From add421bb81335cd64cd4da640e0348af6b6a7c30 Mon Sep 17 00:00:00 2001 
From: "Trez.One" Date: Fri, 13 Jun 2025 21:52:09 -0400 Subject: [PATCH] Adding Jinja macro for Vault lookup. --- .../adguardhome/AdGuardHome.yaml.j2 | 3 ++- ansible/app-configs/apprise/apprise.yml.j2 | 5 ++-- .../app-configs/authelia/configuration.yml.j2 | 19 +++++++------- ansible/app-configs/cloudflared/config.yml.j2 | 1 + ansible/app-configs/crowdsec/acquis.yaml.j2 | 1 + ansible/app-configs/crowdsec/config.yaml.j2 | 1 + .../crowdsec/local-api-credentials.yaml.j2 | 3 ++- .../crowdsec/online-api-credentials.yaml.j2 | 5 ++-- ansible/app-configs/crowdsec/profiles.yaml.j2 | 1 + .../ghost/ghost_config.production.json.j2 | 7 +++--- .../gitea/act-runner/config.yaml.j2 | 3 +++ ansible/app-configs/gitea/app.ini.j2 | 11 ++++---- .../gitea/gitea-sonarqube-bot/config.yaml.j2 | 9 ++++--- .../grafana/alloy/alloy_endpoints.json.j2 | 1 + .../app-configs/grafana/beyla/beyla.yml.j2 | 1 + .../app-configs/grafana/mimir/mimir.yaml.j2 | 1 + .../grafana/pyroscope/config.yaml.j2 | 5 ++-- .../app-configs/grafana/tempo/config.yml.j2 | 1 + .../app-configs/grafana/tempo/tempo.yaml.j2 | 5 ++-- .../app-configs/homepage/bookmarks.yaml.j2 | 1 + ansible/app-configs/homepage/docker.yaml.j2 | 1 + .../app-configs/homepage/kubernetes.yaml.j2 | 1 + ansible/app-configs/homepage/services.yaml.j2 | 3 ++- ansible/app-configs/homepage/settings.yaml.j2 | 3 ++- ansible/app-configs/homepage/widgets.yaml.j2 | 1 + ansible/app-configs/invidious/config.yml.j2 | 9 ++++--- .../invoice-ninja/invoice-ninja.env.j2 | 9 ++++--- .../app-configs/librechat/librechat.env.j2 | 23 +++++++++-------- .../app-configs/librechat/librechat.yaml.j2 | 1 + ansible/app-configs/lidarr/config.xml.j2 | 3 ++- ansible/app-configs/lidify/config.json.j2 | 13 +++++----- ansible/app-configs/loggifly/config.yaml.j2 | 3 ++- ansible/app-configs/mirotalk/src/config.js.j2 | 1 + .../multi-scrobbler/config.json.j2 | 23 +++++++++-------- .../app-configs/netbird/management.json.j2 | 25 ++++++++++--------- .../netbird/openid-configuration.json.j2 | 1 + 
.../app-configs/netbird/turnserver.conf.j2 | 3 ++- .../plausible/clickhouse-config.xml.j2 | 1 + ansible/app-configs/postal/postal.yml.j2 | 9 ++++--- ansible/app-configs/prowlarr/config.xml.j2 | 3 ++- ansible/app-configs/radarec/config.json.j2 | 5 ++-- ansible/app-configs/radarr/config.xml.j2 | 3 ++- ansible/app-configs/readarr/config.xml.j2 | 3 ++- ansible/app-configs/romm/config.yml.j2 | 1 + ansible/app-configs/sabnzbdvpn/sabnzbd.ini.j2 | 9 ++++--- .../scrutiny/config/config.yaml.j2 | 1 + ansible/app-configs/searxng/settings.yml.j2 | 3 ++- ansible/app-configs/searxng/uwsgi.ini.j2 | 1 + .../signoz/clickhouse/cluster.ha.xml.j2 | 1 + .../signoz/clickhouse/cluster.xml.j2 | 1 + .../signoz/clickhouse/config.xml.j2 | 1 + .../signoz/clickhouse/custom-function.xml.j2 | 1 + .../signoz/clickhouse/storage.xml.j2 | 1 + .../signoz/clickhouse/users.xml.j2 | 1 + .../signoz/otel/otel-collector-config.yaml.j2 | 1 + .../otel/otel-collector-opamp-config.yaml.j2 | 1 + ansible/app-configs/signoz/prometheus.yml.j2 | 1 + ansible/app-configs/sonarr/config.xml.j2 | 3 ++- ansible/app-configs/sonashow/config.json.j2 | 5 ++-- ansible/app-configs/soularr/config.ini.j2 | 5 ++-- ansible/app-configs/soulseek/slskd.yml.j2 | 7 +++--- ansible/app-configs/sourcebot/config.json.j2 | 3 ++- ansible/app-configs/traccar/traccar.xml.j2 | 3 ++- ansible/app-configs/unmanic/settings.json.j2 | 1 + ansible/app-configs/vector/vector.yaml.j2 | 3 ++- ansible/app-configs/wazuh/certs.yml.j2 | 1 + .../app-configs/wazuh/wazuh.indexer.yml.j2 | 1 + ansible/app-configs/wazuh/wazuh.yml.j2 | 3 ++- ansible/app-configs/youtubedl/config.yml.j2 | 1 + ansible/app-configs/zitadel/config.yaml.j2 | 5 ++-- .../app-configs/zitadel/init-steps.yaml.j2 | 1 + ansible/app-configs/zitadel/secrets.yaml.j2 | 5 ++-- ansible/macros/rinoa-macros.j2 | 3 +++ 73 files changed, 191 insertions(+), 114 deletions(-) create mode 100644 ansible/macros/rinoa-macros.j2 
diff --git a/ansible/app-configs/adguardhome/AdGuardHome.yaml.j2 b/ansible/app-configs/adguardhome/AdGuardHome.yaml.j2 index 8265074b..58dc4a49 100644 --- a/ansible/app-configs/adguardhome/AdGuardHome.yaml.j2 +++ b/ansible/app-configs/adguardhome/AdGuardHome.yaml.j2 @@ -1,3 +1,4 @@ +{% import '../macros/rinoa-macros.j2' as vault %} {% set vault_addr = 'https://vault.trez.wtf' %} {% set secrets_path = 'rinoa-docker/env' %} @@ -9,7 +10,7 @@ http: session_ttl: 720h users: - name: admin - password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ADGUARD_BCRYPT'] }} + password: {{ vault.vault_secret('env', 'ADGUARD_BCRYPT') }} auth_attempts: 5 block_auth_min: 15 http_proxy: "" diff --git a/ansible/app-configs/apprise/apprise.yml.j2 b/ansible/app-configs/apprise/apprise.yml.j2 index 5b0bfa5c..cea00840 100644 --- a/ansible/app-configs/apprise/apprise.yml.j2 +++ b/ansible/app-configs/apprise/apprise.yml.j2 
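Review bot: The new `{% import '../macros/rinoa-macros.j2' as vault %}` line is fragile on two counts, and since the macro body is outside this chunk I cannot confirm how it resolves either. First, if these templates are rendered by Ansible's `template` module, Jinja2's FileSystemLoader rejects `..` segments in template names, and even with a loader that allows them the relative path points somewhere different for deeper templates such as gitea/act-runner/config.yaml.j2; importing by bare name with `ansible/macros` on the template search path would resolve the same way for every file. Second, a plain `{% import %}` does not receive the caller's context, so if `vault_secret` reads `vault_addr` or `vault_token_cleaned` from play variables instead of taking them as arguments it needs `{% import 'rinoa-macros.j2' as vault with context %}`. The `{% set vault_addr %}` and `{% set secrets_path %}` lines kept under the import are no longer referenced in this file once the lookups move into the macro (`secrets_path` was not referenced before either), so they can go or be moved into the macro file.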
@@ -1,6 +1,7 @@ +{% import '../macros/rinoa-macros.j2' as vault %} {% set vault_addr = 'https://vault.trez.wtf' %} {% set secrets_path = 'rinoa-docker/env' %} urls: - - gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['APPRISE_GOTIFY_TOKEN'] }} - - mailto://{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}@trez.wtf25?smtp=postal-smtp&from=noreply@trez.wtf \ No newline at end of file + - gotify://gotify/{{ vault.vault_secret('env', 'APPRISE_GOTIFY_TOKEN') }} + - mailto://{{ vault.vault_secret('env', 'POSTAL_SMTP_AUTH_USER') }}:{{ vault.vault_secret('env', 'POSTAL_SMTP_AUTH_PASSWORD') }}@trez.wtf25?smtp=postal-smtp&from=noreply@trez.wtf \ No newline at end of file diff --git a/ansible/app-configs/authelia/configuration.yml.j2 b/ansible/app-configs/authelia/configuration.yml.j2 index 48764283..3b9b49e1 100644 --- a/ansible/app-configs/authelia/configuration.yml.j2 +++ b/ansible/app-configs/authelia/configuration.yml.j2 @@ -1,3 +1,4 @@ +{% import '../macros/rinoa-macros.j2' as vault %} {% set vault_addr = 'https://vault.trez.wtf' %} {% set secrets_path = 'rinoa-docker/env' %} 
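Review bot: The rewritten `mailto://{{ vault.vault_secret('env', 'POSTAL_SMTP_AUTH_USER') }}:{{ vault.vault_secret('env', 'POSTAL_SMTP_AUTH_PASSWORD') }}@trez.wtf25?...` splices the credentials into a URL unencoded, so a password containing `@`, `:`, `/`, `?` or `#` changes how Apprise splits the URL and can push part of the secret into the host or query component. Pipe both values through Jinja's `urlencode` filter: `- mailto://{{ vault.vault_secret('env', 'POSTAL_SMTP_AUTH_USER') | urlencode }}:{{ vault.vault_secret('env', 'POSTAL_SMTP_AUTH_PASSWORD') | urlencode }}@trez.wtf25?smtp=postal-smtp&from=noreply@trez.wtf`. The gotify token placed in the URL path on the line above deserves the same treatment. This assumes the macro returns the plain secret as a string, which I cannot verify from this chunk.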
@@ -64,11 +65,11 @@ authentication_backend: mail: mail display_name: displayName user: uid=authelia,ou=people,dc=trez,dc=wtf - password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_AUTH_BIND_LDAP_PASSWORD'] }}' + password: '{{ vault.vault_secret('env', 'AUTHELIA_AUTH_BIND_LDAP_PASSWORD') }}' refresh_interval: 5m identity_validation: reset_password: - jwt_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_JWT_SECRET'] }}' + jwt_secret: '{{ vault.vault_secret('env', 'AUTHELIA_JWT_SECRET') }}' password_policy: standard: enabled: true @@ -104,7 +105,7 @@ access_control: - ['user:the.trezured.one'] session: name: authelia_session - secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_SESSION_SECRET'] }}' + secret: '{{ vault.vault_secret('env', 'AUTHELIA_SESSION_SECRET') }}' expiration: 1h inactivity: 5m remember_me: 1M @@ -115,12 +116,12 @@ session: host: redis port: 6379 storage: - encryption_key: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_STORAGE_ENCRYPTION_KEY'] }}' + encryption_key: '{{ vault.vault_secret('env', 'AUTHELIA_STORAGE_ENCRYPTION_KEY') }}' postgres: address: 'tcp://authelia-pg:5432' database: authelia username: authelia - password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_STORAGE_POSTGRES_PASSWORD'] }}' + password: '{{ vault.vault_secret('env', 'AUTHELIA_STORAGE_POSTGRES_PASSWORD') }}' timeout: '5s' regulation: max_retries: 3 
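Review bot: The new `password: '{{ vault.vault_secret('env', 'AUTHELIA_AUTH_BIND_LDAP_PASSWORD') }}'` and the other single-quoted scalars in these hunks rely on the secret never containing a `'`; a generated key or password that does will be written as an unterminated YAML scalar and Authelia will refuse the file at deploy time, long after the template rendered without complaint. Emitting the value through Jinja's builtin `tojson` filter, e.g. `password: {{ vault.vault_secret('env', 'AUTHELIA_AUTH_BIND_LDAP_PASSWORD') | tojson }}`, produces a double-quoted, fully escaped scalar that YAML accepts whatever the content. The same change applies to `jwt_secret`, the session `secret`, `encryption_key` and the postgres `password` in this file.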
@@ -131,8 +132,8 @@ notifier: smtp: address: 'smtp://postal-smtp:25' timeout: '5s' - username: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}' - password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}' + username: '{{ vault.vault_secret('env', 'POSTAL_SMTP_AUTH_USER') }}' + password: '{{ vault.vault_secret('env', 'POSTAL_SMTP_AUTH_PASSWORD') }}' sender: "Authelia " identifier: 'localhost' subject: "[Authelia] {title}" @@ -142,7 +143,7 @@ notifier: disable_html_emails: false identity_providers: oidc: - hmac_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_OIDC_HMAC_SECRET'] }}' + hmac_secret: '{{ vault.vault_secret('env', 'AUTHELIA_OIDC_HMAC_SECRET') }}' jwks: - key: | {{ lookup("community.hashi_vault.vault_kv2_get", "env", engine_mount_point="rinoa-docker", url=vault_addr, token=vault_token_cleaned)["secret"]["AUTHELIA_OIDC_JWKS_KEY"] | replace("\\n", "\n") | indent(10) }} @@ -157,7 +158,7 @@ identity_providers: clients: - client_id: 'netbird' client_name: 'NetBird' - client_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}' + client_secret: '{{ vault.vault_secret('env', 'AUTHELIA_NETBIRD_CLIENT_SECRET') }}' public: false authorization_policy: 'two_factor' redirect_uris: diff --git a/ansible/app-configs/cloudflared/config.yml.j2 b/ansible/app-configs/cloudflared/config.yml.j2 index a02e5104..dae37148 100644 --- a/ansible/app-configs/cloudflared/config.yml.j2 +++ b/ansible/app-configs/cloudflared/config.yml.j2 
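Review bot: The `AUTHELIA_OIDC_JWKS_KEY` context line directly under the new `hmac_secret:` still uses the raw `lookup('community.hashi_vault.vault_kv2_get', ...)` call, so after this change the file reaches Vault two different ways and that one secret would silently diverge if the macro's arguments or auth ever change. If the macro returns the secret as a string, the existing filters apply to its output unchanged: `{{ vault.vault_secret('env', 'AUTHELIA_OIDC_JWKS_KEY') | replace("\\n", "\n") | indent(10) }}`. The `key: |` block scalar around it is otherwise the right way to carry a PEM key into YAML.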
@@ -1,3 +1,4 @@ +{% import '../macros/rinoa-macros.j2' as vault %} {% set vault_addr = 'https://vault.trez.wtf' %} {% set secrets_path = 'rinoa-docker/env' %} diff --git a/ansible/app-configs/crowdsec/acquis.yaml.j2 b/ansible/app-configs/crowdsec/acquis.yaml.j2 index a2b7fc1e..6aeb1d5c 100644 --- a/ansible/app-configs/crowdsec/acquis.yaml.j2 +++ b/ansible/app-configs/crowdsec/acquis.yaml.j2 @@ -1,3 +1,4 @@ +{% import '../macros/rinoa-macros.j2' as vault %} {% set vault_addr = 'https://vault.trez.wtf' %} {% set secrets_path = 'rinoa-docker/env' %} source: journalctl diff --git a/ansible/app-configs/crowdsec/config.yaml.j2 b/ansible/app-configs/crowdsec/config.yaml.j2 index 46a4e811..38bd4b06 100644 --- a/ansible/app-configs/crowdsec/config.yaml.j2 +++ b/ansible/app-configs/crowdsec/config.yaml.j2 @@ -1,3 +1,4 @@ +{% import '../macros/rinoa-macros.j2' as vault %} {% set vault_addr = 'https://vault.trez.wtf' %} {% set secrets_path = 'rinoa-docker/env' %} common: diff --git a/ansible/app-configs/crowdsec/local-api-credentials.yaml.j2 b/ansible/app-configs/crowdsec/local-api-credentials.yaml.j2 index 5335296f..ac032f2d 100644 --- a/ansible/app-configs/crowdsec/local-api-credentials.yaml.j2 +++ b/ansible/app-configs/crowdsec/local-api-credentials.yaml.j2 @@ -1,6 +1,7 @@ +{% import '../macros/rinoa-macros.j2' as vault %} {% set vault_addr = 'https://vault.trez.wtf' %} {% set secrets_path = 'rinoa-docker/env' %} url: http://0.0.0.0:8080 login: localhost -password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['CROWDSEC_LOCAL_API_KEY'] }} \ No newline at end of file +password: {{ vault.vault_secret('env', 'CROWDSEC_LOCAL_API_KEY') }} \ No newline at end of file diff --git a/ansible/app-configs/crowdsec/online-api-credentials.yaml.j2 b/ansible/app-configs/crowdsec/online-api-credentials.yaml.j2 index 3f7aeafb..96923b05 100644 
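Review bot: cloudflared/config.yml.j2 gains `{% import '../macros/rinoa-macros.j2' as vault %}` without any `vault.vault_secret(...)` call to use it, and the same holds for crowdsec/acquis.yaml.j2, config.yaml.j2 and profiles.yaml.j2 in this patch, none of which show a lookup being replaced. An unused import still makes each of these templates fail to render if the macro file cannot be found, and it suggests to a reader that the file carries secrets when, as far as this diff shows, it does not. Either drop the import from templates that have no secrets, or if the intent is a uniform header for later use, say so in a comment beside it, e.g. `{# no secrets here yet; macro import kept for consistency with the other app-configs #}`.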
--- a/ansible/app-configs/crowdsec/online-api-credentials.yaml.j2 +++ b/ansible/app-configs/crowdsec/online-api-credentials.yaml.j2 @@ -1,6 +1,7 @@ +{% import '../macros/rinoa-macros.j2' as vault %} {% set vault_addr = 'https://vault.trez.wtf' %} {% set secrets_path = 'rinoa-docker/env' %} url: https://api.crowdsec.net/ -login: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['CROWDSEC_ONLINE_PASSWORD'] }} -password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['CROWDSEC_ONLINE_PASSWORD'] }} \ No newline at end of file +login: {{ vault.vault_secret('env', 'CROWDSEC_ONLINE_PASSWORD') }} +password: {{ vault.vault_secret('env', 'CROWDSEC_ONLINE_PASSWORD') }} \ No newline at end of file diff --git a/ansible/app-configs/crowdsec/profiles.yaml.j2 b/ansible/app-configs/crowdsec/profiles.yaml.j2 index 0dfb52c6..65dfb1a2 100644 --- a/ansible/app-configs/crowdsec/profiles.yaml.j2 +++ b/ansible/app-configs/crowdsec/profiles.yaml.j2 @@ -1,3 +1,4 @@ +{% import '../macros/rinoa-macros.j2' as vault %} {% set vault_addr = 'https://vault.trez.wtf' %} {% set secrets_path = 'rinoa-docker/env' %} diff --git a/ansible/app-configs/ghost/ghost_config.production.json.j2 b/ansible/app-configs/ghost/ghost_config.production.json.j2 index 40e0dd14..f5485125 100644 --- a/ansible/app-configs/ghost/ghost_config.production.json.j2 +++ b/ansible/app-configs/ghost/ghost_config.production.json.j2 @@ -1,3 +1,4 @@ +{% import '../macros/rinoa-macros.j2' as vault %} {% set vault_addr = 'https://vault.trez.wtf' %} {% set secrets_path = 'rinoa-docker/env' %} 
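Review bot: In online-api-credentials.yaml.j2 the new `login: {{ vault.vault_secret('env', 'CROWDSEC_ONLINE_PASSWORD') }}` reads the same Vault key as the `password:` line under it, a mismatch the commit carries over from the old lookups rather than introduces. It looks like a copy-paste slip: the CAPI login is an identifier distinct from the password, and rendering the password into the `login` field both fails enrolment and puts the secret into a field that is more likely to be echoed in logs and error messages. The expected shape, with the key name to be confirmed against what is actually stored in Vault, is `login: {{ vault.vault_secret('env', 'CROWDSEC_ONLINE_LOGIN') }}`.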
@@ -9,7 +10,7 @@ "host" : "mariadb", "port" : 3306, "user" : "ghost", - "password" : "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GHOST_DB_PASSWORD'] }}", + "password" : "{{ vault.vault_secret('env', 'GHOST_DB_PASSWORD') }}", "database" : "ghost_db" } }, @@ -21,8 +22,8 @@ "port": 25, "secure": false, "auth": { - "user": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}", - "pass": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}" + "user": "{{ vault.vault_secret('env', 'POSTAL_SMTP_AUTH_USER') }}", + "pass": "{{ vault.vault_secret('env', 'POSTAL_SMTP_AUTH_PASSWORD') }}" } } }, diff --git a/ansible/app-configs/gitea/act-runner/config.yaml.j2 b/ansible/app-configs/gitea/act-runner/config.yaml.j2 index f7882a24..5adc355c 100644 --- a/ansible/app-configs/gitea/act-runner/config.yaml.j2 +++ b/ansible/app-configs/gitea/act-runner/config.yaml.j2 @@ -1,3 +1,6 @@ +{% import '../macros/rinoa-macros.j2' as vault %} +{% set vault_addr = 'https://vault.trez.wtf' %} +{% set secrets_path = 'rinoa-docker/env' %} # Example configuration file, it's safe to copy this as the default config file without any modification. # You don't have to copy this file to your instance, diff --git a/ansible/app-configs/gitea/app.ini.j2 b/ansible/app-configs/gitea/app.ini.j2 index bc4e810b..ab70529b 100644 --- a/ansible/app-configs/gitea/app.ini.j2 +++ b/ansible/app-configs/gitea/app.ini.j2 @@ -1,3 +1,4 @@ +{% import '../macros/rinoa-macros.j2' as vault %} {% set vault_addr = 'https://vault.trez.wtf' %} {% set secrets_path = 'rinoa-docker/env' %} 
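Review bot: `"password" : "{{ vault.vault_secret('env', 'GHOST_DB_PASSWORD') }}",` and the SMTP `"user"`/`"pass"` lines below it interpolate the secret inside a JSON string literal without escaping, so a value containing `"` or `\` yields an invalid config.production.json and Ghost will not start. Jinja's builtin `tojson` filter supplies the quotes and escaping itself: `"password" : {{ vault.vault_secret('env', 'GHOST_DB_PASSWORD') | tojson }},`. Apply the same change to `"user"` and `"pass"` in the mail block; the double-quoted YAML values in the gitea-sonarqube-bot config in this patch have the identical problem.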
@@ -27,7 +28,7 @@ DISABLE_SSH = false SSH_PORT = 22 SSH_LISTEN_PORT = 22 LFS_START_SERVER = true -LFS_JWT_SECRET = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_LFS_JWT_SECRET'] }} +LFS_JWT_SECRET = {{ vault.vault_secret('env', 'GITEA_LFS_JWT_SECRET') }} OFFLINE_MODE = true [database] @@ -36,7 +37,7 @@ DB_TYPE = postgres HOST = gitea-db:5432 NAME = gitea USER = gitea -PASSWD = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_PG_DB_PASSWORD'] }} +PASSWD = {{ vault.vault_secret('env', 'GITEA_PG_DB_PASSWORD') }} LOG_SQL = false SCHEMA = SSL_MODE = disable @@ -70,7 +71,7 @@ INSTALL_LOCK = true SECRET_KEY = REVERSE_PROXY_LIMIT = 1 REVERSE_PROXY_TRUSTED_PROXIES = * -INTERNAL_TOKEN = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_INTERNAL_TOKEN'] }} +INTERNAL_TOKEN = {{ vault.vault_secret('env', 'GITEA_INTERNAL_TOKEN') }} PASSWORD_HASH_ALGO = pbkdf2 [service] @@ -89,7 +90,7 @@ NO_REPLY_ADDRESS = noreply@trez.wtf PATH = /data/git/lfs [mailer] -PASSWD = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }} +PASSWD = {{ vault.vault_secret('env', 'POSTAL_SMTP_AUTH_PASSWORD') }} PROTOCOL = smtp ENABLED = true FROM = '"Gitea" ' @@ -112,7 +113,7 @@ DEFAULT_MERGE_STYLE = merge DEFAULT_TRUST_MODEL = committer [oauth2] -JWT_SECRET = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_OAUTH2_JWT_SECRET'] }} +JWT_SECRET = {{ vault.vault_secret('env', 'GITEA_OAUTH2_JWT_SECRET') }} [ui] THEMES = 
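Review bot: While `INTERNAL_TOKEN`, `LFS_JWT_SECRET` and `[oauth2] JWT_SECRET` now come from Vault, the context line `SECRET_KEY = ` a few lines above the new `INTERNAL_TOKEN` is still blank. Gitea uses SECRET_KEY to encrypt values it stores, two-factor secrets among them, and to my knowledge generates one at startup when it is empty; if this app.ini is re-rendered on every deploy, that generated key would be discarded each time and whatever was encrypted under the previous one becomes unreadable, so it belongs with the other vaulted values as `SECRET_KEY = {{ vault.vault_secret('env', 'GITEA_SECRET_KEY') }}` once the key is added to Vault. `REVERSE_PROXY_TRUSTED_PROXIES = *` in the same context block trusts forwarded-for headers from any source, which is only safe if nothing but the reverse proxy can reach Gitea's listener; worth a comment stating that assumption.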
diff --git a/ansible/app-configs/gitea/gitea-sonarqube-bot/config.yaml.j2 b/ansible/app-configs/gitea/gitea-sonarqube-bot/config.yaml.j2 index 90b9fb69..e96a64dc 100644 --- a/ansible/app-configs/gitea/gitea-sonarqube-bot/config.yaml.j2 +++ b/ansible/app-configs/gitea/gitea-sonarqube-bot/config.yaml.j2 @@ -1,3 +1,4 @@ +{% import '../macros/rinoa-macros.j2' as vault %} {% set vault_addr = 'https://vault.trez.wtf' %} {% set secrets_path = 'rinoa-docker/env' %} @@ -9,7 +10,7 @@ gitea: # Created access token for the user that shall be used as bot account. # User needs "Read project" permissions with access to "Pull Requests" token: - value: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_GITEA_TOKEN'] }}" + value: "{{ vault.vault_secret('env', 'GITEA_SONARQUBE_BOT_GITEA_TOKEN') }}" # # or path to file containing the plain text secret # file: /path/to/gitea/token @@ -18,7 +19,7 @@ gitea: # The bot looks for `X-Gitea-Signature` header containing the sha256 hmac hash of the plain text secret. If the header # exists and no webhookSecret is defined here, the bot will ignore the request, because it cannot be validated. webhook: - secret: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_GITEA_WEBHOOK_SECRET'] }}" + secret: "{{ vault.vault_secret('env', 'GITEA_SONARQUBE_BOT_GITEA_WEBHOOK_SECRET') }}" # # or path to file containing the plain text secret # secretFile: /path/to/gitea/webhook/secret 
@@ -35,7 +36,7 @@ sonarqube: # Created access token for the user that shall be used as bot account. # User needs "Browse on project" permissions token: - value: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_SQUBE_TOKEN'] }}" + value: "{{ vault.vault_secret('env', 'GITEA_SONARQUBE_BOT_SQUBE_TOKEN') }}" # # or path to file containing the plain text secret # file: /path/to/sonarqube/token @@ -45,7 +46,7 @@ sonarqube: # If the header exists and no webhookSecret is defined here, the bot will ignore the request, because it cannot be # validated. webhook: - secret: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_SQUBE_WEBHOOK_SECRET'] }}" + secret: "{{ vault.vault_secret('env', 'GITEA_SONARQUBE_BOT_SQUBE_WEBHOOK_SECRET') }}" # # or path to file containing the plain text secret # secretFile: /path/to/sonarqube/webhook/secret diff --git a/ansible/app-configs/grafana/alloy/alloy_endpoints.json.j2 b/ansible/app-configs/grafana/alloy/alloy_endpoints.json.j2 index d50b71a4..ca64d14a 100644 --- a/ansible/app-configs/grafana/alloy/alloy_endpoints.json.j2 +++ b/ansible/app-configs/grafana/alloy/alloy_endpoints.json.j2 @@ -1,3 +1,4 @@ +{% import '../macros/rinoa-macros.j2' as vault %} {% set vault_addr = 'https://vault.trez.wtf' %} {% set secrets_path = 'rinoa-docker/env' %} diff --git a/ansible/app-configs/grafana/beyla/beyla.yml.j2 b/ansible/app-configs/grafana/beyla/beyla.yml.j2 index 5fa9bfa4..eeb7768d 100644 --- a/ansible/app-configs/grafana/beyla/beyla.yml.j2 +++ b/ansible/app-configs/grafana/beyla/beyla.yml.j2 @@ -1,3 +1,4 @@ +{% import '../macros/rinoa-macros.j2' as vault %} {% set vault_addr = 'https://vault.trez.wtf' %} {% set secrets_path = 'rinoa-docker/env' %} 
diff --git a/ansible/app-configs/grafana/mimir/mimir.yaml.j2 b/ansible/app-configs/grafana/mimir/mimir.yaml.j2 index 80825a17..94264fab 100644 --- a/ansible/app-configs/grafana/mimir/mimir.yaml.j2 +++ b/ansible/app-configs/grafana/mimir/mimir.yaml.j2 @@ -1,3 +1,4 @@ +{% import '../macros/rinoa-macros.j2' as vault %} {% set vault_addr = 'https://vault.trez.wtf' %} {% set secrets_path = 'rinoa-docker/env' %} diff --git a/ansible/app-configs/grafana/pyroscope/config.yaml.j2 b/ansible/app-configs/grafana/pyroscope/config.yaml.j2 index fe8066be..ccd3d61d 100644 --- a/ansible/app-configs/grafana/pyroscope/config.yaml.j2 +++ b/ansible/app-configs/grafana/pyroscope/config.yaml.j2 @@ -1,11 +1,12 @@ +{% import '../macros/rinoa-macros.j2' as vault %} storage: backend: s3 s3: bucket_name: pyroscope endpoint: minio:9000 region: us-east-fh-pln - access_key_id: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_PYROSCOPE_STORAGE_ACCESS_KEY'] }} - secret_access_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_PYROSCOPE_STORAGE_SECRET_KEY'] }} + access_key_id: {{ vault.vault_secret('env', 'MINIO_PYROSCOPE_STORAGE_ACCESS_KEY') }} + secret_access_key: {{ vault.vault_secret('env', 'MINIO_PYROSCOPE_STORAGE_SECRET_KEY') }} insecure: true analytics: diff --git a/ansible/app-configs/grafana/tempo/config.yml.j2 b/ansible/app-configs/grafana/tempo/config.yml.j2 index 690b60bd..ba1c332e 100644 --- a/ansible/app-configs/grafana/tempo/config.yml.j2 +++ b/ansible/app-configs/grafana/tempo/config.yml.j2 @@ -1,3 +1,4 @@ +{% import '../macros/rinoa-macros.j2' as vault %} {% set vault_addr = 'https://vault.trez.wtf' %} {% set secrets_path = 'rinoa-docker/env' %} 
diff --git a/ansible/app-configs/grafana/tempo/tempo.yaml.j2 b/ansible/app-configs/grafana/tempo/tempo.yaml.j2 index fbfd0050..03f9f632 100644 --- a/ansible/app-configs/grafana/tempo/tempo.yaml.j2 +++ b/ansible/app-configs/grafana/tempo/tempo.yaml.j2 @@ -1,3 +1,4 @@ +{% import '../macros/rinoa-macros.j2' as vault %} {% set vault_addr = 'https://vault.trez.wtf' %} {% set secrets_path = 'rinoa-docker/env' %} @@ -46,8 +47,8 @@ storage: s3: bucket: tempo # how to store data in s3 endpoint: minio:9000 - access_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_TEMPO_STORAGE_ACCESS_KEY'] }} - secret_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MINIO_TEMPO_STORAGE_SECRET_KEY'] }} + access_key: {{ vault.vault_secret('env', 'MINIO_TEMPO_STORAGE_ACCESS_KEY') }} + secret_key: {{ vault.vault_secret('env', 'MINIO_TEMPO_STORAGE_SECRET_KEY') }} insecure: true usage_report: diff --git a/ansible/app-configs/homepage/bookmarks.yaml.j2 b/ansible/app-configs/homepage/bookmarks.yaml.j2 index 3213604c..675cc490 100644 --- a/ansible/app-configs/homepage/bookmarks.yaml.j2 +++ b/ansible/app-configs/homepage/bookmarks.yaml.j2 @@ -1,3 +1,4 @@ +{% import '../macros/rinoa-macros.j2' as vault %} {% set vault_addr = 'https://vault.trez.wtf' %} {% set secrets_path = 'rinoa-docker/env' %} diff --git a/ansible/app-configs/homepage/docker.yaml.j2 b/ansible/app-configs/homepage/docker.yaml.j2 index 58f2932a..9b103436 100644 --- a/ansible/app-configs/homepage/docker.yaml.j2 +++ b/ansible/app-configs/homepage/docker.yaml.j2 @@ -1,3 +1,4 @@ +{% import '../macros/rinoa-macros.j2' as vault %} {% set vault_addr = 'https://vault.trez.wtf' %} {% set secrets_path = 'rinoa-docker/env' %} 
diff --git a/ansible/app-configs/homepage/kubernetes.yaml.j2 b/ansible/app-configs/homepage/kubernetes.yaml.j2 index edc81b18..c0914431 100644 --- a/ansible/app-configs/homepage/kubernetes.yaml.j2 +++ b/ansible/app-configs/homepage/kubernetes.yaml.j2 @@ -1,3 +1,4 @@ +{% import '../macros/rinoa-macros.j2' as vault %} {% set vault_addr = 'https://vault.trez.wtf' %} {% set secrets_path = 'rinoa-docker/env' %} diff --git a/ansible/app-configs/homepage/services.yaml.j2 b/ansible/app-configs/homepage/services.yaml.j2 index 7a610bbc..056ee2e6 100644 --- a/ansible/app-configs/homepage/services.yaml.j2 +++ b/ansible/app-configs/homepage/services.yaml.j2 @@ -1,3 +1,4 @@ +{% import '../macros/rinoa-macros.j2' as vault %} {% set vault_addr = 'https://vault.trez.wtf' %} {% set secrets_path = 'rinoa-docker/env' %} @@ -29,5 +30,5 @@ widget: type: homeassistant url: http://192.168.1.252:8123 - key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_HOME_ASSISTANT_API_KEY'] }} + key: {{ vault.vault_secret('env', 'HOMEPAGE_HOME_ASSISTANT_API_KEY') }} diff --git a/ansible/app-configs/homepage/settings.yaml.j2 b/ansible/app-configs/homepage/settings.yaml.j2 index 68393536..fe55aa9d 100644 --- a/ansible/app-configs/homepage/settings.yaml.j2 +++ b/ansible/app-configs/homepage/settings.yaml.j2 @@ -1,3 +1,4 @@ +{% import '../macros/rinoa-macros.j2' as vault %} {% set vault_addr = 'https://vault.trez.wtf' %} {% set secrets_path = 'rinoa-docker/env' %} 
@@ -6,7 +7,7 @@ # https://gethomepage.dev/en/configs/settings providers: - openweathermap: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }} + openweathermap: {{ vault.vault_secret('env', 'HOMEPAGE_OPENWEATHERMAP_API_KEY') }} # weatherapi: weatherapiapikey title: Rinoa Dashboard (trez.WTF) headerStyle: underlined diff --git a/ansible/app-configs/homepage/widgets.yaml.j2 b/ansible/app-configs/homepage/widgets.yaml.j2 index 0e4f004c..05670c60 100644 --- a/ansible/app-configs/homepage/widgets.yaml.j2 +++ b/ansible/app-configs/homepage/widgets.yaml.j2 @@ -1,3 +1,4 @@ +{% import '../macros/rinoa-macros.j2' as vault %} {% set vault_addr = 'https://vault.trez.wtf' %} {% set secrets_path = 'rinoa-docker/env' %} diff --git a/ansible/app-configs/invidious/config.yml.j2 b/ansible/app-configs/invidious/config.yml.j2 index 7aff109b..390e87fb 100644 --- a/ansible/app-configs/invidious/config.yml.j2 +++ b/ansible/app-configs/invidious/config.yml.j2 @@ -1,3 +1,4 @@ +{% import '../macros/rinoa-macros.j2' as vault %} {% set vault_addr = 'https://vault.trez.wtf' %} {% set secrets_path = 'rinoa-docker/env' %} @@ -16,7 +17,7 @@ db: host: invidious-db port: 5432 dbname: invidious - password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_PG_DB_PASSWORD'] }} + password: {{ vault.vault_secret('env', 'INVID_PG_DB_PASSWORD') }} ## ## Database configuration using a single URI. This is an 
@@ -210,8 +211,8 @@ https_only: false ## Accepted values: String ## Default: ## -po_token: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_PO_TOKEN'] }} -visitor_data: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_VISITOR_DATA'] }} +po_token: {{ vault.vault_secret('env', 'INVID_PO_TOKEN') }} +visitor_data: {{ vault.vault_secret('env', 'INVID_VISITOR_DATA') }} # ----------------------------- # Logging @@ -471,7 +472,7 @@ jobs: ## Accepted values: a string ## Default: ## -hmac_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['INVID_HMAC_KEY'] }} +hmac_key: {{ vault.vault_secret('env', 'INVID_HMAC_KEY') }} ## ## List of video IDs where the "download" widget must be diff --git a/ansible/app-configs/invoice-ninja/invoice-ninja.env.j2 b/ansible/app-configs/invoice-ninja/invoice-ninja.env.j2 index 2c8dc97a..cf6ec9ce 100644 --- a/ansible/app-configs/invoice-ninja/invoice-ninja.env.j2 +++ b/ansible/app-configs/invoice-ninja/invoice-ninja.env.j2 @@ -1,9 +1,10 @@ +{% import '../macros/rinoa-macros.j2' as vault %} {% set vault_addr = 'https://vault.trez.wtf' %} {% set secrets_path = 'rinoa-docker/env' %} # IN application vars IN_APP_URL=https://biz.trez.wtf -IN_APP_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['IN_APP_KEY'] }} +IN_APP_KEY={{ vault.vault_secret('env', 'IN_APP_KEY') }} IN_APP_DEBUG=true IN_REQUIRE_HTTPS=false IN_PHANTOMJS_PDF_GENERATION=false 
@@ -18,7 +19,7 @@ IN_DB_HOST=mariadb IN_DB_PORT=3306 IN_DB_DATABASE=invoice_ninja IN_DB_USERNAME=ininja -IN_DB_PASSWORD={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['IN_MYSQL_PASSWORD'] }} +IN_DB_PASSWORD={{ vault.vault_secret('env', 'IN_MYSQL_PASSWORD') }} # Create initial user # Default to these values if empty @@ -31,8 +32,8 @@ IN_PASSWORD= IN_MAIL_MAILER=log IN_MAIL_HOST=postal-smtp IN_MAIL_PORT=25 -IN_MAIL_USERNAME={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }} -IN_MAIL_PASSWORD={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }} +IN_MAIL_USERNAME={{ vault.vault_secret('env', 'POSTAL_SMTP_AUTH_USER') }} +IN_MAIL_PASSWORD={{ vault.vault_secret('env', 'POSTAL_SMTP_AUTH_PASSWORD') }} IN_MAIL_ENCRYPTION=null IN_MAIL_FROM_ADDRESS='noreply@trez.wtf' IN_MAIL_FROM_NAME='Treasured IT' diff --git a/ansible/app-configs/librechat/librechat.env.j2 b/ansible/app-configs/librechat/librechat.env.j2 index 456f9bbc..1fd642d5 100644 --- a/ansible/app-configs/librechat/librechat.env.j2 +++ b/ansible/app-configs/librechat/librechat.env.j2 @@ -1,3 +1,4 @@ +{% import '../macros/rinoa-macros.j2' as vault %} {% set vault_addr = 'https://vault.trez.wtf' %} {% set secrets_path = 'rinoa-docker/env' %} 
@@ -17,7 +18,7 @@ HOST=localhost PORT=3080 -MONGO_URI=mongodb://librechat:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_MONGODB_PASSWORD'] }}@mongodb:27017/librechat?replicaSet=rinoa +MONGO_URI=mongodb://librechat:{{ vault.vault_secret('env', 'LIBRECHAT_MONGODB_PASSWORD') }}@mongodb:27017/librechat?replicaSet=rinoa DOMAIN_CLIENT=https://ai.trez.wtf DOMAIN_SERVER=https://ai.trez.wtf @@ -73,12 +74,12 @@ PROXY= # ANYSCALE_API_KEY= # APIPIE_API_KEY= # COHERE_API_KEY= -DEEPSEEK_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_DEEPSEEK_API_KEY'] }} +DEEPSEEK_API_KEY={{ vault.vault_secret('env', 'LIBRECHAT_DEEPSEEK_API_KEY') }} # DATABRICKS_API_KEY= # FIREWORKS_API_KEY= # GROQ_API_KEY= # HUGGINGFACE_TOKEN= -MISTRAL_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_MISTRAL_API_KEY'] }} +MISTRAL_API_KEY={{ vault.vault_secret('env', 'LIBRECHAT_MISTRAL_API_KEY') }} # OPENROUTER_KEY= # PERPLEXITY_API_KEY= # SHUTTLEAI_API_KEY= 
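Review bot: `MONGO_URI=mongodb://librechat:{{ vault.vault_secret('env', 'LIBRECHAT_MONGODB_PASSWORD') }}@mongodb:27017/librechat?replicaSet=rinoa` embeds the password in the connection URI without percent-encoding, and the MongoDB connection-string rules require the userinfo to be escaped, with the Node driver refusing a password that contains an unescaped `@`, `:`, `/` or `%`; a rotated password with one of those characters breaks authentication at startup. Use `{{ vault.vault_secret('env', 'LIBRECHAT_MONGODB_PASSWORD') | urlencode }}` inside the URI. The secret-bearing lines in this .env are also unquoted, so a value containing `#` or whitespace may be truncated by the dotenv parser; double-quoting them is worth considering if the loader LibreChat uses honours quotes.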
@@ -90,7 +91,7 @@ MISTRAL_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_m
 # Anthropic #
 #============#
-ANTHROPIC_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_ANTHROPIC_API_KEY'] }}
+ANTHROPIC_API_KEY={{ vault.vault_secret('env', 'LIBRECHAT_ANTHROPIC_API_KEY') }}
 ANTHROPIC_MODELS=claude-3-7-sonnet-latest,claude-3-7-sonnet-20250219,claude-3-5-haiku-20241022,claude-3-5-sonnet-20241022,claude-3-5-sonnet-latest,claude-3-5-sonnet-20240620,claude-3-opus-20240229,claude-3-sonnet-20240229,claude-3-haiku-20240307,claude-2.1,claude-2,claude-1.2,claude-1,claude-1-100k,claude-instant-1,claude-instant-1-100k
 # ANTHROPIC_REVERSE_PROXY=
@@ -177,7 +178,7 @@ ANTHROPIC_MODELS=claude-3-7-sonnet-latest,claude-3-7-sonnet-20250219,claude-3-5-
 # OpenAI #
 #============#
-OPENAI_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_OPENAI_API_KEY'] }}
+OPENAI_API_KEY={{ vault.vault_secret('env', 'LIBRECHAT_OPENAI_API_KEY') }}
 OPENAI_MODELS=o1,o1-mini,o1-preview,gpt-4o,chatgpt-4o-latest,gpt-4o-mini,gpt-3.5-turbo-0125,gpt-3.5-turbo-0301,gpt-3.5-turbo,gpt-4,gpt-4-0613,gpt-4-vision-preview,gpt-3.5-turbo-0613,gpt-3.5-turbo-16k-0613,gpt-4-0125-preview,gpt-4-turbo-preview,gpt-4-1106-preview,gpt-3.5-turbo-1106,gpt-3.5-turbo-instruct,gpt-3.5-turbo-instruct-0914,gpt-3.5-turbo-16k
 DEBUG_OPENAI=false
@@ -226,8 +227,8 @@ DEBUG_OPENAI=false
 # DEBUG_PLUGINS=
-CREDS_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_CREDS_KEY'] }}
-CREDS_IV={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_CREDS_IV'] }}
+CREDS_KEY={{ vault.vault_secret('env', 'LIBRECHAT_CREDS_KEY') }}
+CREDS_IV={{ vault.vault_secret('env', 'LIBRECHAT_CREDS_IV') }}
 # Azure AI Search
 #-----------------
@@ -298,7 +299,7 @@ ZAPIER_NLA_API_KEY=
 SEARCH=true
 MEILI_NO_ANALYTICS=true
 MEILI_HOST=http://meilisearch:7700
-MEILI_MASTER_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MEILISEARCH_MASTER_KEY'] }}
+MEILI_MASTER_KEY={{ vault.vault_secret('env', 'MEILISEARCH_MASTER_KEY') }}
 # Optional: Disable indexing, useful in a multi-node setup
 # where only one instance should perform an index sync.
@@ -384,8 +385,8 @@ ALLOW_UNVERIFIED_EMAIL_LOGIN=true
 SESSION_EXPIRY=1000 * 60 * 15
 REFRESH_TOKEN_EXPIRY=(1000 * 60 * 60 * 24) * 7
-JWT_SECRET={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_JWT_SECRET'] }}
-JWT_REFRESH_SECRET={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIBRECHAT_JWT_REFRESH_SECRET'] }}
+JWT_SECRET={{ vault.vault_secret('env', 'LIBRECHAT_JWT_SECRET') }}
+JWT_REFRESH_SECRET={{ vault.vault_secret('env', 'LIBRECHAT_JWT_REFRESH_SECRET') }}
 # Discord
@@ -547,4 +548,4 @@ USE_REDIS=true
 #=====================================================#
 # OpenWeather #
 #=====================================================#
-OPENWEATHER_API_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }}
\ No newline at end of file
+OPENWEATHER_API_KEY={{ vault.vault_secret('env', 'HOMEPAGE_OPENWEATHERMAP_API_KEY') }}
\ No newline at end of file
diff --git a/ansible/app-configs/librechat/librechat.yaml.j2 b/ansible/app-configs/librechat/librechat.yaml.j2
index 907e926f..bce10082 100644
--- a/ansible/app-configs/librechat/librechat.yaml.j2
+++ b/ansible/app-configs/librechat/librechat.yaml.j2
@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 version: 1.0.0
 endpoints:
 custom:
diff --git a/ansible/app-configs/lidarr/config.xml.j2 b/ansible/app-configs/lidarr/config.xml.j2
index 7ff4318b..536279f0 100644
--- a/ansible/app-configs/lidarr/config.xml.j2
+++ b/ansible/app-configs/lidarr/config.xml.j2
@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
@@ -7,7 +8,7 @@
 6868
 False
 True
- {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}
+ {{ vault.vault_secret('env', 'LIDARR_API_KEY') }}
 Forms
 master
 trace
diff --git a/ansible/app-configs/lidify/config.json.j2 b/ansible/app-configs/lidify/config.json.j2
index cc87a3b6..d5edcbab 100644
--- a/ansible/app-configs/lidify/config.json.j2
+++ b/ansible/app-configs/lidify/config.json.j2
@@ -1,13 +1,14 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 {
 "lidarr_address": "http://lidarr:8686",
- "lidarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}",
- "spotify_client_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
+ "lidarr_api_key": "{{ vault.vault_secret('env', 'LIDARR_API_KEY') }}",
+ "spotify_client_secret": "{{ vault.vault_secret('env', 'YOUR_SPOTIFY_SECRET') }}",
 "root_folder_path": "/data/media/music",
- "spotify_client_id": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_ID'] }}",
- "spotify_client_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
+ "spotify_client_id": "{{ vault.vault_secret('env', 'YOUR_SPOTIFY_ID') }}",
+ "spotify_client_secret": "{{ vault.vault_secret('env', 'YOUR_SPOTIFY_SECRET') }}",
 "fallback_to_top_result": false,
 "lidarr_api_timeout": 120.0,
 "quality_profile_id": 1,
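Review bot: `"spotify_client_secret"` is emitted twice in the same object on the new side (the rewritten line directly after `"lidarr_api_key"` and again after `"spotify_client_id"`); RFC 8259 only says names SHOULD be unique, most parsers silently keep the last occurrence and strict ones reject the document, so drop the first `"spotify_client_secret": "{{ vault.vault_secret('env', 'YOUR_SPOTIFY_SECRET') }}",` and keep the one next to `"spotify_client_id"`. Both copies resolve the same Vault key today, but a duplicated key is exactly where a later edit diverges unnoticed.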
@@ -17,8 +18,8 @@
 "app_name": "lidify",
 "app_rev": "0.09",
 "app_url": "lidify.trez.wtf",
- "last_fm_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
- "last_fm_api_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
+ "last_fm_api_key": "{{ vault.vault_secret('env', 'LASTFM_API_KEY') }}",
+ "last_fm_api_secret": "{{ vault.vault_secret('env', 'LASTFM_API_SECRET') }}",
 "mode": "LastFM",
 "auto_start": false,
 "auto_start_delay": 60
diff --git a/ansible/app-configs/loggifly/config.yaml.j2 b/ansible/app-configs/loggifly/config.yaml.j2
index d567b316..ca5a3d7c 100644
--- a/ansible/app-configs/loggifly/config.yaml.j2
+++ b/ansible/app-configs/loggifly/config.yaml.j2
@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
@@ -20,7 +21,7 @@ global_keywords:
 - fatal
 notifications:
 apprise:
- url: gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['APPRISE_GOTIFY_TOKEN'] }} # Any Apprise-compatible URL (https://github.com/caronc/apprise/wiki)
+ url: gotify://gotify/{{ vault.vault_secret('env', 'APPRISE_GOTIFY_TOKEN') }} # Any Apprise-compatible URL (https://github.com/caronc/apprise/wiki)
 # settings are optional because they all have default values
 settings:
 log_level: INFO # DEBUG, INFO, WARNING, ERROR
diff --git a/ansible/app-configs/mirotalk/src/config.js.j2 b/ansible/app-configs/mirotalk/src/config.js.j2
index 7753ab37..09f100c4 100644
--- a/ansible/app-configs/mirotalk/src/config.js.j2
+++ b/ansible/app-configs/mirotalk/src/config.js.j2
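Review bot: `"last_fm_api_secret": "{{ vault.vault_secret('env', 'LASTFM_API_SECRET') }}",` splices the secret into a JSON string literal without escaping, so a value containing `"` or `\` produces invalid JSON or a truncated secret; let Jinja produce the literal instead, `"last_fm_api_secret": {{ vault.vault_secret('env', 'LASTFM_API_SECRET') | to_json }},`, unless the macro already escapes its output (its body is outside this diff). The same pattern is in the lidify hunk above and in the multi-scrobbler, netbird management.json, radarec, sonashow and sourcebot hunks below; for the netbird URI fields that embed `MY_TLD` inside a longer string, apply the filter to the concatenated string rather than to the secret alone.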
@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 'use strict';
 const packageJson = require('../../package.json');
diff --git a/ansible/app-configs/multi-scrobbler/config.json.j2 b/ansible/app-configs/multi-scrobbler/config.json.j2
index 697a0cd5..faec1a4a 100644
--- a/ansible/app-configs/multi-scrobbler/config.json.j2
+++ b/ansible/app-configs/multi-scrobbler/config.json.j2
@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
@@ -27,8 +28,8 @@
 "clients": [],
 "name": "spotify",
 "data": {
- "clientId": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_ID'] }}",
- "clientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['YOUR_SPOTIFY_SECRET'] }}",
+ "clientId": "{{ vault.vault_secret('env', 'YOUR_SPOTIFY_ID') }}",
+ "clientSecret": "{{ vault.vault_secret('env', 'YOUR_SPOTIFY_SECRET') }}",
 "redirectUri": "http://localhost:9078/callback"
 }
 },
@@ -38,8 +39,8 @@
 "clients": [],
 "name": "lastfm",
 "data": {
- "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
- "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
+ "apiKey": "{{ vault.vault_secret('env', 'LASTFM_API_KEY') }}",
+ "secret": "{{ vault.vault_secret('env', 'LASTFM_API_SECRET') }}",
 "redirectUri": "http://localhost:9078/lastfm/callback"
 }
 },
@@ -49,7 +50,7 @@
 "clients": [],
 "name": "listenBrainz",
 "data": {
- "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
+ "token": "{{ vault.vault_secret('env', 'MALOJA_LISTENBRAINZ_TOKEN') }}",
 "username": "Trez.One"
 }
 },
@@ -61,7 +62,7 @@
 "data": {
 "url": "http://navidrome:4533",
 "user": "admin",
- "password": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NAVIDROME_PASSWORD'] }}"
+ "password": "{{ vault.vault_secret('env', 'NAVIDROME_PASSWORD') }}"
 }
 }
 ],
@@ -71,8 +72,8 @@
 "enable": true,
 "name": "lastFmClient",
 "data": {
- "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_KEY'] }}",
- "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LASTFM_API_SECRET'] }}",
+ "apiKey": "{{ vault.vault_secret('env', 'LASTFM_API_KEY') }}",
+ "secret": "{{ vault.vault_secret('env', 'LASTFM_API_SECRET') }}",
 "redirectUri": "http://localhost:9078/lastfm/callback"
 }
 },
@@ -81,7 +82,7 @@
 "enable": true,
 "name": "ListenBrainzClient",
 "data": {
- "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}",
+ "token": "{{ vault.vault_secret('env', 'MALOJA_LISTENBRAINZ_TOKEN') }}",
 "username": "Trez.One"
 }
 },
@@ -91,7 +92,7 @@
 "name": "maloja",
 "data": {
 "url": "http://maloja:42010",
- "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MALOJA_API_KEY'] }}"
+ "apiKey": "{{ vault.vault_secret('env', 'MALOJA_API_KEY') }}"
 }
 }
 ],
@@ -100,7 +101,7 @@
 "name": "Gotify",
 "type": "gotify",
 "url": "http://gotify",
- "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MULTI_SCROBBLER_GOTIFY_TOKEN'] }}",
+ "token": "{{ vault.vault_secret('env', 'MULTI_SCROBBLER_GOTIFY_TOKEN') }}",
 "priorities": {
 "info": 5,
 "warn": 7,
diff --git a/ansible/app-configs/netbird/management.json.j2 b/ansible/app-configs/netbird/management.json.j2
index 80d2bb29..6ec9e94b 100644
--- a/ansible/app-configs/netbird/management.json.j2
+++ b/ansible/app-configs/netbird/management.json.j2
@@ -1,8 +1,9 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {
 "Stuns": [
 {
 "Proto": "udp",
- "URI": "stun:netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:3478",
+ "URI": "stun:netbird.{{ vault.vault_secret('env', 'MY_TLD') }}:3478",
 "Username": "",
 "Password": null
 }
@@ -11,9 +12,9 @@
 "Turns": [
 {
 "Proto": "udp",
- "URI": "turn:netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:3478",
+ "URI": "turn:netbird.{{ vault.vault_secret('env', 'MY_TLD') }}:3478",
 "Username": "self",
- "Password": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_TURN_PASSWORD'] }}"
+ "Password": "{{ vault.vault_secret('env', 'NETBIRD_TURN_PASSWORD') }}"
 }
 ],
 "CredentialsTTL": "12h",
@@ -22,14 +23,14 @@
 },
 "Relay": {
 "Addresses": [
- "rel://netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:33080"
+ "rel://netbird.{{ vault.vault_secret('env', 'MY_TLD') }}:33080"
 ],
 "CredentialsTTL": "24h",
- "Secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_RELAY_AUTH_SECRET'] }}"
+ "Secret": "{{ vault.vault_secret('env', 'NETBIRD_RELAY_AUTH_SECRET') }}"
 },
 "Signal": {
 "Proto": "https",
- "URI": "netbird.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}:10001",
+ "URI": "netbird.{{ vault.vault_secret('env', 'MY_TLD') }}:10001",
 "Username": "",
 "Password": null
 },
@@ -47,14 +48,14 @@
 },
 "HttpConfig": {
 "Address": "0.0.0.0:33073",
- "AuthIssuer": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}",
+ "AuthIssuer": "https://auth.{{ vault.vault_secret('env', 'MY_TLD') }}",
 "AuthAudience": "netbird",
- "AuthKeysLocation": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/jwks.json",
+ "AuthKeysLocation": "https://auth.{{ vault.vault_secret('env', 'MY_TLD') }}/jwks.json",
 "AuthUserIDClaim": "",
 "CertFile": "",
 "CertKey": "",
 "IdpSignKeyRefreshEnabled": true,
- "OIDCConfigEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/.well-known/openid-configuration"
+ "OIDCConfigEndpoint": "https://auth.{{ vault.vault_secret('env', 'MY_TLD') }}/.well-known/openid-configuration"
 },
 "IdpManagerConfig": {},
 "DeviceAuthorizationFlow": {},
@@ -62,10 +63,10 @@
 "ProviderConfig": {
 "Audience": "netbird",
 "ClientID": "netbird",
- "ClientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}",
+ "ClientSecret": "{{ vault.vault_secret('env', 'AUTHELIA_NETBIRD_CLIENT_SECRET') }}",
 "Domain": "",
- "AuthorizationEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/api/oidc/authorization",
- "TokenEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/api/oidc/token",
+ "AuthorizationEndpoint": "https://auth.{{ vault.vault_secret('env', 'MY_TLD') }}/api/oidc/authorization",
+ "TokenEndpoint": "https://auth.{{ vault.vault_secret('env', 'MY_TLD') }}/api/oidc/token",
 "Scope": "openid profile email offline_access api",
 "RedirectURLs": [
 "http://localhost:53000"
diff --git a/ansible/app-configs/netbird/openid-configuration.json.j2 b/ansible/app-configs/netbird/openid-configuration.json.j2
index e233e3ee..492f7c80 100644
--- a/ansible/app-configs/netbird/openid-configuration.json.j2
+++ b/ansible/app-configs/netbird/openid-configuration.json.j2
@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {
 "issuer": "https://id.trez.wtf",
 "authorization_endpoint": "https://id.trez.wtf/oauth/v2/authorize",
diff --git a/ansible/app-configs/netbird/turnserver.conf.j2 b/ansible/app-configs/netbird/turnserver.conf.j2
index 97030f7a..7641c67d 100644
--- a/ansible/app-configs/netbird/turnserver.conf.j2
+++ b/ansible/app-configs/netbird/turnserver.conf.j2
@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 # Coturn TURN SERVER configuration file
 #
 # Boolean values note: where a boolean value is supposed to be used,
@@ -250,7 +251,7 @@ lt-cred-mech
 #user=username1:key1
 #user=username2:key2
 # OR:
-user=self:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_TURN_PASSWORD'] }}
+user=self:{{ vault.vault_secret('env', 'NETBIRD_TURN_PASSWORD') }}
 #user=username2:password2
 #
 # Keys must be generated by turnadmin utility. The key value depends
diff --git a/ansible/app-configs/plausible/clickhouse-config.xml.j2 b/ansible/app-configs/plausible/clickhouse-config.xml.j2
index 87e82195..14d78613 100644
--- a/ansible/app-configs/plausible/clickhouse-config.xml.j2
+++ b/ansible/app-configs/plausible/clickhouse-config.xml.j2
@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
diff --git a/ansible/app-configs/postal/postal.yml.j2 b/ansible/app-configs/postal/postal.yml.j2
index b365f101..a4a2df59 100644
--- a/ansible/app-configs/postal/postal.yml.j2
+++ b/ansible/app-configs/postal/postal.yml.j2
@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
@@ -18,13 +19,13 @@ web_server:
 main_db:
 host: mariadb
 username: postal
- password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_MYSQL_PASSWORD'] }}
+ password: {{ vault.vault_secret('env', 'POSTAL_MYSQL_PASSWORD') }}
 database: postal
 message_db:
 host: mariadb
 username: postal
- password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_MYSQL_PASSWORD'] }}
+ password: {{ vault.vault_secret('env', 'POSTAL_MYSQL_PASSWORD') }}
 prefix: postal
 smtp_server:
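Review bot: `password: {{ vault.vault_secret('env', 'POSTAL_MYSQL_PASSWORD') }}` in the postal main_db/message_db hunk emits the secret as a bare YAML scalar, so a value that begins with `*`, `&`, `[`, `{`, `!`, `%`, `@` or `` ` ``, or contains `: ` or ` #`, is misparsed or breaks the file, and a digits-only value is loaded as a number; `password: {{ vault.vault_secret('env', 'POSTAL_MYSQL_PASSWORD') | to_json }}` emits a correctly quoted string for any value (a JSON string is a valid YAML double-quoted scalar). The double-quoted form in the next postal hunk (`password: "{{ … }}"`) only narrows the problem to `"` and `\` inside the value and can use the same filter. The same unquoted pattern appears in the slskd.yml and searxng settings.yml hunks below.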
@@ -52,11 +53,11 @@ smtp:
 host: postal-smtp
 port: 25
 username: rinoa/postal-smtp
- password: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}"
+ password: "{{ vault.vault_secret('env', 'POSTAL_SMTP_AUTH_PASSWORD') }}"
 from_name: Postal @ Rinoa
 from_address: noreply@trez.wtf
 rails:
 # This is generated automatically by the config initialization. It should be a random
 # string unique to your installation.
- secret_key: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_RAILS_SECRET_KEY'] }}"
+ secret_key: "{{ vault.vault_secret('env', 'POSTAL_RAILS_SECRET_KEY') }}"
diff --git a/ansible/app-configs/prowlarr/config.xml.j2 b/ansible/app-configs/prowlarr/config.xml.j2
index f45b8eea..dd40491c 100644
--- a/ansible/app-configs/prowlarr/config.xml.j2
+++ b/ansible/app-configs/prowlarr/config.xml.j2
@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
@@ -7,7 +8,7 @@
 6969
 False
 True
- {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['PROWLARR_API_KEY'] }}
+ {{ vault.vault_secret('env', 'PROWLARR_API_KEY') }}
 Forms
 Enabled
 master
diff --git a/ansible/app-configs/radarec/config.json.j2 b/ansible/app-configs/radarec/config.json.j2
index a35180cc..4e1ef4b0 100644
--- a/ansible/app-configs/radarec/config.json.j2
+++ b/ansible/app-configs/radarec/config.json.j2
@@ -1,11 +1,12 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 {
 "radarr_address": "http://radarr:7878",
- "radarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['RADARR_API_KEY'] }}",
+ "radarr_api_key": "{{ vault.vault_secret('env', 'RADARR_API_KEY') }}",
 "root_folder_path": "/data/media/movies",
- "tmdb_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['TMDB_API_KEY'] }}",
+ "tmdb_api_key": "{{ vault.vault_secret('env', 'TMDB_API_KEY') }}",
 "fallback_to_top_result": false,
 "radarr_api_timeout": 120.0,
 "quality_profile_id": 1,
diff --git a/ansible/app-configs/radarr/config.xml.j2 b/ansible/app-configs/radarr/config.xml.j2
index e9a9baaa..5cec19fe 100644
--- a/ansible/app-configs/radarr/config.xml.j2
+++ b/ansible/app-configs/radarr/config.xml.j2
@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
@@ -8,7 +9,7 @@
 7878
- {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['RADARR_API_KEY'] }}
+ {{ vault.vault_secret('env', 'RADARR_API_KEY') }}
 Forms
 Docker
 9898
diff --git a/ansible/app-configs/readarr/config.xml.j2 b/ansible/app-configs/readarr/config.xml.j2
index 5eec003e..bb805e99 100644
--- a/ansible/app-configs/readarr/config.xml.j2
+++ b/ansible/app-configs/readarr/config.xml.j2
@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
@@ -7,7 +8,7 @@
 6868
 False
 True
- {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['READARR_API_KEY'] }}
+ {{ vault.vault_secret('env', 'READARR_API_KEY') }}
 Forms
 develop
 info
diff --git a/ansible/app-configs/romm/config.yml.j2 b/ansible/app-configs/romm/config.yml.j2
index 6503c7e3..00ae0781 100644
--- a/ansible/app-configs/romm/config.yml.j2
+++ b/ansible/app-configs/romm/config.yml.j2
@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 # This is a generic example of a configuration file
 # Rename this file to `config.yml`, copy it to a `config` folder, and mount that folder as per the docker-compose.example.yml
 # Only uncomment the lines you want to use/modify, or add new ones where needed
diff --git a/ansible/app-configs/sabnzbdvpn/sabnzbd.ini.j2 b/ansible/app-configs/sabnzbdvpn/sabnzbd.ini.j2
index f9e2f6e7..71c46cab 100644
--- a/ansible/app-configs/sabnzbdvpn/sabnzbd.ini.j2
+++ b/ansible/app-configs/sabnzbdvpn/sabnzbd.ini.j2
@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
@@ -22,7 +23,7 @@ host = 0.0.0.0
 port = 8080
 https_port = 8090
 username = thetrezuredone
-password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_PASSWORD'] }}
+password = {{ vault.vault_secret('env', 'SABNZBDVPN_PASSWORD') }}
 bandwidth_max = 1000M
 cache_limit = 1G
 web_dir = Glitter
@@ -33,7 +34,7 @@ https_chain = ""
 enable_https = 1
 inet_exposure = 0
 local_ranges = ,
-api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_API_KEY'] }}
+api_key = {{ vault.vault_secret('env', 'SABNZBDVPN_API_KEY') }}
 nzb_key = 3c0fa874bb2748b58c1bd7512e649946
 permissions = 775
 download_dir = /storage/downloads/incomplete
@@ -342,7 +343,7 @@ host = news.newshosting.com
 port = 563
 timeout = 60
 username = thetrezuredone
-password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSK_USER_PASSWORD'] }}
+password = {{ vault.vault_secret('env', 'SLSK_USER_PASSWORD') }}
 connections = 8
 ssl = 1
 ssl_verify = 3
@@ -363,7 +364,7 @@ host = news.easynews.com
 port = 443
 timeout = 60
 username = TrezOne
-password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SABNZBDVPN_EASYNEWS_PASSWORD'] }}
+password = {{ vault.vault_secret('env', 'SABNZBDVPN_EASYNEWS_PASSWORD') }}
 connections = 60
 ssl = 0
 ssl_verify = 3
diff --git a/ansible/app-configs/scrutiny/config/config.yaml.j2 b/ansible/app-configs/scrutiny/config/config.yaml.j2
index e192a936..e075dccb 100644
--- a/ansible/app-configs/scrutiny/config/config.yaml.j2
+++ b/ansible/app-configs/scrutiny/config/config.yaml.j2
@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
diff --git a/ansible/app-configs/searxng/settings.yml.j2 b/ansible/app-configs/searxng/settings.yml.j2
index a9c081c8..7dc863aa 100644
--- a/ansible/app-configs/searxng/settings.yml.j2
+++ b/ansible/app-configs/searxng/settings.yml.j2
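Review bot: The `nzb_key = <hard-coded value>` line two lines below the rewritten `api_key` is still a plaintext credential committed to the repository (SABnzbd accepts it as a limited API key for adding NZBs), so it should be sourced the same way, `nzb_key = {{ vault.vault_secret('env', '<NZB_KEY_SECRET_NAME>') }}`, and the committed value rotated since it is already in history. In the `news.newshosting.com` hunk the Usenet password is fetched as `SLSK_USER_PASSWORD`, the same key the slskd.yml hunk below uses for the Soulseek account; if that is deliberate credential reuse across two unrelated providers it deserves a comment, and if it is a copy-paste slip it is the wrong secret. A per-provider key such as `SABNZBDVPN_NEWSHOSTING_PASSWORD` (constructed name) would match the `SABNZBDVPN_EASYNEWS_PASSWORD` convention used in the next hunk.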
@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
@@ -82,7 +83,7 @@ server:
 # If your instance owns a /etc/searxng/settings.yml file, then set the following
 # values there.
- secret_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SEARXNG_SECRET_KEY'] }} # Is overwritten by ${SEARXNG_SECRET}
+ secret_key: {{ vault.vault_secret('env', 'SEARXNG_SECRET_KEY') }} # Is overwritten by ${SEARXNG_SECRET}
 # Proxying image results through searx
 image_proxy: true
 # 1.0 and 1.1 are supported
diff --git a/ansible/app-configs/searxng/uwsgi.ini.j2 b/ansible/app-configs/searxng/uwsgi.ini.j2
index 0a01698e..2fbefd4c 100644
--- a/ansible/app-configs/searxng/uwsgi.ini.j2
+++ b/ansible/app-configs/searxng/uwsgi.ini.j2
@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
diff --git a/ansible/app-configs/signoz/clickhouse/cluster.ha.xml.j2 b/ansible/app-configs/signoz/clickhouse/cluster.ha.xml.j2
index c2d4368e..b3eede7e 100644
--- a/ansible/app-configs/signoz/clickhouse/cluster.ha.xml.j2
+++ b/ansible/app-configs/signoz/clickhouse/cluster.ha.xml.j2
@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
diff --git a/ansible/app-configs/signoz/otel/otel-collector-config.yaml.j2 b/ansible/app-configs/signoz/otel/otel-collector-config.yaml.j2
index 9830a122..6f25c7cd 100644
--- a/ansible/app-configs/signoz/otel/otel-collector-config.yaml.j2
+++ b/ansible/app-configs/signoz/otel/otel-collector-config.yaml.j2
@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 receivers:
 otlp:
 protocols:
diff --git a/ansible/app-configs/signoz/otel/otel-collector-opamp-config.yaml.j2 b/ansible/app-configs/signoz/otel/otel-collector-opamp-config.yaml.j2
index 72676077..e685c1ca 100644
--- a/ansible/app-configs/signoz/otel/otel-collector-opamp-config.yaml.j2
+++ b/ansible/app-configs/signoz/otel/otel-collector-opamp-config.yaml.j2
@@ -1 +1,2 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 server_endpoint: ws://signoz:4320/v1/opamp
diff --git a/ansible/app-configs/signoz/prometheus.yml.j2 b/ansible/app-configs/signoz/prometheus.yml.j2
index 683e5e19..57b3f326 100644
--- a/ansible/app-configs/signoz/prometheus.yml.j2
+++ b/ansible/app-configs/signoz/prometheus.yml.j2
@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 # my global config
 global:
 scrape_interval: 5s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
diff --git a/ansible/app-configs/sonarr/config.xml.j2 b/ansible/app-configs/sonarr/config.xml.j2
index cb4f0f35..cf310288 100644
--- a/ansible/app-configs/sonarr/config.xml.j2
+++ b/ansible/app-configs/sonarr/config.xml.j2
@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
@@ -8,7 +9,7 @@
 9898
 *
- {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SONARR_API_KEY'] }}
+ {{ vault.vault_secret('env', 'SONARR_API_KEY') }}
 Forms
 Docker
 True
diff --git a/ansible/app-configs/sonashow/config.json.j2 b/ansible/app-configs/sonashow/config.json.j2
index 5441e156..caecc991 100644
--- a/ansible/app-configs/sonashow/config.json.j2
+++ b/ansible/app-configs/sonashow/config.json.j2
@@ -1,12 +1,13 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 {
 "sonarr_address": "http://192.168.1.2:8989",
- "sonarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SONARR_API_KEY'] }}",
+ "sonarr_api_key": "{{ vault.vault_secret('env', 'SONARR_API_KEY') }}",
 "root_folder_path": "/data/media/shows",
 "tvdb_api_key": "",
- "tmdb_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['TMDB_API_KEY'] }}",
+ "tmdb_api_key": "{{ vault.vault_secret('env', 'TMDB_API_KEY') }}",
 "fallback_to_top_result": false,
 "sonarr_api_timeout": 120.0,
 "quality_profile_id": 1,
diff --git a/ansible/app-configs/soularr/config.ini.j2 b/ansible/app-configs/soularr/config.ini.j2
index 2de58ec5..073b6174 100644
--- a/ansible/app-configs/soularr/config.ini.j2
+++ b/ansible/app-configs/soularr/config.ini.j2
@@ -1,8 +1,9 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 [Lidarr]
-api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['LIDARR_API_KEY'] }}
+api_key = {{ vault.vault_secret('env', 'LIDARR_API_KEY') }}
 host_url = http://lidarr:8686
 #This should be the path mounted in lidarr that points to your slskd download directory.
 #If Lidarr is not running in Docker then this may just be the same dir as Slskd is using below.
@@ -10,7 +11,7 @@ download_dir = /storage
 
 [Slskd]
 #Api key from Slskd. Need to set this up manually. See link to Slskd docs above.
-api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_API_KEY'] }}
+api_key = {{ vault.vault_secret('env', 'SLSKD_API_KEY') }}
 host_url = http://gluetun:5030
 #Slskd download directory. Should have set it up when installing Slskd.
 download_dir = /app/downloads
diff --git a/ansible/app-configs/soulseek/slskd.yml.j2 b/ansible/app-configs/soulseek/slskd.yml.j2
index 2890f689..4544f9e2 100644
--- a/ansible/app-configs/soulseek/slskd.yml.j2
+++ b/ansible/app-configs/soulseek/slskd.yml.j2
@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 
@@ -198,15 +199,15 @@ rooms:
 web:
 authentication:
 username: slskd
-password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_WEB_PASSSWORD'] }}
+password: {{ vault.vault_secret('env', 'SLSKD_WEB_PASSSWORD') }}
 api_keys:
 my_api_key:
-key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSKD_API_KEY'] }}
+key: {{ vault.vault_secret('env', 'SLSKD_API_KEY') }}
 role: readwrite
 cidr: 0.0.0.0/0,::/0
 soulseek:
 address: vps.slsknet.org
 port: 2271
 username: Trez.One
-password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['SLSK_USER_PASSWORD'] }}
+password: {{ vault.vault_secret('env', 'SLSK_USER_PASSWORD') }}
 diagnostic_level: Info
diff --git a/ansible/app-configs/sourcebot/config.json.j2 b/ansible/app-configs/sourcebot/config.json.j2
index 5a522c03..70cc3c8b 100644
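Review bot: `password: {{ vault.vault_secret('env', 'SLSKD_WEB_PASSSWORD') }}` and the `key:` and second `password:` lines below it still emit the secret as an unquoted YAML plain scalar, so a value containing `: `, ` #`, or a leading `*`, `&`, `[`, `{` or quote character changes how the file parses instead of being taken literally. Rendering the value as a JSON string, `password: {{ vault.vault_secret('env', 'SLSKD_WEB_PASSSWORD') | to_json }}`, produces a valid double-quoted YAML scalar for any content, provided the macro's trailing newline is trimmed first so it is not encoded into the value. The vector, wazuh.yml and zitadel hunks have the same shape.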
--- a/ansible/app-configs/sourcebot/config.json.j2 +++ b/ansible/app-configs/sourcebot/config.json.j2 @@ -1,3 +1,4 @@ +{% import '../macros/rinoa-macros.j2' as vault %} {% set vault_addr = 'https://vault.trez.wtf' %} {% set secrets_path = 'rinoa-docker/env' %} @@ -6,7 +7,7 @@ "repos": [ { "type": "gitea", - "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['GITEA_SONARQUBE_BOT_GITEA_TOKEN'] }}", + "token": "{{ vault.vault_secret('env', 'GITEA_SONARQUBE_BOT_GITEA_TOKEN') }}", "url": "https://git.trez.wtf", "revisions": { "branches": [ diff --git a/ansible/app-configs/traccar/traccar.xml.j2 b/ansible/app-configs/traccar/traccar.xml.j2 index 8d1f9bc5..95b467ce 100644 --- a/ansible/app-configs/traccar/traccar.xml.j2 +++ b/ansible/app-configs/traccar/traccar.xml.j2 @@ -1,3 +1,4 @@ +{% import '../macros/rinoa-macros.j2' as vault %} {% set vault_addr = 'https://vault.trez.wtf' %} {% set secrets_path = 'rinoa-docker/env' %} @@ -24,6 +25,6 @@ org.postgresql.Driver jdbc:postgresql://traccar-pg:5432/traccar-db traccar - {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['WAZUH_API_PASSWORD'] }} + {{ vault.vault_secret('env', 'WAZUH_API_PASSWORD') }} diff --git a/ansible/app-configs/unmanic/settings.json.j2 b/ansible/app-configs/unmanic/settings.json.j2 index 3780f978..625f2057 100644 --- a/ansible/app-configs/unmanic/settings.json.j2 +++ b/ansible/app-configs/unmanic/settings.json.j2 @@ -1,3 +1,4 @@ +{% import '../macros/rinoa-macros.j2' as vault %} {% set vault_addr = 'https://vault.trez.wtf' %} {% set secrets_path = 'rinoa-docker/env' %} diff --git a/ansible/app-configs/vector/vector.yaml.j2 b/ansible/app-configs/vector/vector.yaml.j2 index 45610c91..16c2296b 100644 --- a/ansible/app-configs/vector/vector.yaml.j2 +++ b/ansible/app-configs/vector/vector.yaml.j2 
@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 sources:
 rinoa_docker_logs:
 type: docker_logs
@@ -21,7 +22,7 @@
 auth:
 strategy: basic
 user: admin
-password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['PARSEABLE_PASSWORD'] }}
+password: {{ vault.vault_secret('env', 'PARSEABLE_PASSWORD') }}
 request:
 headers:
 X-P-Stream: rinoa-docker-logs
diff --git a/ansible/app-configs/wazuh/certs.yml.j2 b/ansible/app-configs/wazuh/certs.yml.j2
index ee3ee970..73745870 100644
--- a/ansible/app-configs/wazuh/certs.yml.j2
+++ b/ansible/app-configs/wazuh/certs.yml.j2
@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 
diff --git a/ansible/app-configs/wazuh/wazuh.indexer.yml.j2 b/ansible/app-configs/wazuh/wazuh.indexer.yml.j2
index 7bff9be1..12e6e7a4 100644
--- a/ansible/app-configs/wazuh/wazuh.indexer.yml.j2
+++ b/ansible/app-configs/wazuh/wazuh.indexer.yml.j2
@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 
diff --git a/ansible/app-configs/wazuh/wazuh.yml.j2 b/ansible/app-configs/wazuh/wazuh.yml.j2
index bb1995c8..f6f7945a 100644
--- a/ansible/app-configs/wazuh/wazuh.yml.j2
+++ b/ansible/app-configs/wazuh/wazuh.yml.j2
@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 
@@ -6,5 +7,5 @@ hosts:
 url: "https://wazuh.manager"
 port: 55000
 username: wazuh-wui
-password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['WAZUH_API_PASSWORD'] }}
+password: {{ vault.vault_secret('env', 'WAZUH_API_PASSWORD') }}
 run_as: false
diff --git a/ansible/app-configs/youtubedl/config.yml.j2 b/ansible/app-configs/youtubedl/config.yml.j2
index cead77f8..789185d6 100644
--- a/ansible/app-configs/youtubedl/config.yml.j2
+++ b/ansible/app-configs/youtubedl/config.yml.j2
@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 
diff --git a/ansible/app-configs/zitadel/config.yaml.j2 b/ansible/app-configs/zitadel/config.yaml.j2
index 708a5a64..0663408a 100644
--- a/ansible/app-configs/zitadel/config.yaml.j2
+++ b/ansible/app-configs/zitadel/config.yaml.j2
@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 
@@ -37,7 +38,7 @@ SMTPConfiguration:
 SMTP:
 # must include the port, like smtp.mailtrap.io:2525. IPv6 is also supported, like [2001:db8::1]:2525
 Host: 'postal-smtp:25'
-User: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}
-Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}
+User: {{ vault.vault_secret('env', 'POSTAL_SMTP_AUTH_USER') }}
+Password: {{ vault.vault_secret('env', 'POSTAL_SMTP_AUTH_PASSWORD') }}
 From: 'noreply@trez.wtf'
 FromName: 'Zitadel @ Rinoa'
\ No newline at end of file
diff --git a/ansible/app-configs/zitadel/init-steps.yaml.j2 b/ansible/app-configs/zitadel/init-steps.yaml.j2
index e89ac851..ff750f98 100644
--- a/ansible/app-configs/zitadel/init-steps.yaml.j2
+++ b/ansible/app-configs/zitadel/init-steps.yaml.j2
@@ -1,3 +1,4 @@
+{% import '../macros/rinoa-macros.j2' as vault %}
 {% set vault_addr = 'https://vault.trez.wtf' %}
 {% set secrets_path = 'rinoa-docker/env' %}
 
diff --git a/ansible/app-configs/zitadel/secrets.yaml.j2 b/ansible/app-configs/zitadel/secrets.yaml.j2 index 201034c8..97737b7a 100644 --- a/ansible/app-configs/zitadel/secrets.yaml.j2 +++ b/ansible/app-configs/zitadel/secrets.yaml.j2 @@ -1,3 +1,4 @@ +{% import '../macros/rinoa-macros.j2' as vault %} {% set vault_addr = 'https://vault.trez.wtf' %} {% set secrets_path = 'rinoa-docker/env' %} @@ -7,7 +8,7 @@ Database: User: # If the user doesn't exist already, it is created Username: 'zitadel' - Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ZITADEL_DB_PASSWORD'] }} + Password: {{ vault.vault_secret('env', 'ZITADEL_DB_PASSWORD') }} Admin: Username: 'root' - Password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['ZITADEL_DB_ADMIN_PASSWORD'] }} \ No newline at end of file + Password: {{ vault.vault_secret('env', 'ZITADEL_DB_ADMIN_PASSWORD') }} \ No newline at end of file diff --git a/ansible/macros/rinoa-macros.j2 b/ansible/macros/rinoa-macros.j2 new file mode 100644 index 00000000..b1d8ec95 --- /dev/null +++ b/ansible/macros/rinoa-macros.j2 @@ -0,0 +1,3 @@ +{% macro vault_secret(secret_path, key) %} +{{ lookup('community.hashi_vault.vault_kv2_get', secret_path, engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret'][key] }} +{% endmacro %} \ No newline at end of file -- 2.52.0
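Review bot: `vault_secret` in the new `ansible/macros/rinoa-macros.j2` reads `vault_addr` and `vault_token_cleaned`, which are neither macro parameters nor defined in that file; every caller imports it with a plain `{% import ... as vault %}`, which in Jinja2 does not pass the importing template's context, so inside the macro those names resolve only if they happen to be environment globals, and the `{% set vault_addr = ... %}` kept in each template does not reach it. Make the dependency explicit: the macro file can carry `{% set vault_addr = 'https://vault.trez.wtf' %}` itself, and the token should be a parameter, `{% macro vault_secret(secret_path, key, token) %}` with callers passing `vault_token_cleaned`; `with context` on the import is a weaker fix because it only captures what is in the context at the import point. With `engine_mount_point='rinoa-docker'` and the `'env'` path now fixed in one place, the per-template `{% set secrets_path = 'rinoa-docker/env' %}` lines are unused and could be dropped in a follow-up.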