digitalboard.core/roles/ess_pro_compose/tasks/secrets.yml

# SPDX-License-Identifier: MIT-0
---
# Generate the ess-generated secret bundle. Mirrors the chart's `init-secrets`
# job, but runs locally on the host. Idempotent — only writes missing files.

- name: Render generate-secrets script
  ansible.builtin.template:
    src: generate-secrets.py.j2
    dest: "{{ ess_compose_dir }}/.generate-secrets.py"
    mode: "0700"

- name: Run generate-secrets (creates only what's missing)
  ansible.builtin.command:
    cmd: "/usr/bin/python3 {{ ess_compose_dir }}/.generate-secrets.py"
  register: ess_secrets_run
  changed_when: "'CREATED:' in ess_secrets_run.stdout"

- name: Verify every required secret exists
  ansible.builtin.stat:
    path: "{{ ess_compose_secrets_dir }}/{{ item }}"
  register: ess_secret_stat
  loop: "{{ _ess_secret_names }}"
  failed_when: not ess_secret_stat.stat.exists

- name: Read postgres passwords for config templates (not persisted)
  ansible.builtin.slurp:
    src: "{{ ess_compose_secrets_dir }}/{{ item }}"
  register: ess_password_slurp
  loop:
    - POSTGRES_ADMIN_PASSWORD
    - POSTGRES_SYNAPSE_PASSWORD
    - POSTGRES_MATRIX_AUTHENTICATION_SERVICE_PASSWORD
    - SYNAPSE_MACAROON
    - SYNAPSE_REGISTRATION_SHARED_SECRET
    - SYNAPSE_WORKERS_REPLICATION_SECRET
    - MAS_SYNAPSE_SHARED_SECRET
    - MAS_MATRIX_TOOLS_OIDC_CLIENT_SECRET
    - ELEMENT_CALL_LIVEKIT_SECRET
  no_log: true

- name: Expose passwords as facts for templates
  ansible.builtin.set_fact:
    _ess_secrets: "{{ _ess_secrets | default({}) | combine({item.item: (item.content | b64decode).strip()}) }}"
  loop: "{{ ess_password_slurp.results }}"
  loop_control:
    label: "{{ item.item }}"
  no_log: true