Move highly sensitive secrets to new "super" vault

The idea bebind this is to be able to give vault access to new DevOps members without giving away more important credentials like Hetzner's.

Move highly sensitive secrets to new "super" vault
The idea bebind this is to be able to give vault access to new DevOps members without giving away more important credentials like Hetzner's.
b4d60ae2 · Evangelos Foutras · cecfd92e · b4d60ae2 · b4d60ae2 · b4d60ae2
Verified Commit b4d60ae2 authored May 01, 2022 by Evangelos Foutras 🐱
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -9,7 +9,8 @@ ansible-lint:
    - chmod o-w .
    # Fix syntax-check rule (https://github.com/ansible-community/ansible-lint/issues/1350#issuecomment-778764110)
    - sed "s/,hcloud_inventory.py//" -i ansible.cfg
-    - sed "/^vault_password_file/d" -i ansible.cfg
+    - sed "/^vault_identity_list/d" -i ansible.cfg
+    - sed "/misc\/vaults\/vault_/d" -i playbooks/*.yml
    # Fix load-failure: Failed to load or parse file
    - ansible-lint $(printf -- "--exclude %s " */*/vault_*)


--- a/.gitlab/issue_templates/New Official Project.md
+++ b/.gitlab/issue_templates/New Official Project.md
@@ -38,9 +38,9 @@ If you want to add a new official project, here are some guidelines to follow:
   - All of these should be activated by default as per group rules but it's good to check.
 1. [ ] The *Protected Branches* in https://gitlab.archlinux.org/archlinux/my-example/-/settings/repository should specify
       `Allowed to merge` and `Allowed to push` as `Developers + Maintainers.`
-1. [ ] Disable unneeded project features under *Visibility, project features, permissions* (https://gitlab.archlinux.org/archlinux/my-example/edit)  
+1. [ ] Disable unneeded project features under *Visibility, project features, permissions* (https://gitlab.archlinux.org/archlinux/my-example/edit)
   Always:
-   - `Users can request access`: `off`  
+   - `Users can request access`: `off`
   Often, but not always:
   - Repository -> Container registry
   - Repository -> Git Large File Storage (LFS)
@@ -86,7 +86,7 @@ If you want to add a new official project, here are some guidelines to follow:
   - `Issues`
   - `Projects`
 1. [ ] Go to https://github.com/archlinux/my-example/settings/hooks and add a new webhook
-   - `Payload URL`: `$(misc/get_key.py misc/vault_github.yml github_pull_closer_webhook_url)`
+   - `Payload URL`: `$(misc/get_key.py misc/vaults/vault_github.yml github_pull_closer_webhook_url)`
   - `Content type`: `application/json`
   - `Which events would you like to trigger this webhook?`
     - `Let me select individual events.`: `Pull requests`

--- a/.gitlab/issue_templates/Onboarding.md
+++ b/.gitlab/issue_templates/Onboarding.md
@@ -30,7 +30,7 @@ https://www.gnupg.org/gph/en/manual/x135.html
 -->

 ## All roles checklist
-The mailing list password can be found in [`misc/additional-credentials.vault`](misc/additional-credentials.vault).
+The mailing list password can be found in [`misc/vaults/additional-credentials.vault`](misc/vaults/additional-credentials.vault).

 - [ ] Add new user email as per [`docs/email.md`](docs/email.md).
 - [ ] Create a new user in [archweb](https://www.archlinux.org/devel/newuser/). Select the appropriate group membership and allowed repos (if applicable).

--- a/README.md
+++ b/README.md
@@ -20,7 +20,7 @@ run the provisioning script: `ansible-playbook playbooks/tasks/install-arch.yml
 The provisioning script configures a sane basic systemd with sshd. By design, it is NOT idempotent.
 After the provisioning script has run, it is safe to reboot.

-Once in the new system, run the regular playbook: `HCLOUD_TOKEN=$(misc/get_key.py misc/vault_hetzner.yml hetzner_cloud_api_key) ansible-playbook playbooks/$hostname.yml`.
+Once in the new system, run the regular playbook: `HCLOUD_TOKEN=$(misc/get_key.py misc/vaults/vault_hetzner.yml hetzner_cloud_api_key) ansible-playbook playbooks/$hostname.yml`.
 This playbook is the one regularity used for administrating the server and is entirely idempotent.

 When adding a new machine you should also deploy our SSH known_hosts file and update the SSH hostkeys file in this git repo.
@@ -29,9 +29,16 @@ It will also deploy any new SSH host keys to all our machines.

 #### Note about GPG keys

-The `root_access.yml` file contains the `root_gpgkeys` variable that determine the users that have access to the vault, as well as the borg backup keys.
-All the keys should be on the local user gpg keyring and at **minimum** be locally signed with `--lsign-key`. This is necessary for running either the reencrypt-vault-key
-or the fetch-borg-keys tasks.
+The `root_access.yml` file contains the `vault_default_pgpkeys` variable which
+determines the users that have access to the `default` vault, as well as the
+borg backup keys. A separate `super` vault exists for storing highly sensitive
+secrets like Hetzner credentials; access to the `super` vault is controlled by
+the `vault_super_pgpkeys` variable.
+
+All the keys should be on the local user gpg keyring and at **minimum** be
+locally signed with `--lsign-key`. This is necessary for running any of the
+`reencrypt-vault-default-key`, `reencrypt-vault-super-key `or `fetch-borg-keys`
+tasks.

