Merge branch 'super-secret-vault' into 'master'

Move highly sensitive secrets to new "super" vault See merge request archlinux/infrastructure!565

Merge branch 'super-secret-vault' into 'master'
Move highly sensitive secrets to new "super" vault See merge request archlinux/infrastructure!565
2702ddfe · Evangelos Foutras · cecfd92e · 375a7816 · 2702ddfe · 2702ddfe
Commit 2702ddfe authored May 07, 2022 by Evangelos Foutras 🐱
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -9,7 +9,8 @@ ansible-lint:
    - chmod o-w .
    # Fix syntax-check rule (https://github.com/ansible-community/ansible-lint/issues/1350#issuecomment-778764110)
    - sed "s/,hcloud_inventory.py//" -i ansible.cfg
-    - sed "/^vault_password_file/d" -i ansible.cfg
+    - sed "/^vault_identity_list/d" -i ansible.cfg
+    - sed "/misc\/vaults\/vault_/d" -i playbooks/*.yml
    # Fix load-failure: Failed to load or parse file
    - ansible-lint $(printf -- "--exclude %s " */*/vault_*)


--- a/.gitlab/issue_templates/New Official Project.md
+++ b/.gitlab/issue_templates/New Official Project.md
@@ -38,9 +38,9 @@ If you want to add a new official project, here are some guidelines to follow:
   - All of these should be activated by default as per group rules but it's good to check.
 1. [ ] The *Protected Branches* in https://gitlab.archlinux.org/archlinux/my-example/-/settings/repository should specify
       `Allowed to merge` and `Allowed to push` as `Developers + Maintainers.`
-1. [ ] Disable unneeded project features under *Visibility, project features, permissions* (https://gitlab.archlinux.org/archlinux/my-example/edit)  
+1. [ ] Disable unneeded project features under *Visibility, project features, permissions* (https://gitlab.archlinux.org/archlinux/my-example/edit)
   Always:
-   - `Users can request access`: `off`  
+   - `Users can request access`: `off`
   Often, but not always:
   - Repository -> Container registry
   - Repository -> Git Large File Storage (LFS)
@@ -86,7 +86,7 @@ If you want to add a new official project, here are some guidelines to follow:
   - `Issues`
   - `Projects`
 1. [ ] Go to https://github.com/archlinux/my-example/settings/hooks and add a new webhook
-   - `Payload URL`: `$(misc/get_key.py misc/vault_github.yml github_pull_closer_webhook_url)`
+   - `Payload URL`: `$(misc/get_key.py misc/vaults/vault_github.yml github_pull_closer_webhook_url)`
   - `Content type`: `application/json`
   - `Which events would you like to trigger this webhook?`
     - `Let me select individual events.`: `Pull requests`

--- a/.gitlab/issue_templates/Onboarding.md
+++ b/.gitlab/issue_templates/Onboarding.md
@@ -30,7 +30,7 @@ https://www.gnupg.org/gph/en/manual/x135.html
 -->

 ## All roles checklist
-The mailing list password can be found in [`misc/additional-credentials.vault`](misc/additional-credentials.vault).
+The mailing list password can be found in [`misc/vaults/additional-credentials.vault`](misc/vaults/additional-credentials.vault).

 - [ ] Add new user email as per [`docs/email.md`](docs/email.md).
 - [ ] Create a new user in [archweb](https://www.archlinux.org/devel/newuser/). Select the appropriate group membership and allowed repos (if applicable).

--- a/README.md
+++ b/README.md
@@ -20,7 +20,7 @@ run the provisioning script: `ansible-playbook playbooks/tasks/install-arch.yml
 The provisioning script configures a sane basic systemd with sshd. By design, it is NOT idempotent.
 After the provisioning script has run, it is safe to reboot.

-Once in the new system, run the regular playbook: `HCLOUD_TOKEN=$(misc/get_key.py misc/vault_hetzner.yml hetzner_cloud_api_key) ansible-playbook playbooks/$hostname.yml`.
+Once in the new system, run the regular playbook: `HCLOUD_TOKEN=$(misc/get_key.py misc/vaults/vault_hetzner.yml hetzner_cloud_api_key) ansible-playbook playbooks/$hostname.yml`.
 This playbook is the one regularity used for administrating the server and is entirely idempotent.

 When adding a new machine you should also deploy our SSH known_hosts file and update the SSH hostkeys file in this git repo.
@@ -29,9 +29,16 @@ It will also deploy any new SSH host keys to all our machines.

