From caa6b9c78aae9411933ea9193a3905d301fc5579 Mon Sep 17 00:00:00 2001
From: Thomas von Dein
Date: Wed, 27 Nov 2024 12:42:27 +0100
Subject: [PATCH] added secret encrpytion script and check, incl pre-commit hook
---
 Makefile | 20 +++++++-------
 bin/encryptkeys | 53 +++++++++++++++++++++++++++++++++++++
 roles/pubnix/files/keys/tom | 42 +++++++++++++++++++++++++++++
 3 files changed, 106 insertions(+), 9 deletions(-)
 create mode 100755 bin/encryptkeys
 create mode 100644 roles/pubnix/files/keys/tom
diff --git a/Makefile b/Makefile
index 5349be8..ed8c280 100644
--- a/Makefile
+++ b/Makefile
@@ -1,13 +1,14 @@
 .PHONY: all deploy check clean create debug editvars test
-VARS = group_vars/all/vars.yaml
-VALL = group_vars/all/all.yaml
-TOKEN = $(shell ansible-vault decrypt --output - $(VARS) | grep hetzner_cloud_token | cut -d' ' -f2)
+VARS = group_vars/all/vars.yaml
+VALL = group_vars/all/all.yaml
+SECRET = ~/.config/ansible/hcloud.secret
+KEYDIR = roles/pubnix/files/keys
+TOKEN = $(shell ansible-vault decrypt --output - $(VARS) | grep hetzner_cloud_token | cut -d' ' -f2)
+SNAPNAME = $(shell cat $(VALL) | yq .snapshot)
-SNAPNAME = $(shell cat $(VALL) | yq .snapshot)
-
-SNAPSHOT = $(shell hcloud image list -t snapshot -o yaml | \
+SNAPSHOT = $(shell hcloud image list -t snapshot -o yaml | \
 yq '. | map(select(.description == "$(SNAPNAME)")) | .[].id')
 OPTIONS = -i inventory -t active
@@ -20,9 +21,6 @@ SHOW_COMMAND = ansible-inventory -i inventory/hosts.hcloud.yaml --list
 ENV = HCLOUD_TOKEN="$(TOKEN)" SNAPSHOT="$(SNAPSHOT)" ANSIBLE_VERBOSITY=$(verbose)
-x:
- @echo $(TOKEN)
-
 all: create deploy
 debug:
@@ -42,6 +40,10 @@ clean:
 check:
 $(ENV) ansible-playbook deploy.yaml --syntax-check
+ bin/encryptkeys $(KEYDIR) $(SECRET) check
+
+encryptkeys:
+ bin/encryptkeys $(KEYDIR) $(SECRET) encrypt
 editvars:
 ansible-vault decrypt $(VARS)
diff --git a/bin/encryptkeys b/bin/encryptkeys
new file mode 100755
index 0000000..35b8081
--- /dev/null
+++ b/bin/encryptkeys
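Review bot: `SECRET = ~/.config/ansible/hcloud.secret` relies on the shell expanding the leading tilde when `$(SECRET)` is pasted unquoted into a recipe; Make itself never expands `~`, so as soon as the path is quoted (`"$(SECRET)"`) or used inside a `$(shell …)` call the literal `~/` is passed on and the vault password file is not found. Prefer `SECRET ?= $(HOME)/.config/ansible/hcloud.secret`, which also lets a user point at a different password file from the command line. The rewritten `TOKEN`, `SNAPNAME` and `SNAPSHOT` lines keep the recursive `=` flavour, so every reference to `$(TOKEN)` (there is one in `ENV`) re-runs `ansible-vault decrypt`; since `SNAPNAME` is now defined before `SNAPSHOT` and none of the three depends on anything set later, `:=` would run each command once per make invocation.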
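Review bot: `encryptkeys:` is a command-style target that creates no file, but the `.PHONY` line at the top of this Makefile (context in the first hunk) is not extended with it, so a stray file named `encryptkeys` in the repository root would make `make encryptkeys` report nothing to do and leave new keys in clear text; change it to `.PHONY: all deploy check clean create debug editvars test encryptkeys`. The commit subject mentions a pre-commit hook, yet the diffstat lists only the Makefile, the script and the vaulted key, so presumably `make check` is what the hook is expected to call — a one-line comment above `check:` stating that would spare the next reader the guess.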
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# encrypt unencrypted secrets or warn if a secret is unencrypted in check mode
+
+keydir=$1
+secret=$2
+mode=$3
+
+if test -z "$mode"; then
+ echo "Usage: $0 keydir vault-password-file (check|encrypt)"
+ exit 1
+fi
+
+err=""
+
+for key in "$keydir"/*; do
+ filetype=$(file "$key")
+
+ case "$filetype" in
+ *OpenSSH*)
+ case "$mode" in
+ encrypt)
+ ansible-vault encrypt --vault-password-file "$secret" --vault-id default "$key"
+ ;;
+ check)
+ echo "$key is unencrypted!"
+ err=1
+ ;;
+ esac
+ ;;
+ *Ansible*Vault*)
+ case "$mode" in
+ check)
+ :
+ ;;
+ esac
+ ;;
+ *)
+ case "$mode" in
+ check)
+ echo "$key is an unknown clear text file!"
+ err=1
+ ;;
+ esac
+ ;;
+
+
+ esac
+done
+
+if test -n "$err"; then
+ exit 1
+fi
diff --git a/roles/pubnix/files/keys/tom b/roles/pubnix/files/keys/tom
new file mode 100644
index 0000000..94cf356
--- /dev/null
+++ b/roles/pubnix/files/keys/tom
@@ -0,0 +1,42 @@
+$ANSIBLE_VAULT;1.1;AES256
+31356362656165313531663465316362386534323532313630636666373333333566646364636465
+6536363632363133326538376666333563343363306266380a336537653435613638396436343931
+66393530626237396332313039663837666438376430626565313565366431663533333566323862
+3637386136663238340a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
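Review bot: In `encrypt` mode a failing `ansible-vault encrypt` (wrong or missing password file, unwritable key) is never recorded, because `err` is only set in the `check` branches, so the script exits 0 and `make encryptkeys` reports success while the key is still in clear text; append `|| err=1` to the `ansible-vault encrypt` line. `filetype=$(file "$key")` keeps the file name in the string being matched, so a key whose name happens to contain `OpenSSH` or `Vault` is classified by its name rather than its content — use `filetype=$(file -b "$key")`. When `$keydir` is empty or does not exist the glob stays literal and `file` is run on the path `"$keydir"/*`, whose error text lands in the `*)` branch and is reported as an "unknown clear text file"; a `shopt -s nullglob` before the loop (this is a bash script) lets an empty directory pass cleanly. Note that with a `file` whose magic database does not recognise Ansible Vault, vaulted keys also fall into the `*)` branch and are flagged as clear text — that fails closed, which is the right direction for a pre-commit check, but a comment on the `*Ansible*Vault*` pattern saying so would help whoever hits it.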