From bad42de98efc669388716bca4e4c18ccbdb2729a Mon Sep 17 00:00:00 2001
From: Illia Shestakov <illia@ishestakov.com>
Date: Tue, 7 Nov 2023 14:05:08 +0200
Subject: [PATCH] Add support of environment-specific secrets

They are loaded at runtime from ansible's environment
---
 tasks/config.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/tasks/config.yml b/tasks/config.yml
index 64eb6ea..852ae3f 100644
--- a/tasks/config.yml
+++ b/tasks/config.yml
@@ -61,6 +61,24 @@
     - tutor_config
     - tutor_deploy
 
+- name: TUTOR | Update config with environment-specific secrets
+  ansible.builtin.command: |
+    {{ tutor_venv_path }}/{{ tutor_exec_name }} config save --set {{ item.key }}={{ lookup("env", item.value) | to_yaml }}
+  environment:
+    TUTOR_ROOT: "{{ tutor_config_path }}"
+    TUTOR_PLUGINS_ROOT: "{{ tutor_config_path }}/plugins"
+    TUTOR_APP: "{{ tutor_app }}"
+  loop: "{{ tutor_env_secrets | dict2items }}"
+  when: tutor_env_secrets is defined
+  no_log: true
+  become: true
+  become_user: "{{ tutor_user }}"
+  changed_when: true  # Might change every moment
+  tags:
+    - tutor_config
+    - tutor_env_config
+    - tutor_deploy
+
 - name: TUTOR | Install production plugins
   ansible.builtin.copy:
     content: "{{ item.value }}"