From 205cf36feb68594eb02a98b7d280f5ccdc73b6e8 Mon Sep 17 00:00:00 2001 From: aleidk Date: Wed, 28 May 2025 12:42:05 -0400 Subject: [PATCH 1/2] chore: cleanup repo --- .ageboxreg.yml | 8 ---- .devfiles/hooks/.gitkeep | 0 .devfiles/hooks/commit-msg.sh | 5 --- .devfiles/hooks/pre-commit.sh | 16 -------- .devfiles/justfile | 44 -------------------- .devfiles/public_keys.txt | 4 -- .devfiles/scripts/.gitkeep | 0 .devfiles/scripts/dependecy-check.sh | 30 -------------- .devfiles/scripts/fetch_gh_release.sh | 16 -------- .devfiles/scripts/gitignore.sh | 42 ------------------- .env.agebox | Bin 560 -> 0 bytes files/docker/rss/.env.agebox | Bin 786 -> 786 bytes opentofu/vms/.terraform.lock.hcl | 24 ----------- opentofu/vms/providers.tf | 35 ---------------- opentofu/vms/s3.tf | 56 -------------------------- opentofu/vms/variables.tf | 4 -- 16 files changed, 284 deletions(-) delete mode 100644 .ageboxreg.yml delete mode 100644 .devfiles/hooks/.gitkeep delete mode 100644 .devfiles/hooks/commit-msg.sh delete mode 100644 .devfiles/hooks/pre-commit.sh delete mode 100644 .devfiles/justfile delete mode 100644 .devfiles/public_keys.txt delete mode 100644 .devfiles/scripts/.gitkeep delete mode 100755 .devfiles/scripts/dependecy-check.sh delete mode 100755 .devfiles/scripts/fetch_gh_release.sh delete mode 100755 .devfiles/scripts/gitignore.sh delete mode 100644 .env.agebox delete mode 100644 opentofu/vms/.terraform.lock.hcl delete mode 100644 opentofu/vms/providers.tf delete mode 100644 opentofu/vms/s3.tf delete mode 100644 opentofu/vms/variables.tf diff --git a/.ageboxreg.yml b/.ageboxreg.yml deleted file mode 100644 index 37d7cdd..0000000 --- a/.ageboxreg.yml +++ /dev/null @@ -1,8 +0,0 @@ -file_ids: -- .env -- files/docker/fedi/.env -- files/docker/hoarder/.env -- files/docker/rss/.env -- roles/common/files/robo_key -- roles/docker/files/rclone.conf -version: "1" diff --git a/.devfiles/hooks/.gitkeep b/.devfiles/hooks/.gitkeep deleted file mode 100644 index e69de29..0000000 
diff --git a/.devfiles/hooks/commit-msg.sh b/.devfiles/hooks/commit-msg.sh deleted file mode 100644 index 1c54b90..0000000 --- a/.devfiles/hooks/commit-msg.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/usr/bin/env bash - -set -euxo pipefail - -cog verify --file "$1" diff --git a/.devfiles/hooks/pre-commit.sh b/.devfiles/hooks/pre-commit.sh deleted file mode 100644 index c8d84f5..0000000 --- a/.devfiles/hooks/pre-commit.sh +++ /dev/null @@ -1,16 +0,0 @@ -#!/usr/bin/env bash - -set -euxo pipefail - -root="$(git rev-parse --show-toplevel)" - -cd "$root" - -export PATH=$PATH:.devfiles/bin - -gitleaks git - -# Only validate encrypted files if we are tracking any -if [[ -e .ageboxreg.yml ]]; then - agebox validate --no-decrypt -fi diff --git a/.devfiles/justfile b/.devfiles/justfile deleted file mode 100644 index 2d9a105..0000000 --- a/.devfiles/justfile +++ /dev/null 
@@ -1,44 +0,0 @@ -set dotenv-load := true - -export PATH := source_dir() + "/bin:" + source_dir() + "/scripts:" + env("PATH") -export AGEBOX_DEBUG := "0" -export AGEBOX_PUBLIC_KEYS := source_dir() + "/public_keys.txt" - -# Install agebox from the latest github realse -install-agebox: - curl -sSL "https://github.com/slok/agebox/releases/latest/download/agebox-linux-amd64" -o .devfiles/bin/agebox - chmod + x .devfiles/bin/agebox - -[no-cd] -install-hooks: - cog install-hook --all - -# Easy and simple file repository encryption tool based on Age. -[working-directory('..')] -agebox +ARGS="--help": - @agebox {{ ARGS }} - -# Encrypt the provided files, relative to project root. -encrypt +FILES: (agebox "encrypt " + FILES) - -# Encrypt all the tracked files. -encrypt-all: (agebox "encrypt --all") - -# Decrypt the provided files, relative to project root. -decrypt +FILES: (agebox "decrypt " + FILES) - -# Decrypt all the tracked files. -decrypt-all: (agebox "decrypt --all --force") - -# Reencrypt all the tracked files with the new public keys. -reencrypt: (agebox "reencrypt") - -# Show the content of an encrypted file to stdout. -crypt-peek +FILES: (agebox "cat " + FILES) - -# Validate that all tracked files are encrypted. -crypt-check:(agebox "validate --no-decrypt ") - -# Validate no credentials are pushed to git -leaks: - @gitleaks git --verbose --redact diff --git a/.devfiles/public_keys.txt b/.devfiles/public_keys.txt deleted file mode 100644 index 41951ff..0000000 --- a/.devfiles/public_keys.txt +++ /dev/null @@ -1,4 +0,0 @@ -# aleidk -age1h0wfmxcrfjjcmv3ju7zcm6gc8j8pz35gs08kkqsjej20ndsxq54qv48hgn -# anavarro -age1gj7hj894l0a0lvu3fsndlkdkyc0da7963kcqhpfe43reflx3gafqnm058u diff --git a/.devfiles/scripts/.gitkeep b/.devfiles/scripts/.gitkeep deleted file mode 100644 index e69de29..0000000 diff --git a/.devfiles/scripts/dependecy-check.sh b/.devfiles/scripts/dependecy-check.sh deleted file mode 100755 index 684a14b..0000000 
--- a/.devfiles/scripts/dependecy-check.sh +++ /dev/null @@ -1,30 +0,0 @@ -#!/usr/bin/env bash - -set -euo pipefail - -root="$(git rev-parse --show-toplevel)" - -export PATH=$root/.devfiles/bin:$root/.devfiles/scripts:$PATH - -devtools=( - age - agebox - cog - gitleaks -) - -missing_tools=() - -for cmd in "${devtools[@]}"; do - if ! command -v "$cmd" &>/dev/null; then - missing_tools+=("$cmd") - fi -done - -if [[ ${#missing_tools[@]} != 0 ]]; then - echo "The following tools where not found:" - printf "%s\n" "${missing_tools[@]}" - exit 1 -else - echo -e "All tools are installed!" -fi diff --git a/.devfiles/scripts/fetch_gh_release.sh b/.devfiles/scripts/fetch_gh_release.sh deleted file mode 100755 index 5e80632..0000000 --- a/.devfiles/scripts/fetch_gh_release.sh +++ /dev/null @@ -1,16 +0,0 @@ -#!/usr/bin/env bash - -set -euxo pipefail - -basedir=".devfiles/bin" - -repo="$1" -shift -release_filename="$1" -shift -out_filename="$basedir/$1" -shift - -curl -sSL "https://github.com/$repo/releases/latest/download/$release_filename" -o "$out_filename" - -chmod +x "$out_filename" diff --git a/.devfiles/scripts/gitignore.sh b/.devfiles/scripts/gitignore.sh deleted file mode 100755 index 0b5100d..0000000 --- a/.devfiles/scripts/gitignore.sh +++ /dev/null 
@@ -1,42 +0,0 @@ -#!/usr/bin/env bash - -set -euo pipefail - -root="$(git rev-parse --show-toplevel)" - -base_url="https://git.alecodes.page/api/v1/gitignore/templates" - -query="$*" - -list_available() { - curl -Ssl $base_url | jq -r '.[]' -} - -if [[ -z $query ]]; then - list_available - exit 0 -fi - -tmp_file="$(mktemp)" - -for template in $query; do - # Capitalize the string - template=${template,,} - template=${template^} - - response="$(curl -Ssl "$base_url/$template")" - name="$(echo "$response" | jq -r '.name')" - content="$(echo "$response" | jq -r '.source')" - - if [[ "$content" == "null" ]]; then - echo "Template not found, available options:" - list_available - exit 1 - fi - - printf "\n### %s\n\n%s\n\n" "$name" "$content" >>"$tmp_file" -done - -sed -i -ne "/#### -- TEMPLATES BEGIN -- ####/ {p; r $tmp_file" -e ':a; n; /#### -- TEMPLATES END -- ####/ {p; b}; ba}; p' "$root/.gitignore" - -rm "$tmp_file" 
diff --git a/.env.agebox b/.env.agebox deleted file mode 100644 index fc8549e6f452432cd1ac6f404051637fcee486ec..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 560 zcmV-00?++nXJsvAZewzJaCB*JZZ2)f>LT+v`NkV8u zMqxBkHD+RFa5HUBb2VXZb4ONLdQxphRx3wWMokJ=Xl^hoL2ofJXlqG$K`T^2D{*2m zL{2y`NoGVxdTTIgcUVd=PBV3SH9-n3J|I{!H8n9gAZm0aWTYgB4tXfQ})a#2HX3S>7@V{~*=H*7d;ZZ%A9D==1KL_=pqPgPEo%V6O%KmDFQ;ZlgXZk=5Pm+-Y(QkcFdb?%?=k=^YUUT9 z7Ty6n)$~37Ekr+e=B?!EDqu>$sd}%37r8ReJn*F_u4*ab8u95Rhm7~M)Zm!Kq#HrK?cFuB?6fL5A}dn`cvinvfo79XHB1Qnp{ZxSL0AB>pFoBUxJ zs|5+JUGWl^K|K*#%}3=!1+jhP@9`=av1!-Pk$7n(ziev3#u(tf*xC!^#?27|{qRJ} zRia%hzZ-TsoqQ3ZmXT5h`Va(USzVZT%?NJe3NoaSV@&k0ihYkSWdD~P--OZJ!lLca ya$|dvq?6XKTN0}q|1GP#REdihaWWq);LNjPLlGf`78ac5FE z3TsVuNiR%VO*U08LNY;GS!GxEWb52$=OlxCqH*G;ecsXb^3TIuib|V031Ao?6 zR!G-s9Sj3wDSy%{)Cze`XAv5@(o>m}9+%De{BMjS6Fd+^#J8V^l%YRJRJ2%MMu44< z`UE{&*3RH}H5gcu6&gTe2eYN?IVA&^X^*}o>_TfuwUb8LN>b(EEJyfQTKyhIy|N?K zQ!cIpuv`mo5@`93m!Eq~XN!|Sy(*~5_!+`L;WiD|6o2ah6QG%be;j4$wIt7f1T}X( zgW$p(u&&dr4^>rE!hKW!Nk=EV$InAANj%=o>%a|G$3;1Rp-15iVwLBCcDn?{9;oZ8(-!)G~WxvL)*WWd7Sm2LjZu z5YWOs2H)rOVfN9*_Z)J(MH@YLfOn5QgF&?B2X|G*YtItlr{2VllC6J)vO7Xw1n|qN ztJ?plvP<*dg%v3#1ypgmFBK2SMfMBrn;)G6&M6TdH5|F>Ed<_r*MB5ewKd~t^Guws w7BvI$lFh(muM^|}EN-tf z3P*ZRG&N>&O+jO7MKnz_R5W*WZDv4+pX-jTr3N0-yAWT{L4QI4pR~q7ZHd0 zIVK{Kok+di1mG!g=U5bX>p#@BRl^8zbTaq5il*%_MZB!c)z6CXC^x6q`&8&4rXmW+ za7cpM2RM!j`I#E3bOijwfKK&jcx946y>Ga=pnn~eR)0^lRQz7ItiDmjs#civ&C9*P zZ6K3`;=nOtLvNQ{XdLU6F!#7e)Upgzsr;OblWpNm{HCZ64`-1X2zw_Q0Cb4ZHF~r4 z_nMQZPg$Jn`D3=E+GonN2} z%v1L!=@_~cN)pE#g35SIN;`xAQnwRiw6R{9CSLHiU$QUHW(heM)sQ6*85@)zn49g& z`>x7>oI}e>8Mu!Hpbt2_iBrx-ggVpm{oPPHKX-z;!B#CMAC%VtwGbb;43#rXhV~be zt+qHG#guo^izvi8MLVMipxb}Aupq~Ojo}l^1!4R#RRQUAd!XOL?)TH$R*}>r(tiljc4gdfE diff --git a/opentofu/vms/.terraform.lock.hcl b/opentofu/vms/.terraform.lock.hcl deleted file mode 100644 index 690a74a..0000000 --- a/opentofu/vms/.terraform.lock.hcl +++ /dev/null 
@@ -1,24 +0,0 @@ -# This file is maintained automatically by "tofu init". -# Manual edits may be lost in future updates. - -provider "registry.opentofu.org/bpg/proxmox" { - version = "0.43.2" - constraints = "0.43.2" - hashes = [ - "h1:5+YNvUbtMlus6GJJktc9/7o68tYgQIQxhjTqqt2WCpk=", - "zh:07c9357e80cc52c020bd3728e5a00e21b9c06b20ee91d13d0c8ea034c1de4b6f", - "zh:41208bfd4d69f04142a69e9eabd79d4cba99f4fcacd59318aad0265c7b4bfe9e", - "zh:420623a0ae35bee21c00da444c0fbc63d3d6008d71516d90e11512651f25210f", - "zh:4cf21c0245a4fcbfec9edc1c65a5a0f0d83180607d870229ce3761fa25652ac7", - "zh:6f07cab62a60d7adc7a2c3f6fb27057dd70883c02c8ee762aec683743aee16c0", - "zh:75c4c97b110373ee48ad87774d9becbb1e21d55e0a4324f594a3b3cc8d25d73e", - "zh:79b3ab36e5276a1172c661eb60574a330cb502f2de40410f2540a50061a777f7", - "zh:96a8cda572ac540aa6c616eabd2e8dc9399809e8558f6d53a883da2a9fbdede8", - "zh:99a78347944868062bac87e93372672aa0f12422cf82d5a7f13a00805f18d5bd", - "zh:a6d2ff27558114277a9e2db874f5c9c9ee65d0dc5e918f2d9994e3ec9ef0e2b5", - "zh:c220049b7b3890e8b882873f0a4320d5b6ca28cf4b3ff9128a130e86ffbc3209", - "zh:da586199b595f278d4ecfc64e60afa52b15b9183323edde00d74a7ede5abad27", - "zh:f2caa3eefc03dd03f05ce466e98ba6fb9f0b87ece3a7fc35eb73d63f816c13d4", - "zh:f99012369fff51af76557d5616a24ae48d12ef662c6d132aa74db7f6b9d4144b", - ] -} diff --git a/opentofu/vms/providers.tf b/opentofu/vms/providers.tf deleted file mode 100644 index bb0c737..0000000 --- a/opentofu/vms/providers.tf +++ /dev/null 
@@ -1,35 +0,0 @@ -# docs: https://registry.terraform.io/providers/bpg/proxmox/latest/docs - -terraform { - required_providers { - proxmox = { - source = "bpg/proxmox" - version = "0.43.2" - } - } - - backend "s3" { - bucket = "opentofu-state" - region = "us-east-1" - key = "lxc/terraform.tfstate" - encrypt = false - - skip_credentials_validation = true - skip_region_validation = true - skip_requesting_account_id = true - skip_s3_checksum = true - - endpoints = { - s3 = "https://a7638f5d66d44acc48d4b80b7c3c8a0c.r2.cloudflarestorage.com" - } - } -} - -provider "proxmox" { - insecure = true - tmp_dir = "/var/tmp" - ssh { - agent = true - username = "robo" - } -} diff --git a/opentofu/vms/s3.tf b/opentofu/vms/s3.tf deleted file mode 100644 index bd21365..0000000 --- a/opentofu/vms/s3.tf +++ /dev/null @@ -1,56 +0,0 @@ -# docs: https://registry.terraform.io/providers/bpg/proxmox/latest/docs/resources/virtual_environment_container - -variable "vm_names" { - type = list(string) - default = ["donkey-kong"] -} - -resource "proxmox_virtual_environment_container" "vm" { - for_each = toset(var.vm_names) - vm_id = 160 + index(var.vm_names, each.key) - node_name = "pve" - description = "S3 data storage" - unprivileged = true - - start_on_boot = "true" - - disk { - datastore_id = "local-lvm" - size = 8 - } - - initialization { - hostname = each.key - - ip_config { - ipv4 { - address = "10.0.10.${160 + index(var.vm_names, each.key)}/24" - gateway = "10.0.0.10" - } - } - - user_account { - password = var.root_password - } - } - - network_interface { - name = "eth0" - firewall = true - bridge = "vnet10" - } - - operating_system { - template_file_id = "local:vztmpl/alpine-latest-base-2024-12-30.tar.gz" - type = "alpine" - } - - tags = [ - "storage", - "s3", - ] - - features { - nesting = true - } -} diff --git a/opentofu/vms/variables.tf b/opentofu/vms/variables.tf deleted file mode 100644 index 35c2ef3..0000000 --- a/opentofu/vms/variables.tf +++ /dev/null 
@@ -1,4 +0,0 @@ -variable "root_password" { - type = string - description = "Password used for the root user" -} From 033d3d637136d3dc03804c6578308c8fb5546616 Mon Sep 17 00:00:00 2001 From: aleidk Date: Wed, 28 May 2025 16:21:12 -0400 Subject: [PATCH 2/2] feat: add rbw plugin for secret management --- .justfile | 4 --- ansible.cfg | 4 +-- lookup_plugins/rbw.py | 50 ++++++++++++++++++++++++++++++++++++ playbooks/initial-setup.yaml | 8 ++++++ 4 files changed, 60 insertions(+), 6 deletions(-) create mode 100644 lookup_plugins/rbw.py create mode 100644 playbooks/initial-setup.yaml diff --git a/.justfile b/.justfile index 62409ff..9a9a9d2 100644 --- a/.justfile +++ b/.justfile @@ -1,10 +1,6 @@ # Repo management tasks -mod repo '.devfiles/justfile' set dotenv-load := true -export ANSIBLE_VAULT_PASSWORD_FILE := justfile_directory() + "/.decrypt-pass.txt" -export ANSIBLE_BECOME_PASSWORD_FILE := justfile_directory() + "/.become-pass.txt" - # Debug output, disabled in CI export ANSIBLE_DISPLAY_ARGS_TO_STDOUT := if env('CI', '') == 'true' { 'false' } else { 'true' } diff --git a/ansible.cfg b/ansible.cfg index c45dec5..6f1c6a8 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -170,7 +170,7 @@ inventory=/etc/ansible/hosts,./hosts/inventory.yaml ;log_path= # (pathspec) Colon separated paths in which Ansible will search for Lookup Plugins. -;lookup_plugins=/home/aleidk/.ansible/plugins/lookup:/usr/share/ansible/plugins/lookup +lookup_plugins=/home/aleidk/.ansible/plugins/lookup:/usr/share/ansible/plugins/lookup:./lookup_plugins/ # (string) Sets the macro for the 'ansible_managed' variable available for :ref:`ansible_collections.ansible.builtin.template_module` and :ref:`ansible_collections.ansible.windows.win_template_module`. This is only relevant for those two modules. ;ansible_managed=Ansible managed 
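Review bot: The new `lookup_plugins` value hard-codes a personal home directory, `/home/aleidk/.ansible/plugins/lookup`, into a committed ansible.cfg, so on any other account or in CI that entry is dead and the plugin search order silently differs from the author's. The pathspec type expands `~`, so `lookup_plugins=~/.ansible/plugins/lookup:/usr/share/ansible/plugins/lookup:./lookup_plugins/` keeps the default user directory for everyone while still adding the repo-local `./lookup_plugins/`. The same hard-coded home path appears in the commented-out `# library=` line of the following hunk and should be fixed there too if that line is ever enabled.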
@@ -185,7 +185,7 @@ inventory=/etc/ansible/hosts,./hosts/inventory.yaml
 ;module_name=command
 
 # (pathspec) Colon separated paths in which Ansible will search for Modules.
-;library=/home/aleidk/.ansible/plugins/modules:/usr/share/ansible/plugins/modules
+# library=/home/aleidk/.ansible/plugins/modules:/usr/share/ansible/plugins/modules:./modules
 
 # (pathspec) Colon separated paths in which Ansible will search for Module utils files, which are shared by modules.
 ;module_utils=/home/aleidk/.ansible/plugins/module_utils:/usr/share/ansible/plugins/module_utils
diff --git a/lookup_plugins/rbw.py b/lookup_plugins/rbw.py
new file mode 100644
index 0000000..55c59d4
--- /dev/null
+++ b/lookup_plugins/rbw.py
@@ -0,0 +1,50 @@
+# python 3 headers, required if submitting to Ansible
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+import json
+import subprocess
+
+from ansible.errors import AnsibleError, AnsibleParserError
+from ansible.plugins.lookup import LookupBase
+from ansible.utils.display import Display
+from jinja2 import Environment
+
+DOCUMENTATION = r"""
+  name: rbw
+  short_description: get secrets using rbw
+  options:
+    _terms:
+      description: Name of the secret to get
+      required: True
+"""
+
+display = Display()
+
+
+def rbw(name: str):
+    sub = subprocess.run(["rbw", "get", name, "--raw"], capture_output=True)
+
+    secret = json.loads(sub.stdout)
+
+    display.debug(f'Obtaining data for "{secret["name"]}"')
+
+    return secret
+
+
+class LookupModule(LookupBase):
+    def run(self, terms, variables=None, **kwargs):
+        # First of all populate options,
+        # this will already take into account env vars and ini config
+        self.set_options(var_options=variables, direct=kwargs)
+
+        # lookups in general are expected to both take a list as input and output a list
+        # this is done so they work with the looping construct 'with_'.
+        ret = []
+        for term in terms:
+            secret = rbw(term)
+
+            ret.append(secret)
+
+        return ret
diff --git a/playbooks/initial-setup.yaml b/playbooks/initial-setup.yaml
new file mode 100644
index 0000000..a5d9bb6
--- /dev/null
+++ b/playbooks/initial-setup.yaml
@@ -0,0 +1,8 @@
+---
+- hosts: localhost
+  vars:
+    secret: "{{ lookup('rbw', 'Work Laptop') }}"
+  tasks:
+
+    - debug:
+        msg: the value of the secret is {{ secret.data.public_key }}
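Review bot: `secret` holds the entire entry the lookup returns, not just the one field the task prints, so the play's variable space carries every field rbw exposes for "Work Laptop" when only `data.public_key` is needed; a later `debug: var=secret`, a templating error that echoes the variable, or a run with `ANSIBLE_DISPLAY_ARGS_TO_STDOUT` on (which this repo's .justfile enables outside CI) would surface those fields. Narrow it at the source, `secret: "{{ lookup('rbw', 'Work Laptop').data.public_key }}"`, and give `no_log: true` to any task that must handle the full entry. Play-level vars are templated lazily, so each reference to `secret` presumably re-runs the `rbw get` subprocess — if it should run once, resolve it with `set_fact` at the start of the play.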