author | Dmitry Ilvokhin <d@ilvokhin.com> | 2024-01-20 17:52:30 +0000 |
---|---|---|
committer | Dmitry Ilvokhin <d@ilvokhin.com> | 2024-01-20 17:52:30 +0000 |
commit | 2822b40326df4c24042b879a64389ce5e594fa5b (patch) | |
tree | f8cc582a2a7c57299bc730bdfb645d119e75f70e | |
parent | de7032e7921ad11807a4a6a6a5e41d12a0e943c3 (diff) | |
Prepare to store encrypted secrets in the repo
-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | README.txt | 8 | ||||
-rw-r--r-- | ansible.cfg | 1 | ||||
-rwxr-xr-x | bin/decrypt-vault-password.sh | 3 | ||||
-rw-r--r-- | bin/rotate-vault-password.sh | 15 | ||||
-rw-r--r-- | misc/vault-password.asc | 12 | ||||
-rw-r--r-- | misc/vaults/example.yml | 6 |
7 files changed, 45 insertions, 1 deletions
@@ -1,3 +1,4 @@
 .env
 *.swp
 .DS_Store
+password.txt
@@ -10,7 +10,13 @@ $ pip3 install -r requirements.txt RUN
-$ ansible-playbook playbooks/essential.yml
+$ ansible-playbook essential.yml
+$ ansible-playbook web.yml
+
+
+ROTATE VAULT PASSWORD
+
+$ bin/rotate-vault-password.sh REFERENCES
diff --git a/ansible.cfg b/ansible.cfg
index 4423c2a..d5556bf 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -2,6 +2,7 @@ inventory = hosts.ini
 roles_path = roles
 remote_user = root
+vault_password_file = bin/decrypt-vault-password.sh
 # Don't want to see warning about Python. On everything I run, proper Python 3
 # should be discoverable.
 interpreter_python = auto_silent
diff --git a/bin/decrypt-vault-password.sh b/bin/decrypt-vault-password.sh
new file mode 100755
index 0000000..e82de62
--- /dev/null
+++ b/bin/decrypt-vault-password.sh
@@ -0,0 +1,3 @@
+#! /usr/bin/env sh
+
+gpg --decrypt --batch --quiet --use-agent misc/vault-password.asc
diff --git a/bin/rotate-vault-password.sh b/bin/rotate-vault-password.sh
new file mode 100644
index 0000000..1762786
--- /dev/null
+++ b/bin/rotate-vault-password.sh
@@ -0,0 +1,15 @@
+#! /usr/bin/env sh
+
+head -c 128 /dev/urandom | base64 > password.txt
+
+ansible-vault rekey
+ --new-vault-password-file password.txt \
+ `git grep -l 'ANSIBLE_VAULT;1.1;AES256$'`
+
+gpg \
+ -r d@ilvokhin.com \
+ --armor \
+ --output misc/vault-password.asc \
+ --encrypt password.txt
+
+ansible-vault view misc/vaults/example.yml && rm password.txt
diff --git a/misc/vault-password.asc b/misc/vault-password.asc
new file mode 100644
index 0000000..db9b52c
--- /dev/null
+++ b/misc/vault-password.asc
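Review bot: The gpg line in bin/decrypt-vault-password.sh reads `misc/vault-password.asc` as a path relative to the current directory, and the `vault_password_file = bin/decrypt-vault-password.sh` entry added to ansible.cfg is relative as well, so `ansible-playbook` only finds the password when invoked from the repository root; anchoring the script with `cd "$(dirname "$0")/.." || exit 1` before the gpg call removes that dependency on the caller's cwd. `--use-agent` is a dummy option on GnuPG 2.1 and later (the agent is always used), so it can be dropped without changing behaviour. The script is added with mode 100755, and that executable bit is what makes Ansible run it and use its stdout rather than treat the file as a literal password; that is worth a comment so nobody "fixes" the mode later, e.g. `# Must stay executable: Ansible runs executable vault_password_file entries and uses their stdout.`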
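Review bot: `ansible-vault rekey` in bin/rotate-vault-password.sh has no trailing backslash (the hunk's 15-line count confirms it is its own line), so the shell runs it alone with no files to rekey and then tries to execute `--new-vault-password-file password.txt `git grep …`` as a command; the vaults are never rekeyed, and since there is no `set -e` the script still overwrites misc/vault-password.asc with the new password, after which the final `ansible-vault view` fails against the un-rekeyed example.yml and the repo is left with an armor file that matches no vault. The file is also added with mode 100644 while the README invokes it as `bin/rotate-vault-password.sh`, so it needs `chmod +x`. password.txt is a plaintext vault password written under the default umask, and on GNU coreutils `base64` wraps at 76 columns so the password carries embedded newlines (Ansible only strips leading/trailing whitespace, so rekey and decrypt agree, but it is awkward to hand to `--ask-vault-pass`); `umask 077` and `tr -d '\n'` address both. On the second rotation gpg will find the existing misc/vault-password.asc and ask before overwriting (or fail under --batch) unless `--yes` is passed. Note that rekeying does not revoke the ciphertexts already in git history, so a rotation prompted by a suspected leak of the old password also needs the secrets inside the vaults changed.
```shell
#! /usr/bin/env sh
set -e
umask 077

head -c 128 /dev/urandom | base64 | tr -d '\n' > password.txt

ansible-vault rekey \
  --new-vault-password-file password.txt \
  `git grep -l 'ANSIBLE_VAULT;1.1;AES256$'`

gpg --yes \
  -r d@ilvokhin.com \
  # … unchanged: --armor/--output/--encrypt arguments and the final view && rm …
```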
@@ -0,0 +1,12 @@
+-----BEGIN PGP MESSAGE-----
+
+hF4DhWoD11YjyQUSAQdA041H8MaJmYwTGOmnFeFZZFlI7goQ/Sv2+1/LaWwX+20w
+dC8Tzmmve4y0G2Q4BOqJjVj/R5bIm+i4/ovqPUF7oeGY1wqEB2rUUTHMSn4Mh2ke
+1MA5AQkCEHCd1rcstoNdveW0k+AzIAS0vnhf/TwUpjp7ekDwaazpzW87kdo4Ga3M
+2IBSnVDa4/qhv1bFG2XxHSBAjQtde1yJNqGDb4zK8mLDvjGOBOkdv0ZRS4yjXT9o
+UTx1ugb/5CxmNY86ful48kGbaUzNC3avLHf5rRgqJAvGoBALIKDhafaeEhKdAFUy
+KNmOhzdN6d9WVtbJ4SGtK6PyDYIB5BfJg+2RQQ1aGphfdwFq27tDk3i+vmLIVc3R
+q7h06Gw0KRbnDge8APp09OLjZ3mzHsBvXHrUD3nvW/VVC1PcKYiJIgtMGQ7jP6zQ
+tP7i/KCUya3ARmJj
+=x2lC
+-----END PGP MESSAGE-----
diff --git a/misc/vaults/example.yml b/misc/vaults/example.yml
new file mode 100644
index 0000000..f7e9a05
--- /dev/null
+++ b/misc/vaults/example.yml
@@ -0,0 +1,6 @@
+$ANSIBLE_VAULT;1.1;AES256
+65653232303032636133323634333132656530356166333532323631383164646666323961633030
+3162643165663837326566643731376661623165333631620a383737386561313134336438326261
+33356361633535663731356432303432363833616532663433653230393433396366626339323165
+3236303631336530660a623262656632666139623038616133646139336565643732366337323331
+31633965303737336264356533653435373861366366616463656565636530306461 |