authorChristian Pointner <equinox@ffgraz.net>2017-05-30 00:16:55 +0200
committerChristian Pointner <equinox@ffgraz.net>2017-05-30 00:16:55 +0200
commit8cb754dacac0864f6b112e39fd6e7eaf3a339756 (patch)
tree623278e2d9f0cdfc7bf9efb0b11dfbca015e8cd0
initial commit
-rw-r--r--.gitignore5
-rw-r--r--README_secrets.md117
-rw-r--r--ansible.cfg12
-rwxr-xr-xapply-role.sh13
-rw-r--r--generic.yaml5
-rwxr-xr-xgpg/add-key.sh21
-rwxr-xr-xgpg/get-vault-pass.sh2
-rwxr-xr-xgpg/gpg2.sh2
-rwxr-xr-xgpg/list-keys.sh2
-rwxr-xr-xgpg/remove-keys.sh35
-rwxr-xr-xgpg/set-vault-pass.sh20
-rw-r--r--gpg/vault-keyring.gpgbin0 -> 53199 bytes
-rw-r--r--gpg/vault-pass.gpg30
-rw-r--r--hosts31
-rw-r--r--ssh/config82
15 files changed, 377 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..3b3711f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,5 @@
+/log
+/gpg/vault-keyring.gpg~
+*.pyc
+*.retry
+.*.sw?
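Review bot: The ignore list covers gpg's `vault-keyring.gpg~` backup but not the `vault-pass.gpg.<pid>` temporary that set-vault-pass.sh writes beside it before its final `mv`, so an interrupted re-encryption leaves an unignored file that `git add -A` would sweep in. Adding `/gpg/vault-pass.gpg.*` keeps such leftovers out of the repository; the content is ciphertext, so this is a tidiness point rather than an exposure.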
diff --git a/README_secrets.md b/README_secrets.md
new file mode 100644
index 0000000..311cc2a
--- /dev/null
+++ b/README_secrets.md
@@ -0,0 +1,117 @@
+Secrets and Vaults
+==================
+
+All secrets are stored inside encrypted ansible vault files which live
+inside the secrets directory. Access to the vault files is controlled via
+GPG keys. Anybody who uses this ansible repository needs to have a GPG key.
+
+
+Creating a GPG key
+------------------
+
+You can use the following command to generate a new GPG key:
+
+```
+# gpg2 --full-gen-key
+ - select "RSA and RSA" as kind (should be option: 1)
+ - set keysize to: 4096
+ - set key expiration to: 2y
+ - set Real name and eMail adress
+ - set a passphrase for the key (please use a strong passphrase!!!)
+```
+
+This command prints the fingerprint and other inforamtion about the newly
+generated key. In the line starting with pub you can find the key ID. This
+ID can be used to uniquely identify your key. Here is a sample output:
+
+```
+pub rsa4096/0x1234567812345678 2017-01-01 [SC] [expires: 2019-01-01]
+ Key fingerprint = 1234 5678 1234 5678 1234 5678 1234 5678 1234 5678
+uid [ unknown] Firstname Lastname <lastname@example.com>
+sub rsa4096/0x8765432187654321 2017-01-01 [E] [expires: 2019-01-01]
+```
+
+The key ID is the hexadecimal number next to ```rsa4096/``` in the line
+starting with ```pub``` (not ```sub```). In this case the key ID is: ```0x1234567812345678```
+
+In order to add your key to the list of keys which can read the ansible vault
+you first need to export the public part of your key using the following
+command:
+
+```
+# gpg2 --armor --export "<your key id>" > mykey.asc
+```
+
+
+
+Adding a key to the Vault
+-------------------------
+
+Everybody who currently has access to the vault can add keys using the
+following command:
+
+```
+# gpg/add-keys.sh mykey.asc
+```
+
+This will add the new key to the keyring stored inside the repository and
+reencrypt the secret to unlock the vault for all keys inside the keyring.
+
+
+
+Removing a key from the Vault
+-----------------------------
+
+Everybody who currently has access to the vault can remove keys using the
+following command:
+
+```
+# gpg/remove-keys.sh "<key-id>"
+```
+
+This will remove the key from the keyring stored inside the repository and
+reencrypt the secret to unlock the vault for all remaining keys inside the
+keyring.
+
+You can find out the key ID using the command:
+
+```
+# gpg/list-keys.sh
+```
+
+Here is an example output:
+
+```
+pub rsa4096/0x1234567812345678 2017-01-01 [SC] [expires: 2019-01-01]
+ Key fingerprint = 1234 5678 1234 5678 1234 5678 1234 5678 1234 5678
+uid [ unknown] Firstname Lastname <lastname@example.com>
+sub rsa4096/0x8765432187654321 2017-01-01 [E] [expires: 2019-01-01]
+```
+
+The key ID is the hexadecimal number next to ```rsa4096/``` in the line
+starting with ```pub``` (not ```sub```). In this case the key ID is: ```0x1234567812345678```
+
+
+
+Working with Vault files
+------------------------
+
+ * create new vault:
+ ```
+# ansible-vault create secrets/foo.vault.yml
+ ```
+ This will open up an editor which allows you to add variables. Once you
+ store and close the file the content is automatically encrypted.
+
+ * edit a vault file:
+ ```
+# ansible-vault edit secrets/foo.vault.yml
+ ```
+ This will open up an editor which allows you to add/remove/change variables.
+ Once you store and close the file the content is automatically encrypted.
+
+ * show the contents of a vault file:
+ ```
+# ansible-vault view secrets/foo.vault.yml
+ ```
+ This will automatially decrypt the file and print it's contents.
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..387e4e4
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,12 @@
+[defaults]
+inventory = ./hosts
+remote_user = equinox
+log_path = ./log
+nocows=1
+
+gathering = smart
+var_compression_level = 9
+
+[ssh_connection]
+pipelining = True
+ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s -F ssh/config
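Review bot: `log_path = ./log` persists every task's output unencrypted on each operator's machine, and a `-v` run or a task that registers and prints a vaulted variable puts the decrypted secret into that log; `.gitignore` keeps it out of git but not off disk. If the log is wanted, tasks that touch vault material should carry `no_log: true` and README_secrets.md should say so; otherwise drop `log_path`. `-F ssh/config` is relative to the working directory, which works because ansible.cfg itself is only picked up from the working directory, but a comment stating that the repository root must be the cwd would spare the next reader a confusing "no such file" from ssh.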
diff --git a/apply-role.sh b/apply-role.sh
new file mode 100755
index 0000000..3d39f34
--- /dev/null
+++ b/apply-role.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+if [ -z "$1" ] || [ -z "$2" ] ; then
+ echo "$0 <host(s)> <role>"
+ exit 1
+fi
+hosts="$1"
+shift
+role="$1"
+shift
+
+echo "######## applying the role '$role' to host(s) '$hosts' ########"
+exec ansible-playbook -e "myhosts=$hosts" -e "myrole=$role" $@ generic.yaml
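Review bot: The pass-through arguments on the last line are expanded unquoted (`$@`), so an extra argument containing whitespace, e.g. `--limit 'www stats'` or `-e 'foo=bar baz'`, is split into several words before ansible-playbook sees it. Use `exec ansible-playbook -e "myhosts=$hosts" -e "myrole=$role" "$@" generic.yaml`. The usage message printed when arguments are missing would also be better on stderr (`>&2`) so it does not mix with captured output.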
diff --git a/generic.yaml b/generic.yaml
new file mode 100644
index 0000000..d3b8de8
--- /dev/null
+++ b/generic.yaml
@@ -0,0 +1,5 @@
+---
+- name: "Apply role {{ myrole }} to hosts: {{ myhosts }}"
+ hosts: "{{ myhosts }}"
+ roles:
+ - role: "{{ myrole }}"
diff --git a/gpg/add-key.sh b/gpg/add-key.sh
new file mode 100755
index 0000000..98e2917
--- /dev/null
+++ b/gpg/add-key.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+if [ -z "$1" ]; then
+ echo "no keyfile specified, reading from stdin ..."
+fi
+
+"${BASH_SOURCE%/*}/gpg2.sh" --import $@
+if [ $? -ne 0 ]; then
+ echo -e "\nERROR: import key(s) failed. Please revert any changes of the file gpg/vault-keyring.gpg."
+ exit 1
+fi
+
+echo ""
+"${BASH_SOURCE%/*}/get-vault-pass.sh" | "${BASH_SOURCE%/*}/set-vault-pass.sh"
+if [ $? -ne 0 ]; then
+ echo -e "\nERROR: reencrypting vault password file failed!"
+ echo " You might want to revert any changes on gpg/vault-pass.gpg and gpg/vault-keyring.gpg!!"
+ exit 1
+fi
+echo "Successfully reencrypted vault password file!"
+echo " Don't forget to commit the changes in gpg/vault-pass.gpg and gpg/vault-keyring.gpg."
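Review bot: README_secrets.md documents this script as `gpg/add-keys.sh`, but the file added here is `gpg/add-key.sh`, so the documented command does not exist; one of the two names needs to change. The `--import $@` call is unquoted and should be `"$@"` so a key file path with spaces survives. Since the re-encryption step (set-vault-pass.sh) encrypts with `--trust-model always` to every key in the keyring, nothing in this flow asks the operator to confirm what was just imported; printing the fingerprint after the import, e.g. `"${BASH_SOURCE%/*}/gpg2.sh" --fingerprint`, would let them check it out of band before committing.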
diff --git a/gpg/get-vault-pass.sh b/gpg/get-vault-pass.sh
new file mode 100755
index 0000000..202c94f
--- /dev/null
+++ b/gpg/get-vault-pass.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+gpg2 --decrypt --batch < "${BASH_SOURCE%/*}/vault-pass.gpg" 2> /dev/null
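Review bot: `2> /dev/null` on the decrypt line discards gpg's only explanation when decryption fails (no matching secret key, expired key, agent not reachable), and both callers pipe this script's stdout straight into set-vault-pass.sh, where an empty result would be encrypted as the new vault password without complaint. Let gpg's diagnostics through, or at most use `--quiet` instead of dropping stderr: `gpg2 --decrypt --batch --quiet < "${BASH_SOURCE%/*}/vault-pass.gpg"`.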
diff --git a/gpg/gpg2.sh b/gpg/gpg2.sh
new file mode 100755
index 0000000..b00c49c
--- /dev/null
+++ b/gpg/gpg2.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+exec gpg2 --keyring "${BASH_SOURCE%/*}/vault-keyring.gpg" --secret-keyring /dev/null --no-default-keyring $@
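Review bot: `$@` on the exec line is unquoted, so any argument containing whitespace (a user ID passed to `--list-keys`, a path with spaces for `--import`) is split before gpg sees it; it should be `"$@"`. Note also that `--secret-keyring` is an obsolete option that GnuPG 2.1 and later ignore, so it isolates nothing: decryption uses the secret keys of the caller's default GNUPGHOME regardless, which is in fact what get-vault-pass.sh relies on. A one-line comment saying that only the public keyring is repository-local while secret keys stay in the user's own keyring would make that intent explicit.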
diff --git a/gpg/list-keys.sh b/gpg/list-keys.sh
new file mode 100755
index 0000000..4b01049
--- /dev/null
+++ b/gpg/list-keys.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+exec "${BASH_SOURCE%/*}/gpg2.sh" --list-keys $@
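Review bot: `$@` is unquoted on the exec line; use `"$@"` so a user ID filter containing spaces reaches gpg as a single argument rather than several. The same quoting fix belongs in the gpg2.sh wrapper this script delegates to.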
diff --git a/gpg/remove-keys.sh b/gpg/remove-keys.sh
new file mode 100755
index 0000000..80ae157
--- /dev/null
+++ b/gpg/remove-keys.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+if [ -z "$1" ]; then
+ echo "Please specify at least one key ID!"
+ echo ""
+ echo "You can find out the key ID using the command: gpg/list-keys.sh"
+ echo ""
+ echo " Here is an example output:"
+ echo ""
+ echo " pub rsa4096/0x1234567812345678 2017-01-01 [SC] [expires: 2019-01-01]"
+ echo " Key fingerprint = 1234 5678 1234 5678 1234 5678 1234 5678 1234 5678"
+ echo " uid [ unknown] Firstname Lastname <lastname@example.com>"
+ echo " sub rsa4096/0x8765432187654321 2017-01-01 [E] [expires: 2019-01-01]"
+ echo ""
+ echo " The key ID is the hexadecimal number next to rsa4096/ in the line"
+ echo " starting with pub (not sub). In this case the key ID is: 0x1234567812345678"
+ echo ""
+ exit 1
+fi
+
+"${BASH_SOURCE%/*}/gpg2.sh" --delete-keys $@
+if [ $? -ne 0 ]; then
+ echo -e "\nERROR: removing key(s) failed. Please revert any changes of the file gpg/vault-keyring.gpg."
+ exit 1
+fi
+
+echo ""
+"${BASH_SOURCE%/*}/get-vault-pass.sh" | "${BASH_SOURCE%/*}/set-vault-pass.sh"
+if [ $? -ne 0 ]; then
+ echo -e "\nERROR: reencrypting vault password file failed!"
+ echo " You might want to revert any changes on gpg/vault-pass.gpg and gpg/vault-keyring.gpg!!"
+ exit 1
+fi
+echo "Successfully reencrypted vault password file!"
+echo " Don't forget to commit the changes in gpg/vault-pass.gpg and gpg/vault-keyring.gpg."
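Review bot: Removing a key and re-encrypting the same vault password does not revoke the removed person's access: they already know the plaintext password, every `secrets/*.vault.yml` still uses it, and the previous `vault-pass.gpg` stays decryptable for them in git history. The success message should state this, e.g. `echo " NOTE: the removed key holder still knows the current vault password; run 'ansible-vault rekey' on all vault files and gpg/set-vault-pass.sh with a new password to actually revoke access."`, and README_secrets.md should carry the same caveat. Separately, `--delete-keys $@` is unquoted and should be `"$@"`, and because the status of the re-encryption pipeline is that of set-vault-pass.sh alone, a `set -o pipefail` at the top would make a failed decrypt abort instead of being ignored.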
diff --git a/gpg/set-vault-pass.sh b/gpg/set-vault-pass.sh
new file mode 100755
index 0000000..1fb3426
--- /dev/null
+++ b/gpg/set-vault-pass.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+keyids=$("${BASH_SOURCE%/*}/gpg2.sh" --list-keys --with-colons --fast-list-mode 2>/dev/null | awk -F: '/^pub/{printf "%s\n", $5}')
+if [ -z "$keyids" ]; then
+ echo "ERROR: no keys to encrypt to, is the keyring empty?"
+ exit 1
+fi
+
+receipients=""
+for keyid in $keyids; do
+ receipients="$receipients -r $keyid"
+done
+
+
+"${BASH_SOURCE%/*}/gpg2.sh" --yes --trust-model always --encrypt -a -o "${BASH_SOURCE%/*}/vault-pass.gpg.$$" $receipients
+if [ $? -ne 0 ]; then
+ rm -f "${BASH_SOURCE%/*}/vault-pass.gpg.$$"
+ exit 1
+fi
+mv "${BASH_SOURCE%/*}/vault-pass.gpg.$$" "${BASH_SOURCE%/*}/vault-pass.gpg"
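Review bot: Nothing checks that stdin actually carried a password before it is encrypted: if the upstream decrypt in add-key.sh or remove-keys.sh fails (its stderr is discarded), gpg encrypts an empty message, the `mv` on the last line replaces `vault-pass.gpg` with it, and once that is committed nobody can unlock the vaults any more. Read the password into a variable first and refuse an empty one; capturing with a sentinel keeps a trailing newline intact so the stored bytes do not change for the existing password (a NUL byte cannot be held in a shell variable, but a vault password is text). The recipient list is also built by string concatenation and expanded unquoted (`$receipients`); an array is the safe form. A failed encrypt currently exits silently, so report it on stderr.

```shell
# Refuse to overwrite vault-pass.gpg with an empty message (e.g. the upstream decrypt failed).
pass=$(cat; printf x)   # sentinel keeps trailing newlines that $(...) would strip
pass=${pass%x}
if [ -z "$pass" ]; then
  echo "ERROR: refusing to encrypt an empty vault password (did the decrypt step fail?)" >&2
  exit 1
fi

recipients=()
for keyid in $keyids; do
  recipients+=(-r "$keyid")
done

printf '%s' "$pass" | "${BASH_SOURCE%/*}/gpg2.sh" --yes --trust-model always --encrypt -a -o "${BASH_SOURCE%/*}/vault-pass.gpg.$$" "${recipients[@]}"
if [ $? -ne 0 ]; then
  echo "ERROR: encrypting the vault password failed" >&2
  # … unchanged: remove the temp file, exit 1 …
fi
# … unchanged: mv the temp file into place …
```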
diff --git a/gpg/vault-keyring.gpg b/gpg/vault-keyring.gpg
new file mode 100644
index 0000000..ac982f5
--- /dev/null
+++ b/gpg/vault-keyring.gpg
Binary files differ
diff --git a/gpg/vault-pass.gpg b/gpg/vault-pass.gpg
new file mode 100644
index 0000000..10013e2
--- /dev/null
+++ b/gpg/vault-pass.gpg
@@ -0,0 +1,30 @@
+-----BEGIN PGP MESSAGE-----
+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=
+=UjRk
+-----END PGP MESSAGE-----
diff --git a/hosts b/hosts
new file mode 100644
index 0000000..791109f
--- /dev/null
+++ b/hosts
@@ -0,0 +1,31 @@
+[baremetalservers]
+spektral
+mur
+tub
+
+[kvmhosts]
+spektral
+mur
+tub
+
+[virtualservers]
+oldgw
+gw-cc
+stats
+www
+git
+build
+build2
+tun
+conftun
+gw-mur
+debian
+spider
+gw-wien
+dvb
+nodedb
+nodedbstage
+
+[servers:children]
+baremetalservers
+virtualservers
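Review bot: The inventory names (`spektral`, `www`, `build`, …) are what ansible hands to ssh, and they do not match the `ff`-prefixed `Host` aliases in ssh/config, so only the `Host *` defaults apply to ansible runs and the per-host entries there (`User git` for ffgit, `User builder` for ffbuild) are never used by ansible; presumably the bare names resolve on the `pan` jump host behind the ProxyCommand. If that is intended, a comment at the top of this file saying that inventory names are resolved through the jump host rather than the `ff*` aliases would save the next reader the detour; if not, give each host an `ansible_host=ff<name>` entry or align the alias names with the inventory.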
diff --git a/ssh/config b/ssh/config
new file mode 100644
index 0000000..c12c550
--- /dev/null
+++ b/ssh/config
@@ -0,0 +1,82 @@
+Ciphers aes256-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-cbc,aes128-cbc
+Macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160
+
+Host *
+ ProxyCommand ssh -q pan nc -q0 -w1 %h %p
+ IdentityFile ~/.ssh/id_ff_rsa
+ IdentitiesOnly yes
+ PasswordAuthentication no
+ Port 22000
+
+#################################
+## KVM host @ spektral
+
+Host ffspektral
+ Hostname spektral.ffgraz.net
+
+
+Host ffoldgw
+ Hostname oldgw.ffgraz.net
+
+Host ffgw-cc
+ Hostname gw-cc.ffgraz.net
+
+Host ffstats
+ Hostname stats.ffgraz.net
+
+Host ffwww
+ Hostname www.ffgraz.net
+
+Host ffgit
+ Hostname git.ffgraz.net
+ User git
+
+Host ffbuild
+ Hostname build.ffgraz.net
+ User builder
+
+Host ffbuild2
+ Hostname server88.ffgraz.net
+
+Host fftun
+ Hostname tun.ffgraz.net
+
+Host ffconftun
+ Hostname conftun.ffgraz.net
+
+
+#################################
+## KVM host @ mur.at
+
+Host ffmur
+ Hostname mur.ffgraz.net
+
+
+Host ffgw-mur
+ Hostname gw-mur.ffgraz.net
+
+Host ffdebian
+ Hostname debian.ffgraz.net
+
+Host ffspider
+ Hostname spider.ffgraz.net
+
+
+#################################
+## KVM host @ TU Bibliothek
+
+Host fftub
+ Hostname tub.ffgraz.net
+
+
+Host ffgw-wien
+ Hostname gw-wien.ffgraz.net
+
+Host ffdvb
+ Hostname dvb.ffgraz.net
+
+Host ffnodedb
+ Hostname nodedb.ffgraz.net
+
+Host ffnodedbstage
+ Hostname nodedb-staging.ffgraz.net
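Review bot: The `Ciphers` line re-enables `aes256-cbc,aes128-cbc` and the `Macs` line `hmac-ripemd160`, both of which OpenSSH stopped offering by default years ago (CBC modes since 6.7, because of known plaintext-recovery attacks; ripemd160 MACs were removed outright in 7.6), and because this file applies client-side to every host it weakens any connection that ends up negotiating them. Drop the legacy entries and put the AEAD ciphers first: `Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr` and `Macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256`. The `ssh -q pan` in the ProxyCommand also suppresses every error from the jump-host leg, which makes a failed hop through `pan` indistinguishable from the target being down; consider omitting `-q` there, at least while debugging connectivity.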