fix: remove various secrets

2025-12-06 07:51:35 +01:00 · 2024-12-22 21:47:59 +00:00
parent d83ba59fe3
commit 7928b24240
5 changed files with 12 additions and 6 deletions
--- a/group_vars/all.yaml
+++ b/group_vars/all.yaml
@@ -11,6 +11,12 @@ code_server_password: HISTORY_PURGED_SECRET

 atlantis_array_action_pw: jeanswochenendegeschichte

+money_balancer_jwt_secret: HISTORY_PURGED_SECRET
+
+hedgedoc_db_password: HISTORY_PURGED_SECRET
+
+paperless_secret_key: HISTORY_PURGED_SECRET
+
 tube_archivist_elasticsearch_password: HISTORY_PURGED_SECRET

 reactive_resume_postgres_password: HISTORY_PURGED_SECRET
--- a/roles/docker-deployments/templates/hedgedoc.yaml
+++ b/roles/docker-deployments/templates/hedgedoc.yaml
@@ -3,7 +3,7 @@ services:
    image: postgres:15-alpine
    environment:
      - POSTGRES_USER=hedgedoc
-      - POSTGRES_PASSWORD=HISTORY_PURGED_SECRET
+      - POSTGRES_PASSWORD={{ hedgedoc_db_password }}
      - POSTGRES_DB=hedgedoc
    volumes:
      - /data/hedgedoc/pgsql:/var/lib/postgresql/data
@@ -12,7 +12,7 @@ services:
    # Make sure to use the latest release from https://hedgedoc.org/latest-release
    image: quay.io/hedgedoc/hedgedoc:latest
    environment:
-      - CMD_DB_URL=postgres://hedgedoc:HISTORY_PURGED_SECRET@database:5432/hedgedoc
+      - CMD_DB_URL=postgres://hedgedoc:{{ hedgedoc_db_password }}@database:5432/hedgedoc
      - CMD_DOMAIN=hedgedoc.atlantishq.de
      - CMD_PROTOCOL_USESSL=true
      - CMD_ALLOW_ORIGIN=['hedgedoc.atlantishq.de']
@@ -22,7 +22,7 @@ services:
      - CMD_OAUTH2_TOKEN_URL=https://{{ keycloak_address }}/realms/master/protocol/openid-connect/token
      - CMD_OAUTH2_AUTHORIZATION_URL=https://{{ keycloak_address }}/realms/master/protocol/openid-connect/auth
      - CMD_OAUTH2_CLIENT_ID=z_hedgedoc
-      - CMD_OAUTH2_CLIENT_SECRET=HISTORY_PURGED_SECRET
+      - CMD_OAUTH2_CLIENT_SECRET={{ keycloak_clients['hedgedoc']['client_secret'] }}
      - CMD_OAUTH2_SCOPE=openid email profile
      - CMD_OAUTH2_ROLES_CLAIM=roles
      - CMD_OAUTH2_PROVIDERNAME=AtlantisHQ Auth
--- a/roles/docker-deployments/templates/money-balancer.yaml
+++ b/roles/docker-deployments/templates/money-balancer.yaml
@@ -7,7 +7,7 @@ services:
    volumes:
      - /data/money-balancer:/data
    environment:
-      - MONEYBALANCER_JWT_SECRET=HISTORY_PURGED_SECRET
+      - MONEYBALANCER_JWT_SECRET={{ money_balancer_jwt_secret }}
      - MONEYBALANCER_AUTH_LOCAL_ENABLED=false
      - MONEYBALANCER_AUTH_PROXY_ENABLED=true
      - MONEYBALANCER_AUTH_PROXY_HEADERS_USERNAME=x-forwarded-preferred-username
--- a/roles/openvpn/templates/atlantis-ip-gate.yaml
+++ b/roles/openvpn/templates/atlantis-ip-gate.yaml
@@ -8,7 +8,7 @@ services:
    volumes:
      - vpn-gate-data:/app/data/
    environment:
-      - APP_SECRET=jeanswochenendegeschichte
+      - APP_SECRET={{ atlantis_array_action_pw }}
  nginx:
    restart: always
    image: harbor-registry.atlantishq.de/atlantishq/atlantis-ip-gate-nginx:latest
--- a/roles/paperless/templates/docker-compose.env
+++ b/roles/paperless/templates/docker-compose.env
@@ -1,7 +1,7 @@
 PAPERLESS_URL=https://paperless.atlantishq.de
 PAPERLESS_TIME_ZONE=Europe/Berlin
 PAPERLESS_OCR_LANGUAGE=deu
-PAPERLESS_SECRET_KEY=HISTORY_PURGED_SECRET
+PAPERLESS_SECRET_KEY={{ paperless_secret_key }}
 PAPERLESS_ADMIN_USER=sheppy
 PAPERLESS_ADMIN_PASSWORD=Rxn5gbl6XR
 PAPERLESS_ENABLE_HTTP_REMOTE_USER=TRUE