chore: add encryption tools

.ageboxreg.yml

@@ -0,0 +1,4 @@
+file_ids:
+- .env
+- roles/common/files/robo_key
+version: "1"

.devfiles/justfile

@@ -0,0 +1,32 @@
+set dotenv-load := true
+
+export AGEBOX_DEBUG := "0"
+export AGEBOX_PUBLIC_KEYS := source_dir() + "/public_keys.txt"
+
+fetch-deps:
+  .devfiles/scripts/fetch_gh_release.sh "slok/agebox" "agebox-linux-amd64" "agebox"
+
+# Easy and simple file repository encryption tool based on Age.
+agebox +ARGS="--help":
+  @.devfiles/bin/agebox  {{ ARGS }}
+
+# Encrypt the provided files, relative to project root.
+encrypt +FILES: (agebox "encrypt " + FILES)
+
+# Encrypt all the tracked files.
+encrypt-all: (agebox "encrypt --all")
+
+# Decrypt the provided files, relative to project root.
+decrypt +FILES: (agebox "decrypt " + FILES)
+
+# Decrypt all the tracked files.
+decrypt-all: (agebox "decrypt --all --force")
+
+# Reencrypt all the tracked files with the new public keys.
+reencrypt: (agebox "reencrypt")
+
+# Show the content of an encrypted file to stdout.
+peek +FILES: (agebox "cat " + FILES)
+
+# Validate that all tracked files are encrypted.
+check:(agebox "validate --no-decrypt ")

.devfiles/public_keys.txt

@@ -0,0 +1,2 @@
+# anavarro
+age1gj7hj894l0a0lvu3fsndlkdkyc0da7963kcqhpfe43reflx3gafqnm058u

.devfiles/scripts/fetch_gh_release.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+basedir=".devfiles/bin"
+
+repo="$1"
+shift
+release_filename="$1"
+shift
+out_filename="$basedir/$1"
+shift
+
+curl -sSL "https://github.com/$repo/releases/latest/download/$release_filename" -o "$out_filename"
+
+chmod +x "$out_filename"

.gitignore

@@ -1,3 +1,5 @@
+.devfiles/bin/**
+
 # ---> Terraform
 # Local .terraform directories
 **/.terraform/*
@@ -11,8 +13,8 @@ crash.log
 crash.*.log
 
 # Exclude all .tfvars files, which are likely to contain sensitive data, such as
-# password, private keys, and other secrets. These should not be part of version 
-# control as they are data points which are potentially sensitive and subject 
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
 # to change depending on the environment.
 *.tfvars
 *.tfvars.json

.justfile

@@ -1,42 +1,43 @@
-set dotenv-load := true
+import '.devfiles/justfile'
 
 export ANSIBLE_VAULT_PASSWORD_FILE := justfile_directory() + "/.decrypt-pass.txt"
 export ANSIBLE_BECOME_PASSWORD_FILE := justfile_directory() + "/.become-pass.txt"
 
 # Debug output, disabled in CI
+
 export ANSIBLE_DISPLAY_ARGS_TO_STDOUT := if env('CI', '') == 'true' { 'false' } else { 'true' }
+
 # export ANSIBLE_ENABLE_TASK_DEBUGGER := if env('CI', '') == 'true' { 'false' } else { 'true' }
 
-
 play +ARGS:
-  uv run ansible-playbook {{ ARGS }}
+    uv run ansible-playbook {{ ARGS }}
 
 deploy-services: (play "./playbooks/docker/services.yaml")
 
 ansible +ARGS:
-  uv run ansible {{ ARGS }}
+    uv run ansible {{ ARGS }}
 
 list-host:
-  uv run ansible-inventory --list
+    uv run ansible-inventory --list
 
 [no-cd]
-encrypt +ARGS:
-  uv run ansible-vault encrypt {{ ARGS }}
+encrypt-file +ARGS:
+    uv run ansible-vault encrypt {{ ARGS }}
 
 encrypt-var NAME +CONTENT='':
-  uv run ansible-vault encrypt_string {{ if CONTENT != "" {"--name"} else {"--stdin-name"} }} {{ NAME }} {{ CONTENT }}
+    uv run ansible-vault encrypt_string {{ if CONTENT != "" { "--name" } else { "--stdin-name" } }} {{ NAME }} {{ CONTENT }}
 
 decrypt-var FILE NAME:
-  uv run ansible localhost -m ansible.builtin.debug -e "@{{ FILE }}" -a var="{{ NAME }}"
+    uv run ansible localhost -m ansible.builtin.debug -e "@{{ FILE }}" -a var="{{ NAME }}"
 
 [no-cd]
-decrypt +ARGS:
-  uv run ansible-vault edit {{ ARGS }}
+decrypt-file +ARGS:
+    uv run ansible-vault edit {{ ARGS }}
 
 [no-cd]
 decrypt-store +ARGS:
-  uv run ansible-vault decrypt {{ ARGS }}
+    uv run ansible-vault decrypt {{ ARGS }}
 
 [no-cd]
 tofu +ARGS:
-  tofu {{ ARGS }}
+    tofu {{ ARGS }}