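---
# Bootstraps a fresh Appwrite instance:
# 1. Creates the console admin user
# 2. Creates the BAB project
# 3. Registers web platforms (CORS allowed origins)
# 4. Generates an Ansible automation API key
# 5. Stores the API key secret in Vault at kv/oys/bab-appwrite-api-key
#
# Run once per environment after install_appwrite.yml.
# Safe to re-run: account and project creation tolerate 409 and only
# report "changed" when the request returned 201.
# Platform and API key creation are NOT idempotent — re-running creates
# duplicates. Delete stale entries from the console.
#
# Every task that transmits a credential (admin password, session cookie,
# console JWT, generated API key secret) runs with no_log so that a failed
# request does not echo the credential into the play output.
#
# Required vars (from inventory):
#   appwrite_domain        - e.g. appwrite.toal.ca (used to build admin URL)
#   appwrite_project       - project ID to create
#   appwrite_project_name  - human-readable project name (default: BAB)
#   appwrite_web_platforms - list of {name, hostname} dicts for CORS origins
#
# Note: this play redefines appwrite_admin_uri from appwrite_domain instead
# of using the inventory's appwrite_admin_uri, because the inventory value
# may point to an app-layer proxy (e.g. nginx) that does not expose the
# Appwrite admin/console endpoints.

- name: Bootstrap Appwrite — Admin, Project, and API Key
  hosts: appwrite
  gather_facts: false

  vars:
    appwrite_admin_uri: "https://{{ appwrite_domain }}/v1"

  tasks:
    # All HTTP and Vault calls run from the controller (delegate_to:
    # localhost); the appwrite host is only used to resolve inventory vars.
    - name: Read admin credentials from Vault
      community.hashi_vault.vault_kv2_get:
        path: oys/bab_admin
        engine_mount_point: kv
      register: vault_admin
      no_log: true
      delegate_to: localhost

    - name: Create Appwrite console admin account
      ansible.builtin.uri:
        url: "{{ appwrite_admin_uri }}/account"
        method: POST
        body_format: json
        headers:
          X-Appwrite-Project: console
          X-Appwrite-Response-Format: "1.6"
        body:
          userId: "{{ appwrite_admin_user_id | default('bab-admin') }}"
          email: "{{ vault_admin.secret.bab_admin_user }}"
          password: "{{ vault_admin.secret.bab_admin_password }}"
        # 409 and 501 are accepted so a re-run does not fail when the admin
        # account already exists; only a 201 counts as a change below.
        status_code: [201, 409, 501]
        return_content: true
      register: admin_account
      changed_when: admin_account.status == 201
      delegate_to: localhost
      no_log: true

    - name: Create admin session
      ansible.builtin.uri:
        url: "{{ appwrite_admin_uri }}/account/sessions/email"
        method: POST
        body_format: json
        headers:
          X-Appwrite-Project: console
          X-Appwrite-Response-Format: "1.6"
        body:
          email: "{{ vault_admin.secret.bab_admin_user }}"
          password: "{{ vault_admin.secret.bab_admin_password }}"
        status_code: [201]
        return_content: true
      register: admin_session
      delegate_to: localhost
      # The request body carries the admin password and the response carries
      # the session cookie — never log this task.
      no_log: true

    - name: Create JWT from admin session
      ansible.builtin.uri:
        url: "{{ appwrite_admin_uri }}/account/jwt"
        method: POST
        body_format: json
        headers:
          X-Appwrite-Project: console
          X-Appwrite-Response-Format: "1.6"
          Cookie: "{{ admin_session.cookies_string }}"
        status_code: [201]
        return_content: true
      register: admin_jwt
      delegate_to: localhost
      no_log: true

    - name: Get admin user teams
      ansible.builtin.uri:
        url: "{{ appwrite_admin_uri }}/teams"
        method: GET
        headers:
          X-Appwrite-Project: console
          X-Appwrite-Response-Format: "1.6"
          X-Appwrite-JWT: "{{ admin_jwt.json.jwt }}"
        status_code: [200]
        return_content: true
      register: admin_teams
      delegate_to: localhost
      # The JWT header is an admin credential; keep it out of the output.
      no_log: true

    - name: Create BAB project
      ansible.builtin.uri:
        url: "{{ appwrite_admin_uri }}/projects"
        method: POST
        body_format: json
        headers:
          X-Appwrite-Project: console
          X-Appwrite-Response-Format: "1.6"
          X-Appwrite-JWT: "{{ admin_jwt.json.jwt }}"
        body:
          projectId: "{{ appwrite_project }}"
          name: "{{ appwrite_project_name | default('BAB') }}"
          # NOTE(review): assumes the admin's first team is the one the
          # project should belong to — confirm when the admin is a member
          # of more than one team.
          teamId: "{{ admin_teams.json.teams[0]['$id'] }}"
          region: default
        # 409 means the project already exists; treated as unchanged.
        status_code: [201, 409]
        return_content: true
      register: bab_project
      changed_when: bab_project.status == 201
      delegate_to: localhost
      no_log: true

    - name: Register web platforms (CORS allowed origins)
      ansible.builtin.uri:
        url: "{{ appwrite_admin_uri }}/projects/{{ appwrite_project }}/platforms"
        method: POST
        body_format: json
        headers:
          X-Appwrite-Project: console
          X-Appwrite-Response-Format: "1.6"
          X-Appwrite-JWT: "{{ admin_jwt.json.jwt }}"
        body:
          type: web
          name: "{{ item.name }}"
          hostname: "{{ item.hostname }}"
        status_code: [201]
        return_content: true
      loop: "{{ appwrite_web_platforms | default([]) }}"
      delegate_to: localhost
      no_log: true

    - name: Create Ansible automation API key
      ansible.builtin.uri:
        url: "{{ appwrite_admin_uri }}/projects/{{ appwrite_project }}/keys"
        method: POST
        body_format: json
        headers:
          X-Appwrite-Project: console
          X-Appwrite-Response-Format: "1.6"
          X-Appwrite-JWT: "{{ admin_jwt.json.jwt }}"
        body:
          name: ansible-automation
          # Scopes are limited to the database and user resources the
          # automation manages; no project-level or key-management scopes.
          scopes:
            - databases.read
            - databases.write
            - collections.read
            - collections.write
            - attributes.read
            - attributes.write
            - indexes.read
            - indexes.write
            - documents.read
            - documents.write
            - users.read
            - users.write
        status_code: [201]
        return_content: true
      register: api_key
      delegate_to: localhost
      no_log: true

    - name: Store API key secret in Vault
      community.hashi_vault.vault_kv2_write:
        path: oys/bab-appwrite-api-key
        engine_mount_point: kv
        data:
          appwrite_api_key: "{{ api_key.json.secret }}"
      delegate_to: localhost
      no_log: true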