README.md

@@ -53,7 +53,7 @@ Note that some roles already run this automatically.
 We use packer to build snapshots on hcloud to use as server base images.
 In order to use this, you need to install packer and then run
 
-    packer build -var $(misc/get_key.py misc/vault_hetzner.yml hetzner_cloud_api_key env) packer/archlinux.json
+    packer build -var $(misc/get_key.py misc/vault_hetzner.yml hetzner_cloud_api_key --format env) packer/archlinux.json
 
 This will take some time after which a new snapshot will have been created on the primary hcloud archlinux project.
 

group_vars/all/vault_github.yml

+$ANSIBLE_VAULT;1.1;AES256
+34363332353038316637303436316631666563666264313531616334306135373565353333653532
+6231316461666563316462373266356338616262623463350a633631376361343430336235326430
+35353265643161666333313330383137633965303862303963616537643363393532666236373934
+3830323863326235640a346537613464316364613139386362363136643138363538613835393135
+34663063383763323733356361323530303761323739303538636237663834353538643066393230
+61663836616137616339353630616238323763663136363365363966363763386331623935393336
+34656161663539346263633738636533613532383231366266633230316138346330363834636338
+39366435383561306330666663396138363066646466663465613134346136616565383336653162
+63663432646563373631363765386635323430323161313162343962396634353234336438326364
+37653931613636323166613939383736343465323561326236336161626333653266623130303463
+346430393562333431363766636263316633

misc/get_key.py

 #!/usr/bin/python3
 
-from contextlib import contextmanager
-from enum import Enum
-from pathlib import Path
-import argparse
 import json
 import os
 import sys
+from contextlib import contextmanager
+from enum import Enum
+from pathlib import Path
+from typing import List
+import typer
 import yaml
 
+app = typer.Typer()
+
 
 @contextmanager
 def chdir(path):
@@ -45,7 +48,7 @@ def load_vault(path):
         )
 
 
-class Output(Enum):
+class OutputFormat(str, Enum):
     BARE = "bare"
     ENV = "env"
     JSON = "json"
@@ -54,37 +57,31 @@ class Output(Enum):
         return self.value
 
 
-def parse_args():
-    parser = argparse.ArgumentParser(
-        description="Retrieve a password from an Ansible vault."
-    )
-    parser.add_argument(dest="vault", type=Path, help="vault to open")
-    parser.add_argument(dest="key", help="key to extract")
-    parser.add_argument(
-        dest="output",
-        nargs="?",
-        type=Output,
-        choices=Output,
-        default=Output.BARE,
-        help="style of output",
-    )
-    return parser.parse_args()
-
-
-def main():
-    args = parse_args()
-    value = load_vault(args.vault)[args.key]
-
-    if args.output == Output.BARE:
-        print(value)
-    elif args.output == Output.ENV:
-        print(f"{args.key}={value}")
-    elif args.output == Output.JSON:
-        json.dump({args.key: value}, sys.stdout)
+def main(
+    vault: Path = typer.Argument(...),
+    keys: List[str] = typer.Argument(...),
+    format: OutputFormat = typer.Option(
+        OutputFormat.BARE, show_default=True, help="Output format"
+    ),
+):
+    """
+    Get a bunch of entries from the vault located at VAULT.
+
+    Use KEYS to choose which keys in the vault you want to output.
+    """
+    vault = load_vault(vault)
+    filtered = {vault_key: vault[vault_key] for vault_key in keys}
+
+    if format == OutputFormat.BARE:
+        for secret in filtered.values():
+            print(secret)
+    elif format == OutputFormat.ENV:
+        for key, secret in filtered.items():
+            print(f"{key}={secret}")
+    elif format == OutputFormat.JSON:
+        json.dump(filtered, sys.stdout)
         print()
-    else:
-        assert False
 
 
 if __name__ == "__main__":
-    main()
+    typer.run(main)

tf-stage1/archlinux.tf

@@ -5,7 +5,7 @@ terraform {
 }
 
 data "external" "hetzner_cloud_api_key" {
-  program = ["${path.module}/../misc/get_key.py", "misc/vault_hetzner.yml", "hetzner_cloud_api_key", "json"]
+  program = ["${path.module}/../misc/get_key.py", "misc/vault_hetzner.yml", "hetzner_cloud_api_key", "--format", "json"]
 }
 
