Try registered variables to template app secrets

roles/mastodon-config/tasks/main.yml

@@ -3,6 +3,33 @@
 # setup, pre-compiles assets, starts Mastodon daemons, adds media cleanup
 # cron job
 
+- name: Generate PAPERCLIP_SECRET and register it
+  shell: cd /home/mastodon/live && /home/mastodon/.rbenv/shims/bundle exec rake secret
+  register: PAPERCLIP_SECRET
+  environment:
+    RAILS_ENV: production
+  args:
+    executable: /bin/bash
+  become: true
+  become_user: mastodon
+- name: Generate SECRET_KEY_BASE and register it
+  shell: cd /home/mastodon/live && /home/mastodon/.rbenv/shims/bundle exec rake secret
+  register: SECRET_KEY_BASE
+  environment:
+    RAILS_ENV: production
+  args:
+    executable: /bin/bash
+  become: true
+  become_user: mastodon
+- name: Generate OTP_SECRET and register it
+  shell: cd /home/mastodon/live && /home/mastodon/.rbenv/shims/bundle exec rake secret
+  register: OTP_SECRET
+  environment:
+    RAILS_ENV: production
+  args:
+    executable: /bin/bash
+  become: true
+  become_user: mastodon
 - name: Copy Mastodon .env.production
   template:
     src: .env.production

roles/mastodon-config/templates/.env.production.sample

@@ -21,11 +21,10 @@ LOCAL_DOMAIN={{ mastodon_hostname }}
 LOCAL_HTTPS=true
 
 # Application secrets
-# Generate each with `RAILS_ENV=production bundle exec rake secret` on
-# the Mastodon host
-PAPERCLIP_SECRET=
-SECRET_KEY_BASE=
-OTP_SECRET=
+# Don't edit the 3 below, we get this from a registered variable
+PAPERCLIP_SECRET={{ PAPERCLIP_SECRET }}
+SECRET_KEY_BASE={{ SECRET_KEY_BASE }}
+OTP_SECRET={{ SECRET_KEY_BASE }}
 
 # Web Push VAPID keys
 # Generate with `web-push generate-vapid-keys` on Mastodon host and then