Support local vault overrides and optional vault pass file

This commit is contained in:
Fabio Scotto di Santolo
2026-04-02 10:42:14 +02:00
parent b7d1a7c2e6
commit b01b3a7c1a
7 changed files with 56 additions and 4 deletions


@@ -50,6 +50,11 @@ python3 -m pip install ansible ansible-lint yamllint shellcheck-py
ansible-galaxy collection install -r ansible/collections/requirements.yml ansible-galaxy collection install -r ansible/collections/requirements.yml
``` ```
Vault handling:
- `secrets/vault.yml` is the shared encrypted vars file
- `secrets/vault.local.yml` is an optional machine-local encrypted override file and should stay untracked
- `secrets/.vault_pass` is an optional local password file; if absent, Ansible falls back to an interactive prompt via `scripts/vault_password_client.sh`
Core validation from the repo root: Core validation from the repo root:
```bash ```bash
ansible-playbook ansible/site.yml --syntax-check ansible-playbook ansible/site.yml --syntax-check
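Review bot: the new vault-handling bullets describe `secrets/.vault_pass` as optional but, unlike the `vault.local.yml` bullet, never say it must stay untracked or what permissions it needs; a readable copy of that file unlocks every vault in the repo, so give it the same "should stay untracked" wording and recommend restrictive permissions, e.g. `chmod 600 secrets/.vault_pass`.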
@@ -155,7 +160,7 @@ There is no pytest, Molecule, or unit-test suite. Use the narrowest command matc
- `profile_workstation_dev_common` carries the Ubuntu dev layer shared by native workstation and WSL Ubuntu - `profile_workstation_dev_common` carries the Ubuntu dev layer shared by native workstation and WSL Ubuntu
- `profile_workstation_gnome` now carries Linux host-only GNOME setup, extensions, and UFW - `profile_workstation_gnome` now carries Linux host-only GNOME setup, extensions, and UFW
- `profile_workstation_dev_wsl` carries WSL-specific Ubuntu tweaks such as `systemd` - `profile_workstation_dev_wsl` carries WSL-specific Ubuntu tweaks such as `systemd`
- `profile_workstation_host_windows` manages the Windows host via PSRP and installs host applications via `winget` called from `win_powershell` - `profile_workstation_host_windows` manages the Windows host via PSRP over HTTPS and installs host applications via `winget` called from `win_powershell`
- `deadalus-wsl` is modeled as a local inventory target intended to be run from inside the Ubuntu WSL distro - `deadalus-wsl` is modeled as a local inventory target intended to be run from inside the Ubuntu WSL distro
- Do not auto-restart `emptty` during playbook runs on active desktop hosts; prefer a manual restart from SSH or another TTY after the run - Do not auto-restart `emptty` during playbook runs on active desktop hosts; prefer a manual restart from SSH or another TTY after the run
- `dotfiles/desktop/.xinitrc` is part of the X11 session bootstrap path; changes there affect login behavior - `dotfiles/desktop/.xinitrc` is part of the X11 session bootstrap path; changes there affect login behavior
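Review bot: "PSRP over HTTPS" in the `profile_workstation_host_windows` bullet says nothing about whether the listener certificate is validated; with a self-signed WinRM certificate the play only connects when `ansible_psrp_cert_validation: ignore` is set, and readers should be told that in that mode TLS still protects the session from eavesdropping but no longer proves which host answered.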


@@ -113,7 +113,7 @@ Il profilo workstation e agganciato al playbook principale e ora distingue:
- layer dev Ubuntu condiviso tra workstation Linux nativa e Ubuntu in WSL - layer dev Ubuntu condiviso tra workstation Linux nativa e Ubuntu in WSL
- layer host Linux GNOME - layer host Linux GNOME
- layer host Windows con bootstrap WSL, gestione app via `winget` e VS Code lato Windows - layer host Windows con bootstrap WSL, remoting `PSRP` su `HTTPS/5986`, gestione app via `winget` e VS Code lato Windows
- layer WSL dedicato per sviluppo con `systemd` - layer WSL dedicato per sviluppo con `systemd`
Lo stato attuale del profilo workstation include: Lo stato attuale del profilo workstation include:
@@ -136,6 +136,8 @@ Workflow Windows + WSL previsto:
6. lanciare da WSL anche il playbook su `deadalus-win` via `psrp` per configurare l'host Windows 6. lanciare da WSL anche il playbook su `deadalus-win` via `psrp` per configurare l'host Windows
7. usare VS Code con le estensioni Remote (`WSL`, `SSH`, `Dev Containers`) dal lato Windows 7. usare VS Code con le estensioni Remote (`WSL`, `SSH`, `Dev Containers`) dal lato Windows
Per il remoting Windows il repository usa di default `PSRP` con `NTLM` su `HTTPS/5986`. L'utente di default puo essere un `MicrosoftAccount\...`, con host, utente e password forniti via vault o extra vars.
--- ---
## Server ## Server
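Review bot: the new paragraph allows host, user and password to be supplied via extra vars; a password passed with `-e` lands in shell history and in the process list visible to other local users, so recommend the vault path (or `-e @file` with a protected file) for `windows_psrp_password` and reserve plain extra vars for host and user.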
@@ -304,8 +306,10 @@ ansible-galaxy collection install community.general
Gestione segreti: Gestione segreti:
- il repository supporta il caricamento opzionale di `secrets/vault.yml` - il repository supporta il caricamento opzionale di `secrets/vault.yml`
- il repository supporta anche `secrets/vault.local.yml` per override locali non versionati
- `secrets/vault.yml.example` funge da template/esempio - `secrets/vault.yml.example` funge da template/esempio
- se `secrets/vault.yml` non e presente, il playbook continua comunque senza caricare variabili locali opzionali - se `secrets/vault.yml` non e presente, il playbook continua comunque senza caricare variabili locali opzionali
- se `secrets/.vault_pass` esiste viene usato automaticamente per sbloccare i vault; altrimenti Ansible richiede la password in modo interattivo
--- ---
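Review bot: the `vault.local.yml` bullet should state that the local override file must be encrypted with the same vault password as `vault.yml`, because the repo configures a single `vault_password_file` and no vault IDs; it should also remind users that a plaintext `vault.local.yml` is loaded just the same by `include_vars`, so its secrets are only protected if the file is actually run through `ansible-vault encrypt`.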
@@ -325,6 +329,7 @@ Allo stato attuale questo comando:
- per gli host `ubuntu_server` applica pacchetti Ubuntu, servizi systemd, profilo server, UFW, dotfiles e template dedicati - per gli host `ubuntu_server` applica pacchetti Ubuntu, servizi systemd, profilo server, UFW, dotfiles e template dedicati
- non riavvia automaticamente `emptty`; le modifiche al display manager vanno applicate manualmente da SSH o da una TTY separata - non riavvia automaticamente `emptty`; le modifiche al display manager vanno applicate manualmente da SSH o da una TTY separata
- carica `secrets/vault.yml` solo se presente - carica `secrets/vault.yml` solo se presente
- carica `secrets/vault.local.yml` solo se presente, dopo `vault.yml`, cosi gli override locali hanno precedenza
Per validare prima di applicare: Per validare prima di applicare:
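Review bot: "gli override locali hanno precedenza" should clarify that the override works per variable, not per key inside a dictionary: `include_vars` replaces a variable wholesale, so a `vault.local.yml` that redefines one key of a dict defined in `vault.yml` drops the other keys unless the whole dict is repeated.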


@@ -3,3 +3,4 @@ inventory = ansible/inventory/hosts.yml
roles_path = ansible/roles roles_path = ansible/roles
host_key_checking = False host_key_checking = False
retry_files_enabled = False retry_files_enabled = False
vault_password_file = ./scripts/vault_password_client.sh
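Review bot: `vault_password_file = ./scripts/vault_password_client.sh` only behaves as a prompt script if the file carries the executable bit; Ansible runs an executable vault password file and otherwise reads its contents as the literal password, and this diff does not show the mode of the new script, so confirm it is committed as 100755 (`git update-index --chmod=+x scripts/vault_password_client.sh`) or the script source itself becomes the "password".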


@@ -8,6 +8,12 @@
file: "{{ playbook_dir }}/../secrets/vault.yml" file: "{{ playbook_dir }}/../secrets/vault.yml"
when: lookup('ansible.builtin.fileglob', playbook_dir + '/../secrets/vault.yml', errors='ignore') != '' when: lookup('ansible.builtin.fileglob', playbook_dir + '/../secrets/vault.yml', errors='ignore') != ''
- name: Load machine-local vault variables when available
tags: [always]
ansible.builtin.include_vars:
file: "{{ playbook_dir }}/../secrets/vault.local.yml"
when: lookup('ansible.builtin.fileglob', playbook_dir + '/../secrets/vault.local.yml', errors='ignore') != ''
roles: roles:
- dotfiles_common - dotfiles_common
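Review bot: the `when:` on the new `vault.local.yml` task rebuilds the path from `playbook_dir` and runs a `fileglob` lookup just to test existence; Ansible's file test is clearer and avoids glob expansion on a literal path: `when: (playbook_dir + '/../secrets/vault.local.yml') is file`. The same simplification applies to the `vault.yml` task directly above it.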
@@ -56,6 +62,12 @@
file: "{{ playbook_dir }}/../secrets/vault.yml" file: "{{ playbook_dir }}/../secrets/vault.yml"
when: lookup('ansible.builtin.fileglob', playbook_dir + '/../secrets/vault.yml', errors='ignore') != '' when: lookup('ansible.builtin.fileglob', playbook_dir + '/../secrets/vault.yml', errors='ignore') != ''
- name: Load machine-local vault variables when available
tags: [always]
ansible.builtin.include_vars:
file: "{{ playbook_dir }}/../secrets/vault.local.yml"
when: lookup('ansible.builtin.fileglob', playbook_dir + '/../secrets/vault.local.yml', errors='ignore') != ''
- name: Ensure Windows PSRP connection settings are defined - name: Ensure Windows PSRP connection settings are defined
tags: [always] tags: [always]
ansible.builtin.assert: ansible.builtin.assert:
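Review bot: this is the second verbatim copy of the two vault `include_vars` tasks (the first sits in the earlier play in this file); move them into a shared task file, for example `ansible/tasks/load_vault.yml` (name assumed), and pull it into each play's `pre_tasks` with `ansible.builtin.import_tasks`, so the next vault file is added in one place instead of two.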
@@ -63,7 +75,8 @@
- (ansible_host | default('') | length) > 0 - (ansible_host | default('') | length) > 0
- (ansible_user | default('') | length) > 0 - (ansible_user | default('') | length) > 0
fail_msg: >- fail_msg: >-
Define windows_psrp_host and windows_psrp_user via extra vars or secrets/vault.yml Define windows_psrp_host and windows_psrp_user via extra vars, secrets/vault.yml,
or secrets/vault.local.yml
before running the workstation_host_windows play. before running the workstation_host_windows play.
roles: roles:
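Review bot: the assert checks only `ansible_host` and `ansible_user`, while the documentation says the password also comes from the vault; add `- (ansible_password | default('') | length) > 0` and mention `windows_psrp_password` in the updated `fail_msg`, so a missing password fails here with a clear message rather than later as an NTLM authentication error.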


@@ -0,0 +1,26 @@
#!/bin/sh
set -eu
script_dir=$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)
repo_root=$(CDPATH= cd -- "$script_dir/.." && pwd)
vault_pass_file="$repo_root/secrets/.vault_pass"
if [ -r "$vault_pass_file" ]; then
IFS= read -r password < "$vault_pass_file" || password=''
printf '%s' "$password"
exit 0
fi
if [ -t 0 ]; then
printf 'Vault password: ' >&2
stty -echo
IFS= read -r password
stty echo
printf '\n' >&2
printf '%s' "$password"
exit 0
fi
printf '%s\n' "Vault password file not found at $vault_pass_file and no interactive TTY is available." >&2
exit 1
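Review bot: `IFS= read -r password < "$vault_pass_file" || password=''` blanks the password whenever the file has no trailing newline: `read` returns non-zero at EOF but has already stored the line, and the `||` branch then overwrites it, so a file written with `printf '%s'` or by an editor that strips the final newline yields an empty vault password and a confusing decryption failure. Use `IFS= read -r password < "$vault_pass_file" || true` instead. In the interactive branch, add `trap 'stty echo' EXIT` before `stty -echo` so an interrupted prompt does not leave the terminal with echo disabled.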

secrets/.gitignore vendored

@@ -1,2 +1,4 @@
.vault_pass .vault_pass
.vault_pass* .vault_pass*
vault.local.yml
vault.local.yml*
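Review bot: `.vault_pass` and `vault.local.yml` are already matched by the `.vault_pass*` and `vault.local.yml*` globs on the following lines, so the two exact entries are redundant; also note that `vault.local.yml*` will swallow a future `vault.local.yml.example`, whereas `vault.yml.example` is tracked as the template, so either drop the glob suffix or add a negation `!vault.local.yml.example` if such a template is intended.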


@@ -7,7 +7,7 @@ vault_protonmail_email: "REPLACE_ME"
vault_icloud_mail_password: "REPLACE_ME" vault_icloud_mail_password: "REPLACE_ME"
vault_git_work_email: "REPLACE_ME" vault_git_work_email: "REPLACE_ME"
vault_windows_psrp_host: "REPLACE_ME" vault_windows_psrp_host: "REPLACE_ME"
vault_windows_psrp_user: "REPLACE_ME" vault_windows_psrp_user: 'MicrosoftAccount\user@example.com'
vault_windows_psrp_password: "REPLACE_ME" vault_windows_psrp_password: "REPLACE_ME"
vault_navidrome_db_password: "REPLACE_ME" vault_navidrome_db_password: "REPLACE_ME"
vault_postgres_root_password: "REPLACE_ME" vault_postgres_root_password: "REPLACE_ME"
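Review bot: replacing `REPLACE_ME` with the literal `'MicrosoftAccount\user@example.com'` means a copied-but-unedited `vault.yml` now satisfies the non-empty check on `ansible_user` with a placeholder account; keep the single quotes (they preserve the backslash in YAML) but consider restoring `REPLACE_ME` and showing the account format in a comment, e.g. `# e.g. 'MicrosoftAccount\user@example.com'`.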