From 89e5f6b498f01dc2d54416bf00f0f46cf4629ea2 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Thorben=20G=C3=BCnther?= Date: Mon, 5 Jul 2021 17:28:48 +0200 Subject: [PATCH] Move last ansible vaults to hc vault Only the sourcehut GPG private key and the api token are still encrypted by ansible. --- group_vars/all/hetzner.yml | 3 -- group_vars/all/srht.yml | 19 ------- group_vars/all/vars.yml | 7 --- group_vars/all/vault_croc.yml | 9 ---- group_vars/all/vault_email.yml | 10 ---- group_vars/all/vault_hetzner.yml | 13 ----- group_vars/all/vault_minio.yml | 12 ----- group_vars/all/vault_srht.yml | 53 ------------------- group_vars/all/vault_vault.yml | 9 ---- roles/certbot/tasks/main.yml | 4 ++ roles/certbot/templates/hetzner.ini.j2 | 2 +- roles/croc/tasks/main.yml | 4 ++ roles/croc/templates/croc.service.j2 | 2 +- roles/croc/templates/receive.json.j2 | 2 +- roles/croc/templates/send.json.j2 | 2 +- roles/mailcow/tasks/main.yml | 4 ++ roles/mailcow/templates/update_tlsa.py.j2 | 2 +- roles/minio/tasks/main.yml | 4 ++ roles/minio/templates/config.json.j2 | 4 +- roles/minio/templates/minio.conf.j2 | 4 +- roles/minio/templates/s3cfg.j2 | 4 +- roles/nextcloud/tasks/main.yml | 4 ++ roles/nextcloud/templates/config.php.j2 | 4 +- roles/peertube/tasks/main.yml | 4 ++ roles/peertube/templates/production.yaml.j2 | 4 +- roles/prometheus/tasks/main.yml | 4 ++ .../prometheus/templates/alertmanager.yml.j2 | 4 +- roles/srht/tasks/main.yml | 14 ++++- roles/srht/templates/builds.ini.j2 | 6 +-- roles/srht/templates/config.ini.j2 | 14 ++--- roles/srht/templates/git.ini.j2 | 6 +-- roles/srht/templates/hub.ini.j2 | 6 +-- roles/srht/templates/lists.ini.j2 | 6 +-- roles/srht/templates/man.ini.j2 | 6 +-- roles/srht/templates/meta.ini.j2 | 2 +- roles/srht/templates/paste.ini.j2 | 6 +-- roles/srht/templates/todo.ini.j2 | 6 +-- roles/vault/tasks/main.yml | 8 ++- roles/vault/templates/vault.hcl.j2 | 2 +- roles/vaultwarden/tasks/main.yml | 4 ++ .../vaultwarden/templates/vaultwarden.env.j2 | 4 +- 41 files changed, 100 insertions(+), 187 deletions(-) delete mode 100644 
group_vars/all/hetzner.yml
delete mode 100644 group_vars/all/srht.yml
delete mode 100644 group_vars/all/vars.yml
delete mode 100644 group_vars/all/vault_croc.yml
delete mode 100644 group_vars/all/vault_email.yml
delete mode 100644 group_vars/all/vault_hetzner.yml
delete mode 100644 group_vars/all/vault_minio.yml
delete mode 100644 group_vars/all/vault_srht.yml
delete mode 100644 group_vars/all/vault_vault.yml
diff --git a/group_vars/all/hetzner.yml b/group_vars/all/hetzner.yml
deleted file mode 100644
index d8f18b2..0000000
--- a/group_vars/all/hetzner.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-hetzner_dns_key: "{{ vault_hetzner_dns_key }}"
-hetzner_cloud_key: "{{ vault_hetzner_cloud_ket }}"
diff --git a/group_vars/all/srht.yml b/group_vars/all/srht.yml
deleted file mode 100644
index 818a04c..0000000
--- a/group_vars/all/srht.yml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-srht_builds_id: "{{ vault_srht_builds_id }}"
-srht_builds_secret: "{{ vault_srht_builds_secret }}"
-srht_git_id: "{{ vault_srht_git_id }}"
-srht_git_secret: "{{ vault_srht_git_secret }}"
-srht_hub_id: "{{ vault_srht_hub_id }}"
-srht_hub_secret: "{{ vault_srht_hub_secret }}"
-srht_lists_id: "{{ vault_srht_lists_id }}"
-srht_lists_secret: "{{ vault_srht_lists_secret }}"
-srht_man_id: "{{ vault_srht_man_id }}"
-srht_man_secret: "{{ vault_srht_man_secret }}"
-srht_network_key: "{{ vault_srht_network_key }}"
-srht_paste_id: "{{ vault_srht_paste_id }}"
-srht_paste_secret: "{{ vault_srht_paste_secret }}"
-srht_psql_password: "{{ vault_srht_psql_password }}"
-srht_service_key: "{{ vault_srht_service_key }}"
-srht_todo_id: "{{ vault_srht_todo_id }}"
-srht_todo_secret: "{{ vault_srht_todo_secret }}"
-srht_webhook_key: "{{ vault_srht_webhook_key }}"
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
deleted file mode 100644
index 4a3a3d4..0000000
--- a/group_vars/all/vars.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-croc_password: "{{ vault_croc_password }}"
-email_noreply_mail: "{{ vault_email_noreply_mail }}"
-email_noreply_password: "{{ vault_email_noreply_password }}"
-minio_access_key: "{{ vault_minio_access_key }}"
-minio_secret_key: "{{ vault_minio_secret_key }}"
-vault_psql_password: "{{ vault_vault_psql_password }}"
diff --git a/group_vars/all/vault_croc.yml b/group_vars/all/vault_croc.yml
deleted file mode 100644
index 10a7e34..0000000
--- a/group_vars/all/vault_croc.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-32343163366635383231373766373035613032376138303339656161363736333733326361383437
-6562623763323336323538363436373165323364393638330a343930613730303039666663373437
-37633163623662666566333331323331346136383832633761363632613835303461626633623633
-3465386533613738640a626439653731393137316238313536306662633266656434386138373563
-31316537346135646365383736343562366465386264336234306639336236653962313264616530
-66313138623964393537626335343266366163656663363535306564383863666466373137363635
-37353137643838663339373832303563643336383236336232353237313537386238333936316161
-63333639323065643736
diff --git a/group_vars/all/vault_email.yml b/group_vars/all/vault_email.yml
deleted file mode 100644
index c6358f1..0000000
--- a/group_vars/all/vault_email.yml
+++ /dev/null
@@ -1,10 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -63356635336136356130386535356534646532333566613862353263343332386330326339373665 -3662326562363564373261363632333761376632633161640a643764333434613338373363613863 -65323464303364393063316336386564363661316430323163643433393665653838633261383536 -6164336430396663330a373133623630383831333731613964343464613730303830396661303836 -33383833643561363962353632623963626265393830633336333230376139383338373665313936 -33316635633730316631656532303064633062363534653139616363646265326535663432316338 -30396466663637336435623466383731666463633430386135613464636138643164373562373436 -32356366343434316534376535363730393064626164396636373266656637313035336165383437 -32333930373139396361643939663534346364376335643837613966343261333633 diff --git a/group_vars/all/vault_hetzner.yml b/group_vars/all/vault_hetzner.yml deleted file mode 100644 index a7d5af8..0000000 --- a/group_vars/all/vault_hetzner.yml +++ /dev/null @@ -1,13 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -33313031633030333961646461393566363530343430323164323335653263373932343038373331 -3039383662323839386539393934353865643036343332370a616134313764636539653162643438 -38386665386365666561346236386136633861313331333666616339393565303330623235643661 -3433356661316464310a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diff --git a/group_vars/all/vault_minio.yml b/group_vars/all/vault_minio.yml deleted file mode 100644 index f99ff41..0000000 --- a/group_vars/all/vault_minio.yml +++ /dev/null 
@@ -1,12 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -30633665643864346562303265313362303132636630653131386635613662366433633637613162 -6265613461626265373437383432666165643637626539360a333932396263633032316631623037 -36666531353866376230653266363039633637396635343965643232393838323861626435303534 -6431626339313336610a633734373530346135666362623030346134633265313432396564326165 -64653433356536616337623863306436323265383935663439646235653332333838633162633931 -66653361366465316439306364333238343132343434323931653136373836383461303632363664 -63616635623439343765356434626666633632646666343739303061393663643439646139613935 -64366132613135323339363335636537613263613539333535373862393835633964323231353239 -61346131373430336364396164303639653964313266643732663138626639663536643738346266 -33626133333363663938626236326566663333663432316333633561646232396230393564633863 -343961393532363165653831363735653838 diff --git a/group_vars/all/vault_srht.yml b/group_vars/all/vault_srht.yml deleted file mode 100644 index ace9cc3..0000000 --- a/group_vars/all/vault_srht.yml +++ /dev/null @@ -1,53 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -38393938633362313265323362366135313333646466396433306134616531663837343736396631 -6233353830323636316264666432306662613332353236370a366138313338383932346434646532 -39646263633363353562323539643964383965393332353538383339623036376466323863333862 -3932396539653034390a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diff --git a/group_vars/all/vault_vault.yml b/group_vars/all/vault_vault.yml deleted file mode 100644 index 26284ea..0000000 --- a/group_vars/all/vault_vault.yml +++ /dev/null 
@@ -1,9 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -61633130383866316533303038383263313632363965316363383761613364643564616433326666 -3161613962303262383961336662633066623132306636650a616330666338346662396139363138 -63343237343163376133323338643832663136343234663934633361336237363961643463613435 -3735373739633036330a356130336366353830383638636366326664643332363439333533343135 -37623764653031333964663033616663343637656163666534663664636134306338353832323236 -39663432666663333131323637396566383466316162646639366239323765343461326164613336 -31373930303732343661623565636339633965303765393031323766653865663762346562666633 -39386231386538653834 diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml index c06c13d..38fea1d 100644 --- a/roles/certbot/tasks/main.yml +++ b/roles/certbot/tasks/main.yml @@ -1,4 +1,8 @@ --- +- name: Get hetzner secrets + ansible.builtin.set_fact: + hetzner_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/hetzner') }}" + - name: Install community.general.pacman: name: certbot-dns-hetzner diff --git a/roles/certbot/templates/hetzner.ini.j2 b/roles/certbot/templates/hetzner.ini.j2 index 00adea6..00013e4 100644 --- a/roles/certbot/templates/hetzner.ini.j2 +++ b/roles/certbot/templates/hetzner.ini.j2 @@ -1 +1 @@ -dns_hetzner_api_token = "{{ hetzner_dns_key }}" +dns_hetzner_api_token = "{{ hetzner_secrets['dns_key'] }}" diff --git a/roles/croc/tasks/main.yml b/roles/croc/tasks/main.yml index 430ab04..965b5f8 100644 --- a/roles/croc/tasks/main.yml +++ b/roles/croc/tasks/main.yml @@ -1,4 +1,8 @@ --- +- name: Get secrets + ansible.builtin.set_fact: + croc_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/croc') }}" + - name: install croc ansible.builtin.package: name: croc diff --git a/roles/croc/templates/croc.service.j2 b/roles/croc/templates/croc.service.j2 index 4ed1970..5ec65de 100644 --- a/roles/croc/templates/croc.service.j2 +++ b/roles/croc/templates/croc.service.j2 
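Review bot: The new `Get hetzner secrets` task stores the whole `ansible/data/hetzner` secret map in a fact without `no_log`, so a verbose run prints the DNS API token in the task result, and if fact caching is enabled the token is written to the cache on disk in plaintext. The `Create db user` task touched later in this patch already carries `no_log: true`; the same line belongs on this task and on every other `Get … secrets` set_fact added here: `  no_log: true` directly under `ansible.builtin.set_fact:`. The hunk covers only the top of the certbot role; the tasks that render hetzner.ini are outside it.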
@@ -1,3 +1,3 @@ [Service] ExecStart= -ExecStart=/usr/bin/croc --pass "{{ croc_password }}" relay +ExecStart=/usr/bin/croc --pass "{{ croc_secrets['password'] }}" relay diff --git a/roles/croc/templates/receive.json.j2 b/roles/croc/templates/receive.json.j2 index e8f9645..c25217b 100644 --- a/roles/croc/templates/receive.json.j2 +++ b/roles/croc/templates/receive.json.j2 @@ -4,7 +4,7 @@ "Debug": false, "RelayAddress": "xenrox.net", "RelayPorts": ["9009", "9010", "9011", "9012", "9013"], - "RelayPassword": "{{ croc_password }}", + "RelayPassword": "{{ croc_secrets['password'] }}", "Stdout": false, "NoPrompt": false, "NoMultiplexing": false, diff --git a/roles/croc/templates/send.json.j2 b/roles/croc/templates/send.json.j2 index fc89dc3..c3d37b0 100644 --- a/roles/croc/templates/send.json.j2 +++ b/roles/croc/templates/send.json.j2 @@ -4,7 +4,7 @@ "Debug": false, "RelayAddress": "xenrox.net", "RelayPorts": ["9009", "9010", "9011", "9012", "9013"], - "RelayPassword": "{{ croc_password }}", + "RelayPassword": "{{ croc_secrets['password'] }}", "Stdout": false, "NoPrompt": false, "NoMultiplexing": false, diff --git a/roles/mailcow/tasks/main.yml b/roles/mailcow/tasks/main.yml index 26bde4a..0db8e0a 100644 --- a/roles/mailcow/tasks/main.yml +++ b/roles/mailcow/tasks/main.yml @@ -1,4 +1,8 @@ --- +- name: Get hetzner secrets + ansible.builtin.set_fact: + hetzner_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/hetzner') }}" + - name: Install docker/docker-compose community.general.pacman: name: docker,docker-compose diff --git a/roles/mailcow/templates/update_tlsa.py.j2 b/roles/mailcow/templates/update_tlsa.py.j2 index f8a9981..4c1037a 100755 --- a/roles/mailcow/templates/update_tlsa.py.j2 +++ b/roles/mailcow/templates/update_tlsa.py.j2 
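Review bot: `ExecStart=/usr/bin/croc --pass "{{ croc_secrets['password'] }}" relay` still places the relay password on the process command line, where any local user can read it from `ps` or `/proc/<pid>/cmdline`, so moving the value out of Ansible vault changes nothing about its exposure on the host. If the installed croc honours the `CROC_PASS` environment variable for `--pass` (its CLI help lists one; confirm for this version), the drop-in could use `EnvironmentFile=/etc/croc/relay.env`, a root-only 0600 file rendered from the same fact, and `ExecStart=/usr/bin/croc relay`. The same password is also rendered into receive.json and send.json by this patch; the file modes of those templates are not visible here.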
@@ -26,7 +26,7 @@ def send_request(hash, id, name): url="https://dns.hetzner.com/api/v1/records/{}".format(id), headers={ "Content-Type": "application/json", - "Auth-API-Token": "{{ hetzner_dns_key }}", + "Auth-API-Token": "{{ hetzner_secrets['dns_key'] }}", }, data=json.dumps( { diff --git a/roles/minio/tasks/main.yml b/roles/minio/tasks/main.yml index c2812ed..b741a80 100644 --- a/roles/minio/tasks/main.yml +++ b/roles/minio/tasks/main.yml @@ -1,4 +1,8 @@ --- +- name: Get secrets + ansible.builtin.set_fact: + minio_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/minio') }}" + - name: setup minio host import_tasks: host.yml when: minio_host is defined and minio_host diff --git a/roles/minio/templates/config.json.j2 b/roles/minio/templates/config.json.j2 index 118b494..6cfea5a 100644 --- a/roles/minio/templates/config.json.j2 +++ b/roles/minio/templates/config.json.j2 @@ -3,8 +3,8 @@ "aliases": { "xenrox": { "url": "https://minio.xenrox.net", - "accessKey": "{{ minio_access_key }}", - "secretKey": "{{ minio_secret_key }}", + "accessKey": "{{ minio_secrets['access_key'] }}", + "secretKey": "{{ minio_secrets['secret_key'] }}", "api": "s3v4", "path": "auto" } diff --git a/roles/minio/templates/minio.conf.j2 b/roles/minio/templates/minio.conf.j2 index 4959a1f..22461d9 100644 --- a/roles/minio/templates/minio.conf.j2 +++ b/roles/minio/templates/minio.conf.j2 @@ -1,8 +1,8 @@ # Local export path. MINIO_VOLUMES="/srv/minio/data/" # Access Key of the server. -MINIO_ACCESS_KEY={{ minio_access_key }} +MINIO_ACCESS_KEY={{ minio_secrets['access_key'] }} # Secret key of the server. -MINIO_SECRET_KEY={{ minio_secret_key }} +MINIO_SECRET_KEY={{ minio_secrets['secret_key'] }} # Use if you want to run Minio on a custom port. MINIO_OPTS="--address 127.0.0.1:9001" diff --git a/roles/minio/templates/s3cfg.j2 b/roles/minio/templates/s3cfg.j2 index 4e1af92..c82f9f1 100644 --- a/roles/minio/templates/s3cfg.j2 +++ b/roles/minio/templates/s3cfg.j2 
@@ -2,6 +2,6 @@ host_base = minio.xenrox.net host_bucket = minio.xenrox.net use_https = true -access_key = {{ minio_access_key }} -secret_key = {{ minio_secret_key }} +access_key = {{ minio_secrets['access_key'] }} +secret_key = {{ minio_secrets['secret_key'] }} signature_v2 = False diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml index cdbb69c..68bbe44 100644 --- a/roles/nextcloud/tasks/main.yml +++ b/roles/nextcloud/tasks/main.yml @@ -3,6 +3,10 @@ ansible.builtin.set_fact: nextcloud_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/nextcloud') }}" +- name: Get email secrets + ansible.builtin.set_fact: + email_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/email') }}" + - name: Install nextcloud packages community.general.pacman: name: "{{ nextcloud_packages }}" diff --git a/roles/nextcloud/templates/config.php.j2 b/roles/nextcloud/templates/config.php.j2 index 793748e..3e292c3 100644 --- a/roles/nextcloud/templates/config.php.j2 +++ b/roles/nextcloud/templates/config.php.j2 @@ -43,8 +43,8 @@ $CONFIG = array ( 'mail_smtphost' => 'mail.xenrox.net', 'mail_smtpport' => '465', 'mail_smtpauthtype' => 'PLAIN', - 'mail_smtpname' => '{{ email_noreply_mail }}', - 'mail_smtppassword' => '{{ email_noreply_password }}', + 'mail_smtpname' => '{{ email_secrets['noreply_user'] }}', + 'mail_smtppassword' => '{{ email_secrets['noreply_password'] }}', 'mail_smtpsecure' => 'ssl', 'memcache.local' => '\OC\Memcache\APCu', 'redis' => [ diff --git a/roles/peertube/tasks/main.yml b/roles/peertube/tasks/main.yml index 4329980..8e42699 100644 --- a/roles/peertube/tasks/main.yml +++ b/roles/peertube/tasks/main.yml 
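Review bot: `'mail_smtppassword' => '{{ email_secrets['noreply_password'] }}',` drops the secret into a PHP single-quoted literal unescaped, so a password containing `'` or ending in `\` yields a config.php that no longer parses and takes the instance down on the next deploy; the previous vault variable had the same weakness, but the rotation to a Vault-generated value is the moment it is likely to bite. Escaping in the template avoids it: `'mail_smtppassword' => '{{ email_secrets['noreply_password'] | replace('\\', '\\\\') | replace("'", "\\'") }}',`, and the same applies to `mail_smtpname`. Only the mail section of config.php is inside the hunk.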
@@ -3,6 +3,10 @@ ansible.builtin.set_fact: peertube_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/peertube') }}" +- name: Get email secrets + ansible.builtin.set_fact: + email_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/email') }}" + - name: Install nodejs and yarn community.general.pacman: name: nodejs-lts-fermium,yarn diff --git a/roles/peertube/templates/production.yaml.j2 b/roles/peertube/templates/production.yaml.j2 index 6d17409..dbf0446 100644 --- a/roles/peertube/templates/production.yaml.j2 +++ b/roles/peertube/templates/production.yaml.j2 @@ -60,8 +60,8 @@ smtp: sendmail: null hostname: mail.xenrox.net port: 465 # If you use StartTLS: 587 - username: "{{ email_noreply_mail }}" - password: "{{ email_noreply_password }}" + username: "{{ email_secrets['noreply_user'] }}" + password: "{{ email_secrets['noreply_password'] }}" tls: true # If you use StartTLS: false disable_starttls: false ca_file: null # Used for self signed certificates diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml index f20b257..b52661c 100644 --- a/roles/prometheus/tasks/main.yml +++ b/roles/prometheus/tasks/main.yml @@ -3,6 +3,10 @@ ansible.builtin.set_fact: ejabberd_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/ejabberd') }}" +- name: Get email secrets + ansible.builtin.set_fact: + email_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/email') }}" + - name: install community.general.pacman: name: "{{ prometheus_packages }}" diff --git a/roles/prometheus/templates/alertmanager.yml.j2 b/roles/prometheus/templates/alertmanager.yml.j2 index 6de20dc..d2e13a9 100644 --- a/roles/prometheus/templates/alertmanager.yml.j2 +++ b/roles/prometheus/templates/alertmanager.yml.j2 
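Review bot: The `Get email secrets` task added to the prometheus role is the same three lines that this patch also adds to the nextcloud, peertube, srht and vaultwarden roles, each performing its own `ansible/data/email` lookup and each needing its own `no_log`. Defining `email_secrets` once in a `pre_tasks` set_fact of the playbook (or in a small shared role the others depend on) keeps one Vault round-trip per host and one place to add `no_log: true`; a lazily-evaluated group_vars entry would instead re-run the lookup on every template reference. Whether one play runs several of these roles on the same host is not visible in the diff.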
@@ -2,8 +2,8 @@ global: resolve_timeout: 5m smtp_smarthost: "mail.xenrox.net:587" smtp_from: "alertmanager " - smtp_auth_username: {{ email_noreply_mail }} - smtp_auth_password: {{ email_noreply_password }} + smtp_auth_username: {{ email_secrets['noreply_user'] }} + smtp_auth_password: {{ email_secrets['noreply_password'] }} route: group_by: ["instance", "severity"] diff --git a/roles/srht/tasks/main.yml b/roles/srht/tasks/main.yml index 1a7f435..c82a8c1 100644 --- a/roles/srht/tasks/main.yml +++ b/roles/srht/tasks/main.yml @@ -1,4 +1,16 @@ --- +- name: Get secrets + ansible.builtin.set_fact: + srht_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/srht') }}" + +- name: Get minio secrets + ansible.builtin.set_fact: + minio_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/minio') }}" + +- name: Get email secrets + ansible.builtin.set_fact: + email_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/email') }}" + - name: install srht packages community.general.pacman: name: "{{ srht_packages }}" @@ -59,7 +71,7 @@ - name: Create db user community.general.postgresql_user: name: srht - password: "{{ srht_psql_password }}" + password: "{{ srht_secrets['psql_password'] }}" become: true become_user: postgres no_log: true diff --git a/roles/srht/templates/builds.ini.j2 b/roles/srht/templates/builds.ini.j2 index ea33476..29ed9a9 100644 --- a/roles/srht/templates/builds.ini.j2 +++ b/roles/srht/templates/builds.ini.j2 @@ -8,7 +8,7 @@ debug-host=0.0.0.0 debug-port=5002 # # Configures the SQLAlchemy connection string for the database. -connection-string=postgresql://srht:{{ srht_psql_password }}@localhost/srht-builds?sslmode=disable +connection-string=postgresql://srht:{{ srht_secrets['psql_password'] }}@localhost/srht-builds?sslmode=disable # # Set to "yes" to automatically run migrations on package upgrade. migrate-on-upgrade=yes 
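Review bot: `smtp_auth_password: {{ email_secrets['noreply_password'] }}` renders the password as a bare YAML scalar, so a value starting with `*`, `&`, `[` or `{`, or containing `: ` or ` #`, changes the parse or is silently truncated at the comment marker, and one that looks like a number or boolean changes type; the peertube template in this same patch quotes the identical values. Emitting both as JSON strings is a valid YAML scalar and escapes every such character: `smtp_auth_username: {{ email_secrets['noreply_user'] | to_json }}` and `smtp_auth_password: {{ email_secrets['noreply_password'] | to_json }}`. The `global:` mapping continues outside the hunk.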
@@ -19,8 +19,8 @@ redis=redis://localhost:6379/4 # # builds.sr.ht's OAuth client ID and secret for meta.sr.ht # Register your client at meta.example.org/oauth -oauth-client-id={{ srht_builds_id }} -oauth-client-secret={{ srht_builds_secret }} +oauth-client-id={{ srht_secrets['builds_id'] }} +oauth-client-secret={{ srht_secrets['builds_secret'] }} # # Script used to launch on ssh connnection. /usr/bin/master-shell on master, # /usr/bin/runner-shell for workers. diff --git a/roles/srht/templates/config.ini.j2 b/roles/srht/templates/config.ini.j2 index c92888c..1dd063b 100644 --- a/roles/srht/templates/config.ini.j2 +++ b/roles/srht/templates/config.ini.j2 @@ -29,11 +29,11 @@ privacy-policy= # service (e.g. git1.sr.ht and git2.sr.ht), but different services may use # different keys. If you configure all of your services with the same # config.ini, you may use the same service-key for all of them. -service-key={{ srht_service_key }} +service-key={{ srht_secrets['service_key'] }} # # A secret key to encrypt internal messages with. Use `srht-keygen network` to # generate this key. It must be consistent between all services and nodes. -network-key={{ srht_network_key }} +network-key={{ srht_secrets['network_key'] }} # # The redis host URL. This is used for caching and temporary storage, and must # be shared between nodes (e.g. git1.sr.ht and git2.sr.ht), but need not be 
@@ -50,16 +50,16 @@ pushgateway= # # Minio is recommended as a FOSS solution over AWS: https://min.io s3-upstream=minio.xenrox.net -s3-access-key={{ minio_access_key }} -s3-secret-key={{ minio_secret_key }} +s3-access-key={{ minio_secrets['access_key'] }} +s3-secret-key={{ minio_secrets['secret_key'] }} [mail] # # Outgoing SMTP settings smtp-host=mail.xenrox.net smtp-port=587 -smtp-user={{ email_noreply_mail }} -smtp-password={{ email_noreply_password }} +smtp-user={{ email_secrets['noreply_user'] }} +smtp-password={{ email_secrets['noreply_password'] }} smtp-from=xenrox sourcehut # # Application exceptions are emailed to this address @@ -84,7 +84,7 @@ pgp-key-id=60A4 269D F622 7C99 04CF CFF7 55A4 316C 4697 1CC5 # Use the `srht-keygen webhook` command to generate this key. Put the private # key here and distribute the public key to anyone who would want to verify # webhook payloads from your service. -private-key={{ srht_webhook_key }} +private-key={{ srht_secrets['webhook_key'] }} {% include "git.ini.j2" %} diff --git a/roles/srht/templates/git.ini.j2 b/roles/srht/templates/git.ini.j2 index de60c19..a8fa39f 100644 --- a/roles/srht/templates/git.ini.j2 +++ b/roles/srht/templates/git.ini.j2 @@ -8,7 +8,7 @@ debug-host=0.0.0.0 debug-port=5001 # # Configures the SQLAlchemy connection string for the database. -connection-string=postgresql://srht:{{ srht_psql_password }}@localhost/srht-git?sslmode=disable +connection-string=postgresql://srht:{{ srht_secrets['psql_password'] }}@localhost/srht-git?sslmode=disable # # Set to "yes" to automatically run migrations on package upgrade. migrate-on-upgrade=yes 
@@ -21,8 +21,8 @@ post-update-script=/usr/bin/gitsrht-update-hook # # git.sr.ht's OAuth client ID and secret for meta.sr.ht # Register your client at meta.example.org/oauth -oauth-client-id={{ srht_git_id }} -oauth-client-secret={{ srht_git_secret }} +oauth-client-id={{ srht_secrets['git_id'] }} +oauth-client-secret={{ srht_secrets['git_secret'] }} # # Path to git repositories on disk repos=/var/lib/git/ diff --git a/roles/srht/templates/hub.ini.j2 b/roles/srht/templates/hub.ini.j2 index fe22402..aded03a 100644 --- a/roles/srht/templates/hub.ini.j2 +++ b/roles/srht/templates/hub.ini.j2 @@ -8,12 +8,12 @@ debug-host=0.0.0.0 debug-port=5014 # # Configures the SQLAlchemy connection string for the database. -connection-string=postgresql://srht:{{ srht_psql_password }}@localhost/srht-hub +connection-string=postgresql://srht:{{ srht_secrets['psql_password'] }}@localhost/srht-hub # # Set to "yes" to automatically run migrations on package upgrade. migrate-on-upgrade=yes # # hub.sr.ht's OAuth client ID and secret for meta.sr.ht # Register your client at meta.example.org/oauth -oauth-client-id={{ srht_hub_id }} -oauth-client-secret={{ srht_hub_secret }} +oauth-client-id={{ srht_secrets['hub_id'] }} +oauth-client-secret={{ srht_secrets['hub_secret'] }} diff --git a/roles/srht/templates/lists.ini.j2 b/roles/srht/templates/lists.ini.j2 index 1ef75eb..dfe2618 100644 --- a/roles/srht/templates/lists.ini.j2 +++ b/roles/srht/templates/lists.ini.j2 @@ -8,7 +8,7 @@ debug-host=0.0.0.0 debug-port=5006 # # Configures the SQLAlchemy connection string for the database. -connection-string=postgresql://srht:{{ srht_psql_password }}@localhost/srht-lists +connection-string=postgresql://srht:{{ srht_secrets['psql_password'] }}@localhost/srht-lists # # Set to "yes" to automatically run migrations on package upgrade. migrate-on-upgrade=yes 
@@ -26,8 +26,8 @@ posting-domain=lists.xenrox.net # # lists.sr.ht's OAuth client ID and secret for meta.sr.ht # Register your client at meta.example.org/oauth -oauth-client-id={{ srht_lists_id }} -oauth-client-secret={{ srht_lists_secret }} +oauth-client-id={{ srht_secrets['lists_id'] }} +oauth-client-secret={{ srht_secrets['lists_secret'] }} # # Trusted upstream SMTP server generating Authentication-Results header fields msgauth-server=mail.xenrox.net diff --git a/roles/srht/templates/man.ini.j2 b/roles/srht/templates/man.ini.j2 index 76bbe6b..edce9b5 100644 --- a/roles/srht/templates/man.ini.j2 +++ b/roles/srht/templates/man.ini.j2 @@ -8,12 +8,12 @@ debug-host=0.0.0.0 debug-port=5004 # # Configures the SQLAlchemy connection string for the database. -connection-string=postgresql://srht:{{ srht_psql_password }}@localhost/srht-man +connection-string=postgresql://srht:{{ srht_secrets['psql_password'] }}@localhost/srht-man # # Set to "yes" to automatically run migrations on package upgrade. migrate-on-upgrade=yes # # man.sr.ht's OAuth client ID and secret for meta.sr.ht # Register your client at meta.example.org/oauth -oauth-client-id={{ srht_man_id }} -oauth-client-secret={{ srht_man_secret }} +oauth-client-id={{ srht_secrets['man_id'] }} +oauth-client-secret={{ srht_secrets['man_secret'] }} diff --git a/roles/srht/templates/meta.ini.j2 b/roles/srht/templates/meta.ini.j2 index 3ee7f1b..c30f61d 100644 --- a/roles/srht/templates/meta.ini.j2 +++ b/roles/srht/templates/meta.ini.j2 @@ -8,7 +8,7 @@ debug-host=0.0.0.0 debug-port=5000 # # Configures the SQLAlchemy connection string for the database. -connection-string=postgresql://srht:{{ srht_psql_password }}@localhost/srht-meta?sslmode=disable +connection-string=postgresql://srht:{{ srht_secrets['psql_password'] }}@localhost/srht-meta?sslmode=disable # # Set to "yes" to automatically run migrations on package upgrade. migrate-on-upgrade=yes 
diff --git a/roles/srht/templates/paste.ini.j2 b/roles/srht/templates/paste.ini.j2 index 54944b2..e274d24 100644 --- a/roles/srht/templates/paste.ini.j2 +++ b/roles/srht/templates/paste.ini.j2 @@ -8,12 +8,12 @@ debug-host=0.0.0.0 debug-port=5011 # # Configures the SQLAlchemy connection string for the database. -connection-string=postgresql://srht:{{ srht_psql_password }}@localhost/srht-paste +connection-string=postgresql://srht:{{ srht_secrets['psql_password'] }}@localhost/srht-paste # # Set to "yes" to automatically run migrations on package upgrade. migrate-on-upgrade=yes # # paste.sr.ht's OAuth client ID and secret for meta.sr.ht # Register your client at meta.example.org/oauth -oauth-client-id={{ srht_paste_id }} -oauth-client-secret={{ srht_paste_secret }} +oauth-client-id={{ srht_secrets['paste_id'] }} +oauth-client-secret={{ srht_secrets['paste_secret'] }} diff --git a/roles/srht/templates/todo.ini.j2 b/roles/srht/templates/todo.ini.j2 index da5aed0..71587d7 100644 --- a/roles/srht/templates/todo.ini.j2 +++ b/roles/srht/templates/todo.ini.j2 @@ -8,15 +8,15 @@ debug-host=0.0.0.0 debug-port=5003 # # Configures the SQLAlchemy connection string for the database. -connection-string=postgresql://srht:{{ srht_psql_password }}@localhost/srht-todo?sslmode=disable +connection-string=postgresql://srht:{{ srht_secrets['psql_password'] }}@localhost/srht-todo?sslmode=disable # # Set to "yes" to automatically run migrations on package upgrade. migrate-on-upgrade=yes # # todo.sr.ht's OAuth client ID and secret for meta.sr.ht # Register your client at meta.example.org/oauth -oauth-client-id={{ srht_todo_id }} -oauth-client-secret={{ srht_todo_secret }} +oauth-client-id={{ srht_secrets['todo_id'] }} +oauth-client-secret={{ srht_secrets['todo_secret'] }} # # Outgoing email for notifications generated by users notify-from=noreply@xenrox.net diff --git a/roles/vault/tasks/main.yml b/roles/vault/tasks/main.yml index 906d38f..06d68ab 100644 --- a/roles/vault/tasks/main.yml 
+++ b/roles/vault/tasks/main.yml @@ -1,4 +1,8 @@ --- +- name: Get secrets + ansible.builtin.set_fact: + vault_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/vault') }}" + - name: Install community.general.pacman: name: vault @@ -7,7 +11,7 @@ - name: Create db user community.general.postgresql_user: name: vault - password: "{{ vault_psql_password }}" + password: "{{ vault_secrets['psql_password'] }}" become: true become_user: postgres no_log: true @@ -32,7 +36,7 @@ - name: Import DB schema community.general.postgresql_db: login_user: vault - login_password: "{{ vault_psql_password }}" + login_password: "{{ vault_secrets['psql_password'] }}" name: vault state: restore target: /tmp/vault_table.sql diff --git a/roles/vault/templates/vault.hcl.j2 b/roles/vault/templates/vault.hcl.j2 index 31488c8..fc6336d 100644 --- a/roles/vault/templates/vault.hcl.j2 +++ b/roles/vault/templates/vault.hcl.j2 @@ -1,7 +1,7 @@ ui = true storage "postgresql" { - connection_url = "postgres://vault:{{ vault_psql_password }}@127.0.0.1:5432/vault?sslmode=disable" + connection_url = "postgres://vault:{{ vault_secrets['psql_password'] }}@127.0.0.1:5432/vault?sslmode=disable" table = "vault_kv_store" } diff --git a/roles/vaultwarden/tasks/main.yml b/roles/vaultwarden/tasks/main.yml index 6afd56e..d2af166 100644 --- a/roles/vaultwarden/tasks/main.yml +++ b/roles/vaultwarden/tasks/main.yml @@ -3,6 +3,10 @@ ansible.builtin.set_fact: vaultwarden_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/vaultwarden') }}" +- name: Get email secrets + ansible.builtin.set_fact: + email_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/email') }}" + - name: install community.general.pacman: name: "{{ vaultwarden_packages }}" diff --git a/roles/vaultwarden/templates/vaultwarden.env.j2 b/roles/vaultwarden/templates/vaultwarden.env.j2 index eb8d82b..009b95d 100644 --- a/roles/vaultwarden/templates/vaultwarden.env.j2 
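Review bot: The `Get secrets` task makes the vault role fetch Vault's own PostgreSQL storage password from `ansible/data/vault` through the hashi_vault lookup, so the role can only run while the Vault it provisions is already up and unsealed; a rebuild of the Vault host, or a run against a sealed instance, fails on the first task with nothing to fall back on. As this is the one secret the server needs before it can serve any, it is the natural candidate to stay in an Ansible vault (the commit message already keeps the sr.ht GPG key and the API token there), or at least to be read with a `default` so the `Create db user` and `Import DB schema` tasks can bootstrap a fresh instance. Whether a second Vault node or a break-glass copy of this password exists is not visible here.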
+++ b/roles/vaultwarden/templates/vaultwarden.env.j2 @@ -275,8 +275,8 @@ SMTP_FROM_NAME=Vaultwarden SMTP_PORT=587 # Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 is outdated and used with Implicit TLS. SMTP_SSL=true # (Explicit) - This variable by default configures Explicit STARTTLS, it will upgrade an insecure connection to a secure one. Unless SMTP_EXPLICIT_TLS is set to true. Either port 587 or 25 are default. SMTP_EXPLICIT_TLS=true # (Implicit) - N.B. This variable configures Implicit TLS. It's currently mislabelled (see bug #851) - SMTP_SSL Needs to be set to true for this option to work. Usually port 465 is used here. -SMTP_USERNAME={{ email_noreply_mail }} -SMTP_PASSWORD={{ email_noreply_password }} +SMTP_USERNAME={{ email_secrets['noreply_user'] }} +SMTP_PASSWORD={{ email_secrets['noreply_password'] }} # SMTP_TIMEOUT=15 ## Defaults for SSL is "Plain" and "Login" and nothing for Non-SSL connections. -- 2.44.0