michaelschiemer/deployment/ansible/playbooks/setup-production-secrets.yml
Michael Schiemer 24cbbccf4c feat: update deployment configuration and encrypted env loader
- Update Ansible playbooks and roles for application deployment
- Add new Gitea/Traefik troubleshooting playbooks
- Update Docker Compose configurations (base, local, staging, production)
- Enhance EncryptedEnvLoader with improved error handling
- Add deployment scripts (autossh setup, migration, secret testing)
- Update CI/CD workflows and documentation
- Add Semaphore stack configuration
2025-11-02 20:38:06 +01:00


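---
# Materialise application secrets from the Ansible Vault file onto the
# production host as one file per secret under <app_stack_path>/secrets,
# intended for Docker Compose file-based secrets (the compose side is not
# part of this playbook). Docker Swarm is detected but not used here; the
# Swarm-secret tasks at the end are intentionally disabled (when: false).
#
# Expects app_stack_path and ansible_user from the inventory/group vars,
# and the vault_* variables referenced in the copy loop to be present in
# the vault file. Every task that touches secret values runs with no_log
# so the values never reach the play output.
- name: Setup Production Secrets
  hosts: production
  gather_facts: true
  become: true
  vars:
    # Vault file is resolved relative to the playbooks directory on the
    # control node.
    vault_file: "{{ playbook_dir }}/../secrets/production.vault.yml"

  pre_tasks:
    # The vault lives on the control node, hence delegate_to localhost and
    # no privilege escalation for the stat.
    - name: Verify vault file exists
      stat:
        path: "{{ vault_file }}"
      register: vault_stat
      delegate_to: localhost
      become: false

    - name: Fail if vault file missing
      fail:
        msg: "Vault file not found at {{ vault_file }}"
      when: not vault_stat.stat.exists

  tasks:
    # 'command' rather than 'shell': no shell features are needed, so the
    # argument string is split without a shell (consistent with the
    # 'docker secret ls' task below). The {{ "{{" }} / {{ "}}" }} pieces
    # emit literal Go-template braces for docker's -f flag.
    - name: Detect Docker Swarm mode
      command: docker info -f '{{ "{{" }}.Swarm.LocalNodeState{{ "}}" }}'
      register: swarm_state
      changed_when: false

    # swarm_active is not consumed in this playbook; presumably read by
    # later plays/roles — verify against callers before removing.
    - name: Set fact if swarm is active
      set_fact:
        swarm_active: "{{ swarm_state.stdout | lower == 'active' }}"

    # Loads the vault variables into host vars for the rest of the play.
    - name: Load encrypted secrets
      include_vars:
        file: "{{ vault_file }}"
      no_log: true

    - name: Ensure secrets directory exists for Docker Compose secrets
      file:
        path: "{{ app_stack_path }}/secrets"
        state: directory
        owner: "{{ ansible_user }}"
        group: "{{ ansible_user }}"
        mode: '0700'

    # One <name>.txt per secret, owner-read/write only.
    # vault_encryption_key falls back to the app key and git_token to an
    # empty file when the vault does not define them.
    - name: Create Docker Compose secret files from vault
      copy:
        content: "{{ item.value }}"
        dest: "{{ app_stack_path }}/secrets/{{ item.name }}.txt"
        owner: "{{ ansible_user }}"
        group: "{{ ansible_user }}"
        mode: '0600'
      loop:
        - name: db_user_password
          value: "{{ vault_db_password }}"
        - name: redis_password
          value: "{{ vault_redis_password }}"
        - name: app_key
          value: "{{ vault_app_key }}"
        - name: vault_encryption_key
          value: "{{ vault_encryption_key | default(vault_app_key) }}"
        - name: git_token
          value: "{{ vault_git_token | default('') }}"
      no_log: true

    # Symbolic mode with 'X' keeps the directory at 0700 while leaving the
    # secret files at 0600; a recursive numeric 0700 would have marked
    # every secret file executable, undoing the mode set by the copy task.
    - name: Set secure permissions on secrets directory
      file:
        path: "{{ app_stack_path }}/secrets"
        state: directory
        owner: "{{ ansible_user }}"
        group: "{{ ansible_user }}"
        mode: 'u=rwX,g=,o='
        recurse: true

    # Swarm-secret verification is disabled on purpose (when: false); kept
    # for reference only.
    - name: Verify Docker secrets (skipped)
      command: docker secret ls --format '{{ "{{" }}.Name{{ "}}" }}'
      register: docker_secrets
      changed_when: false
      when: false

    - name: Display deployed Docker secrets (skipped)
      debug:
        msg: "Deployed secrets: {{ docker_secrets.stdout_lines | default([]) }}"
      when: false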