fix: update ansible playbooks and scripts to use new vault references

2025-07-15 21:43:13 +00:00
parent fec97c7e82
commit 464ced8e6b
13 changed files with 117 additions and 111 deletions
--- a/bin/actions/secrets.py
+++ b/bin/actions/secrets.py
@@ -17,7 +17,7 @@ def get_password():

    # Try to get the password
    success, output = run_command(
-        [op_cmd, "read", "op://j7nmhqlsjmp2r6umly5t75hzb4/Dotfiles Secrets/password"]
+        [op_cmd, "read", "op://Dotfiles/Dotfiles Secrets/password"]
    )

    if not success:
--- a/config/ansible/caddy-playbook.yml
+++ b/config/ansible/caddy-playbook.yml
@@ -19,7 +19,7 @@

      - name: Get Caddy email from 1Password
        ansible.builtin.set_fact:
-            caddy_email: "{{ lookup('community.general.onepassword', 'qwvcr4cuumhqh3mschv57xdqka', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='email') }}"
+            caddy_email: "{{ lookup('community.general.onepassword', 'Caddy (Proxy)', vault='Dotfiles', field='email') }}"
        ignore_errors: true
        tags:
            - caddy
--- a/config/ansible/tasks/servers/juicefs.yml
+++ b/config/ansible/tasks/servers/juicefs.yml
@@ -1,90 +1,94 @@
 ---
- name: Check if JuiceFS is already installed
-  ansible.builtin.command: which juicefs
-  register: juicefs_check
-  ignore_errors: true
-  changed_when: false
+- name: JuiceFS Installation and Configuration
+  block:
+    - name: Check if JuiceFS is already installed
+      ansible.builtin.command: which juicefs
+      register: juicefs_check
+      ignore_errors: true
+      changed_when: false

- name: Install JuiceFS using the automatic installer
-  ansible.builtin.shell: curl -sSL https://d.juicefs.com/install | sh -
-  register: juicefs_installation
-  when: juicefs_check.rc != 0
-  become: true
+    - name: Install JuiceFS using the automatic installer
+      ansible.builtin.shell: curl -sSL https://d.juicefs.com/install | sh -
+      register: juicefs_installation
+      when: juicefs_check.rc != 0
+      become: true

- name: Verify JuiceFS installation
-  ansible.builtin.command: juicefs version
-  register: juicefs_version
-  changed_when: false
-  when: juicefs_check.rc != 0 or juicefs_installation.changed
+    - name: Verify JuiceFS installation
+      ansible.builtin.command: juicefs version
+      register: juicefs_version
+      changed_when: false
+      when: juicefs_check.rc != 0 or juicefs_installation.changed

- name: Create mount directory
-  ansible.builtin.file:
-    path: /mnt/object_storage
-    state: directory
-    mode: "0755"
-  become: true
+    - name: Create mount directory
+      ansible.builtin.file:
+        path: /mnt/object_storage
+        state: directory
+        mode: "0755"
+      become: true

- name: Create cache directory
-  ansible.builtin.file:
-    path: /var/jfsCache
-    state: directory
-    mode: "0755"
-  become: true
+    - name: Create cache directory
+      ansible.builtin.file:
+        path: /var/jfsCache
+        state: directory
+        mode: "0755"
+      become: true

- name: Configure JuiceFS network performance optimizations
-  ansible.builtin.sysctl:
-    name: "{{ item.name }}"
-    value: "{{ item.value }}"
-    state: present
-    reload: true
-  become: true
-  loop:
-    - { name: "net.core.rmem_max", value: "16777216" }
-    - { name: "net.core.wmem_max", value: "16777216" }
-    - { name: "net.ipv4.tcp_rmem", value: "4096 87380 16777216" }
-    - { name: "net.ipv4.tcp_wmem", value: "4096 65536 16777216" }
+    - name: Configure JuiceFS network performance optimizations
+      ansible.builtin.sysctl:
+        name: "{{ item.name }}"
+        value: "{{ item.value }}"
+        state: present
+        reload: true
+      become: true
+      loop:
+        - { name: "net.core.rmem_max", value: "16777216" }
+        - { name: "net.core.wmem_max", value: "16777216" }
+        - { name: "net.ipv4.tcp_rmem", value: "4096 87380 16777216" }
+        - { name: "net.ipv4.tcp_wmem", value: "4096 65536 16777216" }

