remove hasshicorp vault dependance on ansil metal deployment
This commit is contained in:
parent
521ea28229
commit
14b1ac38e2
@ -22,12 +22,6 @@ make create-dev
|
||||
|
||||
## Rebuild
|
||||
|
||||
to rebuild from scratch ansible need a vault server up and unseal
|
||||
you can rebuild a standalone vault server with a consul database snaphot with
|
||||
|
||||
```sh
|
||||
make vault-dev FILE=./yourconsulsnaphot.snap
|
||||
```
|
||||
|
||||
## Architecture
|
||||
|
||||
|
@ -136,7 +136,7 @@ timeout = 30
|
||||
|
||||
# If set, configures the path to the Vault password file as an alternative to
|
||||
# specifying --vault-password-file on the command line.
|
||||
#vault_password_file = /path/to/vault_password_file
|
||||
vault_password_file = ./misc/vault-keyring-client.sh
|
||||
|
||||
# format of string {{ ansible_managed }} available within Jinja2
|
||||
# templates indicates to users editing templates files will be replaced.
|
||||
|
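Review bot: The stock comment kept above the new `vault_password_file = ./misc/vault-keyring-client.sh` line (presumably in ansible.cfg) still describes the setting generically, so nothing tells a reader that the value is an executable helper rather than a password file, or that it needs gpg and flock on the controller. Suggest replacing the two kept comment lines with `# vault_password_file is an executable: it gpg-decrypts misc/vault-password.gpg (needs gpg and flock on the controller)`. The rest of the config file is outside the hunk.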
@ -18,15 +18,6 @@ systemd_mounts:
|
||||
- mfsymlinks
|
||||
automount: true
|
||||
|
||||
credentials_files:
|
||||
1:
|
||||
type: smb
|
||||
path: /etc/creds/hetzner_credentials
|
||||
username: u304977
|
||||
password: "{{ lookup('hashi_vault','secret=secrets/data/ansible/storage:hetzner') }}"
|
||||
|
||||
|
||||
|
||||
systemd_mounts_enabled:
|
||||
- diskstation_nomad
|
||||
- hetzner_storage
|
||||
|
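Review bot: `credentials_files` is removed from this file while `systemd_mounts_enabled` still lists `hetzner_storage`, so that mount now depends on the encrypted ansible/group_vars/VPS/vault_mount file defining `credentials_files` with the same keys (`type`, `path`, `username`, `password`); the vault file is opaque in review, so this cannot be checked. A one-line pointer such as `# credentials_files (SMB credentials for hetzner_storage) is defined in the encrypted vault_mount file next to this one` would spare the next reader a search. The same remark applies to the variables removed from the hashistack, sssd, dhcp and vault-snapshot group_vars hunks and from the provisioning playbook further down, each of which now relies on a sibling vault_* file without saying so.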
12
ansible/group_vars/VPS/vault_mount
Normal file
12
ansible/group_vars/VPS/vault_mount
Normal file
@ -0,0 +1,12 @@
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
31303539336464336239376636623862303066336438383739356163616431643366386565366361
|
||||
3264336232303135336334333663326234393832343235640a313638323963666631353836373531
|
||||
61636261623662396330653135326238363630363938323166303861313563393063386161393238
|
||||
3231336232663533640a333763643864363939336566333731353031313739616633623537386435
|
||||
39613934663133613733356433616162363430616439623830663837343530623937656434366663
|
||||
33656466396263616132356337326236383761363834663363643163343231366563333865656433
|
||||
39316365663734653734363362363539623636666261333534313935343566646166316233623535
|
||||
32323831626463656337313266343634303830633936396232663966373264313762346235646665
|
||||
61333139363039363436393962666365336334663164306230393433636664623934343039323637
|
||||
33383036323233646237343031633030353330633734353232343633623864333834646239346362
|
||||
643634303135656333646235343366636361
|
@ -5,5 +5,4 @@ nomad_docker_allow_caps:
|
||||
nomad_vault_enabled: true
|
||||
nomad_vault_address: "http://active.vault.service.{{consul_domain}}:8200"
|
||||
nomad_vault_role: "nomad-cluster"
|
||||
nomad_vault_token: "{{ lookup('hashi_vault','secret=secrets/data/ansible/hashistack:nomad_vault_token') }}"
|
||||
|
||||
|
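Review bot: `nomad_vault_address` stays at `http://active.vault.service.{{consul_domain}}:8200`, so the Nomad Vault token — removed here and presumably now read from the encrypted vault_nomad file — is still presented to Vault over plaintext HTTP whenever Nomad talks to it. If the listener cannot be switched to TLS, a comment stating why cleartext is acceptable on this network (e.g. `# Vault listener is HTTP only: traffic stays on the private consul network`) would at least make the decision explicit; otherwise change the scheme to https and point at the TLS listener. The rest of the hashistack vars are outside the hunk.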
@ -3,7 +3,3 @@ sssd_configure: true
|
||||
ldap_search_base: "dc=ducamps,dc=win"
|
||||
ldap_uri: "ldaps://ldap.ducamps.win"
|
||||
ldap_sudo_search_base: "ou=sudoers,dc=ducamps,dc=win"
|
||||
ldap_default_bind_dn : "uid=vaultserviceaccount,cn=users,dc=ducamps,dc=win"
|
||||
ldap_password : "{{lookup('hashi_vault', 'secret=secrets/data/ansible/other:vaulserviceaccount')}}"
|
||||
userPassword: "{{lookup('hashi_vault', 'secret=secrets/data/ansible/user:userPassword')}}"
|
||||
|
||||
|
@ -11,7 +11,7 @@ user:
|
||||
- ssh-rsa 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 vincent@zen-pc
|
||||
privatekey:
|
||||
- keyname: "id_gitea"
|
||||
key: "{{lookup('hashi_vault', 'secret=secrets/data/ansible/privatekey:gitea')}}"
|
||||
key: "{{lookup('file', '~/.ssh/id_gitea')}}"
|
||||
|
||||
|
||||
|
||||
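Review bot: The gitea private key is the one secret in this commit that is not moved into the new encrypted vault_users file: `key: "{{lookup('file', '~/.ssh/id_gitea')}}"` reads it from the operator's own ~/.ssh on the controller, so the play now depends on whoever runs it having that exact file, and the key material is expanded into a variable that verbose task output can echo unless the consuming task sets no_log. The same lookup is used for the root user in the later hunk of this file (the `key:` line after `home: /root`), while the drone-deploy entry in the hunk between them drops its `privatekey` block altogether rather than switching to the lookup — worth confirming that is intended. Keeping the key in vault_users alongside the other user secrets would be consistent with the rest of the change; failing that, add `# prerequisite: the gitea deploy key must exist at ~/.ssh/id_gitea on the controller` above the entry.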
@ -19,11 +19,6 @@ system_user:
|
||||
- name: drone-deploy
|
||||
home: /home/drone-deploy
|
||||
shell: /bin/bash
|
||||
privatekey:
|
||||
- keyname: id_gitea
|
||||
key: "{{lookup('hashi_vault', 'secret=secrets/data/ansible/privatekey:gitea')}}"
|
||||
|
||||
|
||||
authorized_keys:
|
||||
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUaK+pQlosmopbZfucll9UdqDOTaODOBwoxRwkJEk1i drone@oscar
|
||||
|
||||
@ -35,15 +30,13 @@ system_user:
|
||||
home: /root
|
||||
privatekey:
|
||||
- keyname: id_gitea
|
||||
key: "{{lookup('hashi_vault', 'secret=secrets/data/ansible/privatekey:gitea')}}"
|
||||
key: "{{lookup('file', '~/.ssh/id_gitea')}}"
|
||||
|
||||
|
||||
|
||||
user_custom_host:
|
||||
- host: "git.ducamps.win"
|
||||
user: "git"
|
||||
keyfile: "~/.ssh/id_gitea"
|
||||
- host: "gitlab.com"
|
||||
user: "git"
|
||||
keyfile: "~/.ssh/id_consort"
|
||||
|
||||
user_config_repo: "ssh://git@git.{{ domain.name }}:2222/vincent/conf2.git"
|
||||
|
11
ansible/group_vars/all/vault_nomad
Normal file
11
ansible/group_vars/all/vault_nomad
Normal file
@ -0,0 +1,11 @@
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
39613433313663653039643961643165643632313938626339653365376633613135653436363938
|
||||
6331623132366638633665636163336462393333336264320a666466303465663839646435626231
|
||||
38396437363034313236383261326637306238616162303131356537393635363939376236386130
|
||||
6466353961643233310a306631333664363332336263656638623763393732306361306632386662
|
||||
37623934633932653965316532386664353130653830356237313337643266366233346633323265
|
||||
37616533303561363864626531396366323565396536383133643539663630636633356238386633
|
||||
34383464333363663532643239363438626135336632316135393537643930613532336231633064
|
||||
35376561663637623932313365636261306131353233636661313435643563323534623365346436
|
||||
65366132333635643832353464323961643466343832376635386531393834336535386364396333
|
||||
3932393561646133336437643138373230366266633430663937
|
11
ansible/group_vars/all/vault_sssd
Normal file
11
ansible/group_vars/all/vault_sssd
Normal file
@ -0,0 +1,11 @@
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
34356264306639303930393736376562653636383538623131343939323563653938616534623163
|
||||
6536366261666662376533393836626664373766313439660a363331326231303638626165393164
|
||||
63323063623365393566643230653964393565636430303365653233323931646236366664346430
|
||||
3162383233656139320a323133323262386638363738346336613862626539386538633864613131
|
||||
30306539376639303365323665613732616138346530346162633761386466626238373065316230
|
||||
38396662363364336134306130616661643835616161313535613331303133383334393333653335
|
||||
66363538313631373736396333363837376664616166663665343030336232346237333965303861
|
||||
36613763666135393531653637616463333461343232366137656336383239623166633338646561
|
||||
39336563636665396666663339306534643661366264623061626661343762373037383037373561
|
||||
3431656130306133323436616531343034366665636434333362
|
14
ansible/group_vars/all/vault_users
Normal file
14
ansible/group_vars/all/vault_users
Normal file
@ -0,0 +1,14 @@
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
35303137383361396262313561623237626336306366376630663065396664643630383638376436
|
||||
3930346265616235383331383735613166383461643233310a663564356266663366633539303630
|
||||
37616532393035356133653838323964393464333230313861356465326433353339336435363263
|
||||
3162653932646662650a613762393062613433343362633365316434663661306637623363333834
|
||||
61303231303362313133346461373738633239613933303564383532353537626538363636306461
|
||||
66663330346566356637623036363964396137646435333139323430353639386134396537366334
|
||||
39303130386432366335383433626431663034656466626265393863623438366130346562623365
|
||||
63653963393663353666313631326131636361333230386461383638333338393137336562323935
|
||||
37343034363961306663303232346139356534613837663230393962323333656536303161373939
|
||||
65626164336166306264653538313661393934383966303135356161336331623835663235646332
|
||||
63343764643861366537383962616230323036326331386333346463353835393762653735353862
|
||||
32323839663365353337303363313535633362643231653663393936363539363933636430613832
|
||||
32336566633962646463316636346330336265626130373636643335323762363661
|
10
ansible/group_vars/all/vault_vault
Normal file
10
ansible/group_vars/all/vault_vault
Normal file
@ -0,0 +1,10 @@
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
34363036323764633162633834333038323732633032633438613731613338636532363934396262
|
||||
6432333762316132643130383934663537396331363536320a393332666564346137666430616562
|
||||
35653437383636316136316661333039616137616234393562313634363563303766653832313831
|
||||
6635646261393937360a643534653861393265613032343337316237623634613834313131633137
|
||||
61323464376436323462633732663932633730336639333736613162353730313134646661366338
|
||||
39653961313439386632356130353033386338623831636639346163636138336338353665353330
|
||||
36333963306333383064653730643231303435306362663963363732613237626138653361373135
|
||||
38663539643039643564386565393661633935626139366434643766346161393539653734343064
|
||||
31336263363831646630376364663636636332336161633038663130306639393336
|
@ -1,54 +0,0 @@
|
||||
|
||||
postgresql_users:
|
||||
- name: root
|
||||
role_attr_flags: SUPERUSER
|
||||
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:root')}}"
|
||||
- name: wikijs
|
||||
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/wikijs:password')}}"
|
||||
- name: ttrss
|
||||
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/ttrss:password')}}"
|
||||
- name: gitea
|
||||
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/gitea:password')}}"
|
||||
- name: supysonic
|
||||
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/supysonic:password')}}"
|
||||
- name: hass
|
||||
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/homeassistant:password')}}"
|
||||
- name: vaultwarden
|
||||
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/vaultwarden:password')}}"
|
||||
- name: drone
|
||||
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/droneci:password')}}"
|
||||
- name: dendrite
|
||||
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/dendrite:password')}}"
|
||||
- name: paperless
|
||||
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/paperless:password')}}"
|
||||
- name: dump
|
||||
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/dump:password')}}"
|
||||
- name: vikunja
|
||||
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/vikunja:password')}}"
|
||||
- name: ghostfolio
|
||||
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/ghostfolio:password')}}"
|
||||
|
||||
|
||||
postgresql_databases:
|
||||
- name: wikijs
|
||||
owner: wikijs
|
||||
- name: ttrss
|
||||
owner: ttrss
|
||||
- name: gitea
|
||||
owner: gitea
|
||||
- name: supysonic
|
||||
owner: supysonic
|
||||
- name: hass
|
||||
owner: hass
|
||||
- name: vaultwarden
|
||||
owner: vaultwarden
|
||||
- name: drone
|
||||
owner: drone
|
||||
- name: dendrite
|
||||
owner: dendrite
|
||||
- name: paperless
|
||||
owner: paperless
|
||||
- name: vikunja
|
||||
owner: vikunja
|
||||
- name: ghostfolio
|
||||
owner: ghostfolio
|
20
ansible/group_vars/database/database
Normal file
20
ansible/group_vars/database/database
Normal file
@ -0,0 +1,20 @@
|
||||
|
||||
postgresql_databases:
|
||||
- name: ttrss
|
||||
owner: ttrss
|
||||
- name: gitea
|
||||
owner: gitea
|
||||
- name: supysonic
|
||||
owner: supysonic
|
||||
- name: hass
|
||||
owner: hass
|
||||
- name: vaultwarden
|
||||
owner: vaultwarden
|
||||
- name: drone
|
||||
owner: drone
|
||||
- name: paperless
|
||||
owner: paperless
|
||||
- name: vikunja
|
||||
owner: vikunja
|
||||
- name: ghostfolio
|
||||
owner: ghostfolio
|
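Review bot: The new `postgresql_databases` list drops the `wikijs` and `dendrite` entries that the removed 54-line file earlier on this page (`@ -1,54 +0,0 @@`) listed with owners of the same name, and `postgresql_users` disappears from the clear file entirely (presumably into the encrypted vault_database file, the root SUPERUSER entry included); none of this is mentioned in the commit message, so confirm the two databases are meant to be unmanaged from now on rather than lost in the move. Style: the file opens with an empty line and no document start; replacing the blank first line with `---` matches the playbook elsewhere in this commit.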
38
ansible/group_vars/database/vault_database
Normal file
38
ansible/group_vars/database/vault_database
Normal file
@ -0,0 +1,38 @@
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
31336239306162353439323635633133393530396161656139303031323330366431653665623032
|
||||
3133326132353635336331353236396334623736383461310a633931616636396665363931393432
|
||||
34663535363362363030323439646134653163656538306230323739653739316464363232623264
|
||||
3638643737316132640a316461316335336432383066356134356231323964383861313465373765
|
||||
39393536636531663136346461383530343233346233613562336633353934353861313135643239
|
||||
36303930363663633936626361623835633932633863653230313532336239653931303530623536
|
||||
36626631363662346661313664303866343165303337376131656663373266383261643331386263
|
||||
64333137653134613365383538646463653336663637623163666365646439383636376238643131
|
||||
35373965326561666238656363333266633262373431653837623562633436386132376239363461
|
||||
37376631336265326137626138653063353766346264663632366266636635313364303432363731
|
||||
32323938386430653238303834636465333865383962623066356430396531353463393133653730
|
||||
33383364373130366437393938616431646536623635356464356438323664383635363665323561
|
||||
65613463636633643033396232386437373532663338346437656562333536333863306538386563
|
||||
34326138646331663165323061336139323963666632626635643931363330316136353262306637
|
||||
65343432643136383136636335313038343963383937663865303430623466383465623332373764
|
||||
66366232646132653632366530643362323131616333333534616264326136636363386138623463
|
||||
61323562303261363331653363326137313966323563373331356362373431313735613937313239
|
||||
30373130336637623766393130646330366235373831336538376364376139396362326336396238
|
||||
33353234323036333631343137323130303531616133363630633336633434363932386334333964
|
||||
66396632616433643637306564656431663531353762356534663866613765376631356566626164
|
||||
62646262616265313533666362653837373230303863313336656566623036396530346561313937
|
||||
66376662353361653532616637666439653565383737636239396233613435373330653664323931
|
||||
61333434346430623637653232363462336330386538646433303830373235333539326433333261
|
||||
32306634396531626638366465646364393330653739393764623639396565653234376634366535
|
||||
36303361613662353337333162343633313437316431336332646235636332653239366338623737
|
||||
35643262316531623538626335343563636238363639373730333332393032396565643735383236
|
||||
61383437336237363934626535343037353036343532646339393937316535623532633838373964
|
||||
61633932626664353264653535373130346334626262373665666137663366663738656563393966
|
||||
62313939643930353165356430363031613830383738333938386635333234636630313735613266
|
||||
62373862306335383839656566386163333530626539353436623031303432643461623663303036
|
||||
66313064323363623438316532386331313762343266323430303066643861653261363765623038
|
||||
38613334356431323033653733363835616534316233383431303136623761333935343231626430
|
||||
38353237333430633063303264653033316539353862336433366661303538653933373437346161
|
||||
34313164346332336637653563336631313762333031333237326265663437666539306332396136
|
||||
36323736313562636235353139663532333436363163383238643531336131386664636530336239
|
||||
38336539363661333330643238326263333730663035313534643039376237313332363638663863
|
||||
32643334343034333438383132666134386562643566643463346561313036363837
|
@ -4,10 +4,6 @@ dhcpd_domain_name: "lan.{{ domain.name }}"
|
||||
dhcpd_nameservers:
|
||||
- '192.168.1.4'
|
||||
- '192.168.1.41'
|
||||
dhcpd_keys:
|
||||
- key: dhcp
|
||||
algorithm: HMAC-MD5
|
||||
secret: "{{ lookup('hashi_vault','secret=secrets/data/ansible/other:dhcpd_key') }}"
|
||||
|
||||
dhcpd_zones:
|
||||
- zone: "lan.{{ domain.name }}."
|
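Review bot: `dhcpd_keys` is removed from this file, so the TSIG key for the `lan.{{ domain.name }}.` zone in `dhcpd_zones` now has to come from the encrypted vault_dhcp file, which cannot be checked here. If the entry was copied over unchanged it still carries `algorithm: HMAC-MD5`; since the secret is being relocated anyway, this is the moment to regenerate it with `HMAC-SHA256`. A pointer such as `# dhcpd_keys (TSIG key used by dhcpd_zones) lives in the encrypted vault_dhcp file` above `dhcpd_zones:` would document where the key went.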
13
ansible/group_vars/dhcp/vault_dhcp
Normal file
13
ansible/group_vars/dhcp/vault_dhcp
Normal file
@ -0,0 +1,13 @@
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
66616338633634336135333064663732313730373234663838623537396533373536623563636661
|
||||
6639333231346463346133313664626438383432383864310a326665386463666633333537303139
|
||||
62313337666231636664356439343333646166313062616235663463386339393661396537653132
|
||||
3162303733376534630a633236613235323835363636323031313132646430346235636533323565
|
||||
65633837303666346338333262333430623636393464636662373831393639376262353563616266
|
||||
39646539633831613732643337343661653566383962343330393634626639343465353233373234
|
||||
61653539626630303634373163383362346132323866623035663962643865363766626235653561
|
||||
63616232383761643431343239356566643630376563333236663835666534623535653663303165
|
||||
62343331653162336339663764346439306264353961623431313935353530623864643734303038
|
||||
64653366653739656161663638653561336433373439643138366331303135323264613162616636
|
||||
30353635623437666164353766666233323530393334613165343065663264303835336462643338
|
||||
63336132646437336466
|
@ -19,8 +19,6 @@ consul_snapshot: True
|
||||
|
||||
vault_snapshot: true
|
||||
vault_backup_location: "/mnt/diskstation/git/backup/vault"
|
||||
vault_roleID: "{{ lookup('hashi_vault','secret=secrets/data/ansible/hashistack:vault-snapshot_approle') }}"
|
||||
vault_secretID: "{{ lookup('hashi_vault','secret=secrets/data/ansible/hashistack:vault-snapshot_secretID') }}"
|
||||
partition_table:
|
||||
- device: "/dev/sda"
|
||||
label: gpt
|
||||
|
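Review bot: `vault_snapshot: true` and `vault_backup_location` stay enabled while the AppRole credentials `vault_roleID`/`vault_secretID` the snapshot needs are removed from this file; unless the new encrypted vault_vault file defines both (not verifiable here), the snapshot job would run without credentials. The later hunk ending in `vault_backup_location: "/mnt/diskstation/git/backup/vault"` after `vault_snapshot: True` has the same dependency. While here, `consul_snapshot: True` (and `vault_snapshot: True` in that other hunk) should be the canonical lowercase `true`, as the neighbouring `vault_snapshot: true` already is.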
@ -15,5 +15,3 @@ wireguard_postdown:
|
||||
consul_snapshot: True
|
||||
vault_snapshot: True
|
||||
vault_backup_location: "/mnt/diskstation/git/backup/vault"
|
||||
vault_roleID: "{{ lookup('hashi_vault','secret=secrets/data/ansible/hashistack:vault-snapshot_approle') }}"
|
||||
vault_secretID: "{{ lookup('hashi_vault','secret=secrets/data/ansible/hashistack:vault-snapshot_secretID') }}"
|
||||
|
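--- a/ansible/misc/vault-keyring-client.sh
+++ b/ansible/misc/vault-keyring-client.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+readonly vault_password_file_encrypted="$(dirname $0)/vault-password.gpg"
+
+# flock used to work around "gpg: decryption failed: No secret key" in tf-stage2
+# would otherwise need 'auto-expand-secmem' (https://dev.gnupg.org/T3530#106174)
+flock "$vault_password_file_encrypted" \
+gpg --batch --decrypt --quiet "$vault_password_file_encrypted"
+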
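Review bot: `$0` is unquoted inside the command substitution on the `readonly` line, so a checkout path containing whitespace splits dirname's argument; write `readonly vault_password_file_encrypted="$(dirname "$0")/vault-password.gpg"`. The file name here is `vault-password.gpg`, but the new docs/How-to/ansible_vault.md hunk writes the re-encrypted password to `misc/vault--password.gpg` (double dash), so following the documented rotation would leave this script decrypting a stale file — one of the two names needs fixing. The `tf-stage2` reference in the comment comes from wherever the script was copied from and means nothing in this repository; reword it to what actually happens, e.g. `# flock serialises concurrent calls so parallel gpg decrypts do not fail with "No secret key" (https://dev.gnupg.org/T3530#106174)`.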
BIN
ansible/misc/vault-password.gpg
Normal file
BIN
ansible/misc/vault-password.gpg
Normal file
Binary file not shown.
@ -1,15 +1,11 @@
|
||||
---
|
||||
- hosts: all
|
||||
remote_user: root
|
||||
vars:
|
||||
provissionning_default_root: "{{ lookup('hashi_vault','secret=secrets/data/ansible/user:root') }}"
|
||||
roles:
|
||||
- ansible-arch-provissionning
|
||||
|
||||
- hosts: all
|
||||
remote_user: root
|
||||
vars:
|
||||
ansible_password: "{{ lookup('hashi_vault','secret=secrets/data/ansible/user:root') }}"
|
||||
roles:
|
||||
- ansible_bootstrap
|
||||
|
||||
|
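Review bot: Both plays lose their `vars:` block, so `provissionning_default_root` for the ansible-arch-provissionning role and the `ansible_password` connection variable for the bootstrap play are no longer set anywhere visible; the bootstrap play in particular will fall back to whatever other connection credentials are configured unless `ansible_password` is now defined in group_vars (presumably the new encrypted vault_users file). A comment on each play, e.g. `# root password / ansible_password come from the encrypted group_vars/all/vault_users`, would record where they went.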
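--- a/docs/How-to/ansible_vault.md
+++ b/docs/How-to/ansible_vault.md
@@ -0,0 +1,25 @@
+# ansible vault management
+
+ansible password are encoded with a gpg key store in ansible/misc
+to renew password follow this workflown
+
+```sh
+# Generate a new password for the default vault
+pwgen -s 64 default-pw
+
+# Re-encrypt all default vaults
+ansible-vault rekey --new-vault-password-file ./default-pw \
+$(git grep -l 'ANSIBLE_VAULT;1.1;AES256$')
+
+# Save the new password in encrypted form
+# (replace "RECIPIENT" with your email)
+gpg -r RECIPIENT -o misc/vault--password.gpg -e default-pw
+
+# Ensure the new password is usable
+ansible-vault view misc/vaults/vault_hcloud.yml
+
+# Remove the unencrypted password file
+rm new-default-pw
+```
+
+script `vault-keyring-client.sh` is set in ansible.cfg as vault_password_file to decrypt the gpg file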