 #### Note about Ansible dynamic inventories

@@ -45,7 +52,7 @@ They'll be available automatically.
 We use packer to build snapshots on hcloud to use as server base images.
 In order to use this, you need to install packer and then run

-    packer build -var $(misc/get_key.py misc/vault_hetzner.yml hetzner_cloud_api_key --format env) packer/archlinux.json
+    packer build -var $(misc/get_key.py misc/vaults/vault_hetzner.yml hetzner_cloud_api_key --format env) packer/archlinux.json

 This will take some time after which a new snapshot will have been created on the primary hcloud archlinux project.

@@ -151,26 +158,20 @@ This section has been moved to [docs/servers.md](docs/servers.md).

 ## Ansible repo workflows

-### Replace vault password and change vaulted passwords
-
-  - Generate a new key and save it as ./new-vault-pw: `pwgen -s 64 1 > new-vault-pw`
-  - `for i in $(ag ANSIBLE_VAULT -l); do ansible-vault rekey --new-vault-password-file new-vault-pw $i; done`
-  - Change the key in misc/vault-password.gpg
-  - `rm new-vault-pw`
-
-### Re-encrypting the vault after adding or removing a new GPG key
-
-  - Make sure you have all the GPG keys **at least** locally signed
-  - Run the `playbooks/tasks/reencrypt-vault-key.yml` playbook and make sure it does not have **any** failed task
-  - Test that the vault is working by running ansible-vault view on any encrypted vault file
-  - Commit and push your changes
-
 ### Fetching the borg keys for local storage

  - Make sure you have all the GPG keys **at least** locally signed
  - Run the `playbooks/tasks/fetch-borg-keys.yml` playbook
  - Make sure the playbook runs successfully and check the keys under the borg-keys directory

+### Re-encrypting the vaults after adding a new PGP key
+
+Follow the instructions in [group_vars/all/root_access.yml](group_vars/all/root_access.yml).
+
+### Changing the vault password on encrypted files
+
+See [docs/vault-rekeying.md](docs/vault-rekeying.md).
+
 ## Backup documentation

 We use BorgBackup for all of our backup needs. We have a primary backup storage as well as an

--- a/ansible.cfg
+++ b/ansible.cfg
@@ -5,7 +5,8 @@ remote_tmp = $HOME/.ansible/tmp
 remote_user = root
 nocows = 1
 roles_path = roles
-vault_password_file = misc/get-vault-pass.sh
+vault_id_match = True
+vault_identity_list = default@misc/vault-keyring-client.sh,super@misc/vault-keyring-client.sh
 retry_files_enabled = False
 callback_plugins = plugins/callback
 callbacks_enabled = profile_tasks

--- a/docs/otp.md
+++ b/docs/otp.md
@@ -14,7 +14,7 @@ Run

    pass otp insert -i GitHub -a archlinux-master-token github.com/archlinux-master-token -s

-When asked for a secret, provide the `github_master_seed` from `misc/vault_github.yml`.
+When asked for a secret, provide the `github_master_seed` from `misc/vaults/vault_github.yml`.
 You can then run

    pass otp code github.com/archlinux-master-token
@@ -30,7 +30,7 @@ Run

    pass otp insert -i Hetzner -a archlinux-master-token Hetzner/archlinux-master-token -s

-When asked for a secret, provide the `hetzner_master_seed` from `misc/vault_hetzner.yml`.
+When asked for a secret, provide the `hetzner_master_seed` from `misc/vaults/vault_hetzner.yml`.
 You can then run

    pass otp code Hetzner/archlinux-master-token
@@ -43,7 +43,7 @@ Run

    pass otp insert -i UptimeRobot -a archlinux UptimeRobot/archlinux-master-token -s

-When asked for a secret, provide the `2FA token seed` from `misc/additional-credentials.vault`.
+When asked for a secret, provide the `2FA token seed` from `misc/vaults/additional-credentials.vault`.
 You can then run

    pass otp code UptimeRobot/archlinux-master-token

--- a/docs/vault-rekeying.md
+++ b/docs/vault-rekeying.md
+# Vault rekeying
+
+## Changing the default vault password
+
+```bash
+# Generate a new password for the default vault
+pwgen -s 64 >new-default-pw
+
+# Re-encrypt all default vaults
+ansible-vault rekey --new-vault-password-file ./new-default-pw \
+  $(git grep -l 'ANSIBLE_VAULT;1.1;AES256$')
+
+# Save the new password in encrypted form
+# (replace "RECIPIENT" with your email)
+gpg -r RECIPIENT -o misc/vault-default-password.gpg -e new-default-pw
+
+# Re-encrypt the new password with all DevOps keys
+ansible-playbook playbooks/tasks/reencrypt-vault-default-key.yml
+
+# Ensure the new password is usable
+ansible-vault view misc/vaults/vault_hcloud.yml
+
+# Remove the unencrypted password file
+rm new-default-pw
+
+# Review and commit the changes
+```
+
+## Changing the super vault password
+
+```bash
+# Generate a new password for the super vault
+pwgen -s 64 >new-super-pw
+
+# Re-encrypt all super vaults
+ansible-vault rekey --new-vault-id super@./new-super-pw \
+  $(git grep -l 'ANSIBLE_VAULT;1.2;AES256;super$')
+
+# Save the new password in encrypted form
+# (replace "RECIPIENT" with your email)
+gpg -r RECIPIENT -o misc/vault-super-password.gpg -e new-super-pw
+
+# Re-encrypt the new password with all DevOps super keys
+ansible-playbook playbooks/tasks/reencrypt-vault-super-key.yml
+
+# Ensure the new password is usable
+ansible-vault view misc/vaults/vault_hetzner.yml
+
+# Remove the unencrypted password file
+rm new-super-pw
+
+# Review and commit the changes
+```
--- a/group_vars/all/root_access.yml
+++ b/group_vars/all/root_access.yml
@@ -24,9 +24,12 @@ root_ssh_keys:
  - key: klausenbusk.pub
    additional_keys: [klausenbusk_2.pub]

