remove HashiCorp Vault dependency on ansil metal deployment

vincent 2023-10-29 20:04:53 +01:00
parent 521ea28229
commit 14b1ac38e2
22 changed files with 168 additions and 98 deletions


@ -22,12 +22,6 @@ make create-dev
## Rebuild
to rebuild from scratch ansible need a vault server up and unseal
you can rebuild a standalone vault server with a consul database snaphot with
```sh
make vault-dev FILE=./yourconsulsnaphot.snap
```
## Architecture


@ -136,7 +136,7 @@ timeout = 30
# If set, configures the path to the Vault password file as an alternative to
# specifying --vault-password-file on the command line.
#vault_password_file = /path/to/vault_password_file
vault_password_file = ./misc/vault-keyring-client.sh
# format of string {{ ansible_managed }} available within Jinja2
# templates indicates to users editing templates files will be replaced.
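Review bot: Ansible runs `vault_password_file` as a script only when the file is executable; a non-executable file is read as the literal password, so the `./misc/vault-keyring-client.sh` set on L26 would silently hand the script's own text to ansible-vault as the password if the +x mode is not tracked in git (the page does not show the file mode). The requirement is easy to lose on a fresh clone or a permissions-stripping checkout, so it deserves a comment next to the setting: `# must stay executable: Ansible reads a non-executable vault_password_file as a plaintext password`.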


@ -18,15 +18,6 @@ systemd_mounts:
- mfsymlinks
automount: true
credentials_files:
1:
type: smb
path: /etc/creds/hetzner_credentials
username: u304977
password: "{{ lookup('hashi_vault','secret=secrets/data/ansible/storage:hetzner') }}"
systemd_mounts_enabled:
- diskstation_nomad
- hetzner_storage


@ -0,0 +1,12 @@
$ANSIBLE_VAULT;1.1;AES256
31303539336464336239376636623862303066336438383739356163616431643366386565366361
3264336232303135336334333663326234393832343235640a313638323963666631353836373531
61636261623662396330653135326238363630363938323166303861313563393063386161393238
3231336232663533640a333763643864363939336566333731353031313739616633623537386435
39613934663133613733356433616162363430616439623830663837343530623937656434366663
33656466396263616132356337326236383761363834663363643163343231366563333865656433
39316365663734653734363362363539623636666261333534313935343566646166316233623535
32323831626463656337313266343634303830633936396232663966373264313762346235646665
61333139363039363436393962666365336334663164306230393433636664623934343039323637
33383036323233646237343031633030353330633734353232343633623864333834646239346362
643634303135656333646235343366636361
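Review bot: The new encrypted file carries a `$ANSIBLE_VAULT;1.1;AES256` header with no vault-id label, as do the other vault files added in this commit (L124, L139, L157, L171, L291, L321), so every one of them is bound to the single default password and the rekey workflow has to touch all of them at once. The hashi_vault lookups removed elsewhere in the commit (L40, L67, L76-L77, L302, L328-L329, L362, L368) now have to be satisfied by variables of the same name inside these files, which cannot be verified from the ciphertext; an `ansible-vault view` of each file checked against the consuming roles is the step this commit does not show. If some of these files should rotate on a different schedule or be readable by different people, encrypting them with a labelled vault id (the 1.2 header) from the start avoids a re-encryption later.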


@ -5,5 +5,4 @@ nomad_docker_allow_caps:
nomad_vault_enabled: true
nomad_vault_address: "http://active.vault.service.{{consul_domain}}:8200"
nomad_vault_role: "nomad-cluster"
nomad_vault_token: "{{ lookup('hashi_vault','secret=secrets/data/ansible/hashistack:nomad_vault_token') }}"


@ -3,7 +3,3 @@ sssd_configure: true
ldap_search_base: "dc=ducamps,dc=win"
ldap_uri: "ldaps://ldap.ducamps.win"
ldap_sudo_search_base: "ou=sudoers,dc=ducamps,dc=win"
ldap_default_bind_dn : "uid=vaultserviceaccount,cn=users,dc=ducamps,dc=win"
ldap_password : "{{lookup('hashi_vault', 'secret=secrets/data/ansible/other:vaulserviceaccount')}}"
userPassword: "{{lookup('hashi_vault', 'secret=secrets/data/ansible/user:userPassword')}}"


@ -11,7 +11,7 @@ user:
- ssh-rsa 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 vincent@zen-pc
privatekey:
- keyname: "id_gitea"
key: "{{lookup('hashi_vault', 'secret=secrets/data/ansible/privatekey:gitea')}}"
key: "{{lookup('file', '~/.ssh/id_gitea')}}"
@ -19,11 +19,6 @@ system_user:
- name: drone-deploy
home: /home/drone-deploy
shell: /bin/bash
privatekey:
- keyname: id_gitea
key: "{{lookup('hashi_vault', 'secret=secrets/data/ansible/privatekey:gitea')}}"
authorized_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUaK+pQlosmopbZfucll9UdqDOTaODOBwoxRwkJEk1i drone@oscar
@ -35,15 +30,13 @@ system_user:
home: /root
privatekey:
- keyname: id_gitea
key: "{{lookup('hashi_vault', 'secret=secrets/data/ansible/privatekey:gitea')}}"
key: "{{lookup('file', '~/.ssh/id_gitea')}}"
user_custom_host:
- host: "git.ducamps.win"
user: "git"
keyfile: "~/.ssh/id_gitea"
- host: "gitlab.com"
user: "git"
keyfile: "~/.ssh/id_consort"
user_config_repo: "ssh://git@git.{{ domain.name }}:2222/vincent/conf2.git"
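Review bot: The `file` lookup on L86 and L101 strips trailing whitespace by default, so the private key reaches the role without its final newline; OpenSSH is known to reject a key file whose `-----END ... PRIVATE KEY-----` line is not newline-terminated, so unless the consuming role appends one itself, use `key: "{{ lookup('file', '~/.ssh/id_gitea', rstrip=False) }}"`. The lookup also reads the key from the controller's home directory at variable-evaluation time, so a run from a machine without that file fails before any task runs; a comment such as `# read from the controller's ~/.ssh when the play runs; the file must exist where ansible is invoked` would make that dependency visible. The drone-deploy user's `privatekey` block (L91-L93) appears to be dropped rather than converted, judging from the hunk counts; presumably intended, but it is not mentioned in the commit message.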


@ -0,0 +1,11 @@
$ANSIBLE_VAULT;1.1;AES256
39613433313663653039643961643165643632313938626339653365376633613135653436363938
6331623132366638633665636163336462393333336264320a666466303465663839646435626231
38396437363034313236383261326637306238616162303131356537393635363939376236386130
6466353961643233310a306631333664363332336263656638623763393732306361306632386662
37623934633932653965316532386664353130653830356237313337643266366233346633323265
37616533303561363864626531396366323565396536383133643539663630636633356238386633
34383464333363663532643239363438626135336632316135393537643930613532336231633064
35376561663637623932313365636261306131353233636661313435643563323534623365346436
65366132333635643832353464323961643466343832376635386531393834336535386364396333
3932393561646133336437643138373230366266633430663937


@ -0,0 +1,11 @@
$ANSIBLE_VAULT;1.1;AES256
34356264306639303930393736376562653636383538623131343939323563653938616534623163
6536366261666662376533393836626664373766313439660a363331326231303638626165393164
63323063623365393566643230653964393565636430303365653233323931646236366664346430
3162383233656139320a323133323262386638363738346336613862626539386538633864613131
30306539376639303365323665613732616138346530346162633761386466626238373065316230
38396662363364336134306130616661643835616161313535613331303133383334393333653335
66363538313631373736396333363837376664616166663665343030336232346237333965303861
36613763666135393531653637616463333461343232366137656336383239623166633338646561
39336563636665396666663339306534643661366264623061626661343762373037383037373561
3431656130306133323436616531343034366665636434333362


@ -0,0 +1,14 @@
$ANSIBLE_VAULT;1.1;AES256
35303137383361396262313561623237626336306366376630663065396664643630383638376436
3930346265616235383331383735613166383461643233310a663564356266663366633539303630
37616532393035356133653838323964393464333230313861356465326433353339336435363263
3162653932646662650a613762393062613433343362633365316434663661306637623363333834
61303231303362313133346461373738633239613933303564383532353537626538363636306461
66663330346566356637623036363964396137646435333139323430353639386134396537366334
39303130386432366335383433626431663034656466626265393863623438366130346562623365
63653963393663353666313631326131636361333230386461383638333338393137336562323935
37343034363961306663303232346139356534613837663230393962323333656536303161373939
65626164336166306264653538313661393934383966303135356161336331623835663235646332
63343764643861366537383962616230323036326331386333346463353835393762653735353862
32323839663365353337303363313535633362643231653663393936363539363933636430613832
32336566633962646463316636346330336265626130373636643335323762363661


@ -0,0 +1,10 @@
$ANSIBLE_VAULT;1.1;AES256
34363036323764633162633834333038323732633032633438613731613338636532363934396262
6432333762316132643130383934663537396331363536320a393332666564346137666430616562
35653437383636316136316661333039616137616234393562313634363563303766653832313831
6635646261393937360a643534653861393265613032343337316237623634613834313131633137
61323464376436323462633732663932633730336639333736613162353730313134646661366338
39653961313439386632356130353033386338623831636639346163636138336338353665353330
36333963306333383064653730643231303435306362663963363732613237626138653361373135
38663539643039643564386565393661633935626139366434643766346161393539653734343064
31336263363831646630376364663636636332336161633038663130306639393336


@ -1,54 +0,0 @@
postgresql_users:
- name: root
role_attr_flags: SUPERUSER
password: "{{ lookup('hashi_vault', 'secret=secrets/data/ansible/database:root')}}"
- name: wikijs
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/wikijs:password')}}"
- name: ttrss
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/ttrss:password')}}"
- name: gitea
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/gitea:password')}}"
- name: supysonic
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/supysonic:password')}}"
- name: hass
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/homeassistant:password')}}"
- name: vaultwarden
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/vaultwarden:password')}}"
- name: drone
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/droneci:password')}}"
- name: dendrite
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/dendrite:password')}}"
- name: paperless
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/paperless:password')}}"
- name: dump
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/dump:password')}}"
- name: vikunja
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/vikunja:password')}}"
- name: ghostfolio
password: "{{ lookup('hashi_vault', 'secret=secrets/data/database/ghostfolio:password')}}"
postgresql_databases:
- name: wikijs
owner: wikijs
- name: ttrss
owner: ttrss
- name: gitea
owner: gitea
- name: supysonic
owner: supysonic
- name: hass
owner: hass
- name: vaultwarden
owner: vaultwarden
- name: drone
owner: drone
- name: dendrite
owner: dendrite
- name: paperless
owner: paperless
- name: vikunja
owner: vikunja
- name: ghostfolio
owner: ghostfolio


@ -0,0 +1,20 @@
postgresql_databases:
- name: ttrss
owner: ttrss
- name: gitea
owner: gitea
- name: supysonic
owner: supysonic
- name: hass
owner: hass
- name: vaultwarden
owner: vaultwarden
- name: drone
owner: drone
- name: paperless
owner: paperless
- name: vikunja
owner: vikunja
- name: ghostfolio
owner: ghostfolio
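Review bot: Compared with the file removed at L176-L226, the new `postgresql_databases` list no longer declares `wikijs` or `dendrite`, and `postgresql_users` is gone from this file entirely; every remaining `owner` (ttrss, gitea, supysonic, hass, vaultwarden, drone, paperless, vikunja, ghostfolio) must therefore be defined as a user in the vaulted variables, since PostgreSQL refuses to create a database owned by a role that does not exist. If dropping the two databases is deliberate it deserves a line in the commit message, because a postgres role generally only ensures declared databases exist and leaves the others untouched, so the change is invisible on the server. A short header comment would orient the next reader: `# users and their passwords live in the vaulted vars file; only database ownership is declared here`.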


@ -0,0 +1,38 @@
$ANSIBLE_VAULT;1.1;AES256
31336239306162353439323635633133393530396161656139303031323330366431653665623032
3133326132353635336331353236396334623736383461310a633931616636396665363931393432
34663535363362363030323439646134653163656538306230323739653739316464363232623264
3638643737316132640a316461316335336432383066356134356231323964383861313465373765
39393536636531663136346461383530343233346233613562336633353934353861313135643239
36303930363663633936626361623835633932633863653230313532336239653931303530623536
36626631363662346661313664303866343165303337376131656663373266383261643331386263
64333137653134613365383538646463653336663637623163666365646439383636376238643131
35373965326561666238656363333266633262373431653837623562633436386132376239363461
37376631336265326137626138653063353766346264663632366266636635313364303432363731
32323938386430653238303834636465333865383962623066356430396531353463393133653730
33383364373130366437393938616431646536623635356464356438323664383635363665323561
65613463636633643033396232386437373532663338346437656562333536333863306538386563
34326138646331663165323061336139323963666632626635643931363330316136353262306637
65343432643136383136636335313038343963383937663865303430623466383465623332373764
66366232646132653632366530643362323131616333333534616264326136636363386138623463
61323562303261363331653363326137313966323563373331356362373431313735613937313239
30373130336637623766393130646330366235373831336538376364376139396362326336396238
33353234323036333631343137323130303531616133363630633336633434363932386334333964
66396632616433643637306564656431663531353762356534663866613765376631356566626164
62646262616265313533666362653837373230303863313336656566623036396530346561313937
66376662353361653532616637666439653565383737636239396233613435373330653664323931
61333434346430623637653232363462336330386538646433303830373235333539326433333261
32306634396531626638366465646364393330653739393764623639396565653234376634366535
36303361613662353337333162343633313437316431336332646235636332653239366338623737
35643262316531623538626335343563636238363639373730333332393032396565643735383236
61383437336237363934626535343037353036343532646339393937316535623532633838373964
61633932626664353264653535373130346334626262373665666137663366663738656563393966
62313939643930353165356430363031613830383738333938386635333234636630313735613266
62373862306335383839656566386163333530626539353436623031303432643461623663303036
66313064323363623438316532386331313762343266323430303066643861653261363765623038
38613334356431323033653733363835616534316233383431303136623761333935343231626430
38353237333430633063303264653033316539353862336433366661303538653933373437346161
34313164346332336637653563336631313762333031333237326265663437666539306332396136
36323736313562636235353139663532333436363163383238643531336131386664636530336239
38336539363661333330643238326263333730663035313534643039376237313332363638663863
32643334343034333438383132666134386562643566643463346561313036363837


@ -4,10 +4,6 @@ dhcpd_domain_name: "lan.{{ domain.name }}"
dhcpd_nameservers:
- '192.168.1.4'
- '192.168.1.41'
dhcpd_keys:
- key: dhcp
algorithm: HMAC-MD5
secret: "{{ lookup('hashi_vault','secret=secrets/data/ansible/other:dhcpd_key') }}"
dhcpd_zones:
- zone: "lan.{{ domain.name }}."


@ -0,0 +1,13 @@
$ANSIBLE_VAULT;1.1;AES256
66616338633634336135333064663732313730373234663838623537396533373536623563636661
6639333231346463346133313664626438383432383864310a326665386463666633333537303139
62313337666231636664356439343333646166313062616235663463386339393661396537653132
3162303733376534630a633236613235323835363636323031313132646430346235636533323565
65633837303666346338333262333430623636393464636662373831393639376262353563616266
39646539633831613732643337343661653566383962343330393634626639343465353233373234
61653539626630303634373163383362346132323866623035663962643865363766626235653561
63616232383761643431343239356566643630376563333236663835666534623535653663303165
62343331653162336339663764346439306264353961623431313935353530623864643734303038
64653366653739656161663638653561336433373439643138366331303135323264613162616636
30353635623437666164353766666233323530393334613165343065663264303835336462643338
63336132646437336466


@ -19,8 +19,6 @@ consul_snapshot: True
vault_snapshot: true
vault_backup_location: "/mnt/diskstation/git/backup/vault"
vault_roleID: "{{ lookup('hashi_vault','secret=secrets/data/ansible/hashistack:vault-snapshot_approle') }}"
vault_secretID: "{{ lookup('hashi_vault','secret=secrets/data/ansible/hashistack:vault-snapshot_secretID') }}"
partition_table:
- device: "/dev/sda"
label: gpt


@ -15,5 +15,3 @@ wireguard_postdown:
consul_snapshot: True
vault_snapshot: True
vault_backup_location: "/mnt/diskstation/git/backup/vault"
vault_roleID: "{{ lookup('hashi_vault','secret=secrets/data/ansible/hashistack:vault-snapshot_approle') }}"
vault_secretID: "{{ lookup('hashi_vault','secret=secrets/data/ansible/hashistack:vault-snapshot_secretID') }}"


@ -0,0 +1,9 @@
#!/bin/sh
readonly vault_password_file_encrypted="$(dirname $0)/vault-password.gpg"
# flock used to work around "gpg: decryption failed: No secret key" in tf-stage2
# would otherwise need 'auto-expand-secmem' (https://dev.gnupg.org/T3530#106174)
flock "$vault_password_file_encrypted" \
gpg --batch --decrypt --quiet "$vault_password_file_encrypted"
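Review bot: `$0` is unquoted inside the command substitution on L347, so a checkout path containing whitespace splits `dirname`'s argument; `readonly vault_password_file_encrypted="$(dirname "$0")/vault-password.gpg"` fixes it. The file the script decrypts, `vault-password.gpg`, does not match the README's rekey step, which writes `misc/vault--password.gpg` (double hyphen, L386), and that README also removes `new-default-pw` (L390) after generating `default-pw` (L380); followed verbatim it leaves the script reading a stale file and the plaintext password on disk. `--batch` is the right choice here, since a missing GPG key then fails with a non-zero exit that Ansible reports instead of hanging on a prompt.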

Binary file not shown.


@ -1,15 +1,11 @@
---
- hosts: all
remote_user: root
vars:
provissionning_default_root: "{{ lookup('hashi_vault','secret=secrets/data/ansible/user:root') }}"
roles:
- ansible-arch-provissionning
- hosts: all
remote_user: root
vars:
ansible_password: "{{ lookup('hashi_vault','secret=secrets/data/ansible/user:root') }}"
roles:
- ansible_bootstrap


@ -0,0 +1,25 @@
# ansible vault management
ansible password are encoded with a gpg key store in ansible/misc
to renew password follow this workflown
```sh
# Generate a new password for the default vault
pwgen -s 64 default-pw
# Re-encrypt all default vaults
ansible-vault rekey --new-vault-password-file ./default-pw \
$(git grep -l 'ANSIBLE_VAULT;1.1;AES256$')
# Save the new password in encrypted form
# (replace "RECIPIENT" with your email)
gpg -r RECIPIENT -o misc/vault--password.gpg -e default-pw
# Ensure the new password is usable
ansible-vault view misc/vaults/vault_hcloud.yml
# Remove the unencrypted password file
rm new-default-pw
```
script `vault-keyring-client.sh` is set in ansible.cfg as vault_password_file to decrypt the gpg file