From 52828e4ba4809c0db4c184d5c41ff4bfe6f9b1e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thorben=20G=C3=BCnther?=
Date: Thu, 14 Oct 2021 12:59:25 +0200
Subject: [PATCH] srht: Store GPG keys in vault as well

This enables a better auto-deploy pipeline.
---
 roles/srht/tasks/main.yml | 12 ++++++++----
 roles/srht/templates/sourcehut.priv.j2 | 1 +
 roles/srht/templates/sourcehut.pub.j2 | 1 +
 terraform_vault/vault-files.sh | 6 ++++++
 4 files changed, 16 insertions(+), 4 deletions(-)
 create mode 100644 roles/srht/templates/sourcehut.priv.j2
 create mode 100644 roles/srht/templates/sourcehut.pub.j2
 create mode 100755 terraform_vault/vault-files.sh

diff --git a/roles/srht/tasks/main.yml b/roles/srht/tasks/main.yml
index 31060d1..f05de1e 100644
--- a/roles/srht/tasks/main.yml
+++ b/roles/srht/tasks/main.yml
@@ -3,6 +3,10 @@
 ansible.builtin.set_fact:
 srht_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/srht') }}"
 
+- name: Get gpg secrets
+ ansible.builtin.set_fact:
+ gpg_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/srht-gpg') }}"
+
 - name: Get minio secrets
 ansible.builtin.set_fact:
 minio_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/minio') }}"
@@ -34,16 +38,16 @@
 notify: restart srht
 
 - name: Deposit GPG private key
- ansible.builtin.copy:
- src: /home/xenrox/decrypted/gpg/sourcehut/private.key
+ ansible.builtin.template:
+ src: sourcehut.priv.j2
 dest: /etc/sr.ht/sourcehut.priv
 owner: root
 group: root
 mode: 0644
 
 - name: Deposit GPG public key
- ansible.builtin.copy:
- src: /home/xenrox/decrypted/gpg/sourcehut/public.key
+ ansible.builtin.template:
+ src: sourcehut.pub.j2
 dest: /etc/sr.ht/sourcehut.pub
 owner: root
 group: root
diff --git a/roles/srht/templates/sourcehut.priv.j2 b/roles/srht/templates/sourcehut.priv.j2
new file mode 100644
index 0000000..9cec2fb
--- /dev/null
+++ b/roles/srht/templates/sourcehut.priv.j2
@@ -0,0 +1 @@
+{{ gpg_secrets['private'] }}
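Review bot: The new `Get gpg secrets` task puts a GPG private key into a fact without `no_log: true`, so a run with `-v` or `--diff` prints the key material to the controller output and to any CI log that captures it; add `no_log: true` to that task. The same gap applies to the `Deposit GPG private key` task in the second hunk of this file, which now renders the key through `ansible.builtin.template` and would show the full key in diff output. The lookup path `ansible/data/srht-gpg` is the KV v2 read path for the `ansible/srht-gpg` secret that the new `vault-files.sh` writes, presumably with the CLI inserting the `data/` segment; a one-line comment on the task saying so would spare the next reader the cross-check.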
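Review bot: `mode: 0644` on `/etc/sr.ht/sourcehut.priv` (an unchanged context line in the second hunk) leaves the GPG private key readable by every local user, and moving the key into Vault is the right moment to tighten it; unless the sr.ht services read the file as an unprivileged account, `mode: "0600"` (or `"0640"` with `group` set to the service group) is the safer setting, and quoting the mode also sidesteps the YAML octal-literal ambiguity. The public-key task can keep 0644. Both `Deposit` tasks now push Vault-sourced content through Jinja, which only renders cleanly as long as the stored armor contains no `{{` or `{%` sequences — ASCII-armored keys normally do not, but `ansible.builtin.copy` with `content: "{{ gpg_secrets['private'] }}"` would avoid the question and the two one-line templates altogether.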
diff --git a/roles/srht/templates/sourcehut.pub.j2 b/roles/srht/templates/sourcehut.pub.j2
new file mode 100644
index 0000000..feab627
--- /dev/null
+++ b/roles/srht/templates/sourcehut.pub.j2
@@ -0,0 +1 @@
+{{ gpg_secrets['public'] }}
diff --git a/terraform_vault/vault-files.sh b/terraform_vault/vault-files.sh
new file mode 100755
index 0000000..bb03e9c
--- /dev/null
+++ b/terraform_vault/vault-files.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+# Store files in vault with help of the CLI
+
+vault kv put ansible/srht-gpg private=@/home/xenrox/decrypted/gpg/sourcehut/private.key \
+ public=@/home/xenrox/decrypted/gpg/sourcehut/public.key
-- 
2.44.0
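Review bot: `vault-files.sh` runs without `set -eu` and hard-codes `/home/xenrox/decrypted/gpg/sourcehut`, so it only works on one workstation and a missing key file is noticed only when `vault kv put` fails; a small change makes it portable: `set -eu` after the shebang, `key_dir="${1:-/home/xenrox/decrypted/gpg/sourcehut}"`, and `private=@"$key_dir/private.key" public=@"$key_dir/public.key"` in the put. Reading the keys via the `@file` form is the right choice, since the key bytes never appear in the command line or shell history; the existing comment could state that, e.g. `# @file reads the keys from disk so they are not passed as literal arguments`. The path `ansible/srht-gpg` is the KV v2 write form of the `ansible/data/srht-gpg` path the Ansible lookup reads in `roles/srht/tasks/main.yml`, which is worth a comment here so the two stay in step.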