From 3ec0861e6b4a869497f264827b525496e361bd05 Mon Sep 17 00:00:00 2001
From: Clark Boylan <clark.boylan@gmail.com>
Date: Wed, 27 Feb 2019 08:43:45 -0800
Subject: [PATCH] Add edit-secrets script to bridge.o.o

This adds a script that runs emacs under its own gpg-agent instance when
editing the secrets file. This avoids issues with stale or rogue
gpg-agents already running on the system.

Change-Id: Ic3cc73b5c25eab2ede41d8ca05b5695b817973d9
---
 playbooks/bridge.yaml                                  | 1 +
 playbooks/roles/edit-secrets-script/README.rst         | 3 +++
 playbooks/roles/edit-secrets-script/files/edit-secrets | 2 ++
 playbooks/roles/edit-secrets-script/tasks/main.yaml    | 5 +++++
 4 files changed, 11 insertions(+)
 create mode 100644 playbooks/roles/edit-secrets-script/README.rst
 create mode 100644 playbooks/roles/edit-secrets-script/files/edit-secrets
 create mode 100644 playbooks/roles/edit-secrets-script/tasks/main.yaml

diff --git a/playbooks/bridge.yaml b/playbooks/bridge.yaml
index 44b173bf29..d5446b7d29 100644
--- a/playbooks/bridge.yaml
+++ b/playbooks/bridge.yaml
@@ -23,6 +23,7 @@
     - root-keys
     - ansible-cron
     - cloud-launcher-cron
+    - edit-secrets-script
   tasks:
     - name: Allow Zuul to trigger Ansible
       authorized_key:
diff --git a/playbooks/roles/edit-secrets-script/README.rst b/playbooks/roles/edit-secrets-script/README.rst
new file mode 100644
index 0000000000..16196aec44
--- /dev/null
+++ b/playbooks/roles/edit-secrets-script/README.rst
@@ -0,0 +1,3 @@
+This role installs a script called `edit-secrets` to /usr/local/bin
+that allows you to safely edit the secrets file without needing to
+manage gpg-agent yourself.
diff --git a/playbooks/roles/edit-secrets-script/files/edit-secrets b/playbooks/roles/edit-secrets-script/files/edit-secrets
new file mode 100644
index 0000000000..5f1a22d2e0
--- /dev/null
+++ b/playbooks/roles/edit-secrets-script/files/edit-secrets
@@ -0,0 +1,2 @@
+#!/bin/sh
+gpg-agent --daemon emacs /root/passwords/passwords.gpg
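Review bot: The script on the last line does not use `exec`, so the `/bin/sh` wrapper stays around as the parent of gpg-agent and emacs, and the agent's exit status is returned through an extra shell process; `exec gpg-agent --daemon emacs /root/passwords/passwords.gpg` is cleaner. If pinentry on bridge is terminal-based, gpg-agent also needs to know the controlling tty, so `export GPG_TTY="$(tty)"` before the exec is worth adding — I cannot confirm from this diff which pinentry is installed there. Note that with GnuPG 2.1 and later the agent is located via the standard socket rather than an environment variable, so `--daemon cmd` may reuse an already-running agent instead of giving emacs a private one; please confirm on the target host that the commit's stated goal actually holds and record it in a header comment, e.g. `# Run emacs under its own gpg-agent so a stale agent on the host is never used (verified with gpg X.Y).`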
diff --git a/playbooks/roles/edit-secrets-script/tasks/main.yaml b/playbooks/roles/edit-secrets-script/tasks/main.yaml
new file mode 100644
index 0000000000..21800d5f33
--- /dev/null
+++ b/playbooks/roles/edit-secrets-script/tasks/main.yaml
@@ -0,0 +1,5 @@
+- name: Copy edit-secrets script
+  copy:
+    mode: 0750
+    src: edit-secrets
+    dest: /usr/local/bin/edit-secrets
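Review bot: `mode: 0750` on the third line of this hunk is an unquoted octal literal, which YAML 1.1 parsers turn into the integer 488; Ansible handles the leading-zero form today, but the documented, parser-proof spelling is `mode: "0750"`. The task also sets no `owner`/`group`, so the installed script is owned by whatever account the play runs as — presumably root given the `/root/passwords` path, but it is better to state `owner: root` and `group: root` explicitly so the group-executable bit in 0750 is not handed to an unintended group. Finally, the new file has no `---` document-start marker, unlike the usual convention for Ansible task files.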