Master vault password is fetched from Vaultwarden via the rbw agent (scripts/vault-pass-client.sh, wired as vault_password_file) instead of a plaintext .vault_pass. Vault secrets use a nested vault.<service>.<key> map. Encrypted vault.yml files are excluded from lint. Includes the host rename in Makefile and STATUS.md. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
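#!/usr/bin/env bash
#
# ansible-vault password client.
#
# Prints the boma master vault password to stdout by fetching it from Vaultwarden
# via the `rbw` agent. Wired in as `vault_password_file` (ansible.cfg) and used by
# the Makefile vault targets, so every ansible-vault / ansible-playbook / lint run
# obtains the password the same way.
#
# The password lives only in Vaultwarden (encrypted at rest) and in the rbw agent's
# memory while unlocked — never in a plaintext file on disk.
#
# Unlock once per terminal session before running any vault operation:
#     rbw unlock
#
# Override the Vaultwarden item name via BOMA_VAULT_ITEM if it ever changes.
#
# Contract: exit 0 with exactly one line (the password) on stdout; exit 1 with
# nothing on stdout when rbw is not installed, the item cannot be read (agent
# locked, item missing), or the item's password field is empty. A non-zero exit
# makes the caller fail fast instead of silently trying an empty or wrong password.
#
# NOTE: never run this under `bash -x` / `set -x` — the trace would print the
# password to stderr.
#
set -euo pipefail

# Vaultwarden item holding the master vault password (override via BOMA_VAULT_ITEM).
item="${BOMA_VAULT_ITEM:-boma-ansible-vault}"

if ! command -v rbw >/dev/null 2>&1; then
  echo "vault-pass-client: 'rbw' is not installed — see docs/runbooks/rotate-secrets.md." >&2
  exit 1
fi

# Only the password reaches stdout; all diagnostics go to stderr so they can never
# be mistaken for the password by ansible-vault. rbw's own stderr is deliberately
# discarded — the two messages below replace it with the actionable hint.
if ! pw="$(rbw get "$item" 2>/dev/null)"; then
  echo "vault-pass-client: could not read '$item' from Vaultwarden via rbw." >&2
  echo " The agent is probably locked. Run: rbw unlock" >&2
  exit 1
fi

# `rbw get` can succeed yet print nothing (item exists, password field blank).
# Emitting an empty line would make ansible-vault attempt an empty password and
# fail with an unhelpful decrypt error, so refuse it here with a clear message.
if [[ -z "$pw" ]]; then
  echo "vault-pass-client: item '$item' has an empty password field in Vaultwarden." >&2
  exit 1
fi

# Single trailing newline; printf avoids echo's option/escape handling on
# passwords that happen to start with '-' or contain backslashes.
printf '%s\n' "$pw"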