diff --git a/ansible.cfg b/ansible.cfg index 293f6a0..f4e3058 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -4,3 +4,4 @@ collections_path = ./collections host_key_checking = False retry_files_enabled = False strategy_plugins = plugins/mitogen-0.3.44/ansible_mitogen/plugins/strategy +strategy = mitogen_free diff --git a/app-configs/_macros/hashivault_kv2.j2 b/app-configs/_macros/hashivault_kv2.j2 new file mode 100644 index 0000000..569820b --- /dev/null +++ b/app-configs/_macros/hashivault_kv2.j2 @@ -0,0 +1,7 @@ +{% macro kv2_field(term, field, mount_point) -%} +{{ lookup( + 'community.hashi_vault.vault_kv2_get', + term, + engine_mount_point=mount_point + )['secret'][field] }} +{%- endmacro %} \ No newline at end of file diff --git a/app-configs/aranea/dagu/dags/mariadb-backups.yaml.j2 b/app-configs/aranea/dagu/dags/mariadb-backups.yaml.j2 index 953956f..92b0a62 100644 --- a/app-configs/aranea/dagu/dags/mariadb-backups.yaml.j2 +++ b/app-configs/aranea/dagu/dags/mariadb-backups.yaml.j2 @@ -1,11 +1,11 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + name: mariadb-backup description: "Backup of all databases from MariaDB container" schedule: "30 23 * * *" env: - MARIADB_ROOT_PASSWORD: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['MARIADB_ENVIRONMENT_MYSQL_ROOT_PASSWORD'] }} + MARIADB_ROOT_PASSWORD: \{\{ vault.kv2_field\('env', 'MARIADB_ENVIRONMENT_MYSQL_ROOT_PASSWORD', vault_engine_mount_point) }} steps: - name: list-all-databases diff --git a/app-configs/rikku/adguard/conf/AdGuardHome.yaml.j2 b/app-configs/rikku/adguard/conf/AdGuardHome.yaml.j2 index 320e641..a45f4c4 100644 --- a/app-configs/rikku/adguard/conf/AdGuardHome.yaml.j2 +++ b/app-configs/rikku/adguard/conf/AdGuardHome.yaml.j2 @@ -1,5 +1,5 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rikku-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + http: pprof: @@ -9,7 +9,7 @@ http: session_ttl: 720h users: - name: admin - password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rikku-docker', url=vault_addr, token=vault_token)['secret']['ADGUARD_BCRYPT'] }} + password: \{\{ vault.kv2_field\('env', 'ADGUARD_BCRYPT', vault_engine_mount_point) }} auth_attempts: 5 block_auth_min: 15 http_proxy: "" diff --git a/app-configs/rinoa/adguardhome/conf/AdGuardHome.yaml.j2 b/app-configs/rinoa/adguardhome/conf/AdGuardHome.yaml.j2 index 50035dc..1be851c 100644 --- a/app-configs/rinoa/adguardhome/conf/AdGuardHome.yaml.j2 +++ b/app-configs/rinoa/adguardhome/conf/AdGuardHome.yaml.j2 @@ -1,5 +1,5 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + http: pprof: @@ -9,7 +9,7 @@ http: session_ttl: 720h users: - name: admin - password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['ADGUARD_BCRYPT'] }} + password: \{\{ vault.kv2_field\('env', 'ADGUARD_BCRYPT', vault_engine_mount_point) }} auth_attempts: 5 block_auth_min: 15 http_proxy: "" diff --git a/app-configs/rinoa/apprise/conf/apprise.yml.j2 b/app-configs/rinoa/apprise/conf/apprise.yml.j2 index ac83b1a..7cd7e5d 100644 --- a/app-configs/rinoa/apprise/conf/apprise.yml.j2 +++ b/app-configs/rinoa/apprise/conf/apprise.yml.j2 @@ -1,6 +1,6 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + urls: - - gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['APPRISE_GOTIFY_TOKEN'] }} - - hassio://192.168.1.252/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['APPRISE_HA_TOKEN'] }} - - mailto://postal-smtp:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}@postal-smtp:25?from=noreply@trez.wtf \ No newline at end of file + - gotify://gotify/\{\{ vault.kv2_field\('env', 'APPRISE_GOTIFY_TOKEN', vault_engine_mount_point) }} + - hassio://192.168.1.252/\{\{ vault.kv2_field\('env', 'APPRISE_HA_TOKEN', vault_engine_mount_point) }} + - mailto://postal-smtp:\{\{ vault.kv2_field\('env', 'POSTAL_SMTP_AUTH_PASSWORD', vault_engine_mount_point) }}@postal-smtp:25?from=noreply@trez.wtf \ No newline at end of file diff --git a/app-configs/rinoa/authelia/configuration.yml.j2 b/app-configs/rinoa/authelia/configuration.yml.j2 index cdf7508..054a3c7 100644 --- a/app-configs/rinoa/authelia/configuration.yml.j2 +++ b/app-configs/rinoa/authelia/configuration.yml.j2 @@ -1,5 +1,5 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + # yaml-language-server: $schema=https://www.authelia.com/schemas/latest/json-schema/configuration.json --- @@ -64,11 +64,11 @@ authentication_backend: mail: mail display_name: displayName user: uid=authelia,ou=people,dc=trez,dc=wtf - password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['AUTHELIA_AUTH_BIND_LDAP_PASSWORD'] }}' + password: "{{ vault.kv2_field('env', 'AUTHELIA_AUTH_BIND_LDAP_PASSWORD', vault_engine_mount_point) }}" refresh_interval: 5m identity_validation: reset_password: - jwt_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['AUTHELIA_JWT_SECRET'] }}' + jwt_secret: "{{ vault.kv2_field('env', 'AUTHELIA_JWT_SECRET', vault_engine_mount_point) }}" password_policy: standard: enabled: true @@ -92,7 +92,7 @@ access_control: rules: - domain_regex: - '^trez.wtf$' - - ^www.trez.wtf$'' + - ^www.trez.wtf$' policy: bypass - domain: '*.trez.wtf' policy: bypass @@ -112,7 +112,7 @@ access_control: policy: bypass session: name: authelia_session - secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['AUTHELIA_SESSION_SECRET'] }}' + secret: "{{ vault.kv2_field('env', 'AUTHELIA_SESSION_SECRET', vault_engine_mount_point) }}" expiration: 1h inactivity: 5m remember_me: 1M @@ -124,12 +124,12 @@ session: port: 6379 database_index: 0 storage: - encryption_key: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['AUTHELIA_STORAGE_ENCRYPTION_KEY'] }}' + encryption_key: "{{ vault.kv2_field('env', 'AUTHELIA_STORAGE_ENCRYPTION_KEY', vault_engine_mount_point) }}" postgres: address: 'tcp://authelia-pg:5432' database: authelia username: authelia - password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['AUTHELIA_STORAGE_POSTGRES_PASSWORD'] }}' + password: "{{ vault.kv2_field('env', 'AUTHELIA_STORAGE_POSTGRES_PASSWORD', vault_engine_mount_point) }}" timeout: '5s' regulation: max_retries: 3 @@ -140,8 +140,8 @@ notifier: smtp: address: 'smtp://postal-smtp:25' timeout: '5s' - username: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['POSTAL_SMTP_AUTH_USER'] }}' - password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}' + username: "{{ vault.kv2_field('env', 'POSTAL_SMTP_AUTH_USER', vault_engine_mount_point) }}" + password: "{{ vault.kv2_field('env', 'POSTAL_SMTP_AUTH_PASSWORD', vault_engine_mount_point) }}" sender: "Authelia " identifier: 'localhost' subject: "[Authelia] {title}" @@ -151,10 +151,10 @@ notifier: disable_html_emails: false identity_providers: oidc: - hmac_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['AUTHELIA_OIDC_HMAC_SECRET'] }}' + hmac_secret: "{{ vault.kv2_field('env', 'AUTHELIA_OIDC_HMAC_SECRET', vault_engine_mount_point) }}" jwks: - key: | - {{ lookup("community.hashi_vault.vault_kv2_get", "env", engine_mount_point="rinoa-docker", url=vault_addr, token=vault_token)["secret"]["AUTHELIA_OIDC_JWKS_KEY"] | replace("\\n", "\n") | indent(10) }} + {{ vault.kv2_field('env', 'AUTHELIA_OIDC_JWKS_KEY', vault_engine_mount_point) | replace("\\n", "\n") | indent(10) }} cors: allowed_origins_from_client_redirect_uris: true endpoints: @@ -166,7 +166,7 @@ identity_providers: clients: - client_id: 'netbird' client_name: 'NetBird' - client_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}' + client_secret: "{{ vault.kv2_field('env', 'AUTHELIA_NETBIRD_CLIENT_SECRET', vault_engine_mount_point) }}" public: false authorization_policy: 'two_factor' redirect_uris: diff --git a/app-configs/rinoa/crowdsec/acquis.yaml.j2 b/app-configs/rinoa/crowdsec/acquis.yaml.j2 index a2b7fc1..b69b1ca 100644 --- a/app-configs/rinoa/crowdsec/acquis.yaml.j2 +++ b/app-configs/rinoa/crowdsec/acquis.yaml.j2 @@ -1,5 +1,5 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + source: journalctl journalctl_filter: - "--directory=/var/log/host/" diff --git a/app-configs/rinoa/crowdsec/config.yaml.j2 b/app-configs/rinoa/crowdsec/config.yaml.j2 index 46a4e81..cc032b4 100644 --- a/app-configs/rinoa/crowdsec/config.yaml.j2 +++ b/app-configs/rinoa/crowdsec/config.yaml.j2 @@ -1,5 +1,5 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + common: daemonize: false log_media: stdout diff --git a/app-configs/rinoa/crowdsec/local-api-credentials.yaml.j2 b/app-configs/rinoa/crowdsec/local-api-credentials.yaml.j2 index 726d372..63dcfb0 100644 --- a/app-configs/rinoa/crowdsec/local-api-credentials.yaml.j2 +++ b/app-configs/rinoa/crowdsec/local-api-credentials.yaml.j2 @@ -1,6 +1,6 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + url: http://0.0.0.0:8080 login: localhost -password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['CROWDSEC_LOCAL_API_KEY'] }} \ No newline at end of file +password: \{\{ vault.kv2_field\('env', 'CROWDSEC_LOCAL_API_KEY', vault_engine_mount_point) }} \ No newline at end of file diff --git a/app-configs/rinoa/crowdsec/online-api-credentials.yaml.j2 b/app-configs/rinoa/crowdsec/online-api-credentials.yaml.j2 index 36574e9..a7ade04 100644 --- a/app-configs/rinoa/crowdsec/online-api-credentials.yaml.j2 +++ b/app-configs/rinoa/crowdsec/online-api-credentials.yaml.j2 @@ -1,6 +1,6 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + url: https://api.crowdsec.net/ -login: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['CROWDSEC_ONLINE_PASSWORD'] }} -password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['CROWDSEC_ONLINE_PASSWORD'] }} \ No newline at end of file +login: \{\{ vault.kv2_field\('env', 'CROWDSEC_ONLINE_PASSWORD', vault_engine_mount_point) }} +password: \{\{ vault.kv2_field\('env', 'CROWDSEC_ONLINE_PASSWORD', vault_engine_mount_point) }} \ No newline at end of file diff --git a/app-configs/rinoa/crowdsec/profiles.yaml.j2 b/app-configs/rinoa/crowdsec/profiles.yaml.j2 index 0dfb52c..2cf69fd 100644 --- a/app-configs/rinoa/crowdsec/profiles.yaml.j2 +++ b/app-configs/rinoa/crowdsec/profiles.yaml.j2 @@ -1,5 +1,5 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + name: default_ip_remediation #debug: true diff --git a/app-configs/rinoa/explo/local.env.j2 b/app-configs/rinoa/explo/local.env.j2 index 81a8470..eca6a10 100644 --- a/app-configs/rinoa/explo/local.env.j2 +++ b/app-configs/rinoa/explo/local.env.j2 @@ -1,15 +1,15 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + EXPLO_SYSTEM: subsonic SYSTEM_URL: http://navidrome:4533 -SYSTEM_USERNAME: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['NAVIDROME_USERNAME'] }} -SYSTEM_PASSWORD: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['NAVIDROME_PASSWORD'] }} +SYSTEM_USERNAME: \{\{ vault.kv2_field\('env', 'NAVIDROME_USERNAME', vault_engine_mount_point) }} +SYSTEM_PASSWORD: \{\{ vault.kv2_field\('env', 'NAVIDROME_PASSWORD', vault_engine_mount_point) }} DOWNLOAD_DIR: /downloads PLAYLIST_DIR: /playlists LISTENBRAINZ_USER: Trez.One -YOUTUBE_API_KEY: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['YOUTUBE_DATA_API_V3_KEY'] }} +YOUTUBE_API_KEY: \{\{ vault.kv2_field\('env', 'YOUTUBE_DATA_API_V3_KEY', vault_engine_mount_point) }} SLSKD_URL: http://gluetun:5030 -SLSK_API_KEY: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['SLSKD_API_KEY'] }} +SLSK_API_KEY: \{\{ vault.kv2_field\('env', 'SLSKD_API_KEY', vault_engine_mount_point) }} DOWNLOAD_SERVICES: # Assign a custom path to yt-dlp # YTDLP_PATH= diff --git a/app-configs/rinoa/garage/garage.toml.j2 b/app-configs/rinoa/garage/garage.toml.j2 index e4b0371..ad83ade 100644 --- a/app-configs/rinoa/garage/garage.toml.j2 +++ b/app-configs/rinoa/garage/garage.toml.j2 @@ -9,7 +9,7 @@ compression_level = 10 rpc_bind_addr = "[::]:3901" rpc_public_addr = "localhost:3901" -rpc_secret = "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['GARAGE_RPC_SECRET'] }}" +rpc_secret = "\{\{ vault.kv2_field\('env', 'GARAGE_RPC_SECRET', vault_engine_mount_point) }}" [s3_api] s3_region = "us-east-fh-pln" @@ -22,5 +22,5 @@ root_domain = ".garage.trez.wtf" [admin] api_bind_addr = "[::]:3903" -admin_token = "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['GARAGE_ADMIN_TOKEN'] }}" -metrics_token = "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['GARAGE_METRICS_TOKEN'] }}" \ No newline at end of file +admin_token = "\{\{ vault.kv2_field\('env', 'GARAGE_ADMIN_TOKEN', vault_engine_mount_point) }}" +metrics_token = "\{\{ vault.kv2_field\('env', 'GARAGE_METRICS_TOKEN', vault_engine_mount_point) }}" \ No newline at end of file diff --git a/app-configs/rinoa/ghost/ghost_config.production.json.j2 b/app-configs/rinoa/ghost/ghost_config.production.json.j2 index 371e392..ddae414 100644 --- a/app-configs/rinoa/ghost/ghost_config.production.json.j2 +++ b/app-configs/rinoa/ghost/ghost_config.production.json.j2 @@ -1,5 +1,5 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + { "url": "blog.trez.wtf", @@ -9,7 +9,7 @@ "host" : "mariadb", "port" : 3306, "user" : "ghost", - "password" : "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['GHOST_DB_PASSWORD'] }}", + "password" : "\{\{ vault.kv2_field\('env', 'GHOST_DB_PASSWORD', vault_engine_mount_point) }}", "database" : "ghost_db" } }, @@ -21,8 +21,8 @@ "port": 25, "secure": false, "auth": { - "user": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['POSTAL_SMTP_AUTH_USER'] }}", - "pass": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}" + "user": "\{\{ vault.kv2_field\('env', 'POSTAL_SMTP_AUTH_USER', vault_engine_mount_point) }}", + "pass": "\{\{ vault.kv2_field\('env', 'POSTAL_SMTP_AUTH_PASSWORD', vault_engine_mount_point) }}" } } }, diff --git a/app-configs/rinoa/gitea/conf/app.ini.j2 b/app-configs/rinoa/gitea/conf/app.ini.j2 index 8bcf80f..ce94981 100644 --- a/app-configs/rinoa/gitea/conf/app.ini.j2 +++ b/app-configs/rinoa/gitea/conf/app.ini.j2 @@ -1,5 +1,5 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + APP_NAME = Gitea: Git with a cup of tea RUN_MODE = prod @@ -27,7 +27,7 @@ DISABLE_SSH = false SSH_PORT = 22 SSH_LISTEN_PORT = 22 LFS_START_SERVER = true -LFS_JWT_SECRET = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['GITEA_LFS_JWT_SECRET'] }} +LFS_JWT_SECRET = \{\{ vault.kv2_field\('env', 'GITEA_LFS_JWT_SECRET', vault_engine_mount_point) }} OFFLINE_MODE = true [database] @@ -36,7 +36,7 @@ DB_TYPE = postgres HOST = gitea-db:5432 NAME = gitea USER = gitea -PASSWD = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['GITEA_PG_DB_PASSWORD'] }} +PASSWD = \{\{ vault.kv2_field\('env', 'GITEA_PG_DB_PASSWORD', vault_engine_mount_point) }} LOG_SQL = false SCHEMA = SSL_MODE = disable @@ -70,7 +70,7 @@ INSTALL_LOCK = true SECRET_KEY = REVERSE_PROXY_LIMIT = 1 REVERSE_PROXY_TRUSTED_PROXIES = * -INTERNAL_TOKEN = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['GITEA_INTERNAL_TOKEN'] }} +INTERNAL_TOKEN = \{\{ vault.kv2_field\('env', 'GITEA_INTERNAL_TOKEN', vault_engine_mount_point) }} PASSWORD_HASH_ALGO = pbkdf2 [service] @@ -89,7 +89,7 @@ NO_REPLY_ADDRESS = noreply@trez.wtf PATH = /data/git/lfs [mailer] -PASSWD = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }} +PASSWD = \{\{ vault.kv2_field\('env', 'POSTAL_SMTP_AUTH_PASSWORD', vault_engine_mount_point) }} PROTOCOL = smtp ENABLED = true FROM = '"Gitea" ' @@ -112,7 +112,7 @@ DEFAULT_MERGE_STYLE = merge DEFAULT_TRUST_MODEL = committer [oauth2] -JWT_SECRET = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['GITEA_OAUTH2_JWT_SECRET'] }} +JWT_SECRET = \{\{ vault.kv2_field\('env', 'GITEA_OAUTH2_JWT_SECRET', vault_engine_mount_point) }} [ui] THEMES = gitea-auto,catppuccin-blue-auto,catppuccin-flamingo-auto,catppuccin-green-auto,catppuccin-lavender-auto,catppuccin-mauve-auto,catppuccin-peach-auto,catppuccin-pink-auto,catppuccin-red-auto,catppuccin-rosewater-auto,catppuccin-sapphire-auto,catppuccin-sky-auto,catppuccin-teal-auto,catppuccin-yellow-auto,catppuccin-maroon-auto diff --git a/app-configs/rinoa/gitea/gitea-sonarqube-bot/config.yaml.j2 b/app-configs/rinoa/gitea/gitea-sonarqube-bot/config.yaml.j2 index 00b5c88..938e747 100644 --- a/app-configs/rinoa/gitea/gitea-sonarqube-bot/config.yaml.j2 +++ b/app-configs/rinoa/gitea/gitea-sonarqube-bot/config.yaml.j2 @@ -1,5 +1,5 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + # Gitea related configuration. Necessary for adding/updating comments on repository pull requests gitea: @@ -9,7 +9,7 @@ gitea: # Created access token for the user that shall be used as bot account. # User needs "Read project" permissions with access to "Pull Requests" token: - value: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['GITEA_SONARQUBE_BOT_GITEA_TOKEN'] }}" + value: "\{\{ vault.kv2_field\('env', 'GITEA_SONARQUBE_BOT_GITEA_TOKEN', vault_engine_mount_point) }}" # # or path to file containing the plain text secret # file: /path/to/gitea/token @@ -18,7 +18,7 @@ gitea: # The bot looks for `X-Gitea-Signature` header containing the sha256 hmac hash of the plain text secret. If the header # exists and no webhookSecret is defined here, the bot will ignore the request, because it cannot be validated. webhook: - secret: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['GITEA_SONARQUBE_BOT_GITEA_WEBHOOK_SECRET'] }}" + secret: "\{\{ vault.kv2_field\('env', 'GITEA_SONARQUBE_BOT_GITEA_WEBHOOK_SECRET', vault_engine_mount_point) }}" # # or path to file containing the plain text secret # secretFile: /path/to/gitea/webhook/secret @@ -35,7 +35,7 @@ sonarqube: # Created access token for the user that shall be used as bot account. # User needs "Browse on project" permissions token: - value: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['GITEA_SONARQUBE_BOT_SQUBE_TOKEN'] }}" + value: "\{\{ vault.kv2_field\('env', 'GITEA_SONARQUBE_BOT_SQUBE_TOKEN', vault_engine_mount_point) }}" # # or path to file containing the plain text secret # file: /path/to/sonarqube/token @@ -45,7 +45,7 @@ sonarqube: # If the header exists and no webhookSecret is defined here, the bot will ignore the request, because it cannot be # validated. webhook: - secret: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['GITEA_SONARQUBE_BOT_SQUBE_WEBHOOK_SECRET'] }}" + secret: "\{\{ vault.kv2_field\('env', 'GITEA_SONARQUBE_BOT_SQUBE_WEBHOOK_SECRET', vault_engine_mount_point) }}" # # or path to file containing the plain text secret # secretFile: /path/to/sonarqube/webhook/secret diff --git a/app-configs/rinoa/homepage/bookmarks.yaml.j2 b/app-configs/rinoa/homepage/bookmarks.yaml.j2 index 3213604..91d51eb 100644 --- a/app-configs/rinoa/homepage/bookmarks.yaml.j2 +++ b/app-configs/rinoa/homepage/bookmarks.yaml.j2 @@ -1,5 +1,5 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + --- diff --git a/app-configs/rinoa/homepage/docker.yaml.j2 b/app-configs/rinoa/homepage/docker.yaml.j2 index 58f2932..04c4909 100644 --- a/app-configs/rinoa/homepage/docker.yaml.j2 +++ b/app-configs/rinoa/homepage/docker.yaml.j2 @@ -1,5 +1,5 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + --- diff --git a/app-configs/rinoa/homepage/kubernetes.yaml.j2 b/app-configs/rinoa/homepage/kubernetes.yaml.j2 index edc81b1..d00e2de 100644 --- a/app-configs/rinoa/homepage/kubernetes.yaml.j2 +++ b/app-configs/rinoa/homepage/kubernetes.yaml.j2 @@ -1,5 +1,5 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + --- diff --git a/app-configs/rinoa/homepage/services.yaml.j2 b/app-configs/rinoa/homepage/services.yaml.j2 index 2161e4c..2a23e73 100644 --- a/app-configs/rinoa/homepage/services.yaml.j2 +++ b/app-configs/rinoa/homepage/services.yaml.j2 @@ -1,5 +1,5 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + --- # For configuration options and examples, please see: @@ -20,6 +20,25 @@ # href: http://localhost/ # description: Homepage is 😎 +- System Administration: + - PatchMon + href: https://patch.trez.wtf + description: Patch management for *NIX and Windows + icon: patchmon.svg + weight: 0 + widget: + type: customapi + url: http://192.168.1.252:3000/api/v1/gethomepage/stats + headers: + Authorization: Basic \{\{ vault.kv2_field\('env', 'PATCHMON_API_BASE64_CREDS', vault_engine_mount_point) }} + mappings: + - field: total_hosts + label: Total Hosts + - field: hosts_needing_updates + label: Needs Updates + - field: security_updates + label: Security Updates + - Automation: - Home Assistant (Rikku): href: https://ha.trez.wtf @@ -29,7 +48,7 @@ widget: type: homeassistant url: http://192.168.1.252:8123 - key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['HOMEPAGE_HOME_ASSISTANT_API_KEY'] }} + key: \{\{ vault.kv2_field\('env', 'HOMEPAGE_HOME_ASSISTANT_API_KEY', vault_engine_mount_point) }} - Media Library: - Audiomuse: diff --git a/app-configs/rinoa/homepage/settings.yaml.j2 b/app-configs/rinoa/homepage/settings.yaml.j2 index a8f27f2..ba8d590 100644 --- a/app-configs/rinoa/homepage/settings.yaml.j2 +++ b/app-configs/rinoa/homepage/settings.yaml.j2 @@ -1,12 +1,12 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + --- # For configuration options and examples, please see: # https://gethomepage.dev/en/configs/settings providers: - openweathermap: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['HOMEPAGE_OPENWEATHERMAP_API_KEY'] }} + openweathermap: \{\{ vault.kv2_field\('env', 'HOMEPAGE_OPENWEATHERMAP_API_KEY', vault_engine_mount_point) }} # weatherapi: weatherapiapikey title: Rinoa Dashboard (trez.WTF) headerStyle: underlined @@ -23,7 +23,7 @@ provider: duckduckgo layout: System Administration: style: row - columns: 5 + columns: 4 Infrastructure/App Performance Monitoring: style: row columns: 5 diff --git a/app-configs/rinoa/homepage/widgets.yaml.j2 b/app-configs/rinoa/homepage/widgets.yaml.j2 index 0e4f004..afefff9 100644 --- a/app-configs/rinoa/homepage/widgets.yaml.j2 +++ b/app-configs/rinoa/homepage/widgets.yaml.j2 @@ -1,5 +1,5 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + --- # For configuration options and examples, please see: diff --git a/app-configs/rinoa/invidious/config.yml.j2 b/app-configs/rinoa/invidious/config.yml.j2 index 81f5a12..204ffdb 100644 --- a/app-configs/rinoa/invidious/config.yml.j2 +++ b/app-configs/rinoa/invidious/config.yml.j2 @@ -1,5 +1,5 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + ######################################### # # Database and other external servers @@ -15,7 +15,7 @@ db: host: invidious-db port: 5432 dbname: invidious - password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['INVID_PG_DB_PASSWORD'] }} + password: \{\{ vault.kv2_field\('env', 'INVID_PG_DB_PASSWORD', vault_engine_mount_point) }} ## ## Database configuration using a single URI. This is an @@ -88,7 +88,7 @@ check_tables: true invidious_companion: - private_url: "http://invidious-companion:8282" # # Uncomment for advanced reverse proxy configuration (see above). - - public_url: https://invid.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['MY_TLD'] }}/companion + - public_url: https://invid.\{\{ vault.kv2_field\('env', 'MY_TLD', vault_engine_mount_point) }}/companion ## ## API key for Invidious companion, used for securing the communication @@ -103,7 +103,7 @@ invidious_companion: ## Accepted values: a string (of length 16) ## Default: ## -invidious_companion_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['INVID_COMPANION_KEY'] }} +invidious_companion_key: \{\{ vault.kv2_field\('env', 'INVID_COMPANION_KEY', vault_engine_mount_point) }} ######################################### # @@ -271,8 +271,8 @@ https_only: false ## Accepted values: String ## Default: ## -po_token: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['INVID_PO_TOKEN'] }} -visitor_data: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['INVID_VISITOR_DATA'] }} +po_token: \{\{ vault.kv2_field\('env', 'INVID_PO_TOKEN', vault_engine_mount_point) }} +visitor_data: \{\{ vault.kv2_field\('env', 'INVID_VISITOR_DATA', vault_engine_mount_point) }} # ----------------------------- # Logging @@ -532,7 +532,7 @@ jobs: ## Accepted values: a string ## Default: ## -hmac_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['INVID_HMAC_KEY'] }} +hmac_key: \{\{ vault.kv2_field\('env', 'INVID_HMAC_KEY', vault_engine_mount_point) }} ## ## List of video IDs where the "download" widget must be diff --git a/app-configs/rinoa/invoice-ninja/invoice-ninja.env.j2 b/app-configs/rinoa/invoice-ninja/invoice-ninja.env.j2 index 0ec469e..f01208d 100644 --- a/app-configs/rinoa/invoice-ninja/invoice-ninja.env.j2 +++ b/app-configs/rinoa/invoice-ninja/invoice-ninja.env.j2 @@ -1,9 +1,9 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + # IN application vars IN_APP_URL=https://biz.trez.wtf -IN_APP_KEY={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['IN_APP_KEY'] }} +IN_APP_KEY=\{\{ vault.kv2_field\('env', 'IN_APP_KEY', vault_engine_mount_point) }} IN_APP_DEBUG=true IN_REQUIRE_HTTPS=false IN_PHANTOMJS_PDF_GENERATION=false @@ -18,7 +18,7 @@ IN_DB_HOST=mariadb IN_DB_PORT=3306 IN_DB_DATABASE=invoice_ninja IN_DB_USERNAME=ininja -IN_DB_PASSWORD={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['IN_MYSQL_PASSWORD'] }} +IN_DB_PASSWORD=\{\{ vault.kv2_field\('env', 'IN_MYSQL_PASSWORD', vault_engine_mount_point) }} # Create initial user # Default to these values if empty @@ -31,8 +31,8 @@ IN_PASSWORD= IN_MAIL_MAILER=log IN_MAIL_HOST=postal-smtp IN_MAIL_PORT=25 -IN_MAIL_USERNAME={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['POSTAL_SMTP_AUTH_USER'] }} -IN_MAIL_PASSWORD={{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }} +IN_MAIL_USERNAME=\{\{ vault.kv2_field\('env', 'POSTAL_SMTP_AUTH_USER', vault_engine_mount_point) }} +IN_MAIL_PASSWORD=\{\{ vault.kv2_field\('env', 'POSTAL_SMTP_AUTH_PASSWORD', vault_engine_mount_point) }} IN_MAIL_ENCRYPTION=null IN_MAIL_FROM_ADDRESS='noreply@trez.wtf' IN_MAIL_FROM_NAME='Treasured IT' diff --git a/app-configs/rinoa/lidarr/config.xml.j2 b/app-configs/rinoa/lidarr/config.xml.j2 index fcdc1af..8006a30 100644 --- a/app-configs/rinoa/lidarr/config.xml.j2 +++ b/app-configs/rinoa/lidarr/config.xml.j2 @@ -1,5 +1,5 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + * @@ -7,7 +7,7 @@ 6868 False True - {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['LIDARR_API_KEY'] }} + \{\{ vault.kv2_field\('env', 'LIDARR_API_KEY', vault_engine_mount_point) }} Forms master trace diff --git a/app-configs/rinoa/lidify/config.json.j2 b/app-configs/rinoa/lidify/config.json.j2 index 6974589..0b10d16 100644 --- a/app-configs/rinoa/lidify/config.json.j2 +++ b/app-configs/rinoa/lidify/config.json.j2 @@ -1,13 +1,13 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + { "lidarr_address": "http://lidarr:8686", - "lidarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['LIDARR_API_KEY'] }}", - "spotify_client_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['YOUR_SPOTIFY_SECRET'] }}", + "lidarr_api_key": "\{\{ vault.kv2_field\('env', 'LIDARR_API_KEY', vault_engine_mount_point) }}", + "spotify_client_secret": "\{\{ vault.kv2_field\('env', 'YOUR_SPOTIFY_SECRET', vault_engine_mount_point) }}", "root_folder_path": "/data/media/music", - "spotify_client_id": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['YOUR_SPOTIFY_ID'] }}", - "spotify_client_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['YOUR_SPOTIFY_SECRET'] }}", + "spotify_client_id": "\{\{ vault.kv2_field\('env', 'YOUR_SPOTIFY_ID', vault_engine_mount_point) }}", + "spotify_client_secret": "\{\{ vault.kv2_field\('env', 'YOUR_SPOTIFY_SECRET', vault_engine_mount_point) }}", "fallback_to_top_result": false, "lidarr_api_timeout": 