Reference¶
Secrets summary table¶
Element |
Storage |
If lost |
|---|---|---|
init.json (unseal keys + root token) |
Local file (Ansible controller), recommended encrypted with ansible-vault |
CATASTROPHIC: Vault loses its data on the next restart |
ansible-vault passphrase |
Password manager |
The encrypted init.json file becomes unreadable |
CredentialAPI token |
Docker Swarm secret ( |
Regenerable via the root token from init.json |
Temporary Vault tokens (5 min, for Portal Credential) |
Memory of application containers |
Regenerated on the next cycle, no action required |
Useful commands¶
# Full deployment
ansible-playbook -i inv playbook/reemo-infra.yml
# Deployment with ansible-vault
ansible-playbook -i inv playbook/reemo-infra.yml --ask-vault-pass
# Vault update only
ansible-playbook -i inv playbook/reemo-infra.yml --tags vault
# CredentialAPI / Portal Credential update
ansible-playbook -i inv playbook/reemo-infra.yml --tags credentialapi,credentialportal
# Encrypt init.json
ansible-vault encrypt playbooks/secrets/reemo/vault/init.json
# View encrypted content
ansible-vault view playbooks/secrets/reemo/vault/init.json
# Vault status
docker exec $(docker ps --filter name=reemo_vault1. -q) bao status
# CredentialAPI token details
TOKEN=$(docker exec $(docker ps --filter name=reemo_credentialapi. -q | head -1) cat /run/secrets/reemo_credentialapi_vault_token)
docker exec -e BAO_TOKEN=$TOKEN $(docker ps --filter name=reemo_vault1. -q) bao token lookup