-# run playbook 'playbooks/tasks/reencrypt-vault-key.yml' when this changes
-# before running it, make sure to gpg --lsign-key all of the below keys
-root_gpgkeys:
+# - run 'playbooks/tasks/reencrypt-vault-{super,default}-key.yml' when this
+#   changes; before doing so, make sure to 'gpg --lsign-key' all listed keys
+# - before committing the re-encrypted password file, test if both vaults are
+#   working using `ansible-vault view misc/vaults/vault_{hetzner,hcloud}.yml`
+# NOTE: adding a key to this list gives access to both default and super vaults
+vault_super_pgpkeys: &vault_super_pgpkeys
  - 86CFFCA918CF3AF47147588051E8B148A9999C34  # foutrelis
  - 05C7775A9E8B977407FE08E69D4C5AA15426DA0A  # freswa
  - ECCAC84C1BA08A6CC8E63FBBF22FB1D78A77AEAB  # grazzolini
@@ -35,3 +38,10 @@ root_gpgkeys:
  - 8FC15A064950A99DD1BD14DD39E4B877E62EB915  # svenstaro
  - E240B57E2C4630BA768E2F26FC1B547C8D8172C8  # anthraxx
  - DB650286BD9EAE39890D3FE6FE3DC1668CB24956  # klausenbusk
+
+# - run 'playbooks/tasks/reencrypt-vault-default-key.yml' when this changes
+# - before running it, make sure to 'gpg --lsign-key' all keys listed below
+# - before committing the re-encrypted password file, test that the vault
+#   is working by running `ansible-vault view misc/vaults/vault_hcloud.yml`
+vault_default_pgpkeys:
+  - *vault_super_pgpkeys
--- a/group_vars/all/vault_archive.yml
+++ b/group_vars/all/vault_archive.yml
-$ANSIBLE_VAULT;1.1;AES256
-63313830353630313333373332386337306165346632356563373537383539633735666562356637
-6537343465356337613632343432353934356364373064370a326237353134373465303736646536
-36356461336663306532613861356464663032393636656661323061313237353930653935373333
-3432643831306536320a396533343961333866313738633965623862623063623464316638646537
-62353639383065333966653034623437393538343266373938666335653637643639343662623832
-30393232633763346239663066356430616565323338363634326434383537366232373865386462
-32353839353330626263356237353635366332613435303064616235336531653938366235396165
-35306361616237336261336631626638633064383332343330336337666361346134313337393033
-30633134346362393562363239323530363563633333613730623937393733646138633938373666
-3437656233333937376461616539393565376536383262643230
--- a/group_vars/all/vault_dnswl.yml
+++ b/group_vars/all/vault_dnswl.yml
-$ANSIBLE_VAULT;1.1;AES256
-66383261323565303133623663323763383537323633623861356339313831333761373430643533
-3831393837613132376565353736353431383833313231390a663430613938643733623365376364
-37323264633764343532366635643838636434343363333266643038643961633961363638663538
-3062613636616265360a393666653735383563333462376661376562633132373236376534366531
-35333335323636326438373565643931333730316632303864356564363662333932633538663936
-61663162666563623564333639393135633039393536373139656137666263623339353864353565
-30663939376564636438313937373631343766376661663731663165376137396531333961313133
-66666437336236306461
--- a/group_vars/all/vault_docker.yml
+++ b/group_vars/all/vault_docker.yml
-$ANSIBLE_VAULT;1.1;AES256
-39623037633332613232313762623162663966613130323462316561666531626162323330356334
-6562623637616234376632363132313261353736353063300a653732326333653565663262323535
-66346465343865613334353931633064323234336439633065663238316535366661376436303433
-3537663835336563610a323838386533636536626662306232313433633837663739636339643131
-61303138393231363930313866613164303066623032323536623034616365396234666134643035
-31343162386461343732303438323736336539326535363233623837653136616265303336376534
-33663063626432323739663166623135373363366334646566393333333934636562616366336633
-34653839346565353630336265663536346133363065646531333762616537656132303161633834
-31336132383435393064626338333062313237663130616161613532663531333861323634333065
-30353166343430303062393665316162346661653339386238333864333530613933303832393439
-64386133623366646665343063386332616434346263656436393236643130353534653835326263
-64306366653161343334653364333663353666303465353935323930393261336466356633313661
-62333333623565363765373461656230383631343136373634663835343336393731663832633237
-32323665376634353036616361383632646435613235643663393039356266653066303231636161
-356565336332626566633766386665633532
--- a/group_vars/all/vault_matrix.yml
+++ b/group_vars/all/vault_matrix.yml
 $ANSIBLE_VAULT;1.1;AES256
-63663336343539643062373939303536353339336561616336643331333561636433333439646335
-6462303834396162633833343365383331666439646661630a626339316632363332353232396234
-63616636303032623461643934373663653838616165383532306464356266643736393739623961
-3136303265656137320a346639383832306662376131343132326537666366326530663932363539
-31333463653136316431386336313266303463333538623431636439643134353338363436376130
-33633366633264353533376636626661643465643130326366336233616163643339346439633366
-64323364646363306536646366326165303861663436316561343134626333376233303939663561
-32646133316664643766636634653938653133346562663264363465653962653132326466323763
-62633732323338366461323632316639616337353964346633386333666535386262316235376666
-30643063326562663937346635663766653335336134343665333235353533373265626461393930
-33383132646533323431393864666630346262316239623037366433313766653831386532626637
-35626661383437363838613439343530636634316237393631393931326665356162376235306134
-62663861646463653165626138363531366235646336613761623237376161393035313264646265
-36333166363130653361643435333763396536633239333834313139633439313436323030336537
-64363130616239306237666537656538373937383463396166383234383162356663313761383032
-31386266333333653939616333363636633165313861656238653232356439666664636365633733
-37386637383561323365326166616265653536356535356530666436383630653830353137376435
-65383265333965373031643364353563613165643034303536303239643537646133313636323265
-64653835633935306430363233373733333933363931316130633061633934656564343339626630
-36343066666530633362306438303065303065393036656665303239633238313138383462383061
-63656431613230623763386463643839656637636166633235633637306630356262303837303236
-30636137326533623733383337623530383238633931313863386338303839393438656638636230
-36636262643237383862366439386231303664616536343061636362633637633935383162623066