 #### Note about GPG keys

-The `root_access.yml` file contains the `root_gpgkeys` variable that determine the users that have access to the vault, as well as the borg backup keys.
-All the keys should be on the local user gpg keyring and at **minimum** be locally signed with `--lsign-key`. This is necessary for running either the reencrypt-vault-key
-or the fetch-borg-keys tasks.
+The `root_access.yml` file contains the `vault_default_pgpkeys` variable which
+determines the users that have access to the `default` vault, as well as the
+borg backup keys. A separate `super` vault exists for storing highly sensitive
+secrets like Hetzner credentials; access to the `super` vault is controlled by
+the `vault_super_pgpkeys` variable.
+
+All the keys should be on the local user gpg keyring and at **minimum** be
+locally signed with `--lsign-key`. This is necessary for running any of the
+`reencrypt-vault-default-key`, `reencrypt-vault-super-key `or `fetch-borg-keys`
+tasks.

 #### Note about Ansible dynamic inventories

@@ -45,7 +52,7 @@ They'll be available automatically.
 We use packer to build snapshots on hcloud to use as server base images.
 In order to use this, you need to install packer and then run

-    packer build -var $(misc/get_key.py misc/vault_hetzner.yml hetzner_cloud_api_key --format env) packer/archlinux.json
+    packer build -var $(misc/get_key.py misc/vaults/vault_hetzner.yml hetzner_cloud_api_key --format env) packer/archlinux.json

 This will take some time after which a new snapshot will have been created on the primary hcloud archlinux project.

@@ -151,26 +158,20 @@ This section has been moved to [docs/servers.md](docs/servers.md).

 ## Ansible repo workflows

-### Replace vault password and change vaulted passwords
-
-  - Generate a new key and save it as ./new-vault-pw: `pwgen -s 64 1 > new-vault-pw`
-  - `for i in $(ag ANSIBLE_VAULT -l); do ansible-vault rekey --new-vault-password-file new-vault-pw $i; done`
-  - Change the key in misc/vault-password.gpg
-  - `rm new-vault-pw`
-
-### Re-encrypting the vault after adding or removing a new GPG key
-
-  - Make sure you have all the GPG keys **at least** locally signed
-  - Run the `playbooks/tasks/reencrypt-vault-key.yml` playbook and make sure it does not have **any** failed task
-  - Test that the vault is working by running ansible-vault view on any encrypted vault file
-  - Commit and push your changes
-
 ### Fetching the borg keys for local storage

  - Make sure you have all the GPG keys **at least** locally signed
  - Run the `playbooks/tasks/fetch-borg-keys.yml` playbook
  - Make sure the playbook runs successfully and check the keys under the borg-keys directory

+### Re-encrypting the vaults after adding a new PGP key
+
+Follow the instructions in [group_vars/all/root_access.yml](group_vars/all/root_access.yml).
+
+### Changing the vault password on encrypted files
+
+See [docs/vault-rekeying.md](docs/vault-rekeying.md).
+
 ## Backup documentation

 We use BorgBackup for all of our backup needs. We have a primary backup storage as well as an

--- a/ansible.cfg
+++ b/ansible.cfg
@@ -5,7 +5,8 @@ remote_tmp = $HOME/.ansible/tmp
 remote_user = root
 nocows = 1
 roles_path = roles
-vault_password_file = misc/get-vault-pass.sh
+vault_id_match = True
+vault_identity_list = default@misc/vault-keyring-client.sh,super@misc/vault-keyring-client.sh
 retry_files_enabled = False
 callback_plugins = plugins/callback
 callbacks_enabled = profile_tasks

--- a/docs/otp.md
+++ b/docs/otp.md
@@ -14,7 +14,7 @@ Run

    pass otp insert -i GitHub -a archlinux-master-token github.com/archlinux-master-token -s

-When asked for a secret, provide the `github_master_seed` from `misc/vault_github.yml`.
+When asked for a secret, provide the `github_master_seed` from `misc/vaults/vault_github.yml`.
 You can then run

    pass otp code github.com/archlinux-master-token
@@ -30,7 +30,7 @@ Run

    pass otp insert -i Hetzner -a archlinux-master-token Hetzner/archlinux-master-token -s

-When asked for a secret, provide the `hetzner_master_seed` from `misc/vault_hetzner.yml`.
+When asked for a secret, provide the `hetzner_master_seed` from `misc/vaults/vault_hetzner.yml`.
 You can then run

    pass otp code Hetzner/archlinux-master-token
@@ -43,7 +43,7 @@ Run

    pass otp insert -i UptimeRobot -a archlinux UptimeRobot/archlinux-master-token -s

