update secrets to use docker swarm

.github/workflows/infrastructure.yml

@@ -36,3 +36,8 @@ jobs:
       with:
         name: inventory
         path: infra/playbooks/inventory.yml
+    - name: save cx_string as artefact
+      uses: actions/upload-artifact@v4
+      with:
+        name: cx_string
+        path: infra/playbooks/cx_string

.github/workflows/playbooks.yml

@@ -21,5 +21,15 @@ jobs:
       with:
         name: inventory
         path: infra/playbooks
-    - name: test service
+    - name: download cx_secret
+      uses: actions/download-artifact@v4
+      with:
+        name: cx_string
+        path: infra/playbooks
+    - name: Create secret files
+      run: |
+          echo ${{secrets.AUTH_SECRET}} > ./auth_secret && \
+          echo ${{secrets.GITHUB_CLIENT_ID}} > ./github_client_id && \
+          echo ${{secrets.GITHUB_CLIENT_SECRET}} > ./github_client_secret
+    - name: Deploy Service
       run: ansible-playbook -i inventory.yml service.yml

infra/modules/db/postgres.tf

@@ -12,3 +12,8 @@ resource "aws_db_instance" "default" {
 output "db_cx_string" {
   value = aws_db_instance.default.endpoint
 }
+
+resource "local_file" "cx_string" {
+  filename = "playbooks/cx_string"
+  content  = aws_db_instance.default.endpoint
+}

infra/playbooks/service.yml

@@ -38,7 +38,27 @@
 - name: Docker Secrets
   hosts: managers[0]
   tasks:
-    - name: Docker Swarm Secrets
+    - name: Secret - GITHUB_CLIENT_ID
       community.docker.docker_secret:
-        name: dev-asm
-        data: test
+        name: CLIENT_ID
+        data: "{{lookup('file', './github_client_id') | b64encode}}"
+        data_is_b64: true
+        state: present
+    - name: Secret - GITHUB_CLIENT_SECRET
+      community.docker.docker_secret:
+        name: CLIENT_SECRET
+        data: "{{lookup('file', './github_client_secret') | b64encode}}"
+        data_is_b64: true
+        state: present
+    - name: Secret - AUTH_SECRET
+      community.docker.docker_secret:
+        name: AUTH_SECRET
+        data: "{{lookup('file', './auth_secret') | b64encode}}"
+        data_is_b64: true
+        state: present
+    - name: Secret - CX_STRING
+      community.docker.docker_secret:
+        name: DATABASE_URL
+        data: "{{lookup('file', './cx_string') | b64encode}}"
+        data_is_b64: true
+        state: present

src/lib.rs

@@ -38,8 +38,17 @@ pub static RQ: Lazy<Mutex<Client>> = Lazy::new(|| Mutex::new(Client::new()));
 use lazy_static::lazy_static;
 #[cfg(feature = "ssr")]
 lazy_static! {
-    pub static ref CLIENT_ID: String = std::env::var("GITHUB_CLIENT_ID").expect("ENV VAR NOT SET");
-    pub static ref CLIENT_SECRET: String =
-        std::env::var("GITHUB_CLIENT_SECRET").expect("ENV VAR NOT SET");
-    pub static ref AUTH_SECRET: String = std::env::var("AUTH_SECRET").expect("ENV VAR NOT SET");
+    pub static ref CLIENT_ID: String = get_secret("GITHUB_CLIENT_ID");
+    pub static ref CLIENT_SECRET: String = get_secret("GITHUB_CLIENT_SECRET");
+    pub static ref AUTH_SECRET: String = get_secret("AUTH_SECRET");
+
+    fn get_secret(key: &str) -> String {
+        std::env::var(key)
+            .or_else(|x| read_secret_from_file(key))
+            .expect("could not find required secrets in the environment")
+    }
+
+    fn read_secret_from_file(key: &str) -> Result<String, String> {
+        std::fs::read_to_string(format!("/run/secrets/{}", key))
+    }
 }