authorDmitry Ilvokhin <d@ilvokhin.com>2024-01-20 17:52:30 +0000
committerDmitry Ilvokhin <d@ilvokhin.com>2024-01-20 17:52:30 +0000
commit2822b40326df4c24042b879a64389ce5e594fa5b (patch)
treef8cc582a2a7c57299bc730bdfb645d119e75f70e /bin
parentde7032e7921ad11807a4a6a6a5e41d12a0e943c3 (diff)
Prepare to store encrypted secrets in the repo
Diffstat (limited to 'bin')
-rwxr-xr-xbin/decrypt-vault-password.sh3
-rw-r--r--bin/rotate-vault-password.sh15
2 files changed, 18 insertions, 0 deletions
diff --git a/bin/decrypt-vault-password.sh b/bin/decrypt-vault-password.sh
new file mode 100755
index 0000000..e82de62
--- /dev/null
+++ b/bin/decrypt-vault-password.sh
@@ -0,0 +1,3 @@
+#! /usr/bin/env sh
+
+gpg --decrypt --batch --quiet --use-agent misc/vault-password.asc
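Review bot: The path `misc/vault-password.asc` on the gpg line is relative to the caller's working directory, so the script only decrypts correctly when invoked from the repository root; when Ansible runs it as a vault password file from another directory it will fail with a file-not-found error. Resolving the location from the script itself, e.g. `cd "$(dirname "$0")/.." || exit 1` before the gpg call, removes that dependency. `--use-agent` is a dummy option in GnuPG 2.1 and later (the agent is always used), so it can be dropped or kept only for older installations.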
diff --git a/bin/rotate-vault-password.sh b/bin/rotate-vault-password.sh
new file mode 100644
index 0000000..1762786
--- /dev/null
+++ b/bin/rotate-vault-password.sh
@@ -0,0 +1,15 @@
+#! /usr/bin/env sh
+
+head -c 128 /dev/urandom | base64 > password.txt
+
+ansible-vault rekey
+ --new-vault-password-file password.txt \
+ `git grep -l 'ANSIBLE_VAULT;1.1;AES256$'`
+
+gpg \
+ -r d@ilvokhin.com \
+ --armor \
+ --output misc/vault-password.asc \
+ --encrypt password.txt
+
+ansible-vault view misc/vaults/example.yml && rm password.txt
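Review bot: The `ansible-vault rekey` line is missing a trailing backslash, so `rekey` runs with no arguments and the next line is then executed as a separate command named `--new-vault-password-file`, which the shell cannot find; the rekey never happens while the rest of the script still overwrites `misc/vault-password.asc` with the new password. The command should read `ansible-vault rekey \`, `  --new-vault-password-file password.txt \`, `  $(git grep -l 'ANSIBLE_VAULT;1.1;AES256$')`, using `$(...)` instead of backticks. Since the script has no `set -e`, a failure in `head`, `rekey` or `gpg` does not stop it, so add `set -eu` after the shebang; also set `umask 077` before writing `password.txt`, as the plaintext vault password is otherwise created with the default permissions in the current directory until the final `rm`, which only runs if `ansible-vault view` succeeds.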