41 files changed, 100 insertions(+), 187 deletions(-)

D group_vars/all/hetzner.yml
D group_vars/all/srht.yml
D group_vars/all/vars.yml
D group_vars/all/vault_croc.yml
D group_vars/all/vault_email.yml
D group_vars/all/vault_hetzner.yml
D group_vars/all/vault_minio.yml
D group_vars/all/vault_srht.yml
D group_vars/all/vault_vault.yml
M roles/certbot/tasks/main.yml
M roles/certbot/templates/hetzner.ini.j2
M roles/croc/tasks/main.yml
M roles/croc/templates/croc.service.j2
M roles/croc/templates/receive.json.j2
M roles/croc/templates/send.json.j2
M roles/mailcow/tasks/main.yml
M roles/mailcow/templates/update_tlsa.py.j2
M roles/minio/tasks/main.yml
M roles/minio/templates/config.json.j2
M roles/minio/templates/minio.conf.j2
M roles/minio/templates/s3cfg.j2
M roles/nextcloud/tasks/main.yml
M roles/nextcloud/templates/config.php.j2
M roles/peertube/tasks/main.yml
M roles/peertube/templates/production.yaml.j2
M roles/prometheus/tasks/main.yml
M roles/prometheus/templates/alertmanager.yml.j2
M roles/srht/tasks/main.yml
M roles/srht/templates/builds.ini.j2
M roles/srht/templates/config.ini.j2
M roles/srht/templates/git.ini.j2
M roles/srht/templates/hub.ini.j2
M roles/srht/templates/lists.ini.j2
M roles/srht/templates/man.ini.j2
M roles/srht/templates/meta.ini.j2
M roles/srht/templates/paste.ini.j2
M roles/srht/templates/todo.ini.j2
M roles/vault/tasks/main.yml
M roles/vault/templates/vault.hcl.j2
M roles/vaultwarden/tasks/main.yml
M roles/vaultwarden/templates/vaultwarden.env.j2

@@ 1,3 0,0 @@
----
-hetzner_dns_key: "{{ vault_hetzner_dns_key }}"
-hetzner_cloud_key: "{{ vault_hetzner_cloud_ket }}"

@@ 1,19 0,0 @@
----
-srht_builds_id: "{{ vault_srht_builds_id }}"
-srht_builds_secret: "{{ vault_srht_builds_secret }}"
-srht_git_id: "{{ vault_srht_git_id }}"
-srht_git_secret: "{{ vault_srht_git_secret }}"
-srht_hub_id: "{{ vault_srht_hub_id }}"
-srht_hub_secret: "{{ vault_srht_hub_secret }}"
-srht_lists_id: "{{ vault_srht_lists_id }}"
-srht_lists_secret: "{{ vault_srht_lists_secret }}"
-srht_man_id: "{{ vault_srht_man_id }}"
-srht_man_secret: "{{ vault_srht_man_secret }}"
-srht_network_key: "{{ vault_srht_network_key }}"
-srht_paste_id: "{{ vault_srht_paste_id }}"
-srht_paste_secret: "{{ vault_srht_paste_secret }}"
-srht_psql_password: "{{ vault_srht_psql_password }}"
-srht_service_key: "{{ vault_srht_service_key }}"
-srht_todo_id: "{{ vault_srht_todo_id }}"
-srht_todo_secret: "{{ vault_srht_todo_secret }}"
-srht_webhook_key: "{{ vault_srht_webhook_key }}"

@@ 1,7 0,0 @@
----
-croc_password: "{{ vault_croc_password }}"
-email_noreply_mail: "{{ vault_email_noreply_mail }}"
-email_noreply_password: "{{ vault_email_noreply_password }}"
-minio_access_key: "{{ vault_minio_access_key }}"
-minio_secret_key: "{{ vault_minio_secret_key }}"
-vault_psql_password: "{{ vault_vault_psql_password }}"

@@ 1,9 0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-32343163366635383231373766373035613032376138303339656161363736333733326361383437
-6562623763323336323538363436373165323364393638330a343930613730303039666663373437
-37633163623662666566333331323331346136383832633761363632613835303461626633623633
-3465386533613738640a626439653731393137316238313536306662633266656434386138373563
-31316537346135646365383736343562366465386264336234306639336236653962313264616530
-66313138623964393537626335343266366163656663363535306564383863666466373137363635
-37353137643838663339373832303563643336383236336232353237313537386238333936316161
-63333639323065643736

