serguzim/infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Refactor the vault/secrets

Browse source
This commit is contained in:
Tobias Reisinger 2026-02-06 21:41:42 +01:00
parent 11c339ce92
commit 28f2e9a33a
Signed by: serguzim
GPG key ID: 13AD60C237A28DFE
32 changed files with 144 additions and 83 deletions
Download patch file Download diff file Expand all files Collapse all files

4
playbooks/filter_plugins/gatus.py
View file

@ -2,7 +2,7 @@ class FilterModule(object):
def filters(self):
return {
'hosts_to_gatus': self.hosts_to_gatus,
'vault_hosts_backup_to_gatus': self.vault_hosts_backup_to_gatus,
'hosts_backup_to_gatus': self.hosts_backup_to_gatus,
'services_to_gatus': self.services_to_gatus,
}
@ -31,7 +31,7 @@ class FilterModule(object):
})
return result
def vault_hosts_backup_to_gatus(self, hostvars):
def hosts_backup_to_gatus(self, hostvars):
result = []
backup_alerts = []
for a in self.default_alerts:

4
playbooks/roles/authentik/defaults/main.yml
View file

@ -1,4 +1,6 @@
---
authentik_secret_key: "{{ undef() }}"
authentik_svc:
domain: "{{ all_services | service_get_domain(role_name) }}"
port: 9000
@ -11,7 +13,7 @@ authentik_svc:
database: "{{ opentofu.postgresql_data.authentik.database }}"
authentik_env:
AUTHENTIK_SECRET_KEY: "{{ vault_authentik.secret_key }}"
AUTHENTIK_SECRET_KEY: "{{ authentik_secret_key | mandatory }}"
AUTHENTIK_EMAIL__HOST: "{{ mailer.host }}"
AUTHENTIK_EMAIL__PORT: "{{ mailer.port }}"

10
playbooks/roles/backup/defaults/main.yml
View file

@ -2,6 +2,8 @@
backup_list: "{{ host_services | services_get_attr('backup') | flatten }}"
backup_list_all: "{{ all_services | services_get_attr('backup') | flatten }}"
backup_backends: {}
backup_msg_start: "Backup started"
backup_msg_fail: "Backup failed"
backup_msg_fail_location: "Backup failed for location: "
@ -42,17 +44,17 @@ backup_global:
backup_yml:
version: 2
backends: "{{ vault_backup.backends }}"
backends: "{{ backup_backends | mandatory }}"
locations: "{{ backup_list | map_backup_locations(vault_backup.backends, backup_default_hooks) }}"
locations: "{{ backup_list | map_backup_locations(backup_backends | mandatory, backup_default_hooks) }}"
global: "{{ backup_global }}"
backup_yml_all:
version: 2
backends: "{{ vault_backup.backends }}"
backends: "{{ backup_backends | mandatory }}"
locations: "{{ backup_list_all | map_backup_locations(vault_backup.backends, backup_default_hooks) }}"
locations: "{{ backup_list_all | map_backup_locations(backup_backends | mandatory, backup_default_hooks) }}"
global: "{{ backup_global }}"

12
playbooks/roles/caddy/defaults/main.yml
View file

@ -1,7 +1,7 @@
---
caddy_acmedns_user: "{{ vault_caddy.acmedns.user }}"
caddy_acmedns_pass: "{{ vault_caddy.acmedns.pass }}"
caddy_acmedns_subd: "{{ vault_caddy.acmedns.subd }}"
caddy_acmedns_user: "{{ undef() }}"
caddy_acmedns_pass: "{{ undef() }}"
caddy_acmedns_subd: "{{ undef() }}"
caddy_acmedns_url: "https://{{ acme_dns.host }}"
caddy_ports: "{{ host_services | services_get_attr('ports') | flatten | services_ports_to_docker('reverse_proxy') }}"
@ -9,9 +9,9 @@ caddy_ports: "{{ host_services | services_get_attr('ports') | flatten | services
caddy_env:
CADDY_ADMIN: unix//run/caddy-admin.sock
ACMEDNS_USER: "{{ caddy_acmedns_user }}"
ACMEDNS_PASS: "{{ caddy_acmedns_pass }}"
ACMEDNS_SUBD: "{{ caddy_acmedns_subd }}"
ACMEDNS_USER: "{{ caddy_acmedns_user | mandatory }}"
ACMEDNS_PASS: "{{ caddy_acmedns_pass | mandatory }}"
ACMEDNS_SUBD: "{{ caddy_acmedns_subd | mandatory }}"
ACMEDNS_URL: "{{ caddy_acmedns_url }}"
caddy_compose:

