migrate ansible-vault to hashicorp

2022-06-06 13:32:15 +02:00 · 2022-06-06 13:32:15 +02:00 · 4a004caece
commit 4a004caece
parent acc8fffa0b
11 changed files with 27 additions and 251 deletions
--- a/group_vars/HashicorpStack
+++ b/group_vars/HashicorpStack
@ -1,11 +1,12 @@
 consul_client_addr: "0.0.0.0"
 consul_datacenter: "homelab"
-consul_gossip_encryption_key: "{{vault_consul_encryption}}"
+consul_gossip_encryption_key: "{{ lookup('hashi_vault','secret=secrets/data/ansible/hashistack:consul_encryption') }}"
 consul_backup_location: "/mnt/diskstation/git/backup/consul"
 consul_ansible_group: HashicorpStack
 consul_bootstrap_expect: 2
 nomad_vault_enabled: true
 nomad_vault_address: "http://active.vault.service.consul:8200"
 nomad_vault_role: "nomad-cluster"
-nomad_vault_token: "{{  vault_nomad_vault_token }}"
+nomad_vault_token: "{{ lookup('hashi_vault','secret=secrets/data/ansible/hashistack:nomad_vault_token') }}"
 nomad_bootstrap_expect: 2
--- a/group_vars/VPS
+++ b/group_vars/VPS
@ -78,7 +78,7 @@ credentials_files:
      type: smb
      path: /etc/creds/hetzner_credentials
      username: u304977
-      password: "{{vault_hetzner_storage}}"
+      password: "{{ lookup('hashi_vault','secret=secrets/data/ansible/storage:hetzner') }}"
--- a/group_vars/all/all
+++ b/group_vars/all/all
@ -17,7 +17,7 @@ system_arch_local_mirror: "https://arch.{{domain.name}}"
 privatekeytodeploy:
    - user: "{{user.name}}"
      keyfile: "/home/{{user.name}}/.ssh/id_gitea"
-      privatekey: "{{vault_gitea_private_key}}"
+      privatekey: "{{lookup('hashi_vault', 'secret=secrets/data/ansible/privatekey:gitea')}}"
    - user: root
      keyfile: /root/.ssh/id_gitea
-      privatekey: "{{vault_gitea_private_key}}"
+      privatekey: "{{lookup('hashi_vault', 'secret=secrets/data/ansible/privatekey:gitea')}}"
--- a/group_vars/all/all_vault
+++ b/group_vars/all/all_vault
@ -1,192 +0,0 @@
 $ANSIBLE_VAULT;1.1;AES256
 61626562363436326532656663663434636364643836613333343035373637643565666436383165
 6663346364633662326334656231343165366631316366340a313966303234356139646530376130
 66343839656534613436326531356236643332373061326163303336646362613738336562343737
 3738613231643836320a633563663339323438383138663762303965313965343364326334353233
 35613261346563303335643362303864613032313961323863626237303438623332666633356436
 65656139613962633030653863643133323137313332333163613366336437666334633335343334
 33316263316563316562613037393365666439323737363330393338386237353534316534396138
 34373439326339373830303833396436386334383530633831356531393534326666313561383839
 65653534303065356432313165616537626635373438373930353438306337653865656639306138
 37636431333563393937316537323330383766353764366439313062333861396261623639623466
 31343733343463643363343634653637623361323334383766643865646166626333386237663132
 31323866303963383663363266636131633333386434393132386535303733666365303938623831
 39316466383936626562333764326562373862363761366662343733383637633537613139393333
 31363230653437613738393235353539333332313832386430653664633731646130386662613832
 62666439613939306539383362666633373631346636353365663531633639373666396362636231
 38666634313438356561643261623734623666626131383935643265383864346138336638663936
 32303239306235383263346366376532346431653934366262623034316662373166616439653539
 63643461613862393331343561393061356366343533333831316465346666303361323262386132
 32383161313738363633366166646238643832623735353630663236616665336534396134333034
 34323765396631336562376661636163386237326563343964373938666432616365636537343035
 66336163663133313330646237396666356464643434646237653637653864323766633765656538
 62656432626233666161663037646435313936363434373834313539613034653466353131383231
 38346337653231356639383136653461383534303664323864613937353339646538643830613931
 39343633386131666462363963396238666133613738353066393939333330366135306437323239