@@ 1,10 0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-63356635336136356130386535356534646532333566613862353263343332386330326339373665
-3662326562363564373261363632333761376632633161640a643764333434613338373363613863
-65323464303364393063316336386564363661316430323163643433393665653838633261383536
-6164336430396663330a373133623630383831333731613964343464613730303830396661303836
-33383833643561363962353632623963626265393830633336333230376139383338373665313936
-33316635633730316631656532303064633062363534653139616363646265326535663432316338
-30396466663637336435623466383731666463633430386135613464636138643164373562373436
-32356366343434316534376535363730393064626164396636373266656637313035336165383437
-32333930373139396361643939663534346364376335643837613966343261333633

@@ 1,13 0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-33313031633030333961646461393566363530343430323164323335653263373932343038373331
-3039383662323839386539393934353865643036343332370a616134313764636539653162643438
-38386665386365666561346236386136633861313331333666616339393565303330623235643661
-3433356661316464310a623039656339383230386537393939366536373537613437623936323836
-34653130633535333632343164363333636162373435626435326536333264653534623462393662
-62353735333065626662373734333532313863386232336635633739616362333533356163386433
-65643337666331666237373439363339656663646639343634613030623932643064336562313330
-62346239336339613633383763623562393165363861623439333038353836366165313233343339
-65643930373465623062643937343832396538383438326239343338396637636137383835626530
-31373336363234363239663633393131393131306432653038383863636333333531366432313437
-37333562613631393731646537376530373636316663306163633235646365333239336635343035
-34326533613639343330

@@ 1,12 0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-30633665643864346562303265313362303132636630653131386635613662366433633637613162
-6265613461626265373437383432666165643637626539360a333932396263633032316631623037
-36666531353866376230653266363039633637396635343965643232393838323861626435303534
-6431626339313336610a633734373530346135666362623030346134633265313432396564326165
-64653433356536616337623863306436323265383935663439646235653332333838633162633931
-66653361366465316439306364333238343132343434323931653136373836383461303632363664
-63616635623439343765356434626666633632646666343739303061393663643439646139613935
-64366132613135323339363335636537613263613539333535373862393835633964323231353239
-61346131373430336364396164303639653964313266643732663138626639663536643738346266
-33626133333363663938626236326566663333663432316333633561646232396230393564633863
-343961393532363165653831363735653838

@@ 1,53 0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-38393938633362313265323362366135313333646466396433306134616531663837343736396631
-6233353830323636316264666432306662613332353236370a366138313338383932346434646532
-39646263633363353562323539643964383965393332353538383339623036376466323863333862
-3932396539653034390a303036646632646135623932363131343038393966393133666438333563
-35326464633338353935383539353730326464636664373766663734633365653861313161333136
-62626439323730383162313235333737316131393136396637646630353465306539643462633935
-64333538623835373062373130633165356534356466333338333361653934346133633065366265
-30373539633030376539353333653835623031326166363564323138636636653462363465623039
-35616537663762333831336439613363376464333231353031356461613233343363346164393539
-33396538323839353766633935303265343137373064646561303839326531663966303331623338
-35613761363835613061363161396132316239623464316436336163366531383039333537373534
-34333166316234613863633836623431653434356331623661356134613165326462643561333934
-63633739383062636261633030386663356661356235346466353734343235323064366363623062
-63303136396462343530313038353837626132636164386264396165373535623161356661373631
-37323833656631316266366364613461343565386539363830323265653038313634343262653234
-66323661363332643331613832653538396533333562363532323839653662346533323366343266
-65316262653830383839383534356462343061306462643332633838633234316265643234633663
-65313431396666363261306530623930346239623234346637356263336562646538653739366430
-35656666326563386232636535363737653362396566383164663435653639663766386562636233
-65393961646666616364633034353338333339663331623039633131313366663931643132626334
-33383238643966666534333163653061613332363635623266306233633862353835376132383230
-63366631633731343532363334386238656432356130323262336331646431653330303863353732
-39303264626537656534666530663962326232386635363165623765623763356263363061633936
-62656638346233323130616435636533666537373763656431383735363866373031306661336234
-38306131343530336136646137646565646339633161323566656532376337376434633564353764
-34653163376639373530636434356635656539643833396364396239346231306161653637616433
-65356232633430353732353830393138356537333465666562383730353962303665343834393366
-31326263613931666536376537666462323038646666626161373038633332653838343837666565
-31666231663666613539653338646236323066626238303938373930666364616333636565336263
-38336235623638613430643634333530363034373562666565633866383039646132373833373731
-38653262393730353461313131343239313531363436616265376435656339326434616632363465
-64353534333633373733313865663336643338336161643139323232346461626634306265383033
-36663963653733316662316565633764343837313466373836313034366238643637353066643736
-35646539336434336237393662356135366362313439333466376433326263653639326237626439
-39636563326238376565393932373565663536313739303634323764646137653837363563623037
-34393336626661343838623338316239333266376265373834326534343938303930323236383332
-37333965633131353561396563363764383334623035663061383833346133386436303066333066
-30326439653165323035613837653437383163663639613139623932313330643061313034376564
-30353462366639346337303362323736353764396566663336373533616262333464313238666233
-37646531333334313234366538643562393130666166623139333865343464356233623764616138
-36366665383564643461343434366536656563313836663765373763623138313138623633323466
-65366233663737363637333061316562643030323035326361323631373636356431383463323538
-38376263333038366136363332376336366135623032353962366638653539383735383330646166
-63356164333533333662326630303762383732316230393839343136623863646163303736633232
-32313833316564383031373034373730366636306430316565393962326435643262333066393431
-66623933363063613435366231663631323635656366666532663730383838303531373166653863
-33643031346139623234616633306537383035663034303664333331653361356437313665373135
-31376336663338386235313231623735633835343839626461633261346362366436383430306639
-37346234366532326331396530366135386239313365383062613939316161616233363232623432
-32323463343632613732343164353735623334643465623261616338666665373165666563343333
-39383465626639646263353461636232366233383336613633616661343332383337376235643432
-37363064623362623834

