scip/bsdnix
1
0
Fork 0
Code Issues Pull Requests Activity

added secret encrpytion script and check, incl pre-commit hook

Browse Source
This commit is contained in:
Thomas von Dein 2024-11-27 12:42:27 +01:00
parent c49dff9ad4
commit caa6b9c78a
3 changed files with 106 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
Makefile
View File

@ -1,13 +1,14 @@
.PHONY: all deploy check clean create debug editvars test .PHONY: all deploy check clean create debug editvars test
VARS = group_vars/all/vars.yaml VARS = group_vars/all/vars.yaml
VALL = group_vars/all/all.yaml VALL = group_vars/all/all.yaml
TOKEN = $(shell ansible-vault decrypt --output - $(VARS) | grep hetzner_cloud_token | cut -d' ' -f2) SECRET = ~/.config/ansible/hcloud.secret
KEYDIR = roles/pubnix/files/keys
TOKEN = $(shell ansible-vault decrypt --output - $(VARS) | grep hetzner_cloud_token | cut -d' ' -f2)
SNAPNAME = $(shell cat $(VALL) | yq .snapshot)
SNAPNAME = $(shell cat $(VALL) | yq .snapshot) SNAPSHOT = $(shell hcloud image list -t snapshot -o yaml | \
SNAPSHOT = $(shell hcloud image list -t snapshot -o yaml | \
yq '. | map(select(.description == "$(SNAPNAME)")) | .[].id') yq '. | map(select(.description == "$(SNAPNAME)")) | .[].id')
OPTIONS = -i inventory -t active OPTIONS = -i inventory -t active
@ -20,9 +21,6 @@ SHOW_COMMAND = ansible-inventory -i inventory/hosts.hcloud.yaml --list
ENV = HCLOUD_TOKEN="$(TOKEN)" SNAPSHOT="$(SNAPSHOT)" ANSIBLE_VERBOSITY=$(verbose) ENV = HCLOUD_TOKEN="$(TOKEN)" SNAPSHOT="$(SNAPSHOT)" ANSIBLE_VERBOSITY=$(verbose)
x:
@echo $(TOKEN)
all: create deploy all: create deploy
debug: debug:
@ -42,6 +40,10 @@ clean:
check: check:
$(ENV) ansible-playbook deploy.yaml --syntax-check $(ENV) ansible-playbook deploy.yaml --syntax-check
bin/encryptkeys $(KEYDIR) $(SECRET) check
encryptkeys:
bin/encryptkeys $(KEYDIR) $(SECRET) encrypt
editvars: editvars:
ansible-vault decrypt $(VARS) ansible-vault decrypt $(VARS)

53
bin/encryptkeys Executable file
View File

@ -0,0 +1,53 @@
#!/bin/bash
# encrypt unencrypted secrets or warn if a secret is unencrypted in check mode
keydir=$1
secret=$2
mode=$3
if test -z "$mode"; then
echo "Usage: $0 keydir vault-password-file (check|encrypt)"
exit 1
fi
err=""
for key in "$keydir"/*; do
filetype=$(file "$key")
case "$filetype" in
*OpenSSH*)
case "$mode" in
encrypt)
ansible-vault encrypt --vault-password-file "$secret" --vault-id default "$key"
;;
check)
echo "$key is unencrypted!"
err=1
;;
esac
;;
*Ansible*Vault*)
case "$mode" in
check)
:
;;
esac
;;
*)
case "$mode" in
check)
echo "$key is an unknown clear text file!"
err=1
;;
esac
;;
esac
done
if test -n "$err"; then
exit 1
fi

42
roles/pubnix/files/keys/tom Normal file
View File

@ -0,0 +1,42 @@
$ANSIBLE_VAULT;1.1;AES256
31356362656165313531663465316362386534323532313630636666373333333566646364636465
6536363632363133326538376666333563343363306266380a336537653435613638396436343931
66393530626237396332313039663837666438376430626565313565366431663533333566323862
3637386136663238340a373961663661323935353934633934633334663934623764633431623364
31653366336138323062653936653266663130313064313031333964653061326437366137623139
64616663383232313233316562383961303334343138333837623635646166343539623734396631
62616632346539313737626565333632383062383866633836326330653531336636623166396337
34646262386664333065313637666537366537383665666662653966353330373131306236346138
39353932343931636331333230333439666534376333313134653761333835336331333734393166
34643632613834616163366539346536356130363663386137373134613732383432373165623765
66653239643862636431643033336531633339626666353933653766323138663466326631323332
30306165633837623464353338396333386631396162623763363632326462633262316163333133
33303335663036393335313562646366373764656139656135303937626366653963336365383466
38616566613436363038613138643033376430636566386236356434346334633866373635383139
39313931373334396333336330613062326130623965666330633735616331373332373530643761
64303335613961623966636662363935346231386430663664626237663530393834666537383539
62643166663735303030386538313363333033363264373964343165383230373935383564373137
34313936386234366336316537616232343337323464343563613530343966626165333462343930
61376139373235366436633766613339373738663937333265643535643837626339333339336135
63383364393962623032646164646661343337663464303166663966303133316331373830663231
33626161303137633332383035353164326330643437666234613864376366346363653063333839
35393333666161653566343866313066633966613537666238343531376633636233323632663536
61356432373935376363333233613239336432376432656166326462623735643464666438323765
34646165323932303561373233373161613263306336613535636363353135313739646365393436
30626332653339353934353964323964323635333734663339306339303265653339336666373635
62316139323465366161353731353938666331393239376638323238346331373738366536346332
30626563366337663131626461393235626230373561313635366630666566613433646538636237
64386166653439663633616564636365303539303734633338393962306438396139376432356265
30626232666539616139646337383332646162323263333338313035336364656632306330386533
31303466363831316163346365623734616135343837383364363563393937626364336162656136
31323039323235373730343266343839363333616134356137666235333362383234333762646266
37663463366339303535333134313136393864656334613437623538396330633933616363373564
31646634383735393430326232633732623566323137363262346566373130323563323664666261
37363131383866623437373262383365333630373764393530626237643636633362626666623330
37636234383665626137626464373932636239383366336665633366316164663263636461616532
31373266666531323566663432346163643637366436666462323935356531623639303032663961
39303637373536643432653139633636666466313333326134643831633864343062363335313932
61626566663530393761336238323334663263336536363962373761386564333664306232656332
66386231373962373432333237626362353134363962633962363539613934633262343363303933
38306534613233303432363930323334663230306165313630663863313137366433396539333630
61643265316535653337613730373331383164306535306336313361396433636337