From 66662594d014f284ef8204faffc372134f7c46c2 Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Tue, 21 Dec 2021 19:57:43 +0000
Subject: [PATCH] Extract plausible secrets to dedicated vault
---
 .../roles/plausible/files/docker-compose.yml | 4 ++--
 ansible/roles/plausible/tasks/main.yml | 3 +++
 ansible/roles/plausible/vars/main.yml | 23 ++-----------------
 ansible/roles/plausible/vars/vault.yml | 16 +++++++++++++
 4 files changed, 23 insertions(+), 23 deletions(-)
 create mode 100644 ansible/roles/plausible/vars/vault.yml
diff --git a/ansible/roles/plausible/files/docker-compose.yml b/ansible/roles/plausible/files/docker-compose.yml
index ca34222..a769ac1 100644
--- a/ansible/roles/plausible/files/docker-compose.yml
+++ b/ansible/roles/plausible/files/docker-compose.yml
@@ -22,8 +22,8 @@ services:
 - traefik.http.routers.plausible-embed.middlewares=plausible-index environment:
- - SECRET_KEY_BASE={{ secret_key }}
- - SIGNING_SALT={{ signing_salt }}
+ - SECRET_KEY_BASE={{ plausible_secret_key }}
+ - SIGNING_SALT={{ plausible_signing_salt }}
 - DATABASE_URL=postgres://plausible:plausible@db:5432/plausible - DISABLE_REGISTRATION=true - DISABLE_SUBSCRIPTION=true
diff --git a/ansible/roles/plausible/tasks/main.yml b/ansible/roles/plausible/tasks/main.yml
index 0293245..4c431a7 100644
--- a/ansible/roles/plausible/tasks/main.yml
+++ b/ansible/roles/plausible/tasks/main.yml
@@ -1,3 +1,6 @@
+- name: Include vault
+ include_vars: vault.yml
+
 - name: Create install directory file: path: /opt/plausible
diff --git a/ansible/roles/plausible/vars/main.yml b/ansible/roles/plausible/vars/main.yml
index 9d2dd72..aff74af 100644
--- a/ansible/roles/plausible/vars/main.yml
+++ b/ansible/roles/plausible/vars/main.yml
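Review bot: In the docker-compose.yml hunk, the `DATABASE_URL` context line just below the changed entries still carries the database password in plaintext (`postgres://plausible:plausible@db:5432/plausible`), so one credential stays outside the vault after this extraction. If the `db` service is reachable only on the compose-internal network the exposure is limited, but the username-as-password default is worth replacing with a vaulted value in the same pass, for example `- DATABASE_URL=postgres://plausible:{{ plausible_db_password }}@db:5432/plausible` (variable name is a suggestion), with the matching change on the database service, which is not visible in this hunk. The rendered file also holds `SECRET_KEY_BASE` and `SIGNING_SALT` in cleartext on the host, so the task that writes it should set a restrictive `mode` such as `"0600"`; that task is outside this diff.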
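Review bot: In the tasks/main.yml hunk, the new `Include vault` task has no `no_log: true`, and `include_vars` returns the loaded variables in its task result, so the decrypted `vault_plausible_*` values can appear in verbose (`-v`) output or in any callback that records results. Adding `no_log: true` alongside `include_vars: vault.yml` keeps them out of logs. The task is also untagged, so a run limited with `--tags` that skips it would leave `plausible_secret_key` and `plausible_signing_salt` unresolved when the compose file is rendered; `tags: always` on this task avoids that if the role is ever run with tags.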
@@ -1,21 +1,2 @@ -secret_key: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 39336333353061326461306663306661393465646536323664353933643030623561393732323438 - 3162376361386238623238323765376261303431643530660a646234653266326264336636343264 - 38396537646661386435353134663033336133646233343334356364663136373233623436383862 - 6139326335313830370a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signing_salt: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 35366665313061333735636265386535663830666531376365323033353338653536633334646566 - 3065393638663934623237336561633365303664613863350a326661393439393532316666653134 - 61353939626433396530636665636439313966636130386365396535326239366331646664383562 - 3763326533373266620a376230613664633332663065393561656565653634366130323534633865 - 35336236653664373131343364373637653261303030663239333534653432386438343162393866 - 3563353137633338623239346538643662393537313932386366 +plausible_secret_key: "{{ vault_plausible_secret_key }}" +plausible_signing_salt: "{{ vault_plausible_signing_salt }}" diff --git a/ansible/roles/plausible/vars/vault.yml b/ansible/roles/plausible/vars/vault.yml new file mode 100644 index 0000000..caf934d --- /dev/null +++ b/ansible/roles/plausible/vars/vault.yml @@ -0,0 +1,16 @@ +$ANSIBLE_VAULT;1.1;AES256 +31656261333332323730306162626265323432313264663230303264623662353065393362616635 +6131376236383233646366663264653663363930653937650a373264623632633130626330343264 +66633064303765323666323162376262636461626563626134613230326635616636386463393931 +6633373864666139310a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