@@ 1,9 0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-61633130383866316533303038383263313632363965316363383761613364643564616433326666
-3161613962303262383961336662633066623132306636650a616330666338346662396139363138
-63343237343163376133323338643832663136343234663934633361336237363961643463613435
-3735373739633036330a356130336366353830383638636366326664643332363439333533343135
-37623764653031333964663033616663343637656163666534663664636134306338353832323236
-39663432666663333131323637396566383466316162646639366239323765343461326164613336
-31373930303732343661623565636339633965303765393031323766653865663762346562666633
-39386231386538653834

@@ 1,4 1,8 @@
 ---
+- name: Get hetzner secrets
+  ansible.builtin.set_fact:
+    hetzner_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/hetzner') }}"
+
 - name: Install
   community.general.pacman:
     name: certbot-dns-hetzner

@@ 1,1 1,1 @@
-dns_hetzner_api_token = "{{ hetzner_dns_key }}"
+dns_hetzner_api_token = "{{ hetzner_secrets['dns_key'] }}"

@@ 1,4 1,8 @@
 ---
+- name: Get secrets
+  ansible.builtin.set_fact:
+    croc_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/croc') }}"
+
 - name: install croc
   ansible.builtin.package:
     name: croc

@@ 1,3 1,3 @@
 [Service]
 ExecStart=
-ExecStart=/usr/bin/croc --pass "{{ croc_password }}" relay
+ExecStart=/usr/bin/croc --pass "{{ croc_secrets['password'] }}" relay

@@ 4,7 4,7 @@
   "Debug": false,
   "RelayAddress": "xenrox.net",
   "RelayPorts": ["9009", "9010", "9011", "9012", "9013"],
-  "RelayPassword": "{{ croc_password }}",
+  "RelayPassword": "{{ croc_secrets['password'] }}",
   "Stdout": false,
   "NoPrompt": false,
   "NoMultiplexing": false,

@@ 4,7 4,7 @@
   "Debug": false,
   "RelayAddress": "xenrox.net",
   "RelayPorts": ["9009", "9010", "9011", "9012", "9013"],
-  "RelayPassword": "{{ croc_password }}",
+  "RelayPassword": "{{ croc_secrets['password'] }}",
   "Stdout": false,
   "NoPrompt": false,
   "NoMultiplexing": false,

@@ 1,4 1,8 @@
 ---
+- name: Get hetzner secrets
+  ansible.builtin.set_fact:
+    hetzner_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/hetzner') }}"
+
 - name: Install docker/docker-compose
   community.general.pacman:
     name: docker,docker-compose

