port rest of fleet secrets to BitWarden

https://github.com/status-im/infra-docs/issues/9 Signed-off-by: Jakub Sokołowski <jakub@status.im>
2025-02-20 17:38:08 +00:00 · 2021-08-13 22:05:12 +02:00 · 2021-08-13 22:05:12 +02:00 · a21ac2fe8c
commit a21ac2fe8c
parent 5d36d3ad3e
10 changed files with 19 additions and 20 deletions
--- a/ansible/group_vars/log-dash.yml
+++ b/ansible/group_vars/log-dash.yml
@ -2,8 +2,8 @@
 # CloudFlare Origin certificates
 origin_certs:
  - domain: 'status.im'
-    crt: '{{lookup("passwordstore", "cloud/Cloudflare/status.im/origin.crt returnall=true")}}'
-    key: '{{lookup("passwordstore", "cloud/Cloudflare/status.im/origin.key returnall=true")}}'
+    crt: '{{lookup("bitwarden", "Cloudflare/status.im", file="origin.crt")}}'
+    key: '{{lookup("bitwarden", "Cloudflare/status.im", file="origin.key")}}'
    default: true

 # Kibana Dashboard
@ -19,9 +19,9 @@ oauth_upstream_cont: '{{ kibana_cont_name }}'
 oauth_upstream_port: '{{ kibana_cont_port }}'
 oauth_public_port: 443
 oauth_local_port: 8090
-oauth_cookie_secret: '{{ lookup("passwordstore", "services/cookie-secret") }}'
-oauth_id: '{{ lookup("passwordstore", "services/nimbus-kibana/oauth-id") }}'
-oauth_secret: '{{ lookup("passwordstore", "services/nimbus-kibana/oauth-secret") }}'
+oauth_cookie_secret: '{{ lookup("bitwarden", "cookie-secret", field="secret") }}'
+oauth_id: '{{ lookup("bitwarden", "nimbus/kibana/oauth", field="client-id") }}'
+oauth_secret: '{{ lookup("bitwarden", "nimbus/kibana/oauth", field="secret") }}'

 # ElasticSearch Load Balancer
 es_lb_image: 'docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2'
--- a/ansible/group_vars/log-store.yml
+++ b/ansible/group_vars/log-store.yml
@ -2,8 +2,8 @@
 # CloudFlare Origin certificates
 origin_certs:
  - domain: 'status.im'
-    crt: '{{lookup("passwordstore", "cloud/Cloudflare/status.im/origin.crt returnall=true")}}'
-    key: '{{lookup("passwordstore", "cloud/Cloudflare/status.im/origin.key returnall=true")}}'
+    crt: '{{lookup("bitwarden", "Cloudflare/status.im", file="origin.crt")}}'
+    key: '{{lookup("bitwarden", "Cloudflare/status.im", file="origin.key")}}'
    default: true

 # Syncing can use a lot of mamory
@ -49,10 +49,9 @@ oauth_upstream_cont: '{{ es_hq_cont_name }}'
 oauth_upstream_port: '{{ es_hq_cont_port }}'
 oauth_public_port: 443
 oauth_local_port: 8090
-oauth_cookie_secret: '{{ lookup("passwordstore", "services/cookie-secret") }}'
-oauth_id: '{{ lookup("passwordstore", "services/elastic-hq-nimbus/oauth-id") }}'
-oauth_secret: '{{ lookup("passwordstore", "services/elastic-hq-nimbus/oauth-secret") }}'
-
+oauth_cookie_secret: '{{ lookup("bitwarden", "cookie-secret", field="secret") }}'
+oauth_id: '{{ lookup("bitwarden", "nimbus/elastic-hq/oauth", field="client-id") }}'
+oauth_secret: '{{ lookup("bitwarden", "nimbus/elastic-hq/oauth", field="secret") }}'

 # Open Ports
 open_ports_default_comment: 'ElasticSearch'
--- a/ansible/group_vars/nimbus-geth-goerli.yml
+++ b/ansible/group_vars/nimbus-geth-goerli.yml
@ -9,7 +9,7 @@ geth_sync_mode: 'full'
 geth_log_level_name: info
 geth_websocket_enabled: true
 # Geth auth
-geth_account_pass: '{{lookup("passwordstore", "services/Nimbus-Geth/password")}}'
+geth_account_pass: '{{lookup("bitwarden", "nimbus/geth", field="password")}}'
 # Allow connections from our VPN
 geth_websocket_origins: '*'
 # Memory settings
--- a/ansible/group_vars/nimbus-geth-mainnet.yml
+++ b/ansible/group_vars/nimbus-geth-mainnet.yml
@ -11,7 +11,7 @@ geth_sync_mode: 'fast'
 geth_log_level_name: info
 geth_websocket_enabled: true
 # Geth auth
-geth_account_pass: '{{lookup("passwordstore", "services/Nimbus-Geth/password")}}'
+geth_account_pass: '{{lookup("bitwarden", "nimbus/geth", field="password")}}'
 # Allow connections from our VPN
 geth_websocket_origins: '*'
 # Memory settings
--- a/ansible/group_vars/nimbus.mainnet.yml
+++ b/ansible/group_vars/nimbus.mainnet.yml
@ -3,7 +3,7 @@ beacon_node_network: 'mainnet'
 beacon_node_cont_tag: 'stable-small'

 # WARNING: Since these are Eth 2 bootnodes we need to keep the keys and IPs unchanged.
-beacon_node_netkey: '{{lookup("passwordstore","services/Nimbus/netkey/"+hostname)}}'
+beacon_node_netkey: '{{lookup("bitwarden", "nimbus/netkey", field=hostname)}}'

 # Bootnodes should subscribe to all subnets
 beacon_node_subscribe_all: true
--- a/ansible/group_vars/nimbus.prater.yml
+++ b/ansible/group_vars/nimbus.prater.yml
@ -13,7 +13,7 @@ beacon_node_cont_tag: '{{ node_branch }}-{{ node_size }}'
 beacon_node_network: 'prater'

 # Windows service user
-beacon_node_service_user_pass: '{{lookup("passwordstore", "services/Nimbus/windows-pass")}}'
+beacon_node_service_user_pass: '{{lookup("bitwarden", "nimbus/windows", field="password")}}'

 # Split by hostname for more central location
 validators_layout:
--- a/ansible/group_vars/nimbus.rayonism.yml
+++ b/ansible/group_vars/nimbus.rayonism.yml
@ -5,7 +5,7 @@ geth_service_path: '{{ beacon_node_cont_vol }}'
 geth_compose_path: '{{ geth_service_path }}/docker-compose.geth.yml'
 geth_rpc_wrapper: '{{ geth_service_path }}/rpc.geth.sh'
 geth_cont_image: 'ethereum/client-go@sha256:82920663d5c2378d9d21c640f30c885154e5eca6d1dd7ccec83711f527aeddbf'
-geth_account_pass: '{{lookup("passwordstore", "services/Nimbus-Geth/password")}}'
+geth_account_pass: '{{lookup("bitwarden", "nimbus/geth", field="password")}}'
 geth_sync_mode: 'fast'
 geth_log_level_name: 'detail'
 # Enable consensus API
--- a/ansible/host_vars/stable-large-01.aws-eu-central-1a.nimbus.prater.yml
+++ b/ansible/host_vars/stable-large-01.aws-eu-central-1a.nimbus.prater.yml
@ -1,6 +1,6 @@
 ---
 # WARNING: Since these are Eth 2 bootnodes we need to keep the keys and IPs unchanged.
-beacon_node_netkey: '{{lookup("passwordstore","services/Nimbus/netkey/"+hostname)}}'
+beacon_node_netkey: '{{lookup("bitwarden", "nimbus/netkey", field=hostname)}}'

 # Bootnodes should subscribe to all subnets
 beacon_node_subscribe_all: true
--- a/ansible/host_vars/stable-large-02.aws-eu-central-1a.nimbus.prater.yml
+++ b/ansible/host_vars/stable-large-02.aws-eu-central-1a.nimbus.prater.yml
@ -1,5 +1,5 @@
 # WARNING: Since these are Eth 2 bootnodes we need to keep the keys and IPs unchanged.
-beacon_node_netkey: '{{lookup("passwordstore","services/Nimbus/netkey/"+hostname)}}'
+beacon_node_netkey: '{{lookup("bitwarden", "nimbus/netkey", field=hostname)}}'

 # Bootnodes should subscribe to all subnets
 beacon_node_subscribe_all: true
--- a/ansible/requirements.yml
+++ b/ansible/requirements.yml
@ -41,12 +41,12 @@

 - name: infra-role-beacon-node-docker
  src: git@github.com:status-im/infra-role-beacon-node-docker.git
-  version: 1edf2629a726b4fdce7bf536ac6f015f995ea725
+  version: cb69ed19f0e1d1e23c7cf66f389854082c157778
  scm: git

 - name: infra-role-beacon-node-linux
  src: git@github.com:status-im/infra-role-beacon-node-linux.git
-  version: d96c2548802977a66e3c7c5bfd842df28699743d
+  version: d19a71843f15386c424dc8bd9f3aa2bdff39541c
  scm: git

 - name: infra-role-beacon-node-windows