 62336431613661363939613736313663303166373063616235313831613565316636653462306532
 34663938656661343662323765333233626637383331396138663066363363323263316466313466
 35653965626361373432316137636236356135663766393562626538373963353335336636613835
 65356533323265306332636233636134373864303761366530303462353136643462393835333761
 64373935653666623164663536316666313466366466353134633036353532386333313630323530
 32653138336364353134376461656630313238366565363938346438333661303666613361336134
 61393633363065623832376532346261353666393665666330393063373734376335616664353536
 66663537656430623162376631633839326465323162663862303164353236353264363032383938
 35376535643961623531353562383662623162356432373537663731663930303936323134363964
 63373334353664636637666366303234636666363334336132653631396133623238653662376530
 63393038613738353134313337316464613339653533663964366633323536366266636336383937
 62336436323366396161376339633631336338316666616161663466623931643364343232333665
 36653162333232376439666235306134663865336239306230366233366233626234616566653437
 31633839643965613536393661633562356562656432633534623034643462633363326230663038
 36633365386232316331383365653134663538303632366638363938316237616131633130343732
 62613061346261636235336330653538343731353336343130373234383636653738613161326661
 30336434613163396462663737363131373730343065323538363730366538373531643732633264
 38303337636437666161386538323331643166336539393461653963623630643863333135303236
 65656133383932386365353666396337663531336464346231633135363661626161383561346666
 61343135636362383436326163303037343132616461636439363861653363396235386139333935
 34626264306365393535343836366432396162336465343534353162383066306236356133346530
 64383436623431353234363962333665643865363861303635303835646535383839366533663436
 33323338366131663737613536373135313434313563616138333631666130363434363739386337
 36633066356361313233633836363333633963363161656330363436613730303166353261343939
 63373263663562656535363034376539383031373739666633313765653562376161623232656666
 39363033303664383364636265333863353462323533366462653836626539353630323465333931
 30623134306363613765373730393734663937316262666230336334303033326263363461333663
 35316365663335363265343266646433383638396334613530353566613530623665663265383135
 64393534343532303336353438333561313564343739336462653662663861303133383162333436
 63666139333962643061626232396638383766333834646434623833343032613639343364393332
 31623635383535653961663331313233616364613437663562613934663932393430316135353533
 64663937393464383266643366343463316436636262366636373963333461326135313231393964
 33613362376231393631383531326461366461376130613632613834313831643937336531663239
 39353265303966326633633539643030373865666530666432376366623236336433316332303762
 38663734366339626237343435393235363161376337643165616232623938363730336630616139
 38303138626136306536366530636162636166383531363331393730323961386330326366613633
 32316562306464633135666365323562393230653164663238373935393433366139343463373562
 61626238646535373035613061323936373830313630353065316161326565353765363836386363
 31343835623937313462643163613238376335353034656133663265626136643839346361646261
 31386138326636616330663661393931326432636539363133663463353761653265373934346130
 36333263343034643365343930396233306434356635623136313231373730643361306164356562
 36376336663437346237653635366435353135636631666166353037636439623837613831326539
 31646537623463623634313137303132656634366664336530346233613364623361333062613366
 36363362666636623933656637316132616637373032303235376634393039666462333236656134
 34656630633133376635396136323362363665376330326133383766663365613662353933353835
 63333333623936353732656136376335626535356232653032383566366164613235393633353232
 64343733356565633766323561353037376338356638323665653263663737656133356430356165
