bin/rotate-vault-password


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

#! /usr/bin/env sh

head -c 128 /dev/urandom | base64 > password.txt

ansible-vault rekey
    --new-vault-password-file password.txt \
    `git grep -l 'ANSIBLE_VAULT;1.1;AES256$'`

gpg \
  -r d@ilvokhin.com \
  --armor \
  --output misc/vault-password.asc \
  --encrypt password.txt

ansible-vault view misc/vaults/example.yml |\
    grep 'Secret revealed!' > /dev/null && rm password.txt