This Ansible role automates the deployment of Infisical, along with its required PostgreSQL database and Redis cache. It provides a flexible setup for installing and configuring these components across multiple hosts. This role doesn't come with HA (high availability). An HA deployment role will be released soon.
To install the Infisical Deployment Ansible role, run the following command:
```shell
$ ansible-galaxy install infisical.infisical_deployment
```
This command will download and install the role from Ansible Galaxy, making it available for use in your Ansible projects.
- Clone this role into your Ansible roles directory.
- Create your playbook (e.g., `playbook.yml`) and inventory file (e.g., `inventory.ini`). You can find examples for the `playbook.yml` and `inventory.ini` further down in the README.
- Run the playbook:

  ```shell
  $ ansible-playbook -i inventory.ini playbook.yml
  ```
- Ansible 2.9 or higher
- Target machines running a Debian-based Linux distribution (e.g., Ubuntu)
- SSH access to the target machines
- Sudo privileges on the target machines
The role uses several variables to customize the deployment. Here are the main variables you can configure:
- `install_postgres`: Set to `true` to install and configure PostgreSQL (default: `false`)
- `install_redis`: Set to `true` to install and configure Redis (default: `false`)
- `install_infisical`: Set to `true` to install and configure Infisical (default: `false`)

- `db_user_username`: PostgreSQL user username
- `db_user_password`: PostgreSQL user password
- `db_name`: Name of the database to create
- `allowed_ip_addresses`: List of IP addresses allowed to connect to PostgreSQL

- `redis_username`: Redis username
- `redis_password`: Redis password

- `env_vars`: A dictionary of environment variables to set for Infisical
IMPORTANT: The `DB_CONNECTION_URI` and `REDIS_URL` variables will automatically be set if you specified `postgres_server` and `redis_server` hosts.
If you wish to use your own Redis server or PostgreSQL server, you can specify `DB_CONNECTION_URI` and `REDIS_URL` in the `env_vars`.

`ENCRYPTION_KEY` and `AUTH_SECRET` are automatically generated if they're not passed as part of the `env_vars`.
Here's an example playbook that demonstrates how to use this role:
```yaml
---
- hosts: postgres_server
  vars:
    ansible_user: ssh_username
    ansible_password: your_ssh_password
    ansible_become_password: your_sudo_password
  roles:
    - role: infisical_deploy
      vars:
        install_postgres: true
        allowed_ip_addresses:
          - "YOUR_LOCAL_IP"
          - "YOUR_INFISICAL_INSTANCE_IP"
        db_user_username: your_db_user
        db_user_password: your_db_password
        db_name: your_db_name

- hosts: redis_server
  vars:
    ansible_user: ssh_username
    ansible_password: your_ssh_password
    ansible_become_password: your_sudo_password
  roles:
    - role: infisical_deploy
      vars:
        install_redis: true
        redis_username: "your_redis_user"
        redis_password: "your_redis_password"

- hosts: infisical_instance
  vars:
    ansible_user: ssh_username
    ansible_password: your_ssh_password
    ansible_become_password: your_sudo_password
  roles:
    - role: infisical_deploy
      vars:
        install_infisical: true
        env_vars:
          TEST_VAR: "TEST_VALUE"
          TEST_VAR_2: "OTHER_VALUE"
```
Here's an example inventory file (`inventory.ini`) to use with this role:

```ini
[postgres_server]
YOUR_POSTGRES_SERVER_IP

[redis_server]
YOUR_REDIS_IP

[infisical_instance]
YOUR_INFISICAL_INSTANCE_IP  # This is the host Infisical will run on
```
- This role installs and configures HAProxy on the Infisical instance to handle incoming traffic.
- The role automatically generates and manages encryption keys and authentication secrets for Infisical.
- PostgreSQL and Redis connection URIs are automatically shared between hosts.
- Firewall rules are configured to allow necessary incoming connections.
- Ensure that you're using strong, unique passwords for all components (PostgreSQL, Redis, SSH).
- Review and adjust the `allowed_ip_addresses` for PostgreSQL to limit access as needed.
- Consider using Ansible Vault to encrypt sensitive variables in your playbook.