Improve group vars vault usage for archweb

95494a89 · Florian Pritz · a3a6dc24 · 95494a89 · 95494a89 · 95494a89
Commit 95494a89 authored Jun 07, 2018 by Florian Pritz
--- a/group_vars/all/vault_archweb.yml
+++ b/group_vars/all/vault_archweb.yml
 $ANSIBLE_VAULT;1.1;AES256
-65633636613766313863666361643338646438343264323039656632306337313666386261636539
-6436643237633235336163653733663630396238313337640a313939313062383462313066636338
-64326135396461336139343730313234623833643135323561626336623663366465663630326437
-3336383164623039620a626533376130633134613565383762653533333937333838363032646437
-32323235333661666332333030363630336435343966396261383466393831353230666538316533
-32613765373236313563666335653935646331623132363739393833343235643638356534376363
-36663634346135623836356265343462653933666231343434633561626136306435373266373735
-38333239313762396364383563653238373939313164613432353162303431396166646532366634
-31383731303436353731303739373038333633646165333735383531316638653463656166383739
-63333232313937313934373364336634363235656462613339666535626232333339396364613231
-32643438396630313033336532393837663538643339333733333134323632363965656333646137
-62343034613936393833316562366132343636363634306561363263376135353861653436613633
-33616462666662626264303066353535653634323565653033666265613662343666643530666535
-32613038663638356134616233343836393534386466656564363836626339373631663363333434
-61356134383265396335633236663261353137613037303363613635323265363663356366666364
-61323239306533373862646132623764336530646134626461346466363266646266383635366231
-35613835313661656163623364383162323234303265333636616133353732343866396632353538
-33656538383036626332623464366539613632343565393665333966636437663937633137663466
-363663343236636536353430313064663163
+66626631383238663762323361393430343261633334343136663961663830313561336466626332
+3633386335626464323163653434383564366136303833630a363031333566646164333963663430
+38623163373764393335333439393063306435366563656237393564383962303563613330623833
+3635313965323931340a663634633036346461656335633034366238326466326561386133373066
+34313462313939643136353636663033363436333664303632333731636666366262633464366564
+63653534353637666639643239383736663538306666333736303764626439336539396463643233
+32643336393732363631303637306663636165656463666363373166326633663434376134663535
+38366234306131316462303264316263353036386462376131313464623133313832336566616236
+62656562623964353739353133343236356536633739666466383038313534663262636663396361
+64393664336430313766643161396466373665303935313764356334306330666465633833313034
+38393963303039373731396235316136643533393566623732663461356434616232616435363031
+63386164636662656332343835316635616637336332626630326634303937643632323533346565
+36383530316537663064383733643632313630393565613737613563653862383532346330303436
+39376466393232613665393762666363663364646339303630356431343838653135613232353336
+64626466333361323439383837303661646239303334353831353265383263346431303062653435
+34313265616134306635626239376532323130383231373463313735636530386435656165353139
+63343730396362636235656161633039656533373931363431303733623933363439356634343738
+37643931363637306665663332306333393362323265646333613466383062623931623133343236
+30343063613636373963393530346661323835386133346262323832353162386165636362393038
+35353634336562666637336263656566343261376234646135653063366536383835333263363231
+6230
--- a/roles/archweb/tasks/main.yml
+++ b/roles/archweb/tasks/main.yml
@@ -63,10 +63,10 @@
  no_log: true
  when: archweb_site or archweb_services
  with_items:
-    - { user: "{{ archweb_db_site_user }}", password: "{{ archweb_db_site_password }}" }
-    - { user: "{{ archweb_db_services_user }}", password: "{{ archweb_db_services_password }}" }
-    - { user: "{{ archweb_db_dbscripts_user }}", password: "{{ archweb_db_dbscripts_password }}" }
-    - { user: "{{ archweb_db_backup_user }}", password: "{{ archweb_db_backup_password }}" }
+    - { user: "{{ archweb_db_site_user }}", password: "{{ vault_archweb_db_site_password }}" }
+    - { user: "{{ archweb_db_services_user }}", password: "{{ vault_archweb_db_services_password }}" }
+    - { user: "{{ archweb_db_dbscripts_user }}", password: "{{ vault_archweb_db_dbscripts_password }}" }
+    - { user: "{{ archweb_db_backup_user }}", password: "{{ vault_archweb_db_backup_password }}" }