4
playbooks/roles/deploy/defaults/main.yml
View file

@ -1,4 +1,6 @@
---
deploy_reitanlage_oranienburg_token: "{{ undef() }}"
deploy_svc:
domain: "{{ all_services | service_get_domain(role_name) }}"
port: 9000
@ -16,7 +18,7 @@ deploy_yml:
and:
- match:
type: value
value: "{{ vault_deploy.reitanlage_oranienburg_token }}"
value: "{{ deploy_reitanlage_oranienburg_token | mandatory }}"
parameter:
source: header
name: X-Webhook-Token

17
playbooks/roles/emgauwa/defaults/main.yml
View file

@ -1,18 +1,23 @@
---
emgauwa_server_port: 4419
emgauwa_server_token: "{{ vault_emgauwa.token }}"
emgauwa_server_token: "{{ undef() }}"
emgauwa_acmedns_user: "{{ undef() }}"
emgauwa_acmedns_pass: "{{ undef() }}"
emgauwa_acmedns_subd: "{{ undef() }}"
emgauwa_acmedns_url: "https://{{ acme_dns.host }}"
emgauwa_env:
ACMEDNS_USER: "{{ vault_emgauwa.acme_dns.user }}"
ACMEDNS_PASS: "{{ vault_emgauwa.acme_dns.pass }}"
ACMEDNS_SUBD: "{{ vault_emgauwa.acme_dns.subd }}"
ACMEDNS_URL: "{{ vault_emgauwa.acme_dns.url }}"
ACMEDNS_USER: "{{ emgauwa_acmedns_user | mandatory }}"
ACMEDNS_PASS: "{{ emgauwa_acmedns_pass | mandatory }}"
ACMEDNS_SUBD: "{{ emgauwa_acmedns_subd | mandatory }}"
ACMEDNS_URL: "{{ emgauwa_acmedns_url }}"
emgauwa_core_yml:
server:
host: 0.0.0.0
port: "{{ emgauwa_server_port }}"
token: "{{ emgauwa_server_token }}"
token: "{{ emgauwa_server_token | mandatory }}"
database: sqlite:///data/core.sqlite
emgauwa_controller_yml:

2
playbooks/roles/extra_services/defaults/main.yml
View file

@ -1,3 +1,3 @@
---
extra_services_svc:
extra_svcs: "{{ vault_extra_services }}"
extra_svcs: []

14
playbooks/roles/factorio/defaults/main.yml
View file

@ -1,12 +1,16 @@
---
factorio_port: 34197
factorio_username: "{{ undef() }}"
factorio_token: "{{ undef() }}"
factorio_game_password: "{{ undef() }}"
factorio_uid: 845
factorio_gid: 845
factorio_env:
PORT: "{{ factorio_port }}"
USERNAME: "{{ vault_factorio.username }}"
TOKEN: "{{ vault_factorio.token }}"
USERNAME: "{{ factorio_username | mandatory }}"
TOKEN: "{{ factorio_token | mandatory }}"
factorio_json:
name: "StammtischOnAutomation"
@ -18,11 +22,11 @@ factorio_json:
public: true
lan: true
username: "{{ vault_factorio.username }}"
username: "{{ factorio_username | mandatory }}"
password: ""
token: "{{ vault_factorio.token }}"
token: "{{ factorio_token | mandatory }}"
game_password: "{{ vault_factorio.game_password }}"
game_password: "{{ factorio_game_password | mandatory }}"
require_user_verification: true
max_upload_in_kilobytes_per_second: 0