120.0, "quality_profile_id": 1, @@ -17,8 +17,8 @@ "app_name": "lidify", "app_rev": "0.09", "app_url": "lidify.trez.wtf", - "last_fm_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['LASTFM_API_KEY'] }}", - "last_fm_api_secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['LASTFM_API_SECRET'] }}", + "last_fm_api_key": "\{\{ vault.kv2_field\('env', 'LASTFM_API_KEY', vault_engine_mount_point) }}", + "last_fm_api_secret": "\{\{ vault.kv2_field\('env', 'LASTFM_API_SECRET', vault_engine_mount_point) }}", "mode": "LastFM", "auto_start": false, "auto_start_delay": 60 diff --git a/app-configs/rinoa/loggifly/config.yaml.j2 b/app-configs/rinoa/loggifly/config.yaml.j2 index cd69ed6..9a9b9aa 100644 --- a/app-configs/rinoa/loggifly/config.yaml.j2 +++ b/app-configs/rinoa/loggifly/config.yaml.j2 @@ -1,5 +1,5 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + containers: # adguard: # action_keywords: @@ -44,7 +44,7 @@ global_keywords: - fatal notifications: apprise: - url: gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['APPRISE_GOTIFY_TOKEN'] }} # Any Apprise-compatible URL (https://github.com/caronc/apprise/wiki) + url: gotify://gotify/\{\{ vault.kv2_field\('env', 'APPRISE_GOTIFY_TOKEN', vault_engine_mount_point) }} # Any Apprise-compatible URL (https://github.com/caronc/apprise/wiki) # settings are optional because they all have default values settings: log_level: INFO # DEBUG, INFO, WARNING, ERROR diff --git a/app-configs/rinoa/mgob/config/default_mbd_bkup.yaml.j2 b/app-configs/rinoa/mgob/config/default_mbd_bkup.yaml.j2 index f5fa9ef..f3ee0b5 100644 --- a/app-configs/rinoa/mgob/config/default_mbd_bkup.yaml.j2 +++ b/app-configs/rinoa/mgob/config/default_mbd_bkup.yaml.j2 @@ -1,11 +1,11 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + scheduler: cron: "45 23 * * *" # run every day at 6:00 and 18:00 UTC retention: 14 # Retains 14 local backups timeout: 60 # Operation timeout: 60 minutes target: - uri: mongodb://root:{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['MONGO_INITDB_ROOT_PASSWORD'] }}@mongodb:27017/admin?replicaSet=rinoa + uri: mongodb://root:\{\{ vault.kv2_field\('env', 'MONGO_INITDB_ROOT_PASSWORD', vault_engine_mount_point) }}@mongodb:27017/admin?replicaSet=rinoa noGzip: false # Disable gzip compression (false means compression is enabled) retry: @@ -23,8 +23,8 @@ validation: smtp: server: postal-stmp port: 25 - username: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['POSTAL_SMTP_AUTH_USER'] }} - password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }} + username: \{\{ vault.kv2_field\('env', 'POSTAL_SMTP_AUTH_USER', vault_engine_mount_point) }} + password: \{\{ vault.kv2_field\('env', 'POSTAL_SMTP_AUTH_PASSWORD', vault_engine_mount_point) }} from: noreply@trez.wtf to: - charish.patel@trez.wtf diff --git a/app-configs/rinoa/mongodb/config/keyfile.j2 b/app-configs/rinoa/mongodb/config/keyfile.j2 index eca8822..511c281 100644 --- a/app-configs/rinoa/mongodb/config/keyfile.j2 +++ b/app-configs/rinoa/mongodb/config/keyfile.j2 @@ -1 +1 @@ -{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['MONGODB_REPLICA_SET_KEY'] }} \ No newline at end of file +\{\{ vault.kv2_field\('env', 'MONGODB_REPLICA_SET_KEY', vault_engine_mount_point) }} \ No newline at end of file diff --git a/app-configs/rinoa/multi-scrobbler/config.json.j2 b/app-configs/rinoa/multi-scrobbler/config.json.j2 index c17b1db..53ca43d 100644 --- a/app-configs/rinoa/multi-scrobbler/config.json.j2 +++ b/app-configs/rinoa/multi-scrobbler/config.json.j2 @@ -32,8 +32,8 @@ "name": "lastfmSource", "clients": ["ListenBrainzClient", "malojaClient"], "data": { - "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['LASTFM_API_KEY'] }}", - "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['LASTFM_API_SECRET'] }}", + "apiKey": "\{\{ vault.kv2_field\('env', 'LASTFM_API_KEY', vault_engine_mount_point) }}", + "secret": "\{\{ vault.kv2_field\('env', 'LASTFM_API_SECRET', vault_engine_mount_point) }}", "redirectUri": "https://scrobble.trez.wtf/lastfm/callback" } }, @@ -43,7 +43,7 @@ "name": "listenBrainzSource", "clients": ["lastFmClient", "malojaClient"], "data": { - "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}", + "token": "\{\{ vault.kv2_field\('env', 'MALOJA_LISTENBRAINZ_TOKEN', vault_engine_mount_point) }}", "username": "Trez.One" } }, @@ -55,7 +55,7 @@ "data": { "url": "http://navidrome:4533", "user": "admin", - "password": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['NAVIDROME_PASSWORD'] }}" + "password": "\{\{ vault.kv2_field\('env', 'NAVIDROME_PASSWORD', vault_engine_mount_point) }}" } } ], @@ -66,8 +66,8 @@ "enabled": true, "name": "lastFmClient", "data": { - "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['LASTFM_API_KEY'] }}", - "secret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['LASTFM_API_SECRET'] }}", + "apiKey": "\{\{ vault.kv2_field\('env', 'LASTFM_API_KEY', vault_engine_mount_point) }}", + "secret": "\{\{ vault.kv2_field\('env', 'LASTFM_API_SECRET', vault_engine_mount_point) }}", "redirectUri": "https://scrobble.trez.wtf/lastfm/callback" } }, @@ -76,7 +76,7 @@ "enabled": true, "name": "ListenBrainzClient", "data": { - "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['MALOJA_LISTENBRAINZ_TOKEN'] }}", + "token": "\{\{ vault.kv2_field\('env', 'MALOJA_LISTENBRAINZ_TOKEN', vault_engine_mount_point) }}", "username": "Trez.One" } }, @@ -86,7 +86,7 @@ "name": "malojaClient", "data": { "url": "http://maloja:42010", - "apiKey": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['MALOJA_API_KEY'] }}" + "apiKey": "\{\{ vault.kv2_field\('env', 'MALOJA_API_KEY', vault_engine_mount_point) }}" } } ], @@ -96,7 +96,7 @@ "name": "Gotify", "type": "gotify", "url": "http://gotify", - "token": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['MULTI_SCROBBLER_GOTIFY_TOKEN'] }}", + "token": "\{\{ vault.kv2_field\('env', 'MULTI_SCROBBLER_GOTIFY_TOKEN', vault_engine_mount_point) }}", "priorities": { "info": 5, "warn": 7, diff --git a/app-configs/rinoa/postal/postal.yml.j2 b/app-configs/rinoa/postal/postal.yml.j2 index 6ed36d6..2e1c10c 100644 --- a/app-configs/rinoa/postal/postal.yml.j2 +++ b/app-configs/rinoa/postal/postal.yml.j2 @@ -1,5 +1,5 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + version: 2 @@ -18,13 +18,13 @@ web_server: main_db: host: mariadb username: postal - password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['POSTAL_MYSQL_PASSWORD'] }} + password: \{\{ vault.kv2_field\('env', 'POSTAL_MYSQL_PASSWORD', vault_engine_mount_point) }} database: postal message_db: host: mariadb username: postal - password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['POSTAL_MYSQL_PASSWORD'] }} + password: \{\{ vault.kv2_field\('env', 'POSTAL_MYSQL_PASSWORD', vault_engine_mount_point) }} prefix: postal smtp_server: @@ -52,11 +52,11 @@ smtp: host: postal-smtp port: 25 username: rinoa/postal-smtp - password: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}" + password: "\{\{ vault.kv2_field\('env', 'POSTAL_SMTP_AUTH_PASSWORD', vault_engine_mount_point) }}" from_name: Postal @ Rinoa from_address: noreply@trez.wtf rails: # This is generated automatically by the config initialization. It should be a random # string unique to your installation. - secret_key: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['POSTAL_RAILS_SECRET_KEY'] }}" + secret_key: "\{\{ vault.kv2_field\('env', 'POSTAL_RAILS_SECRET_KEY', vault_engine_mount_point) }}" diff --git a/app-configs/rinoa/prowlarr/config.xml.j2 b/app-configs/rinoa/prowlarr/config.xml.j2 index 5b32ba3..5f41c58 100644 --- a/app-configs/rinoa/prowlarr/config.xml.j2 +++ b/app-configs/rinoa/prowlarr/config.xml.j2 @@ -1,5 +1,5 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + * @@ -7,7 +7,7 @@ 6969 False True - {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['PROWLARR_API_KEY'] }} + \{\{ vault.kv2_field\('env', 'PROWLARR_API_KEY', vault_engine_mount_point) }} Forms Enabled master diff --git a/app-configs/rinoa/qbittorrent/qbit_manage/config.yml.j2 b/app-configs/rinoa/qbittorrent/qbit_manage/config.yml.j2 index ae7d3a3..2cb6303 100644 --- a/app-configs/rinoa/qbittorrent/qbit_manage/config.yml.j2 +++ b/app-configs/rinoa/qbittorrent/qbit_manage/config.yml.j2 @@ -1,5 +1,5 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + # This is an example configuration file that documents all the options. # It will need to be modified for your specific use case. # These are not default values. You MUST review the config settings and properly configure this EXAMPLE file. @@ -25,7 +25,7 @@ qbt: # Pass environment variables to the config via !ENV tag host: qbittorrentvpn:8080 user: admin - pass: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['DELUGEVPN_PASSWORD'] }} + pass: \{\{ vault.kv2_field\('env', 'DELUGEVPN_PASSWORD', vault_engine_mount_point) }} settings: force_auto_tmm: False # Will force qBittorrent to enable Automatic Torrent Management for each torrent. @@ -222,4 +222,4 @@ apprise: # Mandatory to fill out the url of your apprise API endpoint api_url: http://apprise-api:8000 # Mandatory to fill out the notification url/urls based on the notification services provided by apprise. https://github.com/caronc/apprise/wiki - notify_url: gotify://gotify/{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['APPRISE_GOTIFY_TOKEN'] }} \ No newline at end of file + notify_url: gotify://gotify/\{\{ vault.kv2_field\('env', 'APPRISE_GOTIFY_TOKEN', vault_engine_mount_point) }} \ No newline at end of file diff --git a/app-configs/rinoa/radarec/config.json.j2 b/app-configs/rinoa/radarec/config.json.j2 index 185860f..8bce2ba 100644 --- a/app-configs/rinoa/radarec/config.json.j2 +++ b/app-configs/rinoa/radarec/config.json.j2 @@ -1,11 +1,11 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + { "radarr_address": "http://radarr:7878", - "radarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['RADARR_API_KEY'] }}", + "radarr_api_key": "\{\{ vault.kv2_field\('env', 'RADARR_API_KEY', vault_engine_mount_point) }}", "root_folder_path": "/data/media/movies", - "tmdb_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['TMDB_API_KEY'] }}", + "tmdb_api_key": "\{\{ vault.kv2_field\('env', 'TMDB_API_KEY', vault_engine_mount_point) }}", "fallback_to_top_result": false, "radarr_api_timeout": 120.0, "quality_profile_id": 1, diff --git a/app-configs/rinoa/radarr/config.xml.j2 b/app-configs/rinoa/radarr/config.xml.j2 index 42674bf..b1a8bbb 100644 --- a/app-configs/rinoa/radarr/config.xml.j2 +++ b/app-configs/rinoa/radarr/config.xml.j2 @@ -1,5 +1,5 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + info @@ -8,7 +8,7 @@ 7878 - {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['RADARR_API_KEY'] }} + \{\{ vault.kv2_field\('env', 'RADARR_API_KEY', vault_engine_mount_point) }} Forms Docker 9898 diff --git a/app-configs/rinoa/sabnzbdvpn/sabnzbd.ini.j2 b/app-configs/rinoa/sabnzbdvpn/sabnzbd.ini.j2 index 9e8e6ca..0958124 100644 --- a/app-configs/rinoa/sabnzbdvpn/sabnzbd.ini.j2 +++ b/app-configs/rinoa/sabnzbdvpn/sabnzbd.ini.j2 @@ -1,5 +1,5 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + __version__ = 19 __encoding__ = utf-8 @@ -22,7 +22,7 @@ host = 0.0.0.0 port = 8080 https_port = 8090 username = thetrezuredone -password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['SABNZBDVPN_PASSWORD'] }} +password = \{\{ vault.kv2_field\('env', 'SABNZBDVPN_PASSWORD', vault_engine_mount_point) }} bandwidth_max = 1000M cache_limit = 1G web_dir = Glitter @@ -33,7 +33,7 @@ https_chain = "" enable_https = 1 inet_exposure = 0 local_ranges = , -api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['SABNZBDVPN_API_KEY'] }} +api_key = \{\{ vault.kv2_field\('env', 'SABNZBDVPN_API_KEY', vault_engine_mount_point) }} nzb_key = 3c0fa874bb2748b58c1bd7512e649946 permissions = 775 download_dir = /storage/downloads/incomplete @@ -342,7 +342,7 @@ host = news.newshosting.com port = 563 timeout = 60 username = thetrezuredone -password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['SLSK_USER_PASSWORD'] }} +password = \{\{ vault.kv2_field\('env', 'SLSK_USER_PASSWORD', vault_engine_mount_point) }} connections = 8 ssl = 1 ssl_verify = 3 @@ -363,7 +363,7 @@ host = news.easynews.com port = 443 timeout = 60 username = TrezOne -password = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['SABNZBDVPN_EASYNEWS_PASSWORD'] }} +password = \{\{ vault.kv2_field\('env', 'SABNZBDVPN_EASYNEWS_PASSWORD', vault_engine_mount_point) }} connections = 60 ssl = 0 ssl_verify = 3 diff --git a/app-configs/rinoa/scrutiny/config/config.yaml.j2 b/app-configs/rinoa/scrutiny/config/config.yaml.j2 index e192a93..f37187c 100644 --- a/app-configs/rinoa/scrutiny/config/config.yaml.j2 +++ b/app-configs/rinoa/scrutiny/config/config.yaml.j2 @@ -1,5 +1,5 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + bolt-path: /opt/scrutiny/influxdb/influxd.bolt engine-path: /opt/scrutiny/influxdb/engine diff --git a/app-configs/rinoa/searxng/settings.yml.j2 b/app-configs/rinoa/searxng/settings.yml.j2 index 9f89079..6410773 100644 --- a/app-configs/rinoa/searxng/settings.yml.j2 +++ b/app-configs/rinoa/searxng/settings.yml.j2 @@ -1,5 +1,5 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + general: # Debug mode, only for development. Is overwritten by ${SEARXNG_DEBUG} @@ -51,7 +51,7 @@ server: limiter: false public_instance: false - secret_key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['SEARXNG_SECRET_KEY'] }} # Is overwritten by ${SEARXNG_SECRET} + secret_key: \{\{ vault.kv2_field\('env', 'SEARXNG_SECRET_KEY', vault_engine_mount_point) }} # Is overwritten by ${SEARXNG_SECRET} image_proxy: true http_protocol_version: "1.0" method: "POST" diff --git a/app-configs/rinoa/searxng/uwsgi.ini.j2 b/app-configs/rinoa/searxng/uwsgi.ini.j2 index d318c9e..ce65a2e 100644 --- a/app-configs/rinoa/searxng/uwsgi.ini.j2 +++ b/app-configs/rinoa/searxng/uwsgi.ini.j2 @@ -1,5 +1,5 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + [uwsgi] # Listening address # default value: [::]:8080 (see Dockerfile) diff --git a/app-configs/rinoa/signoz/common/clickhouse/cluster.ha.xml.j2 b/app-configs/rinoa/signoz/common/clickhouse/cluster.ha.xml.j2 index ec19431..bac8b8e 100644 --- a/app-configs/rinoa/signoz/common/clickhouse/cluster.ha.xml.j2 +++ b/app-configs/rinoa/signoz/common/clickhouse/cluster.ha.xml.j2 @@ -1,5 +1,5 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + http://minio:9000/signoz/data - {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['SIGNOZ_S3_ACCESS_KEY'] }} - {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['SIGNOZ_S3_SECRET_KEY'] }} + \{\{ vault.kv2_field\('env', 'SIGNOZ_S3_ACCESS_KEY', vault_engine_mount_point) }} + \{\{ vault.kv2_field\('env', 'SIGNOZ_S3_SECRET_KEY', vault_engine_mount_point) }} diff --git a/app-configs/rinoa/signoz/common/clickhouse/users.xml.j2 b/app-configs/rinoa/signoz/common/clickhouse/users.xml.j2 index 799dcba..fcb9d13 100644 --- a/app-configs/rinoa/signoz/common/clickhouse/users.xml.j2 +++ b/app-configs/rinoa/signoz/common/clickhouse/users.xml.j2 @@ -1,5 +1,5 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + diff --git a/app-configs/rinoa/sonarr/config.xml.j2 b/app-configs/rinoa/sonarr/config.xml.j2 index c875e5a..7e6907f 100644 --- a/app-configs/rinoa/sonarr/config.xml.j2 +++ b/app-configs/rinoa/sonarr/config.xml.j2 @@ -1,5 +1,5 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + info @@ -8,7 +8,7 @@ 9898 * - {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['SONARR_API_KEY'] }} + \{\{ vault.kv2_field\('env', 'SONARR_API_KEY', vault_engine_mount_point) }} Forms Docker True diff --git a/app-configs/rinoa/sonashow/config.json.j2 b/app-configs/rinoa/sonashow/config.json.j2 index 238245b..c56624d 100644 --- a/app-configs/rinoa/sonashow/config.json.j2 +++ b/app-configs/rinoa/sonashow/config.json.j2 @@ -1,12 +1,12 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + { "sonarr_address": "http://192.168.1.2:8989", - "sonarr_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['SONARR_API_KEY'] }}", + "sonarr_api_key": "\{\{ vault.kv2_field\('env', 'SONARR_API_KEY', vault_engine_mount_point) }}", "root_folder_path": "/data/media/shows", "tvdb_api_key": "", - "tmdb_api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['TMDB_API_KEY'] }}", + "tmdb_api_key": "\{\{ vault.kv2_field\('env', 'TMDB_API_KEY', vault_engine_mount_point) }}", "fallback_to_top_result": false, "sonarr_api_timeout": 120.0, "quality_profile_id": 1, diff --git a/app-configs/rinoa/soularr/config.ini.j2 b/app-configs/rinoa/soularr/config.ini.j2 index f918f91..8043a28 100644 --- a/app-configs/rinoa/soularr/config.ini.j2 +++ b/app-configs/rinoa/soularr/config.ini.j2 @@ -1,8 +1,8 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + [Lidarr] -api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['LIDARR_API_KEY'] }} +api_key = \{\{ vault.kv2_field\('env', 'LIDARR_API_KEY', vault_engine_mount_point) }} host_url = http://lidarr:8686 #This should be the path mounted in lidarr that points to your slskd download directory. #If Lidarr is not running in Docker then this may just be the same dir as Slskd is using below. @@ -10,7 +10,7 @@ download_dir = /storage [Slskd] #Api key from Slskd. Need to set this up manually. See link to Slskd docs above. -api_key = {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['SLSKD_API_KEY'] }} +api_key = \{\{ vault.kv2_field\('env', 'SLSKD_API_KEY', vault_engine_mount_point) }} host_url = http://gluetun:5030 #Slskd download directory. Should have set it up when installing Slskd. download_dir = /app/downloads diff --git a/app-configs/rinoa/soulseek/slskd.yml.j2 b/app-configs/rinoa/soulseek/slskd.yml.j2 index e61edc3..f33c1dc 100644 --- a/app-configs/rinoa/soulseek/slskd.yml.j2 +++ b/app-configs/rinoa/soulseek/slskd.yml.j2 @@ -1,5 +1,5 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + directories: incomplete: /app/incomplete @@ -198,15 +198,15 @@ rooms: web: authentication: username: slskd - password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['SLSKD_WEB_PASSSWORD'] }} + password: \{\{ vault.kv2_field\('env', 'SLSKD_WEB_PASSSWORD', vault_engine_mount_point) }} api_keys: my_api_key: - key: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['SLSKD_API_KEY'] }} + key: \{\{ vault.kv2_field\('env', 'SLSKD_API_KEY', vault_engine_mount_point) }} role: readwrite cidr: 0.0.0.0/0,::/0 soulseek: address: vps.slsknet.org port: 2271 username: Trez.One - password: {{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token)['secret']['SLSK_USER_PASSWORD'] }} + password: \{\{ vault.kv2_field\('env', 'SLSK_USER_PASSWORD', vault_engine_mount_point) }} diagnostic_level: Info diff --git a/app-configs/rinoa/swag/nginx/proxy-confs/patchmon.subdomain.conf b/app-configs/rinoa/swag/nginx/proxy-confs/patchmon.subdomain.conf new file mode 100644 index 0000000..bde3dfc --- /dev/null +++ b/app-configs/rinoa/swag/nginx/proxy-confs/patchmon.subdomain.conf @@ -0,0 +1,47 @@ +## Version 2025/07/18 +# make sure that your container is named +# make sure that your dns has a cname set for + +server { + listen 443 ssl; + # listen 443 quic; + listen [::]:443 ssl; + # listen [::]:443 quic; + + server_name patch.*; + + include /config/nginx/ssl.conf; + + client_max_body_size 0; + + # enable for ldap auth (requires ldap-location.conf in the location block) + #include /config/nginx/ldap-server.conf; + + # enable for Authelia (requires authelia-location.conf in the location block) + #include /config/nginx/authelia-server.conf; + # enable for Authentik (requires authentik-location.conf in the location block) + #include /config/nginx/authentik-server.conf; + # enable for Tinyauth (requires tinyauth-location.conf in the location block) + #include /config/nginx/tinyauth-server.conf; + location / { + # enable the next two lines for http auth + #auth_basic "Restricted"; + #auth_basic_user_file /config/nginx/.htpasswd; + + # enable for ldap auth (requires ldap-server.conf in the server block) + #include /config/nginx/ldap-location.conf; + + # enable for Authelia (requires authelia-server.conf in the server block) + #include /config/nginx/authelia-location.conf; + # enable for Authentik (requires authentik-server.conf in the server block) + #include /config/nginx/authentik-location.conf; + # enable for Tinyauth (requires tinyauth-server.conf in the server block) + #include /config/nginx/tinyauth-location.conf; + include /config/nginx/proxy.conf; + include /config/nginx/resolver.conf; + set $upstream_app 192.168.1.252; + set $upstream_port 3000; + set $upstream_proto http; + proxy_pass $upstream_proto://$upstream_app:$upstream_port; + } +} diff --git a/app-configs/rinoa/unmanic/settings.json.j2 b/app-configs/rinoa/unmanic/settings.json.j2 index 3780f97..57e4eb7 100644 --- a/app-configs/rinoa/unmanic/settings.json.j2 +++ b/app-configs/rinoa/unmanic/settings.json.j2 @@ -1,5 +1,5 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + { "always_keep_failed_tasks": true, diff --git a/app-configs/rinoa/youtubedl/config.yml.j2 b/app-configs/rinoa/youtubedl/config.yml.j2 index cead77f..00704dc 100644 --- a/app-configs/rinoa/youtubedl/config.yml.j2 +++ b/app-configs/rinoa/youtubedl/config.yml.j2 @@ -1,5 +1,5 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'rinoa-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + ydl_server: # youtube-dl-server specific settings port: 8080 # Port youtube-dl-server should listen on diff --git a/app-configs/ultima/ovos/skills/skill_homeassistant.oscillatelabsllc/settings.json.j2 b/app-configs/ultima/ovos/skills/skill_homeassistant.oscillatelabsllc/settings.json.j2 index ad42fd3..98a9117 100644 --- a/app-configs/ultima/ovos/skills/skill_homeassistant.oscillatelabsllc/settings.json.j2 +++ b/app-configs/ultima/ovos/skills/skill_homeassistant.oscillatelabsllc/settings.json.j2 @@ -1,7 +1,7 @@ -{% set vault_addr = 'https://vault.trez.wtf' %} -{% set secrets_path = 'benedikta-docker/env' %} +{% import 'app-configs/_macros/hashivault_kv2.j2' as vault %} + { - "api_key": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='benedikta-docker', url=vault_addr, token=vault_token)['secret']['HOME_ASSISTANT_LONG_LIVED_TOKEN'] }}", + "api_key": "{{ vault.kv2_field('env', 'HOME_ASSISTANT_LONG_LIVED_TOKEN', vault_engine_mount_point) }}", "host": "192.168.1.252:8123", "__mycroft_skill_firstrun": false } \ No newline at end of file diff --git a/group_vars/all.yml b/group_vars/all.yml index 471fa8f..29339a1 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml @@ -3,14 +3,22 @@ template_base_path: "{{ playbook_dir }}/app-configs" # Vault server address vault_addr: "https://vault.trez.wtf" -vault_token: !vault | +vault_env: "env" +ansible_hashi_vault_url: "https://vault.trez.wtf" +ansible_hashi_vault_auth_method: "approle" +ansible_hashi_vault_role_id: !vault | $ANSIBLE_VAULT;1.1;AES256 - 33356331366463343032656164363437313263623962303365306632336362353038653738336338 - 3261303838386531653661353231343361316566633531300a326637636135383832386466656235 - 32316564653863346336316331306130333739663832613536323264336530383834323461313064 - 6639383633643866310a343332616235343462346436373035636266636239346438346633303932 - 64383135616261326466643661356539346233633639343865303964366236373161393764353838 - 65633631346166323961393532393133353838393332663963383566663136613232383662626165 - 63643838306332373237393938326131633838613331363663653638623830633364373464376463 - 39623034306164393863343133313135653839363236613232663563346334303333313634333334 - 6635 \ No newline at end of file + 30363130386561646336636635623233636561653537343264396430646133653162633465656534 + 3530623161663966623438303363313361303833313030610a363831666334666633313437323965 + 33666235306361333935316330623830393561636361316635653036636632623637316334616536 + 3662346361333537340a323334386666353265623130343234396565646532303365646236636466 + 33393539336230373764363865313863373733313563313966376435383938336635666536643439 + 6531303137623765343263303534633562643435393864313662 +ansible_hashi_vault_secret_id: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 65303663656662666661663939343535336163366537623261346332353130613664633261376131 + 6264313136653263333938383866626432633262313764330a393130353566626433333036313965 + 61666565633561383862373231646462353336316430613561663031383930313232646263623065 + 3033313738363866390a636539346337333066616434653633333339343961303935643766633034 + 61356234643138313330313466383462396338306238396230386139396230383131343766313830 + 3761346335636564373637353364333935653934393532373833 diff --git a/host_vars/aranea.yml b/host_vars/aranea.yml index 7464f83..9c9fd83 100644 --- a/host_vars/aranea.yml +++ b/host_vars/aranea.yml @@ -6,4 +6,4 @@ ansible_become_password: !vault | 39333338306565383435326465386366356164643834303431623961653731303139633332326133 6561653432656462330a303966633132366637633235316631353839383331333765336237353135 39363465623933393535643862316262303333363038636634326233316636396666 -secrets_path: aranea-docker/env +vault_engine_mount_point: aranea-docker/env diff --git a/host_vars/lunafreya.yml b/host_vars/lunafreya.yml index 8c65878..d66238b 100644 --- a/host_vars/lunafreya.yml +++ b/host_vars/lunafreya.yml @@ -6,4 +6,4 @@ ansible_become_password: !vault | 66376165623634653966313033613230306365393334663334363730653330313031326231383739 3036633032376133370a316463653162633566303363376631383033396234383366633737383066 35393931393132323062386262623966646139613838373536313631643330313761 -secrets_path: benedikta-docker/env +vault_engine_mount_point: benedikta-docker/env diff --git a/host_vars/rikku.yml b/host_vars/rikku.yml index a7e7604..cc0e0fa 100644 --- a/host_vars/rikku.yml +++ b/host_vars/rikku.yml @@ -1,2 +1,2 @@ appdata_base_path: /home/pi/.config/docker -secrets_path: rikku-docker/env +vault_engine_mount_point: rikku-docker/env diff --git a/host_vars/rinoa.yml b/host_vars/rinoa.yml index 449e6de..3fcb44a 100644 --- a/host_vars/rinoa.yml +++ b/host_vars/rinoa.yml @@ -6,7 +6,7 @@ ansible_become_password: !vault | 31623863633966303738643733643633353265396264613734333461643862663965663230663437 6136373035303834630a653263626365623838363236303931643565656232326536643239653238 64313034313663653332343464383565383964373438663661346538366636323162 -secrets_path: rinoa-docker/env +vault_engine_mount_point: rinoa-docker file_metadata: "hashicorp-vault/config/vault-config.hcl.j2": owner: "100" diff --git a/host_vars/ultima.yml b/host_vars/ultima.yml index ede2ff7..9710221 100644 --- a/host_vars/ultima.yml +++ b/host_vars/ultima.yml @@ -6,4 +6,4 @@ ansible_become_password: !vault | 64623239343238363763386466626632383230633062383263323433353634373539373861383038 3837383436363138330a653566653731653065343538363733353432646136336335643666376133 31623634636561636635396136636538613338313862396439376435613337373637 -secrets_path: ultima-docker/env +vault_engine_mount_point: ultima-docker diff --git a/tar-valon_config_deploy.yml b/tar-valon_config_deploy.yml index bbd329d..21948cd 100644 --- a/tar-valon_config_deploy.yml +++ b/tar-valon_config_deploy.yml @@ -117,6 +117,9 @@ loop_control: label: "{{ item }}" + - debug: + msg: "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker')['secret']['AUTHELIA_SESSION_SECRET'] }}" + - name: Deploy template files ansible.builtin.template: src: "{{ item.src }}"