From b24032b515736d4e1938119f6bbcbe3e18ac4494 Mon Sep 17 00:00:00 2001
From: Jerome Caucat
Date: Thu, 3 Jun 2021 18:23:33 +0200
Subject: [PATCH] Split inventory into dev and prod and encrypt prod host vars (#18).
---
 .github/workflows/ansible-lint.yml | 7 ++--
 Vagrantfile | 2 +-
 .../host_vars/laprimaire_2022/main.yml | 0
 .../{ => inventories/development}/hosts.yml | 0
 .../host_vars/laprimaire_2022/main.yml | 23 +++++++++++++
 .../host_vars/laprimaire_2022/vault_main.yml | 34 +++++++++++++++++++
 provisioning/inventories/production/hosts.yml | 34 +++++++++++++++++++
 7 files changed, 97 insertions(+), 3 deletions(-)
 rename provisioning/{ => inventories/development}/host_vars/laprimaire_2022/main.yml (100%)
 rename provisioning/{ => inventories/development}/hosts.yml (100%)
 create mode 100644 provisioning/inventories/production/host_vars/laprimaire_2022/main.yml
 create mode 100644 provisioning/inventories/production/host_vars/laprimaire_2022/vault_main.yml
 create mode 100644 provisioning/inventories/production/hosts.yml
diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml
index 75a386f..525662f 100644
--- a/.github/workflows/ansible-lint.yml
+++ b/.github/workflows/ansible-lint.yml
@@ -39,8 +39,11 @@ jobs:
 provisioning/roles/laprimaire.blog/handlers/main.yml
 provisioning/roles/laprimaire.forum/tasks/main.yml
 provisioning/roles/laprimaire.forum/defaults/main.yml
- provisioning/hosts.yml
- provisioning/host_vars/laprimaire_2022/main.yml
+ provisioning/inventories/development/hosts_var/laprimaire_2022/main.yml
+ provisioning/inventories/development/hosts.yml
+ provisioning/inventories/production/hosts_var/laprimaire_2022/main.yml
+ provisioning/inventories/production/hosts_var/laprimaire_2022/vault_main.yml
+ provisioning/inventories/production/hosts.yml
 provisioning/group_vars/all/main.yml
 # FIXME
 # Fixing the version of ansible is broken at the moment:
diff --git a/Vagrantfile b/Vagrantfile
index 986585e..b559585 100644
--- a/Vagrantfile
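Review bot: The added lint targets spell the directory `hosts_var`, but the files this commit renames and creates live under `host_vars` (see the diffstat and the `rename to` / `+++` headers), so the inventory host vars will not be linted at all and, depending on how the action treats a missing path, the job may fail outright. The three affected lines should read `provisioning/inventories/development/host_vars/laprimaire_2022/main.yml`, `provisioning/inventories/production/host_vars/laprimaire_2022/main.yml` and `provisioning/inventories/production/host_vars/laprimaire_2022/vault_main.yml`. Note also that `vault_main.yml` is vault-encrypted; unless the workflow supplies a vault password (nothing in this hunk shows one), ansible-lint will presumably error or warn when it tries to load it, so either drop it from the list or export `ANSIBLE_VAULT_PASSWORD_FILE` from a CI secret. The enclosing job definition starts and ends outside the hunk.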
+++ b/Vagrantfile
@@ -39,7 +39,7 @@ Vagrant.configure("2") do |config|
 ansible.raw_arguments = ENV['ANSIBLE_EXTRA_ARGS']
 ansible.config_file = "provisioning/ansible.cfg"
 ansible.playbook = "provisioning/playbook.yml"
- ansible.inventory_path = "provisioning/hosts.yml"
+ ansible.inventory_path = "provisioning/inventories/development/hosts.yml"
 ansible.become = true
 ansible.playbook_command = "/vagrant/script/ansible-playbook.sh"
 ansible.extra_vars = {
diff --git a/provisioning/host_vars/laprimaire_2022/main.yml b/provisioning/inventories/development/host_vars/laprimaire_2022/main.yml
similarity index 100%
rename from provisioning/host_vars/laprimaire_2022/main.yml
rename to provisioning/inventories/development/host_vars/laprimaire_2022/main.yml
diff --git a/provisioning/hosts.yml b/provisioning/inventories/development/hosts.yml
similarity index 100%
rename from provisioning/hosts.yml
rename to provisioning/inventories/development/hosts.yml
diff --git a/provisioning/inventories/production/host_vars/laprimaire_2022/main.yml b/provisioning/inventories/production/host_vars/laprimaire_2022/main.yml
new file mode 100644
index 0000000..831997e
--- /dev/null
+++ b/provisioning/inventories/production/host_vars/laprimaire_2022/main.yml
@@ -0,0 +1,23 @@
+---
+
+discourse_postgresql_password: "{{ lookup('env', 'DISCOURSE_POSTGRESQL_PASSWORD') | default(vault_discourse_postgresql_password, true) }}"
+discourse_smtp_user: "{{ lookup('env', 'DISCOURSE_SMTP_USER') | default(vault_discourse_smtp_user, true) }}"
+discourse_smtp_password: "{{ lookup('env', 'DISCOURSE_SMTP_PASSWORD') | default(vault_discourse_smtp_password, true) }}"
+discourse_smtp_tls: "{{ lookup('env', 'DISCOURSE_SMTP_TLS') | default('true', true) }}"
+discourse_redis_password: "{{ lookup('env', 'DISCOURSE_REDIS_PASSWORD') | default(vault_discourse_redis_password, true) }}"
+
+ghost_database_user: "{{ lookup('env', 'GHOST_DATABASE_USER') | default(vault_ghost_database_user, true) }}"
+ghost_database_password: "{{ lookup('env', 'GHOST_DATABASE_PASSWORD') | default(vault_ghost_database_password, true) }}"
+
+matomo_database_root_password: "{{ lookup('env', 'MATOMO_DATABASE_ROOT_PASSWORD') | default(vault_matomo_database_root_password, true) }}"
+matomo_database_username: "{{ lookup('env', 'MATOMO_DATABASE_USER') | default(vault_matomo_database_username, true) }}"
+matomo_database_password: "{{ lookup('env', 'MATOMO_PASSWORD') | default(vault_matomo_database_password, true) }}"
+matomo_user: "{{ lookup('env', 'MATOMO_USER') | default(vault_matomo_user, true) }}"
+matomo_password: "{{ lookup('env', 'MATOMO_PASSWORD') | default(vault_matomo_password, true) }}"
+
+grafana_admin_user: "{{ lookup('env', 'GRAFANA_ADMIN_USER') | default(vault_grafana_admin_user, true) }}"
+grafana_admin_password: "{{ lookup('env', 'GRAFANA_ADMIN_PASSWORD') | default(vault_grafana_admin_password, true) }}"
+
+vouch_oauth_client_id: "{{ lookup('env', 'VOUCH_OAUTH_CLIENT_ID') | default(vault_vouch_oauth_client_id, true) }}"
+vouch_oauth_client_secret: "{{ lookup('env', 'VOUCH_OAUTH_CLIENT_SECRET') | default(vault_vouch_oauth_client_secret, true) }}"
+vouch_whitelist: "{{ lookup('env', 'VOUCH_WHITELIST').split(',') | default(vault_vouch_whitelist, true) }}"
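Review bot: `matomo_database_password` reads the environment variable `MATOMO_PASSWORD`, the same one `matomo_password` reads two lines below, so an operator who exports MATOMO_PASSWORD silently gets the Matomo admin password reused as the database password, while `MATOMO_DATABASE_PASSWORD` is never consulted; the line should be `matomo_database_password: "{{ lookup('env', 'MATOMO_DATABASE_PASSWORD') | default(vault_matomo_database_password, true) }}"`. `vouch_whitelist` has a separate problem: when VOUCH_WHITELIST is unset the env lookup yields `''`, `''.split(',')` is `['']`, a non-empty list that `default(..., true)` treats as truthy, so the vault value is never used and Vouch is presumably handed a whitelist with one empty entry. Falling back before splitting avoids that, e.g. `vouch_whitelist: "{{ lookup('env', 'VOUCH_WHITELIST').split(',') if lookup('env', 'VOUCH_WHITELIST') else vault_vouch_whitelist }}"` (assuming `vault_vouch_whitelist` is already a list, which the encrypted file cannot show). Since this file makes the process environment the first source for every production secret, a header comment such as `# Environment variables take precedence over the vault values; keep them out of shell history and CI logs` would document the intent for the next operator.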
diff --git a/provisioning/inventories/production/host_vars/laprimaire_2022/vault_main.yml b/provisioning/inventories/production/host_vars/laprimaire_2022/vault_main.yml
new file mode 100644
index 0000000..9f914df
--- /dev/null
+++ b/provisioning/inventories/production/host_vars/laprimaire_2022/vault_main.yml
@@ -0,0 +1,34 @@
+$ANSIBLE_VAULT;1.1;AES256
+33373336343737393065396365376366313530643062346330363031326633313138323266343331
+3166633130393932346534663265393534333164623061650a323831643635613164643436646662
+62386231373035646333613330636532653832636361323033393434316235656166646463333565
+6233336639356562300a373361316533353963363131666637343834366237366663303136636466
+30666234663463376636653661653932373662333731383239663939316533393035323639313163
+39626639336431623038326562376661613431366232343463616265643939316335343130623934
+62376330333834366632303362313237376532383631646366323566386166653262383438336331
+39383765626430373162373035636535383237366437303137356261366336306261643465646462
+38663034343430323431653430333833623230656562643431356534303539366430623333316161
+64323963633236323961663933383363323137616334343834633662343836346335396465343135
+64623833393235393131373130386265666433326131363233393962306664623465633838343866
+30343834333632336436623566373431316261646236393065383362613532343136643364323665
+39633966393831356630646462643266663736303032316133383062346633646164626263343037
+33653934383065666435353639343632343232333538623633346130636666346561303263383333
+38616438373636316635356536373966616638323065326531346463313764316137316531343437
+38393464393561633732623436323538653065393339623064633730646663653830303533623533
+62636232353536643134396263386265393131663734626366666661346462613664336536636534
+35353766343337633133353165373862643136333939623933383466326166666166663966623235
+66386265643565336531356531316130633638663739323463343938396236353539636465393730
+64663431383833346432373333623261323665666335303134653138356539376434303766633064
+64356232383537646237393361323065313062306532353936363865383337303139363131633066
+66376331303639393639643935333634623134656366366332333734383235373238366465343130
+35396332363966336265323133393238353032636132313730633332393233316337633565363337
+38616534383561646164643366306437613734343163376366653535356330373666383064303635
+31656133633834363538363139373061383431633531313363316335383031383936366631613833
+39326333613134373837643735343261393165393032383832656366336634393664653232636533
+66356161626432366561333739326132316461646634646335626439353932663561386133386532
+35343534316135336262376637323166653531323263653037376432313137653837666265316536
+65373836623262626238623731623638663531326435383537316261336465346461663632353335
+31326632333863613631303434636162393736623933343464383634653766353530346332653633
+61353639616132616633383433343331316464613931346262636233663730323766376561383266
+65356136373665373263666332636433623663363761646266636539333239393833303735313538
+3466
diff --git a/provisioning/inventories/production/hosts.yml b/provisioning/inventories/production/hosts.yml
new file mode 100644
index 0000000..f1f7839
--- /dev/null
+++ b/provisioning/inventories/production/hosts.yml
@@ -0,0 +1,34 @@
+all:
+ hosts:
+ laprimaire_2022:
+ ansible_host: "{{ (base_hostname == 'laprimaire.org.test') | ternary('2022.' + base_hostname, '51.159.163.166') }}"
+ ansible_ssh_private_key_file: "{{ (base_hostname == 'laprimaire.org.test') | ternary('/vagrant/.vagrant/machines/laprimaire_2022/virtualbox/private_key', '/vagrant/key/laprimaire.org') }}"
+ ansible_ssh_user: root
+ ansible_become: yes
+ org:
+ ansible_host: "org.{{ base_hostname }}"
+ blog:
+ ansible_host: "2022.{{ base_hostname }}"
+ monitoring:
+ ansible_host: "monitoring.infra.{{ base_hostname }}"
+ metrics:
+ ansible_host: "metrics.infra.{{ base_hostname }}"
+ logs:
+ ansible_host: "logs.infra.{{ base_hostname }}"
+ analytics:
+ ansible_host: "analytics.infra.{{ base_hostname }}"
+
+infra:
+ hosts:
+ monitoring:
+ metrics:
+ logs:
+ analytics:
+ vouch_public_locations:
+ # Allow Vouch to bypass authentication for
+ # the routes used to perform analytics.
+ - "~ /matomo\\.(js|php)"
+
+server:
+ hosts:
+ laprimaire_2022:
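Review bot: The header `$ANSIBLE_VAULT;1.1;AES256` shows this file was encrypted without a vault id, so nothing distinguishes the production secrets from any other vault in the repository and a single shared password unlocks them; now that dev and prod are split, re-encrypting with a labelled id (`ansible-vault encrypt --vault-id prod@prompt …`, which produces a `1.2` header carrying the label) lets production have its own password and makes mix-ups visible. The hunk cannot show how that password reaches Vagrant or CI; a short comment in the README or next to the consuming lookups saying where it comes from would save the next operator guessing.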
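Review bot: The production inventory still selects the Vagrant VM whenever `base_hostname == 'laprimaire.org.test'` (both the `ansible_host` and `ansible_ssh_private_key_file` ternaries on `laprimaire_2022`), so which machine a run targets depends on an extra variable rather than on the inventory passed with `-i`, which undoes the dev/prod split and leaves a path by which a test run could reach `51.159.163.166` with the production key. Since the development inventory now owns the VM case, those two lines can simply be `ansible_host: 51.159.163.166` and `ansible_ssh_private_key_file: /vagrant/key/laprimaire.org`. `ansible_ssh_user: root` logs in directly as root (and `ansible_ssh_user` is the legacy alias of `ansible_user`); given `ansible_become: yes` is set anyway, a dedicated unprivileged deploy user via `ansible_user` plus become would limit what the committed key path grants, and `ansible_become: true` also satisfies the `truthy` lint rule. Please also confirm that `key/` under the repository root is git-ignored, since the production private key path lives inside the tree Vagrant mounts at `/vagrant`.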