Move highly sensitive secrets to new "super" vault

The idea bebind this is to be able to give vault access to new DevOps members without giving away more important credentials like Hetzner's.

To view the contents of re-encrypted vaults:

git grep -l 'AES256;super$' | parallel 'echo -e "\n\n###" {} && ansible-vault view {}'

The rest of the vaults seem fine to continue using the default password:

git grep -l 'AES256$' | grep -v vault_wireguard | parallel 'echo -e "\n\n###" {} && ansible-vault view {}'

added 1 commit

• d61b325c - add readonly hcloud api key for inventory

Compare with previous version

We must remember to change the password in vault-default-password.gpg and reencrypt all the default vaults, so people with access to only the default vaults, can't decrypt vaults encrypted before the split (ex: older revision of the Hetzner vault).

added 1 commit

• 99c1dd89 - hcloud_inventory: use read-only API key for hcloud

Compare with previous version

added 3 commits

• 6dcbdc8e - Place more sensitive secrets into a separate vault
• e4bcf2d7 - hcloud_inventory: use read-only API key for hcloud
• 5cf1e0c0 - Re-encrypt all default vaults with a new password

Compare with previous version

resolved all threads

marked this merge request as ready

marked this merge request as draft

added 1 commit

• f6de5b8f - Improve vault key docs and consolidate related tasks

Compare with previous version

added 3 commits

• a3d3ecc1 - Place more sensitive secrets into a separate vault
• 9a02c89b - hcloud_inventory: use read-only API key for hcloud
• dea03425 - Re-encrypt all default vaults with a new password

Compare with previous version

marked this merge request as ready

added 3 commits

• f089c6c4 - Place more sensitive secrets into a separate vault
• cbb3838a - hcloud_inventory: use read-only API key for hcloud
• 9fe39934 - Re-encrypt all default vaults with a new password

Compare with previous version

added 4 commits

• cbb3838a...b0f0e2ec - 2 commits from branch master
• ef4e97cf - Place more sensitive secrets into a separate vault
• 72f9dc07 - hcloud_inventory: use read-only API key for hcloud

Compare with previous version

added 2 commits

• 2fa5c2e1 - Place more sensitive secrets into a separate vault
• 782e6cd5 - hcloud_inventory: use read-only API key for hcloud

Compare with previous version

added 1 commit

• 2b68d76b - Remove unused vaults and obsolete secrets

Compare with previous version

added 3 commits

• f9c5def6 - Place more sensitive secrets into a separate vault
• f67ca83b - hcloud_inventory: use read-only API key for hcloud
• 66b3904c - Remove unused vaults and obsolete secrets

Compare with previous version

mentioned in merge request !567 (merged)

added 3 commits

• 5d1d1930 - Place more sensitive secrets into a separate vault
• 383359ad - hcloud_inventory: use read-only API key for hcloud
• 64249484 - Remove unused vaults and obsolete secrets

Compare with previous version

added 3 commits

• 8c595b8f - Place more sensitive secrets into a separate vault
• 7cb3d6b5 - hcloud_inventory: use read-only API key for hcloud
• 882d4676 - Remove unused vaults and obsolete secrets

Compare with previous version

added 1 commit

• f717a19b - Remove unused vaults and obsolete secrets

Compare with previous version