Add webhook secrets

Author: QuLogic

README.md

@@ -56,8 +56,8 @@ prerequisites:
 * Create a DigitalOcean API token, and pass it to the inventory generator by
   setting the `DO_API_TOKEN` environment variable.
 * Set the vault decryption password of the ansible vaulted file with our
-  secrets. This may be done by setting the `VAULT_PASSWORD` environment
-  variable.
+  secrets. This may be done by setting the `ANSIBLE_VAULT_PASSWORD_FILE`
+  environment variable to point to a file containing the password.
 * Download all the collections the playbooks depend on with the following
   command:
   ```

files/webhook_vars.yml

@@ -0,0 +1,40 @@
+$ANSIBLE_VAULT;1.1;AES256
+65306563353430353163613637333436323338303765623138396631353762623635333537336134
+3430356337646531623632666139343735336131333963620a303065316365336335383438393236
+61633337643735376163356430616665353361656366616363303362373635393632383331323330
+3737623137626338360a373635623564306330643565643537666465666264346366333263663839
+33316437643434373734626335623165373837346533316234366331383333646436613538643533
+38623036653735326461366637386530313765356431616536316164376636626635623030343436
+31313338346538336136343134383864303536386662613230333937653266386363343236303465
+32363666343332666534326562313535613463613435653565343031643737666163333662363838
+62363238653866313231613739343834633835336235376531383031623137663933656439663639
+31633766663862643465653530626431366431663331323634346230646233623731393136343164
+62666534613538393366366233633939386132343466373263333962363335313031613665386534
+38383530646664306230396331393561623034343637616434376230343436653839643031313835
+66323530396334303761386666353039313161616435333031336262363239303836393738323065
+32396430373530383833366564643838643566626332396537326433316163356461363134663934
+39393830613538303061353637343533386466343632663961333130363336333461333865326635
+32346633396233313732613438383563636666643931306637393335626266373430373339326434
+35646532623166383133623530656566616537376162336430666265336336326631663434346632
+61343438353763346135383730623638623639333631663738623734393538373064306565363561
+35346134623830373465326365313233656235373536333731363530323435656166346539623863
+62633062386534663735613532343930353937613136636134623739336165373664383035653930
+30636564353837356130303465393139626235363233623862353037653839303363666465346335
+35316132306130383336353231383661663266636665393231363732653364336136326131376232
+34613337373533613964326334653064383335393964343132366361333838656435653234653635
+37303563333637373536656163356233353162313933643933353861313362323735343630313636
+32636466626237623333303530663333653830393862376535623162373734336665323164383362
+32353038663630356662636530613365323335323466643463393761623162363765333131353733
+33646663353031333534616662333734356666663033613430373462646161373030623737386538
+66616635346464653432636238663832343038643065376564373233303430313035386234353132
+33646562363733356531346134616233353666386664326132396231666464393638356438343366
+30306432346334633635323831333266316532393366376364323833366264306235613737643139
+65613065656136643534316163663934383635373335363138383536393962613539303663303438
+63616465626666373864373561393336303538333564303631636331393733303832306231323362
+39393238616664623364636537643433346562393463346363316336633464383333643035653165
+32306637323234623439303866373731623863383962313761363837313138386262616334623439
+36313433353565663963356631373564613766613931313138663532646563363533333134393735
+39323832613465306263383465383736633937306566303233343534303632656436636463333638
+35353234633137353634363837333532336461303231333338376565623632383631646665613532
+65633237373237653533636165326237643665643264323236323337363535626230363330393363
+613963376332656365373633646339373033

templates/webhook.env.j2

@@ -0,0 +1,4 @@
+SITE_DIR=/usr/share/caddy
+{%  for site, secret in webhook_secrets.items() %}
+WEBHOOK_{{ site | upper | replace('.', '_') | replace('-', '_') }}_SECRET={{secret}}
+{% endfor %}

website.yml

@@ -1,5 +1,7 @@
 ---
 - hosts: website
+  vars_files:
+    - files/webhook_vars.yml
   tasks:
     # Installation tasks
     # ##################
@@ -159,8 +161,8 @@
         - Restart webhook
 
     - name: Configure webhook secrets
-      ansible.builtin.copy:
-        content: "SITE_DIR=/usr/share/caddy"
+      ansible.builtin.template:
+        src: webhook.env.j2
         dest: /etc/caddy/webhook.env
         mode: 0644
       notify: