D group_vars/all/hetzner.yml => group_vars/all/hetzner.yml +0 -3
@@ 1,3 0,0 @@
----
-hetzner_dns_key: "{{ vault_hetzner_dns_key }}"
-hetzner_cloud_key: "{{ vault_hetzner_cloud_ket }}"
D group_vars/all/srht.yml => group_vars/all/srht.yml +0 -19
@@ 1,19 0,0 @@
----
-srht_builds_id: "{{ vault_srht_builds_id }}"
-srht_builds_secret: "{{ vault_srht_builds_secret }}"
-srht_git_id: "{{ vault_srht_git_id }}"
-srht_git_secret: "{{ vault_srht_git_secret }}"
-srht_hub_id: "{{ vault_srht_hub_id }}"
-srht_hub_secret: "{{ vault_srht_hub_secret }}"
-srht_lists_id: "{{ vault_srht_lists_id }}"
-srht_lists_secret: "{{ vault_srht_lists_secret }}"
-srht_man_id: "{{ vault_srht_man_id }}"
-srht_man_secret: "{{ vault_srht_man_secret }}"
-srht_network_key: "{{ vault_srht_network_key }}"
-srht_paste_id: "{{ vault_srht_paste_id }}"
-srht_paste_secret: "{{ vault_srht_paste_secret }}"
-srht_psql_password: "{{ vault_srht_psql_password }}"
-srht_service_key: "{{ vault_srht_service_key }}"
-srht_todo_id: "{{ vault_srht_todo_id }}"
-srht_todo_secret: "{{ vault_srht_todo_secret }}"
-srht_webhook_key: "{{ vault_srht_webhook_key }}"
D group_vars/all/vars.yml => group_vars/all/vars.yml +0 -7
@@ 1,7 0,0 @@
----
-croc_password: "{{ vault_croc_password }}"
-email_noreply_mail: "{{ vault_email_noreply_mail }}"
-email_noreply_password: "{{ vault_email_noreply_password }}"
-minio_access_key: "{{ vault_minio_access_key }}"
-minio_secret_key: "{{ vault_minio_secret_key }}"
-vault_psql_password: "{{ vault_vault_psql_password }}"
D group_vars/all/vault_croc.yml => group_vars/all/vault_croc.yml +0 -9
@@ 1,9 0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-32343163366635383231373766373035613032376138303339656161363736333733326361383437
-6562623763323336323538363436373165323364393638330a343930613730303039666663373437
-37633163623662666566333331323331346136383832633761363632613835303461626633623633
-3465386533613738640a626439653731393137316238313536306662633266656434386138373563
-31316537346135646365383736343562366465386264336234306639336236653962313264616530
-66313138623964393537626335343266366163656663363535306564383863666466373137363635
-37353137643838663339373832303563643336383236336232353237313537386238333936316161
-63333639323065643736
D group_vars/all/vault_email.yml => group_vars/all/vault_email.yml +0 -10
@@ 1,10 0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-63356635336136356130386535356534646532333566613862353263343332386330326339373665
-3662326562363564373261363632333761376632633161640a643764333434613338373363613863
-65323464303364393063316336386564363661316430323163643433393665653838633261383536
-6164336430396663330a373133623630383831333731613964343464613730303830396661303836
-33383833643561363962353632623963626265393830633336333230376139383338373665313936
-33316635633730316631656532303064633062363534653139616363646265326535663432316338
-30396466663637336435623466383731666463633430386135613464636138643164373562373436
-32356366343434316534376535363730393064626164396636373266656637313035336165383437
-32333930373139396361643939663534346364376335643837613966343261333633
D group_vars/all/vault_hetzner.yml => group_vars/all/vault_hetzner.yml +0 -13
@@ 1,13 0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-33313031633030333961646461393566363530343430323164323335653263373932343038373331
-3039383662323839386539393934353865643036343332370a616134313764636539653162643438
-38386665386365666561346236386136633861313331333666616339393565303330623235643661
-3433356661316464310a623039656339383230386537393939366536373537613437623936323836
-34653130633535333632343164363333636162373435626435326536333264653534623462393662
-62353735333065626662373734333532313863386232336635633739616362333533356163386433
-65643337666331666237373439363339656663646639343634613030623932643064336562313330
-62346239336339613633383763623562393165363861623439333038353836366165313233343339
-65643930373465623062643937343832396538383438326239343338396637636137383835626530
-31373336363234363239663633393131393131306432653038383863636333333531366432313437
-37333562613631393731646537376530373636316663306163633235646365333239336635343035
-34326533613639343330
D group_vars/all/vault_minio.yml => group_vars/all/vault_minio.yml +0 -12
@@ 1,12 0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-30633665643864346562303265313362303132636630653131386635613662366433633637613162
-6265613461626265373437383432666165643637626539360a333932396263633032316631623037
-36666531353866376230653266363039633637396635343965643232393838323861626435303534
-6431626339313336610a633734373530346135666362623030346134633265313432396564326165
-64653433356536616337623863306436323265383935663439646235653332333838633162633931
-66653361366465316439306364333238343132343434323931653136373836383461303632363664
-63616635623439343765356434626666633632646666343739303061393663643439646139613935
-64366132613135323339363335636537613263613539333535373862393835633964323231353239
-61346131373430336364396164303639653964313266643732663138626639663536643738346266
-33626133333363663938626236326566663333663432316333633561646232396230393564633863
-343961393532363165653831363735653838
D group_vars/all/vault_srht.yml => group_vars/all/vault_srht.yml +0 -53
@@ 1,53 0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-38393938633362313265323362366135313333646466396433306134616531663837343736396631
-6233353830323636316264666432306662613332353236370a366138313338383932346434646532
-39646263633363353562323539643964383965393332353538383339623036376466323863333862
-3932396539653034390a303036646632646135623932363131343038393966393133666438333563
-35326464633338353935383539353730326464636664373766663734633365653861313161333136
-62626439323730383162313235333737316131393136396637646630353465306539643462633935
-64333538623835373062373130633165356534356466333338333361653934346133633065366265
-30373539633030376539353333653835623031326166363564323138636636653462363465623039
-35616537663762333831336439613363376464333231353031356461613233343363346164393539
-33396538323839353766633935303265343137373064646561303839326531663966303331623338
-35613761363835613061363161396132316239623464316436336163366531383039333537373534
-34333166316234613863633836623431653434356331623661356134613165326462643561333934
-63633739383062636261633030386663356661356235346466353734343235323064366363623062
-63303136396462343530313038353837626132636164386264396165373535623161356661373631
-37323833656631316266366364613461343565386539363830323265653038313634343262653234
-66323661363332643331613832653538396533333562363532323839653662346533323366343266
-65316262653830383839383534356462343061306462643332633838633234316265643234633663
-65313431396666363261306530623930346239623234346637356263336562646538653739366430
-35656666326563386232636535363737653362396566383164663435653639663766386562636233
-65393961646666616364633034353338333339663331623039633131313366663931643132626334
-33383238643966666534333163653061613332363635623266306233633862353835376132383230
-63366631633731343532363334386238656432356130323262336331646431653330303863353732
-39303264626537656534666530663962326232386635363165623765623763356263363061633936
-62656638346233323130616435636533666537373763656431383735363866373031306661336234
-38306131343530336136646137646565646339633161323566656532376337376434633564353764
-34653163376639373530636434356635656539643833396364396239346231306161653637616433
-65356232633430353732353830393138356537333465666562383730353962303665343834393366
-31326263613931666536376537666462323038646666626161373038633332653838343837666565
-31666231663666613539653338646236323066626238303938373930666364616333636565336263
-38336235623638613430643634333530363034373562666565633866383039646132373833373731
-38653262393730353461313131343239313531363436616265376435656339326434616632363465
-64353534333633373733313865663336643338336161643139323232346461626634306265383033
-36663963653733316662316565633764343837313466373836313034366238643637353066643736
-35646539336434336237393662356135366362313439333466376433326263653639326237626439
-39636563326238376565393932373565663536313739303634323764646137653837363563623037
-34393336626661343838623338316239333266376265373834326534343938303930323236383332
-37333965633131353561396563363764383334623035663061383833346133386436303066333066
-30326439653165323035613837653437383163663639613139623932313330643061313034376564
-30353462366639346337303362323736353764396566663336373533616262333464313238666233
-37646531333334313234366538643562393130666166623139333865343464356233623764616138
-36366665383564643461343434366536656563313836663765373763623138313138623633323466
-65366233663737363637333061316562643030323035326361323631373636356431383463323538
-38376263333038366136363332376336366135623032353962366638653539383735383330646166
-63356164333533333662326630303762383732316230393839343136623863646163303736633232
-32313833316564383031373034373730366636306430316565393962326435643262333066393431
-66623933363063613435366231663631323635656366666532663730383838303531373166653863
-33643031346139623234616633306537383035663034303664333331653361356437313665373135
-31376336663338386235313231623735633835343839626461633261346362366436383430306639
-37346234366532326331396530366135386239313365383062613939316161616233363232623432
-32323463343632613732343164353735623334643465623261616338666665373165666563343333
-39383465626639646263353461636232366233383336613633616661343332383337376235643432
-37363064623362623834
D group_vars/all/vault_vault.yml => group_vars/all/vault_vault.yml +0 -9
@@ 1,9 0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-61633130383866316533303038383263313632363965316363383761613364643564616433326666
-3161613962303262383961336662633066623132306636650a616330666338346662396139363138
-63343237343163376133323338643832663136343234663934633361336237363961643463613435
-3735373739633036330a356130336366353830383638636366326664643332363439333533343135
-37623764653031333964663033616663343637656163666534663664636134306338353832323236
-39663432666663333131323637396566383466316162646639366239323765343461326164613336
-31373930303732343661623565636339633965303765393031323766653865663762346562666633
-39386231386538653834
M roles/certbot/tasks/main.yml => roles/certbot/tasks/main.yml +4 -0
@@ 1,4 1,8 @@
---
+- name: Get hetzner secrets
+ ansible.builtin.set_fact:
+ hetzner_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/hetzner') }}"
+
- name: Install
community.general.pacman:
name: certbot-dns-hetzner
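Review bot: The new `Get hetzner secrets` task stores the whole Vault secret in a fact without `no_log: true`, so a run with `-v` prints the `set_fact` result, including the fetched values, to stdout and to any log that captures it. The same applies to the equivalent new lookup tasks in roles/croc, roles/mailcow, roles/minio, roles/nextcloud, roles/peertube, roles/prometheus, roles/srht, roles/vault and roles/vaultwarden; the db-user tasks in this commit already use `no_log: true`, so add `  no_log: true` under each of these `set_fact` tasks as well. Keep in mind that `no_log` hides the task result only; a `--diff` run still shows the rendered templates, which now contain these values, so that output needs the same handling as the secrets themselves.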
M roles/certbot/templates/hetzner.ini.j2 => roles/certbot/templates/hetzner.ini.j2 +1 -1
@@ 1,1 1,1 @@
-dns_hetzner_api_token = "{{ hetzner_dns_key }}"
+dns_hetzner_api_token = "{{ hetzner_secrets['dns_key'] }}"
M roles/croc/tasks/main.yml => roles/croc/tasks/main.yml +4 -0
@@ 1,4 1,8 @@
---
+- name: Get secrets
+ ansible.builtin.set_fact:
+ croc_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/croc') }}"
+
- name: install croc
ansible.builtin.package:
name: croc
M roles/croc/templates/croc.service.j2 => roles/croc/templates/croc.service.j2 +1 -1
@@ 1,3 1,3 @@
[Service]
ExecStart=
-ExecStart=/usr/bin/croc --pass "{{ croc_password }}" relay
+ExecStart=/usr/bin/croc --pass "{{ croc_secrets['password'] }}" relay
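Review bot: The relay password is now interpolated unescaped into `ExecStart=`, where systemd applies specifier expansion and its own quoting rules, so a value containing `%`, `"` or `\` would be mangled or fail to load once the secret is an arbitrary Vault value rather than a hand-chosen vault-file literal. At minimum double any percent signs, e.g. `ExecStart=/usr/bin/croc --pass "{{ croc_secrets['password'] | replace('%', '%%') }}" relay`, and keep the stored secret free of double quotes and backslashes. Independently of this change, the password stays visible in the process argument list to every local user; if croc offers a non-argv way to supply it, that would be worth using here.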
M roles/croc/templates/receive.json.j2 => roles/croc/templates/receive.json.j2 +1 -1
@@ 4,7 4,7 @@
"Debug": false,
"RelayAddress": "xenrox.net",
"RelayPorts": ["9009", "9010", "9011", "9012", "9013"],
- "RelayPassword": "{{ croc_password }}",
+ "RelayPassword": "{{ croc_secrets['password'] }}",
"Stdout": false,
"NoPrompt": false,
"NoMultiplexing": false,
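Review bot: The password is substituted into a JSON string literal with no escaping, so a Vault value containing `"` or `\` produces a file croc cannot parse, a failure the old vault-file variables could avoid by convention but an arbitrary stored secret cannot. Let the serializer quote it instead: `"RelayPassword": {{ croc_secrets['password'] | to_json }},`. The same applies to roles/croc/templates/send.json.j2 and to the `accessKey`/`secretKey` lines in roles/minio/templates/config.json.j2.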
M roles/croc/templates/send.json.j2 => roles/croc/templates/send.json.j2 +1 -1
@@ 4,7 4,7 @@
"Debug": false,
"RelayAddress": "xenrox.net",
"RelayPorts": ["9009", "9010", "9011", "9012", "9013"],
- "RelayPassword": "{{ croc_password }}",
+ "RelayPassword": "{{ croc_secrets['password'] }}",
"Stdout": false,
"NoPrompt": false,
"NoMultiplexing": false,
M roles/mailcow/tasks/main.yml => roles/mailcow/tasks/main.yml +4 -0
@@ 1,4 1,8 @@
---
+- name: Get hetzner secrets
+ ansible.builtin.set_fact:
+ hetzner_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/hetzner') }}"
+
- name: Install docker/docker-compose
community.general.pacman:
name: docker,docker-compose
M roles/mailcow/templates/update_tlsa.py.j2 => roles/mailcow/templates/update_tlsa.py.j2 +1 -1
@@ 26,7 26,7 @@ def send_request(hash, id, name):
url="https://dns.hetzner.com/api/v1/records/{}".format(id),
headers={
"Content-Type": "application/json",
- "Auth-API-Token": "{{ hetzner_dns_key }}",
+ "Auth-API-Token": "{{ hetzner_secrets['dns_key'] }}",
},
data=json.dumps(
{
M roles/minio/tasks/main.yml => roles/minio/tasks/main.yml +4 -0
@@ 1,4 1,8 @@
---
+- name: Get secrets
+ ansible.builtin.set_fact:
+ minio_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/minio') }}"
+
- name: setup minio host
import_tasks: host.yml
when: minio_host is defined and minio_host
M roles/minio/templates/config.json.j2 => roles/minio/templates/config.json.j2 +2 -2
@@ 3,8 3,8 @@
"aliases": {
"xenrox": {
"url": "https://minio.xenrox.net",
- "accessKey": "{{ minio_access_key }}",
- "secretKey": "{{ minio_secret_key }}",
+ "accessKey": "{{ minio_secrets['access_key'] }}",
+ "secretKey": "{{ minio_secrets['secret_key'] }}",
"api": "s3v4",
"path": "auto"
}
M roles/minio/templates/minio.conf.j2 => roles/minio/templates/minio.conf.j2 +2 -2
@@ 1,8 1,8 @@
# Local export path.
MINIO_VOLUMES="/srv/minio/data/"
# Access Key of the server.
-MINIO_ACCESS_KEY={{ minio_access_key }}
+MINIO_ACCESS_KEY={{ minio_secrets['access_key'] }}
# Secret key of the server.
-MINIO_SECRET_KEY={{ minio_secret_key }}
+MINIO_SECRET_KEY={{ minio_secrets['secret_key'] }}
# Use if you want to run Minio on a custom port.
MINIO_OPTS="--address 127.0.0.1:9001"
M roles/minio/templates/s3cfg.j2 => roles/minio/templates/s3cfg.j2 +2 -2
@@ 2,6 2,6 @@
host_base = minio.xenrox.net
host_bucket = minio.xenrox.net
use_https = true
-access_key = {{ minio_access_key }}
-secret_key = {{ minio_secret_key }}
+access_key = {{ minio_secrets['access_key'] }}
+secret_key = {{ minio_secrets['secret_key'] }}
signature_v2 = False
M roles/nextcloud/tasks/main.yml => roles/nextcloud/tasks/main.yml +4 -0
@@ 3,6 3,10 @@
ansible.builtin.set_fact:
nextcloud_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/nextcloud') }}"
+- name: Get email secrets
+ ansible.builtin.set_fact:
+ email_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/email') }}"
+
- name: Install nextcloud packages
community.general.pacman:
name: "{{ nextcloud_packages }}"
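Review bot: The `Get email secrets` task added here is duplicated verbatim in roles/peertube, roles/prometheus, roles/srht and roles/vaultwarden, and `hetzner_secrets`/`minio_secrets` are likewise fetched in two roles each; a single shared role (or play-level `pre_tasks`) that sets these facts once would keep each Vault path in one place and make a later path or key rename a one-line change. As a minor formatting point, this hunk and the peertube, prometheus and vaultwarden hunks insert the new task directly after the preceding `set_fact` with no blank line, unlike the other task insertions in this commit. The `set_fact` task that precedes the new one begins outside the hunk.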
M roles/nextcloud/templates/config.php.j2 => roles/nextcloud/templates/config.php.j2 +2 -2
@@ 43,8 43,8 @@ $CONFIG = array (
'mail_smtphost' => 'mail.xenrox.net',
'mail_smtpport' => '465',
'mail_smtpauthtype' => 'PLAIN',
- 'mail_smtpname' => '{{ email_noreply_mail }}',
- 'mail_smtppassword' => '{{ email_noreply_password }}',
+ 'mail_smtpname' => '{{ email_secrets['noreply_user'] }}',
+ 'mail_smtppassword' => '{{ email_secrets['noreply_password'] }}',
'mail_smtpsecure' => 'ssl',
'memcache.local' => '\OC\Memcache\APCu',
'redis' => [
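Review bot: Both new values are placed inside PHP single-quoted strings without escaping, so a `'` or a trailing `\` in the mail user or password would break config.php and take the instance down on the next template run. Escape backslashes and single quotes before interpolation (two chained `replace` filters on each value, backslash first), or generate the whole `$CONFIG` array from a serializer rather than by hand; do not switch to double quotes, since PHP would then interpolate `$` and escape sequences in the secret. The enclosing `$CONFIG = array (` starts outside the hunk.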
M roles/peertube/tasks/main.yml => roles/peertube/tasks/main.yml +4 -0
@@ 3,6 3,10 @@
ansible.builtin.set_fact:
peertube_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/peertube') }}"
+- name: Get email secrets
+ ansible.builtin.set_fact:
+ email_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/email') }}"
+
- name: Install nodejs and yarn
community.general.pacman:
name: nodejs-lts-fermium,yarn
M roles/peertube/templates/production.yaml.j2 => roles/peertube/templates/production.yaml.j2 +2 -2
@@ 60,8 60,8 @@ smtp:
sendmail: null
hostname: mail.xenrox.net
port: 465 # If you use StartTLS: 587
- username: "{{ email_noreply_mail }}"
- password: "{{ email_noreply_password }}"
+ username: "{{ email_secrets['noreply_user'] }}"
+ password: "{{ email_secrets['noreply_password'] }}"
tls: true # If you use StartTLS: false
disable_starttls: false
ca_file: null # Used for self signed certificates
M roles/prometheus/tasks/main.yml => roles/prometheus/tasks/main.yml +4 -0
@@ 3,6 3,10 @@
ansible.builtin.set_fact:
ejabberd_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/ejabberd') }}"
+- name: Get email secrets
+ ansible.builtin.set_fact:
+ email_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/email') }}"
+
- name: install
community.general.pacman:
name: "{{ prometheus_packages }}"
M roles/prometheus/templates/alertmanager.yml.j2 => roles/prometheus/templates/alertmanager.yml.j2 +2 -2
@@ 2,8 2,8 @@ global:
resolve_timeout: 5m
smtp_smarthost: "mail.xenrox.net:587"
smtp_from: "alertmanager <noreply@xenrox.net>"
- smtp_auth_username: {{ email_noreply_mail }}
- smtp_auth_password: {{ email_noreply_password }}
+ smtp_auth_username: {{ email_secrets['noreply_user'] }}
+ smtp_auth_password: {{ email_secrets['noreply_password'] }}
route:
group_by: ["instance", "severity"]
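Review bot: `smtp_auth_username` and `smtp_auth_password` on the two added lines are rendered as plain YAML scalars, so a password containing `: ` or ` #`, or starting with `*`, `&`, `[`, `{` or a quote, would either break alertmanager's config parse or be silently retyped; the neighbouring `smtp_smarthost`/`smtp_from` values are quoted and these should be too. Serialize rather than hand-quote, e.g. `smtp_auth_username: {{ email_secrets['noreply_user'] | to_json }}` and `smtp_auth_password: {{ email_secrets['noreply_password'] | to_json }}`. The same filter would also cover the double-quoted lines in roles/peertube/templates/production.yaml.j2, which still break on an embedded `"` or `\`.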
M roles/srht/tasks/main.yml => roles/srht/tasks/main.yml +13 -1
@@ 1,4 1,16 @@
---
+- name: Get secrets
+ ansible.builtin.set_fact:
+ srht_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/srht') }}"
+
+- name: Get minio secrets
+ ansible.builtin.set_fact:
+ minio_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/minio') }}"
+
+- name: Get email secrets
+ ansible.builtin.set_fact:
+ email_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/email') }}"
+
- name: install srht packages
community.general.pacman:
name: "{{ srht_packages }}"
@@ 59,7 71,7 @@
- name: Create db user
community.general.postgresql_user:
name: srht
- password: "{{ srht_psql_password }}"
+ password: "{{ srht_secrets['psql_password'] }}"
become: true
become_user: postgres
no_log: true
M roles/srht/templates/builds.ini.j2 => roles/srht/templates/builds.ini.j2 +3 -3
@@ 8,7 8,7 @@ debug-host=0.0.0.0
debug-port=5002
#
# Configures the SQLAlchemy connection string for the database.
-connection-string=postgresql://srht:{{ srht_psql_password }}@localhost/srht-builds?sslmode=disable
+connection-string=postgresql://srht:{{ srht_secrets['psql_password'] }}@localhost/srht-builds?sslmode=disable
#
# Set to "yes" to automatically run migrations on package upgrade.
migrate-on-upgrade=yes
@@ 19,8 19,8 @@ redis=redis://localhost:6379/4
#
# builds.sr.ht's OAuth client ID and secret for meta.sr.ht
# Register your client at meta.example.org/oauth
-oauth-client-id={{ srht_builds_id }}
-oauth-client-secret={{ srht_builds_secret }}
+oauth-client-id={{ srht_secrets['builds_id'] }}
+oauth-client-secret={{ srht_secrets['builds_secret'] }}
#
# Script used to launch on ssh connnection. /usr/bin/master-shell on master,
# /usr/bin/runner-shell for workers.
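Review bot: `connection-string` embeds the database password in a URL without percent-encoding, so a Vault-stored password containing `@`, `:`, `?` or `#` would be parsed as part of the host or query and the service would fail to connect, while the `postgresql_user` task in this commit sets the raw value and so silently diverges from it. Apply the Jinja `urlencode` filter to the password component, `connection-string=postgresql://srht:{{ srht_secrets['psql_password'] | urlencode }}@localhost/srht-builds?sslmode=disable`, and since that filter leaves `/` literal, chain `| replace('/', '%2F')` if slashes can occur in the stored value. The same line appears in git.ini.j2, hub.ini.j2, lists.ini.j2, man.ini.j2, meta.ini.j2, paste.ini.j2 and todo.ini.j2, and the `connection_url` in roles/vault/templates/vault.hcl.j2 has the same exposure.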
M roles/srht/templates/config.ini.j2 => roles/srht/templates/config.ini.j2 +7 -7
@@ 29,11 29,11 @@ privacy-policy=
# service (e.g. git1.sr.ht and git2.sr.ht), but different services may use
# different keys. If you configure all of your services with the same
# config.ini, you may use the same service-key for all of them.
-service-key={{ srht_service_key }}
+service-key={{ srht_secrets['service_key'] }}
#
# A secret key to encrypt internal messages with. Use `srht-keygen network` to
# generate this key. It must be consistent between all services and nodes.
-network-key={{ srht_network_key }}
+network-key={{ srht_secrets['network_key'] }}
#
# The redis host URL. This is used for caching and temporary storage, and must
# be shared between nodes (e.g. git1.sr.ht and git2.sr.ht), but need not be
@@ 50,16 50,16 @@ pushgateway=
#
# Minio is recommended as a FOSS solution over AWS: https://min.io
s3-upstream=minio.xenrox.net
-s3-access-key={{ minio_access_key }}
-s3-secret-key={{ minio_secret_key }}
+s3-access-key={{ minio_secrets['access_key'] }}
+s3-secret-key={{ minio_secrets['secret_key'] }}
[mail]
#
# Outgoing SMTP settings
smtp-host=mail.xenrox.net
smtp-port=587
-smtp-user={{ email_noreply_mail }}
-smtp-password={{ email_noreply_password }}
+smtp-user={{ email_secrets['noreply_user'] }}
+smtp-password={{ email_secrets['noreply_password'] }}
smtp-from=xenrox sourcehut <noreply@xenrox.net>
#
# Application exceptions are emailed to this address
@@ 84,7 84,7 @@ pgp-key-id=60A4 269D F622 7C99 04CF CFF7 55A4 316C 4697 1CC5
# Use the `srht-keygen webhook` command to generate this key. Put the private
# key here and distribute the public key to anyone who would want to verify
# webhook payloads from your service.
-private-key={{ srht_webhook_key }}
+private-key={{ srht_secrets['webhook_key'] }}
{% include "git.ini.j2" %}
M roles/srht/templates/git.ini.j2 => roles/srht/templates/git.ini.j2 +3 -3
@@ 8,7 8,7 @@ debug-host=0.0.0.0
debug-port=5001
#
# Configures the SQLAlchemy connection string for the database.
-connection-string=postgresql://srht:{{ srht_psql_password }}@localhost/srht-git?sslmode=disable
+connection-string=postgresql://srht:{{ srht_secrets['psql_password'] }}@localhost/srht-git?sslmode=disable
#
# Set to "yes" to automatically run migrations on package upgrade.
migrate-on-upgrade=yes
@@ 21,8 21,8 @@ post-update-script=/usr/bin/gitsrht-update-hook
#
# git.sr.ht's OAuth client ID and secret for meta.sr.ht
# Register your client at meta.example.org/oauth
-oauth-client-id={{ srht_git_id }}
-oauth-client-secret={{ srht_git_secret }}
+oauth-client-id={{ srht_secrets['git_id'] }}
+oauth-client-secret={{ srht_secrets['git_secret'] }}
#
# Path to git repositories on disk
repos=/var/lib/git/
M roles/srht/templates/hub.ini.j2 => roles/srht/templates/hub.ini.j2 +3 -3
@@ 8,12 8,12 @@ debug-host=0.0.0.0
debug-port=5014
#
# Configures the SQLAlchemy connection string for the database.
-connection-string=postgresql://srht:{{ srht_psql_password }}@localhost/srht-hub
+connection-string=postgresql://srht:{{ srht_secrets['psql_password'] }}@localhost/srht-hub
#
# Set to "yes" to automatically run migrations on package upgrade.
migrate-on-upgrade=yes
#
# hub.sr.ht's OAuth client ID and secret for meta.sr.ht
# Register your client at meta.example.org/oauth
-oauth-client-id={{ srht_hub_id }}
-oauth-client-secret={{ srht_hub_secret }}
+oauth-client-id={{ srht_secrets['hub_id'] }}
+oauth-client-secret={{ srht_secrets['hub_secret'] }}
M roles/srht/templates/lists.ini.j2 => roles/srht/templates/lists.ini.j2 +3 -3
@@ 8,7 8,7 @@ debug-host=0.0.0.0
debug-port=5006
#
# Configures the SQLAlchemy connection string for the database.
-connection-string=postgresql://srht:{{ srht_psql_password }}@localhost/srht-lists
+connection-string=postgresql://srht:{{ srht_secrets['psql_password'] }}@localhost/srht-lists
#
# Set to "yes" to automatically run migrations on package upgrade.
migrate-on-upgrade=yes
@@ 26,8 26,8 @@ posting-domain=lists.xenrox.net
#
# lists.sr.ht's OAuth client ID and secret for meta.sr.ht
# Register your client at meta.example.org/oauth
-oauth-client-id={{ srht_lists_id }}
-oauth-client-secret={{ srht_lists_secret }}
+oauth-client-id={{ srht_secrets['lists_id'] }}
+oauth-client-secret={{ srht_secrets['lists_secret'] }}
#
# Trusted upstream SMTP server generating Authentication-Results header fields
msgauth-server=mail.xenrox.net
M roles/srht/templates/man.ini.j2 => roles/srht/templates/man.ini.j2 +3 -3
@@ 8,12 8,12 @@ debug-host=0.0.0.0
debug-port=5004
#
# Configures the SQLAlchemy connection string for the database.
-connection-string=postgresql://srht:{{ srht_psql_password }}@localhost/srht-man
+connection-string=postgresql://srht:{{ srht_secrets['psql_password'] }}@localhost/srht-man
#
# Set to "yes" to automatically run migrations on package upgrade.
migrate-on-upgrade=yes
#
# man.sr.ht's OAuth client ID and secret for meta.sr.ht
# Register your client at meta.example.org/oauth
-oauth-client-id={{ srht_man_id }}
-oauth-client-secret={{ srht_man_secret }}
+oauth-client-id={{ srht_secrets['man_id'] }}
+oauth-client-secret={{ srht_secrets['man_secret'] }}
M roles/srht/templates/meta.ini.j2 => roles/srht/templates/meta.ini.j2 +1 -1
@@ 8,7 8,7 @@ debug-host=0.0.0.0
debug-port=5000
#
# Configures the SQLAlchemy connection string for the database.
-connection-string=postgresql://srht:{{ srht_psql_password }}@localhost/srht-meta?sslmode=disable
+connection-string=postgresql://srht:{{ srht_secrets['psql_password'] }}@localhost/srht-meta?sslmode=disable
#
# Set to "yes" to automatically run migrations on package upgrade.
migrate-on-upgrade=yes
M roles/srht/templates/paste.ini.j2 => roles/srht/templates/paste.ini.j2 +3 -3
@@ 8,12 8,12 @@ debug-host=0.0.0.0
debug-port=5011
#
# Configures the SQLAlchemy connection string for the database.
-connection-string=postgresql://srht:{{ srht_psql_password }}@localhost/srht-paste
+connection-string=postgresql://srht:{{ srht_secrets['psql_password'] }}@localhost/srht-paste
#
# Set to "yes" to automatically run migrations on package upgrade.
migrate-on-upgrade=yes
#
# paste.sr.ht's OAuth client ID and secret for meta.sr.ht
# Register your client at meta.example.org/oauth
-oauth-client-id={{ srht_paste_id }}
-oauth-client-secret={{ srht_paste_secret }}
+oauth-client-id={{ srht_secrets['paste_id'] }}
+oauth-client-secret={{ srht_secrets['paste_secret'] }}
M roles/srht/templates/todo.ini.j2 => roles/srht/templates/todo.ini.j2 +3 -3
@@ 8,15 8,15 @@ debug-host=0.0.0.0
debug-port=5003
#
# Configures the SQLAlchemy connection string for the database.
-connection-string=postgresql://srht:{{ srht_psql_password }}@localhost/srht-todo?sslmode=disable
+connection-string=postgresql://srht:{{ srht_secrets['psql_password'] }}@localhost/srht-todo?sslmode=disable
#
# Set to "yes" to automatically run migrations on package upgrade.
migrate-on-upgrade=yes
#
# todo.sr.ht's OAuth client ID and secret for meta.sr.ht
# Register your client at meta.example.org/oauth
-oauth-client-id={{ srht_todo_id }}
-oauth-client-secret={{ srht_todo_secret }}
+oauth-client-id={{ srht_secrets['todo_id'] }}
+oauth-client-secret={{ srht_secrets['todo_secret'] }}
#
# Outgoing email for notifications generated by users
notify-from=noreply@xenrox.net
M roles/vault/tasks/main.yml => roles/vault/tasks/main.yml +6 -2
@@ 1,4 1,8 @@
---
+- name: Get secrets
+ ansible.builtin.set_fact:
+ vault_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/vault') }}"
+
- name: Install
community.general.pacman:
name: vault
@@ 7,7 11,7 @@
- name: Create db user
community.general.postgresql_user:
name: vault
- password: "{{ vault_psql_password }}"
+ password: "{{ vault_secrets['psql_password'] }}"
become: true
become_user: postgres
no_log: true
@@ 32,7 36,7 @@
- name: Import DB schema
community.general.postgresql_db:
login_user: vault
- login_password: "{{ vault_psql_password }}"
+ login_password: "{{ vault_secrets['psql_password'] }}"
name: vault
state: restore
target: /tmp/vault_table.sql
M roles/vault/templates/vault.hcl.j2 => roles/vault/templates/vault.hcl.j2 +1 -1
@@ 1,7 1,7 @@
ui = true
storage "postgresql" {
- connection_url = "postgres://vault:{{ vault_psql_password }}@127.0.0.1:5432/vault?sslmode=disable"
+ connection_url = "postgres://vault:{{ vault_secrets['psql_password'] }}@127.0.0.1:5432/vault?sslmode=disable"
table = "vault_kv_store"
}
M roles/vaultwarden/tasks/main.yml => roles/vaultwarden/tasks/main.yml +4 -0
@@ 3,6 3,10 @@
ansible.builtin.set_fact:
vaultwarden_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/vaultwarden') }}"
+- name: Get email secrets
+ ansible.builtin.set_fact:
+ email_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/email') }}"
+
- name: install
community.general.pacman:
name: "{{ vaultwarden_packages }}"
M roles/vaultwarden/templates/vaultwarden.env.j2 => roles/vaultwarden/templates/vaultwarden.env.j2 +2 -2
@@ 275,8 275,8 @@ SMTP_FROM_NAME=Vaultwarden
SMTP_PORT=587 # Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 is outdated and used with Implicit TLS.
SMTP_SSL=true # (Explicit) - This variable by default configures Explicit STARTTLS, it will upgrade an insecure connection to a secure one. Unless SMTP_EXPLICIT_TLS is set to true. Either port 587 or 25 are default.
SMTP_EXPLICIT_TLS=true # (Implicit) - N.B. This variable configures Implicit TLS. It's currently mislabelled (see bug #851) - SMTP_SSL Needs to be set to true for this option to work. Usually port 465 is used here.
-SMTP_USERNAME={{ email_noreply_mail }}
-SMTP_PASSWORD={{ email_noreply_password }}
+SMTP_USERNAME={{ email_secrets['noreply_user'] }}
+SMTP_PASSWORD={{ email_secrets['noreply_password'] }}
# SMTP_TIMEOUT=15
## Defaults for SSL is "Plain" and "Login" and nothing for Non-SSL connections.