Add support for Infisical

Slavi Pantaleev 2023-06-02 17:50:15 +03:00
parent ab033ac3ec
commit c8bdc1f744
5 changed files with 146 additions and 1 deletions


@ -0,0 +1,64 @@
# Infisical
[Infisical](https://infisical.com/) is an open-source end-to-end encrypted platform for securely managing secrets and configs across your team, devices, and infrastructure.
## Dependencies
This service requires the following other services:
- a [MongoDB](mongodb.md) document-oriented database server
- a [Traefik](traefik.md) reverse-proxy server
## Configuration
To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
```yaml
########################################################################
# #
# infisical #
# #
########################################################################
infisical_enabled: true
infisical_hostname: infisical.example.com
# Generate this with: `openssl rand -hex 16`
infisical_backend_environment_variable_encryption_key: ''
# WARNING: uncomment this after creating your first user account,
# unless you'd like to run a server with public registration enabled.
# infisical_backend_environment_variable_invite_only_signup: true
########################################################################
# #
# /infisical #
# #
########################################################################
```
### URL
In the example configuration above, we configure the service to be hosted at `https://infisical.example.com`.
Hosting Infisical under a subpath (by configuring the `infisical_path_prefix` variable) does not seem to be possible right now, due to Infisical limitations.
### Authentication
Public registration can be enabled/disabled using the `infisical_backend_environment_variable_invite_only_signup` variable.
We recommend installing with public registration enabled at first (which is the default value for this variable), creating your first user account, and then disabling public registration by explicitly setting `infisical_backend_environment_variable_invite_only_signup` to `true`.
## Usage
After installation, you can go to the Infisical URL, as defined in `infisical_hostname`.
As mentioned in [Authentication](#authentication) above, you can create the first user from the web interface.
If you'd like to prevent other users from registering, consider disabling public registration by explicitly setting `infisical_backend_environment_variable_invite_only_signup` variable to `true` in your configuration and re-running the playbook (`just install-service infisical`).


@ -19,6 +19,7 @@
| [Grafana](https://grafana.com/) | An open and composable observability and data visualization platform, often used with [Prometheus](services/prometheus.md) | [Link](services/grafana.md) |
| [Healthchecks](https://healthchecks.io/) | A simple and Effective Cron Job Monitoring solution | [Link](services/healthchecks.md) |
| [Hubsite](https://github.com/moan0s/hubsite) | A simple, static site that shows an overview of the available services | [Link](services/hubsite.md) |
| [Infisical](https://infisical.com/) | An open-source end-to-end encrypted platform for securely managing secrets and configs across your team, devices, and infrastructure. | [Link](services/infisical.md) |
| [Jitsi](https://jitsi.org/) | A fully encrypted, 100% Open Source video conferencing solution | [Link](services/jitsi.md) |
| [Keycloak](https://www.keycloak.org/) | An open source identity and access management solution. | [Link](services/keycloak.md) |
| [Lago](https://www.getlago.com/) | Open-source metering and usage-based billing | [Link](services/lago.md) |


@ -119,6 +119,10 @@ devture_systemd_service_manager_services_list_auto: |
+
([{'name': (healthchecks_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'healthchecks']}] if healthchecks_enabled else [])
+
([{'name': (infisical_identifier + '-backend.service'), 'priority': 2000, 'groups': ['mash', 'infisical', 'infisical-backend']}] if infisical_enabled else [])
+
([{'name': (infisical_identifier + '-frontend.service'), 'priority': 2000, 'groups': ['mash', 'infisical', 'infisical-frontend']}] if infisical_enabled else [])
+
([{'name': (jitsi_identifier + '-web.service'), 'priority': 4200, 'groups': ['mash', 'jitsi', 'jitsi-web']}] if jitsi_enabled else [])
+
([{'name': (jitsi_identifier + '-prosody.service'), 'priority': 4000, 'groups': ['mash', 'jitsi', 'jitsi-prosody']}] if jitsi_enabled else [])
@ -1384,6 +1388,70 @@ hubsite_service_list_auto: |
########################################################################
# #
# infisical #
# #
########################################################################
infisical_enabled: false
infisical_identifier: "{{ mash_playbook_service_identifier_prefix }}infisical"
infisical_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}infisical"
infisical_uid: "{{ mash_playbook_uid }}"
infisical_gid: "{{ mash_playbook_gid }}"
infisical_backend_systemd_required_services_list: |
{{
(['docker.service'])
+
([mongodb_identifier ~ '.service'] if mongodb_enabled and infisical_mongodb_hostname == mongodb_identifier else [])
}}
infisical_backend_container_additional_networks: |
{{
([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
+
([mongodb_container_network] if mongodb_enabled and infisical_mongodb_hostname == mongodb_identifier and infisical_backend_container_network != mongodb_container_network else [])
}}
infisical_backend_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}"
infisical_backend_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
infisical_backend_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
infisical_backend_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
# Intentionally not auto-generating infisical_backend_environment_variable_encryption_key here.
# We prefer it to be explicit as it seems important that it remains stable.
infisical_backend_environment_variable_jwt_signup_secret: "{{ ('%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'inf.jwt.signup', rounds=655555) | to_uuid | replace('-', ''))[0:32] }}"
infisical_backend_environment_variable_jwt_refresh_secret: "{{ ('%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'inf.jwt.r', rounds=655555) | to_uuid | replace('-', ''))[0:32] }}"
infisical_backend_environment_variable_jwt_auth_secret: "{{ ('%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'inf.jwt.a', rounds=655555) | to_uuid | replace('-', ''))[0:32] }}"
infisical_backend_environment_variable_jwt_service_secret: "{{ ('%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'inf.jwt.svc', rounds=655555) | to_uuid | replace('-', ''))[0:32] }}"
infisical_frontend_container_additional_networks: |
{{
([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
}}
infisical_frontend_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}"
infisical_frontend_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
infisical_frontend_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
infisical_frontend_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
infisical_mongodb_hostname: "{{ mongodb_identifier if mongodb_enabled else '' }}"
infisical_mongodb_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'infisical.db', rounds=655555) | to_uuid }}"
infisical_mongodb_auth_source: "{{ infisical_mongodb_db_name }}"
########################################################################
# #
# /infisical #
# #
########################################################################
########################################################################
# #
# jitsi #
@ -1637,7 +1705,14 @@ mongodb_gid: "{{ mash_playbook_gid }}"
mongodb_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}mongodb"
mongodb_managed_databases_auto: []
mongodb_managed_databases_auto: |
{{
([{
'name': infisical_mongodb_db_name,
'username': infisical_mongodb_username,
'password': infisical_mongodb_password,
}] if infisical_enabled and infisical_mongodb_hostname == mongodb_identifier else [])
}}
########################################################################
# #
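Review bot: `infisical_backend_environment_variable_encryption_key` is the one secret in the infisical section that is neither derived from `mash_playbook_generic_secret_key` (as the four JWT secrets and `infisical_mongodb_password` are) nor given a value here, and nothing in the hunk asserts it was set before the backend service is enabled; whether the role rejects an empty key cannot be seen from this page. The comment above the JWT secrets says why it is not auto-generated but not where it must come from, so I would extend it with `# It must be set explicitly in vars.yml (generate with: openssl rand -hex 16, see the Infisical service docs). If the role does not validate it, an empty value would be passed through to the backend container.`. The section also never mentions `infisical_backend_environment_variable_invite_only_signup`, although the service document added in this same commit warns that public registration is the default; a commented placeholder line next to the encryption-key comment would keep that choice visible to someone reading the defaults rather than the docs. The surrounding vars file continues past this hunk (the jitsi section is cut at its header), and the earlier `devture_systemd_service_manager_services_list_auto` hunk likewise starts outside the visible lines.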


@ -80,6 +80,9 @@
- src: git+https://github.com/moan0s/hubsite.git
version: v1.23.3-2
name: hubsite
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-infisical.git
version: v0.3.8-0
name: infisical
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
version: v8615-0
name: jitsi


@ -90,6 +90,8 @@
- role: galaxy/healthchecks
- role: galaxy/infisical
- role: galaxy/hubsite
- role: galaxy/jitsi
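Review bot: `- role: galaxy/infisical` is inserted between `galaxy/healthchecks` and `galaxy/hubsite`, which breaks the alphabetical order that the surrounding entries (and the requirements and services-table hunks in this commit) keep; unless the position is meant to express a role-ordering dependency, it should move one line down, after `- role: galaxy/hubsite`. The hunk header counts two added lines but only one is visible here, so the role list may carry another insertion I cannot see.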