault_psql_password }}"
    login_password: "{{ vault_secrets['psql_password'] }}"
    name: vault
    state: restore
    target: /tmp/vault_table.sql

M roles/vault/templates/vault.hcl.j2 => roles/vault/templates/vault.hcl.j2 +1 -1
@@ 1,7 1,7 @@
ui = true

storage "postgresql" {
    connection_url = "postgres://vault:{{ vault_psql_password }}@127.0.0.1:5432/vault?sslmode=disable"
    connection_url = "postgres://vault:{{ vault_secrets['psql_password'] }}@127.0.0.1:5432/vault?sslmode=disable"
    table = "vault_kv_store"
}


M roles/vaultwarden/tasks/main.yml => roles/vaultwarden/tasks/main.yml +4 -0
@@ 3,6 3,10 @@
  ansible.builtin.set_fact:
    vaultwarden_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/vaultwarden') }}"

- name: Get email secrets
  ansible.builtin.set_fact:
    email_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/email') }}"

- name: install
  community.general.pacman:
    name: "{{ vaultwarden_packages }}"

M roles/vaultwarden/templates/vaultwarden.env.j2 => roles/vaultwarden/templates/vaultwarden.env.j2 +2 -2
@@ 275,8 275,8 @@ SMTP_FROM_NAME=Vaultwarden
SMTP_PORT=587          # Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 is outdated and used with Implicit TLS.
SMTP_SSL=true          # (Explicit) - This variable by default configures Explicit STARTTLS, it will upgrade an insecure connection to a secure one. Unless SMTP_EXPLICIT_TLS is set to true. Either port 587 or 25 are default.
SMTP_EXPLICIT_TLS=true # (Implicit) - N.B. This variable configures Implicit TLS. It's currently mislabelled (see bug #851) - SMTP_SSL Needs to be set to true for this option to work. Usually port 465 is used here.
SMTP_USERNAME={{ email_noreply_mail }}
SMTP_PASSWORD={{ email_noreply_password }}
SMTP_USERNAME={{ email_secrets['noreply_user'] }}
SMTP_PASSWORD={{ email_secrets['noreply_password'] }}
# SMTP_TIMEOUT=15

## Defaults for SSL is "Plain" and "Login" and nothing for Non-SSL connections.