gnunet-svn

[ansible-taler-exchange] 17/19: setup production secrets


From: gnunet
Subject: [ansible-taler-exchange] 17/19: setup production secrets
Date: Sat, 01 Feb 2025 19:52:58 +0100

This is an automated email from the git hooks/post-receive script.

grothoff pushed a commit to branch master
in repository ansible-taler-exchange.

commit 0c3536bc3dec15d653a3d0213e71d9a37ca3191e
Author: Christian Grothoff <christian@grothoff.org>
AuthorDate: Thu Jan 30 12:27:47 2025 +0100

    setup production secrets
---
 README                         |  20 +++++++++++++++-----
 deploy-tops.sh                 |  10 +++++++++-
 playbooks/.gitignore           |   1 +
 playbooks/tops-secrets.yml.gpg | Bin 0 -> 2344 bytes
 4 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/README b/README
index ea185c0..4cc2cdd 100644
--- a/README
+++ b/README
@@ -18,17 +18,27 @@ To run the main playbook (playbooks/setup.yml):
 $ ansible-playbook --verbose --inventory <host> --user root 
playbooks/setup.yml --extra-vars "@playbooks/test-secrets.yml"
 ```
 
+Instead of specifying the host(s) as arguments (note the trailing comma!)
+you can pass an inventory file. See `inventories/`, and update accordingly.
+
 For example, if you are root@taler-ops.ch, you may be able to:
 
 ```
-$ ansible-playbook --verbose --inventory inventories/tops --user root 
playbooks/setup.yml --extra-vars "@playbooks/test-secrets.yml"
+$ ./deploy-tops tops
 ```
 
-Instead of specifying the host(s) as arguments (note the trailing comma!)
-you can pass an inventory file. See `inventories/`, and update accordingly.
+For TOPS production, replace the "test" with "tops" to use the actual secrets
+for the deployment. For this, you first need to decrypt them:
+
+$ gpg -d playbooks/tops-secrets.yml.gpg > playbooks/tops-secrets.yml
+
+Make sure to NEVER commit the decrypted production secrets to Git.
+Instead, if you had to edit them, re-encrypt them to all admins:
 
-For production, replace the "test-secrets.yml" file with the actual secrets
-for your deployment.
+$ cat playbooks/tops-secrets.yml | gpg --encrypt \
+    --recipient grothoff@gnunet.org \
+    --recipient devan@taler.net \
+    --recipient me@fdold.eu > playbooks/tops-secrets.yml.gpg
 
 
 ## Setting up backups
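Review bot: the usage example and the script disagree on the selector: the README says `$ ./deploy-tops tops`, but the file in this commit is `deploy-tops.sh`, and its usage message (same commit) offers 'test' or 'prod' while the playbook loads `playbooks/$1-secrets.yml`, so only `test` and `tops` can resolve to a file that exists here; suggest `./deploy-tops.sh tops` and aligning the script's message. The two new commands (`$ gpg -d playbooks/tops-secrets.yml.gpg > playbooks/tops-secrets.yml` and the `gpg --encrypt` pipeline) are also not inside the ``` fences the rest of this README uses for commands. Since `gpg -d ... > playbooks/tops-secrets.yml` writes the plaintext to disk with the default umask, the paragraph could additionally say that the decrypted file should be removed once the deployment is done (or created under `umask 077`), not only kept out of Git.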
diff --git a/deploy-tops.sh b/deploy-tops.sh
index efeeb4a..673adcc 100755
--- a/deploy-tops.sh
+++ b/deploy-tops.sh
@@ -1,2 +1,10 @@
 #!/bin/sh
-ansible-playbook --verbose --inventory inventories/tops --user root 
playbooks/setup.yml --extra-vars "@playbooks/test-secrets.yml"
\ No newline at end of file
+set -eu
+
+if [ -z ${1:-} ]
+then
+    echo "Call with 'test' or 'prod' to select which secrets to use"
+    exit 1
+fi
+
+ansible-playbook --verbose --inventory inventories/tops --user root 
playbooks/setup.yml --extra-vars "@playbooks/$1-secrets.yml"
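Review bot: in `+if [ -z ${1:-} ]` the expansion is unquoted; with no argument it collapses to `[ -z ]`, which only evaluates true because a one-argument test checks that the string `-z` itself is non-empty, so quote it: `if [ -z "${1:-}" ]`. The message `Call with 'test' or 'prod' to select which secrets to use` names `prod`, but the vars file is `playbooks/$1-secrets.yml` and this commit adds `tops-secrets.yml(.gpg)`, so `prod` makes ansible-playbook fail on a missing vars file; either say 'test' or 'tops', or check `[ -f "playbooks/$1-secrets.yml" ]` before running and print the usage otherwise.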
diff --git a/playbooks/.gitignore b/playbooks/.gitignore
new file mode 100644
index 0000000..effa7aa
--- /dev/null
+++ b/playbooks/.gitignore
@@ -0,0 +1 @@
+tops-secrets.yml
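Review bot: ignoring only `tops-secrets.yml` leaves editor backups and temporary copies of the decrypted file (for example `tops-secrets.yml~` or `tops-secrets.yml.bak`) unignored, so a `git add -A` after editing the secrets could still commit plaintext; consider `tops-secrets.yml*` followed by `!tops-secrets.yml.gpg` so the encrypted file stays tracked.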
diff --git a/playbooks/tops-secrets.yml.gpg b/playbooks/tops-secrets.yml.gpg
new file mode 100644
index 0000000..196d5ad
Binary files /dev/null and b/playbooks/tops-secrets.yml.gpg differ