- name: Set JuiceFS facts
-  ansible.builtin.set_fact:
-    hetzner_access_key: "{{ lookup('community.general.onepassword', 'mfk2qgnaplgtk6xmfc3r6w6neq', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='AWS_ACCESS_KEY_ID') }}"
-    hetzner_secret_key:
-      "{{ lookup('community.general.onepassword', 'mfk2qgnaplgtk6xmfc3r6w6neq', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='AWS_SECRET_ACCESS_KEY')
-      }}"
-    redis_password: "{{ lookup('community.general.onepassword', '4cioblm633bdkl6put35lk6ql4', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='password') }}"
+    - name: Set JuiceFS facts
+      ansible.builtin.set_fact:
+        hetzner_access_key: "{{ lookup('community.general.onepassword', 'Hetzner Object Storage Bucket', vault='Dotfiles', field='AWS_ACCESS_KEY_ID') }}"
+        hetzner_secret_key:
+          "{{ lookup('community.general.onepassword', 'Hetzner Object Storage Bucket', vault='Dotfiles', field='AWS_SECRET_ACCESS_KEY')
+          }}"
+        redis_password: "{{ lookup('community.general.onepassword', 'JuiceFS (Redis)', vault='Dotfiles', field='password') }}"

- name: Create JuiceFS systemd service file
-  ansible.builtin.template:
-    src: templates/juicefs.service.j2
-    dest: /etc/systemd/system/juicefs.service
-    owner: root
-    group: root
-    mode: "0644"
-  become: true
+    - name: Create JuiceFS systemd service file
+      ansible.builtin.template:
+        src: templates/juicefs.service.j2
+        dest: /etc/systemd/system/juicefs.service
+        owner: root
+        group: root
+        mode: "0644"
+      become: true

- name: Reload systemd daemon
-  ansible.builtin.systemd:
-    daemon_reload: true
-  become: true
+    - name: Reload systemd daemon
+      ansible.builtin.systemd:
+        daemon_reload: true
+      become: true

- name: Include JuiceFS Redis tasks
-  ansible.builtin.include_tasks: services/redis/redis.yml
-  when: inventory_hostname == 'mennos-cloud-server'
+    - name: Include JuiceFS Redis tasks
+      ansible.builtin.include_tasks: services/redis/redis.yml
+      when: inventory_hostname == 'mennos-cloud-server'

- name: Enable and start JuiceFS service
-  ansible.builtin.systemd:
-    name: juicefs.service
-    enabled: true
-    state: started
-  become: true
+    - name: Enable and start JuiceFS service
+      ansible.builtin.systemd:
+        name: juicefs.service
+        enabled: true
+        state: started
+      become: true

- name: Check if JuiceFS is mounted
-  ansible.builtin.shell: df -h | grep /mnt/object_storage
-  become: true
-  register: mount_check
-  ignore_errors: true
-  changed_when: false
+    - name: Check if JuiceFS is mounted
+      ansible.builtin.shell: df -h | grep /mnt/object_storage
+      become: true
+      register: mount_check
+      ignore_errors: true
+      changed_when: false

- name: Display mount status
-  ansible.builtin.debug:
-    msg: "JuiceFS is successfully mounted at /mnt/object_storage"
-  when: mount_check.rc == 0
+    - name: Display mount status
+      ansible.builtin.debug:
+        msg: "JuiceFS is successfully mounted at /mnt/object_storage"
+      when: mount_check.rc == 0
+  tags:
+    - juicefs
--- a/config/ansible/tasks/servers/server.yml
+++ b/config/ansible/tasks/servers/server.yml
@@ -10,6 +10,8 @@

    - name: Include JuiceFS tasks
      ansible.builtin.include_tasks: juicefs.yml
+      tags:
+        - juicefs

