| Mohammed Naser | 206e5f8 | 2022-03-16 20:21:14 -0400 | [diff] [blame] | 1 | --- |
| 2 | - hosts: localhost |
| 3 | gather_facts: false |
| 4 | tasks: |
| 5 | - name: Ensure the secrets file exists |
| 6 | ansible.builtin.file: |
| 7 | path: "{{ secrets_path }}" |
| 8 | state: touch |
| 9 | |
| 10 | - name: Load the current secrets into a variable |
| 11 | ansible.builtin.include_vars: |
| 12 | file: "{{ secrets_path }}" |
| 13 | name: secrets |
| 14 | |
| 15 | - name: Generate secrets for missing variables |
| 16 | ansible.builtin.set_fact: |
| 17 | secrets: "{{ secrets| default({}) | combine({item: lookup('password', '/dev/null chars=ascii_lowercase,ascii_uppercase,digits length=32')}) }}" |
| 18 | # NOTE(mnaser): We don't want to override existing secrets, so we generate |
| 19 | # a new one if and only if it doesn't exist |
| 20 | when: item not in secrets |
| 21 | # NOTE(mnaser): This is absolutely hideous but there's no clean way of |
| 22 | # doing this using `with_fileglob` or `with_filetree` |
| 23 | with_lines: > |
| 24 | ls {{ playbook_dir }}/../roles/*/defaults/main.yml | |
| 25 | xargs grep undef | |
| 26 | egrep -v '(_host|region_name)' | |
| 27 | cut -d':' -f2 |
| 28 | |
| 29 | - name: Write new secrets file to disk |
| 30 | ansible.builtin.copy: |
| 31 | content: "{{ secrets | to_nice_yaml }}" |
| 32 | dest: "{{ secrets_path }}" |
| Mohammed Naser | 498593a | 2022-03-17 21:13:14 -0400 | [diff] [blame^] | 33 | |
| 34 | - name: Encrypt secrets file with Vault password |
| 35 | ansible.builtin.shell: |
| 36 | ansible-vault encrypt --vault-password-file {{ secrets_vault_password_file }} {{ secrets_path }} |
| 37 | when: |
| 38 | - secrets_vault_password_file is defined |