-37333361376130363633393432633436616438343130613430646163313239383637393566343265
-30323736383665633734623630353434646337383438306466336330343663373261643335393030
-65343432306363636666313934336338613634313339313463666431383737333132366536306231
-36306439353935306639323932663662343037306432623035653934666332396538653930623464
-63323835656565623733343734363034303262643539386264326539383762626362613162313735
-36666532383434663661353662633463376131376436303761633438313062383138356261303065
-32303233626135336161653963386165626264646166643731356439316262653039323238666630
-37343765353663643961643730623337366630363032643530363662613161643061646531323234
-34333261633931626562623264633166333166313961373336326462356132353864373136376635
-31633862303030376434343738613439333037343537383139626233343666663139376430373032
-64616166656237323865363532653065633164323632393030393366306130383832653862306432
-36666363626537386661666233323236363338643361613061353333633335393133646364353832
-63373730336432623930323530643531336437613531363466373637613937613537306130663466
-31363732613862653466643666303139613739343332623436336332643763323933633565626333
-35396130353231323334366266383564313862656637623866643131613862313666306436383135
-37646363393465643662363136643431376662303232353564346361333134396137633631353566
-64353839303032383466323163366562343231623234343634313432643439393032306430383235
-37353762656432633534666566653932316332326665383361636434396365633466613632386630
-36633665346561323633323936656365393866653936613761633838343764663235303164323032
-38393036373066313363666437313036623631356365383739653962303530306338373462663761
-35656432363962363031633762336633366135633465623037323662663739333530386435333331
-30363935646637633061373963626366316162643064626461363232306635313266643337316662
-62393766323438313638313536313232343363663462363234356364613862613537383030623335
-37396562383730393062376336633662386162626364316666626634323834393362663966373337
-65303337323038636437373266356137393931356162643761343630626336366130643633623465
-61636434383832653961643435666330393436303835313931386431646162623833373039333863
-63646436303061383934626336633338626462356137343132373061303264396235366330343635
-65313261323866386265636161373432663834323865653165616561326663653263393266633933
-33636139326565303131663337316234373961646462643163623265383532656361653336623863
-31343030666639663232376139646136663839373465643163306439643963623030633531323039
-32336263323531326161303734363364363166666635326233323239323535356335393463316539
-64633132363766343163373137666361356533333033343462643639636163323835373831303438
-33366534626461653364393663663330303239613061616161323866383834383166626464346630
-30653165323036653564393533666132373032356635313737333664303265376364653765633133
-32626165363862303733623162336438323732656637303064343633333364333132616233363336
-35666362643763376231306534343266613037666663356465626163663331366339376562396437
-38633533383763356139356139323932363733393866343937376234303331663937613334376366
-32653564613539626136356637623932666364646431643463393432336236303435613538386361
-66663237383531356336373439303739303232376466383761383935653030363737373231616562
-31663765323933643964323465643330306337363832343365653939303765393431386437393933
-36663763303465626432633538323339343031343938643738616434396639333532396364303665
-34623466326261383034663764626132656633366439363139353030373564656235653663343165
-61636630303230656134303362643662336461383935313937633264393738316563623235633933
-61653639613362633162393437393763336262333038623462373461383462333631656434373537
-65316564303834343139613731636331623036663165636234346234636231633537356536623562
-30336264313431663836363336326330356565616230346263653533666463353264313063653431
-61363161376235326365336230336265346633653238656464616464313034373435643232623934
-39363362616430353436316134626361383461353631343064643439333962336261383230623532
-61643030306637656566396230356333333961653534663864366665636666623439656538616664
-39343236373165356462376535636539373262613038666239326563336636653832356566366537
-63313564353437396464366331626562353439633663316234396239323961646534353932383737
-61353161373534616564363035313463633462363931663761356434633238376531633034363037
-65653239643332383139613039633539613664623564336635306234316230336637383863376332
-35623362393738306633666534353930306162376134653432346234393061356239656663383333
-31306435626635333364333538303532363134666639636565353036363561623535653230666531
-39666631666666623836346236356662383134336336633137383964343236626362616638316436
-64356163343230373633306363313637306630666230393037393431356138303230363665623531
-37346339323137333565306636666334633062393934303665373332353839366635623130356263
-61666534303730353963616161356237653731623938666333323962626634653430323337303134
-30393638646531663864396238323839643261353965656662326136616234343430326163326239
-65316531313165356231306466643765313333376539373435373733663661386431353732643134
-63636632376239373066636265326664643634656538616365393833613336363232393163646462
-32306133303138356538666235353438353662376339656131616637323635393664666338643437
-38663263346539346535363764363336613061376464656336323936363635626238633534633763
-37303837626430363932613938333666663937363566663631616438373063656339623462336661
-64396534396336343966636439366339613862613465653761643438383363653761396165653865
-32306665376162376362373563336435656434666331643832323166303235353165623466323161
-65613434313461336134373262363335336339663135326439663763626565336635303430616265
-33656436376532623030373530313264663038383739393535346132633037633635323134316666
-38653031616239313662393032383633353461613733623432393339333265383230326361336234
-64383436626432336336326230356132363338613039343237656532386263636436666163363733
-63383432613830366435333864306630636338636235366164343230663864636162356433666636
-33363862316633613134313338306164366665386436303165306561353266373936623936356132
-35333235333465363166616666326537613133656139656132363833383933373763663731646436
-33336366343162623838366631306430343131646634346437636630653336373232306466383964
-66343763643865336632353934653430666439323838336135666232333933303865623063306337
