diff --git a/.ageboxreg.yml b/.ageboxreg.yml
new file mode 100644
index 0000000..238b0da
--- /dev/null
+++ b/.ageboxreg.yml
@@ -0,0 +1,4 @@
+file_ids:
+- .env
+- roles/common/files/robo_key
+version: "1"
diff --git a/.devfiles/justfile b/.devfiles/justfile
new file mode 100644
index 0000000..1833382
--- /dev/null
+++ b/.devfiles/justfile
@@ -0,0 +1,32 @@
+set dotenv-load := true
+
+export AGEBOX_DEBUG := "0"
+export AGEBOX_PUBLIC_KEYS := source_dir() + "/public_keys.txt"
+
+fetch-deps:
+ .devfiles/scripts/fetch_gh_release.sh "slok/agebox" "agebox-linux-amd64" "agebox"
+
+# Easy and simple file repository encryption tool based on Age.
+agebox +ARGS="--help":
+ @.devfiles/bin/agebox {{ ARGS }}
+
+# Encrypt the provided files, relative to project root.
+encrypt +FILES: (agebox "encrypt " + FILES)
+
+# Encrypt all the tracked files.
+encrypt-all: (agebox "encrypt --all")
+
+# Decrypt the provided files, relative to project root.
+decrypt +FILES: (agebox "decrypt " + FILES)
+
+# Decrypt all the tracked files.
+decrypt-all: (agebox "decrypt --all --force")
+
+# Reencrypt all the tracked files with the new public keys.
+reencrypt: (agebox "reencrypt")
+
+# Show the content of an encrypted file to stdout.
+peek +FILES: (agebox "cat " + FILES)
+
+# Validate that all tracked files are encrypted.
+check:(agebox "validate --no-decrypt ")
diff --git a/.devfiles/public_keys.txt b/.devfiles/public_keys.txt
new file mode 100644
index 0000000..17fe580
--- /dev/null
+++ b/.devfiles/public_keys.txt
@@ -0,0 +1,2 @@
+# anavarro
+age1gj7hj894l0a0lvu3fsndlkdkyc0da7963kcqhpfe43reflx3gafqnm058u
diff --git a/.devfiles/scripts/fetch_gh_release.sh b/.devfiles/scripts/fetch_gh_release.sh
new file mode 100755
index 0000000..5e80632
--- /dev/null
+++ b/.devfiles/scripts/fetch_gh_release.sh
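Review bot: `decrypt-all` hands `--force` to `agebox decrypt --all`, which presumably overwrites any plaintext already present in the working tree, so a locally edited `.env` or `roles/common/files/robo_key` that has not been re-encrypted yet is replaced without warning, and the recipe comment does not say so. I would keep the non-forcing call as the everyday recipe and make the destructive variant explicit: `decrypt-all: (agebox "decrypt --all")` and `decrypt-all-force: (agebox "decrypt --all --force")`, the latter documented as `# Decrypt all tracked files, overwriting existing plaintext (uncommitted local edits are lost).`. It is also worth a line in the header comment that `set dotenv-load := true` loads `.env` — one of the files this tooling encrypts — into the environment of every recipe once it has been decrypted, `fetch-deps` and `peek` included.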
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+basedir=".devfiles/bin"
+
+repo="$1"
+shift
+release_filename="$1"
+shift
+out_filename="$basedir/$1"
+shift
+
+curl -sSL "https://github.com/$repo/releases/latest/download/$release_filename" -o "$out_filename"
+
+chmod +x "$out_filename"
diff --git a/.gitignore b/.gitignore
index a91c288..11ca3a6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,5 @@
+.devfiles/bin/**
+
 # ---> Terraform
 # Local .terraform directories
 **/.terraform/*
@@ -11,8 +13,8 @@ crash.log
 crash.*.log
 
 # Exclude all .tfvars files, which are likely to contain sensitive data, such as
-# password, private keys, and other secrets. These should not be part of version
-# control as they are data points which are potentially sensitive and subject
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
 # to change depending on the environment.
 *.tfvars
 *.tfvars.json
diff --git a/.justfile b/.justfile
index 50d8ca4..8c48d89 100644
--- a/.justfile
+++ b/.justfile
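Review bot: The `curl` line has no `--fail`, so a 404 or any other HTTP error page is written to `$out_filename` and then made executable by the `chmod +x` that follows, and nothing creates `$basedir` first — `.devfiles/bin/**` is git-ignored in this same commit, so the directory is absent on a fresh clone and `curl -o` fails there. Beyond those two defects, the binary being fetched is the one that will decrypt this repository's secrets, yet it is pulled from `releases/latest` with no version pin and no integrity check, so whatever GitHub serves under that name at run time is trusted. I would pin a release tag and verify a checksum before the file becomes executable, as sketched below; this adds two positional arguments, so the `fetch-deps` recipe in `.devfiles/justfile` must pass them.
```shell
# … unchanged: repo / release_filename / out_filename positional parsing …
version="$1"            # release tag to pin, e.g. "v0.7.1" — never "latest"
shift
expected_sha256="$1"    # taken from the release's published checksums file
shift

# .devfiles/bin is git-ignored, so it does not exist on a fresh clone.
mkdir -p "$basedir"

# --fail: on a 4xx/5xx response curl must not save the HTML error body as the binary.
curl -fsSL "https://github.com/$repo/releases/download/$version/$release_filename" -o "$out_filename"

# Verify integrity before the file becomes executable; sha256sum -c exits non-zero on mismatch.
echo "$expected_sha256  $out_filename" | sha256sum -c -

chmod +x "$out_filename"
```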
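Review bot: The only new ignore rule is `.devfiles/bin/**`; the plaintext files that `decrypt`/`decrypt-all` will produce — `.env` and `roles/common/files/robo_key`, the two IDs registered in `.ageboxreg.yml` — are not added here, and the `check` recipe that would catch a committed plaintext is not wired into any hook. Unless the part of `.gitignore` outside this hunk already covers them, a `decrypt-all` followed by `git add -A` commits the secrets in clear. I would add, next to the new rule, `# agebox plaintexts: only the *.agebox ciphertexts belong in git`, `.env` and `roles/common/files/robo_key`.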
@@ -1,42 +1,43 @@
-set dotenv-load := true
+import '.devfiles/justfile'
 
 export ANSIBLE_VAULT_PASSWORD_FILE := justfile_directory() + "/.decrypt-pass.txt"
 export ANSIBLE_BECOME_PASSWORD_FILE := justfile_directory() + "/.become-pass.txt"
 
 # Debug output, disabled in CI
+
 export ANSIBLE_DISPLAY_ARGS_TO_STDOUT := if env('CI', '') == 'true' { 'false' } else { 'true' }
+
 # export ANSIBLE_ENABLE_TASK_DEBUGGER := if env('CI', '') == 'true' { 'false' } else { 'true' }
-
 play +ARGS:
- uv run ansible-playbook {{ ARGS }}
+ uv run ansible-playbook {{ ARGS }}
 
 deploy-services: (play "./playbooks/docker/services.yaml")
 
 ansible +ARGS:
- uv run ansible {{ ARGS }}
+ uv run ansible {{ ARGS }}
 
 list-host:
- uv run ansible-inventory --list
+ uv run ansible-inventory --list
 
 [no-cd]
-encrypt +ARGS:
- uv run ansible-vault encrypt {{ ARGS }}
+encrypt-file +ARGS:
+ uv run ansible-vault encrypt {{ ARGS }}
 
 encrypt-var NAME +CONTENT='':
- uv run ansible-vault encrypt_string {{ if CONTENT != "" {"--name"} else {"--stdin-name"} }} {{ NAME }} {{ CONTENT }}
+ uv run ansible-vault encrypt_string {{ if CONTENT != "" { "--name" } else { "--stdin-name" } }} {{ NAME }} {{ CONTENT }}
 
 decrypt-var FILE NAME:
- uv run ansible localhost -m ansible.builtin.debug -e "@{{ FILE }}" -a var="{{ NAME }}"
+ uv run ansible localhost -m ansible.builtin.debug -e "@{{ FILE }}" -a var="{{ NAME }}"
 
 [no-cd]
-decrypt +ARGS:
- uv run ansible-vault edit {{ ARGS }}
+decrypt-file +ARGS:
+ uv run ansible-vault edit {{ ARGS }}
 
 [no-cd]
 decrypt-store +ARGS:
- uv run ansible-vault decrypt {{ ARGS }}
+ uv run ansible-vault decrypt {{ ARGS }}
 
 [no-cd]
 tofu +ARGS:
- tofu {{ ARGS }}
+ tofu {{ ARGS }}
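Review bot: The renamed `decrypt-file` recipe still runs `ansible-vault edit`, which opens the file in an editor and re-encrypts it on save, while the recipe that actually writes plaintext to disk is `decrypt-store`; with the agebox `decrypt` recipe now imported alongside, three similarly named recipes with three different effects is easy to misuse, and none of them carries a comment. I would document each at its definition, e.g. `# Edit a vault-encrypted file in place ($EDITOR; re-encrypted on save, no plaintext left behind).` above `decrypt-file` and `# Decrypt vault files in place — leaves PLAINTEXT in the working tree.` above `decrypt-store`, or rename `decrypt-file` to `edit-file`. Separately, `set dotenv-load := true` now lives only in the imported `.devfiles/justfile`; if just does not apply settings from an imported file to the importer, `.env` will silently stop being loaded for the Ansible recipes here — worth confirming against the just version in use.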