Updated gen_keys script

Improved CLI. It now also allows using tagged vaults (`--vault-id`).
This commit is contained in:
sfigato 2020-08-19 18:43:51 +02:00
parent 670e47e30c
commit 540a11f8c4
Signed by: blallo
GPG Key ID: 0CBE577C9B72DC3F


@ -1,5 +1,7 @@
#!/usr/bin/env python #!/usr/bin/env python
import argparse
import os
import subprocess import subprocess
import sys import sys
import typing as T import typing as T
@ -47,45 +49,90 @@ def gen_key(name: T.Text) -> None:
subprocess.call(["wg", "pubkey"], stdin=sec_r, stdout=pub) subprocess.call(["wg", "pubkey"], stdin=sec_r, stdout=pub)
def to_vault(name: T.Text, passfile: T.Text) -> None: def _encrypt_string(
plaintext: T.Text,
passfile: T.Text,
vault_id: T.Optional[T.Text],
passfile_dir: T.Optional[T.Text],
) -> bytes:
if passfile_dir is None:
passfile_dir = os.getcwd()
if vault_id is None:
return _encrypt_string_simple(plaintext, passfile, passfile_dir)
else:
return _encrypt_string_vault(plaintext, f"{vault_id}@{passfile}", passfile_dir)
def _encrypt_string_simple(
plaintext: T.Text, passfile: T.Text, passfile_dir: T.Text
) -> bytes:
return subprocess.check_output(
[
"ansible-vault",
"encrypt_string",
f"--vault-password-file={passfile}",
plaintext,
],
cwd=passfile_dir,
)
def _encrypt_string_vault(
plaintext: T.Text, vault_passfile: T.Text, passfile_dir: T.Text
) -> bytes:
return subprocess.check_output(
["ansible-vault", "encrypt_string", f"--vault-id={vault_passfile}", plaintext,],
cwd=passfile_dir,
)
def to_vault(
name: T.Text,
passfile: T.Text,
vault_id: T.Optional[T.Text],
passfile_dir: T.Optional[T.Text],
) -> None:
with open(f"{name}.pub", "r") as pub: with open(f"{name}.pub", "r") as pub:
pubkey = pub.readline() pubkey = pub.readline().strip("\n")
enc_pub = subprocess.check_output( enc_pub = _encrypt_string(pubkey, passfile, vault_id, passfile_dir)
[
"ansible-vault",
"encrypt_string",
f"--vault-password-file={passfile}",
pubkey,
]
)
with open(f"{name}.sec", "r") as sec: with open(f"{name}.sec", "r") as sec:
seckey = sec.readline() seckey = sec.readline().strip("\n")
enc_sec = subprocess.check_output( enc_sec = _encrypt_string(seckey, passfile, vault_id, passfile_dir)
[
"ansible-vault",
"encrypt_string",
f"--vault-password-file={passfile}",
seckey,
]
)
HOSTS[name] = { HOSTS[name] = {
"public_key": yaml.load(enc_pub.decode(ENCODING), Loader=yaml.SafeLoader), "public_key": yaml.load(enc_pub.decode(ENCODING), Loader=yaml.SafeLoader),
"private_key": yaml.load(enc_sec.decode(ENCODING), Loader=yaml.SafeLoader), "private_key": yaml.load(enc_sec.decode(ENCODING), Loader=yaml.SafeLoader),
} }
def usage() -> None:
print("Usage: \n\tgen_keys.py <path/to/inventory> <path/to/vault_password_file>")
if __name__ == "__main__": if __name__ == "__main__":
if len(sys.argv) != 3: parser = argparse.ArgumentParser(
usage() description="Generates keys for wireguard connection of the dns servers"
sys.exit(-1) )
parser.add_argument(
for host in load_hosts(sys.argv[1]): "inventory", metavar="INVENTORY", type=str, help="path to the inventory"
)
parser.add_argument(
"passfile",
metavar="VAULT_PASSFILE",
type=str,
help="the name of the file that contains the passphrase for the inventory",
)
parser.add_argument(
"--vault-id",
metavar="VAULT_ID",
type=str,
help="the name of the (existing) vault",
)
parser.add_argument(
"--passfile-dir",
metavar="PASSFILE_DIR",
type=str,
help="path where the passfile is located",
)
args = parser.parse_args()
for host in load_hosts(args.inventory):
gen_key(host) gen_key(host)
to_vault(host, sys.argv[2]) to_vault(host, args.passfile, args.vault_id, args.passfile_dir)
result = yaml.dump(HOSTS, Dumper=yaml.SafeDumper) result = yaml.dump(HOSTS, Dumper=yaml.SafeDumper)
with open("result.yml", "w") as res: with open("result.yml", "w") as res:
res.write(result) res.write(result)
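Review bot: The WireGuard private key is still handed to `ansible-vault encrypt_string` as a positional argv element in `_encrypt_string_simple` and `_encrypt_string_vault`, so for the lifetime of that child process the secret is readable by any local user through `ps` or `/proc/<pid>/cmdline`. `encrypt_string` reads the plaintext from stdin when no positional string is given, so the secret can be kept off the command line with `subprocess.check_output(["ansible-vault", "encrypt_string", f"--vault-password-file={passfile}"], input=plaintext.encode(ENCODING), cwd=passfile_dir)` (and the same shape with `--vault-id` in the other helper); avoid `--stdin-name`, since it wraps the output in a `name:` mapping that the `yaml.load` calls in `to_vault` do not expect. Whether the installed ansible-vault strips a trailing newline from stdin should be confirmed, so keep passing the already-stripped key without appending one. Separately, `gen_key` (whose body starts before this hunk) appears to leave the plaintext `{name}.sec` on disk after it has been vaulted; that is pre-existing, but a `# NOTE: plaintext key material remains in {name}.sec` comment or a cleanup step would be worth adding if only the vaulted form is meant to persist.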