    - name: Include service tasks
      ansible.builtin.include_tasks: "services/{{ item.name }}/{{ item.name }}.yml"
--- a/config/ansible/tasks/servers/services/caddy/caddy.yml
+++ b/config/ansible/tasks/servers/services/caddy/caddy.yml
@@ -6,7 +6,7 @@
            caddy_service_dir: "{{ ansible_env.HOME }}/services/caddy"
            caddy_data_dir: "{{ '/mnt/services/caddy' if inventory_hostname == 'mennos-server' else '/mnt/object_storage/services/caddy' }}"
            geoip_db_path: "{{ '/mnt/services/echoip' if inventory_hostname == 'mennos-server' else '/mnt/object_storage/services/echoip' }}"
-            caddy_email: "{{ lookup('community.general.onepassword', 'qwvcr4cuumhqh3mschv57xdqka', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='email') }}"
+            caddy_email: "{{ lookup('community.general.onepassword', 'Caddy (Proxy)', vault='Dotfiles', field='email') }}"

      - name: Create Caddy directory
        ansible.builtin.file:
--- a/config/ansible/tasks/servers/services/downloaders/docker-compose.yml.j2
+++ b/config/ansible/tasks/servers/services/downloaders/docker-compose.yml.j2
@@ -19,10 +19,10 @@ services:
    environment:
      - PUID=1000
      - PGID=100
-      - VPN_SERVICE_PROVIDER={{ lookup('community.general.onepassword', 'qm7lxjrv2ctgzsjuwtolxpd5i4', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='VPN_SERVICE_PROVIDER') }}
-      - OPENVPN_USER={{ lookup('community.general.onepassword', 'qm7lxjrv2ctgzsjuwtolxpd5i4', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='OPENVPN_USER') }}
-      - OPENVPN_PASSWORD={{ lookup('community.general.onepassword', 'qm7lxjrv2ctgzsjuwtolxpd5i4', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='OPENVPN_PASSWORD') }}
-      - SERVER_COUNTRIES={{ lookup('community.general.onepassword', 'qm7lxjrv2ctgzsjuwtolxpd5i4', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='SERVER_COUNTRIES') }}
+      - VPN_SERVICE_PROVIDER={{ lookup('community.general.onepassword', 'Gluetun', vault='Dotfiles', field='VPN_SERVICE_PROVIDER') }}
+      - OPENVPN_USER={{ lookup('community.general.onepassword', 'Gluetun', vault='Dotfiles', field='OPENVPN_USER') }}
+      - OPENVPN_PASSWORD={{ lookup('community.general.onepassword', 'Gluetun', vault='Dotfiles', field='OPENVPN_PASSWORD') }}
+      - SERVER_COUNTRIES={{ lookup('community.general.onepassword', 'Gluetun', vault='Dotfiles', field='SERVER_COUNTRIES') }}
    restart: always

  sabnzbd:
--- a/config/ansible/tasks/servers/services/echoip/echoip.yml
+++ b/config/ansible/tasks/servers/services/echoip/echoip.yml
@@ -5,10 +5,10 @@
      ansible.builtin.set_fact:
        echoip_service_dir: "{{ ansible_env.HOME }}/services/echoip"
        echoip_data_dir: "{{ '/mnt/services/echoip' if inventory_hostname == 'mennos-server' else '/mnt/object_storage/services/echoip' }}"
-        maxmind_account_id: "{{ lookup('community.general.onepassword', 'finpwvqp6evflzjcsnwge74n34',
-          vault='j7nmhqlsjmp2r6umly5t75hzb4', field='account_id') | regex_replace('\\s+', '') }}"
-        maxmind_license_key: "{{ lookup('community.general.onepassword', 'finpwvqp6evflzjcsnwge74n34',
-          vault='j7nmhqlsjmp2r6umly5t75hzb4', field='license_key') | regex_replace('\\s+', '') }}"
+        maxmind_account_id: "{{ lookup('community.general.onepassword', 'MaxMind',
+          vault='Dotfiles', field='account_id') | regex_replace('\\s+', '') }}"
+        maxmind_license_key: "{{ lookup('community.general.onepassword', 'MaxMind',
+          vault='Dotfiles', field='license_key') | regex_replace('\\s+', '') }}"

