From ebfb7ad7992893f2d2dc04282b2583b606f660e5 Mon Sep 17 00:00:00 2001
From: Alexis Pentori
Date: Thu, 26 Sep 2024 18:14:56 +0200
Subject: [PATCH] all: change secret location
Signed-off-by: Alexis Pentori
---
ansible/group_vars/all.yml | 24 +++++++++++++-----------
ansible/group_vars/node-db.yml | 4 ++--
ansible/group_vars/node.yml | 10 +++++-----
3 files changed, 20 insertions(+), 18 deletions(-)
diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 01a2f17..7c472ca 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -1,17 +1,19 @@
 ---
 # Root password
-bootstrap__root_pass: '{{lookup("vault", "hosts/config", field="root-pass")}}'
-bootstrap__firewall_nftables: true
-
 # Consul
-bootstrap__consul_encryption_key: '{{lookup("vault", "hosts/config", field="consul-encryption-key")}}'
-bootstarp__consul_agent_acl_token: '{{lookup("vault", "hosts/consul/acl-tokens", field="agent-default")}}'
-bootstrap__consul_certs_ca_crt: '{{lookup("vault", "hosts/consul/certs", field="ca.pem")}}'
-bootstrap__consul_certs_client_crt: '{{lookup("vault", "hosts/consul/certs", field="client.pem")}}'
-bootstrap__consul_certs_client_key: '{{lookup("vault", "hosts/consul/certs", field="client-key.pem")}}'
+bootstrap__root_pass: '{{lookup("vault", "hosts", field="root-pass", stage="all", env="all")}}'
+# Consul
+bootstrap__consul_encryption_key: '{{lookup("vault", "consul/config", field="encryption-key", stage="all", env="all")}}'
+bootstarp__consul_agent_acl_token: '{{lookup("vault", "consul/acl-tokens", field="agent-default", stage="all", env="all")}}'
+bootstrap__consul_certs_ca_crt: '{{lookup("vault", "consul/certs", field="ca.pem", stage="all", env="all")}}'
+bootstrap__consul_certs_client_crt: '{{lookup("vault", "consul/certs", field="client.pem", stage="all", env="all")}}'
+bootstrap__consul_certs_client_key: '{{lookup("vault", "consul/certs", field="client-key.pem", stage="all", env="all")}}'
 # SSHGuard
-bootstrap__sshguard_whitelist_extra: ['{{lookup("vault", "hosts/sshguard/whitelist", field="jakubgs-home")}}']
+bootstrap__sshguard_whitelist_extra: ['{{lookup("vault", "sshguard/whitelist", field="jakubgs-home", stage="all", env="all")}}']
 # Wireguard
-wireguard_consul_acl_token: '{{lookup("vault", "hosts/consul/acl-tokens", field="wireguard")}}'
+wireguard_consul_acl_token: '{{lookup("vault", "consul/acl-tokens", field="wireguard", stage="all", env="all")}}'
+
+# Firewall
+bootstrap__firewall_nftables: true
 # Volume of Trace level logs is too high and fills up ES cluster.
 bootstrap__rsyslog_filter_rules: ['TRC']
@@ -20,7 +22,7 @@ bootstrap__rsyslog_filter_rules: ['TRC']
 bootstrap__docker_registries:
 - url: 'https://harbor.status.im'
 username: 'robot$wakuorg+infra-waku'
- password: '{{ lookup("vault", "hosts/config/harbor-robot", field="robot$wakuorg+infra-waku") }}'
+ password: '{{ lookup("vault", "robot", field="robot$wakuorg+infra-waku", env="ci", stage="harbor")}}'
 # Custom SSH accounts for Nimbus fleet, should start from UID 8000.
 bootstrap__active_extra_users:
diff --git a/ansible/group_vars/node-db.yml b/ansible/group_vars/node-db.yml
index efb9a90..22ad1a5 100644
--- a/ansible/group_vars/node-db.yml
+++ b/ansible/group_vars/node-db.yml
@@ -8,12 +8,12 @@ postgres_ha_replica_enabled: false
 postgres_ha_replica_allowed_addresses: []
 postgres_ha_admin_user: 'postgres'
-postgres_ha_admin_pass: '{{lookup("vault", "waku/" + env + "-" + stage+"/config", field="db-admin-password")}}'
+postgres_ha_admin_pass: '{{lookup("vault", "database", field="db-admin-password")}}'
 postgres_ha_databases:
 - name: 'nim-waku'
 user: 'nim-waku'
- pass: '{{lookup("vault", "waku/"+ env + "-" +stage+"/config", field="db-password")}}'
+ pass: '{{lookup("vault", "database", field="db-password")}}'
 postgres_ha_backup: false
diff --git a/ansible/group_vars/node.yml b/ansible/group_vars/node.yml
index 555742b..1805ab7 100644
--- a/ansible/group_vars/node.yml
+++ b/ansible/group_vars/node.yml
@@ -9,7 +9,7 @@ nim_waku_log_level: 'debug'
 nim_waku_protocols_enabled: ['relay', 'rln-relay', 'store', 'filter', 'lightpush', 'peer-exchange']
 nim_waku_disc_v5_enabled: true
 nim_waku_dns4_domain_name: '{{ dns_entry }}'
-nim_waku_node_key: '{{lookup("vault", "waku/"+env+"-"+stage+"/config", field=hostname)}}'
+nim_waku_node_key: '{{lookup("vault", "config", field=hostname)}}'
 nim_waku_cluster_id: 1
 nim_waku_relay_shard_manager: true
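Review bot: The rewritten ACL-token line keeps the misspelled key `bootstarp__consul_agent_acl_token`, so if the bootstrap role reads `bootstrap__consul_agent_acl_token` as its siblings on the surrounding lines suggest, the agent token fetched from Vault is never handed to the Consul agent and the misspelling only surfaces when ACL enforcement fails; since the line is being rewritten anyway, change it to `bootstrap__consul_agent_acl_token: '{{lookup("vault", "consul/acl-tokens", field="agent-default", stage="all", env="all")}}'`. As the hunk reads, the context line `# Consul` stays between `# Root password` and the new `bootstrap__root_pass`, while a second `+# Consul` header is added below it, so the root password ends up under a Consul heading; dropping the stale context comment keeps the section headers truthful. The repeated `stage="all", env="all"` pair deserves a one-line comment on what `all` selects, because the node-db.yml and node.yml lookups in this same patch omit both keywords and a reader cannot tell from this file whether the omission means the same thing.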
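Review bot: The new `password:` line orders the keywords `env="ci", stage="harbor"` and drops the space before `}}`, unlike the other lookups in this file, which put `stage=` before `env=`; `password: '{{ lookup("vault", "robot", field="robot$wakuorg+infra-waku", stage="harbor", env="ci") }}'` matches the rest. The robot account name is now spelled twice, as `username` and as `field`, so a rename of the Harbor robot has to be made in both places or the lookup silently fetches the wrong field; defining the name once as a variable and referencing it from both would remove that drift. Every host, whatever its own `env`/`stage`, now pulls this one `ci`/`harbor` credential; if the robot account is pull-only that is fine, but a comment such as `# Shared pull credential for all hosts, stored under env=ci/stage=harbor in Vault` would record the intent for the next reader.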
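Review bot: Both new lookups here, `postgres_ha_admin_pass` and the `pass:` entry under `postgres_ha_databases`, drop the `env`/`stage` that the old `"waku/" + env + "-" + stage + "/config"` path encoded and, unlike the all.yml lookups in this patch, pass no `stage=`/`env=` keywords, so per-environment separation of the database credentials now rests entirely on the lookup plugin's implicit defaults. If the plugin derives them from the inventory `env` and `stage` vars, a comment saying so (e.g. `# env/stage default to the host's inventory vars`) makes that dependency visible; if it does not, `postgres_ha_admin_pass: '{{lookup("vault", "database", field="db-admin-password", env=env, stage=stage)}}'` keeps the scoping explicit so a misconfigured default cannot hand a node another environment's password. The same applies to the `database` and `config` lookups in node.yml (`nim_waku_node_key`, `nim_waku_store_message_db_pass`, `nim_waku_rln_cred_password`, `nim_waku_rln_account_key`).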
@@ -39,7 +39,7 @@ nim_waku_max_relay_peers: '{{ nim_waku_p2p_max_connections - 100 }}'
 # Store
 nim_waku_store_message_db_name: 'nim-waku'
 nim_waku_store_message_db_user: 'nim-waku'
-nim_waku_store_message_db_pass: '{{lookup("vault", "waku/"+env+"-"+stage+"/config", field="db-password")}}'
+nim_waku_store_message_db_pass: '{{lookup("vault", "database", field="db-password")}}'
 nim_waku_store_message_db_url: 'postgres://{{ nim_waku_store_message_db_user}}:{{ nim_waku_store_message_db_pass}}@node-db-01.{{ ansible_domain }}.wg:5432/{{nim_waku_store_message_db_name}}'
 nim_waku_store_message_retention_policy: 'size:50GB'
 nim_waku_store_vacuum: true
@@ -65,9 +65,9 @@ nim_waku_rln_relay_dynamic: true
 nim_waku_rln_relay_eth_contract_address: '0xCB33Aa5B38d79E3D9Fa8B10afF38AA201399a7e3'
 nim_waku_rln_relay_eth_client_address: 'http://linux-01.ih-eu-mda1.nimbus.sepolia.wg:8556'
 nim_waku_rln_relay_tree_path: '/data/rln_relay_tree'
-nim_waku_rln_keystore_active: true
-nim_waku_rln_cred_password: '{{ lookup("vault", "waku/" + env + "-" + stage + "/config", field="keystore-password")}}'
-nim_waku_rln_account_key: '{{ lookup("vault", "waku/" + env + "-" + stage + "/config", field="account-private-key")}}'
+nim_waku_rln_keystore_active: true
+nim_waku_rln_cred_password: '{{ lookup("vault", "config", field="keystore-password")}}'
+nim_waku_rln_account_key: '{{ lookup("vault", "config", field="account-private-key")}}'
 # Consul Service
 nim_waku_consul_success_before_passing: 5
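Review bot: `nim_waku_rln_keystore_active: true` is removed and re-added with no visible change, which points at trailing whitespace or a re-indent on the old line; if so, it is worth trimming here so the churn line does not end up in blame. After this split the database secrets get their own `database` path, but the per-host `nim_waku_node_key` (`field=hostname`, in the first node.yml hunk) and the fleet-wide `account-private-key` and `keystore-password` still share the single `config` secret; Vault policies are typically scoped by path rather than by field, so any node allowed to read its own node key can presumably read the account private key as well, and if that is not intended a dedicated path for the RLN account material is the natural follow-up to this refactor. Whether `config` is per-host or shared is not visible from this file; a comment above these three lines stating its scope would help the next reader.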