 37636232316433343137373735613534303266316363376663623961313965316335623435393133
 61653662386361366466393262323131333830366238636333396161333037366531346261323365
 61663462623531643637646630616230663132383962346632373663343936663632373339366331
 33653663376137303761616463373737653363303437383839646535323236376438623232633163
 34386237613530313261376235313338336632366139326263393234326430303962346434376233
 35373937396533363133633931353839333066303936653236336266663338313431323863643237
 33616165386563303561363639666138343435336432643637393033303463633432353532616330
 30373337383130303933353733626630373637393065383239386434383666636637363136383431
 61626632386131663836333235343765303438316130373461666134396562393165656264633965
 33323033646538323633323739383363323139633865383563313037613963303565306432376265
 35313863663463383064393236626539386164663264383133333032383935663661656238666235
 35306163303239333138373230366564616366386433383033666535623832633831346233663738
 34653664393961623137316162663231646335343138346639633731383434356364613363333633
 66623237656338646561383861326135393262623538653539393063353731383739303363303939
 62313737333136613664623538313838346635306631343365353738393935373338383235386438
 30393636393465313165653763356166626634303963643136633035333230393865653734313863
 37616431326239656536383866343764343462396461313030653166663665643261373463323331
 30643738333132636662313565383861653164356530613866303663373234666432353862383332
 63356237613035353163323737656134316137636635626433653363393936323261326131666135
 66613063653533373061396137333733303965303638656665633365366436303938646235333537
 65373439633833343061346636626637633337613131363333376235303461323561383866663336
 66663266356239323166643839386663663762313037663265306264373738626464313233393435
 63323938656432393139386432393533353732326635346332373034333238346235376263333366
 62663261366630313164383430626637356563666165313161393364383662663637386431623836
 32336238623339613532346630356430636334643363336665366234643936353166373063303865
 39306434336139306134653037356130366539666434336532623036613537363836633763306163
 35333564613533373537386538326236656435636236366163336431376130663961633061383439
 64663139326663633934333832363866333639663763633762343039303635623062386337393532
 37383037386664633035313463306462646166303863666531376263303338323535383631626539
 38643530633564626238666137343566393166646533363738626131396466356161613461316539
 30383264396366393435666162616461326538323832343361363866343130653062363339636565
 34343732386436393838336264633836333432653433663832623534633466313536663830393366
 33366231303666316364613834336265643237376339393063643235306462313437623861663932
 34626538316362313862393634393732623036613661646564393163313032646631343465613039
 34333537646664666365623063633630633437613563303561653234396566643938313138663161
 34326463626130303138363263626131626239343863313461663861646665366133643530343739
 31323537613331316164353561653162646166396265323666353034616661366234396338333238
 32643964633238383637333337656561303964353062336136363062393038376339393537383139
 32636235663632343834316165626261316166653035633138343365633733386130336230643139
 37396235393336323162333233623161356333653262613130623562346230363232373230353564
 32346664356362616161303963646632633135333838666530616231383633656562346634326334
 32643137346638623932653461393361366539396337663865386431386439393537313639643938
 38303636316339666333313064363063343765306638376439343534633964623339363561373338
 37306632643866626466353430626137363437366135306231663631636234653165333439623266
 33663065336130326638656566396665663139323732353331653439353435353538633762313831
 62613134313262386439316561613364336336396333653664643566363734663131613365623330
 35373662363961383331636135393532646361363135643639616662666666363430323330643863
 39613464643236383961303132323635353030636565643835636462376238623464613463313763
