From ab5d357c4d4b211ac0cb5cff472682735fda62ae Mon Sep 17 00:00:00 2001
From: Sam Al-Sapti
Date: Sat, 4 Nov 2023 00:38:08 +0100
Subject: [PATCH] Add secrets to vault files
---
 group_vars/appservers/vars.yml | 12 +++++++++
 group_vars/production/vars.yml | 4 +--
 group_vars/production/vault.yml | 27 +++++++++++++++++++
 group_vars/staging/vars.yml | 4 +--
 group_vars/staging/vault.yml | 26 ++++++++++++++++++
 roles/apps/defaults/main.yml | 1 -
 .../templates/compose-files/restic.yml.j2 | 12 ++++-----
 7 files changed, 75 insertions(+), 11 deletions(-)
 create mode 100644 group_vars/production/vault.yml
 create mode 100644 group_vars/staging/vault.yml
diff --git a/group_vars/appservers/vars.yml b/group_vars/appservers/vars.yml
index 222bac4..e4fca84 100644
--- a/group_vars/appservers/vars.yml
+++ b/group_vars/appservers/vars.yml
@@ -6,3 +6,15 @@ apps_base_domain: "{{ base_domain }}"
 apps_local_domain: "{{ local_domain }}"
 docker_data_root: "{{ encrypted_fs }}/docker"
+
+redis_passwords:
+ nextcloud: "{{ vault_redis_passwords.nextcloud }}"
+
+restic:
+ b2:
+ bucket: "{{ vault_restic.b2.bucket }}"
+ id: "{{ vault_restic.b2.id }}"
+ key: "{{ vault_restic.b2.key }}"
+ repo:
+ path: /restic
+ password: "{{ vault_restic.repo.password }}"
diff --git a/group_vars/production/vars.yml b/group_vars/production/vars.yml
index a1beef9..d771d9b 100644
--- a/group_vars/production/vars.yml
+++ b/group_vars/production/vars.yml
@@ -4,5 +4,5 @@ base_domain: sapti.me
 local_domain: local.{{ base_domain }}
-db_passwords: "{{ vault_db_passwords }}"
-redis_passwords: "{{ vault_redis_passwords }}"
+db_passwords:
+ nextcloud: "{{ vault_db_passwords.nextcloud }}"
diff --git a/group_vars/production/vault.yml b/group_vars/production/vault.yml
new file mode 100644
index 0000000..5e02b31
--- /dev/null
+++ b/group_vars/production/vault.yml
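Review bot: `path: /restic` under the new `restic.repo` mapping in group_vars/appservers/vars.yml becomes the only definition of the repository path, because the same commit removes `repo: /restic` from roles/apps/defaults/main.yml; any host that renders the restic template without being in `appservers` would then hit an undefined `restic.repo.path` instead of a default (I cannot see from the hunk whether the role merges `apps_vars.restic` into `restic`, so please confirm). If the role is meant to stay reusable, keep the non-secret path as a role default, e.g. `restic: {repo: {path: /restic}}` in defaults/main.yml, and leave only the `vault_*` lookups in group_vars. The `vault_redis_passwords` and `vault_restic` names are resolved from vault files this commit adds only under production/ and staging/, so a comment such as `# vault_* values are defined in group_vars/<env>/vault.yml (ansible-vault encrypted)` above the block would make that dependency visible to the next maintainer.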
@@ -0,0 +1,27 @@ +$ANSIBLE_VAULT;1.1;AES256 +33343239393262363334393363663539336235373661646163306638653262633930333531356166 +3263663133323230633231333035393035633665316437640a363839633338616630376463666633 +36303231383139346336336664373966643564316238626365303234373862333332653364323838 +3761326330363730610a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diff --git a/group_vars/staging/vars.yml b/group_vars/staging/vars.yml index 7ee2cb4..7ed21cb 100644 --- a/group_vars/staging/vars.yml +++ b/group_vars/staging/vars.yml @@ -4,5 +4,5 @@ base_domain: staging.sapti.me local_domain: local.{{ base_domain }} -db_passwords: "{{ vault_db_passwords }}" -redis_passwords: "{{ vault_redis_passwords }}" +db_passwords: + nextcloud: "{{ vault_db_passwords.nextcloud }}" diff --git a/group_vars/staging/vault.yml b/group_vars/staging/vault.yml new file mode 100644 index 0000000..fe8400d --- /dev/null +++ b/group_vars/staging/vault.yml 
@@ -0,0 +1,26 @@ +$ANSIBLE_VAULT;1.1;AES256 +66323863666335363963383237356566343539656432393166336436313763376634336463303666 +3861343530313939646466633165353564343062383864390a623464646530636165353838333562 +37393634643935373839366632383432353335633430613564663664323333643134616566336337 +6664353035626362380a306462643865326234336563306431626266393339396137336264393733 +65353139353031333161636333626661376466363433616561323338643065393064313934633236 +31396437643531313433343732306336633332396434313831396564666162636264343261336466 +30306134656161356338313838633834663566646530326463366266616434373037333737613063 +61623338663964316265386433666237326466623936306138663966623033376131333365636230 +35303163363538613435613262346233393462343763633135396261653335336337326237313739 +66613461643366663131353731636138666464636566336636646130633166323933306631613236 +65636633363331356664333934623638313161336632663263323031303836333661623262316562 +35663930303033356435373235356436356130326165636131346166346566343063633131303537 +38323033613132393639353666653563386663306364363363303961363563323536343930353463 +30333362393137313763656636323563363661343539343334386439636638333562326264393063 +61316363353231656230633464376164623462656333326139396563306334363634326634343034 +35323436633631396663646262376432663831333430636337333336623061373133313465323366 +35363434393930613633636139353461393631643032663438343564356565663739376436306564 +37646438626562393631333238613035643665333730636162616134363464303230393436626662 +30363038636163366334613464373761633130623338336265336632393437356133613362313235 +38366138313761386132383666363232643161636330396161323536643365663730386164316437 +30333463326530356438356364663638663833363366363739643934663665306238393166623839 +36626230363437646238386431373934396263633033303262626632323930313232636364646234 +33323264656237393235613230333534613030316361366638636663346533313539386138653331 
+64396362613962323361633366366132666439626264643534663036343934646533656236616538
+62343161623865643332613039396234623238343532646336346563343131306335
diff --git a/roles/apps/defaults/main.yml b/roles/apps/defaults/main.yml
index ea73171..0390146 100644
--- a/roles/apps/defaults/main.yml
+++ b/roles/apps/defaults/main.yml
@@ -46,7 +46,6 @@ apps_vars:
 version: latest
 restic:
- repo: /restic
 extra_tasks: false
 version: '1.7.0'
diff --git a/roles/apps/templates/compose-files/restic.yml.j2 b/roles/apps/templates/compose-files/restic.yml.j2
index ae31ea6..f83fda3 100644
--- a/roles/apps/templates/compose-files/restic.yml.j2
+++ b/roles/apps/templates/compose-files/restic.yml.j2
@@ -8,8 +8,8 @@ services:
 environment:
 RUN_ON_STARTUP: false
 BACKUP_CRON: 0 0 3 * * *
- RESTIC_REPOSITORY: b2:{{ restic.b2.bucket }}:{{ restic.repo }}
- RESTIC_PASSWORD: {{ restic.repo_password }}
+ RESTIC_REPOSITORY: b2:{{ restic.b2.bucket }}:{{ restic.repo.path }}
+ RESTIC_PASSWORD: {{ restic.repo.password }}
 RESTIC_BACKUP_SOURCES: /mnt/volumes
 RESTIC_BACKUP_ARGS: >-
 --tag docker-volumes
@@ -36,8 +36,8 @@ services:
 environment:
 RUN_ON_STARTUP: false
 PRUNE_CRON: 0 0 4 * * *
- RESTIC_REPOSITORY: b2:{{ restic.b2.bucket }}:{{ restic.repo }}
- RESTIC_PASSWORD: {{ restic.repo_password }}
+ RESTIC_REPOSITORY: b2:{{ restic.b2.bucket }}:{{ restic.repo.path }}
+ RESTIC_PASSWORD: {{ restic.repo.password }}
 RESTIC_PRUNE_ARGS: >-
 --verbose
 B2_ACCOUNT_ID: {{ restic.b2.id }}
@@ -50,8 +50,8 @@ services:
 environment:
 RUN_ON_STARTUP: false
 CHECK_CRON: 0 0 5 * * *
- RESTIC_REPOSITORY: b2:{{ restic.b2.bucket }}:{{ restic.repo }}
- RESTIC_PASSWORD: {{ restic.repo_password }}
+ RESTIC_REPOSITORY: b2:{{ restic.b2.bucket }}:{{ restic.repo.path }}
+ RESTIC_PASSWORD: {{ restic.repo.password }}
 RESTIC_CHECK_ARGS: >-
 --verbose
 B2_ACCOUNT_ID: {{ restic.b2.id }}
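Review bot: `RESTIC_PASSWORD: {{ restic.repo.password }}` is rendered as an unquoted YAML scalar, so a vault-sourced password that contains `: ` or ` #`, begins with `*`, `&`, `[`, `{` or a quote, or happens to look like a number or boolean is truncated, retyped or makes the compose file fail to parse; the same line is repeated in the hunks at -36 and -50, and the context line `B2_ACCOUNT_ID: {{ restic.b2.id }}` (and presumably the account key that follows it) has the same exposure. Rendering through `to_json` yields a correctly escaped double-quoted string: `RESTIC_PASSWORD: {{ restic.repo.password | to_json }}`, and the same filter fits the B2 credentials. Note also that the rendered compose file keeps the repository password and B2 key in plaintext in `environment:` on the host, which this commit does not change; if that matters for the deployment, an `env_file` with restricted permissions or a Docker secret would keep them out of the compose file and `docker inspect` output. The `services:` mapping these hunks belong to starts and ends outside the hunks.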