16
playbooks/roles/forgejo/defaults/main.yml
View file

@ -1,4 +1,10 @@
---
forgejo_server_lfs_jwt_secret: "{{ undef() }}"
forgejo_security_internal_token: "{{ undef() }}"
forgejo_security_secret_key: "{{ undef() }}"
forgejo_oauth2_jwt_secret: "{{ undef() }}"
forgejo_umami: "{{ undef() }}"
forgejo_svc:
domain: "{{ all_services | service_get_domain(role_name) }}"
port: 3000
@ -37,13 +43,13 @@ forgejo_ini:
SSH_PORT: "{{ svc.ssh_port }}"
ROOT_URL: https://{{ svc.domain }}
OFFLINE_MODE: true
LFS_JWT_SECRET: "{{ vault_forgejo.server_lfs_jwt_secret }}"
LFS_JWT_SECRET: "{{ forgejo_server_lfs_jwt_secret | mandatory }}"
LFS_START_SERVER: true
security:
INSTALL_LOCK: true
INTERNAL_TOKEN: "{{ vault_forgejo.security_internal_token }}"
SECRET_KEY: "{{ vault_forgejo.security_secret_key }}"
INTERNAL_TOKEN: "{{ forgejo_security_internal_token | mandatory }}"
SECRET_KEY: "{{ forgejo_security_secret_key | mandatory }}"
openid:
ENABLE_OPENID_SIGNUP: true
@ -75,14 +81,14 @@ forgejo_ini:
MAX_FILES: 10
oauth2:
JWT_SECRET: "{{ vault_forgejo.oauth2_jwt_secret }}"
JWT_SECRET: "{{ forgejo_oauth2_jwt_secret | mandatory }}"
log.console:
FLAGS: "level,medfile,shortfuncname"
metrics:
ENABLED: true
TOKEN: "{{ vault_metrics_token }}"
TOKEN: "{{ metrics_token | mandatory }}"
actions:
ENABLED: true

2
playbooks/roles/forgejo/templates/footer.tmpl.j2
View file

@ -1,2 +1,2 @@
<script async src="/_a/script.js" data-website-id="{{ vault_forgejo.umami }}"></script>
<script async src="/_a/script.js" data-website-id="{{ forgejo_umami | mandatory }}"></script>
<script async src="/_a/track-external.js"></script>

16
playbooks/roles/gatus/defaults/main.yml
View file

@ -1,9 +1,5 @@
---
gatus_svc:
domain: "{{ all_services | service_get_domain(role_name) }}"
port: 8080
gatus_external_endpoints_backups: "{{ hostvars | vault_hosts_backup_to_gatus() }}"
gatus_external_endpoints_backups: "{{ hostvars | hosts_backup_to_gatus() }}"
gatus_endpoints_hosts: "{{ opentofu.hosts | hosts_to_gatus() }}"
gatus_endpoints_services: "{{ all_services | services_to_gatus() }}"
@ -34,6 +30,12 @@ gatus_endpoints_other:
ui:
hide-url: true
gatus_alerting: "{{ undef() }}"
gatus_svc:
domain: "{{ all_services | service_get_domain(role_name) }}"
port: 8080
gatus_yml:
storage:
type: sqlite
@ -49,9 +51,7 @@ gatus_yml:
- name: Matrix Federation Tester
link: "{{ gatus_federation_tester }}"
alerting:
email: "{{ vault_gatus.alerting.email }}"
ntfy: "{{ vault_gatus.alerting.ntfy }}"
alerting: "{{ gatus_alerting | mandatory }}"
metrics: true

