From c332e833125dd2c974b1f37c8b511c39c11b57cf Mon Sep 17 00:00:00 2001 From: staticsafe Date: Sun, 26 Nov 2017 21:59:48 -0500 Subject: [PATCH] Try registered variables to template app secrets --- roles/mastodon-config/tasks/main.yml | 27 +++++++++++++++++++ .../templates/.env.production.sample | 9 +++---- 2 files changed, 31 insertions(+), 5 deletions(-) diff --git a/roles/mastodon-config/tasks/main.yml b/roles/mastodon-config/tasks/main.yml index 444c0c8..db1a80e 100644 --- a/roles/mastodon-config/tasks/main.yml +++ b/roles/mastodon-config/tasks/main.yml @@ -3,6 +3,33 @@ # setup, pre-compiles assets, starts Mastodon daemons, adds media cleanup # cron job +- name: Generate PAPERCLIP_SECRET and register it + shell: cd /home/mastodon/live && /home/mastodon/.rbenv/shims/bundle exec rake secret + register: PAPERCLIP_SECRET + environment: + RAILS_ENV: production + args: + executable: /bin/bash + become: true + become_user: mastodon +- name: Generate SECRET_KEY_BASE and register it + shell: cd /home/mastodon/live && /home/mastodon/.rbenv/shims/bundle exec rake secret + register: SECRET_KEY_BASE + environment: + RAILS_ENV: production + args: + executable: /bin/bash + become: true + become_user: mastodon +- name: Generate OTP_SECRET and register it + shell: cd /home/mastodon/live && /home/mastodon/.rbenv/shims/bundle exec rake secret + register: OTP_SECRET + environment: + RAILS_ENV: production + args: + executable: /bin/bash + become: true + become_user: mastodon - name: Copy Mastodon .env.production template: src: .env.production diff --git a/roles/mastodon-config/templates/.env.production.sample b/roles/mastodon-config/templates/.env.production.sample index e98050a..c1d8e1d 100644 --- a/roles/mastodon-config/templates/.env.production.sample +++ b/roles/mastodon-config/templates/.env.production.sample 
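Review bot: The three `rake secret` tasks in roles/mastodon-config/tasks/main.yml run on every play and carry no `no_log: true`, so the generated values can show up in verbose Ansible output and callback logs, and a fresh set is produced on each run. The template task that follows continues past this hunk; if it rewrites `.env.production` each time, every re-run would rotate SECRET_KEY_BASE and OTP_SECRET, invalidating sessions and presumably existing two-factor enrolments. I would add `no_log: true` to each task and gate both generation and templating on the env file not already existing, for example a `stat` result used in `when:`. The tasks also always report "changed"; `changed_when: false` would keep play output honest.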
@@ -21,11 +21,10 @@ LOCAL_DOMAIN={{ mastodon_hostname }} LOCAL_HTTPS=true # Application secrets -# Generate each with `RAILS_ENV=production bundle exec rake secret` on -# the Mastodon host -PAPERCLIP_SECRET= -SECRET_KEY_BASE= -OTP_SECRET= +# Don't edit the 3 below, we get this from a registered variable +PAPERCLIP_SECRET={{ PAPERCLIP_SECRET }} +SECRET_KEY_BASE={{ SECRET_KEY_BASE }} +OTP_SECRET={{ SECRET_KEY_BASE }} # Web Push VAPID keys # Generate with `web-push generate-vapid-keys` on Mastodon host and then
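Review bot: `OTP_SECRET={{ SECRET_KEY_BASE }}` fills the OTP secret with the session-signing key, so the two are no longer independent and the registered `OTP_SECRET` is never used. A registered variable is also the whole task result, so `{{ PAPERCLIP_SECRET }}` would render the result dictionary rather than the secret string. All three lines need `.stdout`, e.g. `PAPERCLIP_SECRET={{ PAPERCLIP_SECRET.stdout }}` and `OTP_SECRET={{ OTP_SECRET.stdout }}`. This hunk edits `.env.production.sample` while the task in main.yml names `src: .env.production`, so confirm the file changed here is the one actually rendered.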