tweak secrets management

main
Alpha Chen 2 years ago
parent e5a2d3b7bb
commit c005dfa87f
Signed by: alpha
SSH Key Fingerprint: SHA256:3fOT8fiYQG/aK9ntivV3Bqtg8AYQ7q4nV6ZgihOA20g

@ -0,0 +1,5 @@
# frozen_string_literal: true
source "https://rubygems.org"
gem "rake"

@ -0,0 +1,13 @@
GEM
remote: https://rubygems.org/
specs:
rake (13.0.6)
PLATFORMS
arm64-darwin-22
DEPENDENCIES
rake
BUNDLED WITH
2.4.1

@ -0,0 +1,2 @@
terraform.tfvars
vars.yml

@ -0,0 +1,25 @@
require "yaml"
DOMAIN = ENV.fetch("LOTUS_LAND_STORY_DOMAIN")
task terraform: "terraform.tfvars" do
sh "terraform apply"
end
task ansible: "vars.yml" do
sh "ansible-playbook main.yml"
end
task "terraform.tfvars" do |t|
File.write(t.name, "domain = \"#{DOMAIN}\"")
end
task "vars.yml" do |t|
miniflux_password = `op read op://Private/Miniflux/password`.strip
File.write(t.name, YAML.dump({
"domain" => DOMAIN,
"miniflux_password" => miniflux_password,
}))
end
task default: %i[ terraform ansible ]
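Review bot: The `vars.yml` written in the `task "vars.yml"` block holds the Miniflux password, but `File.write` creates it with the process umask, so on most systems the file comes out world-readable; pass the permission explicitly, `File.write(t.name, YAML.dump({ ... }), perm: 0o600)`, noting that it applies only on creation, so a file left by an earlier run keeps its old mode unless removed first. The backtick call to `op read` on the preceding line is never checked for success, so a failed or signed-out `op` session yields an empty string that is silently written as the password; add `abort "op read failed" unless $?.success?` right after it. The `terraform.tfvars` task has the same unchecked write, though that file only carries the domain.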

@ -1,12 +1,9 @@
- name: Set up lotus-land-story
hosts: lotus-land-story
vars_files:
- vars.yml
tasks:
- name: Set facts from environment variables
ansible.builtin.set_fact:
domain: "{{ lookup('ansible.builtin.env', 'TF_VAR_domain') }}"
miniflux_password: "{{ lookup('ansible.builtin.env', 'MINIFLUX_PASSWORD') }}"
# https://wiki.debian.org/PostgreSql
- name: Install postgres
ansible.builtin.apt:
@ -21,10 +18,11 @@
line: /dev/disk/by-id/scsi-0Linode_Volume_lotus-land-story /mnt/lotus-land-story ext4 defaults,noatime,nofail 0 2
state: present
- name: Make /mnt/lotus-land-story/postgresql
file:
ansible.builtin.file:
path: /mnt/lotus-land-story/postgresql
state: directory
owner: postgres
mode: "0755"
- name: Set data directory to volume
ansible.builtin.lineinfile:
dest: "/etc/postgresql/13/main/postgresql.conf"
@ -53,23 +51,27 @@
- gnupg
state: present
- name: Make /etc/apt/keyrings
file:
ansible.builtin.file:
path: /etc/apt/keyrings
state: directory
mode: 0755
mode: "0755"
- name: Download Docker GPG key
ansible.builtin.shell: curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
ansible.builtin.shell: |
set -o pipefail
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
args:
creates: /etc/apt/keyrings/docker.gpg
- name: Get architecture
command: dpkg --print-architecture
ansible.builtin.command: dpkg --print-architecture
register: arch
changed_when: arch.rc != 0
- name: Set up docker repository
ansible.builtin.template:
src: templates/docker.list
dest: /etc/apt/sources.list.d/docker.list
mode: "0644"
- name: Install docker
apt:
ansible.builtin.apt:
pkg:
- docker-ce
- docker-ce-cli
@ -84,8 +86,11 @@
block:
- name: Get docker0 IP address
ansible.builtin.shell: ip -4 -o addr show docker0 | awk '{print $4}'
ansible.builtin.shell: ip -4 -o addr show docker0 | awk '{print $4}' # noqa: risky-shell-pipe
vars:
executable: /usr/bin/bash
register: docker_ip
changed_when: docker_ip.rc != 0
- name: Listen on docker0 interface
ansible.builtin.lineinfile:
dest: "/etc/postgresql/13/main/conf.d/listen.conf"
@ -93,6 +98,7 @@
line: "listen_addresses='localhost,{{ docker_ip.stdout | ansible.utils.ipaddr('address') }}'"
state: present
create: true
mode: "0644"
notify: Restart postgres
- name: Set up postgres for miniflux
@ -147,9 +153,10 @@
- "host.docker.internal:host-gateway"
- name: Make /mnt/lotus-land-story/caddy
file:
ansible.builtin.file:
path: /mnt/lotus-land-story/{{ item }}
state: directory
mode: "0755"
loop:
- caddy
- caddy/data
@ -158,6 +165,7 @@
ansible.builtin.template:
src: templates/Caddyfile
dest: /mnt/lotus-land-story/caddy/Caddyfile
mode: "0644"
- name: Run caddy
community.docker.docker_compose:
project_name: caddy
@ -182,3 +190,5 @@
ansible.builtin.service:
name: postgresql
state: restarted
# vim: ft=yaml.ansible
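Review bot: The `set -o pipefail` added to the Docker GPG key step (the hunk starting `@ -53,23 +51,27 @@`) runs under `ansible.builtin.shell`'s default `/bin/sh`, which on Debian is dash and, depending on its version, may not accept that option, so the task can fail before curl runs; give the step `executable: /bin/bash` under `args:` beside `creates:`. The later docker0 step appears to place `executable: /usr/bin/bash` under `vars:` rather than `args:`, where it only defines an unused variable instead of selecting the shell — if those lines are part of this change, move them under `args:`. The key itself is fetched with no integrity check, so a tampered download would become a trusted apt signing key; fetching the armored key with `ansible.builtin.get_url` and a `checksum:` taken from a known-good copy, then dearmoring it in a separate step, keeps the trust anchor pinned. `changed_when: arch.rc != 0` on the read-only `dpkg --print-architecture` step reports a change only on failure; `changed_when: false` is the conventional form for such a query. The play these hunks belong to starts and ends outside them.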