-When asked for a secret, provide the `2FA token seed` from `misc/additional-credentials.vault`.
+When asked for a secret, provide the `2FA token seed` from `misc/vaults/additional-credentials.vault`.
 You can then run

    pass otp code UptimeRobot/archlinux-master-token

--- a/docs/vault-rekeying.md
+++ b/docs/vault-rekeying.md
+# Vault rekeying
+
+## Changing the default vault password
+
+```bash
+# Generate a new password for the default vault
+pwgen -s 64 >new-default-pw
+
+# Re-encrypt all default vaults
+ansible-vault rekey --new-vault-password-file ./new-default-pw \
+  $(git grep -l 'ANSIBLE_VAULT;1.1;AES256$')
+
+# Save the new password in encrypted form
+# (replace "RECIPIENT" with your email)
+gpg -r RECIPIENT -o misc/vault-default-password.gpg -e new-default-pw
+
+# Re-encrypt the new password with all DevOps keys
+ansible-playbook playbooks/tasks/reencrypt-vault-default-key.yml
+
+# Ensure the new password is usable
+ansible-vault view misc/vaults/vault_hcloud.yml
+
+# Remove the unencrypted password file
+rm new-default-pw
+
+# Review and commit the changes
+```
+
+## Changing the super vault password
+
+```bash
+# Generate a new password for the super vault
+pwgen -s 64 >new-super-pw
+
+# Re-encrypt all super vaults
+ansible-vault rekey --new-vault-id super@./new-super-pw \
+  $(git grep -l 'ANSIBLE_VAULT;1.2;AES256;super$')
+
+# Save the new password in encrypted form
+# (replace "RECIPIENT" with your email)
+gpg -r RECIPIENT -o misc/vault-super-password.gpg -e new-super-pw
+
+# Re-encrypt the new password with all DevOps super keys
+ansible-playbook playbooks/tasks/reencrypt-vault-super-key.yml
+
+# Ensure the new password is usable
+ansible-vault view misc/vaults/vault_hetzner.yml
+
+# Remove the unencrypted password file
+rm new-super-pw
+
+# Review and commit the changes
+```
--- a/group_vars/all/root_access.yml
+++ b/group_vars/all/root_access.yml
@@ -24,9 +24,12 @@ root_ssh_keys:
  - key: klausenbusk.pub
    additional_keys: [klausenbusk_2.pub]

