From 93cbcd29fbc7d3904337fb57f0178ff9ace2fee2 Mon Sep 17 00:00:00 2001
From: Florian RICHER
Date: Sun, 14 Jul 2024 20:35:22 +0200
Subject: [PATCH] Migrate to sops
---
 .sops.yaml | 2 +-
 ansible.cfg | 2 +-
 flake.nix | 22 +++++++++++++
 group_vars/all.enc.yml | 63 ++++++++++++++++++++++++++++++++++++++
 group_vars/all.yml.sample | 37 ----------------------
 work/inventory.enc.yml | 37 ++++++++++++++++++++++
 work/inventory.yaml.sample | 6 ----
 work/inventory.yml | 6 ++++
 8 files changed, 130 insertions(+), 45 deletions(-)
 create mode 100644 group_vars/all.enc.yml
 delete mode 100644 group_vars/all.yml.sample
 create mode 100644 work/inventory.enc.yml
 delete mode 100644 work/inventory.yaml.sample
 create mode 100644 work/inventory.yml
diff --git a/.sops.yaml b/.sops.yaml
index d5a5650..0f72187 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,2 +1,2 @@
 creation_rules:
- - pgp: "0E5A986FEF6488A68318F953536CDDC25A451FE8"
+ - pgp: "B19E3F4A2D806AB4793FDF2FC73D37CBED7BFC77"
diff --git a/ansible.cfg b/ansible.cfg
index 8c48cf9..fbd0897 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,4 +1,4 @@
 [defaults]
-inventory = work/inventory.yaml
+inventory = work/inventory.yml
 retry_files_enabled = false
 interpreter_python = auto_silent
\ No newline at end of file
diff --git a/flake.nix b/flake.nix
index 0cbfe21..a994a68 100644
--- a/flake.nix
+++ b/flake.nix
@@ -10,6 +10,26 @@ flake-utils.lib.eachSystem flake-utils.lib.allSystems (system: let pkgs = import nixpkgs { inherit system; }; + + init_sops = pkgs.writeScriptBin "init_sops" '' + #!${pkgs.runtimeShell} + + echo "Decrypting vars file" + sops -d group_vars/all.enc.yml > group_vars/all.yml + + echo "Decrypt inventory file" + sops -d work/inventory.enc.yml > work/inventory.yml + ''; + + clean_sops = pkgs.writeScriptBin "clean_sops" '' + #!${pkgs.runtimeShell} + + echo "Decrypting vars file" + sops -d group_vars/all.enc.yml > group_vars/all.yml + + echo "Decrypt inventory file" + sops -d work/inventory.enc.yml > work/inventory.yml + ''; in { devShells = { @@ -17,6 +37,8 @@ buildInputs = [ pkgs.ansible pkgs.sops + init_sops + clean_sops ]; }; }; diff --git a/group_vars/all.enc.yml b/group_vars/all.enc.yml new file mode 100644 index 0000000..be178f5 --- /dev/null +++ b/group_vars/all.enc.yml 
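Review bot: `clean_sops` is a verbatim copy of `init_sops` — it decrypts `group_vars/all.enc.yml` and `work/inventory.enc.yml` a second time instead of removing the plaintext, so the decrypted files remain on disk after "clean" runs. Its body should be along the lines of `set -eu` / `echo "Removing decrypted files"` / `rm -f group_vars/all.yml work/inventory.yml`. `init_sops` also runs without `set -euo pipefail`: the shell opens `group_vars/all.yml` for writing before `sops -d` starts, so a failed decryption (missing key, no gpg agent) leaves an empty or truncated plaintext file that a later Ansible run will try to load. The `let` block these bindings live in starts before the hunk; the second hunk only adds both scripts to `buildInputs`.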
@@ -0,0 +1,63 @@
+#ENC[AES256_GCM,data:EQ==,iv:PyBYH5JrFrsupAzTatchy4diXcDcDlPJ8gzlKShtf6s=,tag:Z5QAwwQM7VFSnBemRP3ZOw==,type:comment]
+#ENC[AES256_GCM,data:n3YqSd513z8GJhkrd5x7ymIPXUgd,iv:o7x+KXmYzyOFnueavi4pJE9wL+ULoLvKZ38RCBa2BpI=,tag:aHFzaaiCG6tGvaahVF7q6g==,type:comment]
+server:
+ domain: ENC[AES256_GCM,data:XwKXW8a+P5+AKu8=,iv:CoyZARSf7OaxNRa9mWNGJMkgKEvezjKJJGuWIuYTa0w=,tag:R2RVePN6DHP+yayos+FpTg==,type:str]
+ ssh_port: ENC[AES256_GCM,data:FbC8Ag==,iv:UWLlqMCHUnEX5P8n/0sJ/YAPODj5fkfdaKOgqlWf3KM=,tag:Bg1uehmeyg+NCgMpPJ9dWA==,type:int]
+ work_dir: ENC[AES256_GCM,data:WPC8tg1e94NG,iv:zwMMeUGHyRRBxFB5wxcb9zkceN44e4d981njo11jPls=,tag:JgKQuSLXV1wgNdw/H0fq4w==,type:str]
+ backup_dir: ENC[AES256_GCM,data:jVA1/bRIwyv/pN0=,iv:52sq6l95bIGRyQYPxUc8rHttCFnURZ6SzRkzW1EjkfM=,tag:Khk/2ywI3UIyRelcv3+MQA==,type:str]
+ ip: ENC[AES256_GCM,data:XOjYFm5o1rvDWyOLbdll,iv:UbCbn+7JhRfd6aWHGM/Fqe9gbcKXlQNERg3pAiWJWv4=,tag:RMhj6E10B4FzmnTwHWaNKg==,type:str]
+ vpn:
+ subnet: ENC[AES256_GCM,data:rCzHSiJy0iI7QwRLiyc=,iv:yh8d6dI3RQwjXnpI6s5Uj1feom3LUeJV+Q8HogC6S20=,tag:8OhOju73Yxan5iXY0iqaLw==,type:str]
+ ip: ENC[AES256_GCM,data:C7iMBijM5Km95huf,iv:1O3svsjYFn4NIx5K18D7rMirFbyfhi1yPH6mTWluPjk=,tag:S98OuZUEc+Mfok6WspaC5w==,type:str]
+ reverse_proxy_ip: ENC[AES256_GCM,data:F073L22Hw4KFhy+z,iv:NjN398rOZUy5GU8CYC9mewCuHObFRnkub2lh4PL858g=,tag:MGZY8lbJxbJ43jigkDu5cA==,type:str]
+ dns_ip: ENC[AES256_GCM,data:WN9jZPxFXdYMib76,iv:cUNMAWFyORul4lTEDaZcvRq1zfzCnMbF9Fu+ATwXud4=,tag:U94pIIRxKzCq7X0+VYPk9w==,type:str]
+ port: ENC[AES256_GCM,data:GW0Ddg4=,iv:mU2HW4gj16QNLae/hkAkbyEjeDjBvX09M9RWCxy8mPU=,tag:vr76TllzPoIDJnLVMHHcEg==,type:int]
+ peers: ENC[AES256_GCM,data:okkQ1lNEFfr3Nc0Ntp4DwtguLjp81v0icXr0,iv:iaCkBTo1KMSMysEWuEHRaf+2glQnQPE9YEi8EJleQCY=,tag:wdHznNaKFMENmBFpC9T0FQ==,type:str]
+private_network:
+ extra_ips_whitelist:
+ - ENC[AES256_GCM,data:qfAgQEavzB0dcSxg3A==,iv:6Bnordv+FoIulBGxL/G4PN8lwkbASfX1WJG8WAbpUN0=,tag:oGizCAmqpCGF4pN+yYeevw==,type:str]
+acme:
+ email: 
ENC[AES256_GCM,data:ykYDRJGzJTgFnUUAkcKyFKoxSxFWQE/DWcEoBUo=,iv:MNcIjHcBg/Y+XdY8+lucf4kewtFH7Ui9vgXp/QM6iZs=,tag:ywHRwmHEnrbhL0BRoPzGPA==,type:str]
+ debug: ENC[AES256_GCM,data:BQ3AVWI=,iv:4zfaA/57TBlw8HDg68kk2yDcKMot15HHi7rIongWBEk=,tag:zz1xE4FmwVbvyTpeiPSHQQ==,type:bool]
+#ENC[AES256_GCM,data:FknDuiYn,iv:k8Y57jkpnLr69BEf1lHh9+FTinRPK3l7EXIPuuUZV28=,tag:m5GOV6g0dpedSBvWxC8yIQ==,type:comment]
+protonmail:
+ initialized: ENC[AES256_GCM,data:aMUMLUo=,iv:QEue5Z22MQJqZbYelk8VR1CjMaKwpCZE7tidUexk7q0=,tag:+mBLzSSToKeqsqae4yDZew==,type:bool]
+vaultwarden:
+ admin_token: ENC[AES256_GCM,data:qP5aUZHoMNqNZAGJf/F/fjyi/VwhvTRKB20r+3AXhWSr5cmXr6Y81ctLIHD4La0AS3d0piMoHWV9fAAlSGziQdEvSY6Swv+PNc6cf9qJKQAeulOWRI6h9XaLmPdOOfn042rv2p5H0C0EghMTjz8RVG8ravXmYA==,iv:ue0WBnaUFX5f6VOgSNo2IXcxbCdzqdNvbRW/gJHn0Kc=,tag:bRoWmRpPfx3Qt/YUPMs2Og==,type:str]
+gitea:
+ runner_registration_token: ENC[AES256_GCM,data:PMhn23aq+bA7PB8RhvPDI6TXldPKR0EwnpVG6bBFan9NHo9z7TXREw==,iv:fSWaRmb6agJWrXRCULvEnoR+pSMslZde29w95cOdfCc=,tag:mDl4jIntss7VJW8jxHuAPw==,type:str]
+#ENC[AES256_GCM,data:EMrnASV+t5neejzvu0cQJV/DAABX,iv:mHcvQr2ZU7JPB4j9Ta/kdlbCkDwco2TdGJL7ihHZEr8=,tag:d3n4Vz5TRTm68p+fTcoerQ==,type:comment]
+amazon:
+ client_id: ENC[AES256_GCM,data:2MM8juhtpmaoQ2k/5CrCAyNHOLWLIjOS9/6BTKiK,iv:bLSdrkCw3sFj4v85JDkCAW3KovolZt+mLO6Yxnes12o=,tag:TNcPOqNa1Ym52KypgLv7gg==,type:str]
+ client_secret: ENC[AES256_GCM,data:sk5mrUW+MbOt5ZMlxJRfdLzyLgEI7PdP5CfOmenJ,iv:cGQJnyD1OQ6QJNPxspUUUmq8zo1a1G1lcEcw+z+8oqE=,tag:4SbfpE8w9H6hKMnYEY9zrw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2024-07-14T18:28:36Z"
+ mac: ENC[AES256_GCM,data:FagYabkjwsi5VEAb3iVgTUKycIfTi0oIC8TJCkl5z1S0r1N4aG46tfEpAHWc49uXOR2o/uyPNg2KPJtEXIsW0Elu686eXQA5zJDKnHgWu97/4kZ2uebEzzuqkwnaxHqMbNyr2ABOJKZoNx4874tkdML0RxxRGD+/lD1EtayrJ5A=,iv:/qnB8SmJBKP2RPDlXmewgx/s0Yke7nhjzSxSbeg+g/s=,tag:MKvun7kBMaIgwFCmzJTQMQ==,type:str]
+ pgp:
+ - created_at: "2024-07-14T18:28:36Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA1Ns3cJaRR/oARAAmVMa6mZHmgWtDhaz8jOpfPLPpKCXekgtfbXilxfaHK1R
+ D11H5yoYRnekvH4QNtUcptcO+I0b/V7MiPDp5i7IzOWCWkYCBLPSpyNQlVls7DAG
+ +RS5bA++LdB6/LxMNXMeARFSLJbQ0wqH21B/FnjiqprqZMZdb1EbAJCElZOMSqpT
+ 26p00vfuOeN1tNEezuPeBdj2jtuc6Em8Imd+aq08wOzUxGb2w8bQR/G3AOEMvxCg
+ keVIJ8MgN+Qx6lbHY+1p4PzuNb6YaSJ57U3v0CcBmrY/po6/sYvlz+ReHyeUQycl
+ NdvzkpTAogUACxE1oFCHYylFrfGmjkz/qA3ksG6AaSYuwIU41mi3u6MvafaXX35S
+ VeYiWn3OYfSAKuI4YBnV36YMescIKqc17Etkz523jSpC4BthbEhVs7HIkFB0FawK
+ Xm2pdKW9Dj88057OffCj7AyARvcOhPd6nZw1aCDfiHheNi+v9th7fCf4gB9sq7+P
+ 7XBgtUxfejb175MiHQvw4MaS/5zKQSIrAjP1Lpswf2p73OBO6NbnHL0J4XXydqx9
+ 4fEuUCIAyZuhecc5BDcNtxJ0UM2ck1mVPHeuQzij0guu0++YLV5fQ3XjTIdoGDl5
+ fUglZugJ/7AFMV6tno0MsSbYMmZMTEpQIYwmKU8ugdx7eyFEagVVmnTPKybn6g7S
+ WAGNGXMsVUvTGki73O7PvBzU08Vsen399+SxKxyrEQBBfDHdLUYOpDEIjUb9hQ6+
+ HZOIXzs1LYcfL7XV0TKPZB93Y0vSzNJdUGxR4q+eYiCHgeKzXxKmcKs=
+ =xcMM
+ -----END PGP MESSAGE-----
+ fp: B19E3F4A2D806AB4793FDF2FC73D37CBED7BFC77
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/group_vars/all.yml.sample b/group_vars/all.yml.sample
deleted file mode 100644
index 1de9e29..0000000
--- a/group_vars/all.yml.sample
+++ /dev/null
@@ -1,37 +0,0 @@
-##
- # Global configuration
-server:
- domain: mrdev023.test
- ssh_port: 22
- work_dir: /mnt/test
- backup_dir: /mnt/btest
- ip: 127.0.0.1
- vpn:
- subnet: 192.168.1.0/24
- ip: 192.168.1.254
- reverse_proxy_ip: 192.168.1.254
- dns_ip: 192.168.1.254
- port: 22
- peers: test
-
-private_network:
- extra_ips_whitelist: []
-
-acme:
- email: test@test.fr
- debug: true
-
-# Other
-protonmail:
- initialized: false
-
-vaultwarden:
- admin_token: token
-
-gitea:
- runner_registration_token: token
-
-# Use for game in ryot
-amazon:
- client_id: client_id
- client_secret: client_secret
diff --git a/work/inventory.enc.yml b/work/inventory.enc.yml
new file mode 100644
index 0000000..0dc8482
--- /dev/null
+++ b/work/inventory.enc.yml
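Review bot: `sops.pgp` names a single recipient (`fp: B19E3F4A2D806AB4793FDF2FC73D37CBED7BFC77`) while `age`, `kms`, `gcp_kms`, `azure_kv` and `hc_vault` are all empty, so losing that one private key makes every value in this file unrecoverable; adding a second recipient (an offline backup PGP key or an `age` key) to `.sops.yaml` and re-running `sops updatekeys` is the usual mitigation. sops encrypts values only: the mapping keys (`vaultwarden.admin_token`, `amazon.client_secret`, `gitea.runner_registration_token`, …) stay readable here, so the deleted `group_vars/all.yml.sample` disclosed nothing this file does not already show, and keeping a sample or README that lists the expected variables costs no confidentiality. The `#ENC[...,type:comment]` lines show the original comments were encrypted as well, which means the in-file documentation is now visible only to key holders.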
@@ -0,0 +1,37 @@
+servers:
+ hosts:
+ ssh.mrdev023.fr:
+ ansible_connection: ENC[AES256_GCM,data:gdpF,iv:LYDP75NrUpT4pbKP5B8dt0f7zMCI2JEPc2eTbcSirEU=,tag:Pb0vODcG/2qKDx0Um6jorA==,type:str]
+ ansible_user: ENC[AES256_GCM,data:7QacOjCILA==,iv:eHsIfpuXpupRNxVMuvThwhplY8ejWZjOsavmrybEN0o=,tag:+OckehdbDR+DBypeuNOVlg==,type:str]
+ ansible_port: ENC[AES256_GCM,data:O9zcyw==,iv:BML7K5NEbHiDjL8tXViKgyLEz//LQQ6pHA/fvmTETwg=,tag:zD5PWlluO4FCprCeSk1Xsg==,type:int]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2024-07-14T18:28:45Z"
+ mac: ENC[AES256_GCM,data:8YxHA7ohlkdehAAk9/rRxeWvmY5EFDp+iou1+X/lldiYRZye+wZvXAyAlJIKkccSiOTJ1Uitp610Iy5qAp3dJha1Ib+LBGgJDw+knwPEVUmkAUMGweBVG5YGFh7x/QZZXKK+kKoLBbK5EALLbg61obxgGU2aoaMKmGc9v562n6k=,iv:cH7ydk9kkI0oh872T4CXH213SpkapiSxEXGSdD42ZQk=,tag:Fuv6zyQb8bx3/Tses3nqtA==,type:str]
+ pgp:
+ - created_at: "2024-07-14T18:28:45Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA1Ns3cJaRR/oARAA9hF2uWYDDYoDSDhPwcRKn8Ni2dad8253UbShFNzCUmj7
+ ImgJN3WdNJUF05ovKm8RG20c/nCYHnHljvjQPGI2s/uMfNd4Qf3mdI/TgVVYr7/V
+ kiGK1cw7mguPVLi35QOJpAFFhX3O/w7b8TCoZHjF2eQFnSK9aHZCcLLkPIdOPIYx
+ Ze/L82T70VH0fSqKYdMW0eecZrDRc76YYQ5bwfm28Z3q3iwZ1exuoj9LyCbybDnJ
+ Su53lwa8cApV9lot6AK4NCPajXEzfJziQXu9EgU3NTzbbopGyk35+Jl4SfZ7ZOQ5
+ sjgmj5I40HDZXmH2yXexzFOkKw425WRhRb2c+SLABfDCrpqgJE2t4JKxzerKFGrf
+ y7fO8bRlnMnfyy2N4Vx8pSoC2OhN1QsZIjfqmXAbjuQHD1YjFfpJQs781KVPzvdx
+ 598YtXekWy7Os122jAz+x5ZsiHd8GuUNw4ZmrPciDtxHVyynk5K3nii4NgSND6Mj
+ +9sECHTczxqWo1gfU7GtvOqXH4orbsZc/MMz7v7EyoIPg7AZMZFsnsJDXpJ+eNEU
+ itzfpNtkRHXbyOy8UsTy7hWMXl5I5SY3wJoR1DmLY/cN/s+RkeOREm+vOuCRSGkT
+ EevReq0sCWwKcELJn7EwU4h35sEuDXBIZQx7Xh4l6/jLh5KzYrIT51oH4NiYs33S
+ WAGYJaoc7nOAxHW5FqUahY5puLI+oLrKwSh3aOWL4wPQqa4PYigAYtizlFK5uXMR
+ PbHlDFJFVXOLiFaPdp6O/l8sKm6yqXHmj+Pg3ujMsW1/vaE9buqrELY=
+ =amoN
+ -----END PGP MESSAGE-----
+ fp: B19E3F4A2D806AB4793FDF2FC73D37CBED7BFC77
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
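Review bot: the host entry `ssh.mrdev023.fr:` is a YAML mapping key, and sops encrypts values only, so the hostname remains in clear in this file even though `ansible_connection`, `ansible_user` and `ansible_port` are encrypted. If the hostname is meant to be confidential, key the host by a neutral alias and put the real address in an `ansible_host:` value, which sops will then encrypt; if it is not, the layout is fine but the encryption protects less than it appears to. The single-recipient `sops.pgp` configuration here has the same key-loss exposure as `group_vars/all.enc.yml`.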
diff --git a/work/inventory.yaml.sample b/work/inventory.yaml.sample
deleted file mode 100644
index a6277d7..0000000
--- a/work/inventory.yaml.sample
+++ /dev/null
@@ -1,6 +0,0 @@
-servers:
- hosts:
- localhost:
- ansible_connection: ssh
- ansible_user: test
- ansible_port: 22
diff --git a/work/inventory.yml b/work/inventory.yml
new file mode 100644
index 0000000..db7b7fd
--- /dev/null
+++ b/work/inventory.yml
@@ -0,0 +1,6 @@
+servers:
+ hosts:
+ ssh.mrdev023.fr:
+ ansible_connection: ssh
+ ansible_user: florian
+ ansible_port: 7943
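Review bot: `work/inventory.yml` is committed in plaintext although it is exactly the file `init_sops` produces by decrypting `work/inventory.enc.yml` (same host, `ansible_user: florian`, `ansible_port: 7943`), and `ansible.cfg` now points at it; encrypting the inventory achieves nothing while its decrypted form is tracked in the same repository. It should be dropped from the commit (`git rm --cached work/inventory.yml`) and both `work/inventory.yml` and `group_vars/all.yml` added to `.gitignore` — the diffstat shows no `.gitignore` change, so nothing currently prevents the output of `init_sops` from being committed again. Once pushed, these values are disclosed to everyone with repository access regardless of the encrypted copy. The deletion of `work/inventory.yaml.sample` in the preceding hunk is fine on its own.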