 data "hcloud_image" "archlinux" {

tf-stage2/keycloak.tf

@@ -4,34 +4,33 @@ terraform {
   }
 }
 
-data "external" "keycloak_admin_user" {
-  program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_keycloak.yml", "vault_keycloak_admin_user", "json"]
+data "external" "vault_keycloak" {
+  program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_keycloak.yml",
+    "vault_keycloak_admin_user",
+    "vault_keycloak_admin_password",
+    "vault_keycloak_smtp_user",
+    "vault_keycloak_smtp_password",
+    "--format", "json"]
 }
 
-data "external" "keycloak_admin_password" {
-  program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_keycloak.yml", "vault_keycloak_admin_password", "json"]
+data "external" "vault_google" {
+  program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_google.yml",
+    "vault_google_recaptcha_site_key",
+    "vault_google_recaptcha_secret_key",
+    "--format", "json"]
 }
 
-data "external" "keycloak_smtp_user" {
-  program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_keycloak.yml", "vault_keycloak_smtp_user", "json"]
-}
-
-data "external" "keycloak_smtp_password" {
-  program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_keycloak.yml", "vault_keycloak_smtp_password", "json"]
-}
-
-data "external" "google_recaptcha_site_key" {
-  program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_google.yml", "vault_google_recaptcha_site_key", "json"]
-}
-
-data "external" "google_recaptcha_secret_key" {
-  program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_google.yml", "vault_google_recaptcha_secret_key", "json"]
+data "external" "vault_github" {
+  program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_github.yml",
+    "vault_github_oauth_app_client_id",
+    "vault_github_oauth_app_client_secret",
+    "--format", "json"]
 }
 
 provider "keycloak" {
   client_id = "admin-cli"
-  username = data.external.keycloak_admin_user.result.vault_keycloak_admin_user
-  password = data.external.keycloak_admin_password.result.vault_keycloak_admin_password
+  username = data.external.vault_keycloak.result.vault_keycloak_admin_user
+  password = data.external.vault_keycloak.result.vault_keycloak_admin_password
   url = "https://accounts.archlinux.org"
 }
 
@@ -65,8 +64,8 @@ resource "keycloak_realm" "archlinux" {
     starttls = true
 
     auth {
-      username = data.external.keycloak_smtp_user.result.vault_keycloak_smtp_user
-      password = data.external.keycloak_smtp_password.result.vault_keycloak_smtp_password
+      username = data.external.vault_keycloak.result.vault_keycloak_smtp_user
+      password = data.external.vault_keycloak.result.vault_keycloak_smtp_password
     }
   }
 
@@ -92,6 +91,24 @@ resource "keycloak_realm" "archlinux" {
   }
 }
 
+resource "keycloak_oidc_identity_provider" "realm_identity_provider" {
+  realm = "archlinux"
+  alias = "github"
+  provider_id = "github"
+  authorization_url = "https://accounts.archlinux.org/auth/realms/archlinux/broker/github/endpoint"
+  client_id = data.external.vault_github.result.vault_github_oauth_app_client_id
+  client_secret = data.external.vault_github.result.vault_github_oauth_app_client_secret
+  token_url = ""
+  default_scopes = ""
+  enabled = false
+  trust_email = false
+  store_token = false
+  backchannel_supported = false
+  extra_config = {
+    syncMode = "IMPORT"
+  }
+}
+
 resource "keycloak_saml_client" "saml_gitlab" {
   realm_id = "archlinux"
   client_id = "saml_gitlab"
@@ -299,8 +316,8 @@ resource "keycloak_authentication_execution_config" "registration_recaptcha_acti
   execution_id = keycloak_authentication_execution.registration_recaptcha_action.id
   config = {
     "useRecaptchaNet" = "false",
-    "site.key" = data.external.google_recaptcha_site_key.result.vault_google_recaptcha_site_key
-    "secret" = data.external.google_recaptcha_secret_key.result.vault_google_recaptcha_secret_key
+    "site.key" = data.external.vault_google.result.vault_google_recaptcha_site_key
+    "secret" = data.external.vault_google.result.vault_google_recaptcha_secret_key
   }
 }