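---
# Ansible Playbook: Setup Production Secrets
#
# Purpose: Deploy Docker Swarm secrets and the environment file to production.
# Usage:   ansible-playbook -i inventory/production.yml playbooks/setup-production-secrets.yml --ask-vault-pass
#
# Secret values come exclusively from the vault-encrypted vars file below; nothing
# sensitive is written into this playbook. Tasks that touch secret material are
# marked no_log so values never reach stdout, callback plugins or --diff output.

- name: Setup Production Secrets and Environment
  hosts: production_server
  # Runs as the connecting user (no privilege escalation). That user must be able
  # to write /home/deploy/secrets as "deploy" and run docker commands — presumably
  # it *is* deploy and is in the docker group; confirm against the inventory.
  become: false

  vars_files:
    - ../secrets/production-vault.yml  # Encrypted with ansible-vault

  tasks:
    - name: Ensure secrets directory exists
      ansible.builtin.file:
        path: /home/deploy/secrets
        state: directory
        mode: '0700'
        owner: deploy
        group: deploy

    - name: Deploy environment file from vault
      ansible.builtin.template:
        src: ../templates/production.env.j2
        dest: /home/deploy/secrets/.env.production
        mode: '0600'
        owner: deploy
        group: deploy
      # The rendered file contains the vault values; without no_log a run with
      # --diff (or a verbose callback) would print them in clear.
      no_log: true
      notify: Restart services

    - name: Create Docker secrets (if swarm is initialized)
      # Requires the community.docker collection (Ansible >= 2.10).
      # NOTE(review): Docker secrets are immutable — rotating a value that is
      # currently attached to a service may fail ("secret in use") or require
      # re-attaching the secret to the service; confirm the rotation procedure
      # against the module documentation before relying on this for rotation.
      community.docker.docker_secret:
        name: "{{ item.name }}"
        data: "{{ item.value }}"
        state: present
      loop:
        - { name: "db_password", value: "{{ vault_db_password }}" }
        - { name: "redis_password", value: "{{ vault_redis_password }}" }
        - { name: "app_key", value: "{{ vault_app_key }}" }
        - { name: "jwt_secret", value: "{{ vault_jwt_secret }}" }
        - { name: "registry_password", value: "{{ vault_registry_password }}" }
      no_log: true  # Don't log secrets (also hides loop item values)

    - name: Verify secrets are accessible
      # command (not shell): no shell features are needed, so don't invoke one.
      # --format restricts output to names only; the inner quotes make Jinja
      # emit a literal {{.Name}} for Docker's Go template. A non-zero exit
      # (e.g. swarm not initialised) fails the task here, before anything is
      # reported as deployed.
      ansible.builtin.command: docker secret ls --format '{{ "{{.Name}}" }}'
      register: secret_list
      changed_when: false

    - name: Display deployed secrets (names only)
      ansible.builtin.debug:
        msg: "Deployed secrets: {{ secret_list.stdout_lines }}"

  handlers:
    - name: Restart services
      # Force a rolling update so running tasks pick up the new env file.
      # One command per service: with a single multi-line shell script the exit
      # status was that of the LAST command, so a failed update of framework_web
      # was masked whenever the queue-worker update succeeded.
      ansible.builtin.command: docker service update --force {{ item }}
      loop:
        - framework_web
        - framework_queue-worker
      # ansible_check_mode is a magic variable that is always defined (true or
      # false), so the previous `is not defined` test was never true and the
      # handler never ran. Skip only when actually in check mode.
      when: not ansible_check_mode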