-32376539333965376361316566306433333138373162366237363836666134396634666531656664
-65383866353431656137643535623937386138323562306562323831323338656635383931346263
-63653534356131343236323061376666613837383336313636366434626338643961616561643833
-62353330363138333531616663316636613434366332656234376330303461623566356261663531
-39623364346539653162353839653335303733303531643630656631333962373364343430656239
-31616362346565323531313232653637336665353864323032353764393137646334633066306631
-64333766616363633336623032363934663734396330313136343863303230376662353764653335
-38326537313231383332623664393265316434656364333934316536306366306133646639346235
-39373733643861363734396561376433326263663335386538343332326630643366373530626636
-33643236663362376661303365306538623338616566376236333536666463636263656632623534
-37333735383834646232363364333933393863323832656637616263303366343833663936616131
-64373332323239613366323831373831663631333932373838613337613133663066386564383632
-35323635313431376138613964613633643964346236623131356464646362616663376537316630
-37376361393530396137326634333863336337626432323832303561353836383037306162386639
-65663034626430333062653337343830303130636661616137663539323466393237383065316566
-35303936663366306433653034623663373232356538636130303661623561323637613537653736
-66666464326330373138613433636534346630663531633464306564373061636237656635336636
-37393461363733626665663235383833356161303232333961623233326637386230646633333239
-66623832613232653931383433376364383533636161326139366661323738306339366661313237
-65366336393064366463646265656364396334333433356535653764633831613761613534623961
-39616538353032623865376461396136636664333230333335353438303165373830626365613939
-66346536346536616566383764633238333530643132616534366465343961663564656165666230
-34366662383135373730316237343166616366303434313431323361336163313637313865343739
-38656433316663393966656633323166653965333534303435646264303838316631613439656234
-61613635646534353637623065616634393632333164656465393431326639626337633537393035
-62323739323039313962663437366661646265643861623161353862343336633763646236616135
-62623639316537366566613161386335666263663839306139306239623337396334313734353839
-66336365323261313238653431393766366134633032333966383438653362383666643539656137
-39383135343538313761656164613336656133326261643731313733393734663639366632363730
-38396265623738623439313835613264353032383837656462306334376332623961343531306332
-66623034653237316639613634623438366233376338333464663266313531346364633638333766
-61343165356239613262646535616537333362383936333037346366313166396132656232386466
-39336134363865303039643738666534353037343666333734303136663430313564656363313832
-38656166333835616231336363623230623366616664616266316163323462343161356666396362
-38616331386565353866626133656531616432356263396563643331383031653231353033376464
-65313531663265356633393832346161353039613435393462336466373231646564636565363761
-32633939643662326563313862363630376531323565376434336135616136336531376138663662
-63353566346362303134363737623139323330303162653635636165343233373064353562353031
-38613033303233366131313663373263323665343736303939613366633435366430373431356537
-35623530363135396332623665316431636637373666303637653164653336363530393938366339
-65383464613362386564356332613238626236623166336265303035643930623366336661343964
-32376563636338313533313165346462313736393135383436663132333565363762383232633331
-37363738323937363436336463386338656561353162303632353532303433366438643539333064
-64613430353562636462633131313639393265653038626134336463346135303362653635613864
-33666338653465326136363331613364316432326531363433363564623763313537626330346535
-34363432353866643062303162613564376437633130393038356262303436656564346664663737
-35623534383934383765303261373736346330633833326239663363643762363839626163343631
-63653337313031646236313266346530363832336431306365303464356664383662663665333139
-34656535376238336163356231303766623466386164333561383165386262393939623034663030
-66363938643266623930653064383539306631306136346632643338303535303966346231643734
-30363739343130363432343166333939356338333130393232353839323061616238303734666138
-38383837323530343562633238333863386130656336306637316439363966663433313436333366
-65333133346638383534353266356162326639373531633865313535303839333436313130616134
-66626436396261643734623935303339633438633639323539663064303037313433613737373831
-65646361326533373131653930616532383336373538353764393430393761636461656463613938
-33373234376533663761386639323266633831623135323933373963626238353934363861363733
-62383365373530393739373665373865313536396664633230663364646630613236353866373531
-37303365663835326262653933653835396338303166643430313235636361376561663336653034
-32633237623262333535336461663839393964346136636238343662623263373864363531323461
-31353032316439333932386366363566653534316435626432363132343632316664633730356361
-65393338376562666135363362353333306665333834346435646235376234393036643931653665
-62663635313733313238646662303166613433623833386165636162643965626663643364366136
-33336132653166396362623634343530626561613363353137393263663564666134623835373430
-36323461623761646234643236613136306434626635333862393839313032616265613331653839
-64653164666331623938633937633030306634633034343630613737616166653562303039353864
-38653064356364376431646335343630623735613535343730336161376236386535633635306633
-37376332616634306435333635383936626566353433626333373534353132323234373130376339
-62613539663065373037396432383366613664333663636564666130663462343630316235313234
-66653732633939306235376330613939386464613335373635373935643361643931666161633564
-32613037346435386665306464346537326131306163636361333831383364303533353864333561
-62613533313632633934643461656130626232626236313231656330303234343339366633306162
-62616562343465633332616535396566386131393065643430666436656462316330623466653865
-33343637376236363530396639343237333637656231643464316135306531383562623037373635
-35663438326137323937653861313535373535656630653464373164646133656431663263363539
-38633561613032383233643630343264666662353237323163623537373132363132306436626336
-35393336386237663531376262626337666464373963373862336665366337613533313466333434
