Add a vaulted secret key for the flask application.

ansible/ansible.cfg

@@ -4,6 +4,7 @@ internal_poll_interval=0.004
 inventory=inventory
 retry_files_enabled=false
 roles_path=roles
+vault_password_file=bin/open-vault
 
 [privilege_escalation]
 become=false

ansible/bin/open-vault

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+# Note(decentral1se): We should arrange a way to share secrets
+#                     For now, only I have this password.
+pass show books.vvvvvvaria.org/ansible-vault-password

ansible/plays/main.yml

@@ -5,6 +5,7 @@
     - role: perms       # Setup users and groups
     - role: git         # Clone the project source
     - role: pipenv      # Install Python dependencies
+    - role: env         # Configure application environment
     - role: rqlite      # Install RQLite
     - role: supervisor  # Setup managed proccesses
     - role: nginx       # Setup Nginx configuration

ansible/roles/env/defaults/main.yml

@@ -0,0 +1,11 @@
+---
+
+xppl_secret_key: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  63383039393130376566643264343636326531633134643866646531393437373463363166653264
+  3936316365313533623934333265313536393232643138340a326266363362363939383037633463
+  32633266626261653166343063336434646137643136366136393266646366303531383035653466
+  3836623437323435350a663435353630623338626566356631336135326536663261636563616439
+  33326362393130366164653932393066633330623966666235326666646462303663643030656339
+  62613635396532343535313637656139366336626666383565656436646562313163363136613337
+  616562666538363238663064373434343665

ansible/roles/env/tasks/main.yml

@@ -0,0 +1,9 @@
+---
+
+- name: Get the environment configuration in place.
+  become: true
+  become_user: xppl
+  template:
+    src: env.j2
+    dest: /var/xppl/.env
+    mode: 0644

ansible/roles/env/templates/env.j2

@@ -0,0 +1 @@
+SECRET_KEY={{ xppl_secret_key }}