infinite-industries / infinite

MIT License

Manage secrets in ansible. #375

Closed jswank closed 1 year ago

jswank commented 1 year ago

This PR does a few tightly integrated things to support managing secret / non-secret information consistently within ansible:

I added environment specific secrets to the ansible scripts: you can see these in group_vars. The .env files are now created via templates, and the scattering of other environment variables in playbooks and invocations are consolidated.

It is possible to do more consolidation since most of the third party services have the same info for staging & prod. But, because ansible already supports so many places that variables can be defined, I tried to be concise and consistent to make maintenance easier. Here is the differentiation this PR implements:

This branch has been run against staging and all services restarted following execution there. There is a backup of ~/docker-files in production and the branch is safe to run against it.

Using inventory-based variables lends itself to limiting which hosts playbooks operate against using -l <environment> as an invocation mechanism for ansible-playbook rather than using an environment variable as was done previously. All the associated bash scripts have been updated to reflect this. Personally, I'd like to ditch the scripts (or move them to a bin directory) to make the repo easier to navigate. I added a justfile which effectively replaces them.
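The layout the description relies on (per-environment group_vars with secrets kept out of playbooks, .env rendered from a template, playbooks scoped with -l <environment>) makes it easy to commit a plaintext vault file by accident. The script below is an added example, not code from this PR or the infinite repo: it builds a constructed group_vars tree for staging and production, drops in an assumed templates/env.j2, and checks that every group_vars/<env>/vault.yml actually carries the ansible-vault header before anyone runs a playbook. The directory names, variable names and the dummy hex body are assumptions, not real ciphertext.

```shell
#!/bin/sh
# Added example, not part of the PR. Assumes the conventional split:
#   group_vars/<env>/vars.yml   plaintext, non-secret settings
#   group_vars/<env>/vault.yml  ansible-vault encrypted secrets (vault_* names)
#   templates/env.j2            rendered to ~/docker-files/.env by the playbook
# Invocation that the layout is meant for (not run here):
#   ansible-playbook -i inventory -l staging site.yml --ask-vault-pass

# Return 0 if every vault.yml under the given group_vars directory is
# encrypted, 1 if any of them is plaintext (each offender is reported).
check_vault_files() {
    dir="$1"
    rc=0
    for f in "$dir"/*/vault.yml; do
        [ -e "$f" ] || continue
        # ansible-vault output starts with "$ANSIBLE_VAULT;1.1;AES256"
        # (or ";1.2;AES256;<vault-id>" when a vault id is used).
        if head -n 1 "$f" | grep -q '^\$ANSIBLE_VAULT;1\.[12];AES256'; then
            :
        else
            echo "plaintext vault file: $f" >&2
            rc=1
        fi
    done
    return $rc
}

# Build two constructed trees under a temp dir and print its path:
#   good/  both environments have an encrypted vault.yml
#   bad/   production's vault.yml was committed in plaintext
make_fixture() {
    root=$(mktemp -d)
    for e in staging production; do
        mkdir -p "$root/good/group_vars/$e" "$root/bad/group_vars/$e"
        printf 'env_name: %s\ndb_user: infinite\n' "$e" \
            > "$root/good/group_vars/$e/vars.yml"
        cp "$root/good/group_vars/$e/vars.yml" "$root/bad/group_vars/$e/vars.yml"
        # Constructed header plus dummy hex body; not real ciphertext.
        printf '$ANSIBLE_VAULT;1.1;AES256\n3630636265663832\n' \
            > "$root/good/group_vars/$e/vault.yml"
    done
    cp "$root/good/group_vars/staging/vault.yml" "$root/bad/group_vars/staging/vault.yml"
    printf 'vault_db_password: hunter2\n' > "$root/bad/group_vars/production/vault.yml"

    # Assumed template: secrets are only ever referenced through vault_* names,
    # so a plaintext .env never has to live in the repo.
    mkdir -p "$root/good/templates"
    cat > "$root/good/templates/env.j2" <<'EOF'
# rendered to ~/docker-files/.env; values come from group_vars/<env>/
DB_USER={{ db_user }}
DB_PASSWORD={{ vault_db_password }}
EOF
    printf '%s\n' "$root"
}

demo() {
    root=$(make_fixture)
    check_vault_files "$root/good/group_vars" && echo "good tree: all vault files encrypted"
    check_vault_files "$root/bad/group_vars" || echo "bad tree: refusing to run playbooks"
    rm -rf "$root"
}

demo
```

Wiring check_vault_files into the justfile recipe (or a pre-commit hook) before the ansible-playbook call gives the "-l <environment>" workflow a cheap guard: a vault.yml that decrypts fine locally but was saved back in plaintext is caught before it reaches a host.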

chriswininger commented 1 year ago

Maybe we can add some comments to the readme pointing to docs on some of these different things: ansible-vault, j3, just, ansible.

These all seem like good things that make it easier to tell a clean story with the commands, but they also add a bit to the number of things someone new will need to learn before they can effectively make changes to this layer, something to keep in mind. I'm not overly concerned though. I just think a few links might help call out what's in use and what you should familiarize yourself with.