@@ 26,7 26,7 @@ def send_request(hash, id, name):
             url="https://dns.hetzner.com/api/v1/records/{}".format(id),
             headers={
                 "Content-Type": "application/json",
-                "Auth-API-Token": "{{ hetzner_dns_key }}",
+                "Auth-API-Token": "{{ hetzner_secrets['dns_key'] }}",
             },
             data=json.dumps(
                 {

@@ 1,4 1,8 @@
 ---
+- name: Get secrets
+  ansible.builtin.set_fact:
+    minio_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/minio') }}"
+
 - name: setup minio host
   import_tasks: host.yml
   when: minio_host is defined and minio_host

@@ 3,8 3,8 @@
   "aliases": {
     "xenrox": {
       "url": "https://minio.xenrox.net",
-      "accessKey": "{{ minio_access_key }}",
-      "secretKey": "{{ minio_secret_key }}",
+      "accessKey": "{{ minio_secrets['access_key'] }}",
+      "secretKey": "{{ minio_secrets['secret_key'] }}",
       "api": "s3v4",
       "path": "auto"
     }

@@ 1,8 1,8 @@
 # Local export path.
 MINIO_VOLUMES="/srv/minio/data/"
 # Access Key of the server.
-MINIO_ACCESS_KEY={{ minio_access_key }}
+MINIO_ACCESS_KEY={{ minio_secrets['access_key'] }}
 # Secret key of the server.
-MINIO_SECRET_KEY={{ minio_secret_key }}
+MINIO_SECRET_KEY={{ minio_secrets['secret_key'] }}
 # Use if you want to run Minio on a custom port.
 MINIO_OPTS="--address 127.0.0.1:9001"

@@ 2,6 2,6 @@
 host_base = minio.xenrox.net
 host_bucket = minio.xenrox.net
 use_https = true
-access_key = {{ minio_access_key }}
-secret_key = {{ minio_secret_key }}
+access_key = {{ minio_secrets['access_key'] }}
+secret_key = {{ minio_secrets['secret_key'] }}
 signature_v2 = False

@@ 3,6 3,10 @@
   ansible.builtin.set_fact:
     nextcloud_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/nextcloud') }}"
 
+- name: Get email secrets
+  ansible.builtin.set_fact:
+    email_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/email') }}"
+
 - name: Install nextcloud packages
   community.general.pacman:
     name: "{{ nextcloud_packages }}"

@@ 43,8 43,8 @@ $CONFIG = array (
   'mail_smtphost' => 'mail.xenrox.net',
   'mail_smtpport' => '465',
   'mail_smtpauthtype' => 'PLAIN',
-  'mail_smtpname' => '{{ email_noreply_mail }}',
-  'mail_smtppassword' => '{{ email_noreply_password }}',
+  'mail_smtpname' => '{{ email_secrets['noreply_user'] }}',
+  'mail_smtppassword' => '{{ email_secrets['noreply_password'] }}',
   'mail_smtpsecure' => 'ssl',
   'memcache.local' => '\OC\Memcache\APCu',
   'redis' => [

@@ 3,6 3,10 @@
   ansible.builtin.set_fact:
     peertube_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/peertube') }}"
 
+- name: Get email secrets
+  ansible.builtin.set_fact:
+    email_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/email') }}"
+
 - name: Install nodejs and yarn
   community.general.pacman:
     name: nodejs-lts-fermium,yarn

@@ 60,8 60,8 @@ smtp:
   sendmail: null
   hostname: mail.xenrox.net
   port: 465 # If you use StartTLS: 587
-  username: "{{ email_noreply_mail }}"
-  password: "{{ email_noreply_password }}"
+  username: "{{ email_secrets['noreply_user'] }}"
+  password: "{{ email_secrets['noreply_password'] }}"
   tls: true # If you use StartTLS: false
   disable_starttls: false
   ca_file: null # Used for self signed certificates

@@ 3,6 3,10 @@
   ansible.builtin.set_fact:
     ejabberd_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/ejabberd') }}"
 
+- name: Get email secrets
+  ansible.builtin.set_fact:
+    email_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/email') }}"
+
 - name: install
   community.general.pacman:
     name: "{{ prometheus_packages }}"