-# run playbook 'playbooks/tasks/reencrypt-vault-key.yml' when this changes
-# before running it, make sure to gpg --lsign-key all of the below keys
-root_gpgkeys:
+# - run 'playbooks/tasks/reencrypt-vault-{super,default}-key.yml' when this
+#   changes; before doing so, make sure to 'gpg --lsign-key' all listed keys
+# - before committing the re-encrypted password file, test if both vaults are
+#   working using `ansible-vault view misc/vaults/vault_{hetzner,hcloud}.yml`
+# NOTE: adding a key to this list gives access to both default and super vaults
+vault_super_pgpkeys: &vault_super_pgpkeys
  - 86CFFCA918CF3AF47147588051E8B148A9999C34  # foutrelis
  - 05C7775A9E8B977407FE08E69D4C5AA15426DA0A  # freswa
  - ECCAC84C1BA08A6CC8E63FBBF22FB1D78A77AEAB  # grazzolini
@@ -35,3 +38,10 @@ root_gpgkeys:
  - 8FC15A064950A99DD1BD14DD39E4B877E62EB915  # svenstaro
  - E240B57E2C4630BA768E2F26FC1B547C8D8172C8  # anthraxx
  - DB650286BD9EAE39890D3FE6FE3DC1668CB24956  # klausenbusk
+
+# - run 'playbooks/tasks/reencrypt-vault-default-key.yml' when this changes
+# - before running it, make sure to 'gpg --lsign-key' all keys listed below
+# - before committing the re-encrypted password file, test that the vault
+#   is working by running `ansible-vault view misc/vaults/vault_hcloud.yml`
+vault_default_pgpkeys:
+  - *vault_super_pgpkeys
--- a/group_vars/all/vault_arch-boxes.yml
+++ b/group_vars/all/vault_arch-boxes.yml
-$ANSIBLE_VAULT;1.1;AES256
-31616334663762643765636239633666663235363933616561386333313365666536663435623739
-3433363161663531313562666662353437333233396134390a336230353662316436363166326562
-39623835623266643133313865316437613133633630383463393361656132626334356432356338
-3730653762633437350a316461396263616662623638306565333362396532636331313263366362
-30333432626161316433393831386262613461613836616138326430386662396536383133663338
-34303238663239326133396138623465643865633931653965336664303761626562383331326663
-63623666613837333933386564396231363036633964346433376336353066396433313863656335
-37373763666136386435363733666434363965336334663762643038386135356531653138653738
-33653261613163366461366466316262363862383931383932386139636130383965393965393762
-6530663632323266653064356639316330323330316134326564
--- a/group_vars/all/vault_archive.yml
+++ b/group_vars/all/vault_archive.yml
-$ANSIBLE_VAULT;1.1;AES256
-63313830353630313333373332386337306165346632356563373537383539633735666562356637
-6537343465356337613632343432353934356364373064370a326237353134373465303736646536
-36356461336663306532613861356464663032393636656661323061313237353930653935373333
-3432643831306536320a396533343961333866313738633965623862623063623464316638646537
-62353639383065333966653034623437393538343266373938666335653637643639343662623832
-30393232633763346239663066356430616565323338363634326434383537366232373865386462
-32353839353330626263356237353635366332613435303064616235336531653938366235396165
-35306361616237336261336631626638633064383332343330336337666361346134313337393033
-30633134346362393562363239323530363563633333613730623937393733646138633938373666
-3437656233333937376461616539393565376536383262643230
--- a/group_vars/all/vault_archmanweb.yml
+++ b/group_vars/all/vault_archmanweb.yml
 $ANSIBLE_VAULT;1.1;AES256
-61323463643538343139646562616537313436663237633061333262636333363564306433353330
-3064306136366262653432383632333764353832376162320a323066366462343039646235393633
-63373666323931623530653035373936303631376631346163353239653932393638353261356366
-3766663931616137340a383735623532313462313533346539636334383339623561386165316663
-63386465393033323736343662383731383232643035636666623963646436306461303063386662
-65653439646438373466366635303662393031333739313739636434666166373235356562316464
-36376332646635623964303837336139303564333566366462666631346461636363653639383361
-62643833386334393136643465396430303835326339383632333165643233656462303432353735
-31383735316265636635393830636135343339623033396362396533363263386536
+36373932666664656436656335333131383062336662353932653066383638316264323461386239
+6632363764633534386130306637653136326337636464380a633865306262643463613231326364
+62316536633562313665653638303130663632636337363961643835626332373265396361636566
+6436653339316462380a306334613731623163306333633330303165656166623339336237336136
+35386365323962313461336133333466363164626661393839323238363236376435303439336266
+30303431626661303738343539336563633437346264626334663235333365303037383538313864
+37373433356139316338326432646330336463346130356262343661633062343939613031613032
+30376366663037393334613537653430343635613362613835316463613461323239376630333463
+31663730323232383263366430346538393431633637386632643961336136646630
--- a/group_vars/all/vault_archweb.yml
+++ b/group_vars/all/vault_archweb.yml
 $ANSIBLE_VAULT;1.1;AES256
-34373565336261636435623037626134306239363436343463363062633131333864373165363031
-3037393931396437633135326630333366626537663061350a346136346130343132386434366333
-64356266373637616535656531306161393332653036633136393234336436303562636235383535
-6366303962643064620a653863646433333539336239656531626134323032643832356165396563
-30313261373931343066356132616363653663373339343364313563343332646565363561393562
-37633334613931373964323537633361663230343434386565316432393336363263343164353933
-35636235663466613562306432383333663066356632613039353962356337333737353439386537
-31313439326237366639323230343961393330623633333737353063613963373766363734343064
-32316661646437643663323134663762653636383563396562353533613566656662336566393536
-31636533343561393534663233663030393363663837363965663038343966353830633764386339
-30646163383731376130636462346235616633316161623135303264633332633063633362356638
-33306138633064613463386438386365643063616537616666393266336136636530353662636161
-66646631613031653339356236356233343936626439396539306462376566306230363933663235
-33356362316264383733313437326437636566323263383062343066393435616663306336613465
