Migrate to sops

.sops.yaml

@@ -1,2 +1,2 @@
 creation_rules:
-  - pgp: "0E5A986FEF6488A68318F953536CDDC25A451FE8"
+  - pgp: "B19E3F4A2D806AB4793FDF2FC73D37CBED7BFC77"

ansible.cfg

@@ -1,4 +1,4 @@
 [defaults]
-inventory = work/inventory.yaml
+inventory = work/inventory.yml
 retry_files_enabled = false
 interpreter_python = auto_silent

flake.nix

@@ -10,6 +10,26 @@
     flake-utils.lib.eachSystem flake-utils.lib.allSystems (system:
       let
         pkgs = import nixpkgs { inherit system; };
+
+        init_sops = pkgs.writeScriptBin "init_sops" ''
+          #!${pkgs.runtimeShell}
+          
+          echo "Decrypting vars file"
+          sops -d group_vars/all.enc.yml > group_vars/all.yml
+
+          echo "Decrypt inventory file"
+          sops -d work/inventory.enc.yml > work/inventory.yml
+        '';
+
+        clean_sops = pkgs.writeScriptBin "clean_sops" ''
+          #!${pkgs.runtimeShell}
+          
+          echo "Decrypting vars file"
+          sops -d group_vars/all.enc.yml > group_vars/all.yml
+
+          echo "Decrypt inventory file"
+          sops -d work/inventory.enc.yml > work/inventory.yml
+        '';
       in
       {
         devShells = {
@@ -17,6 +37,8 @@
             buildInputs = [
               pkgs.ansible
               pkgs.sops
+              init_sops
+              clean_sops
             ];
           };
         };

group_vars/all.enc.yml

@@ -0,0 +1,63 @@
+#ENC[AES256_GCM,data:EQ==,iv:PyBYH5JrFrsupAzTatchy4diXcDcDlPJ8gzlKShtf6s=,tag:Z5QAwwQM7VFSnBemRP3ZOw==,type:comment]
+#ENC[AES256_GCM,data:n3YqSd513z8GJhkrd5x7ymIPXUgd,iv:o7x+KXmYzyOFnueavi4pJE9wL+ULoLvKZ38RCBa2BpI=,tag:aHFzaaiCG6tGvaahVF7q6g==,type:comment]
+server:
+    domain: ENC[AES256_GCM,data:XwKXW8a+P5+AKu8=,iv:CoyZARSf7OaxNRa9mWNGJMkgKEvezjKJJGuWIuYTa0w=,tag:R2RVePN6DHP+yayos+FpTg==,type:str]
+    ssh_port: ENC[AES256_GCM,data:FbC8Ag==,iv:UWLlqMCHUnEX5P8n/0sJ/YAPODj5fkfdaKOgqlWf3KM=,tag:Bg1uehmeyg+NCgMpPJ9dWA==,type:int]
+    work_dir: ENC[AES256_GCM,data:WPC8tg1e94NG,iv:zwMMeUGHyRRBxFB5wxcb9zkceN44e4d981njo11jPls=,tag:JgKQuSLXV1wgNdw/H0fq4w==,type:str]
+    backup_dir: ENC[AES256_GCM,data:jVA1/bRIwyv/pN0=,iv:52sq6l95bIGRyQYPxUc8rHttCFnURZ6SzRkzW1EjkfM=,tag:Khk/2ywI3UIyRelcv3+MQA==,type:str]
+    ip: ENC[AES256_GCM,data:XOjYFm5o1rvDWyOLbdll,iv:UbCbn+7JhRfd6aWHGM/Fqe9gbcKXlQNERg3pAiWJWv4=,tag:RMhj6E10B4FzmnTwHWaNKg==,type:str]
+    vpn:
+        subnet: ENC[AES256_GCM,data:rCzHSiJy0iI7QwRLiyc=,iv:yh8d6dI3RQwjXnpI6s5Uj1feom3LUeJV+Q8HogC6S20=,tag:8OhOju73Yxan5iXY0iqaLw==,type:str]
+        ip: ENC[AES256_GCM,data:C7iMBijM5Km95huf,iv:1O3svsjYFn4NIx5K18D7rMirFbyfhi1yPH6mTWluPjk=,tag:S98OuZUEc+Mfok6WspaC5w==,type:str]
+        reverse_proxy_ip: ENC[AES256_GCM,data:F073L22Hw4KFhy+z,iv:NjN398rOZUy5GU8CYC9mewCuHObFRnkub2lh4PL858g=,tag:MGZY8lbJxbJ43jigkDu5cA==,type:str]
+        dns_ip: ENC[AES256_GCM,data:WN9jZPxFXdYMib76,iv:cUNMAWFyORul4lTEDaZcvRq1zfzCnMbF9Fu+ATwXud4=,tag:U94pIIRxKzCq7X0+VYPk9w==,type:str]
+        port: ENC[AES256_GCM,data:GW0Ddg4=,iv:mU2HW4gj16QNLae/hkAkbyEjeDjBvX09M9RWCxy8mPU=,tag:vr76TllzPoIDJnLVMHHcEg==,type:int]
+        peers: ENC[AES256_GCM,data:okkQ1lNEFfr3Nc0Ntp4DwtguLjp81v0icXr0,iv:iaCkBTo1KMSMysEWuEHRaf+2glQnQPE9YEi8EJleQCY=,tag:wdHznNaKFMENmBFpC9T0FQ==,type:str]
+private_network:
+    extra_ips_whitelist:
+        - ENC[AES256_GCM,data:qfAgQEavzB0dcSxg3A==,iv:6Bnordv+FoIulBGxL/G4PN8lwkbASfX1WJG8WAbpUN0=,tag:oGizCAmqpCGF4pN+yYeevw==,type:str]
+acme:
+    email: ENC[AES256_GCM,data:ykYDRJGzJTgFnUUAkcKyFKoxSxFWQE/DWcEoBUo=,iv:MNcIjHcBg/Y+XdY8+lucf4kewtFH7Ui9vgXp/QM6iZs=,tag:ywHRwmHEnrbhL0BRoPzGPA==,type:str]
+    debug: ENC[AES256_GCM,data:BQ3AVWI=,iv:4zfaA/57TBlw8HDg68kk2yDcKMot15HHi7rIongWBEk=,tag:zz1xE4FmwVbvyTpeiPSHQQ==,type:bool]
+#ENC[AES256_GCM,data:FknDuiYn,iv:k8Y57jkpnLr69BEf1lHh9+FTinRPK3l7EXIPuuUZV28=,tag:m5GOV6g0dpedSBvWxC8yIQ==,type:comment]
+protonmail:
+    initialized: ENC[AES256_GCM,data:aMUMLUo=,iv:QEue5Z22MQJqZbYelk8VR1CjMaKwpCZE7tidUexk7q0=,tag:+mBLzSSToKeqsqae4yDZew==,type:bool]