@@ 2,8 2,8 @@ global:
   resolve_timeout: 5m
   smtp_smarthost: "mail.xenrox.net:587"
   smtp_from: "alertmanager <noreply@xenrox.net>"
-  smtp_auth_username: {{ email_noreply_mail }}
-  smtp_auth_password: {{ email_noreply_password }}
+  smtp_auth_username: {{ email_secrets['noreply_user'] }}
+  smtp_auth_password: {{ email_secrets['noreply_password'] }}
 
 route:
   group_by: ["instance", "severity"]

@@ 1,4 1,16 @@
 ---
+- name: Get secrets
+  ansible.builtin.set_fact:
+    srht_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/srht') }}"
+
+- name: Get minio secrets
+  ansible.builtin.set_fact:
+    minio_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/minio') }}"
+
+- name: Get email secrets
+  ansible.builtin.set_fact:
+    email_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/email') }}"
+
 - name: install srht packages
   community.general.pacman:
     name: "{{ srht_packages }}"


@@ 59,7 71,7 @@
 - name: Create db user
   community.general.postgresql_user:
     name: srht
-    password: "{{ srht_psql_password }}"
+    password: "{{ srht_secrets['psql_password'] }}"
   become: true
   become_user: postgres
   no_log: true

@@ 8,7 8,7 @@ debug-host=0.0.0.0
 debug-port=5002
 #
 # Configures the SQLAlchemy connection string for the database.
-connection-string=postgresql://srht:{{ srht_psql_password }}@localhost/srht-builds?sslmode=disable
+connection-string=postgresql://srht:{{ srht_secrets['psql_password'] }}@localhost/srht-builds?sslmode=disable
 #
 # Set to "yes" to automatically run migrations on package upgrade.
 migrate-on-upgrade=yes


@@ 19,8 19,8 @@ redis=redis://localhost:6379/4
 #
 # builds.sr.ht's OAuth client ID and secret for meta.sr.ht
 # Register your client at meta.example.org/oauth
-oauth-client-id={{ srht_builds_id }}
-oauth-client-secret={{ srht_builds_secret }}
+oauth-client-id={{ srht_secrets['builds_id'] }}
+oauth-client-secret={{ srht_secrets['builds_secret'] }}
 #
 # Script used to launch on ssh connnection. /usr/bin/master-shell on master,
 # /usr/bin/runner-shell for workers.

@@ 29,11 29,11 @@ privacy-policy=
 # service (e.g. git1.sr.ht and git2.sr.ht), but different services may use
 # different keys. If you configure all of your services with the same
 # config.ini, you may use the same service-key for all of them.
-service-key={{ srht_service_key }}
+service-key={{ srht_secrets['service_key'] }}
 #
 # A secret key to encrypt internal messages with. Use `srht-keygen network` to
 # generate this key. It must be consistent between all services and nodes.
-network-key={{ srht_network_key }}
+network-key={{ srht_secrets['network_key'] }}
 #
 # The redis host URL. This is used for caching and temporary storage, and must
 # be shared between nodes (e.g. git1.sr.ht and git2.sr.ht), but need not be


@@ 50,16 50,16 @@ pushgateway=
 #
 # Minio is recommended as a FOSS solution over AWS: https://min.io
 s3-upstream=minio.xenrox.net
-s3-access-key={{ minio_access_key }}
-s3-secret-key={{ minio_secret_key }}
+s3-access-key={{ minio_secrets['access_key'] }}
+s3-secret-key={{ minio_secrets['secret_key'] }}
 
 [mail]
 #
 # Outgoing SMTP settings
 smtp-host=mail.xenrox.net
 smtp-port=587
-smtp-user={{ email_noreply_mail }}
-smtp-password={{ email_noreply_password }}
+smtp-user={{ email_secrets['noreply_user'] }}
+smtp-password={{ email_secrets['noreply_password'] }}
 smtp-from=xenrox sourcehut <noreply@xenrox.net>
 #
 # Application exceptions are emailed to this address


@@ 84,7 84,7 @@ pgp-key-id=60A4 269D F622 7C99 04CF  CFF7 55A4 316C 4697 1CC5
 # Use the `srht-keygen webhook` command to generate this key. Put the private
 # key here and distribute the public key to anyone who would want to verify
 # webhook payloads from your service.
-private-key={{ srht_webhook_key }}
+private-key={{ srht_secrets['webhook_key'] }}
 