-62373965616134643830313562386437396437353036323038353439613833316233653962663265
-36663763393636376138663938643761346434396331336637313034323838393361636135316637
-63306630653264366639663031666135343564636564613639333432363431393737376464383263
-31343434383331363937323833376232353335626132353332373835303363646562393039636235
-30313239656135626539386437626630626162646262336638646435633639356461653935653234
-30376266383464623561633139303164376565373761323535616332313630323732396533363730
-38353561373937623961343464633465306566616266633038653231653534323533623562376335
-31623638643336663637356331656363333633663730316635326133376633303933346461373838
-39326537376338313161376537303738376139613631316332663739313266366434323465313335
-61323964396331626365363737373566336565333438303935623534626433363130316133626236
-64656535613435326464633561343065313865313437366365316162323534666430393234383163
-3663353632333065383764313531303631386335646363636363
+34616161346465373533343761366432323732346633303031316636376231313133386363653634
+3632393764636436623837646163306337653832396434380a383637306261616432346139666439
+30396465373833346138376564643861376531346137346465623430636230313364336530643337
+6566393639623866330a626461333665366366616435313430623064643634316638666361343231
+32646533366139343731376466346262316533383830666561666637626335363131316163393265
+61313966396161343338623738353536636538653237663935333434363564343837343562623230
+62333037343238383663333631613734626231616331366663333465663739333539303964393531
+39636430363530633934336331323465383264323633316630313863623137373266333465376166
+36343062346230356239333231393031303437373934353962613439336262333437633431336466
+30366638643961656663343162656533393335636365623537326635643436333530323835633537
+66383061343064646365366535356639323665373937386536353538656466316362323034363661
+34623763636533313739346230353731663434396164623635663237323437303736326562316139
+32396562313162343164623134323632396665323837323862336666663731313034663538626264
+62643930386235633734643032386336356537663966393361303965663132323066373162613931
+37343835613864343764323139323636613837666435616334336538633832663034323462336634
+37383464366465353635363033323464343636393062653033306333303533396531613130333736
+37353531613066656536373436666537636633323161343637353238626333393433353863633939
+65353837303130333765393363663837383933633834346338316666636363646332303234663137
+64646530326130326561383732333638633131646438393161343962613861383739646139343537
+66626439386565663334383836633632633732353661346130323661333061663464616233663464
+35383161656338633737383233356563616339663165353262326463383235303334343332363265
+34616161636263616132393836373031626437306532663364303838393935643533396564343434
+39336233393834323162363730636161356663643762643333323530313562643131306364353138
+64363037633335633836653237333236323062353537623766636435666562626438386430653939
+62623362326535393037303736313263366138636363303564393831353665386566646265393234
+3132333865303039353137306237623036353661646665613566
--- a/group_vars/all/vault_archwiki.yml
+++ b/group_vars/all/vault_archwiki.yml
 $ANSIBLE_VAULT;1.1;AES256
-32656432386262646434353338626361306136333830386335306131663861356539643835623861
-3636373336623663626231303137396464323362393466330a303666663337303430633166373636
-64653965633030386632306138643965646366626630373134666239653639333563626233613864
-3165623332623230310a626139303632646235343430336665366239396132396436623934663635
-35353532626637613363356663646537393663303762376338383134626161653965386236666437
-65613164343662376437386662326538383134656636353631323366646563393536386434633131
-63366466356434616563663261356234356464386165366232313839663866303038366462333430
-31383236343438303961323137623263346630616166336265343861303939316232346231333538
-34623965623937326161343633646433343436373335393837653434336136633965343232643865
-33613662393734343161396130326139643634623439663161346536653065306633316238613633
-65633164313964316463333162353864626338353563633037393134383634306532643830653565
-35333131666262313739353338336532633462376166326533373734396665336165626365653734
-34326534393833346463323065326238623832336663636638636163326338663732303235313665
-3166313865633165313932623733623561313964303534393432
+39353338653939653833623663616532633266323936623731386235633565303930336434346662
+3730353930363139366330653738383638356661636165340a616163643730323136316565356464
+39633834626333343939333730373364633666306362306231646437353362323435356463343265
+3334376636663663660a323534393266373564383862316534663066653333393031663735363931
+32656538336338636661633930356366356231303936643332306663396336646236643861396330
+65393835636361653866636233316335656564363937636163666536323334636230356361356335
+65393934313733383136336165656565396336616533623331343163353864363033316461383032
+63343964633130333533356137353965663862646464303739646434373263656438656239366662
+39663538353961336262623863343532656137353532633165613333643133663034663035363234
+31646164643232383236653031373764343235623661343261383766343339373663333632323438
+39643931653439386365303032373063613563343037333030373033613634666235633266636163
+61643339356264656265666465653363396339636130393234326463636437356134333662643833
+61626139666565363764303166326631323235383030333435336133643663303435666139626337
+3131363133386230623265633838383532353031623335396235
--- a/group_vars/all/vault_dnswl.yml
+++ b/group_vars/all/vault_dnswl.yml
-$ANSIBLE_VAULT;1.1;AES256
-66383261323565303133623663323763383537323633623861356339313831333761373430643533
-3831393837613132376565353736353431383833313231390a663430613938643733623365376364
-37323264633764343532366635643838636434343363333266643038643961633961363638663538
-3062613636616265360a393666653735383563333462376661376562633132373236376534366531
-35333335323636326438373565643931333730316632303864356564363662333932633538663936