 - name: create archweb db
  postgresql_db: name="{{ archweb_db }}" login_host="{{ archweb_db_host }}" login_password="{{ postgres_users.postgres }}" owner="{{ archweb_db_site_user }}"
@@ -80,7 +80,7 @@
  when: archweb_site and (db_created.changed or release.changed or config.changed or virtualenv.changed or archweb_forced_deploy)

 - name: db privileges for archweb users
-  postgresql_privs: database="{{ archweb_db }}" host="{{ archweb_db_host }}" login="{{ archweb_db_site_user }}" password="{{ archweb_db_site_password }}"
+  postgresql_privs: database="{{ archweb_db }}" host="{{ archweb_db_host }}" login="{{ archweb_db_site_user }}" password="{{ vault_archweb_db_site_password }}"
                    privs=CONNECT roles="{{ item }}" type=database
  when: archweb_site or archweb_services
  with_items:
@@ -89,7 +89,7 @@
    - "{{ archweb_db_backup_user }}"

 - name: table privileges for archweb users
-  postgresql_privs: database="{{ archweb_db }}" host="{{ archweb_db_host }}" login="{{ archweb_db_site_user }}" password="{{ archweb_db_site_password }}"
+  postgresql_privs: database="{{ archweb_db }}" host="{{ archweb_db_host }}" login="{{ archweb_db_site_user }}" password="{{ vault_archweb_db_site_password }}"
                    privs=SELECT roles="{{ item.user }}" type=table objs="{{ item.objs }}"
  when: archweb_site or archweb_services
  with_items:
@@ -98,7 +98,7 @@
    - { user: "{{ archweb_db_backup_user }}", objs: "{{ archweb_db_backup_table_objs }}" }

 - name: sequence privileges for archweb users
-  postgresql_privs: database="{{ archweb_db }}" host="{{ archweb_db_host }}" login="{{ archweb_db_site_user }}" password="{{ archweb_db_site_password }}"
+  postgresql_privs: database="{{ archweb_db }}" host="{{ archweb_db_host }}" login="{{ archweb_db_site_user }}" password="{{ vault_archweb_db_site_password }}"
                    privs=SELECT roles="{{ item.user }}" type=sequence objs="{{ item.objs }}"
  when: archweb_site or archweb_services
  with_items:

--- a/roles/archweb/templates/local_settings.py.j2
+++ b/roles/archweb/templates/local_settings.py.j2
@@ -28,7 +28,7 @@ DATABASES = {
 {% endif %}
        'NAME'    : '{{ archweb_db }}',
        'USER'    : '{{ archweb_db_site_user }}',
-        'PASSWORD': '{{ archweb_db_site_password }}',
+        'PASSWORD': '{{ vault_archweb_db_site_password }}',
        'OPTIONS' : {
            'application_name': 'archweb',
 {% if archweb_db_host != 'localhost' %}
@@ -61,7 +61,7 @@ MEDIA_ROOT = '{{ archweb_dir }}/media/img'
 MEDIA_URL = '/img/'

 # Make this unique, and don't share it with anybody.
-SECRET_KEY = '{{ archweb_secret_key }}'
+SECRET_KEY = '{{ vault_archweb_secret_key }}'

 # Hostnames we allow this site to be served under
 ALLOWED_HOSTS = ['{{ archweb_domain }}']

--- a/roles/dbscripts/templates/gen_rsyncd.conf.pl
+++ b/roles/dbscripts/templates/gen_rsyncd.conf.pl
@@ -7,7 +7,7 @@ use Data::Dumper;

 # TODO put these into credentials.ini and use Config::Simple to read it
 my $user = '{{ archweb_db_dbscripts_user }}';
-my $pass = '{{ archweb_db_dbscripts_password }}';
+my $pass = '{{ vault_archweb_db_dbscripts_password }}';
 my $db = 'DBI:Pg:dbname={{ archweb_db }};host={{ archweb_db_host }}{% if postgres_ssl == 'on' %};sslmode=require{% endif %}';

 my $scriptdir="/etc/rsyncd-conf-genscripts";