michael/michaelschiemer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5a79646daf80311329b67a93b62f0d42a7e2b821
michaelschiemer/deployment/ansible/playbooks/setup-production-secrets.yml

93 lines
2.5 KiB
YAML
Raw Blame History

---
- name: Setup Production Secrets
hosts: production
gather_facts: yes
become: yes
vars:
vault_file: "{{ playbook_dir }}/../secrets/production.vault.yml"
pre_tasks:
- name: Verify vault file exists
stat:
path: "{{ vault_file }}"
register: vault_stat
delegate_to: localhost
become: no
- name: Fail if vault file missing
fail:
msg: "Vault file not found at {{ vault_file }}"
when: not vault_stat.stat.exists
tasks:
- name: Detect Docker Swarm mode
shell: docker info -f '{{ "{{" }}.Swarm.LocalNodeState{{ "}}" }}'
register: swarm_state
changed_when: false
- name: Set fact if swarm is active
set_fact:
swarm_active: "{{ swarm_state.stdout | lower == 'active' }}"
- name: Load encrypted secrets
include_vars:
file: "{{ vault_file }}"
no_log: yes
- name: Ensure secrets directory exists
file:
path: "{{ secrets_path }}"
state: directory
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: '0700'
- name: Create .env.production file
template:
src: "{{ playbook_dir }}/../templates/.env.production.j2"
dest: "{{ secrets_path }}/.env.production"
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: '0600'
no_log: yes
- name: Create Docker secrets from vault (disabled for compose-only deployment)
docker_secret:
name: "{{ item.name }}"
data: "{{ item.value }}"
state: present
loop:
- name: db_password
value: "{{ vault_db_password }}"
- name: redis_password
value: "{{ vault_redis_password }}"
- name: app_key
value: "{{ vault_app_key }}"
- name: jwt_secret
value: "{{ vault_jwt_secret }}"
- name: mail_password
value: "{{ vault_mail_password }}"
no_log: yes
when: false
- name: Set secure permissions on secrets directory
file:
path: "{{ secrets_path }}"
state: directory
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
mode: '0700'
recurse: yes
- name: Verify Docker secrets (skipped)
command: docker secret ls --format '{{ "{{" }}.Name{{ "}}" }}'
register: docker_secrets
changed_when: false
when: false
- name: Display deployed Docker secrets (skipped)
debug:
msg: "Deployed secrets: {{ docker_secrets.stdout_lines | default([]) }}"
when: false
Reference in New Issue View Git Blame Copy Permalink