Added info about generating tunnel secrets

README.md

@@ -0,0 +1,32 @@
+## Secrets
+
+ansible vault secrets are stored in [group_vars/all/vault.yml](group_vars/all/vault.yml)
+
+Note that the directory path and filename are important.
+
+The format of the file is
+
+```yaml
+---
+become_pass: <ansible_user_become_pass>
+```
+
+Secrets required for Terraform can be stored in a file:
+
+ex. terraform/.secrets which is already ignored by Git
+
+Required variables:
+```shell
+export TF_VAR_cloudflare_token=<cloudflare_token>
+export TF_VAR_zone_id=<cloudflare_zone_id>
+export TF_VAR_account_id=<cloudflare_account_id>
+export TF_VAR_tunnel_secret=<tunnel_secret>
+```
+
+Note the cloudflare token requires Zone/DNS:edit and Account/Cloudflare Tunnel:edit privs
+
+I generate tunnel secrets with this command:
+
+```shell
+hexdump -vn32 -e'4/4 "%08X"' /dev/urandom | base64 -w0 -
+```

group_vars/all/vault.yml

@@ -1,7 +1,7 @@
 $ANSIBLE_VAULT;1.1;AES256
-32643233343538366363373035373736393162363762643866323561656462356539613639386537
+32333266666163316137626335643664386135323562666232306334386265333034373531613261
-6264303136303132326235336265346533323930643762330a323661326230333763383737336362
+3339633836333330623533333430386131376539626137350a313832663639363133353262383835
-34626439306334313539333065643366633438356330386465626539306439666630643531383630
+65326662316535333237666565346534363863303635613961643763656563646339663062306466
-3134643463313236370a333566393539613963646131383830643538386561393539646366356338
+3934353235393236630a326562636630316333353035616432363738666132303039643961653631
-32343438323936323265643732333964363032303564623864393461376339306264663162306434
+33303266623262323837643438633564353132393037366331653833393936323065653831343862
-6266623662306137346366306264353165656162326131343235
+6538393632346563636361363364366235336162373934643730