fscotto/infra
1
0
Fork 0
mirror of https://github.com/fscotto/infra.git synced 2026-05-30 15:39:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

Prefer encrypted local Ansible vault password

Browse Source
This commit is contained in:
Fabio Scotto di Santolo
2026-04-03 10:54:48 +02:00
parent 65c1b59378
commit e7eec99007
3 changed files with 20 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
AGENTS.md
View File

@@ -53,7 +53,9 @@ ansible-galaxy collection install -r ansible/collections/requirements.yml
Vault handling:
- `secrets/vault.yml` is the shared encrypted vars file
- `secrets/vault.local.yml` is an optional machine-local encrypted override file and should stay untracked
- `secrets/.vault_pass` is an optional local password file; if absent, Ansible falls back to an interactive prompt via `scripts/vault_password_client.sh`
- `secrets/.vault_pass.gpg` is the preferred optional local vault password file; `scripts/vault_password_client.sh` decrypts it with `gpg`
- `secrets/.vault_pass` remains supported as a legacy local fallback if `.vault_pass.gpg` is absent
- if neither local file exists, Ansible falls back to an interactive prompt via `scripts/vault_password_client.sh`
Core validation from the repo root:
```bash

2
README.md
View File

@@ -327,7 +327,7 @@ Gestione segreti:
- il repository supporta anche `secrets/vault.local.yml` per override locali non versionati
- `secrets/vault.yml.example` funge da template/esempio
- se `secrets/vault.yml` non e presente, il playbook continua comunque senza caricare variabili locali opzionali
- se `secrets/.vault_pass` esiste viene usato automaticamente per sbloccare i vault; altrimenti Ansible richiede la password in modo interattivo
- se `secrets/.vault_pass.gpg` esiste viene usato automaticamente per sbloccare i vault tramite `gpg`; in alternativa resta supportato `secrets/.vault_pass` come fallback legacy locale; se nessuno dei due file esiste Ansible richiede la password in modo interattivo
- per il ramo Windows puoi anche definire `vault_windows_package_backend`, con valori supportati `winget_psrp` e `winget_wsl_local`; il default e `winget_psrp`
---

17
scripts/vault_password_client.sh
View File

@@ -4,8 +4,23 @@ set -eu
script_dir=$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)
repo_root=$(CDPATH= cd -- "$script_dir/.." && pwd)
vault_pass_gpg_file="$repo_root/secrets/.vault_pass.gpg"
vault_pass_file="$repo_root/secrets/.vault_pass"
if [ -r "$vault_pass_gpg_file" ]; then
if ! command -v gpg >/dev/null 2>&1; then
printf '%s\n' "Encrypted vault password file found at $vault_pass_gpg_file but gpg is not installed." >&2
exit 1
fi
if ! gpg --quiet --batch --decrypt "$vault_pass_gpg_file"; then
printf '%s\n' "Failed to decrypt vault password file at $vault_pass_gpg_file." >&2
exit 1
fi
exit 0
fi
if [ -r "$vault_pass_file" ]; then
IFS= read -r password < "$vault_pass_file" || password=''
printf '%s' "$password"
@@ -22,5 +37,5 @@ if [ -t 0 ]; then
exit 0
fi
printf '%s\n' "Vault password file not found at $vault_pass_file and no interactive TTY is available." >&2
printf '%s\n' "Vault password files not found at $vault_pass_gpg_file or $vault_pass_file and no interactive TTY is available." >&2
exit 1