-61663162666563623564333639393135633039393536373139656137666263623339353864353565
-30663939376564636438313937373631343766376661663731663165376137396531333961313133
-66666437336236306461
--- a/group_vars/all/vault_docker.yml
+++ b/group_vars/all/vault_docker.yml
-$ANSIBLE_VAULT;1.1;AES256
-39623037633332613232313762623162663966613130323462316561666531626162323330356334
-6562623637616234376632363132313261353736353063300a653732326333653565663262323535
-66346465343865613334353931633064323234336439633065663238316535366661376436303433
-3537663835336563610a323838386533636536626662306232313433633837663739636339643131
-61303138393231363930313866613164303066623032323536623034616365396234666134643035
-31343162386461343732303438323736336539326535363233623837653136616265303336376534
-33663063626432323739663166623135373363366334646566393333333934636562616366336633
-34653839346565353630336265663536346133363065646531333762616537656132303161633834
-31336132383435393064626338333062313237663130616161613532663531333861323634333065
-30353166343430303062393665316162346661653339386238333864333530613933303832393439
-64386133623366646665343063386332616434346263656436393236643130353534653835326263
-64306366653161343334653364333663353666303465353935323930393261336466356633313661
-62333333623565363765373461656230383631343136373634663835343336393731663832633237
-32323665376634353036616361383632646435613235643663393039356266653066303231636161
-356565336332626566633766386665633532
--- a/group_vars/all/vault_fluxbb.yml
+++ b/group_vars/all/vault_fluxbb.yml
 $ANSIBLE_VAULT;1.1;AES256
-64383032376139303033393463373430326534386434363565363439393561666439376338633661
-6235633862386434366232643662333463633366333139340a613863373636383731333363373830
-32303966386632313964396666633139376335616431646633353234626238346132346366623330
-6139386434633036630a386262386463636638323562613130323261326234346535633634303433
-35623530396638336661616263323133663662393466316166353633623062353738646365323432
-30336332323238346331373538353464633733656565336164343537333737666130386634663032
-39633366643238333137613037393065666263336630396334653337343633626464326231623532
-37303861633130323066643838653264346330303934353436663836396136666134656235636162
-61626531373765613433373030636135366363656235333630316131643630643431373838383438
-35383065613930656663396339353166666332356537343533393461316665616464383565383038
-35343339653664363636643665323065373863333331313363353961613561336163623565303434
-35636339333339343165
+61633537666636653165363061303131656231636238643238343566623961663234623238626366
+3631393934633566363365656564396164333163396662660a376263643664356135653333363664
+30383965623836626165666663666661303132363464356564333762383766326231303366393534
+3365636333343638350a623735366461663034646139346233643837353563316631326136363237
+64356535343736633137303261396363396433636262323766336561393363643766393538666632
+66636534346137333662626634306635356363343863393761656264313135383038643535646634
+62626536356262646330626235313935326361626461626135366365343561646262636534363839
+37306238333837353432346439383136643034356234353730636639336565646266643266656631
+30313862356362666164636535363639626264663131653966313537383236343131643165373239
+66363936303031326434626533383865326239383465636164373066663562633637346238303163
+61353934646535313866643034373837626565636434663764633632306534303366666232343163
+33386261613165376235
--- a/group_vars/all/vault_flyspray.yml
+++ b/group_vars/all/vault_flyspray.yml
 $ANSIBLE_VAULT;1.1;AES256
-61343361613862303633633138396439386134383837636362333836313839666632303565353630
-3537313830663163313235663564353261356237646533640a376533383532353638393161383862
-61373434313033613137373238353963353931656238613166633230386636313335316233656335
-3939633066353538620a346262303531653133393061393136383130326330326338353034376339
-31343366653431353565306662396232666164396366393731386661366261643063613133386431
-63373039393264393366306565616437643032653565663866376263626436613437363837373661
-30626432326665616334363538656435613238663739646630383838636339363932336530643863
-61343337373933643765386366336233383764646564383234336361363730306161306531303338
-35333535386438326162323436653664383231346566626332386565363537313438643833363632
-6566363537646133393038323339303862373165353431653038
+38623837376363333665653136393533393530313665643963636562343337626439383830343331
+3365316131333534306132346430303164623361663862310a633237306132663634633435326138
+65386235393039643335656535306239613063306434303264373737656534396337376463646231
+6563376565663739370a353164393161613235653763353830653936643237613839376138336434
+30333561386330373531613730623062356165366261643434323564663366343036643361633162
+61666138306165666635613764633863343563366639313535326532646162346463386361626238
+62396666313662616531636366663539663364373131666439316264663365626431626538636263
+34396332643435386430616631313334386435383061656132363832306463636533386164666432
+34373937663034383237643637393538313864643633313263343864656663656337303130613134
+3035356334393633613866633034616533353565643438346230
--- a/group_vars/all/vault_github.yml
+++ b/group_vars/all/vault_github.yml
 $ANSIBLE_VAULT;1.1;AES256
-34363332353038316637303436316631666563666264313531616334306135373565353333653532
-6231316461666563316462373266356338616262623463350a633631376361343430336235326430
-35353265643161666333313330383137633965303862303963616537643363393532666236373934
-3830323863326235640a346537613464316364613139386362363136643138363538613835393135
-34663063383763323733356361323530303761323739303538636237663834353538643066393230
-61663836616137616339353630616238323763663136363365363966363763386331623935393336
-34656161663539346263633738636533613532383231366266633230316138346330363834636338
-39366435383561306330666663396138363066646466663465613134346136616565383336653162
-63663432646563373631363765386635323430323161313162343962396634353234336438326364
