diff --git a/docs/services/infisical.md b/docs/services/infisical.md
new file mode 100644
index 0000000..aac4486
--- /dev/null
+++ b/docs/services/infisical.md
@@ -0,0 +1,64 @@
+# Infisical
+
+[Infisical](https://infisical.com/) is an open-source end-to-end encrypted platform for securely managing secrets and configs across your team, devices, and infrastructure.
+
+
+## Dependencies
+
+This service requires the following other services:
+
+- a [MongoDB](mongodb.md) document-oriented database server
+- a [Traefik](traefik.md) reverse-proxy server
+
+
+## Configuration
+
+To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
+
+```yaml
+########################################################################
+# #
+# infisical #
+# #
+########################################################################
+
+infisical_enabled: true
+
+infisical_hostname: infisical.example.com
+
+# Generate this with: `openssl rand -hex 16`
+infisical_backend_environment_variable_encryption_key: ''
+
+# WARNING: uncomment this after creating your first user account,
+# unless you'd like to run a server with public registration enabled.
+# infisical_backend_environment_variable_invite_only_signup: true
+
+########################################################################
+# #
+# /infisical #
+# #
+########################################################################
+```
+
+
+### URL
+
+In the example configuration above, we configure the service to be hosted at `https://infisical.example.com`.
+
+Hosting Infisical under a subpath (by configuring the `infisical_path_prefix` variable) does not seem to be possible right now, due to Infisical limitations.
+
+
+### Authentication
+
+Public registration can be enabled/disabled using the `infisical_backend_environment_variable_invite_only_signup` variable.
+
+We recommend installing with public registration enabled at first (which is the default value for this variable), creating your first user account, and then disabling public registration by explicitly setting `infisical_backend_environment_variable_invite_only_signup` to `true`.
+
+
+## Usage
+
+After installation, you can go to the Infisical URL, as defined in `infisical_hostname`.
+
+As mentioned in [Authentication](#authentication) above, you can create the first user from the web interface.
+
+If you'd like to prevent other users from registering, consider disabling public registration by explicitly setting `infisical_backend_environment_variable_invite_only_signup` variable to `true` in your configuration and re-running the playbook (`just install-service infisical`).
diff --git a/docs/supported-services.md b/docs/supported-services.md
index 25025a0..26222eb 100644
--- a/docs/supported-services.md
+++ b/docs/supported-services.md
@@ -19,6 +19,7 @@
 | [Grafana](https://grafana.com/) | An open and composable observability and data visualization platform, often used with [Prometheus](services/prometheus.md) | [Link](services/grafana.md) |
 | [Healthchecks](https://healthchecks.io/) | A simple and Effective Cron Job Monitoring solution | [Link](services/healthchecks.md) |
 | [Hubsite](https://github.com/moan0s/hubsite) | A simple, static site that shows an overview of the available services | [Link](services/hubsite.md) |
+| [Infisical](https://infisical.com/) | An open-source end-to-end encrypted platform for securely managing secrets and configs across your team, devices, and infrastructure. | [Link](services/infisical.md) |
 | [Jitsi](https://jitsi.org/) | A fully encrypted, 100% Open Source video conferencing solution | [Link](services/jitsi.md) |
 | [Keycloak](https://www.keycloak.org/) | An open source identity and access management solution. | [Link](services/keycloak.md) |
 | [Lago](https://www.getlago.com/) | Open-source metering and usage-based billing | [Link](services/lago.md) |
diff --git a/group_vars/mash_servers b/group_vars/mash_servers
index c03411c..ece9d0b 100644
--- a/group_vars/mash_servers
+++ b/group_vars/mash_servers
@@ -119,6 +119,10 @@ devture_systemd_service_manager_services_list_auto: |
 +
 ([{'name': (healthchecks_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'healthchecks']}] if healthchecks_enabled else [])
 +
+ ([{'name': (infisical_identifier + '-backend.service'), 'priority': 2000, 'groups': ['mash', 'infisical', 'infisical-backend']}] if infisical_enabled else [])
+ +
+ ([{'name': (infisical_identifier + '-frontend.service'), 'priority': 2000, 'groups': ['mash', 'infisical', 'infisical-frontend']}] if infisical_enabled else [])
+ +
 ([{'name': (jitsi_identifier + '-web.service'), 'priority': 4200, 'groups': ['mash', 'jitsi', 'jitsi-web']}] if jitsi_enabled else [])
 +
 ([{'name': (jitsi_identifier + '-prosody.service'), 'priority': 4000, 'groups': ['mash', 'jitsi', 'jitsi-prosody']}] if jitsi_enabled else [])
@@ -1384,6 +1388,70 @@ hubsite_service_list_auto: |
+########################################################################
+# #
+# infisical #
+# #
+########################################################################
+
+infisical_enabled: false
+
+infisical_identifier: "{{ mash_playbook_service_identifier_prefix }}infisical"
+
+infisical_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}infisical"
+
+infisical_uid: "{{ mash_playbook_uid }}"
+infisical_gid: "{{ mash_playbook_gid }}"
+
+infisical_backend_systemd_required_services_list: |
+ {{
+ (['docker.service'])
+ +
+ ([mongodb_identifier ~ '.service'] if mongodb_enabled and infisical_mongodb_hostname == mongodb_identifier else [])
+ }}
+
+infisical_backend_container_additional_networks: |
+ {{
+ ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
+ +
+ ([mongodb_container_network] if mongodb_enabled and infisical_mongodb_hostname == mongodb_identifier and infisical_backend_container_network != mongodb_container_network else [])
+ }}
+
+infisical_backend_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}"
+infisical_backend_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
+infisical_backend_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
+infisical_backend_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
+
+# Intentionally not auto-generating infisical_backend_environment_variable_encryption_key here.
+# We prefer it to be explicit as it seems important that it remains stable.
+
+infisical_backend_environment_variable_jwt_signup_secret: "{{ ('%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'inf.jwt.signup', rounds=655555) | to_uuid | replace('-', ''))[0:32] }}"
+infisical_backend_environment_variable_jwt_refresh_secret: "{{ ('%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'inf.jwt.r', rounds=655555) | to_uuid | replace('-', ''))[0:32] }}"
+infisical_backend_environment_variable_jwt_auth_secret: "{{ ('%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'inf.jwt.a', rounds=655555) | to_uuid | replace('-', ''))[0:32] }}"
+infisical_backend_environment_variable_jwt_service_secret: "{{ ('%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'inf.jwt.svc', rounds=655555) | to_uuid | replace('-', ''))[0:32] }}"
+
+infisical_frontend_container_additional_networks: |
+ {{
+ ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
+ }}
+
+infisical_frontend_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}"
+infisical_frontend_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
+infisical_frontend_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
+infisical_frontend_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
+
+infisical_mongodb_hostname: "{{ mongodb_identifier if mongodb_enabled else '' }}"
+infisical_mongodb_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'infisical.db', rounds=655555) | to_uuid }}"
+infisical_mongodb_auth_source: "{{ infisical_mongodb_db_name }}"
+
+########################################################################
+# #
+# /infisical #
+# #
+########################################################################
+
+
+
 ########################################################################
 # #
 # jitsi #
@@ -1637,7 +1705,14 @@ mongodb_gid: "{{ mash_playbook_gid }}"
 mongodb_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}mongodb"
-mongodb_managed_databases_auto: []
+mongodb_managed_databases_auto: |
+ {{
+ ([{
+ 'name': infisical_mongodb_db_name,
+ 'username': infisical_mongodb_username,
+ 'password': infisical_mongodb_password,
+ }] if infisical_enabled and infisical_mongodb_hostname == mongodb_identifier else [])
+ }}
 ########################################################################
 # #
diff --git a/requirements.yml b/requirements.yml
index 20c57b7..08b094c 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -80,6 +80,9 @@
 - src: git+https://github.com/moan0s/hubsite.git
 version: v1.23.3-2
 name: hubsite
+- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-infisical.git
+ version: v0.3.8-0
+ name: infisical
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
 version: v8615-0
 name: jitsi
diff --git a/setup.yml b/setup.yml
index 0239eea..8534cbf 100644
--- a/setup.yml
+++ b/setup.yml
@@ -90,6 +90,8 @@
 - role: galaxy/healthchecks
+ - role: galaxy/infisical
+
 - role: galaxy/hubsite
 - role: galaxy/jitsi
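Review bot: The comment `# Intentionally not auto-generating infisical_backend_environment_variable_encryption_key here.` in the middle of the infisical group_vars hunk explains the omission, but nothing in the block declares the variable, so an operator who skips the `vars.yml` step falls through to whatever the role's default is — the role is not visible here, so whether that default is rejected by the role or silently starts the backend with an empty key is unconfirmed. Declaring it next to that comment as `infisical_backend_environment_variable_encryption_key: ''` with the guidance the new docs already give, `# Must be set explicitly in vars.yml; generate with: openssl rand -hex 16`, keeps the group_vars self-describing and gives the role a defined value to validate against. On the four `..._jwt_*_secret` lines the trailing `[0:32]` slice is a no-op, since a UUID with its dashes removed is already exactly 32 characters; dropping it, or commenting that it only guards the length, makes the derivation easier to audit. Because every Infisical secret here is derived from `mash_playbook_generic_secret_key` with a fixed salt (`inf.jwt.signup`, `inf.jwt.r`, `inf.jwt.a`, `inf.jwt.svc`, `infisical.db`), a short comment above the first derivation noting that those salt strings must stay stable — changing one presumably invalidates tokens or credentials issued under the old value — would protect future edits.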