From ed972509cec03cba23eaa98b29fbc1c514296e73 Mon Sep 17 00:00:00 2001 From: "M. V. Hutz" Date: Thu, 4 Sep 2025 22:08:00 -0400 Subject: [PATCH] feat: ansible vault --- .gitignore | 3 ++- Taskfile.yml | 37 ++++++++++++++++++++----------------- ansible.cfg | 6 ++++++ requirements.txt | 1 + vault.yml | 6 ++++++ 5 files changed, 35 insertions(+), 18 deletions(-) create mode 100644 vault.yml diff --git a/.gitignore b/.gitignore index a65451b..59c0721 100644 --- a/.gitignore +++ b/.gitignore @@ -212,4 +212,5 @@ cython_debug/ *secret* .vscode -.DS_Store \ No newline at end of file +.DS_Store +*.key \ No newline at end of file diff --git a/Taskfile.yml b/Taskfile.yml index f18c3ea..e11db9c 100644 --- a/Taskfile.yml +++ b/Taskfile.yml 
@@ -1,21 +1,24 @@ version: 3 -includes: - tf: { taskfile: terraform, dir: terraform } +# includes: +# tf: { taskfile: terraform, dir: terraform } + +# tasks: +# dev: +# - docker compose -f compose.dev.yml rm -fsv +# - docker compose -f compose.dev.yml up --build --force-recreate --no-deps + +# deploy:fast: ansible-playbook playbooks/fast.yml +# deploy:slow: ansible-playbook playbooks/slow.yml +# deploy:restore: ansible-playbook playbooks/restore.yml -e "restore_bucket={{.BUCKET}} restore_key={{.KEY}}" + +# enter: +# cmd: aws ssm start-session --target $INSTANCE_ID +# env: +# INSTANCE_ID: { sh: jq -r .instance_id.value < config/infrastructure.secret.json } +# AWS_REGION: { sh: jq -r .aws_region < config/ansible.secret.json } +# AWS_ACCESS_KEY_ID: { sh: jq -r .aws_access_key < config/ansible.secret.json } +# AWS_SECRET_ACCESS_KEY: { sh: jq -r .aws_secret_key < config/ansible.secret.json } tasks: - dev: - - docker compose -f compose.dev.yml rm -fsv - - docker compose -f compose.dev.yml up --build --force-recreate --no-deps - - deploy:fast: ansible-playbook playbooks/fast.yml - deploy:slow: ansible-playbook playbooks/slow.yml - deploy:restore: ansible-playbook playbooks/restore.yml -e "restore_bucket={{.BUCKET}} restore_key={{.KEY}}" - - enter: - cmd: aws ssm start-session --target $INSTANCE_ID - env: - INSTANCE_ID: { sh: jq -r .instance_id.value < config/infrastructure.secret.json } - AWS_REGION: { sh: jq -r .aws_region < config/ansible.secret.json } - AWS_ACCESS_KEY_ID: { sh: jq -r .aws_access_key < config/ansible.secret.json } - AWS_SECRET_ACCESS_KEY: { sh: jq -r .aws_secret_key < config/ansible.secret.json } + vault:edit: ansible-vault edit vault.yml \ No newline at end of file diff --git a/ansible.cfg b/ansible.cfg index 32ad899..20eb1f9 100644 --- a/ansible.cfg +++ b/ansible.cfg 
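Review bot: The previous `includes`, `dev`, `deploy:*` and `enter` definitions are retained as a commented-out copy of the very same text above the new `tasks:` block instead of being removed; the deleted lines are already preserved in history, so the duplicate only adds noise and will drift from whatever eventually replaces it. If they are meant to come back once credentials move into the vault, a single comment such as `# deploy/enter tasks disabled pending migration of config/*.secret.json to vault.yml` says that more clearly than the duplicated block. The commented copy also keeps the pattern of reading AWS keys out of `config/ansible.secret.json` with jq, which the vault introduced in this commit is presumably meant to supersede — worth confirming so the old path does not get re-enabled later. The new `vault:edit` task depends on `vault_password_file` from `ansible.cfg`, so a one-line comment next to it noting that `vault.key` must exist locally would spare a confusing prompt on a fresh checkout.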
@@ -1,6 +1,12 @@ [defaults] callbacks_enabled = profile_tasks localhost_warning = False +vault_password_file = vault.key [inventory] inventory_unparsed_warning = False + +[ssh_connection] +ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o ForwardAgent=yes -o IdentityAgent=none +pipelining = True +retries = 256 \ No newline at end of file diff --git a/requirements.txt b/requirements.txt index 30ce1b7..f1062ee 100644 --- a/requirements.txt +++ b/requirements.txt @@ -14,6 +14,7 @@ charset-normalizer==3.4.1 click==8.1.8 cryptography==44.0.0 filelock==3.16.1 +go-task-bin==3.44.1 idna==3.10 importlib_metadata==8.5.0 Jinja2==3.1.5 diff --git a/vault.yml b/vault.yml new file mode 100644 index 0000000..8a990c8 --- /dev/null +++ b/vault.yml @@ -0,0 +1,6 @@ +$ANSIBLE_VAULT;1.1;AES256 +38656161656531643430306264373465643164656338326333333365646666336364303939383330 +3730613865373335386631313931656438396435366330610a663837343033643964356333653663 +66643062653936343031336432663064663831313430346464643534316538616638333965386531 +3834373335663766380a396534363833653163373635353037623337336637303962303733396439 +6631
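Review bot: `-o ForwardAgent=yes` and `-o IdentityAgent=none` in the new `ssh_args` pull in opposite directions: `IdentityAgent=none` tells ssh not to use an authentication agent, so there is normally no agent socket left for `ForwardAgent=yes` to forward. If key-file-only authentication is the intent, drop `-o ForwardAgent=yes`; if agent forwarding really is needed, it hands every managed host a channel to the operator's agent and deserves a comment stating why it is acceptable here. `vault_password_file = vault.key` points at a plaintext password file in the repository root that is kept out of version control only by the `*.key` pattern added to `.gitignore` in this same commit, so a comment such as `; vault.key is git-ignored via *.key — never commit it` next to the setting makes that coupling explicit. `retries = 256` is unusually high and will keep retrying an unreachable host for a long time before the task fails; a much smaller value, or a comment justifying 256, would help.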
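Review bot: Nothing in this commit references `vault.yml` other than the `vault:edit` task: the file lives at the repository root rather than under `group_vars`/`host_vars`, and the playbooks the deploy tasks point at are not part of the change, so it presumably still needs a `vars_files: [vault.yml]` entry or an `-e @vault.yml` flag before any play can read it — worth confirming against the playbooks. Because the ciphertext itself cannot carry a comment, a line in the README or above `vault:edit` in `Taskfile.yml` saying that `vault.yml` is edited with `task vault:edit` and decrypted with the git-ignored `vault.key` would help the next maintainer. Since the encrypted blob is committed, rotating the password later means `ansible-vault rekey vault.yml` plus distributing a new `vault.key` to every operator.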