M playbooks/avalon.yml => playbooks/avalon.yml +1 -1
@@ 39,7 39,7 @@
- { role: keycloak }
- { role: grafana }
- { role: murmur }
- # - { role: borg } # file secret
+ - { role: borg }
- { role: navidrome }
# - { role: screego } # docker
- { role: syncthing }
M roles/borg/tasks/main.yml => roles/borg/tasks/main.yml +8 -3
@@ 1,4 1,9 @@
---
+- name: Get secrets
+ ansible.builtin.set_fact:
+ ssh_key: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/ssh/avalon_borg:private') }}"
+ borg_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/borg/' ~ inventory_hostname) }}"
+
- name: Install
community.general.pacman:
name: borg
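Review bot: The new `Get secrets` task stores an SSH private key and the borg passphrase/key in facts without `no_log: true`, so the values are printed in the task result under `-v` and recorded by any result-logging callback; add `no_log: true` to this task, and to the three `ansible.builtin.copy` tasks later in this file that now receive the material via `content:` (in `--diff` mode a copy task prints the content as a file diff). A second point: `ssh_key` is read from the fixed path `ansible/data/ssh/avalon_borg:private` while `borg_secrets` is keyed by `inventory_hostname`, so if the role is ever applied to another host it would receive avalon's key; either key the SSH path by host as well or state the restriction in a comment, e.g. `# SSH key is avalon-specific; borg secrets are per inventory_hostname`. The same missing `no_log: true` applies to the consolidated `Get secrets` task in roles/srht/tasks/main.yml.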
@@ 14,7 19,7 @@
- name: Install SSH key
ansible.builtin.copy:
- src: /home/xenrox/decrypted/ssh/{{ inventory_hostname }}.priv
+ content: "{{ ssh_key }}"
dest: /root/.ssh/id_rsa
owner: root
group: root
@@ 30,7 35,7 @@
- name: Install borg passphrase
ansible.builtin.copy:
- src: /home/xenrox/decrypted/borg/{{ inventory_hostname }}.pass
+ content: "{{ borg_secrets['pass'] }}"
dest: /etc/.secrets/borg.pass
owner: root
group: root
@@ 46,7 51,7 @@
- name: Install borg key
ansible.builtin.copy:
- src: /home/xenrox/decrypted/borg/{{ inventory_hostname }}.key
+ content: "{{ borg_secrets['key'] }}"
dest: /root/.config/borg/keys/borg.key
owner: root
group: root
M roles/srht/tasks/main.yml => roles/srht/tasks/main.yml +1 -10
@@ 2,17 2,8 @@
- name: Get secrets
ansible.builtin.set_fact:
srht_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/srht') }}"
-
-- name: Get gpg secrets
- ansible.builtin.set_fact:
- gpg_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/srht-gpg') }}"
-
-- name: Get minio secrets
- ansible.builtin.set_fact:
+ gpg_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/gpg/sourcehut') }}"
minio_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/minio') }}"
-
-- name: Get email secrets
- ansible.builtin.set_fact:
email_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/email') }}"
- name: install srht packages
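Review bot: Moving the GPG lookup from `ansible/data/srht-gpg` to `ansible/data/gpg/sourcehut` does not remove the copy of the GPG private key that the deleted `vault-files.sh` wrote under the old path; nothing in this diff touches it, so, assuming the old secret still exists in Vault, it should be deleted once the new path is confirmed working rather than left as an unmanaged duplicate. It would also help to record where the path comes from, e.g. `# paths under ansible/data/{ssh,gpg,borg}/ are written by terraform_vault/secrets.tf` above the `set_fact`, since the Ansible side and the Terraform side now have to agree on naming.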
M terraform_vault/secrets.tf => terraform_vault/secrets.tf +55 -1
@@ 26,7 26,7 @@ resource "vault_generic_secret" "wireguard" {
}
# wireguard VPN keys
-#
+
resource "vault_generic_secret" "wireguard_vpn" {
for_each = fileset("/home/xenrox/decrypted/wireguard_vpn", "*")
@@ 35,3 35,57 @@ resource "vault_generic_secret" "wireguard_vpn" {
content = file("/home/xenrox/decrypted/wireguard_vpn/${each.key}")
})
}
+
+# SSH keys
+
+locals {
+ ssh_keys = toset([
+ "avalon_borg"
+ ])
+}
+
+resource "vault_generic_secret" "ssh_keys" {
+ for_each = local.ssh_keys
+
+ path = "ansible/ssh/${each.key}"
+ data_json = jsonencode({
+ public = file("/home/xenrox/decrypted/ssh/${each.key}.pub")
+ private = file("/home/xenrox/decrypted/ssh/${each.key}.priv")
+ })
+}
+
+# GPG keys
+
+locals {
+ gpg_keys = toset([
+ "sourcehut"
+ ])
+}
+
+resource "vault_generic_secret" "gpg_keys" {
+ for_each = local.gpg_keys
+
+ path = "ansible/gpg/${each.key}"
+ data_json = jsonencode({
+ public = file("/home/xenrox/decrypted/gpg/${each.key}/public.key")
+ private = file("/home/xenrox/decrypted/gpg/${each.key}/private.key")
+ })
+}
+
+# Borg
+
+locals {
+ borg = toset([
+ "xenrox.net"
+ ])
+}
+
+resource "vault_generic_secret" "borg" {
+ for_each = local.borg
+
+ path = "ansible/borg/${each.key}"
+ data_json = jsonencode({
+ key = file("/home/xenrox/decrypted/borg/${each.key}.key")
+ pass = file("/home/xenrox/decrypted/borg/${each.key}.pass")
+ })
+}
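Review bot: The three new `vault_generic_secret` resources build `data_json` from plaintext key files with `file()`, and like any resource attribute the value is persisted in Terraform state, so the SSH, GPG and borg private keys now also reside wherever `terraform_vault` state is kept; the existing `wireguard_vpn` resource already has this property, but this hunk adds several long-lived keys, so the state backend must be treated as holding secrets (encrypted at rest, access restricted). The `local.borg` entries are consumed by Ansible via `inventory_hostname` (the borg role looks up `ansible/data/borg/` ~ inventory_hostname), which is not obvious from the Terraform side; a comment above the set, `# one entry per host; must equal the host's Ansible inventory_hostname`, would prevent silent mismatches. As a point of style, the three `locals` blocks could be merged into one, although Terraform accepts multiple.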
D terraform_vault/vault-files.sh => terraform_vault/vault-files.sh +0 -6
@@ 1,6 0,0 @@
-#!/bin/sh
-
-# Store files in vault with help of the CLI
-
-vault kv put ansible/srht-gpg private=@/home/xenrox/decrypted/gpg/sourcehut/private.key \
- public=@/home/xenrox/decrypted/gpg/sourcehut/public.key