Verified Commit 0abfe90e authored by Jan Alexander Steffens (heftig)'s avatar Jan Alexander Steffens (heftig)

misc: Replace vault-reading shell scripts with python

parent 4130787f
...@@ -19,7 +19,7 @@ run the provisioning script: `ansible-playbook playbooks/tasks/install-arch.yml ...@@ -19,7 +19,7 @@ run the provisioning script: `ansible-playbook playbooks/tasks/install-arch.yml
The provisioning script configures a sane basic systemd with sshd. By design, it is NOT idempotent. The provisioning script configures a sane basic systemd with sshd. By design, it is NOT idempotent.
After the provisioning script has run, it is safe to reboot. After the provisioning script has run, it is safe to reboot.
Once in the new system, run the regular playbook: `HCLOUD_TOKEN=$(misc/get_hcloud_api_key_ansible.sh) ansible-playbook playbooks/$hostname.yml`. Once in the new system, run the regular playbook: `HCLOUD_TOKEN=$(misc/get_key.py misc/vault_hetzner.yml hetzner_cloud_api_key) ansible-playbook playbooks/$hostname.yml`.
This playbook is the one regularity used for administrating the server and is entirely idempotent. This playbook is the one regularity used for administrating the server and is entirely idempotent.
#### Note about Ansible dynamic inventories #### Note about Ansible dynamic inventories
...@@ -44,7 +44,7 @@ Note that some roles already run this automatically. ...@@ -44,7 +44,7 @@ Note that some roles already run this automatically.
We use packer to build snapshots on hcloud to use as server base images. We use packer to build snapshots on hcloud to use as server base images.
In order to use this, you need to install packer and then run In order to use this, you need to install packer and then run
packer build -var $(./misc/get_hetzner_cloud_api_key_packer.sh) packer/archlinux.json packer build -var $(misc/get_key.py misc/vault_hetzner.yml hetzner_cloud_api_key env) packer/archlinux.json
This will take some time after which a new snapshot will have been created on the primary hcloud archlinux project. This will take some time after which a new snapshot will have been created on the primary hcloud archlinux project.
...@@ -53,7 +53,7 @@ This will take some time after which a new snapshot will have been created on th ...@@ -53,7 +53,7 @@ This will take some time after which a new snapshot will have been created on th
We use terraform to provision a part of the infrastructure on hcloud. We use terraform to provision a part of the infrastructure on hcloud.
The very first time you run terraform on your system, you'll have to init it: The very first time you run terraform on your system, you'll have to init it:
terraform init -backend-config="conn_str=postgres://terraform:$(ansible-vault view group_vars/all/vault_terraform.yml | grep vault_terraform_db_password | cut -f2 -d'"')@state.cloud.archlinux.org" terraform init -backend-config="conn_str=postgres://terraform:$(misc/get_key.py group_vars/all/vault_terraform.yml vault_terraform_db_password)@state.cloud.archlinux.org"
After making changes to the infrastructure in `archlinux.fg`, run After making changes to the infrastructure in `archlinux.fg`, run
......
...@@ -3,7 +3,7 @@ terraform { ...@@ -3,7 +3,7 @@ terraform {
} }
data "external" "hetzner_cloud_api_key" { data "external" "hetzner_cloud_api_key" {
program = ["bash", "${path.module}/misc/get_hetzner_cloud_api_key_terraform.sh"] program = ["${path.module}/misc/get_key.py", "misc/vault_hetzner.yml", "hetzner_cloud_api_key", "json"]
} }
# Find the id using `hcloud image list` # Find the id using `hcloud image list`
......
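Review bot: The new `program` entry runs `misc/get_key.py` directly, whereas the old one named `bash` as the interpreter, so the external data source now depends on the script's executable bit being set and on `#!/usr/bin/python3` resolving on the machine that runs terraform; the rendered diff does not show the file mode, so this is worth confirming before merging. The two README invocations changed in this commit rely on the same bit. If it cannot be relied on, `program = ["python3", "${path.module}/misc/get_key.py", "misc/vault_hetzner.yml", "hetzner_cloud_api_key", "json"]` keeps the previous behaviour of naming the interpreter explicitly.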
...@@ -9,10 +9,7 @@ import sys ...@@ -9,10 +9,7 @@ import sys
from hcloud import Client from hcloud import Client
from ansible import constants as C from misc.get_key import load_vault
from ansible.parsing.vault import VaultLib
from ansible.cli import CLI
from ansible.parsing.dataloader import DataLoader
def parse_args(): def parse_args():
...@@ -36,14 +33,7 @@ def get_host_details(client, host): ...@@ -36,14 +33,7 @@ def get_host_details(client, host):
def main(): def main():
args = parse_args() args = parse_args()
loader = DataLoader() loaded = load_vault('misc/vault_hetzner.yml')
vault_secret = CLI.setup_vault_secrets(
loader=loader,
vault_ids=C.DEFAULT_VAULT_IDENTITY_LIST
)
vault = VaultLib(vault_secret)
decrypted = vault.decrypt(open('misc/vault_hetzner.yml').read())
loaded = yaml.load(decrypted)
client = Client(token=loaded["hetzner_cloud_api_key"]) client = Client(token=loaded["hetzner_cloud_api_key"])
if args.list: if args.list:
......
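Review bot: `from misc.get_key import load_vault` resolves only when the repository root is on `sys.path`; when this script is executed directly, which is how Ansible runs inventory scripts, `sys.path[0]` is the script's own directory, so the import is likely to fail with `ModuleNotFoundError` unless the caller sets `PYTHONPATH` or runs it as a module. If this script lives next to `get_key.py` in `misc/`, `from get_key import load_vault` would resolve without any path manipulation; otherwise insert the repository root into `sys.path` before the import (the file already imports `sys`). If `import yaml` still appears above this hunk it is now unused, since the only `yaml.load` call was removed in `main()`. Note also that this import is no longer side-effect free: `get_key` constructs its `VaultLib`, and hence obtains the vault password, at module import rather than when `load_vault` is called. `main()` continues past the end of the hunk.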
#!/bin/bash #!/bin/sh
exec gpg --batch --decrypt --quiet "$(dirname $0)/vault-password.gpg"
exec gpg --batch --decrypt --quiet $(dirname $0)/vault-password.gpg
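Review bot: The quoting added on the new line protects the result of `dirname`, but `$0` inside the substitution is still unquoted, so a repository path containing whitespace or glob characters is word-split before `dirname` sees it; `exec gpg --batch --decrypt --quiet "$(dirname "$0")/vault-password.gpg"` closes that gap. The switch to `#!/bin/sh` is safe for this line, since `exec` and `$(...)` are POSIX.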
#!/bin/bash
echo "hetzner_cloud_api_key=$(ansible-vault view misc/vault_hetzner.yml | grep hetzner_cloud_api_key | cut -f2 -d' ')"
#!/bin/bash
echo "{\"hetzner_cloud_api_key\": \"$(ansible-vault view misc/vault_hetzner.yml | grep hetzner_cloud_api_key | cut -f2 -d' ')\"}"
#!/usr/bin/python3
from contextlib import contextmanager
from enum import Enum
from pathlib import Path
import argparse
import json
import os
import sys
import yaml
@contextmanager
def chdir(path):
oldcwd = os.getcwd()
os.chdir(path)
try:
yield
finally:
os.chdir(oldcwd)
root = Path(__file__).resolve().parents[1]
with chdir(root):
from ansible.cli import CLI
from ansible.constants import DEFAULT_VAULT_IDENTITY_LIST
from ansible.parsing.dataloader import DataLoader
from ansible.parsing.vault import VaultLib
data_loader = DataLoader()
data_loader.set_basedir(root)
vault_lib = VaultLib(
CLI.setup_vault_secrets(
data_loader, DEFAULT_VAULT_IDENTITY_LIST, auto_prompt=False
)
)
def load_vault(path):
with chdir(root):
return yaml.load(
vault_lib.decrypt(Path(path).read_text()), Loader=yaml.SafeLoader
)
class Output(Enum):
BARE = "bare"
ENV = "env"
JSON = "json"
def __str__(self):
return self.value
def parse_args():
parser = argparse.ArgumentParser(
description="Retrieve a password from an Ansible vault."
)
parser.add_argument(dest="vault", type=Path, help="vault to open")
parser.add_argument(dest="key", help="key to extract")
parser.add_argument(
dest="output",
nargs="?",
type=Output,
choices=Output,
default=Output.BARE,
help="style of output",
)
return parser.parse_args()
def main():
args = parse_args()
value = load_vault(args.vault)[args.key]
if args.output == Output.BARE:
print(value)
elif args.output == Output.ENV:
print(f"{args.key}={value}")
elif args.output == Output.JSON:
json.dump({args.key: value}, sys.stdout)
print()
else:
assert False
if __name__ == "__main__":
main()
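Review bot: `vault_lib` is constructed at module level right after `root = Path(__file__).resolve().parents[1]`, so merely importing this module, as the inventory script now does to reach `load_vault`, runs `CLI.setup_vault_secrets` and therefore whatever vault-password client Ansible is configured with, and an import that cannot obtain the secret dies with a traceback before the importer has done anything. Building the `VaultLib` lazily on the first `load_vault` call keeps the import side-effect free and moves the failure to the call that actually needs the secret, as sketched below. Separately, a key that is absent from the vault surfaces in `main()` as a bare `KeyError` traceback; wrapping the lookup in `try`/`except KeyError` that calls `sys.exit(...)` with a message naming the key and the vault would give shell callers a clear error. `yaml.safe_load(...)` is the shorter spelling of `yaml.load(..., Loader=yaml.SafeLoader)` and is used in the sketch.
```python
root = Path(__file__).resolve().parents[1]

_vault_lib = None


def _get_vault_lib():
    """Build the VaultLib on first use so that importing this module has no side effects."""
    global _vault_lib
    if _vault_lib is None:
        with chdir(root):
            from ansible.cli import CLI
            from ansible.constants import DEFAULT_VAULT_IDENTITY_LIST
            from ansible.parsing.dataloader import DataLoader
            from ansible.parsing.vault import VaultLib

            data_loader = DataLoader()
            data_loader.set_basedir(root)
            _vault_lib = VaultLib(
                CLI.setup_vault_secrets(
                    data_loader, DEFAULT_VAULT_IDENTITY_LIST, auto_prompt=False
                )
            )
    return _vault_lib


def load_vault(path):
    """Decrypt the vault at *path* (relative to the repository root) and parse it as YAML."""
    with chdir(root):
        return yaml.safe_load(_get_vault_lib().decrypt(Path(path).read_text()))

# … unchanged: chdir(), Output, parse_args(), main() …
```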