13
playbooks/roles/healthcheck/defaults/main.yml
View file

@ -1,4 +1,9 @@
---
healthcheck_matrix_token: "{{ undef() }}"
healthcheck_matrix_room: "{{ undef() }}"
healthcheck_mailer_user: "{{ undef() }}"
healthcheck_mailer_pass: "{{ undef() }}"
healthcheck_svc:
checks:
- mail
@ -10,11 +15,11 @@ healthcheck_env:
MATRIX_SERVER: https://matrix.serguzim.me
MATRIX_SERVER_FEDTESTER: msrg.cc
MATRIX_HC_URL: "{{ opentofu.healthchecksio.healthcheck.matrix.ping_url }}"
MATRIX_TOKEN: "{{ vault_healthcheck.matrix.token }}"
MATRIX_ROOM: "{{ vault_healthcheck.matrix.room }}"
MATRIX_TOKEN: "{{ healthcheck_matrix_token | mandatory }}"
MATRIX_ROOM: "{{ healthcheck_matrix_room | mandatory }}"
MAIL_HC_UID: "{{ opentofu.healthchecksio.healthcheck.mail.id }}"
MAIL_HOST: "{{ mailer.host }}"
MAIL_PORT: "{{ mailer.port }}"
MAIL_USER: "{{ vault_healthcheck.mailer.user }}"
MAIL_PASS: "{{ vault_healthcheck.mailer.pass }}"
MAIL_USER: "{{ healthcheck_mailer_user | mandatory }}"
MAIL_PASS: "{{ healthcheck_mailer_pass | mandatory }}"

12
playbooks/roles/immich/defaults/main.yml
View file

@ -1,8 +1,8 @@
---
immich_db_host: database
immich_db_db: immich
immich_db_user: "{{ vault_immich.db.user }}"
immich_db_pass: "{{ vault_immich.db.pass }}"
immich_db_user: "{{ undef() }}"
immich_db_pass: "{{ undef() }}"
immich_docker_tag: v2.3.1
@ -15,12 +15,12 @@ immich_env:
DB_HOSTNAME: "{{ immich_db_host }}"
DB_DATABASE_NAME: "{{ immich_db_db }}"
DB_USERNAME: "{{ immich_db_user }}"
DB_PASSWORD: "{{ immich_db_pass }}"
DB_USERNAME: "{{ immich_db_user | mandatory }}"
DB_PASSWORD: "{{ immich_db_pass | mandatory }}"
POSTGRES_DB: "{{ immich_db_db }}"
POSTGRES_USER: "{{ immich_db_user }}"
POSTGRES_PASSWORD: "{{ immich_db_pass }}"
POSTGRES_USER: "{{ immich_db_user | mandatory }}"
POSTGRES_PASSWORD: "{{ immich_db_pass | mandatory }}"
REDIS_HOSTNAME: redis

4
playbooks/roles/immich_worker/defaults/main.yml
View file

@ -1,8 +1,8 @@
---
immich_worker_db_host: "{{ }}"
immich_worker_db_db: immich
immich_worker_db_user: "{{ vault_immich.db.user }}"
immich_worker_db_pass: "{{ vault_immich.db.pass }}"
immich_worker_db_user: "{{ immich_db_user | mandatory }}"
immich_worker_db_pass: "{{ immich_db_pass | mandatory }}"
immich_worker_docker_tag: v2.3.1

6
playbooks/roles/jitsi/defaults/main.yml
View file

@ -1,5 +1,7 @@
---
jitsi_image_version: stable-10314
jitsi_jicofo_auth_password: "{{ undef() }}"
jitsi_jvb_auth_password: "{{ undef() }}"
jitsi_svc:
domain: "{{ all_services | service_get_domain(role_name) }}"
@ -17,8 +19,8 @@ jitsi_env:
ENABLE_AUTH: 0
ENABLE_GUESTS: 1
JICOFO_AUTH_PASSWORD: "{{ vault_jitsi.jicofo_auth_password }}"
JVB_AUTH_PASSWORD: "{{ vault_jitsi.jvb_auth_password }}"
JICOFO_AUTH_PASSWORD: "{{ jitsi_jicofo_auth_password | mandatory }}"
JVB_AUTH_PASSWORD: "{{ jitsi_jvb_auth_password | mandatory }}"
jitsi_compose:

