Secrets
Overview
Secrets are managed using Ansible Vault. The primary source of truth for all encrypted secrets is ansible/secrets.yml. This file is committed to the repository (AES256 encrypted) and is decrypted during provisioning/deployment to generate per-app .env files on the VPS.
Key Files
| File | Description |
|---|---|
ansible/secrets.yml | AES256 encrypted YAML file containing all secrets. |
scripts/vault-set.sh | CLI tool to sync .env variables into the encrypted vault. |
scripts/sync-vault.py | Python script to sync secrets from VPS .env files back into the repo. |
Managing Secrets locally
1. Adding/Updating a secret
Instead of editing the encrypted YAML manually, use scripts/vault-set.sh. It takes a .env file and upserts its values into the vault:
export ANSIBLE_VAULT_PASSWORD=your_password
./scripts/vault-set.sh path/to/.env
The script will:
- Decrypt
ansible/secrets.ymlto a temporary file. - Compare keys from your
.envwith the vault. - Update or add keys (prefixed with the app name, e.g.,
n8n_owner_email). - Re-encrypt and save the vault.
2. Viewing the Vault
To see the raw content of the vault:
ansible-vault view ansible/secrets.yml --vault-id @prompt
How Secrets are Deployed
During the Provision VPS workflow:
- Ansible decrypts
secrets.yml. - The
Write all app .env filestasks inplaybook.ymlmap vault variables to specific.envkeys. - The
.envfiles are written to/opt/vps-apps/<appname>/.envon the VPS with0600permissions.
Syncing Secrets from VPS
Sometimes secrets are generated or changed directly on the VPS (e.g., Authentik API tokens). To keep the repo in sync, the provision.yml workflow performs a "Sync back" operation:
- Dumps all
.envfiles from the VPS. - Decrypts
ansible/secrets.yml. - Runs
scripts/sync-vault.pyto merge VPS values back into the vault content. - Re-encrypts and commits the updated
ansible/secrets.ymlback to GitHub.
Required GitHub Secrets
| Secret | Description |
|---|---|
ANSIBLE_VAULT_PASSWORD | The password used to encrypt/decrypt ansible/secrets.yml. |
GH_PAT | Personal Access Token used by the workflow to push secret updates back to the repo. |
Never commit .env files or plaintext secrets. The .gitignore is configured to exclude all .env files and ansible/secrets.yml must ALWAYS be encrypted before committing.