 65373263333266323736393833666335623230663937633866656365343939376334623561613339
 31363531353730633435336337636331333639376264323635613637306632373665323435633930
 32643166383439353561343836393063343665373230303566303831643831336564616263653765
 66666666303366643530373432366636623066363339656432383066383438353739366433653236
 34643631376335333233613230353462653935366630316665663639363438323936306538353634
 63356337363165636331386562356466396266623063616535303438663764626133393532306237
 32353132363535323934663064373862653039656266373830346138643236376233643535393433
 38353939666664313235633065336262336530313864656563616565333932316437666537356362
 33373664383362313937633562396135323432313563643731656531313962643162346664383661
 30366530363463643439353638393339336265323037313834393630616365663738303361653564
 37363462396661326338313938326531653835643738303666393130363763396231373039626663
 63326537366162643939643365333832346265393365373638333539656134363833313765343134
 34363338346139636536663938336561373532326163333731333163663435373165363466663665
 64373539623632313637636332653139353234303062363731363432373939363139646364306235
 63383162643733653534393063306162626136326432303766373133333639363737613463356131
 33393961313533383564653863633733653336643836383531363837613133666361316263646239
 63656461303633653035666134323834393666303033653632393764653836646638616264386163
 33343865636133353066636164336661373738313135646636393137333138633462666337333062
 39313963376361343137633363313134326235646266313132633030643263393538666231353833
 66643637306566623131343537303163306661353366356430373461386266383062346534393362
 32343339643361336466373962646439623665653863393166386639323634376332383861303032
 39363237386466363634623161666531616261323962346566346164653165633965336361366530
 31376638383065613831626432396638396132316138646639343439376439646237303132333936
 64373536353065333435663063633631643536636332306338383432623162653030636138366633
 33373665373864353136333966663464376433303262366163626664393331356631633361363136
 30633739303036633731623036626431333736396431373063326534613366383936356535363365
 34393362663061326136613831313830643437316364326132363738333931646339326138396666
 34353334343133616137623832393238353330656132393937636462373561646363303137613237
 63316563346231336433343634383539666234663964623434363335623936326534333933393532
 36653865373939383934386436623536393563626636666330336561636164636664643935666231
 65643430646365613164653938343831666366663965316635653934363631643165323162633566
 33363135366136383235636635383239346532383434393336376638306434313936326639616234
 31636331343231306162643030636131316163386538613638633431663065393039356230393031
 61383163316336653866653035326538623562616361343834326533376339333034303861633362
 34656461306163626665656536363632393130303466373536386538393432373434323063663731
 32613234313232326563613639373934373039303234346362636139326165376261386566623063
 66633036626562346538663536386136663361366637613863386431313336313466656535666464
 62656164323134343264373461383536396430313132376337323363626339326161376134663931
 63396237363661373639373866313636303435666137333364623665613139626337656230633065
 65306138636536353365303564663164623535366265393530356666646531653731306430363631
 35316437613638363964303231623935616461663938336533636531653364333763326636303237
 35353831313436663539643563613336383230343736386561666637633133343032313136613962
 33313161333063303161653765656661626430313863653539333130366466376164316566303537
 30613162333366316361363435393835613431343936326137356233643736333234343039303761
 30376138346431646162626464623939306136646539326464646236383962323332333133393731
 39316537383631323531666538633534616364666335386332396263373364306530666666353737
 33396261346231656465313764363533343765333936366164656264306333333766323165616265
