diff --git a/README.md b/README.md
index 53b2ced..71f12fd 100644
--- a/README.md
+++ b/README.md
@@ -22,12 +22,6 @@ make create-dev
 ## Rebuild
-to rebuild from scratch ansible need a vault server up and unseal
-you can rebuild a standalone vault server with a consul database snaphot with
-
-```sh
-make vault-dev FILE=./yourconsulsnaphot.snap
-```
 ## Architecture
diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
index cf39c54..943c0a0 100644
--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@@ -136,7 +136,7 @@ timeout = 30
 # If set, configures the path to the Vault password file as an alternative to
 # specifying --vault-password-file on the command line.
-#vault_password_file = /path/to/vault_password_file
+vault_password_file = ./misc/vault-keyring-client.sh
 # format of string {{ ansible_managed }} available within Jinja2
 # templates indicates to users editing templates files will be replaced.
diff --git a/ansible/group_vars/VPS/mount b/ansible/group_vars/VPS/mount
index 9918c74..8bed2cc 100644
--- a/ansible/group_vars/VPS/mount
+++ b/ansible/group_vars/VPS/mount
@@ -18,15 +18,6 @@ systemd_mounts:
 - mfsymlinks
 automount: true
-credentials_files:
- 1:
- type: smb
- path: /etc/creds/hetzner_credentials
- username: u304977
- password: "{{ lookup('hashi_vault','secret=secrets/data/ansible/storage:hetzner') }}"
-
-
-
 systemd_mounts_enabled:
 - diskstation_nomad
 - hetzner_storage
diff --git a/ansible/group_vars/VPS/vault_mount b/ansible/group_vars/VPS/vault_mount
new file mode 100644
index 0000000..b62154d
--- /dev/null
+++ b/ansible/group_vars/VPS/vault_mount
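Review bot: `vault_password_file = ./misc/vault-keyring-client.sh` points at an executable (this commit adds it with mode 100755), so Ansible runs it as a password script, and as far as I can tell it is executed when the CLI sets up vault secrets at startup rather than when a vaulted file is first read, so every `ansible`/`ansible-playbook` run under this config needs the GPG key for `misc/vault-password.gpg` available, even for plays that use no vaulted variable. The relative path is acceptable because path-typed settings are resolved against the directory of the ansible.cfg that was loaded, but that only holds when this file is the config actually picked up. Worth stating next to the setting: `# executable, so run as a script: decrypts misc/vault-password.gpg with GPG; every run needs that key in the operator's keyring`.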
@@ -0,0 +1,12 @@
+$ANSIBLE_VAULT;1.1;AES256
+31303539336464336239376636623862303066336438383739356163616431643366386565366361
+3264336232303135336334333663326234393832343235640a313638323963666631353836373531
+61636261623662396330653135326238363630363938323166303861313563393063386161393238
+3231336232663533640a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
diff --git a/ansible/group_vars/all/nomad b/ansible/group_vars/all/nomad
index 16a79bb..f644a75 100644
--- a/ansible/group_vars/all/nomad
+++ b/ansible/group_vars/all/nomad
@@ -5,5 +5,4 @@ nomad_docker_allow_caps:
 nomad_vault_enabled: true
 nomad_vault_address: "http://active.vault.service.{{consul_domain}}:8200"
 nomad_vault_role: "nomad-cluster"
-nomad_vault_token: "{{ lookup('hashi_vault','secret=secrets/data/ansible/hashistack:nomad_vault_token') }}"
diff --git a/ansible/group_vars/all/sssd b/ansible/group_vars/all/sssd
index 9650a7c..2f30f16 100644
--- a/ansible/group_vars/all/sssd
+++ b/ansible/group_vars/all/sssd
@@ -3,7 +3,3 @@ sssd_configure: true
 ldap_search_base: "dc=ducamps,dc=win"
 ldap_uri: "ldaps://ldap.ducamps.win"
 ldap_sudo_search_base: "ou=sudoers,dc=ducamps,dc=win"
-ldap_default_bind_dn : "uid=vaultserviceaccount,cn=users,dc=ducamps,dc=win"
-ldap_password : "{{lookup('hashi_vault', 'secret=secrets/data/ansible/other:vaulserviceaccount')}}"
-userPassword: "{{lookup('hashi_vault', 'secret=secrets/data/ansible/user:userPassword')}}"
-
diff --git a/ansible/group_vars/all/users b/ansible/group_vars/all/users
index e602fee..16bdf83 100644
--- a/ansible/group_vars/all/users
+++ b/ansible/group_vars/all/users
@@ -11,7 +11,7 @@ user:
 - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCYHkEIa38p3e4+m/LScHm8Ei7H2X/pDksjVAzoJ4fHr8oXc6DKkC8SWwMnh3L4WzWBhfTbzwUgFTNpsxhp/UyJf+fdzmzetlbVlYSuA6yWuSmgMeFbXFImhZ+Sn3i59hLeqAAyrkQLjba2waehdEsuOQ/AGoDbMYm38Xf9Wka/1YIeUPE4gLeLvymRnGw7BSug6Unycy52WlFAquollObOvc7tNiX0uLDh81Dp0KZhqWRs75hfmQ9du4g4uNhFLiF11hOGNgj3PWV+nWe8GWNQYVUBChWX1dsP8ct/ahG9IFXSPEaFD1IZeFp29u2ln3mgKkBtcRTRe1e3CLQqiRsUq2aixVFbSgFMFgGSUiNGNqKR4f9DeyJrYBplSj6HXjWoBny4Wm8+yfk8qR2RtQpS6AUu81xtKnXOaj9Q5VZO3kVF0U3EXHAZutTYDj9mDlhLSBS7x7hmrkRBbIy7adSx9Gx5Ck3/RllqG6KD+LdJa4I0pUTRNetpLpYDeZpwjnDP1r7udaSQMyRMH5YKLzhtHqIV/imn9QO4KCxNxTgwxt9ho6HDvlDGERCxm+yeHUu3CPyq2ZGSF5HHsYTGUtYvQw4JfQyw/5DrZ7IIdU1e7ZuaE3h/NvFgKJPVTP52nmUtIW7pIOkHpn9mddjm/oKMayOzMspLn9HLFVbqi7A5Xw== vincent@zen-pc
 privatekey:
 - keyname: "id_gitea"
- key: "{{lookup('hashi_vault', 'secret=secrets/data/ansible/privatekey:gitea')}}"
+ key: "{{lookup('file', '~/.ssh/id_gitea')}}"
@@ -19,11 +19,6 @@ system_user:
 - name: drone-deploy
 home: /home/drone-deploy
 shell: /bin/bash
- privatekey:
- - keyname: id_gitea
- key: "{{lookup('hashi_vault', 'secret=secrets/data/ansible/privatekey:gitea')}}"
-
-
 authorized_keys:
 - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUaK+pQlosmopbZfucll9UdqDOTaODOBwoxRwkJEk1i drone@oscar
@@ -35,15 +30,13 @@ system_user:
 home: /root
 privatekey:
 - keyname: id_gitea
- key: "{{lookup('hashi_vault', 'secret=secrets/data/ansible/privatekey:gitea')}}"
+ key: "{{lookup('file', '~/.ssh/id_gitea')}}"
+
 user_custom_host:
 - host: "git.ducamps.win"
 user: "git"
 keyfile: "~/.ssh/id_gitea"
- - host: "gitlab.com"
- user: "git"
- keyfile: "~/.ssh/id_consort"
 user_config_repo: "ssh://git@git.{{ domain.name }}:2222/vincent/conf2.git"
diff --git a/ansible/group_vars/all/vault_nomad b/ansible/group_vars/all/vault_nomad
new file mode 100644
index 0000000..792ef3b
--- /dev/null
+++ b/ansible/group_vars/all/vault_nomad
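Review bot: `key: "{{lookup('file', '~/.ssh/id_gitea')}}"` (in the `user` entry and again in the root `system_user` entry) reads the private key from the home directory of whoever runs the playbook, so the run now depends on the operator's controller account rather than on a shared store: a missing file fails the task at template time with a lookup error, and the key material enters the variable namespace in clear text, where it may appear in verbose task output unless the tasks consuming `privatekey` set `no_log` (those tasks are not in this diff). Consider a comment on both entries: `# read from the controller at run time; run from an account that owns ~/.ssh/id_gitea`. The `system_user` list continues outside the hunk.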
@@ -0,0 +1,11 @@
+$ANSIBLE_VAULT;1.1;AES256
+39613433313663653039643961643165643632313938626339653365376633613135653436363938
+6331623132366638633665636163336462393333336264320a666466303465663839646435626231
+38396437363034313236383261326637306238616162303131356537393635363939376236386130
+6466353961643233310a306631333664363332336263656638623763393732306361306632386662
+37623934633932653965316532386664353130653830356237313337643266366233346633323265
+37616533303561363864626531396366323565396536383133643539663630636633356238386633
+34383464333363663532643239363438626135336632316135393537643930613532336231633064
+35376561663637623932313365636261306131353233636661313435643563323534623365346436
+65366132333635643832353464323961643466343832376635386531393834336535386364396333
+3932393561646133336437643138373230366266633430663937
diff --git a/ansible/group_vars/all/vault_sssd b/ansible/group_vars/all/vault_sssd
new file mode 100644
index 0000000..855815c
--- /dev/null
+++ b/ansible/group_vars/all/vault_sssd
@@ -0,0 +1,11 @@
+$ANSIBLE_VAULT;1.1;AES256
+34356264306639303930393736376562653636383538623131343939323563653938616534623163
+6536366261666662376533393836626664373766313439660a363331326231303638626165393164
+63323063623365393566643230653964393565636430303365653233323931646236366664346430
+3162383233656139320a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
diff --git a/ansible/group_vars/all/vault_users b/ansible/group_vars/all/vault_users
new file mode 100644
index 0000000..ee01c0a
--- /dev/null
+++ b/ansible/group_vars/all/vault_users
@@ -0,0 +1,14 @@
+$ANSIBLE_VAULT;1.1;AES256
+35303137383361396262313561623237626336306366376630663065396664643630383638376436
+3930346265616235383331383735613166383461643233310a663564356266663366633539303630
+37616532393035356133653838323964393464333230313861356465326433353339336435363263
+3162653932646662650a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
diff --git a/ansible/group_vars/all/vault_vault b/ansible/group_vars/all/vault_vault
new file mode 100644
index 0000000..af0781a
--- /dev/null
+++ b/ansible/group_vars/all/vault_vault
@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+34363036323764633162633834333038323732633032633438613731613338636532363934396262
+6432333762316132643130383934663537396331363536320a393332666564346137666430616562
+35653437383636316136316661333039616137616234393562313634363563303766653832313831
+6635646261393937360a643534653861393265613032343337316237623634613834313131633137
+61323464376436323462633732663932633730336639333736613162353730313134646661366338
+39653961313439386632356130353033386338623831636639346163636138336338353665353330
+36333963306333383064653730643231303435306362663963363732613237626138653361373135
+38663539643039643564386565393661633935626139366434643766346161393539653734343064
+31336263363831646630376364663636636332336161633038663130306639393336
diff --git a/ansible/group_vars/database b/ansible/group_vars/database
deleted file mode 100644
index 8117154..0000000
--- a/ansible/group_vars/database
+++ /dev/null
@@ -1,54 +0,0 @@
-
-postgresql_users:
- - name: root
- role_attr_flags: SUPERUSER
- password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:root')}}"
- - name: wikijs
- password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/wikijs:password')}}"
- - name: ttrss
- password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/ttrss:password')}}"
- - name: gitea
- password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/gitea:password')}}"
- - name: supysonic
- password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/supysonic:password')}}"
- - name: hass
- password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/homeassistant:password')}}"
- - name: vaultwarden
- password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/vaultwarden:password')}}"
- - name: drone
- password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/droneci:password')}}"
- - name: dendrite
- password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/dendrite:password')}}"
- - name: paperless
- password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/paperless:password')}}"
- - name: dump
- password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/dump:password')}}"
- - name: vikunja
- password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/vikunja:password')}}"
- - name: ghostfolio
- password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/ghostfolio:password')}}"
-
-
-postgresql_databases:
- - name: wikijs
- owner: wikijs
- - name: ttrss
- owner: ttrss
- - name: gitea
- owner: gitea
- - name: supysonic
- owner: supysonic
- - name: hass
- owner: hass
- - name: vaultwarden
- owner: vaultwarden
- - name: drone
- owner: drone
- - name: dendrite
- owner: dendrite
- - name: paperless
- owner: paperless
- - name: vikunja
- owner: vikunja
- - name: ghostfolio
- owner: ghostfolio
diff --git a/ansible/group_vars/database/database b/ansible/group_vars/database/database
new file mode 100644
index 0000000..3c0540b
--- /dev/null
+++ b/ansible/group_vars/database/database
@@ -0,0 +1,20 @@
+
+postgresql_databases:
+ - name: ttrss
+ owner: ttrss
+ - name: gitea
+ owner: gitea
+ - name: supysonic
+ owner: supysonic
+ - name: hass
+ owner: hass
+ - name: vaultwarden
+ owner: vaultwarden
+ - name: drone
+ owner: drone
+ - name: paperless
+ owner: paperless
+ - name: vikunja
+ owner: vikunja
+ - name: ghostfolio
+ owner: ghostfolio
diff --git a/ansible/group_vars/database/vault_database b/ansible/group_vars/database/vault_database
new file mode 100644
index 0000000..af70022
--- /dev/null
+++ b/ansible/group_vars/database/vault_database
@@ -0,0 +1,38 @@
+$ANSIBLE_VAULT;1.1;AES256
+31336239306162353439323635633133393530396161656139303031323330366431653665623032
+3133326132353635336331353236396334623736383461310a633931616636396665363931393432
+34663535363362363030323439646134653163656538306230323739653739316464363232623264
+3638643737316132640a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
diff --git a/ansible/group_vars/dhcp b/ansible/group_vars/dhcp/dhcp
similarity index 92%
rename from ansible/group_vars/dhcp
rename to ansible/group_vars/dhcp/dhcp
index d6c06d2..5c606a5 100644
--- a/ansible/group_vars/dhcp
+++ b/ansible/group_vars/dhcp/dhcp
@@ -4,10 +4,6 @@ dhcpd_domain_name: "lan.{{ domain.name }}"
 dhcpd_nameservers:
 - '192.168.1.4'
 - '192.168.1.41'
-dhcpd_keys:
- - key: dhcp
- algorithm: HMAC-MD5
- secret: "{{ lookup('hashi_vault','secret=secrets/data/ansible/other:dhcpd_key') }}"
 dhcpd_zones:
 - zone: "lan.{{ domain.name }}."
diff --git a/ansible/group_vars/dhcp/vault_dhcp b/ansible/group_vars/dhcp/vault_dhcp
new file mode 100644
index 0000000..759bbc9
--- /dev/null
+++ b/ansible/group_vars/dhcp/vault_dhcp
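Review bot: The new `postgresql_databases` list lacks the `wikijs` and `dendrite` entries that the deleted `group_vars/database` carried, while `postgresql_users` no longer appears in any plaintext file (presumably moved into the encrypted `vault_database`, which I cannot inspect). If dropping those two databases is intended it deserves a line in the commit message; if not, the entries `- name: wikijs` / `owner: wikijs` and `- name: dendrite` / `owner: dendrite` need restoring here. Keeping `postgresql_users` in this plaintext file with only the passwords as `password: "{{ vault_<name>_password }}"` references (placeholder name) and leaving just those values in the vault file would also keep the user list greppable and reviewable.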
@@ -0,0 +1,13 @@
+$ANSIBLE_VAULT;1.1;AES256
+66616338633634336135333064663732313730373234663838623537396533373536623563636661
+6639333231346463346133313664626438383432383864310a326665386463666633333537303139
+62313337666231636664356439343333646166313062616235663463386339393661396537653132
+3162303733376534630a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
diff --git a/ansible/host_vars/oscar b/ansible/host_vars/oscar
index 6e56334..a88c9fc 100644
--- a/ansible/host_vars/oscar
+++ b/ansible/host_vars/oscar
@@ -19,8 +19,6 @@ consul_snapshot: True
 vault_snapshot: true
 vault_backup_location: "/mnt/diskstation/git/backup/vault"
-vault_roleID: "{{ lookup('hashi_vault','secret=secrets/data/ansible/hashistack:vault-snapshot_approle') }}"
-vault_secretID: "{{ lookup('hashi_vault','secret=secrets/data/ansible/hashistack:vault-snapshot_secretID') }}"
 partition_table:
 - device: "/dev/sda"
 label: gpt
diff --git a/ansible/host_vars/oscar-dev b/ansible/host_vars/oscar-dev
index c264ea2..d4edca3 100644
--- a/ansible/host_vars/oscar-dev
+++ b/ansible/host_vars/oscar-dev
@@ -15,5 +15,3 @@ wireguard_postdown:
 consul_snapshot: True
 vault_snapshot: True
 vault_backup_location: "/mnt/diskstation/git/backup/vault"
-vault_roleID: "{{ lookup('hashi_vault','secret=secrets/data/ansible/hashistack:vault-snapshot_approle') }}"
-vault_secretID: "{{ lookup('hashi_vault','secret=secrets/data/ansible/hashistack:vault-snapshot_secretID') }}"
diff --git a/ansible/misc/vault-keyring-client.sh b/ansible/misc/vault-keyring-client.sh
new file mode 100755
index 0000000..cfdb6e6
--- /dev/null
+++ b/ansible/misc/vault-keyring-client.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+readonly vault_password_file_encrypted="$(dirname $0)/vault-password.gpg"
+
+# flock used to work around "gpg: decryption failed: No secret key" in tf-stage2
+# would otherwise need 'auto-expand-secmem' (https://dev.gnupg.org/T3530#106174)
+flock "$vault_password_file_encrypted" \
+ gpg --batch --decrypt --quiet "$vault_password_file_encrypted"
+
diff --git a/ansible/misc/vault-password.gpg b/ansible/misc/vault-password.gpg
new file mode 100644
index 0000000..d391af9
Binary files /dev/null and b/ansible/misc/vault-password.gpg differ
diff --git a/ansible/provisionning.yml b/ansible/provisionning.yml
index 436b57a..3983e18 100644
--- a/ansible/provisionning.yml
+++ b/ansible/provisionning.yml
@@ -1,16 +1,12 @@
 --- - hosts: all remote_user: root - vars: - provissionning_default_root: "{{ lookup('hashi_vault','secret=secrets/data/ansible/user:root') }}" roles: - ansible-arch-provissionning - hosts: all remote_user: root - vars: - ansible_password: "{{ lookup('hashi_vault','secret=secrets/data/ansible/user:root') }}" - roles: + roles: - ansible_bootstrap # - remote_user: "{{ user.name }}"
diff --git a/docs/How-to/ansible_vault.md b/docs/How-to/ansible_vault.md
new file mode 100644
index 0000000..4bce2cb
--- /dev/null
+++ b/docs/How-to/ansible_vault.md
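Review bot: `readonly vault_password_file_encrypted="$(dirname $0)/vault-password.gpg"` leaves `$0` unquoted, so a checkout path containing whitespace is split into several `dirname` arguments and the lookup breaks; `$(dirname -- "$0")` avoids that. `flock` comes from util-linux rather than POSIX, so the `#!/bin/sh` shebang over-promises on hosts without it, and the comment's "tf-stage2" names an environment that is not part of this repository — reword it to give the local reason the lock is kept. The file name this script reads must also match what the new how-to produces: `docs/How-to/ansible_vault.md` in this commit writes `misc/vault--password.gpg` (double hyphen), which this script would never find.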
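Review bot: After the play-level `vars` are dropped, the second play still connects as `remote_user: root` but nothing in this file says where `ansible_password` (and `provissionning_default_root` for the first play) now comes from — presumably the new encrypted `group_vars/all/vault_*` files, which I cannot inspect. Play `vars` outrank group_vars, so whichever group_vars or host_vars definition exists now takes effect silently instead of the former explicit lookup. Consider a comment above the first play: `# root credentials (provissionning_default_root, ansible_password) come from encrypted group_vars, not from this file`. The playbook's remaining plays continue outside the hunk.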
@@ -0,0 +1,25 @@
+# ansible vault management
+
+ansible password are encoded with a gpg key store in ansible/misc
+to renew password follow this workflown
+
+```sh
+# Generate a new password for the default vault
+pwgen -s 64 default-pw
+
+# Re-encrypt all default vaults
+ansible-vault rekey --new-vault-password-file ./default-pw \
+ $(git grep -l 'ANSIBLE_VAULT;1.1;AES256$')
+
+# Save the new password in encrypted form
+# (replace "RECIPIENT" with your email)
+gpg -r RECIPIENT -o misc/vault--password.gpg -e default-pw
+
+# Ensure the new password is usable
+ansible-vault view misc/vaults/vault_hcloud.yml
+
+# Remove the unencrypted password file
+rm new-default-pw
+```
+
+script `vault-keyring-client.sh` is set in ansible.cfg as vault_password_file to decrypt the gpg file