From 61f8805f46e3a209e9689af95ff76bc07480b9fe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thorben=20G=C3=BCnther?=
Date: Wed, 25 May 2022 15:03:37 +0200
Subject: [PATCH] Move remaining file secrets to vault

References: https://todo.xenrox.net/~xenrox/infrastructure/7
---
 playbooks/avalon.yml | 2 +-
 roles/borg/tasks/main.yml | 11 +++++--
 roles/srht/tasks/main.yml | 11 +------
 terraform_vault/secrets.tf | 56 +++++++++++++++++++++++++++++++++-
 terraform_vault/vault-files.sh | 6 ----
 5 files changed, 65 insertions(+), 21 deletions(-)
 delete mode 100755 terraform_vault/vault-files.sh

diff --git a/playbooks/avalon.yml b/playbooks/avalon.yml
index 928447d..13ae38d 100644
--- a/playbooks/avalon.yml
+++ b/playbooks/avalon.yml
@@ -39,7 +39,7 @@
 - { role: keycloak }
 - { role: grafana }
 - { role: murmur }
- # - { role: borg } # file secret
+ - { role: borg }
 - { role: navidrome }
 # - { role: screego } # docker
 - { role: syncthing }
diff --git a/roles/borg/tasks/main.yml b/roles/borg/tasks/main.yml
index b4c2439..980d67f 100644
--- a/roles/borg/tasks/main.yml
+++ b/roles/borg/tasks/main.yml
@@ -1,4 +1,9 @@
 ---
+- name: Get secrets
+ ansible.builtin.set_fact:
+ ssh_key: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/ssh/avalon_borg:private') }}"
+ borg_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/borg/' ~ inventory_hostname) }}"
+
 - name: Install
 community.general.pacman:
 name: borg
@@ -14,7 +19,7 @@
 
 - name: Install SSH key
 ansible.builtin.copy:
- src: /home/xenrox/decrypted/ssh/{{ inventory_hostname }}.priv
+ content: "{{ ssh_key }}"
 dest: /root/.ssh/id_rsa
 owner: root
 group: root
@@ -30,7 +35,7 @@
 
 - name: Install borg passphrase
 ansible.builtin.copy:
- src: /home/xenrox/decrypted/borg/{{ inventory_hostname }}.pass
+ content: "{{ borg_secrets['pass'] }}"
 dest: /etc/.secrets/borg.pass
 owner: root
 group: root
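Review bot: The new `Get secrets` task has no `no_log: true`, so any verbose run (`-v` and up) prints the `ansible_facts` it sets — the SSH private key and the borg passphrase/key — to the console and whatever log target is configured; add `no_log: true` directly under `- name: Get secrets`. Facts are host-global, so a name as generic as `ssh_key` is easy for another role to clobber or reuse by accident; a role-prefixed name such as `borg_ssh_key` (used in the later `content:` line as well) would be safer. The SSH lookup hardcodes `avalon_borg` while the borg lookup is keyed by `inventory_hostname`; that is presumably deliberate since this commit only enables the role on avalon, but running the role on any other host would then install avalon's key, so either derive both paths from the same variable or state the assumption in a comment, e.g. `# ssh key is avalon-specific; borg secret is per host`.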
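Review bot: Replacing `src` with `content` moves the private key into the module arguments of `Install SSH key`, so `--diff` and verbose output of this task can echo the key text; set `no_log: true` (and, if diff output is wanted for the rest of the play, at least `diff: false`) on this task next to the new `content:` line. The task's `mode:` line, if it exists, is outside the hunk — it must be `"0600"`, because `copy` with `content` creates a missing file with umask-derived permissions (typically 0644) when no mode is given, which would expose the key to every local user until the next run.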
@@ -46,7 +51,7 @@
 
 - name: Install borg key
 ansible.builtin.copy:
- src: /home/xenrox/decrypted/borg/{{ inventory_hostname }}.key
+ content: "{{ borg_secrets['key'] }}"
 dest: /root/.config/borg/keys/borg.key
 owner: root
 group: root
diff --git a/roles/srht/tasks/main.yml b/roles/srht/tasks/main.yml
index 4eae081..40264b2 100644
--- a/roles/srht/tasks/main.yml
+++ b/roles/srht/tasks/main.yml
@@ -2,17 +2,8 @@
 - name: Get secrets
 ansible.builtin.set_fact:
 srht_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/srht') }}"
-
-- name: Get gpg secrets
- ansible.builtin.set_fact:
- gpg_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/srht-gpg') }}"
-
-- name: Get minio secrets
- ansible.builtin.set_fact:
+ gpg_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/gpg/sourcehut') }}"
 minio_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/minio') }}"
-
-- name: Get email secrets
- ansible.builtin.set_fact:
 email_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/email') }}"
 
 - name: install srht packages
diff --git a/terraform_vault/secrets.tf b/terraform_vault/secrets.tf
index 3191d64..ac5033f 100644
--- a/terraform_vault/secrets.tf
+++ b/terraform_vault/secrets.tf
@@ -26,7 +26,7 @@ resource "vault_generic_secret" "wireguard" {
 }
 
 # wireguard VPN keys
-#
+
 resource "vault_generic_secret" "wireguard_vpn" {
 for_each = fileset("/home/xenrox/decrypted/wireguard_vpn", "*")
 
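Review bot: The gpg lookup now reads `ansible/data/gpg/sourcehut`, but nothing in this commit removes the old `ansible/srht-gpg` entry that the deleted `vault-files.sh` wrote via the CLI, and Terraform will not destroy it because it never managed that path; that stale copy of the GPG private key should be removed by hand once the new path is verified (on a KV v2 mount `vault kv metadata delete ansible/srht-gpg` drops all versions, not just the latest). The merged task also still lacks `no_log: true`, and since it now sets four facts in one step, a verbose run prints the GPG private key together with the srht, minio and email secrets in a single task result; add `no_log: true` beside `ansible.builtin.set_fact:`. Folding four tasks into one is otherwise a good change — fewer task results carrying secrets.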
@@ -35,3 +35,57 @@ resource "vault_generic_secret" "wireguard_vpn" {
 content = file("/home/xenrox/decrypted/wireguard_vpn/${each.key}")
 })
 }
+
+# SSH keys
+
+locals {
+ ssh_keys = toset([
+ "avalon_borg"
+ ])
+}
+
+resource "vault_generic_secret" "ssh_keys" {
+ for_each = local.ssh_keys
+
+ path = "ansible/ssh/${each.key}"
+ data_json = jsonencode({
+ public = file("/home/xenrox/decrypted/ssh/${each.key}.pub")
+ private = file("/home/xenrox/decrypted/ssh/${each.key}.priv")
+ })
+}
+
+# GPG keys
+
+locals {
+ gpg_keys = toset([
+ "sourcehut"
+ ])
+}
+
+resource "vault_generic_secret" "gpg_keys" {
+ for_each = local.gpg_keys
+
+ path = "ansible/gpg/${each.key}"
+ data_json = jsonencode({
+ public = file("/home/xenrox/decrypted/gpg/${each.key}/public.key")
+ private = file("/home/xenrox/decrypted/gpg/${each.key}/private.key")
+ })
+}
+
+# Borg
+
+locals {
+ borg = toset([
+ "xenrox.net"
+ ])
+}
+
+resource "vault_generic_secret" "borg" {
+ for_each = local.borg
+
+ path = "ansible/borg/${each.key}"
+ data_json = jsonencode({
+ key = file("/home/xenrox/decrypted/borg/${each.key}.key")
+ pass = file("/home/xenrox/decrypted/borg/${each.key}.pass")
+ })
+}
diff --git a/terraform_vault/vault-files.sh b/terraform_vault/vault-files.sh
deleted file mode 100755
index bb03e9c..0000000
--- a/terraform_vault/vault-files.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/sh
-
-# Store files in vault with help of the CLI
-
-vault kv put ansible/srht-gpg private=@/home/xenrox/decrypted/gpg/sourcehut/private.key \
- public=@/home/xenrox/decrypted/gpg/sourcehut/public.key
-- 
2.44.0
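Review bot: Each `vault_generic_secret` added here keeps its `data_json` in the Terraform state in plaintext (the provider marks the attribute sensitive, so plans redact it, but state does not), so after this change the state file holds the SSH and GPG private keys plus the borg key and passphrase alongside the existing WireGuard material; the state backend must be protected as strictly as `/home/xenrox/decrypted`, and that deserves a comment at the top of the new section, e.g. `# NOTE: data_json of these resources is persisted in terraform state - treat the state as a secret.` The set members are undocumented coupling points with the Ansible side: `"xenrox.net"` must equal the `inventory_hostname` that roles/borg substitutes into `ansible/data/borg/<inventory_hostname>`, and `"avalon_borg"` is hardcoded in that role's SSH lookup, so I would add `# keys must match inventory_hostname of the host running roles/borg` above `borg = toset([` and `# name is hardcoded in roles/borg/tasks/main.yml` above `ssh_keys = toset([`. The `public` halves are not secrets and, as far as this diff shows, nothing reads `:public`; dropping them from `data_json` would keep the stored secret surface minimal, though I cannot see whether another consumer relies on them.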