From 595e3316c4ab7572777f408b4b7971448c74e361 Mon Sep 17 00:00:00 2001
From: Evangelos Foutras <evangelos@foutrelis.com>
Date: Sat, 17 Sep 2022 22:09:27 +0300
Subject: [PATCH] aurweb/rspamd: append .vault to vaulted secrets

This avoids triggering a GitLab push rule which rejects files that look
like secrets.
---
 docs/email.md                                               | 4 ++--
 roles/aurweb/files/{id_ed25519 => id_ed25519.vault}         | 0
 roles/aurweb/tasks/main.yml                                 | 2 +-
 ...kim-ed25519.key => archlinux.org.dkim-ed25519.key.vault} | 0
 ...ux.org.dkim-rsa.key => archlinux.org.dkim-rsa.key.vault} | 0
 ...25519.key => lists.archlinux.org.dkim-ed25519.key.vault} | 0
 ....dkim-rsa.key => lists.archlinux.org.dkim-rsa.key.vault} | 0
 roles/rspamd/tasks/main.yml                                 | 6 +++---
 8 files changed, 6 insertions(+), 6 deletions(-)
 rename roles/aurweb/files/{id_ed25519 => id_ed25519.vault} (100%)
 rename roles/rspamd/files/{archlinux.org.dkim-ed25519.key => archlinux.org.dkim-ed25519.key.vault} (100%)
 rename roles/rspamd/files/{archlinux.org.dkim-rsa.key => archlinux.org.dkim-rsa.key.vault} (100%)
 rename roles/rspamd/files/{lists.archlinux.org.dkim-ed25519.key => lists.archlinux.org.dkim-ed25519.key.vault} (100%)
 rename roles/rspamd/files/{lists.archlinux.org.dkim-rsa.key => lists.archlinux.org.dkim-rsa.key.vault} (100%)

diff --git a/docs/email.md b/docs/email.md
index 65163b23b..152c1b3e4 100644
--- a/docs/email.md
+++ b/docs/email.md
@@ -62,8 +62,8 @@ rspamadm dkim_keygen -s dkim-rsa -b 4096 -d archlinux.org -t rsa -k archlinux.or
 the ouput gives you the DNS entries to add to the terraform files.
 The keys generated need to go to the vault:
 ```
-roles/rspamd/files/archlinux.org.dkim-rsa.key
-roles/rspamd/files/archlinux.org.dkim-ed25519.key
+roles/rspamd/files/archlinux.org.dkim-rsa.key.vault
+roles/rspamd/files/archlinux.org.dkim-ed25519.key.vault
 ```
 
 # Gitlab servicedesk
diff --git a/roles/aurweb/files/id_ed25519 b/roles/aurweb/files/id_ed25519.vault
similarity index 100%
rename from roles/aurweb/files/id_ed25519
rename to roles/aurweb/files/id_ed25519.vault
diff --git a/roles/aurweb/tasks/main.yml b/roles/aurweb/tasks/main.yml
index 4b2c40d6f..957ddb77a 100644
--- a/roles/aurweb/tasks/main.yml
+++ b/roles/aurweb/tasks/main.yml
@@ -33,7 +33,7 @@
   file: path={{ aur_user.home }}/.ssh state=directory owner={{ aur_user.name }} group={{ aur_user.name }} mode=0700
 
 - name: Install SSH key for mirroring to GitHub
-  copy: src=id_ed25519 dest={{ aur_user.home }}/.ssh/ owner={{ aur_user.name }} group={{ aur_user.name }} mode=0600
+  copy: src=id_ed25519.vault dest={{ aur_user.home }}/.ssh/id_ed25519 owner={{ aur_user.name }} group={{ aur_user.name }} mode=0600
 
 - name: Fetch host keys for github.com
   command: ssh-keyscan github.com
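Review bot: The changed `copy` task installs a decrypted SSH private key but sets neither `no_log: true` nor `diff: false`, so a run with `--diff` may write key material into playbook output or a CI log. Adding `no_log: true` (or at least `diff: false`) to this task would close that path. The same applies to the "Install DKIM keys" task changed in roles/rspamd/tasks/main.yml. The explicit `dest={{ aur_user.home }}/.ssh/id_ed25519` is what keeps the `.vault` suffix off the installed file, which a one-line comment such as `# dest is explicit so the key is not installed as id_ed25519.vault` would make clear. The "Fetch host keys" task continues outside the hunk.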
diff --git a/roles/rspamd/files/archlinux.org.dkim-ed25519.key b/roles/rspamd/files/archlinux.org.dkim-ed25519.key.vault
similarity index 100%
rename from roles/rspamd/files/archlinux.org.dkim-ed25519.key
rename to roles/rspamd/files/archlinux.org.dkim-ed25519.key.vault
diff --git a/roles/rspamd/files/archlinux.org.dkim-rsa.key b/roles/rspamd/files/archlinux.org.dkim-rsa.key.vault
similarity index 100%
rename from roles/rspamd/files/archlinux.org.dkim-rsa.key
rename to roles/rspamd/files/archlinux.org.dkim-rsa.key.vault
diff --git a/roles/rspamd/files/lists.archlinux.org.dkim-ed25519.key b/roles/rspamd/files/lists.archlinux.org.dkim-ed25519.key.vault
similarity index 100%
rename from roles/rspamd/files/lists.archlinux.org.dkim-ed25519.key
rename to roles/rspamd/files/lists.archlinux.org.dkim-ed25519.key.vault
diff --git a/roles/rspamd/files/lists.archlinux.org.dkim-rsa.key b/roles/rspamd/files/lists.archlinux.org.dkim-rsa.key.vault
similarity index 100%
rename from roles/rspamd/files/lists.archlinux.org.dkim-rsa.key
rename to roles/rspamd/files/lists.archlinux.org.dkim-rsa.key.vault
diff --git a/roles/rspamd/tasks/main.yml b/roles/rspamd/tasks/main.yml
index ae1c52c4f..ef22bf590 100644
--- a/roles/rspamd/tasks/main.yml
+++ b/roles/rspamd/tasks/main.yml
@@ -22,11 +22,11 @@
 #
 # the ouput gives you the DNS entries to add to the terraform files.
 # The keys generated need to go to the vault:
-# roles/rspamd/files/archlinux.org.dkim-rsa.key
-# roles/rspamd/files/archlinux.org.dkim-ed25519.key
+# roles/rspamd/files/archlinux.org.dkim-rsa.key.vault
+# roles/rspamd/files/archlinux.org.dkim-ed25519.key.vault
 #
 - name: Install DKIM keys
-  copy: src={{ item }} dest=/var/lib/rspamd/dkim/ owner=rspamd group=rspamd mode=0600
+  copy: src={{ item }}.vault dest=/var/lib/rspamd/dkim/{{ item }} owner=rspamd group=rspamd mode=0600
   loop:
     - "{{ rspamd_dkim_domain }}.dkim-ed25519.key"
     - "{{ rspamd_dkim_domain }}.dkim-rsa.key"
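Review bot: With the `.vault` suffix, the files read by `src={{ item }}.vault` no longer match the push rule named in the commit message, so nothing visible in this change stops a plaintext key from being committed under a `*.vault` name, and `copy` would install it unchanged. Consider a CI or pre-commit check that the first line of every `*.vault` file starts with `$ANSIBLE_VAULT;`. Whether such a check already exists elsewhere in the repository cannot be seen from this patch. A short comment above the task, for example `# src files are ansible-vault encrypted; copy decrypts them on the controller`, would also explain the suffix to the next reader.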
-- 
GitLab