-rw-r--r-- | .gitignore | 5 | ||||
-rw-r--r-- | README_secrets.md | 117 | ||||
-rw-r--r-- | ansible.cfg | 12 | ||||
-rwxr-xr-x | apply-role.sh | 13 | ||||
-rw-r--r-- | generic.yaml | 5 | ||||
-rwxr-xr-x | gpg/add-key.sh | 21 | ||||
-rwxr-xr-x | gpg/get-vault-pass.sh | 2 | ||||
-rwxr-xr-x | gpg/gpg2.sh | 2 | ||||
-rwxr-xr-x | gpg/list-keys.sh | 2 | ||||
-rwxr-xr-x | gpg/remove-keys.sh | 35 | ||||
-rwxr-xr-x | gpg/set-vault-pass.sh | 20 | ||||
-rw-r--r-- | gpg/vault-keyring.gpg | bin | 0 -> 53199 bytes | |||
-rw-r--r-- | gpg/vault-pass.gpg | 30 | ||||
-rw-r--r-- | hosts | 31 | ||||
-rw-r--r-- | ssh/config | 82 |
15 files changed, 377 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..3b3711f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,5 @@
+/log
+/gpg/vault-keyring.gpg~
+*.pyc
+*.retry
+.*.sw?
diff --git a/README_secrets.md b/README_secrets.md
new file mode 100644
index 0000000..311cc2a
--- /dev/null
+++ b/README_secrets.md
@@ -0,0 +1,117 @@
+Secrets and Vaults
+==================
+
+All secrets are stored inside encrypted ansible vault files which live
+inside the secrets directory. Access to the vault files is controlled via
+GPG keys. Anybody who uses this ansible repository needs to have a GPG key.
+
+
+Creating a GPG key
+------------------
+
+You can use the following command to generate a new GPG key:
+
+```
+# gpg2 --full-gen-key
+ - select "RSA and RSA" as kind (should be option: 1)
+ - set keysize to: 4096
+ - set key expiration to: 2y
+ - set Real name and eMail adress
+ - set a passphrase for the key (please use a strong passphrase!!!)
+```
+
+This command prints the fingerprint and other inforamtion about the newly
+generated key. In the line starting with pub you can find the key ID. This
+ID can be used to uniquely identify your key. Here is a sample output:
+
+```
+pub rsa4096/0x1234567812345678 2017-01-01 [SC] [expires: 2019-01-01]
+ Key fingerprint = 1234 5678 1234 5678 1234 5678 1234 5678 1234 5678
+uid [ unknown] Firstname Lastname <lastname@example.com>
+sub rsa4096/0x8765432187654321 2017-01-01 [E] [expires: 2019-01-01]
+```
+
+The key ID is the hexadecimal number next to ```rsa4096/``` in the line
+starting with ```pub``` (not ```sub```). In this case the key ID is: ```0x1234567812345678```
+
+In order to add your key to the list of keys which can read the ansible vault
+you first need to export the public part of your key using the following
+command:
+
+```
+# gpg2 --armor --export "<your key id>" > mykey.asc
+```
+
+
+
+Adding a key to the Vault
+-------------------------
+
+Everybody who currently has access to the vault can add keys using the
+following command:
+
+```
+# gpg/add-keys.sh mykey.asc
+```
+
+This will add the new key to the keyring stored inside the repository and
+reencrypt the secret to unlock the vault for all keys inside the keyring.
+
+
+
+Removing a key from the Vault
+-----------------------------
+
+Everybody who currently has access to the vault can remove keys using the
+following command:
+
+```
+# gpg/remove-keys.sh "<key-id>"
+```
+
+This will remove the key from the keyring stored inside the repository and
+reencrypt the secret to unlock the vault for all remaining keys inside the
+keyring.
+
+You can find out the key ID using the command:
+
+```
+# gpg/list-keys.sh
+```
+
+Here is an example output:
+
+```
+pub rsa4096/0x1234567812345678 2017-01-01 [SC] [expires: 2019-01-01]
+ Key fingerprint = 1234 5678 1234 5678 1234 5678 1234 5678 1234 5678
+uid [ unknown] Firstname Lastname <lastname@example.com>
+sub rsa4096/0x8765432187654321 2017-01-01 [E] [expires: 2019-01-01]
+```
+
+The key ID is the hexadecimal number next to ```rsa4096/``` in the line
+starting with ```pub``` (not ```sub```). In this case the key ID is: ```0x1234567812345678```
+
+
+
+Working with Vault files
+------------------------
+
+ * create new vault:
+ ```
+# ansible-vault create secrets/foo.vault.yml
+ ```
+ This will open up an editor which allows you to add variables. Once you
+ store and close the file the content is automatically encrypted.
+
+ * edit a vault file:
+ ```
+# ansible-vault edit secrets/foo.vault.yml
+ ```
+ This will open up an editor which allows you to add/remove/change variables.
+ Once you store and close the file the content is automatically encrypted.
+
+ * show the contents of a vault file:
+ ```
+# ansible-vault view secrets/foo.vault.yml
+ ```
+ This will automatially decrypt the file and print it's contents.
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..387e4e4
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,12 @@
+[defaults]
+inventory = ./hosts
+remote_user = equinox
+log_path = ./log
+nocows=1
+
+gathering = smart
+var_compression_level = 9
+
+[ssh_connection]
+pipelining = True
+ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s -F ssh/config
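Review bot: ansible.cfg does not set `vault_password_file`, so the `ansible-vault create/edit/view` commands the README describes will prompt for a password rather than use the GPG-protected one in gpg/vault-pass.gpg, unless every user remembers to pass `--vault-password-file gpg/get-vault-pass.sh` by hand; adding `vault_password_file = ./gpg/get-vault-pass.sh` under `[defaults]` ties the two mechanisms together. Separately, `log_path = ./log` records the complete run output, which on verbose or `--diff` runs can include values taken from the vault files; the `/log` entry in .gitignore keeps it out of the repository, but a comment saying that is why the entry exists, plus `no_log: true` on tasks that handle secrets, would make the intent explicit.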
diff --git a/apply-role.sh b/apply-role.sh
new file mode 100755
index 0000000..3d39f34
--- /dev/null
+++ b/apply-role.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+if [ -z "$1" ] || [ -z "$2" ] ; then
+ echo "$0 <host(s)> <role>"
+ exit 1
+fi
+hosts="$1"
+shift
+role="$1"
+shift
+
+echo "######## applying the role '$role' to host(s) '$hosts' ########"
+exec ansible-playbook -e "myhosts=$hosts" -e "myrole=$role" $@ generic.yaml
diff --git a/generic.yaml b/generic.yaml
new file mode 100644
index 0000000..d3b8de8
--- /dev/null
+++ b/generic.yaml
@@ -0,0 +1,5 @@
+---
+- name: "Apply role {{ myrole }} to hosts: {{ myhosts }}"
+ hosts: "{{ myhosts }}"
+ roles:
+ - role: "{{ myrole }}"
diff --git a/gpg/add-key.sh b/gpg/add-key.sh
new file mode 100755
index 0000000..98e2917
--- /dev/null
+++ b/gpg/add-key.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+if [ -z "$1" ]; then
+ echo "no keyfile specified, reading from stdin ..."
+fi
+
+"${BASH_SOURCE%/*}/gpg2.sh" --import $@
+if [ $? -ne 0 ]; then
+ echo -e "\nERROR: import key(s) failed. Please revert any changes of the file gpg/vault-keyring.gpg."
+ exit 1
+fi
+
+echo ""
+"${BASH_SOURCE%/*}/get-vault-pass.sh" | "${BASH_SOURCE%/*}/set-vault-pass.sh"
+if [ $? -ne 0 ]; then
+ echo -e "\nERROR: reencrypting vault password file failed!"
+ echo " You might want to revert any changes on gpg/vault-pass.gpg and gpg/vault-keyring.gpg!!"
+ exit 1
+fi
+echo "Successfully reencrypted vault password file!"
+echo " Don't forget to commit the changes in gpg/vault-pass.gpg and gpg/vault-keyring.gpg."
diff --git a/gpg/get-vault-pass.sh b/gpg/get-vault-pass.sh
new file mode 100755
index 0000000..202c94f
--- /dev/null
+++ b/gpg/get-vault-pass.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+gpg2 --decrypt --batch < "${BASH_SOURCE%/*}/vault-pass.gpg" 2> /dev/null
diff --git a/gpg/gpg2.sh b/gpg/gpg2.sh
new file mode 100755
index 0000000..b00c49c
--- /dev/null
+++ b/gpg/gpg2.sh
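Review bot: The `$@` on the last line of apply-role.sh is unquoted, so any extra ansible-playbook argument containing a space or a glob character (for example `--limit 'a b'` or `-e 'x=a b'`) is re-split before it reaches ansible-playbook; it should read `exec ansible-playbook -e "myhosts=$hosts" -e "myrole=$role" "$@" generic.yaml`. The same unquoted `$@` appears in gpg/add-key.sh (`--import $@`), gpg/gpg2.sh, gpg/list-keys.sh and gpg/remove-keys.sh (`--delete-keys $@`) and should be `"$@"` in each; in the gpg wrappers a keyfile path containing a space currently turns into two arguments without any error.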
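Review bot: The pipeline `get-vault-pass.sh | set-vault-pass.sh` on line 14 of add-key.sh only checks the exit status of set-vault-pass.sh (no `pipefail`), and get-vault-pass.sh discards gpg's stderr, so when the decrypt fails (caller's key not among the recipients, passphrase prompt cancelled, agent unavailable) set-vault-pass.sh receives empty input and, as far as I can tell, encrypts an empty message and replaces gpg/vault-pass.gpg with it — after which "Successfully reencrypted vault password file!" is printed although the vault password is gone for everyone. Capture the password first and stop before anything is written when the decrypt fails or yields nothing; remove-keys.sh line 28 has the identical pipeline and needs the same change. The README also refers to this script as `gpg/add-keys.sh` while the file added here is `gpg/add-key.sh`.
```shell
echo ""
# Decrypt first; only overwrite vault-pass.gpg when we really hold the password.
# NOTE: $( ) strips trailing newlines — confirm the consumer of vault-pass.gpg tolerates that.
vault_pass=$("${BASH_SOURCE%/*}/get-vault-pass.sh")
if [ $? -ne 0 ] || [ -z "$vault_pass" ]; then
  echo -e "\nERROR: could not decrypt gpg/vault-pass.gpg with your key; nothing was changed." >&2
  exit 1
fi
printf '%s' "$vault_pass" | "${BASH_SOURCE%/*}/set-vault-pass.sh"
# … unchanged: error handling and success messages …
```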
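Review bot: `2> /dev/null` on line 2 of get-vault-pass.sh throws away gpg's diagnostics, so a failed decrypt (key not among the recipients, expired key, no agent) looks the same as success to the user and to every caller that only inspects stdout, including ansible when this script is used as a vault password file. Drop the redirect, or if the intent is only to silence gpg's informational lines use `--quiet` instead: `gpg2 --quiet --decrypt --batch < "${BASH_SOURCE%/*}/vault-pass.gpg"`. A one-line header such as `# Prints the ansible vault password; usable as --vault-password-file` would also document the script's role.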
@@ -0,0 +1,2 @@
+#!/bin/bash
+exec gpg2 --keyring "${BASH_SOURCE%/*}/vault-keyring.gpg" --secret-keyring /dev/null --no-default-keyring $@
diff --git a/gpg/list-keys.sh b/gpg/list-keys.sh
new file mode 100755
index 0000000..4b01049
--- /dev/null
+++ b/gpg/list-keys.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+exec "${BASH_SOURCE%/*}/gpg2.sh" --list-keys $@
diff --git a/gpg/remove-keys.sh b/gpg/remove-keys.sh
new file mode 100755
index 0000000..80ae157
--- /dev/null
+++ b/gpg/remove-keys.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+if [ -z "$1" ]; then
+ echo "Please specify at least one key ID!"
+ echo ""
+ echo "You can find out the key ID using the command: gpg/list-keys.sh"
+ echo ""
+ echo " Here is an example output:"
+ echo ""
+ echo " pub rsa4096/0x1234567812345678 2017-01-01 [SC] [expires: 2019-01-01]"
+ echo " Key fingerprint = 1234 5678 1234 5678 1234 5678 1234 5678 1234 5678"
+ echo " uid [ unknown] Firstname Lastname <lastname@example.com>"
+ echo " sub rsa4096/0x8765432187654321 2017-01-01 [E] [expires: 2019-01-01]"
+ echo ""
+ echo " The key ID is the hexadecimal number next to rsa4096/ in the line"
+ echo " starting with pub (not sub). In this case the key ID is: 0x1234567812345678"
+ echo ""
+ exit 1
+fi
+
+"${BASH_SOURCE%/*}/gpg2.sh" --delete-keys $@
+if [ $? -ne 0 ]; then
+ echo -e "\nERROR: removing key(s) failed. Please revert any changes of the file gpg/vault-keyring.gpg."
+ exit 1
+fi
+
+echo ""
+"${BASH_SOURCE%/*}/get-vault-pass.sh" | "${BASH_SOURCE%/*}/set-vault-pass.sh"
+if [ $? -ne 0 ]; then
+ echo -e "\nERROR: reencrypting vault password file failed!"
+ echo " You might want to revert any changes on gpg/vault-pass.gpg and gpg/vault-keyring.gpg!!"
+ exit 1
+fi
+echo "Successfully reencrypted vault password file!"
+echo " Don't forget to commit the changes in gpg/vault-pass.gpg and gpg/vault-keyring.gpg."
diff --git a/gpg/set-vault-pass.sh b/gpg/set-vault-pass.sh
new file mode 100755
index 0000000..1fb3426
--- /dev/null
+++ b/gpg/set-vault-pass.sh
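Review bot: `--secret-keyring /dev/null` on line 2 of gpg2.sh is, as far as I know, an obsolete option that GnuPG 2.1 and later ignores (secret keys are held by the agent), so it does not actually keep the user's private keys away from these operations; that is harmless for the import/list/encrypt uses in this commit, but the script should say so rather than leave a reader believing the isolation is real. A short header would cover it, e.g. `# Wrapper used by all gpg/*.sh scripts: operate only on the repository keyring vault-keyring.gpg. --secret-keyring is ignored by gpg >= 2.1 and kept for older versions.`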
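Review bot: Deleting a key and reencrypting gpg/vault-pass.gpg does not revoke the removed user's access: every earlier revision of gpg/vault-pass.gpg in git history stays decryptable with that key, and the ansible-vault password it protects is unchanged, so the removed key still unlocks all vault files. remove-keys.sh (and the README's "Removing a key" section) should state that removal has to be followed by a password rotation — `ansible-vault rekey` on the vault files and a fresh `set-vault-pass.sh` run with the new password — for example as a final `echo " NOTE: the removed key can still read older revisions of gpg/vault-pass.gpg; rotate the vault password (ansible-vault rekey) to fully revoke access."`. The long usage text in the `-z "$1"` branch would also read better as a single quoted here-document than thirteen `echo` calls.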
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+keyids=$("${BASH_SOURCE%/*}/gpg2.sh" --list-keys --with-colons --fast-list-mode 2>/dev/null | awk -F: '/^pub/{printf "%s\n", $5}')
+if [ -z "$keyids" ]; then
+ echo "ERROR: no keys to encrypt to, is the keyring empty?"
+ exit 1
+fi
+
+receipients=""
+for keyid in $keyids; do
+ receipients="$receipients -r $keyid"
+done
+
+
+"${BASH_SOURCE%/*}/gpg2.sh" --yes --trust-model always --encrypt -a -o "${BASH_SOURCE%/*}/vault-pass.gpg.$$" $receipients
+if [ $? -ne 0 ]; then
+ rm -f "${BASH_SOURCE%/*}/vault-pass.gpg.$$"
+ exit 1
+fi
+mv "${BASH_SOURCE%/*}/vault-pass.gpg.$$" "${BASH_SOURCE%/*}/vault-pass.gpg"
diff --git a/gpg/vault-keyring.gpg b/gpg/vault-keyring.gpg
Binary files differ
new file mode 100644
index 0000000..ac982f5
--- /dev/null
+++ b/gpg/vault-keyring.gpg
diff --git a/gpg/vault-pass.gpg b/gpg/vault-pass.gpg
new file mode 100644
index 0000000..10013e2
--- /dev/null
+++ b/gpg/vault-pass.gpg
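Review bot: set-vault-pass.sh replaces gpg/vault-pass.gpg with whatever arrives on stdin and never checks that it is non-empty, so an upstream failure in the `get-vault-pass.sh | set-vault-pass.sh` pipelines of add-key.sh and remove-keys.sh (which only see the last command's status) ends with the vault password replaced by an encrypted empty message. Reading stdin into a variable and refusing to write when it is empty makes the script safe regardless of how it is called. While there, `$receipients` (typo for recipients) on line 15 is a string that the shell re-splits; an array keeps each `-r`/key-id pair intact, and `--trust-model always` deserves a comment that the repository keyring itself is the access list, so the web of trust is bypassed on purpose.
```shell
# Refuse to overwrite the vault password file with empty input, e.g. when the
# producer on stdin (get-vault-pass.sh) failed. NOTE: $( ) strips trailing
# newlines — confirm the consumer of vault-pass.gpg tolerates that.
vault_pass=$(cat)
if [ -z "$vault_pass" ]; then
  echo "ERROR: empty vault password on stdin, refusing to overwrite vault-pass.gpg" >&2
  exit 1
fi

# Encrypt to every key in the repository keyring; the keyring is the access
# list, so the web of trust is deliberately not consulted (--trust-model always).
recipients=()
for keyid in $keyids; do
  recipients+=(-r "$keyid")
done

printf '%s' "$vault_pass" | "${BASH_SOURCE%/*}/gpg2.sh" --yes --trust-model always --encrypt -a -o "${BASH_SOURCE%/*}/vault-pass.gpg.$$" "${recipients[@]}"
# … unchanged: cleanup on failure and mv into place …
```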
@@ -0,0 +1,30 @@ +-----BEGIN PGP MESSAGE----- + +hQIMA+Cpej/CiKjBAQ/9F6GVffeVLlCbF5Y30yP8drkV3uOFFwi46nUbRtz+VESN +627nxJookhYBB9RS1r6L1Db17Qi5pgusqeihu7IWdXtvdtcOAmExJ+ePlXUILy4r +1BKWIDIIj9z2t09v4KAAXEJYtJmRUf7tACmHHBhNbZzN/oaXutEfPrrxLaLg1Pcd +d1A9J4baa5XMal59BzwToDdz1T1UCa7H/6rm76LuLb+dFttyZw24FnwBkH1aDbcz +kTdMXzqaNVbh/0jQT3c0ATBltpam+vBx5MqRHJquysdaZ6WIf7vbSnPKopzegMOi +kdn7H6Hb9u88cZ7ND29NBKvpRUBe5T3HVkHErS/RBZLqfKMzxpf/neFwkUwbK3oH +agTszNHPDfyM9GqWDeeakp2amlZ4QKAC9WjX/1PHEItivHBettJqyPRTXQ+jqYx/ +jubCeGErOY9T6ub5zwPfyjtUAvZx7nXbWQbkP3IedF7Iq/c0shjuTCDWLwanRCbv +mrcqdUsxXxw/9B3QB0TqrmKu8WiM1biemQbo3ZE0V4KQUcKeYII5L57XReeU/u5q +WdtPLdLBQvuIKELXbiEVGqHwvwHo6INVnrkO+18wrgDQ+izxvxxlLzWZLev+pr0f +PEX263MFK7nloRvaAeStj5/3wcElq3mR7Ksy8D/bbUvPJwRGK+G8Ntc5zDgKVaSF +AgwDdyX9zyGgIjQBEACwYMmdtlOA/9LNsAvvzygU6N6vHnVcv3nSqLc4c66t5seC +ytlHXIHtuN9THwYep6scTj8XE6ZIMLpb9mybMneAZajDqwOLQ4tp81wkBjvZysyJ +OOqTrhZxuglRDbJWbfPfK52F6Gm+I/nFKySU8r8wo7ScqaDtJF9WaKdCSU26+2AC +spuAatd7vn0DuJoAJFa6KKdwCe8bGy+2oJzNND+wmwt0KgFhI27ghPwQgl+2kshd +K0t4KCgMC5RM0ixptypPYOrT6L76lwu+QCnpQftdnOemUDDtve3UM/Nbs2c1REve +RR58faZOYsLq2AibUbdyZii2eRZeGlQhuXzOdhgYrA08qHvT+vJeYSR8QHQ6Q011 +FRe8fgC25MGdtrnDMFhWqZ0cJs2VgT0oyMsgU2KrDCENSuMKdKz+Jsmn2x6L6nrn +rjZjWqGq0dF8L1EImpBwxd2eh3pgVWXJDUWYeUk9h1jjzN61Sa0imDl5857CxclP +E0x0wGs7QqC+GrVtBEsttmhRfSHeAGP6rKlFMRek3sxP0jFi4c9/a6A45NhlB4Q8 +fyGCaqFsHl75QMDzNKpz9LcJJje2l9uMpmG5WW1Mx4PR3mWaknlCWB+91eVRtp0F +W5rA3fldoyu2odovHuTuHo0H2xiDPg2d4BUgjho4nH/0F2rkUbH5Vuh9fCuHKdK8 +ASmgdNFxud8rSaf2K37EUQKh7RFWZWP/6bwT7xDTmYC6lnvO0cewbbMrhgRKvn+t +8Agn/ixqginL/qJglP/yFeME9bAoAkHsh9KlifTBziv3gSNG/Gy5CTTsrkLmj0+G +Fb2eUjzf8n7cjVc1COqfMHW3e/rGlkVuR63EtAywpy4kgD8aYpzdJr1Z+UxthUjc +1ASaJxhr6Qemd+D1Jnp08QHP0ykRf4dyIzpI+lp1NKXolCW9FAenR7U4KlM= +=UjRk +-----END PGP MESSAGE----- 
@@ -0,0 +1,31 @@
+[baremetalservers]
+spektral
+mur
+tub
+
+[kvmhosts]
+spektral
+mur
+tub
+
+[virtualservers]
+oldgw
+gw-cc
+stats
+www
+git
+build
+build2
+tun
+conftun
+gw-mur
+debian
+spider
+gw-wien
+dvb
+nodedb
+nodedbstage
+
+[servers:children]
+baremetalservers
+virtualservers
diff --git a/ssh/config b/ssh/config
new file mode 100644
index 0000000..c12c550
--- /dev/null
+++ b/ssh/config
@@ -0,0 +1,82 @@
+Ciphers aes256-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-cbc,aes128-cbc
+Macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160
+
+Host *
+ ProxyCommand ssh -q pan nc -q0 -w1 %h %p
+ IdentityFile ~/.ssh/id_ff_rsa
+ IdentitiesOnly yes
+ PasswordAuthentication no
+ Port 22000
+
+#################################
+## KVM host @ spektral
+
+Host ffspektral
+ Hostname spektral.ffgraz.net
+
+
+Host ffoldgw
+ Hostname oldgw.ffgraz.net
+
+Host ffgw-cc
+ Hostname gw-cc.ffgraz.net
+
+Host ffstats
+ Hostname stats.ffgraz.net
+
+Host ffwww
+ Hostname www.ffgraz.net
+
+Host ffgit
+ Hostname git.ffgraz.net
+ User git
+
+Host ffbuild
+ Hostname build.ffgraz.net
+ User builder
+
+Host ffbuild2
+ Hostname server88.ffgraz.net
+
+Host fftun
+ Hostname tun.ffgraz.net
+
+Host ffconftun
+ Hostname conftun.ffgraz.net
+
+
+#################################
+## KVM host @ mur.at
+
+Host ffmur
+ Hostname mur.ffgraz.net
+
+
+Host ffgw-mur
+ Hostname gw-mur.ffgraz.net
+
+Host ffdebian
+ Hostname debian.ffgraz.net
+
+Host ffspider
+ Hostname spider.ffgraz.net
+
+
+#################################
+## KVM host @ TU Bibliothek
+
+Host fftub
+ Hostname tub.ffgraz.net
+
+
+Host ffgw-wien
+ Hostname gw-wien.ffgraz.net
+
+Host ffdvb
+ Hostname dvb.ffgraz.net
+
+Host ffnodedb
+ Hostname nodedb.ffgraz.net
+
+Host ffnodedbstage
+ Hostname nodedb-staging.ffgraz.net |
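Review bot: The `Ciphers` line ends with `aes256-cbc,aes128-cbc` and the `Macs` line carries `hmac-ripemd160-etm@openssh.com` and `hmac-ripemd160`, algorithms OpenSSH dropped from its defaults some time ago (CBC modes, as far as I recall, in 6.7 and the RIPEMD-160 MACs in 7.6). Since both are ordered preference lists they are only negotiated when a server offers nothing better, so keeping them mainly preserves access to an outdated host at the cost of accepting a weaker channel without notice; if every ffgraz.net host runs a current sshd the entries can simply be dropped, otherwise a comment naming the host that still needs them keeps the exception reviewable. `Host *` also applies `ProxyCommand ssh -q pan nc -q0 -w1 %h %p` and `Port 22000` to every host while `pan` itself is not defined in this file, so it has to resolve through the user's own ~/.ssh/config (the inner ssh does not see `-F ssh/config`); a comment stating that, e.g. `# all hosts are reached via the jump host "pan", which must be defined in your ~/.ssh/config`, would save the next user some puzzling.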