Migrate Photos VM to read secrets from Infisical #25

Merged
cyclane merged 1 commits from photos-infisical-secrets into main 2024-01-04 13:09:17 +00:00
4 changed files with 6 additions and 33 deletions


@ -29,7 +29,7 @@ jobs:
apt update apt update
apt install -y python3-pip apt install -y python3-pip
pip3 install -r requirements.txt pip3 install -r requirements.txt
ansible-galaxy collection install community.general ansible-galaxy collection install community.general infisical.vault
- name: Check playbooks - name: Check playbooks
run: | run: |
@ -76,4 +76,6 @@ jobs:
INFISICAL_ENCRYPTION_KEY: ${{ secrets.INFISICAL_ENCRYPTION_KEY }} INFISICAL_ENCRYPTION_KEY: ${{ secrets.INFISICAL_ENCRYPTION_KEY }}
INFISICAL_AUTH_SECRET: ${{ secrets.INFISICAL_AUTH_SECRET }} INFISICAL_AUTH_SECRET: ${{ secrets.INFISICAL_AUTH_SECRET }}
INFISICAL_MONGO_PASSWORD: ${{ secrets.INFISICAL_MONGO_PASSWORD }} INFISICAL_MONGO_PASSWORD: ${{ secrets.INFISICAL_MONGO_PASSWORD }}
INFISICAL_TOKEN: ${{ secrets.INFISICAL_TOKEN }}
INFISICAL_URL: https://secrets.koval.net
run: ansible-playbook --inventory ./inventory ${{ steps.playbooks.outputs.to_run }} -vv run: ansible-playbook --inventory ./inventory ${{ steps.playbooks.outputs.to_run }} -vv
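Review bot: The secrets fetched from Infisical end up in plaintext CI logs on any task failure, because this run line keeps `-vv` and the values the `infisical_vault` lookup returns are not CI-registered secrets, so the masker that redacts `secrets.INFISICAL_TOKEN` does not know them; a failing `replace` task dumps its `module_args`, secret included. Either drop `-vv` here or mark the secret-writing tasks `no_log: true` in the playbook. `INFISICAL_TOKEN` appears to be a long-lived service token held in CI; if Infisical supports it, scope that token read-only to the `prod` environment and `/photos` path so a leaked runner token cannot read other projects. The job's `env` block and the step it belongs to start above this hunk.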


@ -25,12 +25,12 @@
ansible.builtin.replace: ansible.builtin.replace:
path: "{{ user.home }}/{{ app }}/.env" path: "{{ user.home }}/{{ app }}/.env"
regexp: "TYPESENSE_API_KEY_VALUE" regexp: "TYPESENSE_API_KEY_VALUE"
replace: "{{ lookup('ansible.builtin.password', user.home + '/typesense_secret', length=64, chars=['ascii_letters', 'digits']) }}" replace: "{{ lookup('infisical_vault', env_slug='prod', path='/photos', secret_name='TYPESENSE_API_KEY') }}"
- name: Replace DB secret - name: Replace DB secret
ansible.builtin.replace: ansible.builtin.replace:
path: "{{ user.home }}/{{ app }}/.env" path: "{{ user.home }}/{{ app }}/.env"
regexp: "DB_PASSWORD_VALUE" regexp: "DB_PASSWORD_VALUE"
replace: "{{ lookup('ansible.builtin.password', user.home + '/db_secret', length=64, chars=['ascii_letters', 'digits']) }}" replace: "{{ lookup('infisical_vault', env_slug='prod', path='/photos', secret_name='DB_PASSWORD') }}"
- name: Docker compose up -d - name: Docker compose up -d
ansible.builtin.command: docker compose up -d ansible.builtin.command: docker compose up -d
args: args:
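Review bot: Both `replace` tasks should carry `no_log: true`, because the lookup result is templated into the task's `replace` argument and Ansible prints those args, plaintext secret included, whenever the task fails or runs verbosely. The previous `password` lookup constrained the value to `ascii_letters`/`digits`; an Infisical secret is arbitrary text, and `ansible.builtin.replace` expands backreferences in `replace`, so a value containing `\` could be mangled — escape it (`replace: "{{ lookup(...) | replace('\\', '\\\\') }}"`) or write the line with `ansible.builtin.lineinfile`/`template` instead. The play header and the `user` fact these tasks use start above the hunk; from here I cannot tell whether `.env` is re-copied on every run, and if it is not, the placeholder is consumed on the first run and later rotations in Infisical never reach the host.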


@ -1,30 +0,0 @@
- name: Deploy app
hosts: photos
gather_facts: false
vars:
app: immich
tasks:
- name: Wait for connection
ansible.builtin.wait_for_connection:
timeout: 300
- name: Get user
ansible.builtin.user:
name: debian
register: user
- name: Docker compose down
ansible.builtin.command: docker compose down
args:
chdir: "{{ user.home }}/{{ app }}"
- name: Copy project
ansible.builtin.copy:
src: "./{{ app }}/docker-compose.yml"
dest: "{{ user.home }}/{{ app }}/docker-compose.yml"
mode: "0644"
- name: Docker compose pull
ansible.builtin.command: docker compose pull
args:
chdir: "{{ user.home }}/{{ app }}"
- name: Docker compose up -d
ansible.builtin.command: docker compose up -d
args:
chdir: "{{ user.home }}/{{ app }}"


@ -1,3 +1,4 @@
ansible ansible
proxmoxer proxmoxer
requests requests
infisical
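Review bot: `infisical` is added without a version pin, and the workflow installs it fresh on every run with `pip3 install -r requirements.txt`, so any newly published (or hijacked) release lands in the production deploy job unreviewed; pin it, e.g. `infisical==<tested version>`, ideally with `--require-hashes`. The existing entries are unpinned too, so this follows the file's convention, but the package sitting on the secrets path is the one to start with. The same applies to the `infisical.vault` collection the workflow installs via `ansible-galaxy` (`infisical.vault:<version>`).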