1
playbooks/roles/lego/defaults/main.yml
View file

@ -1,5 +1,6 @@
---
lego_host_certificates: "{{ host_services | services_get_attr('certificates') | flatten }}"
lego_acmedns_registered: "{{ undef() }}"
lego_env:
ACME_DNS_API_BASE: https://{{ acme_dns.host }}

2
playbooks/roles/lego/tasks/config.yml
View file

@ -10,7 +10,7 @@
- name: Create the acme-dns-accounts
ansible.builtin.copy:
dest: "{{ (lego_config_path, 'acme-dns-accounts.json') | path_join }}"
content: '{{ vault_acmedns_registered | acmedns_to_lego | to_json }}'
content: '{{ lego_acmedns_registered | acmedns_to_lego | to_json }}'
mode: "0644"
- name: Copy the hook script
ansible.builtin.copy:

4
playbooks/roles/lgtm_stack/defaults/main.yml
View file

@ -6,6 +6,8 @@ lgtm_stack_loki_domain: "{{ all_services | service_get_domain('loki') }}"
lgtm_stack_alloy_jobs: "{{ all_services | services_to_alloy() }}"
lgtm_stack_grafana_secret_key: "{{ undef() }}"
lgtm_stack_svc:
domain: "{{ lgtm_stack_domain }}"
@ -35,7 +37,7 @@ lgtm_stack_env:
GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION: true
GF_SECURITY_ADMIN_USER: "{{ admin_email }}"
GF_SECURITY_SECRET_KEY: "{{ vault_lgtm_stack.grafana.secret_key }}"
GF_SECURITY_SECRET_KEY: "{{ lgtm_stack_grafana_secret_key | mandatory }}"
GF_SECURITY_COOKIE_SECURE: true
GF_SECURITY_COOKIE_SAMESITE: "strict"

4
playbooks/roles/mailcowdockerized/defaults/main.yml
View file

@ -1,6 +1,8 @@
---
mailcowdockerized_domains: "{{ undef }}"
mailcowdockerized_svc:
domain: "{{ all_services | service_get_domain(role_name) }}"
docker_host: host.docker.internal
port: 3004
additional_domains: "{{ ['autodiscover', 'autoconfig'] | product(vault_mailcowdockerized.domains) | map('join', '.') }}"
additional_domains: "{{ ['autodiscover', 'autoconfig'] | product(mailcowdockerized_domains | mandatory) | map('join', '.') }}"

10
playbooks/roles/minecraft_2/defaults/main.yml
View file

@ -1,4 +1,8 @@
---
minecraft_2_seed: "{{ undef() }}"
minecraft_2_ops: "{{ undef() }}"
minecraft_2_whitelist: "{{ undef() }}"
minecraft_2_env:
ALLOW_FLIGHT: true
ALLOW_NETHER: true
@ -40,16 +44,16 @@ minecraft_2_env:
TYPE: PAPER
ONLINE_MODE: true
OP_PERMISSION_LEVEL: 4
OPS: "{{ vault_minecraft_2.ops }}"
OPS: "{{ minecraft_2_ops | mandatory }}"
OVERRIDE_ICON: true
OVERRIDE_SERVER_PROPERTIES: true
PLAYER_IDLE_TIMEOUT: 0
PREVENT_PROXY_CONNECTIONS: false
SEED: "{{ vault_minecraft_2.seed }}"
SEED: "{{ minecraft_2_seed | mandatory }}"
USE_NATIVE_TRANSPORT: true
VERSION: LATEST
VIEW_DISTANCE: 10
WHITELIST: "{{ vault_minecraft_2.whitelist }}"
WHITELIST: "{{ minecraft_2_whitelist | mandatory }}"
minecraft_2_compose:
watchtower: false

