read ip addresses for vhost files from env var
context:
- we currently store ip addresses to whitelist for loki and grafana in blackbox-encrypted vhost/****.ini files
- however, these ips are likely to change and it would be nice to have a single source of truth for them
- further: it would be nice if we didn't have to encrypt our entire config files just to hide the credentials that often comprise a very small fraction of the config file
suggested solution
- baseline: use `env_subst` to inject env vars into `.ini` files before mounting them into nginx container
- extra credit: seek to replicate this solution for as many other encrypted config files as possible so that we can get as close as we can to a solution in which `.env` provides ALL credentials and config files merely read their values from `.env` (payoff: a single source of truth for all credentials and more visibility into our infra configs for auditors and collaborators)
consolation prize
- add to our docs somewhere a playbook for moving server IPs around that reminds us we need to change the vhost files to hard-code the correct IP addys
Edited by aguestuser
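For the baseline in the suggested solution above, an added sketch (not code from this project) of rendering a vhost template from a single env var before the file is mounted. It uses `sed` in place of `env_subst` so that only the one named placeholder is replaced and any other `$`-prefixed text in the file is left alone, and it refuses to render unless the value is a well-formed IPv4/CIDR list. The names `render_vhost`, `valid_ip_list` and `LOKI_ALLOW_IPS` and the template contents are hypothetical.

```shell
#!/bin/sh
# Added example: fill one ${VAR} placeholder in a vhost template, failing closed.

# True only for a comma-separated list of IPv4 addresses or CIDR blocks.
valid_ip_list() (
    set -f                                   # no globbing while splitting
    [ -n "$1" ] || exit 1
    case $1 in *[!0-9.,/]*) exit 1 ;; esac   # rejects spaces, newlines, sed metachars
    IFS=,
    for entry in $1; do
        printf '%s\n' "$entry" |
            grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || exit 1
        IFS=.
        for octet in ${entry%%/*}; do
            [ "$octet" -le 255 ] || exit 1
        done
        IFS=,
    done
)

# render_vhost TEMPLATE VARNAME: print TEMPLATE with ${VARNAME} filled in.
render_vhost() {
    template=$1 var=$2
    case $var in ''|[0-9]*|*[!A-Za-z0-9_]*) echo "bad variable name" >&2; return 2 ;; esac
    eval "value=\${$var:-}"
    if ! valid_ip_list "$value"; then
        echo "refusing to render $template: $var is unset or not an IPv4 list" >&2
        return 1
    fi
    if ! grep -qF "\${$var}" "$template"; then
        echo "refusing to render $template: no \${$var} placeholder" >&2
        return 1
    fi
    # The value was validated above, so it cannot contain '|', '&' or '\'.
    sed "s|[\$]{$var}|$value|g" "$template"
}

# Constructed demo: run with --demo to render a sample template.
if [ "${1:-}" = "--demo" ]; then
    tpl=$(mktemp)
    printf '%s\n' 'allow_ips = ${LOKI_ALLOW_IPS}' 'log_format = $remote_addr $host' > "$tpl"
    LOKI_ALLOW_IPS=203.0.113.7,198.51.100.0/24
    render_vhost "$tpl" LOKI_ALLOW_IPS
    rm -f "$tpl"
fi
```

Redirect the output to a file outside the repository (or to a tmpfs path) and mount that into the container, so the rendered allow-list never needs to be committed or encrypted.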