
61f8805f46e3a209e9689af95ff76bc07480b9fe — Thorben Günther 1 year, 10 months ago 85bb5f6
Move remaining file secrets to vault

References: https://todo.xenrox.net/~xenrox/infrastructure/7
5 files changed, 65 insertions(+), 21 deletions(-)

M playbooks/avalon.yml
M roles/borg/tasks/main.yml
M roles/srht/tasks/main.yml
M terraform_vault/secrets.tf
D terraform_vault/vault-files.sh
M playbooks/avalon.yml => playbooks/avalon.yml +1 -1
@@ 39,7 39,7 @@
    - { role: keycloak }
    - { role: grafana }
    - { role: murmur }
    # - { role: borg } # file secret
    - { role: borg }
    - { role: navidrome }
    # - { role: screego } # docker
    - { role: syncthing }

M roles/borg/tasks/main.yml => roles/borg/tasks/main.yml +8 -3
@@ 1,4 1,9 @@
---
- name: Get secrets
  ansible.builtin.set_fact:
    ssh_key: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/ssh/avalon_borg:private') }}"
    borg_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/borg/' ~ inventory_hostname) }}"

- name: Install
  community.general.pacman:
    name: borg


@@ 14,7 19,7 @@

- name: Install SSH key
  ansible.builtin.copy:
    src: /home/xenrox/decrypted/ssh/{{ inventory_hostname }}.priv
    content: "{{ ssh_key }}"
    dest: /root/.ssh/id_rsa
    owner: root
    group: root


@@ 30,7 35,7 @@

- name: Install borg passphrase
  ansible.builtin.copy:
    src: /home/xenrox/decrypted/borg/{{ inventory_hostname }}.pass
    content: "{{ borg_secrets['pass'] }}"
    dest: /etc/.secrets/borg.pass
    owner: root
    group: root


@@ 46,7 51,7 @@

- name: Install borg key
  ansible.builtin.copy:
    src: /home/xenrox/decrypted/borg/{{ inventory_hostname }}.key
    content: "{{ borg_secrets['key'] }}"
    dest: /root/.config/borg/keys/borg.key
    owner: root
    group: root

M roles/srht/tasks/main.yml => roles/srht/tasks/main.yml +1 -10
@@ 2,17 2,8 @@
- name: Get secrets
  ansible.builtin.set_fact:
    srht_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/srht') }}"

- name: Get gpg secrets
  ansible.builtin.set_fact:
    gpg_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/srht-gpg') }}"

- name: Get minio secrets
  ansible.builtin.set_fact:
    gpg_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/gpg/sourcehut') }}"
    minio_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/minio') }}"

- name: Get email secrets
  ansible.builtin.set_fact:
    email_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/email') }}"

- name: install srht packages
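Review bot: The GPG lookup moves from `ansible/data/srht-gpg` to `ansible/data/gpg/sourcehut`, but nothing in this commit removes the old `ansible/srht-gpg` entry that the deleted terraform_vault/vault-files.sh wrote, so a second copy of the sourcehut GPG private key stays readable under the old path for any token whose policy still covers it. Delete it once the new path is verified (for a KV v2 mount, `vault kv metadata delete ansible/srht-gpg` removes all versions rather than only the latest) and drop the old path from any policy. The `install srht packages` task at the end of the hunk continues outside it, and its lowercase name is inconsistent with the capitalised task names above; `- name: Install srht packages` matches the rest of the file.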

M terraform_vault/secrets.tf => terraform_vault/secrets.tf +55 -1
@@ 26,7 26,7 @@ resource "vault_generic_secret" "wireguard" {
}

# wireguard VPN keys
#

resource "vault_generic_secret" "wireguard_vpn" {
  for_each = fileset("/home/xenrox/decrypted/wireguard_vpn", "*")



@@ 35,3 35,57 @@ resource "vault_generic_secret" "wireguard_vpn" {
    content = file("/home/xenrox/decrypted/wireguard_vpn/${each.key}")
  })
}

# SSH keys

locals {
  ssh_keys = toset([
    "avalon_borg"
  ])
}

resource "vault_generic_secret" "ssh_keys" {
  for_each = local.ssh_keys

  path = "ansible/ssh/${each.key}"
  data_json = jsonencode({
    public  = file("/home/xenrox/decrypted/ssh/${each.key}.pub")
    private = file("/home/xenrox/decrypted/ssh/${each.key}.priv")
  })
}

# GPG keys

locals {
  gpg_keys = toset([
    "sourcehut"
  ])
}

resource "vault_generic_secret" "gpg_keys" {
  for_each = local.gpg_keys

  path = "ansible/gpg/${each.key}"
  data_json = jsonencode({
    public  = file("/home/xenrox/decrypted/gpg/${each.key}/public.key")
    private = file("/home/xenrox/decrypted/gpg/${each.key}/private.key")
  })
}

# Borg

locals {
  borg = toset([
    "xenrox.net"
  ])
}

resource "vault_generic_secret" "borg" {
  for_each = local.borg

  path = "ansible/borg/${each.key}"
  data_json = jsonencode({
    key  = file("/home/xenrox/decrypted/borg/${each.key}.key")
    pass = file("/home/xenrox/decrypted/borg/${each.key}.pass")
  })
}
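Review bot: The three new `vault_generic_secret` resources build `data_json` from `file(...)` reads, and the Vault provider persists the full `data_json` in Terraform state and plan files in clear text, so the SSH and GPG private keys and the borg passphrase now also live wherever this state is stored; a header comment above `# SSH keys` such as `# NOTE: every data_json below is persisted unencrypted in Terraform state/plan files; keep the state backend encrypted and access-restricted.` records that, and the backend configuration (outside this hunk) should be checked against it. Style-wise the three `locals`/resource pairs differ only in name, Vault path and file layout; a single `locals` block holding `ssh_keys`, `gpg_keys` and `borg` keeps the inventory of migrated secrets in one place. Each set would also benefit from a one-line comment on what its identifiers are, since `avalon_borg` is a key name the borg role hard-codes while `xenrox.net` is an Ansible inventory hostname the same role interpolates into its lookup path.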

D terraform_vault/vault-files.sh => terraform_vault/vault-files.sh +0 -6
@@ 1,6 0,0 @@
#!/bin/sh

# Store files in vault with help of the CLI

vault kv put ansible/srht-gpg private=@/home/xenrox/decrypted/gpg/sourcehut/private.key \
    public=@/home/xenrox/decrypted/gpg/sourcehut/public.key