Migrate Photos VM to read secrets from Infisical (#25)
Some checks failed
Infrastructure / Check and run Ansbile playbooks (push) Failing after 2m3s
Some checks failed
Infrastructure / Check and run Ansbile playbooks (push) Failing after 2m3s
#21 provisioned an Infisical service (https://secrets.koval.net/). We can use this instead of the hacky solution that can explode. Contributes to and closes #16. Reviewed-on: #25
This commit is contained in:
4
.github/workflows/infra.yaml
vendored
4
.github/workflows/infra.yaml
vendored
@@ -29,7 +29,7 @@ jobs:
|
||||
apt update
|
||||
apt install -y python3-pip
|
||||
pip3 install -r requirements.txt
|
||||
ansible-galaxy collection install community.general
|
||||
ansible-galaxy collection install community.general infisical.vault
|
||||
|
||||
- name: Check playbooks
|
||||
run: |
|
||||
@@ -76,4 +76,6 @@ jobs:
|
||||
INFISICAL_ENCRYPTION_KEY: ${{ secrets.INFISICAL_ENCRYPTION_KEY }}
|
||||
INFISICAL_AUTH_SECRET: ${{ secrets.INFISICAL_AUTH_SECRET }}
|
||||
INFISICAL_MONGO_PASSWORD: ${{ secrets.INFISICAL_MONGO_PASSWORD }}
|
||||
INFISICAL_TOKEN: ${{ secrets.INFISICAL_TOKEN }}
|
||||
INFISICAL_URL: https://secrets.koval.net
|
||||
run: ansible-playbook --inventory ./inventory ${{ steps.playbooks.outputs.to_run }} -vv
|
||||
|
||||
@@ -25,12 +25,12 @@
|
||||
ansible.builtin.replace:
|
||||
path: "{{ user.home }}/{{ app }}/.env"
|
||||
regexp: "TYPESENSE_API_KEY_VALUE"
|
||||
replace: "{{ lookup('ansible.builtin.password', user.home + '/typesense_secret', length=64, chars=['ascii_letters', 'digits']) }}"
|
||||
replace: "{{ lookup('infisical_vault', env_slug='prod', path='/photos', secret_name='TYPESENSE_API_KEY') }}"
|
||||
- name: Replace DB secret
|
||||
ansible.builtin.replace:
|
||||
path: "{{ user.home }}/{{ app }}/.env"
|
||||
regexp: "DB_PASSWORD_VALUE"
|
||||
replace: "{{ lookup('ansible.builtin.password', user.home + '/db_secret', length=64, chars=['ascii_letters', 'digits']) }}"
|
||||
replace: "{{ lookup('infisical_vault', env_slug='prod', path='/photos', secret_name='DB_PASSWORD') }}"
|
||||
- name: Docker compose up -d
|
||||
ansible.builtin.command: docker compose up -d
|
||||
args:
|
||||
|
||||
@@ -1,30 +0,0 @@
|
||||
- name: Deploy app
|
||||
hosts: photos
|
||||
gather_facts: false
|
||||
vars:
|
||||
app: immich
|
||||
tasks:
|
||||
- name: Wait for connection
|
||||
ansible.builtin.wait_for_connection:
|
||||
timeout: 300
|
||||
- name: Get user
|
||||
ansible.builtin.user:
|
||||
name: debian
|
||||
register: user
|
||||
- name: Docker compose down
|
||||
ansible.builtin.command: docker compose down
|
||||
args:
|
||||
chdir: "{{ user.home }}/{{ app }}"
|
||||
- name: Copy project
|
||||
ansible.builtin.copy:
|
||||
src: "./{{ app }}/docker-compose.yml"
|
||||
dest: "{{ user.home }}/{{ app }}/docker-compose.yml"
|
||||
mode: "0644"
|
||||
- name: Docker compose pull
|
||||
ansible.builtin.command: docker compose pull
|
||||
args:
|
||||
chdir: "{{ user.home }}/{{ app }}"
|
||||
- name: Docker compose up -d
|
||||
ansible.builtin.command: docker compose up -d
|
||||
args:
|
||||
chdir: "{{ user.home }}/{{ app }}"
|
||||
@@ -1,3 +1,4 @@
|
||||
ansible
|
||||
proxmoxer
|
||||
requests
|
||||
infisical
|
||||
|
||||
Reference in New Issue
Block a user