 34336361356239346164303434356431326632653462333933333530633334363134313463646635
 61376632653465656262323537646230323031316638616634313835376465363265663463316465
 34346530653664313031396337323839653761343331643337613837333561353937333565616138
 30346462303234343663393239623865323631303036356237666264643837313439333238376234
 36633030336366636130336239323533303166613233363366656465326234323431616133643032
 32353733383130386461303236666434616434303836626532356436303361356565613136303430
 30336261626531323563346439326434633438646433333266663732626130383330386431613234
 35656332313333646463386338306635646366323966613564626365633436386365343438343838
 62323734653638316434316231313034663134646166613638623636383338393631396235373238
 33333464333066356538393765363939316361303331633764383464313834613266306362626162
 65653866323631373238333438326337373339626536393831626134376130646634653266363032
 66366632663839333233656432383065313438316335656637343330643438366533663634623539
 64653331626662663332383366393531663366316533353136623032343138313330643733313537
 38353338386561346237383763363137396364353661323234323561656232646230666630643563
 64333861363363373134323332623332376132306636396165383462626337373234313639343534
 31336161613235383664643162636237396239353237646363323235363731643337306530363035
 64623938323436363439626165656437353664656630613237316636633931373962343234653837
 34363863633366346637366166306337346430306532643635663337393735336639386663663364
 63623833363130396565663464393332396439396139353836633331353936356336336338363731
 33656130306436646233323336343234363263663436613935386562303233363835636638366137
 36323136383732616633393531353064363363356631373134636162636262393437653437663839
 39653463393338353130623733626362363665613430316365623938303635666365633163373533
 63336332336638613562373830663263376233646565646233343334646261316164663361393438
 66333938623438653166353636656539613430353035353561643864363661353535666334393865
 613665376161323236363633396531623662
--- a/group_vars/dhcp
+++ b/group_vars/dhcp
@ -4,7 +4,10 @@ dhcpd_domain_name: "{{ domain.name }}"
 dhcpd_nameservers:
  - '192.168.1.40'
  - '192.168.1.10'
-dhcpd_keys: "{{ vault_dhcpd_keys }}"
+dhcpd_keys: 
  - key: dhcp
    algorithm: HMAC-MD5
    secret: "{{ lookup('hashi_vault','secret=secrets/data/ansible/other:dhcpd_key') }}"
 dhcpd_zones:
  - zone: "{{ domain.name }}."
@ -137,7 +140,7 @@ credentials_files:
        type: smb
        path: /etc/creds/.diskstation_credentials
        username: admin
-        password: "{{ vault_diskstation_admin }}"
+        password: "{{ lookup('hashi_vault','secret=secrets/data/ansible/storage:diskstation_admin') }}"
 systemd_mounts_enabled:
--- a/group_vars/server/database
+++ b/group_vars/server/database
@ -2,24 +2,23 @@
 postgresql_users:
  - name: root
    role_attr_flags: SUPERUSER
-    password: "{{ vault_db_root }}"
+    password: "{{  lookup('hashi_vault', 'secret=secrets/data/ansible/database:root')}}"
  - name: wikijs
-    password: "{{ vault_db_wikijs }}"
+    password: "{{  lookup('hashi_vault', 'secret=secrets/data/ansible/database:wikijs')}}"
  - name: ttrss
-    password: "{{ vault_db_ttrss }}"
+    password:  "{{  lookup('hashi_vault', 'secret=secrets/data/ansible/database:ttrss')}}"
  - name: gitea
-    password: "{{ vault_db_gitea }}"
+    password: "{{  lookup('hashi_vault', 'secret=secrets/data/ansible/database:gitea')}}"
  - name: supysonic
-    password: "{{ vault_db_supysonic }}"
+    password: "{{  lookup('hashi_vault', 'secret=secrets/data/ansible/database:supysonic')}}"
  - name: hass
-    password: "{{ vault_db_hass }}"
+    password: "{{  lookup('hashi_vault', 'secret=secrets/data/ansible/database:hass')}}"
  - name: nextcloud
-    password: "{{ vault_db_nextcloud }}"
+    password: "{{  lookup('hashi_vault', 'secret=secrets/data/ansible/database:nextcloud')}}"
  - name: vaultwarden
-    password: "{{ vault_db_vaultwarden }}"