 {% include "git.ini.j2" %}
 

@@ 8,7 8,7 @@ debug-host=0.0.0.0
 debug-port=5001
 #
 # Configures the SQLAlchemy connection string for the database.
-connection-string=postgresql://srht:{{ srht_psql_password }}@localhost/srht-git?sslmode=disable
+connection-string=postgresql://srht:{{ srht_secrets['psql_password'] }}@localhost/srht-git?sslmode=disable
 #
 # Set to "yes" to automatically run migrations on package upgrade.
 migrate-on-upgrade=yes


@@ 21,8 21,8 @@ post-update-script=/usr/bin/gitsrht-update-hook
 #
 # git.sr.ht's OAuth client ID and secret for meta.sr.ht
 # Register your client at meta.example.org/oauth
-oauth-client-id={{ srht_git_id }}
-oauth-client-secret={{ srht_git_secret }}
+oauth-client-id={{ srht_secrets['git_id'] }}
+oauth-client-secret={{ srht_secrets['git_secret'] }}
 #
 # Path to git repositories on disk
 repos=/var/lib/git/

@@ 8,12 8,12 @@ debug-host=0.0.0.0
 debug-port=5014
 #
 # Configures the SQLAlchemy connection string for the database.
-connection-string=postgresql://srht:{{ srht_psql_password }}@localhost/srht-hub
+connection-string=postgresql://srht:{{ srht_secrets['psql_password'] }}@localhost/srht-hub
 #
 # Set to "yes" to automatically run migrations on package upgrade.
 migrate-on-upgrade=yes
 #
 # hub.sr.ht's OAuth client ID and secret for meta.sr.ht
 # Register your client at meta.example.org/oauth
-oauth-client-id={{ srht_hub_id }}
-oauth-client-secret={{ srht_hub_secret }}
+oauth-client-id={{ srht_secrets['hub_id'] }}
+oauth-client-secret={{ srht_secrets['hub_secret'] }}

@@ 8,7 8,7 @@ debug-host=0.0.0.0
 debug-port=5006
 #
 # Configures the SQLAlchemy connection string for the database.
-connection-string=postgresql://srht:{{ srht_psql_password }}@localhost/srht-lists
+connection-string=postgresql://srht:{{ srht_secrets['psql_password'] }}@localhost/srht-lists
 #
 # Set to "yes" to automatically run migrations on package upgrade.
 migrate-on-upgrade=yes


@@ 26,8 26,8 @@ posting-domain=lists.xenrox.net
 #
 # lists.sr.ht's OAuth client ID and secret for meta.sr.ht
 # Register your client at meta.example.org/oauth
-oauth-client-id={{ srht_lists_id }}
-oauth-client-secret={{ srht_lists_secret }}
+oauth-client-id={{ srht_secrets['lists_id'] }}
+oauth-client-secret={{ srht_secrets['lists_secret'] }}
 #
 # Trusted upstream SMTP server generating Authentication-Results header fields
 msgauth-server=mail.xenrox.net

@@ 8,12 8,12 @@ debug-host=0.0.0.0
 debug-port=5004
 #
 # Configures the SQLAlchemy connection string for the database.
-connection-string=postgresql://srht:{{ srht_psql_password }}@localhost/srht-man
+connection-string=postgresql://srht:{{ srht_secrets['psql_password'] }}@localhost/srht-man
 #
 # Set to "yes" to automatically run migrations on package upgrade.
 migrate-on-upgrade=yes
 #
 # man.sr.ht's OAuth client ID and secret for meta.sr.ht
 # Register your client at meta.example.org/oauth
-oauth-client-id={{ srht_man_id }}
-oauth-client-secret={{ srht_man_secret }}
+oauth-client-id={{ srht_secrets['man_id'] }}
+oauth-client-secret={{ srht_secrets['man_secret'] }}

@@ 8,7 8,7 @@ debug-host=0.0.0.0
 debug-port=5000
 #
 # Configures the SQLAlchemy connection string for the database.
-connection-string=postgresql://srht:{{ srht_psql_password }}@localhost/srht-meta?sslmode=disable
+connection-string=postgresql://srht:{{ srht_secrets['psql_password'] }}@localhost/srht-meta?sslmode=disable
 #
 # Set to "yes" to automatically run migrations on package upgrade.
 migrate-on-upgrade=yes

