tweak secrets management

2 years ago · c005dfa87f
parent e5a2d3b7bb
commit c005dfa87f
6 changed files with 72 additions and 16 deletions
--- a/.ruby-version
+++ b/.ruby-version
@ -0,0 +1 @@
 3.2
--- a/5
+++ b/5
@ -0,0 +1,5 @@
 # frozen_string_literal: true
 source "https://rubygems.org"
 gem "rake"
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -0,0 +1,13 @@
 GEM
  remote: https://rubygems.org/
  specs:
    rake (13.0.6)
 PLATFORMS
  arm64-darwin-22
 DEPENDENCIES
  rake
 BUNDLED WITH
   2.4.1
--- a/lotus-land-story/.gitignore
+++ b/lotus-land-story/.gitignore
@ -0,0 +1,2 @@
 terraform.tfvars
 vars.yml
--- a/lotus-land-story/Rakefile
+++ b/lotus-land-story/Rakefile
@ -0,0 +1,25 @@
 require "yaml"
 DOMAIN = ENV.fetch("LOTUS_LAND_STORY_DOMAIN")
 task terraform: "terraform.tfvars" do
  sh "terraform apply"
 end
 task ansible: "vars.yml" do
  sh "ansible-playbook main.yml"
 end
 task "terraform.tfvars" do |t|
  File.write(t.name, "domain = \"#{DOMAIN}\"")
 end
 task "vars.yml" do |t|
  miniflux_password = `op read op://Private/Miniflux/password`.strip
  File.write(t.name, YAML.dump({
    "domain" => DOMAIN,
    "miniflux_password" => miniflux_password,
  }))
 end
 task default: %i[ terraform ansible ]
--- a/lotus-land-story/main.yml
+++ b/lotus-land-story/main.yml
@ -1,12 +1,9 @@
 - name: Set up lotus-land-story
  hosts: lotus-land-story
  vars_files:
    - vars.yml
  tasks:
    - name: Set facts from environment variables
      ansible.builtin.set_fact:
        domain: "{{ lookup('ansible.builtin.env', 'TF_VAR_domain') }}"
        miniflux_password: "{{ lookup('ansible.builtin.env', 'MINIFLUX_PASSWORD') }}"
    # https://wiki.debian.org/PostgreSql
    - name: Install postgres
      ansible.builtin.apt:
@ -21,10 +18,11 @@
        line: /dev/disk/by-id/scsi-0Linode_Volume_lotus-land-story /mnt/lotus-land-story ext4 defaults,noatime,nofail 0 2
        state: present
    - name: Make /mnt/lotus-land-story/postgresql
-      file:
+      ansible.builtin.file:
        path: /mnt/lotus-land-story/postgresql
        state: directory
        owner: postgres
        mode: "0755"
    - name: Set data directory to volume
      ansible.builtin.lineinfile:
        dest: "/etc/postgresql/13/main/postgresql.conf"
@ -53,23 +51,27 @@
              - gnupg
            state: present
        - name: Make /etc/apt/keyrings
-          file:
+          ansible.builtin.file:
            path: /etc/apt/keyrings
            state: directory
-            mode: 0755
+            mode: "0755"
        - name: Download Docker GPG key
-          ansible.builtin.shell: curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+          ansible.builtin.shell: |
            set -o pipefail
            curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
          args:
            creates: /etc/apt/keyrings/docker.gpg
        - name: Get architecture
-          command: dpkg --print-architecture
+          ansible.builtin.command: dpkg --print-architecture
          register: arch
          changed_when: arch.rc != 0
        - name: Set up docker repository
          ansible.builtin.template:
            src: templates/docker.list
            dest: /etc/apt/sources.list.d/docker.list
            mode: "0644"
        - name: Install docker
-          apt:
+          ansible.builtin.apt:
            pkg:
              - docker-ce
              - docker-ce-cli
@ -84,8 +86,11 @@
      block:
        - name: Get docker0 IP address
-          ansible.builtin.shell: ip -4 -o addr show docker0 | awk '{print $4}'
+          ansible.builtin.shell: ip -4 -o addr show docker0 | awk '{print $4}' # noqa: risky-shell-pipe
          vars:
            executable: /usr/bin/bash
          register: docker_ip
          changed_when: docker_ip.rc != 0
        - name: Listen on docker0 interface
          ansible.builtin.lineinfile:
            dest: "/etc/postgresql/13/main/conf.d/listen.conf"
@ -93,6 +98,7 @@
            line: "listen_addresses='localhost,{{ docker_ip.stdout | ansible.utils.ipaddr('address') }}'"
            state: present
            create: true
            mode: "0644"
          notify: Restart postgres
    - name: Set up postgres for miniflux
@ -147,17 +153,19 @@
                - "host.docker.internal:host-gateway"
    - name: Make /mnt/lotus-land-story/caddy
-      file:
+      ansible.builtin.file:
        path: /mnt/lotus-land-story/{{ item }}
        state: directory
        mode: "0755"
      loop:
-         - caddy
+        - caddy
-         - caddy/data
+        - caddy/data
-         - caddy/config
+        - caddy/config
    - name: Set up Caddyfile
      ansible.builtin.template:
        src: templates/Caddyfile
        dest: /mnt/lotus-land-story/caddy/Caddyfile
        mode: "0644"
    - name: Run caddy
      community.docker.docker_compose:
        project_name: caddy
@ -182,3 +190,5 @@
      ansible.builtin.service:
        name: postgresql
        state: restarted
 # vim: ft=yaml.ansible