synapse: encrypt LDAP password with age

Switching from Ansible Vault to `age`. This value is encrypted with the following public key: age1j63kzwldegazaaj4rm2ydzlm4wlh6z4cgm4s7g6pzysskh04duhslyc5yy
2024-01-09 17:22:11 -06:00 · 2024-01-09 17:22:11 -06:00 · 51dc5a690d
parent 1ac58c5148
commit 51dc5a690d
3 changed files with 9 additions and 11 deletions
--- a/group_vars/synapse/main.yml
+++ b/group_vars/synapse/main.yml
@ -4,7 +4,14 @@ synapse_ldap_enabled: true
 synapse_ldap_uri: ldap://ldap.pyrocufflink.blue:389
 synapse_ldap_base: DC=pyrocufflink,DC=blue
 synapse_ldap_bind_dn: CN=svc.synapse,CN=Users,DC=pyrocufflink,DC=blue
-synapse_ldap_bind_password: '{{ vault_synapse_ldap_bind_password }}'
+synapse_ldap_bind_password: |
+  -----BEGIN AGE ENCRYPTED FILE-----
+  YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBza1BRS1Y5WFFIVDk1R0Fj
+  S09STXh3dEZBL0dtWk1PZXZHT0ZiZ0J6N1JVCkhFYXpqM3RqbmxmUlEySGgrcDla
+  eWVld3JmR1IxWmM0dlMzRXR0RDg4aEEKLS0tIHd1Tm5HVzZVTHBXUUV0OGQwb2o4
+  YkxqNkxzMHY3UWdibmFQajRIVFU2WlUKPrK1boO/OLSGTYKqz4VhiSLvfNO3EnU2
+  I3NhniF1WpbqwEkYzL7CM4teYYYQOHPJpBaj4vUT7mMOZyw5VOkKYQ==
+  -----END AGE ENCRYPTED FILE-----
 matrix_tls_cert: websites/hatch.chat.cer
 matrix_tls_key: websites/hatch.chat.key

--- a/group_vars/synapse/secrets
+++ b/group_vars/synapse/secrets
@ -1,9 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-63353463626538346438303931303537663265346634313861653364333635323337666634303136
-3036343162343532306263653634376132663836393962640a623738393633336437643330656264
-66633166306532373631323236346237626239643839313934383264393231313134323761313163
-6464626566623466630a313363386332613637346638333439666438383939306632666466353966
-30323538326462313836306563353233663935636130636361353938623331396432356436383137
-30336464646136633931613763363464373165386435613939656435663332326432396539633037
-30373035663336613937383038363032373330316137333333303632353839643338393938343238
-34393634643139323066
--- a/roles/synapse/templates/homeserver.yaml.j2
+++ b/roles/synapse/templates/homeserver.yaml.j2
@ -80,7 +80,7 @@ password_providers:
 {% if synapse_ldap_bind_dn|d %}
     bind_dn: '{{ synapse_ldap_bind_dn }}'
 {% if synapse_ldap_bind_password|d %}
-     bind_password: '{{ synapse_ldap_bind_password }}'
+     bind_password: '{{ synapse_ldap_bind_password | decrypt }}'
 {% endif %}
 {% endif %}
 {% endif %}