@@ 8,12 8,12 @@ debug-host=0.0.0.0
 debug-port=5011
 #
 # Configures the SQLAlchemy connection string for the database.
-connection-string=postgresql://srht:{{ srht_psql_password }}@localhost/srht-paste
+connection-string=postgresql://srht:{{ srht_secrets['psql_password'] }}@localhost/srht-paste
 #
 # Set to "yes" to automatically run migrations on package upgrade.
 migrate-on-upgrade=yes
 #
 # paste.sr.ht's OAuth client ID and secret for meta.sr.ht
 # Register your client at meta.example.org/oauth
-oauth-client-id={{ srht_paste_id }}
-oauth-client-secret={{ srht_paste_secret }}
+oauth-client-id={{ srht_secrets['paste_id'] }}
+oauth-client-secret={{ srht_secrets['paste_secret'] }}

@@ 8,15 8,15 @@ debug-host=0.0.0.0
 debug-port=5003
 #
 # Configures the SQLAlchemy connection string for the database.
-connection-string=postgresql://srht:{{ srht_psql_password }}@localhost/srht-todo?sslmode=disable
+connection-string=postgresql://srht:{{ srht_secrets['psql_password'] }}@localhost/srht-todo?sslmode=disable
 #
 # Set to "yes" to automatically run migrations on package upgrade.
 migrate-on-upgrade=yes
 #
 # todo.sr.ht's OAuth client ID and secret for meta.sr.ht
 # Register your client at meta.example.org/oauth
-oauth-client-id={{ srht_todo_id }}
-oauth-client-secret={{ srht_todo_secret }}
+oauth-client-id={{ srht_secrets['todo_id'] }}
+oauth-client-secret={{ srht_secrets['todo_secret'] }}
 #
 # Outgoing email for notifications generated by users
 notify-from=noreply@xenrox.net

@@ 1,4 1,8 @@
 ---
+- name: Get secrets
+  ansible.builtin.set_fact:
+    vault_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/vault') }}"
+
 - name: Install
   community.general.pacman:
     name: vault


@@ 7,7 11,7 @@
 - name: Create db user
   community.general.postgresql_user:
     name: vault
-    password: "{{ vault_psql_password }}"
+    password: "{{ vault_secrets['psql_password'] }}"
   become: true
   become_user: postgres
   no_log: true


@@ 32,7 36,7 @@
 - name: Import DB schema
   community.general.postgresql_db:
     login_user: vault
-    login_password: "{{ vault_psql_password }}"
+    login_password: "{{ vault_secrets['psql_password'] }}"
     name: vault
     state: restore
     target: /tmp/vault_table.sql

@@ 1,7 1,7 @@
 ui = true
 
 storage "postgresql" {
-    connection_url = "postgres://vault:{{ vault_psql_password }}@127.0.0.1:5432/vault?sslmode=disable"
+    connection_url = "postgres://vault:{{ vault_secrets['psql_password'] }}@127.0.0.1:5432/vault?sslmode=disable"
     table = "vault_kv_store"
 }
 

@@ 3,6 3,10 @@
   ansible.builtin.set_fact:
     vaultwarden_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/vaultwarden') }}"
 
+- name: Get email secrets
+  ansible.builtin.set_fact:
+    email_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/email') }}"
+
 - name: install
   community.general.pacman:
     name: "{{ vaultwarden_packages }}"

@@ 275,8 275,8 @@ SMTP_FROM_NAME=Vaultwarden
 SMTP_PORT=587          # Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 is outdated and used with Implicit TLS.
 SMTP_SSL=true          # (Explicit) - This variable by default configures Explicit STARTTLS, it will upgrade an insecure connection to a secure one. Unless SMTP_EXPLICIT_TLS is set to true. Either port 587 or 25 are default.
 SMTP_EXPLICIT_TLS=true # (Implicit) - N.B. This variable configures Implicit TLS. It's currently mislabelled (see bug #851) - SMTP_SSL Needs to be set to true for this option to work. Usually port 465 is used here.
-SMTP_USERNAME={{ email_noreply_mail }}
-SMTP_PASSWORD={{ email_noreply_password }}
+SMTP_USERNAME={{ email_secrets['noreply_user'] }}
+SMTP_PASSWORD={{ email_secrets['noreply_password'] }}
 # SMTP_TIMEOUT=15
 
 ## Defaults for SSL is "Plain" and "Login" and nothing for Non-SSL connections.