-rw-r--r--gpg/vault-keyring.gpgbin0 -> 53199 bytes
15 files changed, 377 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..3b3711f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,5 @@
diff --git a/ b/
new file mode 100644
index 0000000..311cc2a
--- /dev/null
+++ b/
@@ -0,0 +1,117 @@
+Secrets and Vaults
+All secrets are stored inside encrypted ansible vault files which live
+inside the secrets directory. Access to the vault files is controlled via
+GPG keys. Anybody who uses this ansible repository needs to have a GPG key.
+Creating a GPG key
+You can use the following command to generate a new GPG key:
+# gpg2 --full-gen-key
+ - select "RSA and RSA" as kind (should be option: 1)
+ - set keysize to: 4096
+ - set key expiration to: 2y
+ - set Real name and eMail adress
+ - set a passphrase for the key (please use a strong passphrase!!!)
+This command prints the fingerprint and other inforamtion about the newly
+generated key. In the line starting with pub you can find the key ID. This
+ID can be used to uniquely identify your key. Here is a sample output:
+pub rsa4096/0x1234567812345678 2017-01-01 [SC] [expires: 2019-01-01]
+ Key fingerprint = 1234 5678 1234 5678 1234 5678 1234 5678 1234 5678
+uid [ unknown] Firstname Lastname <>
+sub rsa4096/0x8765432187654321 2017-01-01 [E] [expires: 2019-01-01]
+The key ID is the hexadecimal number next to ```rsa4096/``` in the line
+starting with ```pub``` (not ```sub```). In this case the key ID is: ```0x1234567812345678```
+In order to add your key to the list of keys which can read the ansible vault
+you first need to export the public part of your key using the following
+# gpg2 --armor --export "<your key id>" > mykey.asc
+Adding a key to the Vault
+Everybody who currently has access to the vault can add keys using the
+following command:
+# gpg/ mykey.asc
+This will add the new key to the keyring stored inside the repository and
+reencrypt the secret to unlock the vault for all keys inside the keyring.
+Removing a key from the Vault
+Everybody who currently has access to the vault can remove keys using the
+following command:
+# gpg/ "<key-id>"
+This will remove the key from the keyring stored inside the repository and
+reencrypt the secret to unlock the vault for all remaining keys inside the
+You can find out the key ID using the command:
+# gpg/
+Here is an example output:
+pub rsa4096/0x1234567812345678 2017-01-01 [SC] [expires: 2019-01-01]
+ Key fingerprint = 1234 5678 1234 5678 1234 5678 1234 5678 1234 5678
+uid [ unknown] Firstname Lastname <>
+sub rsa4096/0x8765432187654321 2017-01-01 [E] [expires: 2019-01-01]
+The key ID is the hexadecimal number next to ```rsa4096/``` in the line
+starting with ```pub``` (not ```sub```). In this case the key ID is: ```0x1234567812345678```
+Working with Vault files
+ * create new vault:
+ ```
+# ansible-vault create secrets/foo.vault.yml
+ ```
+ This will open up an editor which allows you to add variables. Once you
+ store and close the file the content is automatically encrypted.
+ * edit a vault file:
+ ```
+# ansible-vault edit secrets/foo.vault.yml
+ ```
+ This will open up an editor which allows you to add/remove/change variables.
+ Once you store and close the file the content is automatically encrypted.
+ * show the contents of a vault file:
+ ```
+# ansible-vault view secrets/foo.vault.yml
+ ```
+ This will automatially decrypt the file and print it's contents.
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..387e4e4
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,12 @@
+inventory = ./hosts
+remote_user = equinox
+log_path = ./log
+gathering = smart
+var_compression_level = 9
+pipelining = True
+ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s -F ssh/config
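Review bot: `log_path = ./log` on line 87 writes the playbook log into the repository working tree, and Ansible logs can include task arguments and results, which in a repository built around vault secrets may contain decrypted values unless the tasks set `no_log`. The .gitignore added in this commit shows no entries in this view, so it is not clear the log is excluded from version control; either ignore it there or point `log_path` outside the checkout. A comment on the line would make the expectation explicit, e.g. `# may contain task output and secrets; must stay ignored by git`.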
diff --git a/ b/
new file mode 100755
index 0000000..3d39f34
--- /dev/null
+++ b/
@@ -0,0 +1,13 @@
+if [ -z "$1" ] || [ -z "$2" ] ; then
+ echo "$0 <host(s)> <role>"
+ exit 1
+echo "######## applying the role '$role' to host(s) '$hosts' ########"
+exec ansible-playbook -e "myhosts=$hosts" -e "myrole=$role" $@ generic.yaml
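Review bot: The extra arguments forwarded to ansible-playbook on line 102 are unquoted (`$@`), so any argument containing whitespace or a glob character is re-split before it reaches ansible-playbook; write `exec ansible-playbook -e "myhosts=$hosts" -e "myrole=$role" "$@" generic.yaml`. The usage message inside the guard goes to stdout; `echo "$0 <host(s)> <role>" >&2` keeps it out of any captured output. The assignments of `hosts` and `role` and the `fi` closing the guard are not in the hunk as shown, so the file appears to be displayed incompletely here.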
diff --git a/generic.yaml b/generic.yaml
new file mode 100644
index 0000000..d3b8de8
--- /dev/null
+++ b/generic.yaml
@@ -0,0 +1,5 @@
+- name: "Apply role {{ myrole }} to hosts: {{ myhosts }}"
+ hosts: "{{ myhosts }}"
+ roles:
+ - role: "{{ myrole }}"
diff --git a/gpg/ b/gpg/
new file mode 100755
index 0000000..98e2917
--- /dev/null
+++ b/gpg/
@@ -0,0 +1,21 @@
+if [ -z "$1" ]; then
+ echo "no keyfile specified, reading from stdin ..."
+"${BASH_SOURCE%/*}/" --import $@
+if [ $? -ne 0 ]; then
+ echo -e "\nERROR: import key(s) failed. Please revert any changes of the file gpg/vault-keyring.gpg."
+ exit 1
+echo ""
+"${BASH_SOURCE%/*}/" | "${BASH_SOURCE%/*}/"
+if [ $? -ne 0 ]; then
+ echo -e "\nERROR: reencrypting vault password file failed!"
+ echo " You might want to revert any changes on gpg/vault-pass.gpg and gpg/vault-keyring.gpg!!"
+ exit 1
+echo "Successfully reencrypted vault password file!"
+echo " Don't forget to commit the changes in gpg/vault-pass.gpg and gpg/vault-keyring.gpg."
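Review bot: The status check after the decrypt-then-reencrypt pipeline on line 126 only sees the exit code of the last stage, so a failed decrypt (wrong passphrase, no matching private key) yields empty input that the reencrypt step can still encrypt, and the vault password file is replaced with an encrypted empty message. Since the script already depends on bash (`BASH_SOURCE`), check both stages: `if [ "${PIPESTATUS[0]}" -ne 0 ] || [ "${PIPESTATUS[1]}" -ne 0 ]; then`. The decrypt helper on line 139 discards stderr, which hides the reason for such a failure from the operator. The same pattern appears in the remove-key script at lines 181-182, and the unquoted `$@` on line 121 (and line 176) should be `"$@"`. The `fi` lines closing the `if` blocks are not in the hunk as shown.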
diff --git a/gpg/ b/gpg/
new file mode 100755
index 0000000..202c94f
--- /dev/null
+++ b/gpg/
@@ -0,0 +1,2 @@
+gpg2 --decrypt --batch < "${BASH_SOURCE%/*}/vault-pass.gpg" 2> /dev/null
diff --git a/gpg/ b/gpg/
new file mode 100755
index 0000000..b00c49c
--- /dev/null
+++ b/gpg/
@@ -0,0 +1,2 @@
+exec gpg2 --keyring "${BASH_SOURCE%/*}/vault-keyring.gpg" --secret-keyring /dev/null --no-default-keyring $@
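Review bot: The arguments passed through to gpg2 on line 146 are unquoted (`$@`), so a key ID or file name containing whitespace is split into several arguments; use `"$@"`, and the same applies to the pass-through on line 153. As far as I recall, `--secret-keyring` is accepted but ignored by GnuPG 2.1 and later, so `--secret-keyring /dev/null` should not be relied on to separate private key handling from this keyring; a comment such as `# --secret-keyring is ignored by gpg >= 2.1; private keys come from the user's own homedir` would stop a reader from assuming otherwise.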
diff --git a/gpg/ b/gpg/
new file mode 100755
index 0000000..4b01049
--- /dev/null
+++ b/gpg/
@@ -0,0 +1,2 @@
+exec "${BASH_SOURCE%/*}/" --list-keys $@
diff --git a/gpg/ b/gpg/
new file mode 100755
index 0000000..80ae157
--- /dev/null
+++ b/gpg/
@@ -0,0 +1,35 @@
+if [ -z "$1" ]; then
+ echo "Please specify at least one key ID!"
+ echo ""
+ echo "You can find out the key ID using the command: gpg/"
+ echo ""
+ echo " Here is an example output:"
+ echo ""
+ echo " pub rsa4096/0x1234567812345678 2017-01-01 [SC] [expires: 2019-01-01]"
+ echo " Key fingerprint = 1234 5678 1234 5678 1234 5678 1234 5678 1234 5678"
+ echo " uid [ unknown] Firstname Lastname <>"
+ echo " sub rsa4096/0x8765432187654321 2017-01-01 [E] [expires: 2019-01-01]"
+ echo ""
+ echo " The key ID is the hexadecimal number next to rsa4096/ in the line"
+ echo " starting with pub (not sub). In this case the key ID is: 0x1234567812345678"
+ echo ""
+ exit 1
+"${BASH_SOURCE%/*}/" --delete-keys $@
+if [ $? -ne 0 ]; then
+ echo -e "\nERROR: removing key(s) failed. Please revert any changes of the file gpg/vault-keyring.gpg."
+ exit 1
+echo ""
+"${BASH_SOURCE%/*}/" | "${BASH_SOURCE%/*}/"
+if [ $? -ne 0 ]; then
+ echo -e "\nERROR: reencrypting vault password file failed!"
+ echo " You might want to revert any changes on gpg/vault-pass.gpg and gpg/vault-keyring.gpg!!"
+ exit 1
+echo "Successfully reencrypted vault password file!"
+echo " Don't forget to commit the changes in gpg/vault-pass.gpg and gpg/vault-keyring.gpg."
diff --git a/gpg/ b/gpg/
new file mode 100755
index 0000000..1fb3426
--- /dev/null
+++ b/gpg/
@@ -0,0 +1,20 @@
+keyids=$("${BASH_SOURCE%/*}/" --list-keys --with-colons --fast-list-mode 2>/dev/null | awk -F: '/^pub/{printf "%s\n", $5}')
+if [ -z "$keyids" ]; then
+ echo "ERROR: no keys to encrypt to, is the keyring empty?"
+ exit 1
+for keyid in $keyids; do
+ receipients="$receipients -r $keyid"
+"${BASH_SOURCE%/*}/" --yes --trust-model always --encrypt -a -o "${BASH_SOURCE%/*}/vault-pass.gpg.$$" $receipients
+if [ $? -ne 0 ]; then
+ rm -f "${BASH_SOURCE%/*}/vault-pass.gpg.$$"
+ exit 1
+mv "${BASH_SOURCE%/*}/vault-pass.gpg.$$" "${BASH_SOURCE%/*}/vault-pass.gpg"
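Review bot: The script encrypts whatever arrives on stdin and overwrites vault-pass.gpg with the result, with no check that the payload is non-empty, so an upstream decrypt failure in the caller's pipeline becomes a vault password file that contains nothing. Reading stdin into a variable first and refusing an empty payload closes that gap without writing plaintext to disk; building the recipient list as an array instead of the space-joined `$receipients` string (also a misspelling of "recipients") removes the dependence on word-splitting. The temporary name `vault-pass.gpg.$$` is predictable, but it lives in the repository directory rather than a shared tmp, so that is a minor point.
```shell
# Refuse to replace vault-pass.gpg with an encrypted empty payload, e.g. when
# the caller's decrypt stage failed silently. The trailing "x" preserves a
# final newline that $(...) would otherwise strip.
plain=$(cat; printf x)
plain=${plain%x}
if [ -z "$plain" ]; then
  echo "ERROR: empty vault password on stdin, refusing to reencrypt" >&2
  exit 1
fi
# … unchanged: keyid collection and empty-keyring check …
recipients=()
for keyid in $keyids; do
  recipients+=(-r "$keyid")
done
# … unchanged: encrypt call, now fed via `printf '%s' "$plain" |` and passing "${recipients[@]}" instead of $receipients; rm/mv handling …
```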
diff --git a/gpg/vault-keyring.gpg b/gpg/vault-keyring.gpg
new file mode 100644
index 0000000..ac982f5
--- /dev/null
+++ b/gpg/vault-keyring.gpg
Binary files differ
diff --git a/gpg/vault-pass.gpg b/gpg/vault-pass.gpg
new file mode 100644
index 0000000..10013e2
--- /dev/null
+++ b/gpg/vault-pass.gpg
@@ -0,0 +1,30 @@
+-----END PGP MESSAGE-----
diff --git a/hosts b/hosts
new file mode 100644
index 0000000..791109f
--- /dev/null
+++ b/hosts
@@ -0,0 +1,31 @@
diff --git a/ssh/config b/ssh/config
new file mode 100644
index 0000000..c12c550
--- /dev/null
+++ b/ssh/config
@@ -0,0 +1,82 @@
+Ciphers aes256-ctr,aes128-ctr,,,,aes256-cbc,aes128-cbc
+Host *
+ ProxyCommand ssh -q pan nc -q0 -w1 %h %p
+ IdentityFile ~/.ssh/id_ff_rsa
+ IdentitiesOnly yes
+ PasswordAuthentication no
+ Port 22000
+## KVM host @ spektral
+Host ffspektral
+ Hostname
+Host ffoldgw
+ Hostname
+Host ffgw-cc
+ Hostname
+Host ffstats
+ Hostname
+Host ffwww
+ Hostname
+Host ffgit
+ Hostname
+ User git
+Host ffbuild
+ Hostname
+ User builder
+Host ffbuild2
+ Hostname
+Host fftun
+ Hostname
+Host ffconftun
+ Hostname
+## KVM host @
+Host ffmur
+ Hostname
+Host ffgw-mur
+ Hostname
+Host ffdebian
+ Hostname
+Host ffspider
+ Hostname
+## KVM host @ TU Bibliothek
+Host fftub
+ Hostname
+Host ffgw-wien
+ Hostname
+Host ffdvb
+ Hostname
+Host ffnodedb
+ Hostname
+Host ffnodedbstage
+ Hostname