From cfc55af09746de63e5cc215b46bf028cbc440021 Mon Sep 17 00:00:00 2001
From: Fabio Scotto di Santolo
Date: Fri, 3 Apr 2026 10:54:48 +0200
Subject: [PATCH] Prefer encrypted local Ansible vault password

---
 AGENTS.md | 4 +++-
 README.md | 2 +-
 scripts/vault_password_client.sh | 17 ++++++++++++++++-
 3 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/AGENTS.md b/AGENTS.md
index d72074f..7ecf834 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -53,7 +53,9 @@ ansible-galaxy collection install -r ansible/collections/requirements.yml
 Vault handling:
 - `secrets/vault.yml` is the shared encrypted vars file
 - `secrets/vault.local.yml` is an optional machine-local encrypted override file and should stay untracked
-- `secrets/.vault_pass` is an optional local password file; if absent, Ansible falls back to an interactive prompt via `scripts/vault_password_client.sh`
+- `secrets/.vault_pass.gpg` is the preferred optional local vault password file; `scripts/vault_password_client.sh` decrypts it with `gpg`
+- `secrets/.vault_pass` remains supported as a legacy local fallback if `.vault_pass.gpg` is absent
+- if neither local file exists, Ansible falls back to an interactive prompt via `scripts/vault_password_client.sh`
 
 Core validation from the repo root:
 ```bash
diff --git a/README.md b/README.md
index 06b0945..cf76682 100644
--- a/README.md
+++ b/README.md
@@ -327,7 +327,7 @@ Gestione segreti:
 - il repository supporta anche `secrets/vault.local.yml` per override locali non versionati
 - `secrets/vault.yml.example` funge da template/esempio
 - se `secrets/vault.yml` non e presente, il playbook continua comunque senza caricare variabili locali opzionali
-- se `secrets/.vault_pass` esiste viene usato automaticamente per sbloccare i vault; altrimenti Ansible richiede la password in modo interattivo
+- se `secrets/.vault_pass.gpg` esiste viene usato automaticamente per sbloccare i vault tramite `gpg`; in alternativa resta supportato `secrets/.vault_pass` come fallback legacy locale; se nessuno dei due file esiste Ansible richiede la password in modo interattivo
 - per il ramo Windows puoi anche definire `vault_windows_package_backend`, con valori supportati `winget_psrp` e `winget_wsl_local`; il default e `winget_psrp`
 
 ---
diff --git a/scripts/vault_password_client.sh b/scripts/vault_password_client.sh
index bf0a2c7..6c6d9b8 100755
--- a/scripts/vault_password_client.sh
+++ b/scripts/vault_password_client.sh
@@ -4,8 +4,23 @@ set -eu
 
 script_dir=$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)
 repo_root=$(CDPATH= cd -- "$script_dir/.." && pwd)
+vault_pass_gpg_file="$repo_root/secrets/.vault_pass.gpg"
 vault_pass_file="$repo_root/secrets/.vault_pass"
 
+if [ -r "$vault_pass_gpg_file" ]; then
+  if ! command -v gpg >/dev/null 2>&1; then
+    printf '%s\n' "Encrypted vault password file found at $vault_pass_gpg_file but gpg is not installed." >&2
+    exit 1
+  fi
+
+  if ! gpg --quiet --batch --decrypt "$vault_pass_gpg_file"; then
+    printf '%s\n' "Failed to decrypt vault password file at $vault_pass_gpg_file." >&2
+    exit 1
+  fi
+
+  exit 0
+fi
+
 if [ -r "$vault_pass_file" ]; then
   IFS= read -r password < "$vault_pass_file" || password=''
   printf '%s' "$password"
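Review bot: The gpg branch streams the raw decrypted payload to stdout, including any trailing newline or extra lines the plaintext carries, while the legacy `.vault_pass` branch below reads only the first line and prints it without a newline, so the two local paths can yield different bytes for what is meant to be the same secret (Ansible's script-secret loader presumably strips trailing line ends, but that does not cover multi-line payloads). Capturing the output first aligns the two paths: `if ! password=$(gpg --quiet --batch --decrypt "$vault_pass_gpg_file"); then`, and after that `fi` emit it with `printf '%s' "$password"` before `exit 0`. Since `--batch` stops gpg from prompting on its own, decryption succeeds only when gpg-agent/pinentry can supply the key passphrase (or the file was encrypted for a passphrase-less key); a one-line comment above the call, e.g. `# --batch disables prompting: relies on gpg-agent/pinentry for the key passphrase`, would save the next reader a debugging round when this fails non-interactively. The `if [ -r "$vault_pass_file" ]` block that starts at the end of this hunk continues past it.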
@@ -22,5 +37,5 @@ if [ -t 0 ]; then
   exit 0
 fi
 
-printf '%s\n' "Vault password file not found at $vault_pass_file and no interactive TTY is available." >&2
+printf '%s\n' "Vault password files not found at $vault_pass_gpg_file or $vault_pass_file and no interactive TTY is available." >&2
 exit 1