feat: Sync supabase secrets to gitea

feat: Backup supabase
2026-04-14 20:22:55 -04:00
parent 4e23df5a8e
commit b74528b6f1
3 changed files with 176 additions and 0 deletions
--- a/playbooks/sync_gitea_secrets.yml
+++ b/playbooks/sync_gitea_secrets.yml
@@ -0,0 +1,64 @@
+---
+- name: Sync Supabase secrets to Gitea repo variables
+  hosts: localhost
+  connection: local
+  gather_facts: false
+
+  tasks:
+    - name: Read Supabase dev secrets from Vault
+      ansible.builtin.set_fact:
+        _supabase_dev: "{{ lookup('community.hashi_vault.hashi_vault',
+          'secret=oys/dev/supabase url=' + vault_addr + ' engine_mount_point=kv') }}"
+      no_log: true
+
+    - name: Read Supabase prod secrets from Vault
+      ansible.builtin.set_fact:
+        _supabase_prod: "{{ lookup('community.hashi_vault.hashi_vault',
+          'secret=oys/prod/supabase url=' + vault_addr + ' engine_mount_point=kv') }}"
+      no_log: true
+
+    - name: Read Gitea API token from Vault
+      ansible.builtin.set_fact:
+        _gitea_token: "{{ lookup('community.hashi_vault.hashi_vault',
+          'secret=oys/shared/infra/gitea_token url=' + vault_addr + ' engine_mount_point=kv') }}"
+      no_log: true
+
+    - name: Construct ENV_FILE_DEV content
+      ansible.builtin.set_fact:
+        _env_file_dev: |
+          SUPABASE_URL={{ _supabase_dev.url }}
+          SUPABASE_ANON_KEY={{ _supabase_dev.anon_key }}
+      no_log: true
+
+    - name: Construct ENV_FILE_PROD content
+      ansible.builtin.set_fact:
+        _env_file_prod: |
+          SUPABASE_URL={{ _supabase_prod.url }}
+          SUPABASE_ANON_KEY={{ _supabase_prod.anon_key }}
+      no_log: true
+
+    - name: Update ENV_FILE_DEV Gitea variable
+      ansible.builtin.uri:
+        url: "{{ gitea_base_url }}/api/v1/repos/{{ gitea_owner }}/{{ gitea_repo }}/actions/variables/ENV_FILE_DEV"
+        method: PUT
+        headers:
+          Authorization: "token {{ _gitea_token.value }}"
+          Content-Type: application/json
+        body_format: json
+        body:
+          value: "{{ _env_file_dev }}"
+        status_code: [201, 204]
+      no_log: true
+
+    - name: Update ENV_FILE_PROD Gitea variable
+      ansible.builtin.uri:
+        url: "{{ gitea_base_url }}/api/v1/repos/{{ gitea_owner }}/{{ gitea_repo }}/actions/variables/ENV_FILE_PROD"
+        method: PUT
+        headers:
+          Authorization: "token {{ _gitea_token.value }}"
+          Content-Type: application/json
+        body_format: json
+        body:
+          value: "{{ _env_file_prod }}"
+        status_code: [201, 204]
+      no_log: true