-37653931613636323166613939383736343465323561326236336161626333653266623130303463
-346430393562333431363766636263316633
+32636634343433306539346566373462303564383261656162363632393563393062336431633761
+6334653661303834653631363937353664313132316634300a663931333832333564366363303632
+64306438333763383435353534366230303832326532646637346238386261346232346532333733
+3164353362613865300a343736373036653833626434323234303465393339326330313565656138
+63386132653532333765303066386534343262366337613166643366383337383035623934616461
+62383637373762313536343531313032343633336166666137373336663230656132656636383264
+63356131666531626435666330343632636663306562363232633036616266613665626535656565
+65613866613164393133643932636330326162303664376130323535363830333931666230363263
+62323162366332313937656530613235366339346138303432633738623938363261636339333166
+61346137366536363363626531663664366336633433393465383165616138343239636333313464
+323434323439663936613739363835356263
--- a/group_vars/all/vault_gitlab.yml
+++ b/group_vars/all/vault_gitlab.yml
 $ANSIBLE_VAULT;1.1;AES256
-62613736633165323131306431383535383930616333346638643034343036646363353337376561
-3834393838373239376230626162333036353761663536650a393137313532353766343066653630
-33626439613636396362656633333231303934313639353633633538363439656131653464633766
-3032656462623061650a616333623165313666303237366263623862313561613230383032373136
-66356538633566353232346166353134636131653736393531333630343730333862383535353439
-64333166383862646231393535303534393934393163343130343535656164363365623737616336
-63616566393932623162386234643439373138663231353361616161616530346462353966313935
-61643831323561383164396234633164363335363230396338386637613237353838396366656332
-63316565383234323861623661343665356433333038663164316366643434656233393136656566
-34646337373839616264383031376461643034613663376239363835393263336666666137393632
-63623730383361343037353138313261393163653366323764383364333062666336663661616437
-36333637313936373930663334353031393564386665303230386661326566353664363164633435
-61306564336335363638393838303164393565383163366330376531643564303537643130323636
-66383136646338616161666364326162343164643031613832383935363866393230633930623833
-31646432383735666131303638363866373961396634363762303438613331313934653136353536
-64326338393761316562313266393238633161636230363136346466306138326533663464613332
-31306365353364643936366432346237303862356536666463383364623839666435383231353837
-35386635353033373262386138663164616664343064356163383539343735326637363432326565
-30333633363131343464356539373538333139623566633862656633636436363366373765343062
-30363966666666363938613962393864346431363436633032613432663562383166663962323332
-37343532343433666465323863653234313432613066373831386362653934623431336138316136
-63373566613564366536343664353230633633626631643434366631313535623931363535356231
-36346566643736343262653663626636666362623564366661663164623839633130346338383334
-62313036633961386163373136653630303866636664656234306339306563643330306664303461
-31366133643231613738623435333566613332643062626637353133613736613463633737353464
-62303835613362336461313363386439663839393236656463366561316433633861363035326464
-36623031366664323964653665306564316366386661666533333264656262653163356564633030
-39346339623535636133613630306665333865383763363936373463313934326262613364383734
-32643037313730626263356366653032323832303736323864373334636633313134623163393937
-61373839346661376265643435313535663637643165343862323839353965393138346264396335
-38643365326638363632343731396563316233343038356633666164613761353338306264333735
-62613031323065353961366130303965316463643665663438326639363332376438383364303234
-37643037633035323366303034306235616139306466343862323339343763376563373162633833
-38393431366264376339666133393165376663616439323963643136313162303134616631313232
-30666130623763656533383530326136336266386637653533303066386634306532656637663431
-31336463613161656330636335393061303461323033643965376136653666346537646464346164
-34656632333961383535383232643038353539626339616163623763383439633661353963666539
-33633530346338626438663338613133373832306365333437336631643430333561613339616261
-32333339623636343336373563656438666531393161323665333235313062653966376464666163
-37626236316634666465326634336666313338626361313138333031333431616162616364376164
-66333961343231613134396531306336626366333936326138636566303132633265356566343463
-39303935326236303437663532653733333232353164393137313238356461353731396231623838
-30353631653536663765326436373534336130316632363965363638363431356262643931396565
-64653366323762376164643834316536626434616330326336303933636239653462373165656436
-65623235383466383236666233326331613662623932636232343534393531353234383333396230
-32626364623165666436323361663330343135653765313563333630323838326264646537653333
-33653163303961386563616466666566306430656131613134653235303661396235353932363937
-36366439626534663939663262343237303531643762333861336165366432353666626561353237
-33396361373933636636356462326561393935316362613532623464613230353161333431613532
-65333864613738376639633530323064336135376261333966613262313134316365633665383937
-61313330356664353636333265383133333935653665613337323536323661316539613164623939
-33616138396662613438633963393562323964373163356662386632393366383535333938333235
-37386466306634633738363337393066353939663665613963616436613265303533323439343336
-30383663666166326536306139633466613432653838393039653839636563316437616436346236
-36396637326537313934623939626634316337313031313434303335643630386536646538343132
-35623865363462386332353233316665643861653836656366363064623539653965643466616536
-38363237366238626161353966303935343461623333353463353161303337346337646134626534
-33353631363838383731323863393961633266346461326337633461313863656530656331663462
-61656264623032303134396633336630313433363132633939653266306262353861366266636632