-34313534306138323864303936383064623964333732343362336433363537666663366536343138
-62663938333636323839343462643264616165333038623137363564366131626465613335363034
-62326263656664636532363330653964663634326232633239636338323761343163366165663531
-38636466396262363230643236663366633866313934343031646331363936323534626662343934
-63623632663633346163333865386663333232613365643662383265643637353163346563326433
-64313832626630316437356534386565663264313332333138323862383636316364316166326462
-38633936646337666136353639356637343536386262343933623738643866336335616233303936
-35646439343639383731653931623233306133333636633035363337346435353564646330396339
-39303939323963383730613264326264383839613636363932386165353663373739653537333064
-30323433393163313836303739626137623833386432623836643330366139303162626432656636
-36643034636663653834303236623863663633343462393636663965323536396631396239623035
-35326333313564356464656131323463363030363466656536623166313665333435366261346337
-31633830323231653536373034363264633633366336666466303762363661393938386237396662
-37346631336436366236663564656630383833663566353839663736376530386239356531323936
-38313565303535333736366562626261643665626266356531366133323264376538393639653262
-31663036386235386533663534316265333937396262396263623138626631663036383262383862
-66303837303539383762646464363230363536373066323564613763643432613932323131623138
-64636463633139316438633163303237313036373535653533306336633137323934663339323461
-64633333616265636364306539373038313062386338373461373864376539396362636139363332
-64623134643065636366313333363866626662343566626439313637346534306361623364613962
-34313936623436303931313034373434633335396137353963616537343332383532613032333563
-66646165356362343933363865356431383039633662666439633431613464656163623536643130
-30646431646364343864323362383532326333663863656333633566336530326538373234343731
-61346137363735353966643961396566636333353662326433343736393865333634313162653430
-38656332336637633331666562623039656531333439373532323732613330373762663532663435
-38383136323863396431363864353866343436303933633666663132306232663833326663313239
-37643966616538626136626566353233343164613936313838363337336234643166333739323362
-34346538646439613765623531346461616662393438633330363434363939663439306266653766
-62663535336663333964313933396331303965623665323563623430316265626533623334373335
-35613265373639666462316564336637393839383238623336646466306136376564646236653165
-36366566333233616130396236343863323365393266356138313961646633313031316130383937
-37626464633261646533323965366334313765616332616339613735653264373362333531303339
-37636232363464613136346563303635313230396234356338653463663434396162323865353430
-38646363386339373064646137623339363164373666363363333932336233653161333137336463
-64333033393733333261363663646330336132313930613631383438303366356465656438323466
-35393362366333363834363561333034366266333465336339636432663834633532643930363738
-34323761613837326636653235383466636135646131663938653361636637333337386332363864
-31303539353430333736363163366435323062343430643761663334353735636265643336333265
-39306533633130643630363230633134316565383066623761666230336664656339323035386630
-33643836386139626637616534636538313832346130663132316439666263333464303962376530
-65656230646337373034343563343661353365393338343930376339323530663133633962396465
-31616266316133383433303962643535613630326636616665373331333561333439373262613866
-62666239336632303035623030636364393737643865316564336536306339383662393465626264
-616338353633393864363461663338616263
+65323730393163303138353139626634383463343662663831326434396133326465613861653965
+6332333534666462316365366637396263623061303733630a653037656136623539616662343261
+63656436656438323437666635376335353131383731303462343234643664643539633636656335
+3131303530383130360a633933346262613138306266656436343234343265623966363661356430
+36616266363563303238623262643062333965363864363235623439316539643363643633623161
+39396164353139383434613163396439343639656166613035323239653961346330396630303437
+62316166383662333238613832336661636161303535316562393434613962363162353837303738
+39633638376136656439313332326666386435626363333363313661353036366434313936343233
+31353536343733396532363835313035393630616466653265666533363534613066333862326236
+37313266616238333434373136326431326436633131303061326265346461663839336365313739
+356132653164643336363664326561613639
--- a/group_vars/all/vault_mirror.yml
+++ b/group_vars/all/vault_mirror.yml
 $ANSIBLE_VAULT;1.1;AES256
-65343132353033393337636433393062303565656439373666313138353965366637653966306632
-3132373731326265613864623832386438373361613431620a366338383065643931346534633965
-39646165316666326237363830343833656132343634356365643865643862353632626466653833
-3139313736326333640a386230393633653337303162636330363164663837343134393436323432
-32316434373637363332313739363834663862653338646238643861343231616335666265616466
-31386132363334663739623539323766316635626366653263636131653365666337353632643063
-33376533346565366238303665303463386631326662373934363533353532313361396333343465
-62326233356435636535326438356164346534666630636663613162363165326664393934623532
-66326237383966643337316430386536353565626636366633333063393332333037643536616366
-35306264363535653133316464386563396334353939643731613363303731636164326565353264
-31666631633864633232633835383432666335666266306634396633656364376337653631373136
-32616436343735363830363363326665323565633662366631356530336265303937343538626365
-34653934616235333331666238613762646537333861666266356462376330383333
+30666231353737396239333934666132336539383161306131386465636231326139313965646331
+6437643562326438333232633236366465623765643538330a363564633332326331363762373236
+33376666356530303335313634373066666461353034363536353234353564343265316537396562
+6364366332653664650a343834383634383637643761396465633831666338323037613634326333
+37663162386538663437666238363731393661613036376331653637366562616634636230626232
+37306633663865373333626333666463623231653266353765323838323262316232373734363237
+34663331373135633139336639386264333965333139353931303762333933646137636535393536
+31333964626132646238
--- a/hcloud_inventory.py
+++ b/hcloud_inventory.py
@@ -27,7 +27,7 @@ def get_host_details(server):