    - name: Create EchoIP directory
      ansible.builtin.file:
--- a/config/ansible/tasks/servers/services/gitea/docker-compose.yml.j2
+++ b/config/ansible/tasks/servers/services/gitea/docker-compose.yml.j2
@@ -23,7 +23,7 @@ services:
      - PUID=1000
      - PGID=100
      - POSTGRES_USER=gitea
-      - POSTGRES_PASSWORD={{ lookup('community.general.onepassword', '4gnclyzztfgqq7yxa3ctxs6tey', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='POSTGRES_PASSWORD') }}
+      - POSTGRES_PASSWORD={{ lookup('community.general.onepassword', 'Gitea', vault='Dotfiles', field='POSTGRES_PASSWORD') }}
      - POSTGRES_DB=gitea
    volumes:
      - {{gitea_data_dir}}/postgres:/var/lib/postgresql/data
@@ -40,7 +40,7 @@ services:
      - PUID=1000
      - PGID=100
      - GITEA_INSTANCE_URL=https://git.mvl.sh
-      - GITEA_RUNNER_REGISTRATION_TOKEN={{ lookup('community.general.onepassword', '4gnclyzztfgqq7yxa3ctxs6tey', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='GITEA_RUNNER_REGISTRATION_TOKEN') }}
+      - GITEA_RUNNER_REGISTRATION_TOKEN={{ lookup('community.general.onepassword', 'Gitea', vault='Dotfiles', field='GITEA_RUNNER_REGISTRATION_TOKEN') }}
      - GITEA_RUNNER_NAME=act-worker
      - CONFIG_FILE=/config.yaml
    restart: always
--- a/config/ansible/tasks/servers/services/golink/docker-compose.yml.j2
+++ b/config/ansible/tasks/servers/services/golink/docker-compose.yml.j2
@@ -4,7 +4,7 @@ services:
    image: ghcr.io/tailscale/golink:main
    user: root
    environment:
-      - TS_AUTHKEY={{ lookup('community.general.onepassword', '4gsgavajnxfpcrjvbkqhoc4drm', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='TS_AUTHKEY') }}
+      - TS_AUTHKEY={{ lookup('community.general.onepassword', 'GoLink', vault='Dotfiles', field='TS_AUTHKEY') }}
    volumes:
      - {{ golink_data_dir }}:/home/nonroot
    restart: "unless-stopped"
--- a/config/ansible/tasks/servers/services/karakeep/dotenv.j2
+++ b/config/ansible/tasks/servers/services/karakeep/dotenv.j2
@@ -10,6 +10,6 @@ TZ=Europe/Amsterdam
 PUID=1000
 PGID=100

-NEXTAUTH_SECRET="{{ lookup('community.general.onepassword', 'osnzlfidxonvetmomdgn7vxu5a', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='NEXTAUTH_SECRET') }}"
-MEILI_MASTER_KEY="{{ lookup('community.general.onepassword', 'osnzlfidxonvetmomdgn7vxu5a', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='MEILI_MASTER_KEY') }}"
-OPENAI_API_KEY="{{ lookup('community.general.onepassword', 'osnzlfidxonvetmomdgn7vxu5a', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='OPENAI_API_KEY') }}"
+NEXTAUTH_SECRET="{{ lookup('community.general.onepassword', 'Kara Keep', vault='Dotfiles', field='NEXTAUTH_SECRET') }}"
+MEILI_MASTER_KEY="{{ lookup('community.general.onepassword', 'Kara Keep', vault='Dotfiles', field='MEILI_MASTER_KEY') }}"
+OPENAI_API_KEY="{{ lookup('community.general.onepassword', 'Kara Keep', vault='Dotfiles', field='OPENAI_API_KEY') }}"
--- a/config/ansible/tasks/servers/services/redis/redis.yml
+++ b/config/ansible/tasks/servers/services/redis/redis.yml
@@ -4,7 +4,7 @@
    - name: Set Redis facts
      ansible.builtin.set_fact:
        redis_service_dir: "{{ ansible_env.HOME }}/services/juicefs-redis"
-        redis_password: "{{ lookup('community.general.onepassword', '4cioblm633bdkl6put35lk6ql4', vault='j7nmhqlsjmp2r6umly5t75hzb4', field='password') }}"
+        redis_password: "{{ lookup('community.general.onepassword', 'JuiceFS (Redis)', vault='Dotfiles', field='password') }}"

