diff --git a/.cache_ggshield b/.cache_ggshield
new file mode 100644
index 00000000..957891a4
--- /dev/null
+++ b/.cache_ggshield
@@ -0,0 +1 @@
+{"last_found_secrets": [{"name": "Generic Password - /home/charish/app-configs/searxng_settings.yml.j2", "match": "6e0d657eb1f0fbc40cf0b8f3c3873ef627cc9cb7c4108d1c07d979c04bc8a4bb"}]}
\ No newline at end of file
diff --git a/ansible/app-configs/cloudflared_config.yml.j2 b/ansible/app-configs/cloudflared_config.yml.j2
index e33e71d2..a02e5104 100644
--- a/ansible/app-configs/cloudflared_config.yml.j2
+++ b/ansible/app-configs/cloudflared_config.yml.j2
@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 tunnel: 52bdee6e-8ccb-47be-ba9e-f8010b905e41
 credentials-file: /etc/cloudflared/52bdee6e-8ccb-47be-ba9e-f8010b905e41.json
diff --git a/ansible/app-configs/grafana_beyla.yml.j2 b/ansible/app-configs/grafana_beyla.yml.j2
index 74c4d7d1..5fa9bfa4 100644
--- a/ansible/app-configs/grafana_beyla.yml.j2
+++ b/ansible/app-configs/grafana_beyla.yml.j2
@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 routes:
 patterns:
diff --git a/ansible/app-configs/grafana_mimir.yaml.j2 b/ansible/app-configs/grafana_mimir.yaml.j2
index fb4ef603..80825a17 100644
--- a/ansible/app-configs/grafana_mimir.yaml.j2
+++ b/ansible/app-configs/grafana_mimir.yaml.j2
@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 multitenancy_enabled: false
 no_auth_tenant: rinoa_mimir
diff --git a/ansible/app-configs/grafana_pyroscope_config.yaml.j2 b/ansible/app-configs/grafana_pyroscope_config.yaml.j2
index c41338cf..fe8066be 100644
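Review bot: `.cache_ggshield` is ggshield's local scan cache and this hunk adds it to the repository; it belongs in `.gitignore`, not in the tree. Its `last_found_secrets` entry records a "Generic Password" hit in `app-configs/searxng_settings.yml.j2`, and the `match` field appears to be a hash of the matched value rather than the value itself, but committing it still advertises that a literal secret existed in that template at some point. If that value was ever pushed, rotating it is the safer assumption; the cache file can then be dropped with `git rm --cached .cache_ggshield` once it is ignored.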
--- a/ansible/app-configs/grafana_pyroscope_config.yaml.j2
+++ b/ansible/app-configs/grafana_pyroscope_config.yaml.j2
@@ -1,14 +1,11 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
- storage:
 backend: s3
 s3:
 bucket_name: pyroscope
 endpoint: minio:9000
 region: us-east-fh-pln
- access_key_id: "{{ lookup('community.hashi_vault.hashi_vault', secrets_path + '/access_key_id', url=vault_addr) }}"
- secret_access_key: "{{ lookup('community.hashi_vault.hashi_vault', secrets_path + '/secret_access_key', url=vault_addr) }}"
+ access_key_id: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_PYROSCOPE_STORAGE_ACCESS_KEY'] }}
+ secret_access_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_PYROSCOPE_STORAGE_SECRET_KEY'] }}
 insecure: true
 analytics:
diff --git a/ansible/app-configs/grafana_tempo_config.yml.j2 b/ansible/app-configs/grafana_tempo_config.yml.j2
index 0a568ab1..690b60bd 100644
--- a/ansible/app-configs/grafana_tempo_config.yml.j2
+++ b/ansible/app-configs/grafana_tempo_config.yml.j2
@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 target: all
 http_api_prefix: ""
diff --git a/ansible/app-configs/homepage_bookmarks.yaml.j2 b/ansible/app-configs/homepage_bookmarks.yaml.j2
index 409257b3..3213604c 100644
--- a/ansible/app-configs/homepage_bookmarks.yaml.j2
+++ b/ansible/app-configs/homepage_bookmarks.yaml.j2
@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 ---
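Review bot: The new `access_key_id`/`secret_access_key` lines pass `url=vault_addr`, yet this same hunk deletes the `{% set vault_addr = … %}` line from the top of the file and the playbook's `vars` in this commit do not define it, so unless it arrives from inventory the template fails at render time with an undefined variable (every other template in the commit keeps the `set`). The lookup result is also now written unquoted into YAML, which breaks the file or silently retypes the value if the key contains `: ` or ` #`, starts with `*`, `&`, `[` or `{`, or looks like a number; the same unquoted form is introduced in `searxng_settings.yml.j2` (`secret_key`), `wazuh_wazuh.yml.j2` (`password`), `zitadel_config.yaml.j2` (`User`/`Password`) and `zitadel_secrets.yaml.j2` (`Password`). Passing the value through `to_json` produces a correctly escaped double-quoted scalar that is valid YAML, e.g. `access_key_id: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_PYROSCOPE_STORAGE_ACCESS_KEY'] | to_json }}`.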
diff --git a/ansible/app-configs/homepage_docker.yaml.j2 b/ansible/app-configs/homepage_docker.yaml.j2
index cb9b9a54..58f2932a 100644
--- a/ansible/app-configs/homepage_docker.yaml.j2
+++ b/ansible/app-configs/homepage_docker.yaml.j2
@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 ---
diff --git a/ansible/app-configs/homepage_kubernetes.yaml.j2 b/ansible/app-configs/homepage_kubernetes.yaml.j2
index 4dc63246..edc81b18 100644
--- a/ansible/app-configs/homepage_kubernetes.yaml.j2
+++ b/ansible/app-configs/homepage_kubernetes.yaml.j2
@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 ---
diff --git a/ansible/app-configs/homepage_services.yaml.j2 b/ansible/app-configs/homepage_services.yaml.j2
index ebc14d1d..ceaf0c87 100644
--- a/ansible/app-configs/homepage_services.yaml.j2
+++ b/ansible/app-configs/homepage_services.yaml.j2
@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 ---
 # For configuration options and examples, please see:
diff --git a/ansible/app-configs/homepage_widgets.yaml.j2 b/ansible/app-configs/homepage_widgets.yaml.j2
index 6b24ffca..0e4f004c 100644
--- a/ansible/app-configs/homepage_widgets.yaml.j2
+++ b/ansible/app-configs/homepage_widgets.yaml.j2
@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 ---
 # For configuration options and examples, please see:
@@ -15,9 +15,9 @@
 - resources:
 label: Storage
 expanded: true
- disk:
+ disk:
 - /
- - /rinoa-storage
+ - /rinoa-storage
 - search:
 provider: custom
@@ -30,4 +30,4 @@
 longitude: -73.85
 units: imperial
 provider: openweathermap
- cache: 10
\ No newline at end of file
+ cache: 10
\ No newline at end of file
diff --git a/ansible/app-configs/hugo_frontmatter.json.j2 b/ansible/app-configs/hugo_frontmatter.json.j2
deleted file mode 100644
index 41570405..00000000
--- a/ansible/app-configs/hugo_frontmatter.json.j2
+++ /dev/null
@@ -1,87 +0,0 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
- {
- "$schema": "https://frontmatter.codes/frontmatter.schema.json",
- "frontMatter.framework.id": "hugo",
- "frontMatter.content.pageFolders": [
- {
- "title": "content",
- "path": "[[workspace]]/it-services/content"
- }
- ],
- "frontMatter.content.publicFolder": "static",
- "frontMatter.preview.host": "http://192.168.1.254:1313",
- "frontMatter.website.host": "https://it-services.trez.wtf",
- "frontMatter.taxonomy.contentTypes": [
- {
- "name": "default",
- "pageBundle": false,
- "fields": [
- {
- "title": "Title",
- "name": "title",
- "type": "string"
- },
- {
- "title": "Description",
- "name": "description",
- "type": "string"
- },
- {
- "title": "Publishing date",
- "name": "date",
- "type": "datetime",
- "default": "{{now}}",
- "isPublishDate": true
- },
- {
- "title": "Content preview",
- "name": "preview",
- "type": "image"
- },
- {
- "title": "Is in draft",
- "name": "draft",
- "type": "boolean"
- },
- {
- "title": "Tags",
- "name": "tags",
- "type": "tags"
- },
- {
- "title": "Categories",
- "name": "categories",
- "type": "categories"
- },
- {
- "title": "layout",
- "name": "layout",
- "type": "string"
- }
- ]
- },
- {
- "name": "plain",
- "pageBundle": true,
- "fields": [
- {
- "title": "title",
- "name": "title",
- "type": "string"
- },
- {
- "title": "draft",
- "name": "draft",
- "type": "draft"
- },
- {
- "title": "layout",
- "name": "layout",
- "type": "string"
- }
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/ansible/app-configs/plausible_clickhouse-config.xml.j2 b/ansible/app-configs/plausible_clickhouse-config.xml.j2
index 566b35e3..87e82195 100644
--- a/ansible/app-configs/plausible_clickhouse-config.xml.j2
+++ b/ansible/app-configs/plausible_clickhouse-config.xml.j2
@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
diff --git a/ansible/app-configs/radarec_settings_config.json.j2 b/ansible/app-configs/radarec_settings_config.json.j2
index 3ae5d397..a35180cc 100644
--- a/ansible/app-configs/radarec_settings_config.json.j2
+++ b/ansible/app-configs/radarec_settings_config.json.j2
@@ -1,11 +1,11 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 {
 "radarr_address": "http://radarr:7878",
- "radarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', token=token, url=vault_url, mount_point=secrets_path, key='RADARR_API_KEY') }}",
+ "radarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['RADARR_API_KEY'] }}",
 "root_folder_path": "/data/media/movies",
- "tmdb_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', token=token, url=vault_url, mount_point=secrets_path, key='TMDB_API_KEY') }}",
+ "tmdb_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['TMDB_API_KEY'] }}",
 "fallback_to_top_result": false,
 "radarr_api_timeout": 120.0,
 "quality_profile_id": 1,
diff --git a/ansible/app-configs/sabnzbd.ini.j2 b/ansible/app-configs/sabnzbd.ini.j2
index e567e6ed..4c010cc3 100644
--- a/ansible/app-configs/sabnzbd.ini.j2
+++ b/ansible/app-configs/sabnzbd.ini.j2
@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 __version__ = 19
 __encoding__ = utf-8
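Review bot: The new `radarr_api_key`/`tmdb_api_key` lines wrap the lookup result in literal double quotes, so a key containing `"` or `\` yields invalid JSON; the same pattern is introduced for `sonarr_api_key`/`tmdb_api_key` in `sonashow_settings_config.json.j2`. Emitting the value through `to_json` and dropping the surrounding quotes gives a correctly escaped JSON string: `"radarr_api_key": {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['RADARR_API_KEY'] | to_json }},`. Separately, this hunk quotes `secrets_path` but nothing in the file references it any more, since the lookup hard-codes `engine_mount_point='rinoa-docker'` and the `'env'` path; the same dead `set` line is left in `sabnzbd.ini.j2`, `searxng_settings.yml.j2`, `wazuh_wazuh.yml.j2`, `zitadel_config.yaml.j2` and `zitadel_secrets.yaml.j2`, and it should either feed the lookup or be removed.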
@@ -22,7 +22,7 @@ host = 0.0.0.0
 port = 8080
 https_port = 8090
 username = thetrezuredone
-password = {{ lookup('community.hashi_vault.vault_kv2_get', token=token, url=vault_url, mount_point=secrets_path, key='SABNZBDVPN_PASSWORD') }}
+password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_PASSWORD'] }}
 bandwidth_max = 1000M
 cache_limit = 1G
 web_dir = Glitter
@@ -33,7 +33,7 @@ https_chain = ""
 enable_https = 1
 inet_exposure = 0
 local_ranges = ,
-api_key = {{ lookup('community.hashi_vault.vault_kv2_get', token=token, url=vault_url, mount_point=secrets_path, key='SABNZBDVPN_API_KEY') }}
+api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_API_KEY'] }}
 nzb_key = 3c0fa874bb2748b58c1bd7512e649946
 permissions = 775
 download_dir = /storage/downloads/incomplete
@@ -342,7 +342,7 @@ host = news.newshosting.com
 port = 563
 timeout = 60
 username = thetrezuredone
-password = "{{ lookup('community.hashi_vault.vault_kv2_get', token=token, url=vault_url, mount_point=secrets_path, key='SLSKD_PASSWORD') }}"
+password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_PASSWORD'] }}
 connections = 8
 ssl = 1
 ssl_verify = 3
@@ -363,7 +363,7 @@ host = news.easynews.com
 port = 443
 timeout = 60
 username = TrezOne
-password = "{{ lookup('community.hashi_vault.vault_kv2_get', token=token, url=vault_url, mount_point=secrets_path, key='SABNZBDVPN_EASYNEWS_PASSWORD') }}"
+password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_EASYNEWS_PASSWORD'] }}
 connections = 60
 ssl = 0
 ssl_verify = 3
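Review bot: Each of the four changed `password`/`api_key` lines performs its own `vault_kv2_get` of the same `rinoa-docker/env` secret, so one render makes four Vault reads with the token; a single `{% set vault_env = lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret'] %}` at the top of the file, with each line reduced to `vault_env['SABNZBDVPN_PASSWORD']` and so on, fetches once and reads the same way. The hunks at lines 342 and 363 also drop the double quotes the old lines had; if SABnzbd reads this file with configobj, a bare value containing a comma is parsed as a list, so confirm the parser before relying on unquoted values. The `news.newshosting.com` server password reads `SLSKD_PASSWORD`, a key whose name belongs to slskd rather than a news server, which looks like a copied key name worth checking. The `nzb_key = 3c0fa874bb2748b58c1bd7512e649946` context line directly under the new `api_key` is still a literal credential in the template and is a candidate for the same Vault treatment.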
diff --git a/ansible/app-configs/scrutiny_config.yaml.j2 b/ansible/app-configs/scrutiny_config.yaml.j2
index 4ec375d3..e192a936 100644
--- a/ansible/app-configs/scrutiny_config.yaml.j2
+++ b/ansible/app-configs/scrutiny_config.yaml.j2
@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 bolt-path: /opt/scrutiny/influxdb/influxd.bolt
 engine-path: /opt/scrutiny/influxdb/engine
diff --git a/ansible/app-configs/searxng_settings.yml.j2 b/ansible/app-configs/searxng_settings.yml.j2
index b321a8e7..5f1301eb 100644
--- a/ansible/app-configs/searxng_settings.yml.j2
+++ b/ansible/app-configs/searxng_settings.yml.j2
@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 general:
 # Debug mode, only for development. Is overwritten by ${SEARXNG_DEBUG}
@@ -82,7 +82,7 @@ server:
 # If your instance owns a /etc/searxng/settings.yml file, then set the following
 # values there.
- secret_key: "{{ lookup('community.hashi_vault.vault_kv2_get', token=token, url=vault_url, mount_point=secrets_path, key='SEARXNG_SECRET_KEY') }}" # Is overwritten by ${SEARXNG_SECRET}
+ secret_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SEARXNG_SECRET_KEY'] }} # Is overwritten by ${SEARXNG_SECRET}
 # Proxying image results through searx
 image_proxy: true
 # 1.0 and 1.1 are supported
@@ -1278,7 +1278,7 @@ engines:
 url: https://thepiratebay.org/
 timeout: 3.0
- # Required dependency: psychopg2
+ {# # Required dependency: psychopg2
 # - name: postgresql
 # engine: postgresql
 # database: postgres
@@ -1286,7 +1286,7 @@ engines:
 # password: postgres
 # limit: 10
 # query_str: 'SELECT * from my_table WHERE my_column = %(query)s'
- # shortcut : psql
+ # shortcut : psql #}
 - name: pub.dev
 engine: xpath
@@ -1362,7 +1362,7 @@ engines:
 categories: [videos, web]
 network: qwant
- # - name: library
+ {# # - name: library
 # engine: recoll
 # shortcut: lib
 # base_url: 'https://recoll.example.org/'
@@ -1382,7 +1382,7 @@ engines:
 # shortcut: libr
 # timeout: 30.0
 # categories: files
- # disabled: true
+ # disabled: true #}
 - name: radio browser
 engine: radio_browser
@@ -1393,7 +1393,7 @@ engines:
 shortcut: re
 page_size: 25
- # Required dependency: redis
+ {# # Required dependency: redis
 # - name: myredis
 # shortcut : rds
 # engine: redis_server
@@ -1408,7 +1408,7 @@ engines:
 # - name: scanr structures
 # shortcut: scs
 # engine: scanr_structures
- # disabled: true
+ # disabled: true #}
 - name: sepiasearch
 engine: sepiasearch
@@ -1451,20 +1451,20 @@ engines:
 shortcut: frl
 disabled: true
- # - name: searx
+ {# # - name: searx
 # engine: searx_engine
 # shortcut: se
 # instance_urls :
 # - http://127.0.0.1:8888/
 # - ...
- # disabled: true
+ # disabled: true #}
 - name: semantic scholar
 engine: semantic_scholar
 disabled: true
 shortcut: se
- # Spotify needs API credentials
+ {# # Spotify needs API credentials
 # - name: spotify
 # engine: spotify
 # shortcut: stf
@@ -1488,7 +1488,7 @@ engines:
 # # working API key, for test & debug: "a69685087d07eca9f13db62f65b8f601"
 # api_key: 'unset'
 # shortcut: springer
- # timeout: 15.0
+ # timeout: 15.0 #}
 - name: startpage
 engine: startpage
@@ -2151,84 +2151,84 @@ engines:
 use_official_api: false
 require_api_key: false
 results: HTML
+{#
+Doku engine lets you access to any Doku wiki instance:
+A public one or a privete/corporate one.
+ - name: ubuntuwiki
+ engine: doku
+ shortcut: uw
+ base_url: 'https://doc.ubuntu-fr.org'
-# Doku engine lets you access to any Doku wiki instance:
-# A public one or a privete/corporate one.
-# - name: ubuntuwiki
-# engine: doku
-# shortcut: uw
-# base_url: 'https://doc.ubuntu-fr.org'
+Be careful when enabling this engine if you are
+running a public instance. Do not expose any sensitive
+information. You can restrict access by configuring a list
+of access tokens under tokens.
+ - name: git grep
+ engine: command
+ command: ['git', 'grep', '{{QUERY}}']
+ shortcut: gg
+ tokens: []
+ disabled: true
+ delimiter:
+ chars: ':'
+ keys: ['filepath', 'code']
-# Be careful when enabling this engine if you are
-# running a public instance. Do not expose any sensitive
-# information. You can restrict access by configuring a list
-# of access tokens under tokens.
-# - name: git grep
-# engine: command
-# command: ['git', 'grep', '{{QUERY}}']
-# shortcut: gg
-# tokens: []
-# disabled: true
-# delimiter:
-# chars: ':'
-# keys: ['filepath', 'code']
+Be careful when enabling this engine if you are
+running a public instance. Do not expose any sensitive
+information. You can restrict access by configuring a list
+of access tokens under tokens.
+ - name: locate
+ engine: command
+ command: ['locate', '{{QUERY}}']
+ shortcut: loc
+ tokens: []
+ disabled: true
+ delimiter:
+ chars: ' '
+ keys: ['line']
-# Be careful when enabling this engine if you are
-# running a public instance. Do not expose any sensitive
-# information. You can restrict access by configuring a list
-# of access tokens under tokens.
-# - name: locate
-# engine: command
-# command: ['locate', '{{QUERY}}']
-# shortcut: loc
-# tokens: []
-# disabled: true
-# delimiter:
-# chars: ' '
-# keys: ['line']
+Be careful when enabling this engine if you are
+running a public instance. Do not expose any sensitive
+information. You can restrict access by configuring a list
+of access tokens under tokens.
+ - name: find
+ engine: command
+ command: ['find', '.', '-name', '{{QUERY}}']
+ query_type: path
+ shortcut: fnd
+ tokens: []
+ disabled: true
+ delimiter:
+ chars: ' '
+ keys: ['line']
-# Be careful when enabling this engine if you are
-# running a public instance. Do not expose any sensitive
-# information. You can restrict access by configuring a list
-# of access tokens under tokens.
-# - name: find
-# engine: command
-# command: ['find', '.', '-name', '{{QUERY}}']
-# query_type: path
-# shortcut: fnd
-# tokens: []
-# disabled: true
-# delimiter:
-# chars: ' '
-# keys: ['line']
+Be careful when enabling this engine if you are
+running a public instance. Do not expose any sensitive
+information. You can restrict access by configuring a list
+of access tokens under tokens.
+ - name: pattern search in files
+ engine: command
+ command: ['fgrep', '{{QUERY}}']
+ shortcut: fgr
+ tokens: []
+ disabled: true
+ delimiter:
+ chars: ' '
+ keys: ['line']
-# Be careful when enabling this engine if you are
-# running a public instance. Do not expose any sensitive
-# information. You can restrict access by configuring a list
-# of access tokens under tokens.
-# - name: pattern search in files
-# engine: command
-# command: ['fgrep', '{{QUERY}}']
-# shortcut: fgr
-# tokens: []
-# disabled: true
-# delimiter:
-# chars: ' '
-# keys: ['line']
-
-# Be careful when enabling this engine if you are
-# running a public instance. Do not expose any sensitive
-# information. You can restrict access by configuring a list
-# of access tokens under tokens.
-# - name: regex search in files
-# engine: command
-# command: ['grep', '{{QUERY}}']
-# shortcut: gr
-# tokens: []
-# disabled: true
-# delimiter:
-# chars: ' '
-# keys: ['line']
+Be careful when enabling this engine if you are
+running a public instance. Do not expose any sensitive
+information. You can restrict access by configuring a list
+of access tokens under tokens.
+ - name: regex search in files
+ engine: command
+ command: ['grep', '{{QUERY}}']
+ shortcut: gr
+ tokens: []
+ disabled: true
+ delimiter:
+ chars: ' '
+ keys: ['line'] #}
 doi_resolvers:
 oadoi.org: 'https://oadoi.org/'
diff --git a/ansible/app-configs/searxng_uwsgi.ini.j2 b/ansible/app-configs/searxng_uwsgi.ini.j2
index edb583fd..0a01698e 100644
--- a/ansible/app-configs/searxng_uwsgi.ini.j2
+++ b/ansible/app-configs/searxng_uwsgi.ini.j2
@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 [uwsgi]
 # Who will run the code
diff --git a/ansible/app-configs/sonashow_settings_config.json.j2 b/ansible/app-configs/sonashow_settings_config.json.j2
index 61089251..5441e156 100644
--- a/ansible/app-configs/sonashow_settings_config.json.j2
+++ b/ansible/app-configs/sonashow_settings_config.json.j2
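Review bot: The `{# … #}` blocks introduced across the `engines:` hunks (from line 1278 through the block that ends here at `keys: ['line'] #}`) remove the upstream example engines from the rendered `settings.yml` entirely, and this last block also strips the leading `# ` from every line while the earlier blocks keep it, so the same intent is expressed in two different shapes. If the goal is only to stop Ansible from templating `'{{QUERY}}'` inside the commented examples, wrapping those regions in `{% raw %} … {% endraw %}` keeps them as YAML comments in the rendered file and removes the inconsistency; if dropping them is intended, a short comment at the first block such as `{# upstream example engines omitted: they contain '{{QUERY}}', which Ansible would try to template #}` would record the reason.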
@@ -1,12 +1,12 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 {
 "sonarr_address": "http://192.168.1.2:8989",
- "sonarr_api_key": "",
+ "sonarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SONARR_API_KEY'] }}",
 "root_folder_path": "/data/media/shows",
 "tvdb_api_key": "",
- "tmdb_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', token=token, url=vault_url, mount_point=secrets_path, key='TMDB_API_KEY') }}",
+ "tmdb_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['TMDB_API_KEY'] }}",
 "fallback_to_top_result": false,
 "sonarr_api_timeout": 120.0,
 "quality_profile_id": 1,
diff --git a/ansible/app-configs/soulseek_slskd.yml.j2 b/ansible/app-configs/soulseek_slskd.yml.j2
index 733ef5d2..802fb1e1 100644
--- a/ansible/app-configs/soulseek_slskd.yml.j2
+++ b/ansible/app-configs/soulseek_slskd.yml.j2
@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 # debug: false
 # remote_configuration: false
diff --git a/ansible/app-configs/traccar_traccar.xml.j2 b/ansible/app-configs/traccar_traccar.xml.j2
index 48de81fd..8d1f9bc5 100644
--- a/ansible/app-configs/traccar_traccar.xml.j2
+++ b/ansible/app-configs/traccar_traccar.xml.j2
@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
@@ -24,6 +24,6 @@
 org.postgresql.Driver
 jdbc:postgresql://traccar-pg:5432/traccar-db
 traccar
- "{{ lookup('community.hashi_vault.vault_kv2_get', token=token, url=vault_url, mount_point=secrets_path, key='WAZUH_API_PASSWORD') }}"
+ {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['WAZUH_API_PASSWORD'] }}
diff --git a/ansible/app-configs/unmanic_settings.json.j2 b/ansible/app-configs/unmanic_settings.json.j2
index b232c057..3780f978 100644
--- a/ansible/app-configs/unmanic_settings.json.j2
+++ b/ansible/app-configs/unmanic_settings.json.j2
@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 {
 "always_keep_failed_tasks": true,
diff --git a/ansible/app-configs/wazuh_certs.yml.j2 b/ansible/app-configs/wazuh_certs.yml.j2
index af0f9ce9..ee3ee970 100644
--- a/ansible/app-configs/wazuh_certs.yml.j2
+++ b/ansible/app-configs/wazuh_certs.yml.j2
@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 nodes:
 # Wazuh indexer server nodes
diff --git a/ansible/app-configs/wazuh_wazuh.indexer.yml.j2 b/ansible/app-configs/wazuh_wazuh.indexer.yml.j2
index 22bcbcf6..7bff9be1 100644
--- a/ansible/app-configs/wazuh_wazuh.indexer.yml.j2
+++ b/ansible/app-configs/wazuh_wazuh.indexer.yml.j2
@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 network.host: "0.0.0.0"
 node.name: "wazuh.indexer"
diff --git a/ansible/app-configs/wazuh_wazuh.yml.j2 b/ansible/app-configs/wazuh_wazuh.yml.j2
index f0523628..bb1995c8 100644
--- a/ansible/app-configs/wazuh_wazuh.yml.j2
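Review bot: The new password line (the XML element markup has been stripped on this page, but it sits under the `traccar` user entry) renders the Vault value straight into XML text with no escaping, so a password containing `&`, `<` or `>` produces a `traccar.xml` that fails to parse or, depending on the parser, silently loses part of the value. Jinja's `escape` filter covers the XML metacharacters: `{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['WAZUH_API_PASSWORD'] | escape }}`. The key name `WAZUH_API_PASSWORD` for a Traccar database password is the same key `wazuh_wazuh.yml.j2` reads for the Wazuh API, which looks copied; confirm the Traccar DB really shares that credential rather than this being the wrong key.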
+++ b/ansible/app-configs/wazuh_wazuh.yml.j2
@@ -1,10 +1,10 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 hosts:
 - 1513629884013:
 url: "https://wazuh.manager"
 port: 55000
 username: wazuh-wui
- password: "{{ lookup('community.hashi_vault.vault_kv2_get', token=token, url=vault_url, mount_point=secrets_path, key='WAZUH_API_PASSWORD') }}"
+ password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['WAZUH_API_PASSWORD'] }}
 run_as: false
diff --git a/ansible/app-configs/youtubedl_config.yml.j2 b/ansible/app-configs/youtubedl_config.yml.j2
index 29a39bb1..cead77f8 100644
--- a/ansible/app-configs/youtubedl_config.yml.j2
+++ b/ansible/app-configs/youtubedl_config.yml.j2
@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 ydl_server: # youtube-dl-server specific settings
 port: 8080 # Port youtube-dl-server should listen on
diff --git a/ansible/app-configs/zitadel_config.yaml.j2 b/ansible/app-configs/zitadel_config.yaml.j2
index 2cacf206..708a5a64 100644
--- a/ansible/app-configs/zitadel_config.yaml.j2
+++ b/ansible/app-configs/zitadel_config.yaml.j2
@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 # All possible options and their defaults: https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
 Log:
@@ -37,7 +37,7 @@ SMTPConfiguration:
 SMTP:
 # must include the port, like smtp.mailtrap.io:2525. IPv6 is also supported, like [2001:db8::1]:2525
 Host: 'postal-smtp:25'
- User: "{{ lookup('community.hashi_vault.vault_kv2_get', token=token, url=vault_url, mount_point=secrets_path, key='POSTAL_SMTP_AUTH_USER') }}"
- Password: "{{ lookup('community.hashi_vault.vault_kv2_get', token=token, url=vault_url, mount_point=secrets_path, key='POSTAL_SMTP_AUTH_PASSWORD') }}"
+ User: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}
+ Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}
 From: 'noreply@trez.wtf'
 FromName: 'Zitadel @ Rinoa'
\ No newline at end of file
diff --git a/ansible/app-configs/zitadel_init-steps.yaml.j2 b/ansible/app-configs/zitadel_init-steps.yaml.j2
index 696aaf17..e89ac851 100644
--- a/ansible/app-configs/zitadel_init-steps.yaml.j2
+++ b/ansible/app-configs/zitadel_init-steps.yaml.j2
@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 # All possible options and their defaults: https://github.com/zitadel/zitadel/blob/main/cmd/setup/steps.yaml
 FirstInstance:
@@ -8,6 +8,6 @@ FirstInstance:
 # use the loginname root@my-org.my.domain
 Username: 'root'
 Password: 'RootPassword1!'
- Email:
+ Email:
 Address: 'charish.patel@trez.wtf'
 Verified: true
\ No newline at end of file
diff --git a/ansible/app-configs/zitadel_secrets.yaml.j2 b/ansible/app-configs/zitadel_secrets.yaml.j2
index 733105f1..201034c8 100644
--- a/ansible/app-configs/zitadel_secrets.yaml.j2
+++ b/ansible/app-configs/zitadel_secrets.yaml.j2
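Review bot: In the second hunk of `zitadel_init-steps.yaml.j2`, the context line `Password: 'RootPassword1!'` under `FirstInstance` stays a plaintext literal while this commit moves every other credential in the tree to Vault lookups; it is the bootstrap admin password of the identity provider, committed to the repository. Unless Zitadel is configured to force a change at first login, it deserves the same treatment as the others, e.g. `Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ZITADEL_ROOT_PASSWORD'] | to_json }}` (constructed key name; use whatever is actually stored in Vault). The `Email:` change in that hunk appears to be whitespace-only and could be dropped from the commit.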
@@ -1,5 +1,5 @@
-{% set vault_addr = https://vault.trez.wtf %}
-{% set secrets_path = rinoa-docker/env %}
+{% set vault_addr = 'https://vault.trez.wtf' %}
+{% set secrets_path = 'rinoa-docker/env' %}
 # If not using the docker compose example, adjust these values for connecting ZITADEL to your PostgreSQL Database:
@@ -7,7 +7,7 @@ Database:
 User: # If the user doesn't exist already, it is created
 Username: 'zitadel'
- Password: "{{ lookup('community.hashi_vault.vault_kv2_get', token=token, url=vault_url, mount_point=secrets_path, key='ZITADEL_DB_PASSWORD') }}"
+ Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ZITADEL_DB_PASSWORD'] }}
 Admin:
 Username: 'root'
- Password: "{{ lookup('community.hashi_vault.vault_kv2_get', token=token, url=vault_url, mount_point=secrets_path, key='ZITADEL_DB_ADMIN_PASSWORD') }}"
\ No newline at end of file
+ Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ZITADEL_DB_ADMIN_PASSWORD'] }}
\ No newline at end of file
diff --git a/ansible/docker_config_deploy.yml b/ansible/docker_config_deploy.yml
index 34bfc811..c968be4d 100644
--- a/ansible/docker_config_deploy.yml
+++ b/ansible/docker_config_deploy.yml
@@ -1,34 +1,20 @@
 ---
 - name: Deploy config templates and trigger GitHub workflow
- hosts: rinoa
+ hosts: all
 vars:
- appdata_base_path: "/home/charish/.docker/config/appdata"
+ appdata_base_path: "~/.docker/config/appdata"
+
 tasks:
 - name: Ensure target directories exist
 ansible.builtin.file:
- path: "{{ appdata_base_path }}/{{ item | basename | regex_replace('\\.j2$', '') | regex_replace('_', '/') | regex_replace('/[^/]+$', '') }}"
+ path: "{{ appdata_base_path }}/{{ (item | basename | regex_replace('\\.j2$', '') | regex_replace('_', '/') | regex_replace('/[^/]+$', '')) }}"
 state: directory
 mode: '0755'
- loop: "{{ lookup('fileglob', 'app-configs/*.j2') }}"
+ loop: "{{ query('fileglob', 'app-configs/*.j2') }}"
 - name: Deploy configuration templates
 ansible.builtin.template:
 src: "{{ item }}"
 dest: "{{ appdata_base_path }}/{{ item | basename | regex_replace('\\.j2$', '') | regex_replace('_', '/') }}"
 mode: '0644'
- loop: "{{ lookup('fileglob', 'app-configs/*.j2') }}"
-
- # - name: Trigger GitHub workflow
- # uri:
- # url: "https://api.github.com/repos///actions/workflows//dispatches"
- # method: POST
- # headers:
- # Authorization: "Bearer {{ github_token }}"
- # Accept: "application/vnd.github.v3+json"
- # body:
- # ref: "main"
- # body_format: json
- # vars:
- # github_token: "YOUR_GITHUB_PERSONAL_ACCESS_TOKEN"
- # # Replace , , and with actual values
- # delegate_to: localhost
+ loop: "{{ query('fileglob', 'app-configs/*.j2') }}"
diff --git a/ansible/secrets.yml b/ansible/secrets.yml
deleted file mode 100644
index be045155..00000000
--- a/ansible/secrets.yml
+++ /dev/null
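Review bot: The `ansible.builtin.template` task in this hunk now writes files that, after this commit, contain Vault-fetched passwords and API keys, yet the context line `mode: '0644'` leaves them world-readable on the target and the directory task keeps `mode: '0755'`; `mode: '0600'` (or `'0640'` with an owning group) for the rendered files is the safer default, and `no_log: true` on the template task stops a `--diff` run from printing the rendered secrets to the console and job logs. The play scope also widens from `hosts: rinoa` to `hosts: all`, which pushes every rendered config, secrets included, to every host in the inventory; if only the Docker host should receive them, keep a host or group pattern. Finally, the templates reference `vault_token_cleaned`, which this playbook's `vars` do not define, so it presumably arrives via inventory or `--extra-vars`; worth confirming it is never sourced from a committed file, particularly as `ansible/secrets.yml` is deleted in this same commit.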
@@ -1,7 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-38346631616139316365316566386362396661323163306339303635646331373061323531626431
-3435373031363739356261656239633835393963636663370a613166653463656337666366633639
-37373637326633363430633336646165343764303063663636313835326130663532323037663331
-6332353339656134370a353435396532663932313535646636333262353238386331313764633635
-63383065623930653134666261353439366535646661383434386261393232373432353937636535
-3432336137393737643735346665303832653630316439333565