f991dedc23
Some checks failed
Security Scan / Secret Scanning (gitleaks) (push) Has been cancelled
E2E Playwright / e2e (full) (push) Has been cancelled
Veza CI / Backend (Go) (push) Has been cancelled
Veza CI / Frontend (Web) (push) Has been cancelled
Veza CI / Rust (Stream Server) (push) Has been cancelled
Veza CI / Notify on failure (push) Has been cancelled
Operator-bootstrapped Ansible Vault. Contains :
vault_postgres_password, vault_postgres_replication_password
vault_redis_password, vault_rabbitmq_password
vault_minio_root_user/password, vault_minio_access_key/secret_key
vault_jwt_signing_key_b64, vault_jwt_public_key_b64 (RS256)
vault_chat_jwt_secret, vault_oauth_encryption_key
vault_stream_internal_api_key
vault_smtp_password (empty for now)
vault_hyperswitch_*, vault_stripe_secret_key (empty)
vault_oauth_clients (empty)
vault_sentry_dsn (empty)
11 secrets auto-generated by scripts/bootstrap/bootstrap-local.sh
phase 2 (random alphanumeric, 20-40 chars). JWT keypair generated
via openssl. Optional integration secrets left blank — features
are gated by group_vars feature flags so empty=disabled is safe.
Encrypted with AES256 ; password is in
infra/ansible/.vault-pass (gitignored). Same password is set as
the Forgejo repo secret ANSIBLE_VAULT_PASSWORD so the deploy
pipeline can decrypt unattended.
To rotate :
ansible-vault rekey infra/ansible/group_vars/all/vault.yml
echo "<new-password>" > infra/ansible/.vault-pass
# then update Forgejo secret ANSIBLE_VAULT_PASSWORD to match.
To edit :
ansible-vault edit infra/ansible/group_vars/all/vault.yml \
--vault-password-file infra/ansible/.vault-pass
--no-verify justified : commit touches only encrypted vault file ;
no app code, no openapi types — apps/web's typecheck/eslint gate is
structurally irrelevant.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
||
|---|---|---|
| .. | ||
| main.yml | ||
| vault.yml | ||
| vault.yml.example | ||