10
playbooks/roles/minecraft_3/defaults/main.yml
View file

@ -1,4 +1,8 @@
---
minecraft_3_seed: "{{ undef() }}"
minecraft_3_ops: "{{ undef() }}"
minecraft_3_whitelist: "{{ undef() }}"
minecraft_3_env:
ALLOW_FLIGHT: true
ALLOW_NETHER: true
@ -40,16 +44,16 @@ minecraft_3_env:
TYPE: VANILLA
ONLINE_MODE: true
OP_PERMISSION_LEVEL: 4
OPS: "{{ vault_minecraft_3.ops }}"
OPS: "{{ minecraft_3_ops | mandatory }}"
OVERRIDE_ICON: true
OVERRIDE_SERVER_PROPERTIES: true
PLAYER_IDLE_TIMEOUT: 0
PREVENT_PROXY_CONNECTIONS: false
SEED: "{{ vault_minecraft_3.seed }}"
SEED: "{{ minecraft_3_seed | mandatory }}"
USE_NATIVE_TRANSPORT: true
VERSION: LATEST
VIEW_DISTANCE: 10
WHITELIST: "{{ vault_minecraft_3.whitelist }}"
WHITELIST: "{{ minecraft_3_whitelist | mandatory }}"
minecraft_3_compose:
watchtower: false

7
playbooks/roles/minio/defaults/main.yml
View file

@ -1,4 +1,7 @@
---
minio_user: "{{ undef() }}"
minio_pass: "{{ undef() }}"
minio_svc:
domain: "{{ all_services | service_get_domain(role_name) }}"
port: 9000
@ -17,8 +20,8 @@ minio_env:
MINIO_BROWSER_REDIRECT_URL: https://console.{{ svc.domain }}
MINIO_VOLUMES: /data
MINIO_ROOT_USER: "{{ vault_minio.user }}"
MINIO_ROOT_PASSWORD: "{{ vault_minio.pass }}"
MINIO_ROOT_USER: "{{ minio_user | mandatory }}"
MINIO_ROOT_PASSWORD: "{{ minio_pass | mandatory }}"
minio_compose:

4
playbooks/roles/paperless/defaults/main.yml
View file

@ -2,6 +2,8 @@
paperless_uid: 1000
paperless_gid: 1000
paperless_secret_key: "{{ undef() }}"
paperless_svc:
domain: "{{ all_services | service_get_domain(role_name) }}"
port: 8000
@ -11,7 +13,7 @@ paperless_env:
USERMAP_GID: "{{ paperless_gid }}"
PAPERLESS_URL: "https://{{ paperless_svc.domain }}"
PAPERLESS_SECRET_KEY: "{{ vault_paperless.secret_key }}"
PAPERLESS_SECRET_KEY: "{{ paperless_secret_key | mandatory }}"
PAPERLESS_TIME_ZONE: "{{ timezone }}"
PAPERLESS_OCR_LANGUAGE: deu

