From 2822b40326df4c24042b879a64389ce5e594fa5b Mon Sep 17 00:00:00 2001
From: Dmitry Ilvokhin
Date: Sat, 20 Jan 2024 17:52:30 +0000
Subject: Prepare to store encrypted secrets in the repo

---
 .gitignore | 1 +
 README.txt | 8 +++++++-
 ansible.cfg | 1 +
 bin/decrypt-vault-password.sh | 3 +++
 bin/rotate-vault-password.sh | 15 +++++++++++++++
 misc/vault-password.asc | 12 ++++++++++++
 misc/vaults/example.yml | 6 ++++++
 7 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100755 bin/decrypt-vault-password.sh
 create mode 100644 bin/rotate-vault-password.sh
 create mode 100644 misc/vault-password.asc
 create mode 100644 misc/vaults/example.yml

diff --git a/.gitignore b/.gitignore
index fe1ae0c..c80010a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 .env
 *.swp
 .DS_Store
+password.txt
diff --git a/README.txt b/README.txt
index 4b04a8c..b3b36a9 100644
--- a/README.txt
+++ b/README.txt
@@ -10,7 +10,13 @@ $ pip3 install -r requirements.txt
 
 RUN
 
-$ ansible-playbook playbooks/essential.yml
+$ ansible-playbook essential.yml
+$ ansible-playbook web.yml
+
+
+ROTATE VAULT PASSWORD
+
+$ bin/rotate-vault-password.sh
 
 
 REFERENCES
diff --git a/ansible.cfg b/ansible.cfg
index 4423c2a..d5556bf 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -2,6 +2,7 @@
 inventory = hosts.ini
 roles_path = roles
 remote_user = root
+vault_password_file = bin/decrypt-vault-password.sh
 # Don't want to see warning about Python. On everything I run, proper Python 3
 # should be discoverable.
 interpreter_python = auto_silent
diff --git a/bin/decrypt-vault-password.sh b/bin/decrypt-vault-password.sh
new file mode 100755
index 0000000..e82de62
--- /dev/null
+++ b/bin/decrypt-vault-password.sh
@@ -0,0 +1,3 @@
+#! /usr/bin/env sh
+
+gpg --decrypt --batch --quiet --use-agent misc/vault-password.asc
diff --git a/bin/rotate-vault-password.sh b/bin/rotate-vault-password.sh
new file mode 100644
index 0000000..1762786
--- /dev/null
+++ b/bin/rotate-vault-password.sh
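Review bot: `misc/vault-password.asc` in bin/decrypt-vault-password.sh is resolved against the caller's current directory, so the helper that ansible.cfg now names as `vault_password_file` only yields a password when ansible is started from the repository root and fails silently from anywhere else; anchoring the path to the script's own location avoids that, e.g. `cd "$(dirname "$0")/.." && exec gpg --decrypt --batch --quiet misc/vault-password.asc`. GnuPG 2.x documents `--use-agent` as a dummy option, so it can be dropped. Keeping gpg as the last (or exec'd) command is the right shape, since its non-zero exit status is what tells Ansible the password could not be obtained rather than handing it an empty string.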
@@ -0,0 +1,15 @@
+#! /usr/bin/env sh
+
+head -c 128 /dev/urandom | base64 > password.txt
+
+ansible-vault rekey
+ --new-vault-password-file password.txt \
+ `git grep -l 'ANSIBLE_VAULT;1.1;AES256$'`
+
+gpg \
+ -r d@ilvokhin.com \
+ --armor \
+ --output misc/vault-password.asc \
+ --encrypt password.txt
+
+ansible-vault view misc/vaults/example.yml && rm password.txt
diff --git a/misc/vault-password.asc b/misc/vault-password.asc
new file mode 100644
index 0000000..db9b52c
--- /dev/null
+++ b/misc/vault-password.asc
@@ -0,0 +1,12 @@
+-----BEGIN PGP MESSAGE-----
+
+hF4DhWoD11YjyQUSAQdA041H8MaJmYwTGOmnFeFZZFlI7goQ/Sv2+1/LaWwX+20w
+dC8Tzmmve4y0G2Q4BOqJjVj/R5bIm+i4/ovqPUF7oeGY1wqEB2rUUTHMSn4Mh2ke
+1MA5AQkCEHCd1rcstoNdveW0k+AzIAS0vnhf/TwUpjp7ekDwaazpzW87kdo4Ga3M
+2IBSnVDa4/qhv1bFG2XxHSBAjQtde1yJNqGDb4zK8mLDvjGOBOkdv0ZRS4yjXT9o
+UTx1ugb/5CxmNY86ful48kGbaUzNC3avLHf5rRgqJAvGoBALIKDhafaeEhKdAFUy
+KNmOhzdN6d9WVtbJ4SGtK6PyDYIB5BfJg+2RQQ1aGphfdwFq27tDk3i+vmLIVc3R
+q7h06Gw0KRbnDge8APp09OLjZ3mzHsBvXHrUD3nvW/VVC1PcKYiJIgtMGQ7jP6zQ
+tP7i/KCUya3ARmJj
+=x2lC
+-----END PGP MESSAGE-----
diff --git a/misc/vaults/example.yml b/misc/vaults/example.yml
new file mode 100644
index 0000000..f7e9a05
--- /dev/null
+++ b/misc/vaults/example.yml
@@ -0,0 +1,6 @@
+$ANSIBLE_VAULT;1.1;AES256
+65653232303032636133323634333132656530356166333532323631383164646666323961633030
+3162643165663837326566643731376661623165333631620a383737386561313134336438326261
+33356361633535663731356432303432363833616532663433653230393433396366626339323165
+3236303631336530660a623262656632666139623038616133646139336565643732366337323331
+31633965303737336264356533653435373861366366616463656565636530306461
-- 
cgit v1.2.3-70-g09d2
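Review bot: The `ansible-vault rekey` line has no trailing `\`, so rekey runs with no arguments and `--new-vault-password-file password.txt …` is then executed as a separate command; the first fix is `ansible-vault rekey \`. The script also has no `set -e`, so a failed rekey does not stop gpg from overwriting misc/vault-password.asc with a password the vaults were never converted to, and `rm password.txt` only runs when the final `view` succeeds, leaving the plaintext password (world-readable under a default umask) on disk after any failure. The rewrite below adds `set -eu`, `umask 077` and an EXIT trap for cleanup, and encrypts the new password before rekeying so that a partial rekey is still recoverable from the encrypted `.new` file. The file is created with mode 100644 although README.txt invokes it as `bin/rotate-vault-password.sh`, so it needs the executable bit or the README should say `sh bin/rotate-vault-password.sh`. Depending on the base64 implementation the output may be wrapped at 76 columns, giving a multi-line password; `tr -d '\n'` keeps it on one line.
```shell
#! /usr/bin/env sh
set -eu
umask 077
# Remove the plaintext password on every exit path, not only on success.
trap 'rm -f password.txt' EXIT

head -c 128 /dev/urandom | base64 | tr -d '\n' > password.txt

# Encrypt the new password first so a partially completed rekey can still be
# recovered from the .new file.
gpg \
  -r d@ilvokhin.com \
  --armor \
  --output misc/vault-password.asc.new \
  --encrypt password.txt

ansible-vault rekey \
  --new-vault-password-file password.txt \
  `git grep -l 'ANSIBLE_VAULT;1.1;AES256$'`

mv misc/vault-password.asc.new misc/vault-password.asc
ansible-vault view misc/vaults/example.yml
```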