+vaultwarden:
+    admin_token: ENC[AES256_GCM,data:qP5aUZHoMNqNZAGJf/F/fjyi/VwhvTRKB20r+3AXhWSr5cmXr6Y81ctLIHD4La0AS3d0piMoHWV9fAAlSGziQdEvSY6Swv+PNc6cf9qJKQAeulOWRI6h9XaLmPdOOfn042rv2p5H0C0EghMTjz8RVG8ravXmYA==,iv:ue0WBnaUFX5f6VOgSNo2IXcxbCdzqdNvbRW/gJHn0Kc=,tag:bRoWmRpPfx3Qt/YUPMs2Og==,type:str]
+gitea:
+    runner_registration_token: ENC[AES256_GCM,data:PMhn23aq+bA7PB8RhvPDI6TXldPKR0EwnpVG6bBFan9NHo9z7TXREw==,iv:fSWaRmb6agJWrXRCULvEnoR+pSMslZde29w95cOdfCc=,tag:mDl4jIntss7VJW8jxHuAPw==,type:str]
+#ENC[AES256_GCM,data:EMrnASV+t5neejzvu0cQJV/DAABX,iv:mHcvQr2ZU7JPB4j9Ta/kdlbCkDwco2TdGJL7ihHZEr8=,tag:d3n4Vz5TRTm68p+fTcoerQ==,type:comment]
+amazon:
+    client_id: ENC[AES256_GCM,data:2MM8juhtpmaoQ2k/5CrCAyNHOLWLIjOS9/6BTKiK,iv:bLSdrkCw3sFj4v85JDkCAW3KovolZt+mLO6Yxnes12o=,tag:TNcPOqNa1Ym52KypgLv7gg==,type:str]
+    client_secret: ENC[AES256_GCM,data:sk5mrUW+MbOt5ZMlxJRfdLzyLgEI7PdP5CfOmenJ,iv:cGQJnyD1OQ6QJNPxspUUUmq8zo1a1G1lcEcw+z+8oqE=,tag:4SbfpE8w9H6hKMnYEY9zrw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-07-14T18:28:36Z"
+    mac: ENC[AES256_GCM,data:FagYabkjwsi5VEAb3iVgTUKycIfTi0oIC8TJCkl5z1S0r1N4aG46tfEpAHWc49uXOR2o/uyPNg2KPJtEXIsW0Elu686eXQA5zJDKnHgWu97/4kZ2uebEzzuqkwnaxHqMbNyr2ABOJKZoNx4874tkdML0RxxRGD+/lD1EtayrJ5A=,iv:/qnB8SmJBKP2RPDlXmewgx/s0Yke7nhjzSxSbeg+g/s=,tag:MKvun7kBMaIgwFCmzJTQMQ==,type:str]
+    pgp:
+        - created_at: "2024-07-14T18:28:36Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA1Ns3cJaRR/oARAAmVMa6mZHmgWtDhaz8jOpfPLPpKCXekgtfbXilxfaHK1R
+            D11H5yoYRnekvH4QNtUcptcO+I0b/V7MiPDp5i7IzOWCWkYCBLPSpyNQlVls7DAG
+            +RS5bA++LdB6/LxMNXMeARFSLJbQ0wqH21B/FnjiqprqZMZdb1EbAJCElZOMSqpT
+            26p00vfuOeN1tNEezuPeBdj2jtuc6Em8Imd+aq08wOzUxGb2w8bQR/G3AOEMvxCg
+            keVIJ8MgN+Qx6lbHY+1p4PzuNb6YaSJ57U3v0CcBmrY/po6/sYvlz+ReHyeUQycl
+            NdvzkpTAogUACxE1oFCHYylFrfGmjkz/qA3ksG6AaSYuwIU41mi3u6MvafaXX35S
+            VeYiWn3OYfSAKuI4YBnV36YMescIKqc17Etkz523jSpC4BthbEhVs7HIkFB0FawK
+            Xm2pdKW9Dj88057OffCj7AyARvcOhPd6nZw1aCDfiHheNi+v9th7fCf4gB9sq7+P
+            7XBgtUxfejb175MiHQvw4MaS/5zKQSIrAjP1Lpswf2p73OBO6NbnHL0J4XXydqx9
+            4fEuUCIAyZuhecc5BDcNtxJ0UM2ck1mVPHeuQzij0guu0++YLV5fQ3XjTIdoGDl5
+            fUglZugJ/7AFMV6tno0MsSbYMmZMTEpQIYwmKU8ugdx7eyFEagVVmnTPKybn6g7S
+            WAGNGXMsVUvTGki73O7PvBzU08Vsen399+SxKxyrEQBBfDHdLUYOpDEIjUb9hQ6+
+            HZOIXzs1LYcfL7XV0TKPZB93Y0vSzNJdUGxR4q+eYiCHgeKzXxKmcKs=
+            =xcMM
+            -----END PGP MESSAGE-----
+          fp: B19E3F4A2D806AB4793FDF2FC73D37CBED7BFC77
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

group_vars/all.yml.sample

@@ -1,37 +0,0 @@
-##
-# Global configuration
-server:
-  domain: mrdev023.test
-  ssh_port: 22
-  work_dir: /mnt/test
-  backup_dir: /mnt/btest
-  ip: 127.0.0.1
-  vpn:
-    subnet: 192.168.1.0/24
-    ip: 192.168.1.254
-    reverse_proxy_ip: 192.168.1.254
-    dns_ip: 192.168.1.254
-    port: 22
-    peers: test
-
-private_network:
-  extra_ips_whitelist: []
-
-acme:
-  email: test@test.fr
-  debug: true
-
-# Other
-protonmail:
-  initialized: false
-
-vaultwarden:
-  admin_token: token
-
-gitea:
-  runner_registration_token: token
-
-# Use for game in ryot
-amazon:
-  client_id: client_id
-  client_secret: client_secret

work/inventory.enc.yml

@@ -0,0 +1,37 @@
+servers:
+    hosts:
+        ssh.mrdev023.fr:
+            ansible_connection: ENC[AES256_GCM,data:gdpF,iv:LYDP75NrUpT4pbKP5B8dt0f7zMCI2JEPc2eTbcSirEU=,tag:Pb0vODcG/2qKDx0Um6jorA==,type:str]
+            ansible_user: ENC[AES256_GCM,data:7QacOjCILA==,iv:eHsIfpuXpupRNxVMuvThwhplY8ejWZjOsavmrybEN0o=,tag:+OckehdbDR+DBypeuNOVlg==,type:str]
+            ansible_port: ENC[AES256_GCM,data:O9zcyw==,iv:BML7K5NEbHiDjL8tXViKgyLEz//LQQ6pHA/fvmTETwg=,tag:zD5PWlluO4FCprCeSk1Xsg==,type:int]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-07-14T18:28:45Z"
+    mac: ENC[AES256_GCM,data:8YxHA7ohlkdehAAk9/rRxeWvmY5EFDp+iou1+X/lldiYRZye+wZvXAyAlJIKkccSiOTJ1Uitp610Iy5qAp3dJha1Ib+LBGgJDw+knwPEVUmkAUMGweBVG5YGFh7x/QZZXKK+kKoLBbK5EALLbg61obxgGU2aoaMKmGc9v562n6k=,iv:cH7ydk9kkI0oh872T4CXH213SpkapiSxEXGSdD42ZQk=,tag:Fuv6zyQb8bx3/Tses3nqtA==,type:str]
+    pgp:
+        - created_at: "2024-07-14T18:28:45Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA1Ns3cJaRR/oARAA9hF2uWYDDYoDSDhPwcRKn8Ni2dad8253UbShFNzCUmj7
+            ImgJN3WdNJUF05ovKm8RG20c/nCYHnHljvjQPGI2s/uMfNd4Qf3mdI/TgVVYr7/V
+            kiGK1cw7mguPVLi35QOJpAFFhX3O/w7b8TCoZHjF2eQFnSK9aHZCcLLkPIdOPIYx
+            Ze/L82T70VH0fSqKYdMW0eecZrDRc76YYQ5bwfm28Z3q3iwZ1exuoj9LyCbybDnJ
+            Su53lwa8cApV9lot6AK4NCPajXEzfJziQXu9EgU3NTzbbopGyk35+Jl4SfZ7ZOQ5
+            sjgmj5I40HDZXmH2yXexzFOkKw425WRhRb2c+SLABfDCrpqgJE2t4JKxzerKFGrf
+            y7fO8bRlnMnfyy2N4Vx8pSoC2OhN1QsZIjfqmXAbjuQHD1YjFfpJQs781KVPzvdx
+            598YtXekWy7Os122jAz+x5ZsiHd8GuUNw4ZmrPciDtxHVyynk5K3nii4NgSND6Mj
+            +9sECHTczxqWo1gfU7GtvOqXH4orbsZc/MMz7v7EyoIPg7AZMZFsnsJDXpJ+eNEU
+            itzfpNtkRHXbyOy8UsTy7hWMXl5I5SY3wJoR1DmLY/cN/s+RkeOREm+vOuCRSGkT
+            EevReq0sCWwKcELJn7EwU4h35sEuDXBIZQx7Xh4l6/jLh5KzYrIT51oH4NiYs33S
+            WAGYJaoc7nOAxHW5FqUahY5puLI+oLrKwSh3aOWL4wPQqa4PYigAYtizlFK5uXMR
+            PbHlDFJFVXOLiFaPdp6O/l8sKm6yqXHmj+Pg3ujMsW1/vaE9buqrELY=
+            =amoN
+            -----END PGP MESSAGE-----
+          fp: B19E3F4A2D806AB4793FDF2FC73D37CBED7BFC77
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

work/inventory.yaml.sample

@@ -1,6 +0,0 @@
-servers:
-    hosts:
-        localhost:
-            ansible_connection: ssh
-            ansible_user: test
-            ansible_port: 22

work/inventory.yml

@@ -0,0 +1,6 @@
+servers:
+    hosts:
+        ssh.mrdev023.fr:
+            ansible_connection: ssh
+            ansible_user: florian
+            ansible_port: 7943