diff --git a/_modules/credentials.py b/_modules/credentials.py --- a/_modules/credentials.py +++ b/_modules/credentials.py @@ -59,7 +59,10 @@ return VAULT_PREFIX -def _read_secret(key, prefix=None): +def read_secret(key, prefix=None): + if _are_credentials_hidden(): + return "credential for " + key + if prefix is None: prefix = _get_default_secret_path() @@ -78,10 +81,7 @@ :param prefix: the prefix path for that key, by default "ops/secrets/" :return: The username """ - if _are_credentials_hidden(): - return "credential for " + key - - return _read_secret(key, prefix)["password"] + return read_secret(key, prefix)["password"] def get_username(key, prefix=None): @@ -97,7 +97,7 @@ :param prefix: the prefix path for that key, by default "ops/secrets/" :return: The secret value """ - return _read_secret(key, prefix)["username"] + return read_secret(key, prefix)["username"] def get_token(key, prefix=None): @@ -122,7 +122,7 @@ return "credential for " + args["credential"] host = __pillar__["sentry_realms"][args["realm"]]["host"] - credential = _read_secret(args["credential"]) + credential = read_secret(args["credential"]) return ( f"https://{credential['username']}:{credential['password']}" diff --git a/pillar/credentials/vault.sls b/pillar/credentials/vault.sls --- a/pillar/credentials/vault.sls +++ b/pillar/credentials/vault.sls @@ -49,6 +49,7 @@ vault_policies: - salt-primary + - viperserv # ------------------------------------------------------------- # Vault policies for Salt @@ -135,3 +136,6 @@ - ops/secrets/zed.phabricator.mysql - ops/secrets/zed.phabricator.sendgrid + + viperserv: + - ops/secrets/nasqueron.viperserv.vault diff --git a/pillar/nodes/nodes.sls b/pillar/nodes/nodes.sls --- a/pillar/nodes/nodes.sls +++ b/pillar/nodes/nodes.sls @@ -150,6 +150,7 @@ roles: - devserver - dbserver-mysql + - viperserv - webserver-legacy zfs: pool: arcology diff --git a/roles/vault/policies/files/viperserv.hcl b/roles/vault/policies/files/viperserv.hcl new file mode 100644 
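Review bot: With the hidden-credentials check moved into `read_secret`, `get_password` and `get_username` (hunks @@ -78 and @@ -97) now subscript its return value, but in hidden mode that value is the plain string `"credential for " + key`, so `read_secret(key, prefix)["password"]` raises `TypeError` where `get_password` used to return the placeholder (and `get_username` never had a hidden-mode path at all). Return a mapping in that branch instead, e.g. `return defaultdict(lambda: "credential for " + key)` from `collections` (add the import if the file lacks it), so every key a caller indexes — `username`, `password`, and the `roleID`/`secretID` the new eggdrop template reads — yields the placeholder. `read_secret` is now public and invoked from state templates, so it should carry a docstring in the style of the sibling getters, stating the `key`/`prefix` parameters and that the return value is the secret's data mapping. The body of `read_secret` continues below the hunk, and the hunks at @@ -78 and @@ -97 start inside `get_password` and `get_username`, whose `def` lines are above them.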
--- /dev/null +++ b/roles/vault/policies/files/viperserv.hcl @@ -0,0 +1,18 @@ +# ------------------------------------------------------------- +# Vault configuration - Policy for ViperServ eggdrops +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +# Project: Nasqueron +# License: Trivial work, not eligible to copyright +# Source file: roles/vault/vault/files/viperserv.hcl +# ------------------------------------------------------------- +# +# +# This file is managed by our rOPS SaltStack repository. +# +# Changes to this file may cause incorrect behavior +# and will be lost if the state is redeployed. +# + +path "apps/data/viperserv/*" { + capabilities = [ "read" ] +} diff --git a/roles/viperserv/eggdrop/config.sls b/roles/viperserv/eggdrop/config.sls --- a/roles/viperserv/eggdrop/config.sls +++ b/roles/viperserv/eggdrop/config.sls @@ -57,8 +57,15 @@ - source: salt://roles/viperserv/eggdrop/files/dot.credentials - user: viperserv - group: nasqueron-irc - - replace: False - - mode: 660 + - mode: 400 + - template: jinja + - context: + db: + host: localhost + database: Nasqueron + vault: + approle: {{ salt['credentials.read_secret']('nasqueron.viperserv.vault') }} + addr: https://172.27.27.7:8200 {% for botname, bot in pillar['viperserv_bots'].items() %} diff --git a/roles/viperserv/eggdrop/files/dot.credentials b/roles/viperserv/eggdrop/files/dot.credentials --- a/roles/viperserv/eggdrop/files/dot.credentials +++ b/roles/viperserv/eggdrop/files/dot.credentials 
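Review bot: The header comment `# Source file: roles/vault/vault/files/viperserv.hcl` names a path that does not exist in this commit; the file is added at `roles/vault/policies/files/viperserv.hcl`, so anyone following the header to change the managed source lands in the wrong directory. Change it to `# Source file: roles/vault/policies/files/viperserv.hcl`. The policy body itself is appropriately minimal: a single `read` on `apps/data/viperserv/*` with no `list`, `create` or `update`, which matches a bot that only fetches its own secrets.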
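Review bot: The managed `.credentials` file now receives the AppRole roleID and secretID through the `approle:` context value, but this `file.managed` keeps the default `show_changes: True`, so the initial write and every later change print the rendered secret in the state diff, which ends up in the job cache and in highstate output; add `- show_changes: False` under `- template: jinja`. The `approle:` value is the Python repr of the dict returned by `credentials.read_secret`, re-parsed as YAML flow syntax when the SLS renders; that works while the IDs are plain UUID strings, but a value containing a quote would break the state, and `{{ salt['credentials.read_secret']('nasqueron.viperserv.vault') | json }}` is the robust form. `addr: https://172.27.27.7:8200` hard-codes the Vault endpoint in a role state; if the same address already lives in pillar for the other Vault consumers (not visible here), reference that key instead so a Vault move is a single change.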
@@ -1,6 +1,16 @@ # ------------------------------------------------------------- # Eggdrop configuration file # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +# License: Trivial work, not eligible to copyright +# Source file: roles/viperserv/eggdrop/files/dot.credentials +# ------------------------------------------------------------- +# +# +# This file is managed by our rOPS SaltStack repository. +# +# Changes to this file may cause incorrect behavior +# and will be lost if the state is redeployed. +# # # _ ___ _____ # | | / (_)___ ___ _____/ ___/___ ______ __ @@ -13,9 +23,9 @@ # # ------------------------------------------------------------- -set sql(host) localhost -set sql(user) someuser -set sql(pass) somepass -set sql(database) Nasqueron +set sql(host) {{ db.host }} +set sql(database) {{ db.database }} -die "Please configure MySQL credentials in /srv/viperserv/.credentials" +set vault(roleID) {{ vault.approle.roleID }} +set vault(secretID) {{ vault.approle.secretID }} +set vault(host) {{ vault.addr }} diff --git a/roles/viperserv/eggdrop/files/eggdrop-bot.conf b/roles/viperserv/eggdrop/files/eggdrop-bot.conf --- a/roles/viperserv/eggdrop/files/eggdrop-bot.conf +++ b/roles/viperserv/eggdrop/files/eggdrop-bot.conf 
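Review bot: `set vault(roleID) {{ vault.approle.roleID }}` and the two `set` lines after it (as well as `{{ db.host }}` and `{{ db.database }}` above) splice rendered values into Tcl as bare words, so the file parses correctly only while each value is a single token free of Tcl metacharacters (`$`, `[`, `]`, `{`, `}`, `;`, `"`, whitespace); anything else would be substituted or rejected by the interpreter instead of being stored. AppRole IDs are UUID-shaped in practice, so this holds today, but the contract is unstated; either document it with a comment such as `# Values are substituted as bare Tcl words: no whitespace or Tcl metacharacters allowed` or emit each value brace-quoted, e.g. `set vault(roleID) {{ '{' ~ vault.approle.roleID ~ '}' }}`, so Tcl takes it literally. Removing the `die` guard is correct now that the file is fully rendered; the header added in the first hunk already says the copy is managed by Salt.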
@@ -47,18 +47,31 @@ # Main eggdrop settings common to all ViperServ bots source core.conf +# Credentials for Vault (work in progress) and MySQL (deprecated) +source .credentials + +# ------------------------------------------------------------- +# Vault +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + +source scripts/vendor/vault.tcl +source scripts/Vault.tcl + # ------------------------------------------------------------- # MySQL # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - load lib/fbsql.so -source .credentials -sql connect $sql(host) $sql(user) $sql(pass) -sql2 connect $sql(host) $sql(user) $sql(pass) +set sql_credentials [dict get [vault_get mysql] data] + +sql connect $sql(host) [dict get $sql_credentials username] [dict get $sql_credentials password] +sql2 connect $sql(host) [dict get $sql_credentials username] [dict get $sql_credentials password] sql selectdb $sql(database) sql2 selectdb $sql(database) +unset sql_credentials + # ------------------------------------------------------------- # Base settings with scripts dependencies # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - @@ -68,7 +81,7 @@ # Settings {%- if nickserv %} -set nickserv_password [registry get nickserv.$username.password] +set nickserv_password [vault_get nickserv/$username password] set servers " irc.libera.chat:+6697:$username:$nickserv_password
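Review bot: `unset sql_credentials` clears the MySQL secret once the connects are done, but the `vault(roleID)` and `vault(secretID)` loaded by `source .credentials` remain in the interpreter's global namespace for the bot's entire lifetime, long after the AppRole login needs them; once `scripts/Vault.tcl` has logged in (that code is outside this diff, so confirm it does not re-read them later), drop them with `unset vault(roleID) vault(secretID)`. The two connect lines each repeat `[dict get $sql_credentials username]` and `[dict get $sql_credentials password]`; binding them once to `sql_user`/`sql_pass` and adding those names to the existing `unset` would read clearer without widening the window. `vault_get` is not defined in this file; presumably `scripts/Vault.tcl` provides it, and a one-line comment saying so next to `source scripts/Vault.tcl` would save the next reader a search. The comment `# Credentials for Vault (work in progress) and MySQL (deprecated)` suggests MySQL credentials still live in `.credentials`, whereas only `sql(host)` and `sql(database)` remain there; `# Vault AppRole IDs plus MySQL host/database; MySQL credentials themselves are fetched from Vault below` describes the file as it is now.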