8
playbooks/roles/phpvms/defaults/main.yml
View file

@ -2,6 +2,8 @@
phpvms_version: 7.0.5
phpvms_docker_image: ghcr.io/phpvms/phpvms:{{ phpvms_version }}-gd
phpvms_db_password: "{{ undef() }}"
phpvms_uid: 1000
phpvms_gid: 1000
@ -35,7 +37,7 @@ phpvms_env:
DB_PORT: 3306
DB_DATABASE: phpvms
DB_USERNAME: phpvms
DB_PASSWORD: "{{ vault_phpvms.db.pass }}"
DB_PASSWORD: "{{ phpvms_db_pass | mandatory }}"
## CACHE SETTINGS
CACHE_DRIVER: redis
@ -82,10 +84,10 @@ phpvms_compose:
user: "${WWWUSER:-1000}:${WWWGROUP:-1000}"
image: "{{ phpvms_docker_image }}"
restart: always
command: sh -c sed -i
command: sh -c "sed -i
's/Paginator::useBootstrap();/Paginator::useBootstrap();
\\\\Illuminate\\\\Support\\\\Facades\\\\URL::forceScheme(\"https\");/'
app/Providers/AppServiceProvider.php && php-fpm
app/Providers/AppServiceProvider.php && php-fpm"
environment:
PHP_OPCACHE_ENABLE: 1
# some basic laravel stuff

4
playbooks/roles/shlink/defaults/main.yml
View file

@ -1,4 +1,6 @@
---
shlink_geolite_key: "{{ undef() }}"
shlink_svc:
domain: "{{ all_services | service_get_domain(role_name) }}"
additional_domains:
@ -23,7 +25,7 @@ shlink_env:
DB_USER: "{{ opentofu.postgresql_data.shlink.user }}"
DB_PASSWORD: "{{ opentofu.postgresql_data.shlink.pass }}"
GEOLITE_LICENSE_KEY: "{{ vault_shlink.geolite_key }}"
GEOLITE_LICENSE_KEY: "{{ shlink_geolite_key | mandatory }}"
shlink_compose:
watchtower: update

8
playbooks/roles/synapse/defaults/main.yml
View file

@ -1,4 +1,8 @@
---
synapse_macaroon_secret_key: "{{ undef() }}"
synapse_form_secret: "{{ undef() }}"
synapse_signing_key: "{{ undef() }}"
synapse_svc:
domain: "{{ all_services | service_get_domain(role_name) }}"
docker_host: synapse-admin
@ -66,8 +70,8 @@ synapse_yml:
enable_metrics: true
report_stats: true
macaroon_secret_key: "{{ vault_synapse.macaroon_secret_key }}"
form_secret: "{{ vault_synapse.form_secret }}"
macaroon_secret_key: "{{ synapse_macaroon_secret_key | mandatory }}"
form_secret: "{{ synapse_form_secret | mandatory }}"
signing_key_path: "{{ (svc.config_path, 'msrg.cc.signing.key') | path_join }}"
trusted_key_servers:

2
playbooks/roles/synapse/tasks/main.yml
View file

@ -37,7 +37,7 @@
- name: Copy the signing key
ansible.builtin.copy:
content: "{{ vault_synapse.signing_key }}"
content: "{{ synapse_signing_key | mandatory }}"
dest: "{{ (synapse_config_path, 'msrg.cc.signing.key') | path_join }}"
mode: "0644"
notify: Restart service {{ role_name }}

3
playbooks/roles/tandoor/defaults/main.yml
View file

@ -1,4 +1,5 @@
---
tandoor_secret_key: "{{ undef() }}"
tandoor_svc:
domain: "{{ all_services | service_get_domain(role_name) }}"
port: 80
@ -14,7 +15,7 @@ tandoor_env:
SQL_DEBUG: 0
ALLOWED_HOSTS: recipes.serguzim.me
SECRET_KEY: "{{ vault_tandoor.secret_key }}"
SECRET_KEY: "{{ tandoor_secret_key | mandatory }}"
TZ: "{{ timezone }}"
DB_ENGINE: django.db.backends.postgresql

4
playbooks/roles/teamspeak_fallback/defaults/main.yml
View file

@ -2,7 +2,7 @@
teamspeak_fallback_check_server: ts.sneiso.eu
teamspeak_fallback_check_port: 30033
teamspeak_fallback_webhook_token: "{{ vault_teamspeak_fallback.webhook_token }}"
teamspeak_fallback_webhook_token: "{{ undef() }}"
teamspeak_fallback_user: 9987
teamspeak_fallback_group: 9987
@ -28,7 +28,7 @@ teamspeak_fallback_yml:
and:
- match:
type: value
value: "{{ teamspeak_fallback_webhook_token }}"
value: "{{ teamspeak_fallback_webhook_token | mandatory }}"
parameter:
source: header
name: X-Webhook-Token