-63663931313164383337666239633963653430383235333337636464623133346536613330393534
-62343030316338616332613961623034366536363265363437363934386433633864393263343161
-30623866373332303266333530363939666238646563653864636539363938333831383234386236
-38323632623337646665356565313562653237636632663362323638643638663339653633333038
-33653332346631346465333463383438343862643635343930393631363132656138383138376464
-32623435623761643435623033373536313664373664333433336563323262643963353634306461
-62376161656630653336326666646431396334353866353436323366386536643663373631336664
-64363865613065393237623737663239393062303464313364616563613734396332653836346134
-31643661336532646130363830363530323061343366643934373461383634363930623839326262
-65383464333930643062663634636365633561646363326134616366316631336165643666393665
-61636334346430666134373665303162643566343133646632323135656461343365646232633533
-37386437313633626362653331373138383962396433383332346663623031616634343735666366
-39653338303630326466373438356433663764653035333136383439343766623665643263306231
-65333163326434306235613436623265323761616536316362346236626634653534316237323530
-64633237613739386535363134323930316637396262393538363463636437643964383564373465
-38376335653963646635626630386566306564386330323431306434666139646435626533393765
-36303539323763636365663038396364663866666636366239343563613363326363643565623031
-66343239303733336538396336376433383539633832633737656266326466383164626135353366
-61373330613363626362303236616261646663363863353666353539333238386165663362346262
-66316333623834306463383739333564353431393136626237623637633965366566363831353764
-31616565326336323632386663336531303836623639376165303064333931353238373833303761
-32393433363539333635663936336538353530396262353431393762346536363630666262383166
-35383731373034393037353032363937336138373935383033363263353532656563383064636335
-61613236623061343461656135616164363933383135323564616364373461396662336133396537
-39353462653831653036346662363261376263373963306562616636313836343333363336373463
-36383866653162346664346134376537313730366637373765323164393564633330336633633030
-30316461353034363661323761313763366664366637313732623035333730396638636262376634
-62633065353664626465383831653930626162393261383537386331386164366664363837666361
-65343632313135303039666566613966663961626264663935353865626561663963353832326638
-65616336303962356662393536616365333539393131643835303538326335303631646563336362
-63343437656138636661383037613766396662643032306238383266316661613231356361326637
-38316561666266666234353761633634363937303664663734346537613863353134303031393031
-35623230663630646234623337343762666261303163316437623139326361313933353230623761
-37643066383834336437373133663031383135346436376235663030386133336461306232336533
-6132353238383465636635333937656365313638393066653631
+66653164396334363362323335316361623365313330623461386536326232383964393137363137
+3037313436373363653836383331323031303535363234320a386333326437323934653134343630
+39653931323030616632626336623966643439353763383536643435343139616531333434623437
+3235363735326635660a323138303836623437343761623465303862613237396430343964663739
+65306235306463653163633634626537353766383464623362343163303533383039653766633032
+62373730333430303237303832386266323839653839333738346237613565396333323135626135
+64363534396462343937333833643138363766333163396466323934326565353131363833626663
+31353863306164303532333037373666636536626162666463636535356532343661663931616438
+61313039663232333836316439313163623937326231636630636566613431303530643466336538
+66616535316465616462616365306338666130626237313863356461666635386139346661393965
+66663531383263313939663432383835383764386230336232613632656464356234343364316535
+38333139363732393564626338323065633734613564653036323763623038636337383866396564
+39303563373233623839396461393863633031353130343731333233623530346134626235396638
+62333635343332326535643063303635306638386431356637313839323861366331326233363434
+37613037363533373161326265656634633734316134633435663161613132393538373030323737
+32393966333738633638343239643839643562343265346537613239626531353564646566333138
+61396465363838333937393761376534663362613832346638653336306338376237323733633439
+32346566623264383836663030336139316530353937353930633130376661363138636138316665
+33383934393332393639313832653139613138366361633833663465663338623264326235623561
+32366663643966386436303437363839383935643135376364366333396331363630653763663262
+66636239386361316234313662613237653961666438346363393062623632333866646438393630
+34393261646530333939356363353761646665666664386432303031306665363730613766363332
+32313734303839393039623632633266346238643763376432366335643963323037323037666161
+33656262333561626166626534383530323461373636356362313136643564306538373039363733
+33343065303561353433633436316234626465633631393632356435363937376261623435623634
+39336266633133643731653235363562306162343638326464626565393265373463623831366162
+37376261613839323538623733356266626239663066336634363335303934336332376461306632
+65303536363738393464646336343036373463636535373261653133643162663464613134313466
+38633162396332666261633565316636636635653662633837386361633031363464303331313964
+38663432336364383163306365646438666563386564363464376635303833326539336638366661
+39356435366133303334323034613661626261373638666435613563666237656263623635366161
+34343865303562643163393235313932303165626462636163653864353764366136663763333730
+31623831333139616638323532613632623736613432663134353631343438353064316666643934
+35346433646630613138313066383938383139313632663361653762656436313765383265616434
+38666265326336663137663538383835633561383732383931663162653166333531626138333232
+64313363643731643362393035336234633864643236633965373536363830393163633832393861
+61636566623662353764303837636364666563646262316366336263623162363639396631323265
+32316633663534346166346365326661636632343739323331326162653035363462313035383562