    - name: Create Redis service directory
      ansible.builtin.file:
--- a/config/ansible/tasks/servers/services/seafile/seafile.yml
+++ b/config/ansible/tasks/servers/services/seafile/seafile.yml
@@ -22,26 +22,26 @@
        # Database settings
        seafile_mysql_db_host: "db"
        seafile_mysql_root_password: >
-          {{ lookup('community.general.onepassword', 'bbzudwdo3byqs4pscd2wy7qsn4',
-              vault='j7nmhqlsjmp2r6umly5t75hzb4', field='MYSQL_ROOT_PASSWORD') }}
+          {{ lookup('community.general.onepassword', 'Seafile',
+              vault='Dotfiles', field='MYSQL_ROOT_PASSWORD') }}
        seafile_mysql_db_user: "seafile"
        seafile_mysql_db_password: >
-          {{ lookup('community.general.onepassword', 'bbzudwdo3byqs4pscd2wy7qsn4',
-            vault='j7nmhqlsjmp2r6umly5t75hzb4', field='MYSQL_PASSWORD') }}
+          {{ lookup('community.general.onepassword', 'Seafile',
+            vault='Dotfiles', field='MYSQL_PASSWORD') }}

        # Server settings
        time_zone: "Europe/Amsterdam"
        jwt_private_key: >
-          {{ lookup('community.general.onepassword', 'bbzudwdo3byqs4pscd2wy7qsn4',
-            vault='j7nmhqlsjmp2r6umly5t75hzb4', field='jwt_private_key') }}
+          {{ lookup('community.general.onepassword', 'Seafile',
+            vault='Dotfiles', field='jwt_private_key') }}
        seafile_server_hostname: "sf.mvl.sh"
        seafile_server_protocol: "https"

        # Admin credentials
        seafile_admin_email: "menno@vleeuwen.me"
        seafile_admin_password: >
-          {{ lookup('community.general.onepassword', 'bbzudwdo3byqs4pscd2wy7qsn4',
-            vault='j7nmhqlsjmp2r6umly5t75hzb4', field='password') }}
+          {{ lookup('community.general.onepassword', 'Seafile',
+            vault='Dotfiles', field='password') }}

    - name: Create Seafile directories
      ansible.builtin.file:
--- a/config/home-manager/flake.lock
+++ b/config/home-manager/flake.lock
@@ -7,11 +7,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1752391422,
+        "lastModified": 1752544374,
        "narHash": "sha256-ReX0NG6nIAEtQQjLqeu1vUU2jjZuMlpymNtb4VQYeus=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "c26266790678863cce8e7460fdbf0d80991b1906",
+        "rev": "2e00ed310c218127e02ffcf28ddd4e0f669fde3e",
        "type": "github"
      },
      "original": {
@@ -23,11 +23,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1752308619,
-        "narHash": "sha256-pzrVLKRQNPrii06Rm09Q0i0dq3wt2t2pciT/GNq5EZQ=",
+        "lastModified": 1752436162,
+        "narHash": "sha256-Kt1UIPi7kZqkSc5HVj6UY5YLHHEzPBkgpNUByuyxtlw=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "650e572363c091045cdbc5b36b0f4c1f614d3058",
+        "rev": "dfcd5b901dbab46c9c6e80b265648481aafb01f8",
        "type": "github"
      },
      "original": {
@@ -39,11 +39,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1751984180,
-        "narHash": "sha256-LwWRsENAZJKUdD3SpLluwDmdXY9F45ZEgCb0X+xgOL0=",
+        "lastModified": 1752480373,
+        "narHash": "sha256-JHQbm+OcGp32wAsXTE/FLYGNpb+4GLi5oTvCxwSoBOA=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "9807714d6944a957c2e036f84b0ff8caf9930bc0",
+        "rev": "62e0f05ede1da0d54515d4ea8ce9c733f12d9f08",
        "type": "github"
      },
      "original": {