cyclane/kovalhome
1
1
Fork 0
Code Issues 7 Pull Requests 1 Actions Packages Projects 3 Releases Activity

Secrets VM: v2 (#50)
Some checks failed
Infrastructure / Check and run Ansbile playbooks (push) Failing after 4m34s
Details

Browse Source 
Closes #44. We'll do a manual migration for stability and simplicity.

Reviewed-on: #50
This commit is contained in:
Gleb Koval
2024-03-29 15:24:57 +00:00
parent da90d463de
commit 20b72f085f
5 changed files with 38 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.github/workflows/infra.yaml vendored
View File

@@ -75,7 +75,6 @@ jobs:
SMTP_PASSWORD: ${{ secrets.SMTP_PASSWORD }} SMTP_PASSWORD: ${{ secrets.SMTP_PASSWORD }}
INFISICAL_ENCRYPTION_KEY: ${{ secrets.INFISICAL_ENCRYPTION_KEY }} INFISICAL_ENCRYPTION_KEY: ${{ secrets.INFISICAL_ENCRYPTION_KEY }}
INFISICAL_AUTH_SECRET: ${{ secrets.INFISICAL_AUTH_SECRET }} INFISICAL_AUTH_SECRET: ${{ secrets.INFISICAL_AUTH_SECRET }}
INFISICAL_MONGO_PASSWORD: ${{ secrets.INFISICAL_MONGO_PASSWORD }}
INFISICAL_TOKEN: ${{ secrets.INFISICAL_TOKEN }} INFISICAL_TOKEN: ${{ secrets.INFISICAL_TOKEN }}
INFISICAL_URL: https://secrets.koval.net INFISICAL_URL: https://secrets.koval.net
run: ansible-playbook --inventory ./inventory ${{ steps.playbooks.outputs.to_run }} -vv run: ansible-playbook --inventory ./inventory ${{ steps.playbooks.outputs.to_run }} -vv

2
infra/secrets/0000_proxmox_playbook.yaml
View File

@@ -9,7 +9,7 @@
api_token_secret: "{{ lookup('ansible.builtin.env', 'PROXMOX_TOKEN_SECRET') }}" api_token_secret: "{{ lookup('ansible.builtin.env', 'PROXMOX_TOKEN_SECRET') }}"
ssh_public: "{{ lookup('ansible.builtin.env', 'SSH_PUBLIC') }}" ssh_public: "{{ lookup('ansible.builtin.env', 'SSH_PUBLIC') }}"
vmname: "{{ inventory_hostname | regex_replace('^([^\\.]+)\\..+$', '\\1') }}" vmname: "{{ inventory_hostname | regex_replace('^([^\\.]+)\\..+$', '\\1') }}"
node: pve node: pve2
module_defaults: module_defaults:
community.general.proxmox_kvm: community.general.proxmox_kvm:
api_user: "{{ api_user }}" api_user: "{{ api_user }}"

5
infra/secrets/0003_infiscal_playbook.yaml
View File

@@ -32,11 +32,6 @@
path: "{{ user.home }}/{{ app }}/.env" path: "{{ user.home }}/{{ app }}/.env"
regexp: "AUTH_SECRET_VALUE" regexp: "AUTH_SECRET_VALUE"
replace: "{{ lookup('ansible.builtin.env', 'INFISICAL_AUTH_SECRET') }}" replace: "{{ lookup('ansible.builtin.env', 'INFISICAL_AUTH_SECRET') }}"
- name: Replace Mongo Password secret
ansible.builtin.replace:
path: "{{ user.home }}/{{ app }}/.env"
regexp: "MONGO_PASSWORD_VALUE"
replace: "{{ lookup('ansible.builtin.env', 'INFISICAL_MONGO_PASSWORD') }}"
- name: Replace SMTP Password secret - name: Replace SMTP Password secret
ansible.builtin.replace: ansible.builtin.replace:
path: "{{ user.home }}/{{ app }}/.env" path: "{{ user.home }}/{{ app }}/.env"

14
infra/secrets/infisical/.env
View File

@@ -8,19 +8,17 @@ ENCRYPTION_KEY=ENCRYPTION_KEY_VALUE
# THIS IS A SAMPLE AUTH_SECRET KEY AND SHOULD NEVER BE USED FOR PRODUCTION # THIS IS A SAMPLE AUTH_SECRET KEY AND SHOULD NEVER BE USED FOR PRODUCTION
AUTH_SECRET=AUTH_SECRET_VALUE AUTH_SECRET=AUTH_SECRET_VALUE
# MongoDB # Postgres creds
# Backend will connect to the MongoDB instance at connection string MONGO_URL which can either be a ref POSTGRES_PASSWORD=infisical
# to the MongoDB container instance or Mongo Cloud POSTGRES_USER=infisical
POSTGRES_DB=infisical
# Required # Required
MONGO_URL=mongodb://root:MONGO_PASSWORD_VALUE@mongo:27017/?authSource=admin DB_CONNECTION_URI=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB}
# Redis # Redis
REDIS_URL=redis://redis:6379 REDIS_URL=redis://redis:6379
# Optional credentials for MongoDB container instance and Mongo-Express
MONGO_USERNAME=root
MONGO_PASSWORD=MONGO_PASSWORD_VALUE
# Website URL # Website URL
# Required # Required
SITE_URL=https://secrets.koval.net SITE_URL=https://secrets.koval.net

39
infra/secrets/infisical/docker-compose.yml
View File

@@ -1,11 +1,28 @@
version: "3" version: "3"
services: services:
db-migration:
depends_on:
db:
condition: service_healthy
image: infisical/infisical:latest-postgres
env_file: .env
command: npm run migration:latest
pull_policy: always
networks:
- infisical
backend: backend:
restart: unless-stopped restart: unless-stopped
depends_on: depends_on:
- mongo db:
image: infisical/infisical:latest condition: service_healthy
redis:
condition: service_started
db-migration:
condition: service_completed_successfully
image: infisical/infisical:latest-postgres
pull_policy: always
env_file: .env env_file: .env
ports: ports:
- 80:8080 - 80:8080
@@ -20,14 +37,18 @@ services:
ports: ports:
- 6379:6379 - 6379:6379
volumes: volumes:
- /mnt/nvme/redis-data:/data - /mnt/nvme/redis_data:/data
mongo: db:
image: mongo image: postgres:14-alpine
restart: always restart: always
env_file: .env env_file: .env
environment:
- MONGO_INITDB_ROOT_USERNAME=${MONGO_USERNAME}
- MONGO_INITDB_ROOT_PASSWORD=${MONGO_PASSWORD}
volumes: volumes:
- /mnt/nvme/mongo-data:/data/db - /mnt/nvme/pg_data:/var/lib/postgresql/data
networks:
- infisical
healthcheck:
test: "pg_isready --username=${POSTGRES_USER} && psql --username=${POSTGRES_USER} --list"
interval: 5s
timeout: 10s
retries: 10