From 4a004caece0e397c7582dfeb8a9e7297c052c7a8 Mon Sep 17 00:00:00 2001
From: vincent
Date: Mon, 6 Jun 2022 13:32:15 +0200
Subject: [PATCH] migrate ansible-vault to hashicorp

---
 group_vars/HashicorpStack | 5 +-
 group_vars/VPS | 2 +-
 group_vars/all/all | 4 +-
 group_vars/all/all_vault | 192 ------------------------------------
 group_vars/dhcp | 7 +-
 group_vars/server/database | 19 ++--
 group_vars/server/mount | 36 +------
 group_vars/server/server | 5 +-
 group_vars/workstation | 2 +-
 makefile | 4 +-
 provisionning.yml | 2 +-
 11 files changed, 27 insertions(+), 251 deletions(-)
 delete mode 100644 group_vars/all/all_vault

diff --git a/group_vars/HashicorpStack b/group_vars/HashicorpStack
index e5b76dc..35f3a4e 100644
--- a/group_vars/HashicorpStack
+++ b/group_vars/HashicorpStack
@@ -1,11 +1,12 @@
 consul_client_addr: "0.0.0.0"
 consul_datacenter: "homelab"
-consul_gossip_encryption_key: "{{vault_consul_encryption}}"
+consul_gossip_encryption_key: "{{ lookup('hashi_vault','secret=secrets/data/ansible/hashistack:consul_encryption') }}"
+
 consul_backup_location: "/mnt/diskstation/git/backup/consul"
 consul_ansible_group: HashicorpStack
 consul_bootstrap_expect: 2
 nomad_vault_enabled: true
 nomad_vault_address: "http://active.vault.service.consul:8200"
 nomad_vault_role: "nomad-cluster"
-nomad_vault_token: "{{ vault_nomad_vault_token }}"
+nomad_vault_token: "{{ lookup('hashi_vault','secret=secrets/data/ansible/hashistack:nomad_vault_token') }}"
 nomad_bootstrap_expect: 2
diff --git a/group_vars/VPS b/group_vars/VPS
index 23cfce7..3aa8e7c 100644
--- a/group_vars/VPS
+++ b/group_vars/VPS
@@ -78,7 +78,7 @@ credentials_files:
 type: smb
 path: /etc/creds/hetzner_credentials
 username: u304977
- password: "{{vault_hetzner_storage}}"
+ password: "{{ lookup('hashi_vault','secret=secrets/data/ansible/storage:hetzner') }}"
diff --git a/group_vars/all/all b/group_vars/all/all
index a187d92..57a2dd8 100644
--- a/group_vars/all/all
+++ b/group_vars/all/all
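Review bot: The two added lookups make the Consul gossip key and the Nomad Vault token depend on a live Vault at `active.vault.service.consul` (the context line `nomad_vault_address`), but this is the group that runs Vault, Consul and Nomad, so a cold rebuild of the stack can no longer render its own group_vars. Keep an out-of-band path for these two bootstrap secrets (an override variable or a separately stored copy) and say so in the file, e.g. above `consul_gossip_encryption_key:`: `# bootstrap secret: Vault must already be reachable and VAULT_TOKEN exported (make generate-token) before this group renders`. The same cut-over applies to every other hunk of this patch; the deleted group_vars/all/all_vault ciphertext stays reachable in git history and the makefile still points at ansible-vault-pass.sh, so anyone holding the old vault password can still recover the previous values — rotating the migrated secrets at cut-over is what actually retires them.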
@@ -17,7 +17,7 @@ system_arch_local_mirror: "https://arch.{{domain.name}}"
 privatekeytodeploy:
 - user: "{{user.name}}"
 keyfile: "/home/{{user.name}}/.ssh/id_gitea"
- privatekey: "{{vault_gitea_private_key}}"
+ privatekey: "{{lookup('hashi_vault', 'secret=secrets/data/ansible/privatekey:gitea')}}"
 - user: root
 keyfile: /root/.ssh/id_gitea
- privatekey: "{{vault_gitea_private_key}}"
+ privatekey: "{{lookup('hashi_vault', 'secret=secrets/data/ansible/privatekey:gitea')}}"
diff --git a/group_vars/all/all_vault b/group_vars/all/all_vault
deleted file mode 100644
index 1836303..0000000
--- a/group_vars/all/all_vault
+++ /dev/null
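Review bot: The Jinja spacing of the two added lookups (`{{lookup(`…`)}}`) differs from the `{{ lookup(...) }}` form used in the other hunks of this patch, and group_vars/server/database uses a third variant (`{{ lookup(...)}}`); pick one, preferably with spaces inside the braces as ansible-lint's jinja spacing rule expects. The same literal is repeated for the user and root entries, so a single `gitea_deploy_key: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/privatekey:gitea') }}"` referenced from both `privatekey:` lines would keep the secret path in one place.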
@@ -1,192 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -61626562363436326532656663663434636364643836613333343035373637643565666436383165 -6663346364633662326334656231343165366631316366340a313966303234356139646530376130 -66343839656534613436326531356236643332373061326163303336646362613738336562343737 -3738613231643836320a633563663339323438383138663762303965313965343364326334353233 -35613261346563303335643362303864613032313961323863626237303438623332666633356436 -65656139613962633030653863643133323137313332333163613366336437666334633335343334 -33316263316563316562613037393365666439323737363330393338386237353534316534396138 -34373439326339373830303833396436386334383530633831356531393534326666313561383839 -65653534303065356432313165616537626635373438373930353438306337653865656639306138 -37636431333563393937316537323330383766353764366439313062333861396261623639623466 -31343733343463643363343634653637623361323334383766643865646166626333386237663132 -31323866303963383663363266636131633333386434393132386535303733666365303938623831 -39316466383936626562333764326562373862363761366662343733383637633537613139393333 -31363230653437613738393235353539333332313832386430653664633731646130386662613832 -62666439613939306539383362666633373631346636353365663531633639373666396362636231 -38666634313438356561643261623734623666626131383935643265383864346138336638663936 -32303239306235383263346366376532346431653934366262623034316662373166616439653539 -63643461613862393331343561393061356366343533333831316465346666303361323262386132 -32383161313738363633366166646238643832623735353630663236616665336534396134333034 -34323765396631336562376661636163386237326563343964373938666432616365636537343035 -66336163663133313330646237396666356464643434646237653637653864323766633765656538 -62656432626233666161663037646435313936363434373834313539613034653466353131383231 -38346337653231356639383136653461383534303664323864613937353339646538643830613931 
-39343633386131666462363963396238666133613738353066393939333330366135306437323239 -62336431613661363939613736313663303166373063616235313831613565316636653462306532 -34663938656661343662323765333233626637383331396138663066363363323263316466313466 -35653965626361373432316137636236356135663766393562626538373963353335336636613835 -65356533323265306332636233636134373864303761366530303462353136643462393835333761 -64373935653666623164663536316666313466366466353134633036353532386333313630323530 -32653138336364353134376461656630313238366565363938346438333661303666613361336134 -61393633363065623832376532346261353666393665666330393063373734376335616664353536 -66663537656430623162376631633839326465323162663862303164353236353264363032383938 -35376535643961623531353562383662623162356432373537663731663930303936323134363964 -63373334353664636637666366303234636666363334336132653631396133623238653662376530 -63393038613738353134313337316464613339653533663964366633323536366266636336383937 -62336436323366396161376339633631336338316666616161663466623931643364343232333665 -36653162333232376439666235306134663865336239306230366233366233626234616566653437 -31633839643965613536393661633562356562656432633534623034643462633363326230663038 -36633365386232316331383365653134663538303632366638363938316237616131633130343732 -62613061346261636235336330653538343731353336343130373234383636653738613161326661 -30336434613163396462663737363131373730343065323538363730366538373531643732633264 -38303337636437666161386538323331643166336539393461653963623630643863333135303236 -65656133383932386365353666396337663531336464346231633135363661626161383561346666 -61343135636362383436326163303037343132616461636439363861653363396235386139333935 -34626264306365393535343836366432396162336465343534353162383066306236356133346530 -64383436623431353234363962333665643865363861303635303835646535383839366533663436 -33323338366131663737613536373135313434313563616138333631666130363434363739386337 
-36633066356361313233633836363333633963363161656330363436613730303166353261343939 -63373263663562656535363034376539383031373739666633313765653562376161623232656666 -39363033303664383364636265333863353462323533366462653836626539353630323465333931 -30623134306363613765373730393734663937316262666230336334303033326263363461333663 -35316365663335363265343266646433383638396334613530353566613530623665663265383135 -64393534343532303336353438333561313564343739336462653662663861303133383162333436 -63666139333962643061626232396638383766333834646434623833343032613639343364393332 -31623635383535653961663331313233616364613437663562613934663932393430316135353533 -64663937393464383266643366343463316436636262366636373963333461326135313231393964 -33613362376231393631383531326461366461376130613632613834313831643937336531663239 -39353265303966326633633539643030373865666530666432376366623236336433316332303762 -38663734366339626237343435393235363161376337643165616232623938363730336630616139 -38303138626136306536366530636162636166383531363331393730323961386330326366613633 -32316562306464633135666365323562393230653164663238373935393433366139343463373562 -61626238646535373035613061323936373830313630353065316161326565353765363836386363 -31343835623937313462643163613238376335353034656133663265626136643839346361646261 -31386138326636616330663661393931326432636539363133663463353761653265373934346130 -36333263343034643365343930396233306434356635623136313231373730643361306164356562 -36376336663437346237653635366435353135636631666166353037636439623837613831326539 -31646537623463623634313137303132656634366664336530346233613364623361333062613366 -36363362666636623933656637316132616637373032303235376634393039666462333236656134 -34656630633133376635396136323362363665376330326133383766663365613662353933353835 -63333333623936353732656136376335626535356232653032383566366164613235393633353232 -64343733356565633766323561353037376338356638323665653263663737656133356430356165 
-37636232316433343137373735613534303266316363376663623961313965316335623435393133 -61653662386361366466393262323131333830366238636333396161333037366531346261323365 -61663462623531643637646630616230663132383962346632373663343936663632373339366331 -33653663376137303761616463373737653363303437383839646535323236376438623232633163 -34386237613530313261376235313338336632366139326263393234326430303962346434376233 -35373937396533363133633931353839333066303936653236336266663338313431323863643237 -33616165386563303561363639666138343435336432643637393033303463633432353532616330 -30373337383130303933353733626630373637393065383239386434383666636637363136383431 -61626632386131663836333235343765303438316130373461666134396562393165656264633965 -33323033646538323633323739383363323139633865383563313037613963303565306432376265 -35313863663463383064393236626539386164663264383133333032383935663661656238666235 -35306163303239333138373230366564616366386433383033666535623832633831346233663738 -34653664393961623137316162663231646335343138346639633731383434356364613363333633 -66623237656338646561383861326135393262623538653539393063353731383739303363303939 -62313737333136613664623538313838346635306631343365353738393935373338383235386438 -30393636393465313165653763356166626634303963643136633035333230393865653734313863 -37616431326239656536383866343764343462396461313030653166663665643261373463323331 -30643738333132636662313565383861653164356530613866303663373234666432353862383332 -63356237613035353163323737656134316137636635626433653363393936323261326131666135 -66613063653533373061396137333733303965303638656665633365366436303938646235333537 -65373439633833343061346636626637633337613131363333376235303461323561383866663336 -66663266356239323166643839386663663762313037663265306264373738626464313233393435 -63323938656432393139386432393533353732326635346332373034333238346235376263333366 -62663261366630313164383430626637356563666165313161393364383662663637386431623836 
-32336238623339613532346630356430636334643363336665366234643936353166373063303865 -39306434336139306134653037356130366539666434336532623036613537363836633763306163 -35333564613533373537386538326236656435636236366163336431376130663961633061383439 -64663139326663633934333832363866333639663763633762343039303635623062386337393532 -37383037386664633035313463306462646166303863666531376263303338323535383631626539 -38643530633564626238666137343566393166646533363738626131396466356161613461316539 -30383264396366393435666162616461326538323832343361363866343130653062363339636565 -34343732386436393838336264633836333432653433663832623534633466313536663830393366 -33366231303666316364613834336265643237376339393063643235306462313437623861663932 -34626538316362313862393634393732623036613661646564393163313032646631343465613039 -34333537646664666365623063633630633437613563303561653234396566643938313138663161 -34326463626130303138363263626131626239343863313461663861646665366133643530343739 -31323537613331316164353561653162646166396265323666353034616661366234396338333238 -32643964633238383637333337656561303964353062336136363062393038376339393537383139 -32636235663632343834316165626261316166653035633138343365633733386130336230643139 -37396235393336323162333233623161356333653262613130623562346230363232373230353564 -32346664356362616161303963646632633135333838666530616231383633656562346634326334 -32643137346638623932653461393361366539396337663865386431386439393537313639643938 -38303636316339666333313064363063343765306638376439343534633964623339363561373338 -37306632643866626466353430626137363437366135306231663631636234653165333439623266 -33663065336130326638656566396665663139323732353331653439353435353538633762313831 -62613134313262386439316561613364336336396333653664643566363734663131613365623330 -35373662363961383331636135393532646361363135643639616662666666363430323330643863 -39613464643236383961303132323635353030636565643835636462376238623464613463313763 
-65373263333266323736393833666335623230663937633866656365343939376334623561613339 -31363531353730633435336337636331333639376264323635613637306632373665323435633930 -32643166383439353561343836393063343665373230303566303831643831336564616263653765 -66666666303366643530373432366636623066363339656432383066383438353739366433653236 -34643631376335333233613230353462653935366630316665663639363438323936306538353634 -63356337363165636331386562356466396266623063616535303438663764626133393532306237 -32353132363535323934663064373862653039656266373830346138643236376233643535393433 -38353939666664313235633065336262336530313864656563616565333932316437666537356362 -33373664383362313937633562396135323432313563643731656531313962643162346664383661 -30366530363463643439353638393339336265323037313834393630616365663738303361653564 -37363462396661326338313938326531653835643738303666393130363763396231373039626663 -63326537366162643939643365333832346265393365373638333539656134363833313765343134 -34363338346139636536663938336561373532326163333731333163663435373165363466663665 -64373539623632313637636332653139353234303062363731363432373939363139646364306235 -63383162643733653534393063306162626136326432303766373133333639363737613463356131 -33393961313533383564653863633733653336643836383531363837613133666361316263646239 -63656461303633653035666134323834393666303033653632393764653836646638616264386163 -33343865636133353066636164336661373738313135646636393137333138633462666337333062 -39313963376361343137633363313134326235646266313132633030643263393538666231353833 -66643637306566623131343537303163306661353366356430373461386266383062346534393362 -32343339643361336466373962646439623665653863393166386639323634376332383861303032 -39363237386466363634623161666531616261323962346566346164653165633965336361366530 -31376638383065613831626432396638396132316138646639343439376439646237303132333936 -64373536353065333435663063633631643536636332306338383432623162653030636138366633 
-33373665373864353136333966663464376433303262366163626664393331356631633361363136 -30633739303036633731623036626431333736396431373063326534613366383936356535363365 -34393362663061326136613831313830643437316364326132363738333931646339326138396666 -34353334343133616137623832393238353330656132393937636462373561646363303137613237 -63316563346231336433343634383539666234663964623434363335623936326534333933393532 -36653865373939383934386436623536393563626636666330336561636164636664643935666231 -65643430646365613164653938343831666366663965316635653934363631643165323162633566 -33363135366136383235636635383239346532383434393336376638306434313936326639616234 -31636331343231306162643030636131316163386538613638633431663065393039356230393031 -61383163316336653866653035326538623562616361343834326533376339333034303861633362 -34656461306163626665656536363632393130303466373536386538393432373434323063663731 -32613234313232326563613639373934373039303234346362636139326165376261386566623063 -66633036626562346538663536386136663361366637613863386431313336313466656535666464 -62656164323134343264373461383536396430313132376337323363626339326161376134663931 -63396237363661373639373866313636303435666137333364623665613139626337656230633065 -65306138636536353365303564663164623535366265393530356666646531653731306430363631 -35316437613638363964303231623935616461663938336533636531653364333763326636303237 -35353831313436663539643563613336383230343736386561666637633133343032313136613962 -33313161333063303161653765656661626430313863653539333130366466376164316566303537 -30613162333366316361363435393835613431343936326137356233643736333234343039303761 -30376138346431646162626464623939306136646539326464646236383962323332333133393731 -39316537383631323531666538633534616364666335386332396263373364306530666666353737 -33396261346231656465313764363533343765333936366164656264306333333766323165616265 -34336361356239346164303434356431326632653462333933333530633334363134313463646635 
-61376632653465656262323537646230323031316638616634313835376465363265663463316465 -34346530653664313031396337323839653761343331643337613837333561353937333565616138 -30346462303234343663393239623865323631303036356237666264643837313439333238376234 -36633030336366636130336239323533303166613233363366656465326234323431616133643032 -32353733383130386461303236666434616434303836626532356436303361356565613136303430 -30336261626531323563346439326434633438646433333266663732626130383330386431613234 -35656332313333646463386338306635646366323966613564626365633436386365343438343838 -62323734653638316434316231313034663134646166613638623636383338393631396235373238 -33333464333066356538393765363939316361303331633764383464313834613266306362626162 -65653866323631373238333438326337373339626536393831626134376130646634653266363032 -66366632663839333233656432383065313438316335656637343330643438366533663634623539 -64653331626662663332383366393531663366316533353136623032343138313330643733313537 -38353338386561346237383763363137396364353661323234323561656232646230666630643563 -64333861363363373134323332623332376132306636396165383462626337373234313639343534 -31336161613235383664643162636237396239353237646363323235363731643337306530363035 -64623938323436363439626165656437353664656630613237316636633931373962343234653837 -34363863633366346637366166306337346430306532643635663337393735336639386663663364 -63623833363130396565663464393332396439396139353836633331353936356336336338363731 -33656130306436646233323336343234363263663436613935386562303233363835636638366137 -36323136383732616633393531353064363363356631373134636162636262393437653437663839 -39653463393338353130623733626362363665613430316365623938303635666365633163373533 -63336332336638613562373830663263376233646565646233343334646261316164663361393438 -66333938623438653166353636656539613430353035353561643864363661353535666334393865 -613665376161323236363633396531623662 
diff --git a/group_vars/dhcp b/group_vars/dhcp
index eeb73f8..fce043e 100644
--- a/group_vars/dhcp
+++ b/group_vars/dhcp
@@ -4,7 +4,10 @@ dhcpd_domain_name: "{{ domain.name }}"
 dhcpd_nameservers:
 - '192.168.1.40'
 - '192.168.1.10'
-dhcpd_keys: "{{ vault_dhcpd_keys }}"
+dhcpd_keys:
+ - key: dhcp
+ algorithm: HMAC-MD5
+ secret: "{{ lookup('hashi_vault','secret=secrets/data/ansible/other:dhcpd_key') }}"
 dhcpd_zones:
 - zone: "{{ domain.name }}."
@@ -137,7 +140,7 @@ credentials_files:
 type: smb
 path: /etc/creds/.diskstation_credentials
 username: admin
- password: "{{ vault_diskstation_admin }}"
+ password: "{{ lookup('hashi_vault','secret=secrets/data/ansible/storage:diskstation_admin') }}"
 systemd_mounts_enabled:
diff --git a/group_vars/server/database b/group_vars/server/database
index 316617d..36c0e98 100644
--- a/group_vars/server/database
+++ b/group_vars/server/database
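Review bot: `algorithm: HMAC-MD5` is now plain configuration in the added `dhcpd_keys` entry rather than part of the vaulted blob, and HMAC-MD5 is the legacy TSIG algorithm that current guidance steers away from. Since the key is being re-homed into Vault anyway, this is the natural moment to generate a fresh key under `algorithm: HMAC-SHA256` and update the matching key statement on the DNS server in the same change; the DNS side is not in this patch, so the two must move together. Fetching only the `secret:` field from Vault is the right split — the key name and algorithm are not sensitive.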
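Review bot: The `diskstation_admin` lookup literal added in the second hunk is repeated verbatim in group_vars/server/mount (its last hunk) and group_vars/workstation, each time inside the same `credentials_files` entry. Define it once, for instance in group_vars/all/all, which this patch already touches, as `diskstation_admin_password: "{{ lookup('hashi_vault','secret=secrets/data/ansible/storage:diskstation_admin') }}"`, and reference `"{{ diskstation_admin_password }}"` from each group, so a later move of the secret path is a one-line edit. The enclosing `credentials_files` list starts above this hunk.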
@@ -2,24 +2,23 @@
 postgresql_users:
 - name: root
 role_attr_flags: SUPERUSER
- password: "{{ vault_db_root }}"
+ password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:root')}}"
 - name: wikijs
- password: "{{ vault_db_wikijs }}"
+ password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:wikijs')}}"
 - name: ttrss
- password: "{{ vault_db_ttrss }}"
+ password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:ttrss')}}"
 - name: gitea
- password: "{{ vault_db_gitea }}"
+ password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:gitea')}}"
 - name: supysonic
- password: "{{ vault_db_supysonic }}"
+ password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:supysonic')}}"
 - name: hass
- password: "{{ vault_db_hass }}"
+ password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:hass')}}"
 - name: nextcloud
- password: "{{ vault_db_nextcloud }}"
+ password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:nextcloud')}}"
 - name: vaultwarden
- password: "{{ vault_db_vaultwarden }}"
+ password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:vaultwarden')}}"
 - name: drone
- password: "{{ vault_db_drone }}"
-
+ password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:drone')}}"
 postgresql_databases:
 - name: wikijs
diff --git a/group_vars/server/mount b/group_vars/server/mount
index aa04214..04922dd 100644
--- a/group_vars/server/mount
+++ b/group_vars/server/mount
@@ -57,18 +57,6 @@ systemd_mounts:
 options:
 - " "
 automount: true
- diskstation_nextcloud:
- share: //diskstation.ducamps.win/nextcloud
- mount: /mnt/diskstation/nextcloud
- type: cifs
- options:
- - credentials=/etc/creds/.diskstation_credentials
- - uid=33
- - gid=33
- - vers=3.0
- - dir_mode=0770
- - _netdev
- automount: true
 diskstation_archMirror:
 share: diskstation.ducamps.win:/volume2/archMirror
 mount: /mnt/diskstation/archMirror
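Review bot: All nine added `password:` values read the same Vault secret `secrets/data/ansible/database`, one field at a time, and each also drops the space before `}}` that the other hunks of this patch keep. Fetching the secret once without the `:field` suffix and indexing the returned mapping keeps a single path to maintain and removes the repetition; because group_vars are templated lazily this does not by itself cut Vault round-trips, and the shape of the returned mapping (whether the KV v2 `data`/`metadata` envelope is kept) should be checked on one lookup before converting every entry.
```yaml
# single read of the database secret; adjust the key path if the KV v2 response keeps its data/metadata envelope
postgresql_db_secrets: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database') }}"
postgresql_users:
  - name: root
    role_attr_flags: SUPERUSER
    password: "{{ postgresql_db_secrets.root }}"
  - name: wikijs
    password: "{{ postgresql_db_secrets.wikijs }}"
  # … unchanged: same pattern for ttrss, gitea, supysonic, hass, nextcloud, vaultwarden, drone …
```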
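Review bot: Removing the `diskstation_nextcloud` mount in this hunk, and `diskstation_certs`, the two `systemd_mounts_enabled` entries and the `samba_shares`/`samba_users` blocks in the next three hunks of this file, is unrelated to the ansible-vault to Vault migration named in the subject and is not explained in the message. Dropping `diskstation_certs` stops mounting `/etc/letsencrypt` from the NAS on server hosts; if any service there still reads certificates from that path it will only fail at its next restart or renewal, so that dependency is worth confirming before merge. Splitting these removals into their own commit with a one-line rationale would keep the secret migration reviewable on its own.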
@@ -76,13 +64,6 @@ systemd_mounts:
 options:
 - " "
 automount: true
- diskstation_certs:
- share: diskstation.ducamps.win:/volume2/certs/letsencrypt
- mount: /etc/letsencrypt
- type: nfs
- options:
- - " "
- automount: false
 diskstation_nomad:
 share: diskstation.ducamps.win:/volume2/nomad
 mount: /mnt/diskstation/nomad
@@ -100,9 +81,7 @@ systemd_mounts_enabled:
 - diskstation_CardDav
 - diskstation_media
 - diskstation_ebook
- - diskstation_nextcloud
 - diskstation_archMirror
- - diskstation_certs
 - diskstation_nomad
 credentials_files:
@@ -110,18 +89,5 @@ credentials_files:
 type: smb
 path: /etc/creds/.diskstation_credentials
 username: admin
- password: "{{ vault_diskstation_admin }}"
+ password: "{{ lookup('hashi_vault','secret=secrets/data/ansible/storage:diskstation_admin') }}"
-samba_shares:
- - name: hassconfig
- path: /var/lib/hass
- read_only: no
- writable: yes
- directory_mode: 770
- owner: hass
- group: hass
- write_list: "{{user.name}}"
-
-samba_users:
- - name: "{{user.name}}"
- password: "{{ vault_smb_user }}"
diff --git a/group_vars/server/server b/group_vars/server/server
index 8d237c9..b8e3513 100644
--- a/group_vars/server/server
+++ b/group_vars/server/server
@@ -1,7 +1,7 @@
 notification_mail: "{{inventory_hostname}}@{{ domain.name }}"
 msmtp_mailhub: smtp.{{ domain.name }}
 msmtp_auth_user: "{{ user.mail }}"
-msmtp_auth_pass: "{{ vault_email_password }}"
+msmtp_auth_pass: "{{ lookup('hashi_vault','secret=secrets/data/ansible/other:email') }}"
 rsynclocations:
 - name: backup nas
@@ -31,8 +31,7 @@ chisel_server_port: 9090
 chisel_server_backend: https://www.{{domain.name}}
 chisel_server_auth:
 user: chisel
- pass: "{{vault_chisel_server_pass}}"
-
+ pass: "{{ lookup('hashi_vault','secret=secrets/data/ansible/other:chisel_pass') }}"
 arch_mirror_location: "/mnt/diskstation/archMirror"
 system_user:
diff --git a/group_vars/workstation b/group_vars/workstation
index 1b3ede2..b3bab91 100644
--- a/group_vars/workstation
+++ b/group_vars/workstation
@@ -67,7 +67,7 @@ credentials_files:
 type: smb
 path: /etc/creds/.diskstation_credentials
 username: admin
- password: "{{ vault_diskstation_admin }}"
+ password: "{{ lookup('hashi_vault','secret=secrets/data/ansible/storage:diskstation_admin') }}"
 keystodeploy:
 - name: juicessh without password
diff --git a/makefile b/makefile
index 76bcd76..d6a6f5b 100644
--- a/makefile
+++ b/makefile
@@ -8,5 +8,5 @@ deploy_production:
 deploy_staging:
 ansible-playbook site.yml -i staging --vault-password-file=./ansible-vault-pass.sh
-edit-vault:
- ansible-vault edit group_vars/all/all_vault --vault-password-file=./ansible-vault-pass.sh
+generate-token:
+ @echo export VAULT_TOKEN=`vault token create -policy=ansible -field="token" -period 6h`
diff --git a/provisionning.yml b/provisionning.yml
index 3683d33..2173dde 100644
--- a/provisionning.yml
+++ b/provisionning.yml
@@ -7,7 +7,7 @@
 - hosts: all
 remote_user: root
 vars:
- ansible_password: "{{ vault_default_root }}"
+ ansible_password: "{{ lookup('hashi_vault','secret=secrets/data/ansible/user:root') }}"
 roles:
 - ansible_bootstrap
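Review bot: `deploy_staging` (and, from the hunk context, `deploy_production`) still passes `--vault-password-file=./ansible-vault-pass.sh` although this patch deletes the only vault file; unless other vault-encrypted data remains, drop the flag and the script so the old password stops being needed at all. The deploy targets also do nothing when `VAULT_TOKEN` is unset, so the failure surfaces mid-play as a lookup error; a prerequisite `check-token:` with the tab-indented recipe `@test -n "$$VAULT_TOKEN" || { echo 'VAULT_TOKEN unset; run: eval $$(make generate-token)'; exit 1; }` and `deploy_staging: check-token` fails fast and documents the intended `eval $(make generate-token)` usage, which the new target otherwise leaves unstated. `generate-token` prints the token to stdout by design, so it lands in terminal scrollback and, if pasted, in shell history; the 6h period bounds that exposure and is worth keeping.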