Reference

Secrets summary table

Element

Storage

If lost

init.json (unseal keys + root token)

Local file (Ansible controller), recommended encrypted with ansible-vault

CATASTROPHIC: Vault loses its data on the next restart

ansible-vault passphrase

Password manager

The encrypted init.json file becomes unreadable

CredentialAPI token

Docker Swarm secret (reemo_VAULT_TOKEN)

Regenerable via the root token from init.json

Temporary Vault tokens (5 min, for Portal Credential)

Memory of application containers

Regenerated on the next cycle, no action required

Useful commands

# Full deployment
ansible-playbook -i inv playbook/reemo-infra.yml

# Deployment with ansible-vault
ansible-playbook -i inv playbook/reemo-infra.yml --ask-vault-pass

# Vault update only
ansible-playbook -i inv playbook/reemo-infra.yml --tags vault

# CredentialAPI / Portal Credential update
ansible-playbook -i inv playbook/reemo-infra.yml --tags credentialapi,credentialportal

# Encrypt init.json
ansible-vault encrypt playbooks/secrets/reemo/vault/init.json

# View encrypted content
ansible-vault view playbooks/secrets/reemo/vault/init.json

# Vault status
docker exec $(docker ps --filter name=reemo_vault1. -q) bao status

# CredentialAPI token details
TOKEN=$(docker exec $(docker ps --filter name=reemo_credentialapi. -q | head -1) cat /run/secrets/reemo_credentialapi_vault_token)
docker exec -e BAO_TOKEN=$TOKEN $(docker ps --filter name=reemo_vault1. -q) bao token lookup