Move secrets into credentials dir

This commit is contained in:
Erik Stambaugh 2024-01-18 19:54:44 -08:00
parent 31b13dc09b
commit 19b1425c98
5 changed files with 63 additions and 27 deletions

1
.gitignore vendored
View file

@ -14,4 +14,3 @@ pubkey
.s3_id
.s3_secret
ansible/credentials
ansible/mastodon_secrets.yaml

View file

@ -21,6 +21,9 @@ terraform: config.mk
ssh: config.mk
$(MAKE) -C ansible ssh
reboot: config.mk
$(MAKE) -C ansible reboot
#ansible:
# @$(MAKE) -C ansible

View file

@ -10,12 +10,18 @@ SSH := ssh -o "StrictHostKeyChecking=no" -o UserKnownHostsFile=/dev/null -o Prox
default: ansible
ansible: toolcheck inventory.yaml
@echo
@echo Attempting to configure to the target host. This might take a few tries the first time.
@echo
timeout --foreground 300 bash -c -- 'until $(SSH) $(INSTANCE_ID) "/bin/true"; do sleep 0.5; done'
export ANSIBLE_NOCOWS=1; ansible-playbook -i inventory.yaml --private-key ../terraform/privkey -l social site.yaml
ssh: inventory.yaml
$(SSH) $(INSTANCE_ID)
reboot: inventory.yaml
aws --region $(AWS_REGION) ec2 reboot-instances --instance-ids $(INSTANCE_ID)
inventory.yaml: inventory.tmpl.yaml sedline
sed $(SEDLINE) inventory.tmpl.yaml > inventory.yaml

View file

@ -24,15 +24,27 @@
dest: /srv/mastodon/docker-compose.yaml
register: compose
## generate a secrets file if we need one
# FIXME: what's in the mastodon_secrets.yaml file should be in credential lookup like db_password is
- name: check mastodon secrets var file
## generate secrets if they're needed
- name: check secret_key_base
delegate_to: localhost
become: false
stat:
path: mastodon_secrets.yaml
register: mastosecrets
path: credentials/mastodon/secret_key_base
register: secret_key_base_file
- name: check otp_secret
delegate_to: localhost
become: false
stat:
path: credentials/mastodon/otp_secret
register: otp_secret_file
- name: check vapid_secrets
delegate_to: localhost
become: false
stat:
path: credentials/mastodon/vapid_secrets
register: vapid_secrets_file
- name: env file stub
template:
@ -41,42 +53,52 @@
vars:
db_password: "{{ lookup('ansible.builtin.password', 'credentials/mastodon/postgres', length=15) }}"
alternate_domains: "mastodon_web"
when: mastosecrets.stat.exists != true
when: secret_key_base_file.stat.exists != true or otp_secret_file.stat.exists != true or vapid_secrets_file.stat.exists != true
- name: get SECRET_KEY_BASE
shell: docker compose run --rm mastodon_web rake secret 2>/dev/null | tail -1
args:
chdir: /srv/mastodon
register: skb
when: mastosecrets.stat.exists != true
when: secret_key_base_file.stat.exists != true
- name: store SECRET_KEY_BASE
delegate_to: localhost
become: false
copy:
dest: credentials/mastodon/secret_key_base
content: "{{skb.stdout}}"
when: secret_key_base_file.stat.exists != true
- name: get OTP_SECRET
shell: docker compose run --rm mastodon_web rake secret 2>/dev/null | tail -1
args:
chdir: /srv/mastodon
register: otp
when: mastosecrets.stat.exists != true
when: otp_secret_file.stat.exists != true
- name: store OTP_SECRET
delegate_to: localhost
become: false
copy:
dest: credentials/mastodon/otp_secret
content: "{{otp.stdout}}"
when: secret_key_base_file.stat.exists != true
- name: get vapid secrets
command: docker compose run --rm mastodon_web rake mastodon:webpush:generate_vapid_key
args:
chdir: /srv/mastodon
register: vapid
when: mastosecrets.stat.exists != true
when: vapid_secrets_file.stat.exists != true
- name: create mastodon secrets file
- name: store vapid secrets
delegate_to: localhost
become: false
template:
src: templates/mastodon_secrets.yaml
dest: mastodon_secrets.yaml
when: mastosecrets.stat.exists != true
## now that we have a secrets file, read it in and make the env file again
- name: read env secret vars
include_vars:
file: mastodon_secrets.yaml
copy:
dest: credentials/mastodon/vapid_secrets
content: "{{vapid.stdout}}"
when: vapid_secrets_file.stat.exists != true
- name: env file
template:
@ -84,6 +106,9 @@
dest: /srv/mastodon/.env.production
vars:
db_password: "{{ lookup('ansible.builtin.password', 'credentials/mastodon/postgres', length=15) }}"
secret_key_base: "{{ lookup('ansible.builtin.file', 'credentials/mastodon/secret_key_base') }}"
otp_secret: "{{ lookup('ansible.builtin.file', 'credentials/mastodon/otp_secret') }}"
vapid_secrets: "{{ lookup('ansible.builtin.file', 'credentials/mastodon/vapid_secrets') }}"
alternate_domains: "mastodon_web"
register: envfile
@ -101,3 +126,11 @@
when: envfile.changed or compose.changed
## ---
- name: clean up docker
command: docker system prune -f

View file

@ -1,5 +0,0 @@
---
secret_key_base: {{skb.stdout}}
otp_secret: {{otp.stdout}}
vapid_secrets: |
{{vapid.stdout | indent(2)}}