Move secrets into credentials dir
parent
31b13dc09b
commit
19b1425c98
5 changed files with 63 additions and 27 deletions
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -14,4 +14,3 @@ pubkey
|
|||
.s3_id
|
||||
.s3_secret
|
||||
ansible/credentials
|
||||
ansible/mastodon_secrets.yaml
|
||||
|
|
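Review bot: Dropping `ansible/mastodon_secrets.yaml` from the ignore list at the same time as adding `ansible/credentials` leaves any existing checkout that still has a generated `ansible/mastodon_secrets.yaml` on disk with an unignored secrets file that `git add -A` would stage; keeping the old entry until the file has been removed from working copies, or stating that cleanup step in the commit message, avoids an accidental secret commit during the migration. `ansible/credentials` also matches a file of that name; `ansible/credentials/` would make the directory intent explicit. Which line is the addition and which the deletion is not recoverable from the rendered hunk, so this assumes the entry was removed rather than reordered.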
3
Makefile
3
Makefile
|
@ -21,6 +21,9 @@ terraform: config.mk
|
|||
ssh: config.mk
|
||||
$(MAKE) -C ansible ssh
|
||||
|
||||
reboot: config.mk
|
||||
$(MAKE) -C ansible reboot
|
||||
|
||||
#ansible:
|
||||
# @$(MAKE) -C ansible
|
||||
|
||||
|
|
|
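Review bot: The `ssh` and `reboot` targets in this hunk are commands rather than files, so unless a `.PHONY` declaration elsewhere in this Makefile already lists them, a stray file named `ssh` or `reboot` in the checkout would make them silently "up to date"; add `.PHONY: ssh reboot` next to the existing declaration. The commented-out `#ansible:` / `# @$(MAKE) -C ansible` pair is dead recipe text and should either become a real target or be dropped, since a reader cannot tell whether a top-level `ansible` target is intended. The rendered page does not show which three of these nine lines are the additions, so the `.PHONY` point applies to whichever of the two targets this commit introduces.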
@ -10,12 +10,18 @@ SSH := ssh -o "StrictHostKeyChecking=no" -o UserKnownHostsFile=/dev/null -o Prox
|
|||
default: ansible
|
||||
|
||||
ansible: toolcheck inventory.yaml
|
||||
@echo
|
||||
@echo Attempting to configure to the target host. This might take a few tries the first time.
|
||||
@echo
|
||||
timeout --foreground 300 bash -c -- 'until $(SSH) $(INSTANCE_ID) "/bin/true"; do sleep 0.5; done'
|
||||
export ANSIBLE_NOCOWS=1; ansible-playbook -i inventory.yaml --private-key ../terraform/privkey -l social site.yaml
|
||||
|
||||
ssh: inventory.yaml
|
||||
$(SSH) $(INSTANCE_ID)
|
||||
|
||||
reboot: inventory.yaml
|
||||
aws --region $(AWS_REGION) ec2 reboot-instances --instance-ids $(INSTANCE_ID)
|
||||
|
||||
inventory.yaml: inventory.tmpl.yaml sedline
|
||||
sed $(SEDLINE) inventory.tmpl.yaml > inventory.yaml
|
||||
|
||||
|
|
|
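Review bot: The new `ssh` target reuses `$(SSH)`, which the hunk header shows is defined with `StrictHostKeyChecking=no` and `UserKnownHostsFile=/dev/null`; that is tolerable for the unattended retry loop in `ansible`, but for an interactive `make ssh` it means the host's identity is never verified, so a separate variable for interactive use that omits those two options and relies on a seeded `known_hosts` entry would be safer. `reboot` lists `inventory.yaml` as a prerequisite but only uses `$(AWS_REGION)` and `$(INSTANCE_ID)`, so that dependency looks unnecessary, and both `ssh` and `reboot` should be declared `.PHONY` unless that is done elsewhere in the file. The `inventory.yaml` recipe redirects straight into its target, so a failing `sed` leaves a truncated-but-newer file; `sed $(SEDLINE) $< > $@.tmp && mv -f $@.tmp $@` (or a `.DELETE_ON_ERROR:` line) avoids that, though this rule may be pre-existing context rather than part of the change.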
@ -24,15 +24,27 @@
|
|||
dest: /srv/mastodon/docker-compose.yaml
|
||||
register: compose
|
||||
|
||||
## generate a secrets file if we need one
|
||||
# FIXME: what's in the mastodon_secrets.yaml file should be in credential lookup like db_password is
|
||||
|
||||
- name: check mastodon secrets var file
|
||||
## generate secrets if they're needed
|
||||
- name: check secret_key_base
|
||||
delegate_to: localhost
|
||||
become: false
|
||||
stat:
|
||||
path: mastodon_secrets.yaml
|
||||
register: mastosecrets
|
||||
path: credentials/mastodon/secret_key_base
|
||||
register: secret_key_base_file
|
||||
|
||||
- name: check otp_secret
|
||||
delegate_to: localhost
|
||||
become: false
|
||||
stat:
|
||||
path: credentials/mastodon/otp_secret
|
||||
register: otp_secret_file
|
||||
|
||||
- name: check vapid_secrets
|
||||
delegate_to: localhost
|
||||
become: false
|
||||
stat:
|
||||
path: credentials/mastodon/vapid_secrets
|
||||
register: vapid_secrets_file
|
||||
|
||||
- name: env file stub
|
||||
template:
|
||||
|
@ -41,42 +53,52 @@
|
|||
vars:
|
||||
db_password: "{{ lookup('ansible.builtin.password', 'credentials/mastodon/postgres', length=15) }}"
|
||||
alternate_domains: "mastodon_web"
|
||||
when: mastosecrets.stat.exists != true
|
||||
when: secret_key_base_file.stat.exists != true or otp_secret_file.stat.exists != true or vapid_secrets_file.stat.exists != true
|
||||
|
||||
- name: get SECRET_KEY_BASE
|
||||
shell: docker compose run --rm mastodon_web rake secret 2>/dev/null | tail -1
|
||||
args:
|
||||
chdir: /srv/mastodon
|
||||
register: skb
|
||||
when: mastosecrets.stat.exists != true
|
||||
when: secret_key_base_file.stat.exists != true
|
||||
|
||||
- name: store SECRET_KEY_BASE
|
||||
delegate_to: localhost
|
||||
become: false
|
||||
copy:
|
||||
dest: credentials/mastodon/secret_key_base
|
||||
content: "{{skb.stdout}}"
|
||||
when: secret_key_base_file.stat.exists != true
|
||||
|
||||
- name: get OTP_SECRET
|
||||
shell: docker compose run --rm mastodon_web rake secret 2>/dev/null | tail -1
|
||||
args:
|
||||
chdir: /srv/mastodon
|
||||
register: otp
|
||||
when: mastosecrets.stat.exists != true
|
||||
when: otp_secret_file.stat.exists != true
|
||||
|
||||
- name: store OTP_SECRET
|
||||
delegate_to: localhost
|
||||
become: false
|
||||
copy:
|
||||
dest: credentials/mastodon/otp_secret
|
||||
content: "{{otp.stdout}}"
|
||||
when: secret_key_base_file.stat.exists != true
|
||||
|
||||
- name: get vapid secrets
|
||||
command: docker compose run --rm mastodon_web rake mastodon:webpush:generate_vapid_key
|
||||
args:
|
||||
chdir: /srv/mastodon
|
||||
register: vapid
|
||||
when: mastosecrets.stat.exists != true
|
||||
when: vapid_secrets_file.stat.exists != true
|
||||
|
||||
- name: create mastodon secrets file
|
||||
- name: store vapid secrets
|
||||
delegate_to: localhost
|
||||
become: false
|
||||
template:
|
||||
src: templates/mastodon_secrets.yaml
|
||||
dest: mastodon_secrets.yaml
|
||||
when: mastosecrets.stat.exists != true
|
||||
|
||||
## now that we have a secrets file, read it in and make the env file again
|
||||
|
||||
- name: read env secret vars
|
||||
include_vars:
|
||||
file: mastodon_secrets.yaml
|
||||
copy:
|
||||
dest: credentials/mastodon/vapid_secrets
|
||||
content: "{{vapid.stdout}}"
|
||||
when: vapid_secrets_file.stat.exists != true
|
||||
|
||||
- name: env file
|
||||
template:
|
||||
|
@ -84,6 +106,9 @@
|
|||
dest: /srv/mastodon/.env.production
|
||||
vars:
|
||||
db_password: "{{ lookup('ansible.builtin.password', 'credentials/mastodon/postgres', length=15) }}"
|
||||
secret_key_base: "{{ lookup('ansible.builtin.file', 'credentials/mastodon/secret_key_base') }}"
|
||||
otp_secret: "{{ lookup('ansible.builtin.file', 'credentials/mastodon/otp_secret') }}"
|
||||
vapid_secrets: "{{ lookup('ansible.builtin.file', 'credentials/mastodon/vapid_secrets') }}"
|
||||
alternate_domains: "mastodon_web"
|
||||
register: envfile
|
||||
|
||||
|
@ -101,3 +126,11 @@
|
|||
when: envfile.changed or compose.changed
|
||||
|
||||
|
||||
|
||||
## ---
|
||||
|
||||
- name: clean up docker
|
||||
command: docker system prune -f
|
||||
|
||||
|
||||
|
||||
|
|
|
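Review bot: The `store OTP_SECRET` task in hunk `@ -41,42 +53,52 @@` is gated on the wrong stat result — `when: secret_key_base_file.stat.exists != true` — while `get OTP_SECRET` directly above it is gated on `otp_secret_file`; when only one of the two files is missing, the OTP secret is either generated but never written, or the copy runs against a skipped `otp` register and most likely fails on an undefined `otp.stdout`. Change it to `when: otp_secret_file.stat.exists != true`. The three `store …` tasks also write secrets with the default file mode and echo them in verbose task output; adding `mode: '0600'` to each `copy:` and `no_log: true` to the `get`/`store` tasks keeps the generated values out of world-readable files and out of logs. Since `rake secret … | tail -1` runs under `shell` without `pipefail`, a failing rake would store an empty string that the stat checks treat as a valid secret on every later run, so a guard such as `failed_when: skb.stdout | length == 0` (and the same for `otp` and `vapid`) is worth adding.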
@ -1,5 +0,0 @@
|
|||
---
|
||||
secret_key_base: {{skb.stdout}}
|
||||
otp_secret: {{otp.stdout}}
|
||||
vapid_secrets: |
|
||||
{{vapid.stdout | indent(2)}}
|