Digitalboard/reference-ansible
6
1
Fork 0
Code Pull requests Activity Actions

chore: start modeling gymburgdorf demo and test bao secret lookup

Browse source 
Signed-off-by: Bert-Jan Fikse <bert-jan@whatwedo.ch>
This commit is contained in:
Bert-Jan Fikse 2026-04-10 17:23:41 +02:00
parent bcb75ed078
commit 2f9f7e61f9
Signed by: bert-jan
GPG key ID: C1E0AB516AC16D1A
8 changed files with 28 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

6
Makefile
View file

@ -1,6 +1,12 @@
export BAO_ADDR=https://bao.digitalboard.ch
install:
ansible-galaxy collection install -r requirements.yml -p collections
bao:
bao login -method=oidc -path=Digitalboard role=default
$(eval export VAULT_TOKEN=$(shell bao print token))
ping_demo:
echo "# pinging demo-gymburgdorf"
ansible all -i inventories/demo-gymburgdorf/hosts.yml -m ping || true

9
README.md
View file

@ -4,14 +4,11 @@
### Secrets
Secrets are managed using [OpenBao](https://bao.digitalboard.ch).
Download the CLI binary once (not checked in):
```bash
curl -L https://github.com/openbao/openbao/releases/latest/download/bao_linux_amd64 -o ./bao && chmod +x ./bao
```
The bao CLI needs to be installed. e.g `sudo pacman -S openbao python-hvac`
Authenticate and export token before running playbooks:
```bash
export BAO_ADDR=https://bao.digitalboard.ch
./bao login -method=oidc -path=Digitalboard
export VAULT_TOKEN=$(./bao print token)
bao login -method=oidc -path=Digitalboard
export VAULT_TOKEN=$(bao print token)
```

1
inventories/demo-gymburgdorf/group_vars/all/docker.yml Normal file
View file

@ -0,0 +1 @@
docker_registry_mirrors: ["https://registry-mirror.wksbern.ch"]

2
inventories/demo-gymburgdorf/group_vars/all/vault.yml Normal file
View file

@ -0,0 +1,2 @@
vault_addr: "https://bao.digitalboard.ch"
vault_mount: "demo-gymburgdorf"

1
inventories/demo-gymburgdorf/group_vars/backend_servers/traefik.yml Normal file
View file

@ -0,0 +1 @@
traefik_mode: backend

13
inventories/demo-gymburgdorf/group_vars/traefik_servers/traefik.yml Normal file
View file

@ -0,0 +1,13 @@
_acme_tsig: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount + '/data/acme-tsig', url=vault_addr ) }}"
traefik_use_ssl: true
traefik_cert_mode: "acme"
traefik_log_level: DEBUG
traefik_network: proxy
traefik_acme_dns_zone: "gymb._acme.digitalboard.ch"
traefik_acme_dns_nameserver: "{{ _acme_tsig.server }}"
traefik_acme_tsig_algorithm: "hmac-sha256"
traefik_acme_tsig_key: "{{ _acme_tsig.tsig_key }}"
traefik_acme_tsig_secret: "{{ _acme_tsig.tsig_secret }}"

1
inventories/demo-gymburgdorf/host_vars/reverseproxy/traefik.yml Normal file
View file

@ -0,0 +1 @@
traefik_mode: dmz

1
inventories/demo-gymburgdorf/hosts.yml
View file

@ -22,6 +22,7 @@ all:
backend_servers:
hosts:
application:
storage:
garage_servers:
hosts: