feat(tooling): added tasks to ease en/decrypt operations on vault files

2025-03-02 00:00:00 +00:00 · 2025-03-02 00:00:00 +00:00 · 43d68e5cab
commit 43d68e5cab
parent 93a3754ce4
4 changed files with 41 additions and 0 deletions
--- a/Taskfile.yml
+++ b/Taskfile.yml
@ -3,14 +3,20 @@ version: '3'
 includes:
  setup: ./tasks/setup_{{OS}}.yml
  test: ./tasks/tests.yml
+  utils:
+    taskfile: ./tasks/utils.yml
+    flatten: true

 env:
  DOCKER_REPOSITORY: pouncetech/molecule
+  ANSIBLE_VAULT_PASSWORD_FILE: ./scripts/pass_get_vault_id.sh

 vars:
  PYTHON_WRAPPER: '{{.ROOT_DIR}}/scripts/python_wrapper.sh'
  MOLECULE_DIR: '{{.ROOT_DIR}}/collections/ansible_collections/nullified/infrastructure/extensions'
  COLLECTIONS_DIR: '{{.ROOT_DIR}}/collections/ansible_collections'
+  ANSIBLE_PASS_PATH: ansible/vault-id
+  ANSIBLE_PASS_LENGTH: 50

 tasks:
  setup:
@ -20,6 +26,7 @@ tasks:
      - task: 'setup:venv'
      - task: 'setup:ansible'
      - task: 'setup:galaxy'
+      - task: 'vault:init'

  docker:build:
    desc: build docker images locally.
--- a/scripts/pass_get_vault_id.sh
+++ b/scripts/pass_get_vault_id.sh
@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+PASSWORD_STORE_BIN=${PASSWORD_STORE_BIN:-"pass"}
+ANSIBLE_PASS_PATH=${ANSIBLE_PASS_PATH:-"ansible/vault-id"}
+
+$PASSWORD_STORE_BIN show "${ANSIBLE_PASS_PATH}"
--- a/tasks/setup_linux.yml
+++ b/tasks/setup_linux.yml
@ -11,6 +11,7 @@ tasks:
          build-essential \
          coreutils \
          curl \
+          pass \
          libcurl4-openssl-dev \
          libtool \
          python3-virtualenv \
--- a/tasks/utils.yml
+++ b/tasks/utils.yml
@ -0,0 +1,27 @@
+version: '3'
+
+tasks:
+  encrypt:
+    desc: encrypt all vault.yml files using; requires creating a vault-id file in your home
+    vars:
+      VAULT_FILES:
+        sh: find . -type f -name vault.yml -and -not -path "./.venv/*"
+    cmds:
+      - for: { var: VAULT_FILES }
+        cmd: '{{.PYTHON_WRAPPER}} ansible-vault encrypt {{.ITEM | replace "\n" " " }} || true'
+
+  decrypt:
+    desc: encrypt all vault.yml files using; requires creating a vault-id file in your home
+    vars:
+      VAULT_FILES:
+        sh: find . -type f -name vault.yml -and -not -path "./.venv/*"
+    cmds:
+      - for: { var: VAULT_FILES }
+        cmd: '{{.PYTHON_WRAPPER}} ansible-vault decrypt {{.ITEM | replace "\n" " " }} || true'
+
+  vault:init:
+    desc: Create a vault id file in your home directory for encrypting/decrypting vault files
+    cmds:
+      - 'pass generate {{.ANSIBLE_PASS_PATH}} {{.ANSIBLE_PASS_LENGTH}} > /dev/null'
+    status:
+      - 'pass show {{.ANSIBLE_PASS_PATH}} &> /dev/null '