Move secrets into credentials dir
This commit is contained in:
parent
31b13dc09b
commit
19b1425c98
5 changed files with 63 additions and 27 deletions
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -14,4 +14,3 @@ pubkey
|
||||||
.s3_id
|
.s3_id
|
||||||
.s3_secret
|
.s3_secret
|
||||||
ansible/credentials
|
ansible/credentials
|
||||||
ansible/mastodon_secrets.yaml
|
|
||||||
|
|
3
Makefile
3
Makefile
|
@ -21,6 +21,9 @@ terraform: config.mk
|
||||||
ssh: config.mk
|
ssh: config.mk
|
||||||
$(MAKE) -C ansible ssh
|
$(MAKE) -C ansible ssh
|
||||||
|
|
||||||
|
reboot: config.mk
|
||||||
|
$(MAKE) -C ansible reboot
|
||||||
|
|
||||||
#ansible:
|
#ansible:
|
||||||
# @$(MAKE) -C ansible
|
# @$(MAKE) -C ansible
|
||||||
|
|
||||||
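Review bot: The new `reboot` target, like the existing `ssh`, names a command rather than a file, and no `.PHONY` declaration is visible in the hunk, so a stray file called `reboot` in the repository root would turn `make reboot` into a silent no-op; unless it is declared outside the hunk, add `.PHONY: ssh reboot`. Rebooting the production instance is also easy to trigger by tab-completion, so a one-line comment above the rule such as `## reboot: reboot the EC2 instance via the AWS API (delegates to ansible/Makefile)` would document the intent.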
|
|
|
@ -10,12 +10,18 @@ SSH := ssh -o "StrictHostKeyChecking=no" -o UserKnownHostsFile=/dev/null -o Prox
|
||||||
default: ansible
|
default: ansible
|
||||||
|
|
||||||
ansible: toolcheck inventory.yaml
|
ansible: toolcheck inventory.yaml
|
||||||
|
@echo
|
||||||
|
@echo Attempting to configure to the target host. This might take a few tries the first time.
|
||||||
|
@echo
|
||||||
timeout --foreground 300 bash -c -- 'until $(SSH) $(INSTANCE_ID) "/bin/true"; do sleep 0.5; done'
|
timeout --foreground 300 bash -c -- 'until $(SSH) $(INSTANCE_ID) "/bin/true"; do sleep 0.5; done'
|
||||||
export ANSIBLE_NOCOWS=1; ansible-playbook -i inventory.yaml --private-key ../terraform/privkey -l social site.yaml
|
export ANSIBLE_NOCOWS=1; ansible-playbook -i inventory.yaml --private-key ../terraform/privkey -l social site.yaml
|
||||||
|
|
||||||
ssh: inventory.yaml
|
ssh: inventory.yaml
|
||||||
$(SSH) $(INSTANCE_ID)
|
$(SSH) $(INSTANCE_ID)
|
||||||
|
|
||||||
|
reboot: inventory.yaml
|
||||||
|
aws --region $(AWS_REGION) ec2 reboot-instances --instance-ids $(INSTANCE_ID)
|
||||||
|
|
||||||
inventory.yaml: inventory.tmpl.yaml sedline
|
inventory.yaml: inventory.tmpl.yaml sedline
|
||||||
sed $(SEDLINE) inventory.tmpl.yaml > inventory.yaml
|
sed $(SEDLINE) inventory.tmpl.yaml > inventory.yaml
|
||||||
|
|
||||||
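Review bot: The new `reboot` recipe passes `$(INSTANCE_ID)` and `$(AWS_REGION)` straight to `aws ec2 reboot-instances` with no check that either is set, so an empty `INSTANCE_ID` (for example a missing or stale config) yields a bare `--instance-ids` and a confusing CLI error rather than a clear failure; guard it with `$(if $(strip $(INSTANCE_ID)),,$(error INSTANCE_ID is not set))` as the first recipe line. The target lists `inventory.yaml` as a prerequisite although the recipe never reads it — presumably `INSTANCE_ID` comes from the same `sedline`/config step, in which case depend on that directly, and declare `reboot` (and `ssh`) in `.PHONY` if they are not already. Not introduced here, but the `SSH` definition shown in the hunk header disables host-key checking (`StrictHostKeyChecking=no`, known-hosts to `/dev/null`); if the `ProxyCommand` does not itself authenticate the host, a `TODO` noting that trade-off would be worthwhile. Finally, the added `@echo` text reads `configure to the target host`; `configure the target host` was probably intended.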
|
|
|
@ -24,15 +24,27 @@
|
||||||
dest: /srv/mastodon/docker-compose.yaml
|
dest: /srv/mastodon/docker-compose.yaml
|
||||||
register: compose
|
register: compose
|
||||||
|
|
||||||
## generate a secrets file if we need one
|
## generate secrets if they're needed
|
||||||
# FIXME: what's in the mastodon_secrets.yaml file should be in credential lookup like db_password is
|
- name: check secret_key_base
|
||||||
|
|
||||||
- name: check mastodon secrets var file
|
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
become: false
|
become: false
|
||||||
stat:
|
stat:
|
||||||
path: mastodon_secrets.yaml
|
path: credentials/mastodon/secret_key_base
|
||||||
register: mastosecrets
|
register: secret_key_base_file
|
||||||
|
|
||||||
|
- name: check otp_secret
|
||||||
|
delegate_to: localhost
|
||||||
|
become: false
|
||||||
|
stat:
|
||||||
|
path: credentials/mastodon/otp_secret
|
||||||
|
register: otp_secret_file
|
||||||
|
|
||||||
|
- name: check vapid_secrets
|
||||||
|
delegate_to: localhost
|
||||||
|
become: false
|
||||||
|
stat:
|
||||||
|
path: credentials/mastodon/vapid_secrets
|
||||||
|
register: vapid_secrets_file
|
||||||
|
|
||||||
- name: env file stub
|
- name: env file stub
|
||||||
template:
|
template:
|
||||||
|
@ -41,42 +53,52 @@
|
||||||
vars:
|
vars:
|
||||||
db_password: "{{ lookup('ansible.builtin.password', 'credentials/mastodon/postgres', length=15) }}"
|
db_password: "{{ lookup('ansible.builtin.password', 'credentials/mastodon/postgres', length=15) }}"
|
||||||
alternate_domains: "mastodon_web"
|
alternate_domains: "mastodon_web"
|
||||||
when: mastosecrets.stat.exists != true
|
when: secret_key_base_file.stat.exists != true or otp_secret_file.stat.exists != true or vapid_secrets_file.stat.exists != true
|
||||||
|
|
||||||
- name: get SECRET_KEY_BASE
|
- name: get SECRET_KEY_BASE
|
||||||
shell: docker compose run --rm mastodon_web rake secret 2>/dev/null | tail -1
|
shell: docker compose run --rm mastodon_web rake secret 2>/dev/null | tail -1
|
||||||
args:
|
args:
|
||||||
chdir: /srv/mastodon
|
chdir: /srv/mastodon
|
||||||
register: skb
|
register: skb
|
||||||
when: mastosecrets.stat.exists != true
|
when: secret_key_base_file.stat.exists != true
|
||||||
|
|
||||||
|
- name: store SECRET_KEY_BASE
|
||||||
|
delegate_to: localhost
|
||||||
|
become: false
|
||||||
|
copy:
|
||||||
|
dest: credentials/mastodon/secret_key_base
|
||||||
|
content: "{{skb.stdout}}"
|
||||||
|
when: secret_key_base_file.stat.exists != true
|
||||||
|
|
||||||
- name: get OTP_SECRET
|
- name: get OTP_SECRET
|
||||||
shell: docker compose run --rm mastodon_web rake secret 2>/dev/null | tail -1
|
shell: docker compose run --rm mastodon_web rake secret 2>/dev/null | tail -1
|
||||||
args:
|
args:
|
||||||
chdir: /srv/mastodon
|
chdir: /srv/mastodon
|
||||||
register: otp
|
register: otp
|
||||||
when: mastosecrets.stat.exists != true
|
when: otp_secret_file.stat.exists != true
|
||||||
|
|
||||||
|
- name: store OTP_SECRET
|
||||||
|
delegate_to: localhost
|
||||||
|
become: false
|
||||||
|
copy:
|
||||||
|
dest: credentials/mastodon/otp_secret
|
||||||
|
content: "{{otp.stdout}}"
|
||||||
|
when: secret_key_base_file.stat.exists != true
|
||||||
|
|
||||||
- name: get vapid secrets
|
- name: get vapid secrets
|
||||||
command: docker compose run --rm mastodon_web rake mastodon:webpush:generate_vapid_key
|
command: docker compose run --rm mastodon_web rake mastodon:webpush:generate_vapid_key
|
||||||
args:
|
args:
|
||||||
chdir: /srv/mastodon
|
chdir: /srv/mastodon
|
||||||
register: vapid
|
register: vapid
|
||||||
when: mastosecrets.stat.exists != true
|
when: vapid_secrets_file.stat.exists != true
|
||||||
|
|
||||||
- name: create mastodon secrets file
|
- name: store vapid secrets
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
become: false
|
become: false
|
||||||
template:
|
copy:
|
||||||
src: templates/mastodon_secrets.yaml
|
dest: credentials/mastodon/vapid_secrets
|
||||||
dest: mastodon_secrets.yaml
|
content: "{{vapid.stdout}}"
|
||||||
when: mastosecrets.stat.exists != true
|
when: vapid_secrets_file.stat.exists != true
|
||||||
|
|
||||||
## now that we have a secrets file, read it in and make the env file again
|
|
||||||
|
|
||||||
- name: read env secret vars
|
|
||||||
include_vars:
|
|
||||||
file: mastodon_secrets.yaml
|
|
||||||
|
|
||||||
- name: env file
|
- name: env file
|
||||||
template:
|
template:
|
||||||
|
@ -84,6 +106,9 @@
|
||||||
dest: /srv/mastodon/.env.production
|
dest: /srv/mastodon/.env.production
|
||||||
vars:
|
vars:
|
||||||
db_password: "{{ lookup('ansible.builtin.password', 'credentials/mastodon/postgres', length=15) }}"
|
db_password: "{{ lookup('ansible.builtin.password', 'credentials/mastodon/postgres', length=15) }}"
|
||||||
|
secret_key_base: "{{ lookup('ansible.builtin.file', 'credentials/mastodon/secret_key_base') }}"
|
||||||
|
otp_secret: "{{ lookup('ansible.builtin.file', 'credentials/mastodon/otp_secret') }}"
|
||||||
|
vapid_secrets: "{{ lookup('ansible.builtin.file', 'credentials/mastodon/vapid_secrets') }}"
|
||||||
alternate_domains: "mastodon_web"
|
alternate_domains: "mastodon_web"
|
||||||
register: envfile
|
register: envfile
|
||||||
|
|
||||||
|
@ -101,3 +126,11 @@
|
||||||
when: envfile.changed or compose.changed
|
when: envfile.changed or compose.changed
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
## ---
|
||||||
|
|
||||||
|
- name: clean up docker
|
||||||
|
command: docker system prune -f
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
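Review bot: The `store OTP_SECRET` task is gated on `secret_key_base_file.stat.exists != true` while the matching `get OTP_SECRET` task uses `otp_secret_file.stat.exists != true`, so when only one of the two files already exists the OTP secret is either generated and never written, or the copy runs against a skipped `otp` register that has no `stdout`; the guard should read `when: otp_secret_file.stat.exists != true`. The three `copy` tasks that persist secrets on the control host set no `mode:`, so the files land with the umask default (typically world-readable), and the secret values also pass through registered stdout and the task output unless `no_log: true` is set — `mode: "0600"` and `no_log: true` belong on each get/store pair. `rake secret 2>/dev/null | tail -1` runs under the default `/bin/sh` without pipefail, so a failed `rake` still exits 0 through `tail` and an empty string would be stored as the secret and then templated into `.env.production`; run it under bash with `set -o pipefail` (shown below for the OTP pair; the SECRET_KEY_BASE and vapid pairs need the same treatment) or fail the play when the registered stdout is empty. Separately, `ansible/mastodon_secrets.yaml` was dropped from `.gitignore` but nothing removes a pre-existing copy, so an operator's checkout may now be able to stage the old secrets file; a localhost `file: state: absent` task, or a note in the commit message, would close that.

```yaml
- name: get OTP_SECRET
  shell: set -o pipefail; docker compose run --rm mastodon_web rake secret 2>/dev/null | tail -1
  args:
    chdir: /srv/mastodon
    executable: /bin/bash
  register: otp
  no_log: true
  when: otp_secret_file.stat.exists != true

- name: store OTP_SECRET
  delegate_to: localhost
  become: false
  no_log: true
  copy:
    dest: credentials/mastodon/otp_secret
    content: "{{otp.stdout}}"
    mode: "0600"
  when: otp_secret_file.stat.exists != true

# … unchanged: SECRET_KEY_BASE and vapid get/store tasks (apply the same pipefail, no_log and mode changes) …
```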
|
|
|
@ -1,5 +0,0 @@
|
||||||
---
|
|
||||||
secret_key_base: {{skb.stdout}}
|
|
||||||
otp_secret: {{otp.stdout}}
|
|
||||||
vapid_secrets: |
|
|
||||||
{{vapid.stdout | indent(2)}}
|
|