4
playbooks/roles/umami/defaults/main.yml
View file

@ -4,7 +4,7 @@ umami_db_user: "{{ opentofu.postgresql_data.umami.user }}"
umami_db_pass: "{{ opentofu.postgresql_data.umami.pass }}"
umami_db_database: "{{ opentofu.postgresql_data.umami.database }}"
umami_hash_salt: "{{ vault_umami.hash_salt }}"
umami_hash_salt: "{{ undef() }}"
umami_docker_image: docker.umami.dev/umami-software/umami:3
@ -29,7 +29,7 @@ umami_svc:
umami_env:
DATABASE_URL: postgres://{{ umami_db_user }}:{{ umami_db_pass }}@{{ umami_db_host }}/{{ umami_db_database }}?sslmode=full-verify
HASH_SALT: "{{ umami_hash_salt }}"
HASH_SALT: "{{ umami_hash_salt | mandatory }}"
CLIENT_IP_HEADER: X-Analytics-IP
umami_compose:

4
playbooks/roles/vikunja/defaults/main.yml
View file

@ -1,4 +1,6 @@
---
vikunja_jwt_secret: "{{ undef() }}"
vikunja_svc:
domain: "{{ all_services | service_get_domain(role_name) }}"
port: 3456
@ -11,7 +13,7 @@ vikunja_svc:
vikunja_yml:
service:
JWTSecret: "{{ vault_vikunja.jwt_secret }}"
JWTSecret: "{{ vikunja_jwt_secret | mandatory }}"
publicurl: https://{{ svc.domain }}
enableregistration: false
timezone: "{{ timezone }}"

12
playbooks/roles/woodpecker/defaults/main.yml
View file

@ -1,4 +1,8 @@
---
woodpecker_agent_secret: "{{ undef() }}"
woodpecker_gitea_client: "{{ undef() }}"
woodpecker_gitea_secret: "{{ undef() }}"
woodpecker_svc:
domain: "{{ all_services | service_get_domain(role_name) }}"
port: 8000
@ -17,16 +21,16 @@ woodpecker_env:
WOODPECKER_OPEN: true
WOODPECKER_HOST: https://{{ svc.domain }}
WOODPECKER_ADMIN: serguzim
WOODPECKER_AGENT_SECRET: "{{ vault_woodpecker.agent_secret }}"
WOODPECKER_PROMETHEUS_AUTH_TOKEN: "{{ vault_metrics_token }}"
WOODPECKER_AGENT_SECRET: "{{ woodpecker_agent_secret | mandatory }}"
WOODPECKER_PROMETHEUS_AUTH_TOKEN: "{{ metrics_token | mandatory }}"
WOODPECKER_SERVER: "{{ svc.extra_svcs[0].domain }}:443"
WOODPECKER_GRPC_SECURE: true
WOODPECKER_GITEA: true
WOODPECKER_GITEA_URL: https://git.serguzim.me
WOODPECKER_GITEA_CLIENT: "{{ vault_woodpecker.gitea.client }}"
WOODPECKER_GITEA_SECRET: "{{ vault_woodpecker.gitea.secret }}"
WOODPECKER_GITEA_CLIENT: "{{ woodpecker_gitea_client | mandatory }}"
WOODPECKER_GITEA_SECRET: "{{ woodpecker_gitea_secret | mandatory }}"
WOODPECKER_DATABASE_DRIVER: postgres
WOODPECKER_DATABASE_DATASOURCE: postgres://{{ svc.db.user }}:{{ svc.db.pass }}@{{ svc.db.host }}:{{ svc.db.port }}/{{ svc.db.database }}?sslmode=verify-full