 def main():
    args = parse_args()
-    loaded = load_vault('misc/vault_hetzner.yml')
+    loaded = load_vault('misc/vaults/vault_hetzner.yml')
    client = Client(token=loaded["hetzner_cloud_api_key"])
    servers = client.servers.get_all()


--- a/host_vars/localhost/vault_hetzner_storagebox.yml
+++ b/host_vars/localhost/vault_hetzner_storagebox.yml
-$ANSIBLE_VAULT;1.1;AES256
-37316639623364363536666561383935376436663233323431626639316438646631643165663734
-6431386565316161653535656137393634656333633863330a353364633135376461343137663938
-34343133336337656237373961303530393765383338613937313332313433363838383064363061
-3061376164316662350a313534656536303164626464353030356339353237313834336632393039
-65333832336635633730326230323934383733653533346135656431356534303765383365323538
-66323437313839653733323063343436386130343139343761363037646437653263333066316665
-63373335656238336136323961356133353833313737303538313936663366303435306134326138
-30396366336130386263356264336361343231313763326239643562666662346634616639663165
-33653962323336613537616363323931366235373930326436643863376463656165303433643635
-3632343163323137633630373561333731616334306135616234
--- a/host_vars/localhost/vault_hetzner_webservice.yml
+++ b/host_vars/localhost/vault_hetzner_webservice.yml
-$ANSIBLE_VAULT;1.1;AES256
-39623835306534616661653830393863636639343938313031316132376662316530366330623162
-3936383035626238336439363638633634623036343238300a366332303632323235303038343534
-34643833623730346430623961396464353235393465313264313465653864316131636665373864
-6565333732636366330a326664316638353065643838633865333036616331313637303736303865
-39316434636563653237376131636266333834626331356331613039366664373561353631666336
-63643439383163636239396232626131393431303637623236613433313533666562623339653239
-61336566613136383537623863316533343465343237636563313633653136373734376561373164
-30386533346162333662393337633133666138356139343331313662383038633561313265613534
-38343833313534303839316264633436313831633631666539663062396363333334
--- a/host_vars/localhost/vault_rsync.net.yml
+++ b/host_vars/localhost/vault_rsync.net.yml
-$ANSIBLE_VAULT;1.1;AES256
-61636661646538643333653838373262333039643437666165333332663337373733363135333639
-6233383866323934306362373036363836623432353363380a393039626130633562646165636635
-63616463616233313135336430343961656333613530633161313365613434306361316564666535
-3361353438326434330a613361633764393833383364303664646535346462386437333437393263
-34633734313762376564386364636131313233376165626533396332303665323131616339383432
-61306439363730356337363266646662333437376133636434313365373839636263326264343439
-39626433376462623532663632336234646339623237366133623230613430356435323030326138
-34643861396563346230626332313835616337346536373463393432316430656464396534393233
-34656634386337356565333634346664323339643466313337333030623939616364626433353834
-38383739646433633666633936393234633038376535366137346363383830396266316164313765
-34633839343734383533393165613234383635633062356166633038396635336332363832363063
-63626666656332646438
--- a/misc/additional-credentials.vault
+++ b/misc/additional-credentials.vault
-$ANSIBLE_VAULT;1.1;AES256
-32323131336534333032373566633766353736646365643436363936383630346664646561333933
-6539386132306335313134326233636239633162633638610a396364623565363737346236626630
-33613761653939396333353930636431633639323432336333393465636366376163373335306164
-3561613132363761340a333834323964306531666535366635613831336265656631633233653961
-62623635623236663830653533336330633831306364366632383465643639306333333861646162
-33633135646465323937373364323436626536663831343563653663303565373966666636393235
-63313433386530323564336539656530396137333061356633396338336561393635616234383532
-35643638343964663739636266316132613866353266636439636133663434623462653332643333
-31613366666365383563303264623234356462303633313533376237333061326632613565313439
-61383836323232623530303462373262316661303031343865666531346338636331373239386539
-30666633343865633364633466633236373266323439633536626161303736393435326465363831
-34396662666361626365366631383161666566353265306330626165663537613961353566626262
-31383262343733643261363436306435656230303265646661653661616238343561343137666235
-61363130343565366335346266306261343966323765333032343733663331383638336333326538
-36303363373762393330633261366136353133396130303730616632326237373666656334363434
-35373239616438323965366332623062396534396565663061373963616661376337636561316333
-63366364613535353464646336383635323766343934386465363464333464343662336636636335
-64346436626238626433383965306162653062363363333135633135643663613363313330376438
-37613130616233376237363364653861393837613834396663633937333139653662633233363633
-38643061383932366238303031376336613635373831643535383037323930393563356566356239
-35323636366333626662366338306665326535313762643733303362373630333032323931326536
-31386166303233656566643538323235383738383137323331343463376465323530333865626636
-66666435396462393531346663366139376238313961323735303732363538636534316165643837
-65613734396464356132366334376133306165643030343037643961333162633732383131636265
-66373761633136393935613666363635353833303162303133383731646536613465373065623132
-31383939356461623063646233653666353965343065343233306134623031326435383366616238
-66646137666334613336363931306434396163363039653032616263306433303734663132643532
-38373465633463663839623330623465646432663464343738626463346533353831623839353961
-37373535656333306134616662316465616566616130386539386663393631626133653061356430
-39633335333637366436626133393438336239373438633435343838653365306537646361373766
-36643265303832373564636564303465373332363165323061386631666330353031396661653936
-38666365616134393135396462366332376531373330633937323238636637303634336236626138
-36343165636235643065656633326135316264333939363765346337616332303664313465393863
-34373963356631663537323934643664383861613535376531636465623436616632313634393131
-37356533656534623762353034656634613734373262626563346130636437643834643165356266
-36373830366665393866643566366530303166653061356437336630313733363663366138643632
-66353264613562306233316466353037633263633961613463363463623336353038376335616534
-63323030343232646133363531333636343833323564653635666361646537646439303966376238
-39306239616434386161336634343236316362396434663837646331313939343336303962356161
-62313166663033393930333933376365653861323365653462366263666565326439396430313934
-32323434333266326338303965356663343262633739313864656535643235643937653633653864
-35353232643234323538316263323261346237613738343932356137613565333761353033643234
-31656564663630306336376330336436306565303534653836653139613237636632373464636334
-64343638646534373261646164363861383464373561393531323166616636313363316632333537