ansible-taler-exchange

Ansible playbook to deploy a production Taler Exchange

commit 0c3536bc3dec15d653a3d0213e71d9a37ca3191e
parent 583226ad38c9c0c77d76e01d5b18e536b4516d3b
Author: Christian Grothoff <christian@grothoff.org>
Date:   Thu, 30 Jan 2025 12:27:47 +0100

setup production secrets

Diffstat:
M README                         | 20 +++++++++++++++-----
M deploy-tops.sh                 | 11 +++++++++--
A playbooks/.gitignore           |  1 +
A playbooks/tops-secrets.yml.gpg |  0
4 files changed, 25 insertions(+), 7 deletions(-)

diff --git a/README b/README @@ -18,17 +18,27 @@ To run the main playbook (playbooks/setup.yml): $ ansible-playbook --verbose --inventory <host> --user root playbooks/setup.yml --extra-vars "@playbooks/test-secrets.yml" ``` +Instead of specifying the host(s) as arguments (note the trailing comma!) +you can pass an inventory file. See `inventories/`, and update accordingly. + For example, if you are root@taler-ops.ch, you may be able to: ``` -$ ansible-playbook --verbose --inventory inventories/tops --user root playbooks/setup.yml --extra-vars "@playbooks/test-secrets.yml" +$ ./deploy-tops tops ``` -Instead of specifying the host(s) as arguments (note the trailing comma!) -you can pass an inventory file. See `inventories/`, and update accordingly. +For TOPS production, replace the "test" with "tops" to use the actual secrets +for the deployment. For this, you first need to decrypt them: + +$ gpg -d playbooks/tops-secrets.yml.gpg > playbooks/tops-secrets.yml + +Make sure to NEVER commit the decrypted production secrets to Git. +Instead, if you had to edit them, re-encrypt them to all admins: -For production, replace the "test-secrets.yml" file with the actual secrets -for your deployment. +$ cat playbooks/tops-secrets.yml | gpg --encrypt \ + --recipient grothoff@gnunet.org \ + --recipient devan@taler.net \ + --recipient me@fdold.eu > playbooks/tops-secrets.yml.gpg ## Setting up backups diff --git a/deploy-tops.sh b/deploy-tops.sh @@ -1,2 +1,10 @@ #!/bin/sh -ansible-playbook --verbose --inventory inventories/tops --user root playbooks/setup.yml --extra-vars "@playbooks/test-secrets.yml" -\ No newline at end of file +set -eu + +if [ -z ${1:-} ] +then + echo "Call with 'test' or 'prod' to select which secrets to use" + exit 1 +fi + +ansible-playbook --verbose --inventory inventories/tops --user root playbooks/setup.yml --extra-vars "@playbooks/$1-secrets.yml" diff --git a/playbooks/.gitignore b/playbooks/.gitignore @@ -0,0 +1 @@ +tops-secrets.yml 
diff --git a/playbooks/tops-secrets.yml.gpg b/playbooks/tops-secrets.yml.gpg Binary files differ.
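Review bot: in the README hunk the example `$ ./deploy-tops tops` points at a file that does not exist under that name in this commit; the script is `deploy-tops.sh`, so the example should read `$ ./deploy-tops.sh tops` (or the commit should add the symlink it assumes). The same hunk tells the reader to select `tops`, while the new usage message in deploy-tops.sh offers `'test' or 'prod'`; since only `test-secrets.yml` and `tops-secrets.yml` are referenced anywhere in this tree, the two should agree on `tops`. The `gpg -d` and `gpg --encrypt` commands also sit outside the fenced block used for the other commands, and `cat playbooks/tops-secrets.yml | gpg --encrypt ...` can be simplified to `gpg --encrypt --output playbooks/tops-secrets.yml.gpg ... playbooks/tops-secrets.yml`.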
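Review bot: in the deploy-tops.sh hunk the check `if [ -z ${1:-} ]` leaves the expansion unquoted, so `test` sees a variable number of operands depending on the argument; write `if [ -z "${1:-}" ]`. The usage text names `prod`, but the script then opens `playbooks/$1-secrets.yml`, and the only secrets files this commit knows are `test-secrets.yml` and `tops-secrets.yml`, so `./deploy-tops.sh prod` fails later inside ansible-playbook with a missing-file error instead of at this check. A guard such as `[ -f "playbooks/$1-secrets.yml" ] || { echo "missing playbooks/$1-secrets.yml (did you gpg -d the production secrets?)"; exit 1; }` would turn a forgotten decrypt step into a clear message.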
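Review bot: the .gitignore hunk ignores only the exact name `tops-secrets.yml`; editor backup and swap files written next to the decrypted secrets (for example `tops-secrets.yml~` or `.tops-secrets.yml.swp`) are not covered and would be staged by `git add playbooks/`, which undercuts the README's "NEVER commit the decrypted production secrets" instruction. Patterns such as `tops-secrets.yml*` and `.tops-secrets.yml.sw?` would close that gap.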
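Review bot: the encrypted blob added as playbooks/tops-secrets.yml.gpg cannot be reviewed as text; please confirm it was encrypted to all three recipients the README hunk lists (grothoff@gnunet.org, devan@taler.net, me@fdold.eu). `gpg --list-packets playbooks/tops-secrets.yml.gpg` prints one `pubkey enc packet` with its key ID per recipient, and a blob encrypted to fewer keys leaves one of the admins unable to decrypt it.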