From e898fd1bc0afef0d8ee85f198f71fccf633fad54 Mon Sep 17 00:00:00 2001
From: Fabio Scotto di Santolo
Date: Thu, 2 Apr 2026 10:42:14 +0200
Subject: [PATCH] Support local vault overrides and optional vault pass file

---
 AGENTS.md | 7 ++++++-
 README.md | 7 ++++++-
 ansible.cfg | 1 +
 ansible/site.yml | 15 ++++++++++++++-
 scripts/vault_password_client.sh | 26 ++++++++++++++++++++++++++
 secrets/.gitignore | 2 ++
 secrets/vault.yml.example | 2 +-
 7 files changed, 56 insertions(+), 4 deletions(-)
 create mode 100755 scripts/vault_password_client.sh

diff --git a/AGENTS.md b/AGENTS.md
index 247f5c7..aa93494 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -50,6 +50,11 @@ python3 -m pip install ansible ansible-lint yamllint shellcheck-py
 ansible-galaxy collection install -r ansible/collections/requirements.yml
 ```
+Vault handling:
+- `secrets/vault.yml` is the shared encrypted vars file
+- `secrets/vault.local.yml` is an optional machine-local encrypted override file and should stay untracked
+- `secrets/.vault_pass` is an optional local password file; if absent, Ansible falls back to an interactive prompt via `scripts/vault_password_client.sh`
+
 Core validation from the repo root:
 ```bash
 ansible-playbook ansible/site.yml --syntax-check
@@ -155,7 +160,7 @@ There is no pytest, Molecule, or unit-test suite. Use the narrowest command matc
 - `profile_workstation_dev_common` carries the Ubuntu dev layer shared by native workstation and WSL Ubuntu
 - `profile_workstation_gnome` now carries Linux host-only GNOME setup, extensions, and UFW
 - `profile_workstation_dev_wsl` carries WSL-specific Ubuntu tweaks such as `systemd`
-- `profile_workstation_host_windows` manages the Windows host via PSRP and installs host applications via `winget` called from `win_powershell`
+- `profile_workstation_host_windows` manages the Windows host via PSRP over HTTPS and installs host applications via `winget` called from `win_powershell`
 - `deadalus-wsl` is modeled as a local inventory target intended to be run from inside the Ubuntu WSL distro
 - Do not auto-restart `emptty` during playbook runs on active desktop hosts; prefer a manual restart from SSH or another TTY after the run
 - `dotfiles/desktop/.xinitrc` is part of the X11 session bootstrap path; changes there affect login behavior
diff --git a/README.md b/README.md
index 53d4464..6b141b5 100644
--- a/README.md
+++ b/README.md
@@ -113,7 +113,7 @@ Il profilo workstation e agganciato al playbook principale e ora distingue:
 - layer dev Ubuntu condiviso tra workstation Linux nativa e Ubuntu in WSL
 - layer host Linux GNOME
-- layer host Windows con bootstrap WSL, gestione app via `winget` e VS Code lato Windows
+- layer host Windows con bootstrap WSL, remoting `PSRP` su `HTTPS/5986`, gestione app via `winget` e VS Code lato Windows
 - layer WSL dedicato per sviluppo con `systemd`
 Lo stato attuale del profilo workstation include:
@@ -135,6 +135,8 @@ Workflow Windows + WSL previsto:
 5. lanciare il playbook da WSL su `deadalus-wsl` per configurare l'ambiente dev locale
 6. lanciare da WSL anche il playbook su `deadalus-win` via `psrp` per configurare l'host Windows
 7. usare VS Code con le estensioni Remote (`WSL`, `SSH`, `Dev Containers`) dal lato Windows
+
+Per il remoting Windows il repository usa di default `PSRP` con `NTLM` su `HTTPS/5986`. L'utente di default puo essere un `MicrosoftAccount\...`, con host, utente e password forniti via vault o extra vars.
 ---
@@ -304,8 +306,10 @@ ansible-galaxy collection install community.general
 Gestione segreti:
 - il repository supporta il caricamento opzionale di `secrets/vault.yml`
+- il repository supporta anche `secrets/vault.local.yml` per override locali non versionati
 - `secrets/vault.yml.example` funge da template/esempio
 - se `secrets/vault.yml` non e presente, il playbook continua comunque senza caricare variabili locali opzionali
+- se `secrets/.vault_pass` esiste viene usato automaticamente per sbloccare i vault; altrimenti Ansible richiede la password in modo interattivo
 ---
@@ -325,6 +329,7 @@ Allo stato attuale questo comando:
 - per gli host `ubuntu_server` applica pacchetti Ubuntu, servizi systemd, profilo server, UFW, dotfiles e template dedicati
 - non riavvia automaticamente `emptty`; le modifiche al display manager vanno applicate manualmente da SSH o da una TTY separata
 - carica `secrets/vault.yml` solo se presente
+- carica `secrets/vault.local.yml` solo se presente, dopo `vault.yml`, cosi gli override locali hanno precedenza
 Per validare prima di applicare:
diff --git a/ansible.cfg b/ansible.cfg
index 7b3f1c8..ef59c2a 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -3,3 +3,4 @@ inventory = ansible/inventory/hosts.yml
 roles_path = ansible/roles
 host_key_checking = False
 retry_files_enabled = False
+vault_password_file = ./scripts/vault_password_client.sh
diff --git a/ansible/site.yml b/ansible/site.yml
index f7fc078..63753b3 100644
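Review bot: The new `vault_password_file` line in ansible.cfg turns every `ansible-playbook` and `ansible-vault` invocation into an execution of `scripts/vault_password_client.sh`, and nothing in the file says what that script does when `secrets/.vault_pass` is missing; a comment above it such as `# executable vault client: reads secrets/.vault_pass if present, otherwise prompts on the TTY` would spare the next reader a trip to the script. As far as I recall Ansible resolves path-typed ini values relative to the ansible.cfg directory rather than the cwd, so the `./` prefix should hold when the command is run from a subdirectory, but that is worth confirming against the installed version before relying on it.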
--- a/ansible/site.yml
+++ b/ansible/site.yml
@@ -8,6 +8,12 @@
 file: "{{ playbook_dir }}/../secrets/vault.yml"
 when: lookup('ansible.builtin.fileglob', playbook_dir + '/../secrets/vault.yml', errors='ignore') != ''
+ - name: Load machine-local vault variables when available
+ tags: [always]
+ ansible.builtin.include_vars:
+ file: "{{ playbook_dir }}/../secrets/vault.local.yml"
+ when: lookup('ansible.builtin.fileglob', playbook_dir + '/../secrets/vault.local.yml', errors='ignore') != ''
+
 roles:
 - dotfiles_common
@@ -56,6 +62,12 @@
 file: "{{ playbook_dir }}/../secrets/vault.yml"
 when: lookup('ansible.builtin.fileglob', playbook_dir + '/../secrets/vault.yml', errors='ignore') != ''
+ - name: Load machine-local vault variables when available
+ tags: [always]
+ ansible.builtin.include_vars:
+ file: "{{ playbook_dir }}/../secrets/vault.local.yml"
+ when: lookup('ansible.builtin.fileglob', playbook_dir + '/../secrets/vault.local.yml', errors='ignore') != ''
+
 - name: Ensure Windows PSRP connection settings are defined
 tags: [always]
 ansible.builtin.assert:
@@ -63,7 +75,8 @@
 - (ansible_host | default('') | length) > 0
 - (ansible_user | default('') | length) > 0
 fail_msg: >-
- Define windows_psrp_host and windows_psrp_user via extra vars or secrets/vault.yml
+ Define windows_psrp_host and windows_psrp_user via extra vars, secrets/vault.yml,
+ or secrets/vault.local.yml before running the workstation_host_windows play.
 roles:
diff --git a/scripts/vault_password_client.sh b/scripts/vault_password_client.sh
new file mode 100755
index 0000000..bf0a2c7
--- /dev/null
+++ b/scripts/vault_password_client.sh
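Review bot: The `when` guard on the new "Load machine-local vault variables" task (and its copy in the second site.yml hunk) uses the `fileglob`-then-compare-to-empty-string idiom on a literal file name, which reads as a glob when what is meant is an existence check; Ansible's path test says that directly, `when: (playbook_dir ~ '/../secrets/vault.local.yml') is file`, and the existing `vault.yml` guard could be switched to the same form for consistency. The precedence the README promises comes purely from task order — a later `include_vars` overrides same-named variables from an earlier one — so a one-line comment above the new task, `# must run after vault.yml so local values win`, would protect that invariant from a future reorder. The enclosing play and its task list start outside the hunk.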
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+set -eu
+
+script_dir=$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)
+repo_root=$(CDPATH= cd -- "$script_dir/.." && pwd)
+vault_pass_file="$repo_root/secrets/.vault_pass"
+
+if [ -r "$vault_pass_file" ]; then
+ IFS= read -r password < "$vault_pass_file" || password=''
+ printf '%s' "$password"
+ exit 0
+fi
+
+if [ -t 0 ]; then
+ printf 'Vault password: ' >&2
+ stty -echo
+ IFS= read -r password
+ stty echo
+ printf '\n' >&2
+ printf '%s' "$password"
+ exit 0
+fi
+
+printf '%s\n' "Vault password file not found at $vault_pass_file and no interactive TTY is available." >&2
+exit 1
diff --git a/secrets/.gitignore b/secrets/.gitignore
index e045166..208d74d 100644
--- a/secrets/.gitignore
+++ b/secrets/.gitignore
@@ -1,2 +1,4 @@
 .vault_pass
 .vault_pass*
+vault.local.yml
+vault.local.yml*
diff --git a/secrets/vault.yml.example b/secrets/vault.yml.example
index 7a9d1b2..82ba291 100644
--- a/secrets/vault.yml.example
+++ b/secrets/vault.yml.example
@@ -7,7 +7,7 @@ vault_protonmail_email: "REPLACE_ME"
 vault_icloud_mail_password: "REPLACE_ME"
 vault_git_work_email: "REPLACE_ME"
 vault_windows_psrp_host: "REPLACE_ME"
-vault_windows_psrp_user: "REPLACE_ME"
+vault_windows_psrp_user: 'MicrosoftAccount\user@example.com'
 vault_windows_psrp_password: "REPLACE_ME"
 vault_navidrome_db_password: "REPLACE_ME"
 vault_postgres_root_password: "REPLACE_ME"
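Review bot: `IFS= read -r password < "$vault_pass_file" || password=''` in the file branch discards a `.vault_pass` that was written without a trailing newline: `read` returns non-zero at EOF but has already stored the partial line, and the `||` branch then clears it, so Ansible is handed an empty password and decryption fails even though the file exists. `|| :` keeps whatever was read and still satisfies `set -e`. In the prompt branch, an EOF or an interrupt during `read` makes `set -e` exit before `stty echo` runs and leaves the terminal with echo disabled; `trap 'stty echo' EXIT INT TERM` placed right before `stty -echo` restores it on every exit path. Both are one-line changes; the file is new, so nothing encloses this hunk.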