+    password: "{{  lookup('hashi_vault', 'secret=secrets/data/ansible/database:vaultwarden')}}"
  - name: drone
-    password: "{{ vault_db_drone }}"
+    password: "{{  lookup('hashi_vault', 'secret=secrets/data/ansible/database:drone')}}"
 postgresql_databases:
  - name: wikijs
--- a/group_vars/server/mount
+++ b/group_vars/server/mount
@ -57,18 +57,6 @@ systemd_mounts:
        options:
            - " "
        automount: true
    diskstation_nextcloud:
        share: //diskstation.ducamps.win/nextcloud
        mount: /mnt/diskstation/nextcloud
        type: cifs
        options:
            - credentials=/etc/creds/.diskstation_credentials
            - uid=33
            - gid=33
            - vers=3.0
            - dir_mode=0770
            - _netdev
        automount: true
    diskstation_archMirror:
        share: diskstation.ducamps.win:/volume2/archMirror
        mount: /mnt/diskstation/archMirror
@ -76,13 +64,6 @@ systemd_mounts:
        options:
            - " "
        automount: true
    diskstation_certs:
        share: diskstation.ducamps.win:/volume2/certs/letsencrypt
        mount: /etc/letsencrypt
        type: nfs
        options:
            - " "
        automount: false
    diskstation_nomad:
        share: diskstation.ducamps.win:/volume2/nomad
        mount: /mnt/diskstation/nomad
@ -100,9 +81,7 @@ systemd_mounts_enabled:
    - diskstation_CardDav
    - diskstation_media
    - diskstation_ebook
    - diskstation_nextcloud
    - diskstation_archMirror
    - diskstation_certs
    - diskstation_nomad
 credentials_files:
@ -110,18 +89,5 @@ credentials_files:
        type: smb
        path: /etc/creds/.diskstation_credentials
        username: admin
-        password: "{{ vault_diskstation_admin }}"
+        password: "{{ lookup('hashi_vault','secret=secrets/data/ansible/storage:diskstation_admin') }}"
 samba_shares:
  - name: hassconfig
    path: /var/lib/hass
    read_only: no
    writable: yes
    directory_mode: 770
    owner: hass
    group: hass
    write_list: "{{user.name}}"
 samba_users:
  - name: "{{user.name}}"
    password: "{{ vault_smb_user }}"
--- a/group_vars/server/server
+++ b/group_vars/server/server
@ -1,7 +1,7 @@
 notification_mail: "{{inventory_hostname}}@{{ domain.name }}"
 msmtp_mailhub: smtp.{{ domain.name }}
 msmtp_auth_user: "{{ user.mail }}"
-msmtp_auth_pass: "{{ vault_email_password }}"
+msmtp_auth_pass: "{{ lookup('hashi_vault','secret=secrets/data/ansible/other:email') }}"
 rsynclocations:
    - name: backup nas
@ -31,8 +31,7 @@ chisel_server_port: 9090
 chisel_server_backend: https://www.{{domain.name}}
 chisel_server_auth:
      user: chisel
-      pass: "{{vault_chisel_server_pass}}"
+      pass: "{{ lookup('hashi_vault','secret=secrets/data/ansible/other:chisel_pass') }}"
 arch_mirror_location: "/mnt/diskstation/archMirror"
 system_user:
--- a/group_vars/workstation
+++ b/group_vars/workstation
@ -67,7 +67,7 @@ credentials_files:
        type: smb
        path: /etc/creds/.diskstation_credentials
        username: admin
-        password: "{{ vault_diskstation_admin }}"
+        password: "{{ lookup('hashi_vault','secret=secrets/data/ansible/storage:diskstation_admin') }}"
 keystodeploy:
    - name: juicessh without password
--- a/4
+++ b/4
@ -8,5 +8,5 @@ deploy_production:
 deploy_staging:
 	ansible-playbook site.yml -i staging --vault-password-file=./ansible-vault-pass.sh
-edit-vault:
+generate-token:
-	ansible-vault edit group_vars/all/all_vault  --vault-password-file=./ansible-vault-pass.sh
+	@echo export VAULT_TOKEN=`vault token create -policy=ansible -field="token" -period 6h`
--- a/provisionning.yml
+++ b/provisionning.yml
@ -7,7 +7,7 @@
 - hosts: all
  remote_user: root
  vars:
-    ansible_password: "{{ vault_default_root }}"
+    ansible_password: "{{ lookup('hashi_vault','secret=secrets/data/ansible/user:root') }}"
  roles:
    - ansible_bootstrap