feat(local-secrets): introduce unified local secrets management and documentation

- Add example secret files for `app_key`, `db_user_password`, and `redis_password`. - Introduce `local.vault.yml.example` for Ansible Vault encryption of local secrets. - Create migration and setup scripts for transitioning from `.env.local` to secrets files. - Update `docker-compose.local.yml` to adopt Docker Secrets and `_FILE` pattern for local configurations. - Add deployment playbooks and enhanced logging configurations for local development.
2025-11-04 11:06:21 +01:00
parent 12afbe874d
commit 02e4dc9338
15 changed files with 1043 additions and 11 deletions
--- a/deployment/ansible/inventory/local.yml
+++ b/deployment/ansible/inventory/local.yml
@@ -5,3 +5,7 @@ all:
    localhost:
      ansible_connection: local
      ansible_python_interpreter: "{{ ansible_playbook_python }}"
+  children:
+    local:
+      hosts:
+        localhost:
--- a/deployment/ansible/playbooks/setup-local-secrets.yml
+++ b/deployment/ansible/playbooks/setup-local-secrets.yml
@@ -0,0 +1,80 @@
+---
+- name: Setup Local Development Secrets
+  hosts: local
+  gather_facts: yes
+  become: no
+  connection: local
+
+  vars:
+    vault_file: "{{ playbook_dir }}/../secrets/local.vault.yml"
+
+  pre_tasks:
+    - name: Get repository root path
+      shell: |
+        cd "{{ playbook_dir }}/../../.."
+        pwd
+      register: repo_root
+      changed_when: false
+      delegate_to: localhost
+      become: no
+    
+    - name: Set repository root as fact
+      set_fact:
+        app_stack_path: "{{ repo_root.stdout }}"
+
+    - name: Verify vault file exists
+      stat:
+        path: "{{ vault_file }}"
+      register: vault_stat
+      delegate_to: localhost
+      become: no
+
+    - name: Fail if vault file missing
+      fail:
+        msg: "Vault file not found at {{ vault_file }}. Please create it from local.vault.yml.example"
+      when: not vault_stat.stat.exists
+
+  tasks:
+    - name: Load encrypted secrets
+      include_vars:
+        file: "{{ vault_file }}"
+      no_log: yes
+
+    - name: Ensure secrets directory exists for Docker Compose secrets
+      file:
+        path: "{{ app_stack_path }}/secrets"
+        state: directory
+        owner: "{{ ansible_user_id | default(ansible_env.USER | default('user')) }}"
+        group: "{{ ansible_user_id | default(ansible_env.USER | default('user')) }}"
+        mode: '0700'
+
+    - name: Create Docker Compose secret files from vault
+      copy:
+        content: "{{ item.value }}"
+        dest: "{{ app_stack_path }}/secrets/{{ item.name }}.txt"
+        owner: "{{ ansible_user_id | default(ansible_env.USER | default('user')) }}"
+        group: "{{ ansible_user_id | default(ansible_env.USER | default('user')) }}"
+        mode: '0600'
+      loop:
+        - name: db_user_password
+          value: "{{ vault_db_password }}"
+        - name: redis_password
+          value: "{{ vault_redis_password }}"
+        - name: app_key
+          value: "{{ vault_app_key }}"
+        - name: vault_encryption_key
+          value: "{{ vault_encryption_key | default(vault_app_key) }}"
+      no_log: yes
+
+    - name: Set secure permissions on secrets directory
+      file:
+        path: "{{ app_stack_path }}/secrets"
+        state: directory
+        owner: "{{ ansible_user_id | default(ansible_env.USER | default('user')) }}"
+        group: "{{ ansible_user_id | default(ansible_env.USER | default('user')) }}"
+        mode: '0700'
+        recurse: yes
+
+    - name: Display secrets setup summary
+      debug:
+        msg: "? Local secrets created in {{ app_stack_path }}/secrets/"
--- a/deployment/ansible/secrets/local.vault.yml.example
+++ b/deployment/ansible/secrets/local.vault.yml.example
@@ -0,0 +1,24 @@
+---
+# Local Development Vault Example
+# Copy this file to local.vault.yml and encrypt with:
+# ansible-vault encrypt local.vault.yml
+#
+# Or use plain text for local development (not recommended for shared machines):
+# ansible-vault encrypt local.vault.yml --vault-password-file ~/.ansible/vault_pass_local.txt
+#
+# For local development, you can also keep it unencrypted if you prefer:
+# cp local.vault.yml.example local.vault.yml
+# # Edit local.vault.yml with your local development secrets
+
+# Database Credentials (Local Development)
+vault_db_password: "local-dev-db-password-change-me"
+
+# Redis Password (Local Development)
+vault_redis_password: "local-dev-redis-password-change-me"
+
+# Application Secrets (Local Development)
+# Generate with: php -r "echo 'base64:' . base64_encode(random_bytes(32));"
+vault_app_key: "base64:local-dev-app-key-change-me-base64-encoded-32-byte-key"
+
+# Optional: Encryption Key (defaults to app_key if not set)
+vault_encryption_key: "base64:local-dev-encryption-key-change-me"