michael/michaelschiemer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1963b107496bcd1f05adbd6e5ecd8eed83dc7299
michaelschiemer/deployment/ansible/playbooks/setup-local-secrets.yml
Michael Schiemer 02e4dc9338 feat(local-secrets): introduce unified local secrets management and documentation 
- Add example secret files for `app_key`, `db_user_password`, and `redis_password`.
- Introduce `local.vault.yml.example` for Ansible Vault encryption of local secrets.
- Create migration and setup scripts for transitioning from `.env.local` to secrets files.
- Update `docker-compose.local.yml` to adopt Docker Secrets and `_FILE` pattern for local configurations.
- Add deployment playbooks and enhanced logging configurations for local development.
2025-11-04 11:06:21 +01:00

81 lines
2.5 KiB
YAML
Raw Blame History

---
- name: Setup Local Development Secrets
hosts: local
gather_facts: yes
become: no
connection: local
vars:
vault_file: "{{ playbook_dir }}/../secrets/local.vault.yml"
pre_tasks:
- name: Get repository root path
shell: |
cd "{{ playbook_dir }}/../../.."
pwd
register: repo_root
changed_when: false
delegate_to: localhost
become: no
- name: Set repository root as fact
set_fact:
app_stack_path: "{{ repo_root.stdout }}"
- name: Verify vault file exists
stat:
path: "{{ vault_file }}"
register: vault_stat
delegate_to: localhost
become: no
- name: Fail if vault file missing
fail:
msg: "Vault file not found at {{ vault_file }}. Please create it from local.vault.yml.example"
when: not vault_stat.stat.exists
tasks:
- name: Load encrypted secrets
include_vars:
file: "{{ vault_file }}"
no_log: yes
- name: Ensure secrets directory exists for Docker Compose secrets
file:
path: "{{ app_stack_path }}/secrets"
state: directory
owner: "{{ ansible_user_id | default(ansible_env.USER | default('user')) }}"
group: "{{ ansible_user_id | default(ansible_env.USER | default('user')) }}"
mode: '0700'
- name: Create Docker Compose secret files from vault
copy:
content: "{{ item.value }}"
dest: "{{ app_stack_path }}/secrets/{{ item.name }}.txt"
owner: "{{ ansible_user_id | default(ansible_env.USER | default('user')) }}"
group: "{{ ansible_user_id | default(ansible_env.USER | default('user')) }}"
mode: '0600'
loop:
- name: db_user_password
value: "{{ vault_db_password }}"
- name: redis_password
value: "{{ vault_redis_password }}"
- name: app_key
value: "{{ vault_app_key }}"
- name: vault_encryption_key
value: "{{ vault_encryption_key | default(vault_app_key) }}"
no_log: yes
- name: Set secure permissions on secrets directory
file:
path: "{{ app_stack_path }}/secrets"
state: directory
owner: "{{ ansible_user_id | default(ansible_env.USER | default('user')) }}"
group: "{{ ansible_user_id | default(ansible_env.USER | default('user')) }}"
mode: '0700'
recurse: yes
- name: Display secrets setup summary
debug:
msg: "? Local secrets created in {{ app_stack_path }}/secrets/"
Reference in New Issue View Git Blame Copy Permalink